Add DigestMethod to STAL SignRequest, check digest value in secure viewer

NOTE: This currently disables viewing signature data which uses the ExcludeByteRange feature, e.g. PAdES signatures. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1263 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
author: tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2013-12-13 01:57:31 +0000
committer: tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2013-12-13 01:57:31 +0000
commit: da6c49cbea9c80ad057a5fc3b698ce14ad9a7415 (patch)
tree: 2179084a1c0352a0a5a432de716a2778781f86bb
parent: d311d0f7b7ef9ed5bc383d6744b7d61239aafbc1 (diff)
download: mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.tar.gz
mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.tar.bz2
mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.zip
11 files changed, 83 insertions, 12 deletions
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
index c6a2f72a..773bab80 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
@@ -196,9 +196,9 @@ public class AppletSecureViewer implements SecureViewer {
           log.debug("Digesting reference " + signedRefId + " (" + mimeType + ";" + encoding + ")");
         }
 
-        if (signedDigestAlg.startsWith("CMS:")) {
-          log.info("CMS signature - skip verifying hashdata for now");
-        } else {
+//        if (signedDigestAlg.startsWith("CMS:")) {
+//          log.info("CMS signature - skip verifying hashdata for now");
+//        } else {
           byte[] hashDataInputDigest = digest(hdi, signedDigestAlg);
 
           log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId);
@@ -206,7 +206,7 @@ public class AppletSecureViewer implements SecureViewer {
             log.error("Bad digest value for reference {}.", signedRefId);
             throw new DigestException("Bad digest value for reference " + signedRefId);
           }
-        }
+//        }
 
         verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding, filename));
       }
diff --git a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
index 5f96578d..5ad9ec83 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
+++ b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
@@ -133,6 +133,7 @@
             </complexType>
           </element>
           <element name="SignatureMethod" type="string" minOccurs="0"/>
+          <element name="DigestMethod" type="string" minOccurs="0"/>
         </sequence>
       </extension>
     </complexContent>
diff --git a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
index e4a49e97..52a3ffcd 100644
--- a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
+++ b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
@@ -54,6 +54,7 @@ import javax.xml.bind.annotation.XmlValue;
  *           &lt;/complexType>
  *         &lt;/element>
  *         &lt;element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
+ *         &lt;element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
  *       &lt;/sequence>
  *     &lt;/extension>
  *   &lt;/complexContent>
@@ -66,7 +67,8 @@ import javax.xml.bind.annotation.XmlValue;
 @XmlType(name = "SignRequestType", propOrder = {
     "keyIdentifier",
     "signedInfo",
-    "signatureMethod"
+    "signatureMethod",
+    "digestMethod"
 })
 public class SignRequest
   extends STALRequest {
@@ -77,6 +79,8 @@ public class SignRequest
     protected SignRequest.SignedInfo signedInfo;
     @XmlElement(name = "SignatureMethod")
     protected String signatureMethod;
+    @XmlElement(name = "DigestMethod")
+    protected String digestMethod;
     @XmlTransient
     protected List<HashDataInput> hashData;
 
@@ -152,6 +156,30 @@ public class SignRequest
         this.signatureMethod = value;
     }
 
+    /**
+     * Gets the value of the digestMethod property.
+     * 
+     * @return
+     *     possible object is
+     *     {@link String }
+     *     
+     */
+    public String getDigestMethod() {
+        return digestMethod;
+    }
+
+    /**
+     * Sets the value of the digestMethod property.
+     * 
+     * @param value
+     *     allowed object is
+     *     {@link String }
+     *     
+     */
+    public void setDigestMethod(String value) {
+        this.digestMethod = value;
+    }
+
     public List<HashDataInput> getHashDataInput() {
         return hashData;
     }
diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
index 28d60ed6..5ddadbe7 100644
--- a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
+++ b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
@@ -224,6 +224,7 @@ public class STALTranslator {
         signedInfo.setIsCMSSignedAttributes(((SignRequest) request).getSignedInfo().isIsCMSSignedAttributes());
         req.setSignedInfo(signedInfo);
         req.setSignatureMethod(((SignRequest) request).getSignatureMethod());
+        req.setDigestMethod(((SignRequest) request).getDigestMethod());
         //TODO add hashdatainput (refactor signRequestType)
         return of.createGetNextRequestResponseTypeSignRequest(req);
       } else if (request instanceof InfoboxReadRequest) {
@@ -255,6 +256,7 @@ public class STALTranslator {
         signedInfo.setIsCMSSignedAttributes(((SignRequestType) request).getSignedInfo().isIsCMSSignedAttributes());
         stalReq.setSignedInfo(signedInfo);
         stalReq.setSignatureMethod(((SignRequestType) request).getSignatureMethod());
+        stalReq.setDigestMethod(((SignRequestType) request).getDigestMethod());
         return stalReq;
       } else if (request instanceof QuitRequestType) {
         return new QuitRequest();
diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
index 50a00406..67755d69 100644
--- a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
+++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
@@ -61,6 +61,7 @@ import javax.xml.bind.annotation.XmlValue;
  *           &lt;/complexType>
  *         &lt;/element>
  *         &lt;element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
+ *         &lt;element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
  *       &lt;/sequence>
  *     &lt;/extension>
  *   &lt;/complexContent>
@@ -73,7 +74,8 @@ import javax.xml.bind.annotation.XmlValue;
 @XmlType(name = "SignRequestType", propOrder = {
     "keyIdentifier",
     "signedInfo",
-    "signatureMethod"
+    "signatureMethod",
+    "digestMethod"
 })
 public class SignRequestType
     extends RequestType
@@ -85,6 +87,8 @@ public class SignRequestType
     protected SignRequestType.SignedInfo signedInfo;
     @XmlElement(name = "SignatureMethod")
     protected String signatureMethod;
+    @XmlElement(name = "DigestMethod")
+    protected String digestMethod;
 
     /**
      * Gets the value of the keyIdentifier property.
@@ -158,6 +162,30 @@ public class SignRequestType
         this.signatureMethod = value;
     }
 
+    /**
+     * Gets the value of the digestMethod property.
+     * 
+     * @return
+     *     possible object is
+     *     {@link String }
+     *     
+     */
+    public String getDigestMethod() {
+        return digestMethod;
+    }
+
+    /**
+     * Sets the value of the digestMethod property.
+     * 
+     * @param value
+     *     allowed object is
+     *     {@link String }
+     *     
+     */
+    public void setDigestMethod(String value) {
+        this.digestMethod = value;
+    }
+
 
     /**
      * <p>Java class for anonymous complex type.
diff --git a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
index 98d301a7..a82006fc 100644
--- a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
+++ b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
@@ -106,6 +106,7 @@ public class STALTranslatorTest {
     assertEquals(request.getSignedInfo().getValue(), resultT.getSignedInfo().getValue());
     assertEquals(request.getSignedInfo().isIsCMSSignedAttributes(), resultT.getSignedInfo().isIsCMSSignedAttributes());
     assertEquals(request.getSignatureMethod(), resultT.getSignatureMethod());
+    assertEquals(request.getDigestMethod(), resultT.getDigestMethod());
   }
 
   /**
@@ -120,6 +121,7 @@ public class STALTranslatorTest {
     signedInfo.setValue("signedinfo".getBytes());
     req.setSignedInfo(signedInfo);
     req.setSignatureMethod("signatureMethod");
+    req.setDigestMethod("digestMethod");
     JAXBElement<? extends RequestType> request = of.createGetNextRequestResponseTypeSignRequest(req);
     STALTranslator instance = new STALTranslator();
     STALRequest result = instance.translateWSRequest(request);
@@ -128,6 +130,7 @@ public class STALTranslatorTest {
     assertEquals(req.getSignedInfo().getValue(), ((SignRequest) result).getSignedInfo().getValue());
     assertEquals(req.getSignedInfo().isIsCMSSignedAttributes(), ((SignRequest) result).getSignedInfo().isIsCMSSignedAttributes());
     assertEquals(req.getSignatureMethod(), ((SignRequest) result).getSignatureMethod());
+    assertEquals(req.getDigestMethod(), ((SignRequest) result).getDigestMethod());
   }
 
   @Test(expected=RuntimeException.class)
diff --git a/STALXService/src/main/resources/wsdl/stal.xsd b/STALXService/src/main/resources/wsdl/stal.xsd
index 30880d74..f102d215 100644
--- a/STALXService/src/main/resources/wsdl/stal.xsd
+++ b/STALXService/src/main/resources/wsdl/stal.xsd
@@ -133,6 +133,7 @@
             </complexType>
           </element>
           <element name="SignatureMethod" type="string" minOccurs="0"/>
+          <element name="DigestMethod" type="string" minOccurs="0"/>
         </sequence>
       </extension>
     </complexContent>
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
index 8da52227..8e71fa7c 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
@@ -11,9 +11,11 @@ public class STALPrivateKey implements PrivateKey {
   private static final long serialVersionUID = 1L;
 
   private String algorithm;
+  private String digestAlgorithm;
 
-  public STALPrivateKey(String algorithm) {
+  public STALPrivateKey(String algorithm, String digestAlgorithm) {
     this.algorithm = algorithm;
+    this.digestAlgorithm = digestAlgorithm;
   }
 
   @Override
@@ -21,6 +23,10 @@ public class STALPrivateKey implements PrivateKey {
     return algorithm;
   }
 
+  public String getDigestAlgorithm() {
+    return digestAlgorithm;
+  }
+
   @Override
   public byte[] getEncoded() {
     throw new UnsupportedOperationException("STALPrivateKey does not support the getEncoded() method.");
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
index 0a2140c3..7c8b2b4e 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
@@ -60,8 +60,9 @@ public class STALSecurityProvider extends IaikProvider {
       throws SignatureException, InvalidKeyException, NoSuchAlgorithmException {
     log.debug("calculateSignatureFromSignedAttributes: " + signatureAlgorithm + ", " + digestAlgorithm);
 
+    STALPrivateKey spk = (STALPrivateKey) privateKey;
     SignRequest signRequest = getSTALSignRequest(keyboxIdentifier, signedAttributes,
-        privateKey.getAlgorithm(), hashDataInput);
+        spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput);
 
     log.debug("Sending STAL request ({})", privateKey.getAlgorithm());
     List<STALResponse> responses =
@@ -86,7 +87,8 @@ public class STALSecurityProvider extends IaikProvider {
   }
 
   private static SignRequest getSTALSignRequest(String keyboxIdentifier,
-      byte[] signedAttributes, String signatureMethod, List<HashDataInput> hashDataInput) {
+      byte[] signedAttributes, String signatureMethod, String digestMethod,
+      List<HashDataInput> hashDataInput) {
     SignRequest signRequest = new SignRequest();
     signRequest.setKeyIdentifier(keyboxIdentifier);
     log.debug("SignedAttributes: " + Util.toBase64String(signedAttributes));
@@ -95,6 +97,7 @@ public class STALSecurityProvider extends IaikProvider {
     signedInfo.setIsCMSSignedAttributes(true);
     signRequest.setSignedInfo(signedInfo);
     signRequest.setSignatureMethod(signatureMethod);
+    signRequest.setDigestMethod(digestMethod);
     signRequest.setHashDataInput(hashDataInput);
     return signRequest;
   }
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
index 307f0bfc..9e76bf22 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
@@ -95,7 +95,6 @@ public class Signature {
   private AlgorithmID signatureAlgorithm;
   private AlgorithmID digestAlgorithm;
   private String signatureAlgorithmURI;
-  @SuppressWarnings("unused")
   private String digestAlgorithmURI;
 
   public Signature(CMSDataObjectRequiredMetaType dataObject, String structure,
@@ -116,7 +115,7 @@ public class Signature {
         new iaik.x509.X509Certificate(signingCertificate.getEncoded());
     CertificateIdentifier signerIdentifier =
         new IssuerAndSerialNumber(sigcert);
-    PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI);
+    PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI, digestAlgorithmURI);
     signerInfo = new SignerInfo(signerIdentifier, digestAlgorithm,
         signatureAlgorithm, privateKey);
   }
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index bb7856c3..dba822ea 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -180,7 +180,7 @@ public class SignRequestHandler extends AbstractRequestHandler {
       reference.setId(HashDataInput.CMS_DEF_REFERENCE_ID);
       reference.setURI(CMS_DEF_OBJECT_ID);
       DigestMethodType digestMethod = new DigestMethodType();
-      digestMethod.setAlgorithm("CMS:" + signReq.getSignatureMethod());
+      digestMethod.setAlgorithm(signReq.getDigestMethod());
       reference.setDigestMethod(digestMethod);
       byte[] messageDigest = null;
       try {
author	tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2013-12-13 01:57:31 +0000
committer	tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2013-12-13 01:57:31 +0000
commit	da6c49cbea9c80ad057a5fc3b698ce14ad9a7415 (patch)
tree	2179084a1c0352a0a5a432de716a2778781f86bb
parent	d311d0f7b7ef9ed5bc383d6744b7d61239aafbc1 (diff)
download	mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.tar.gz mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.tar.bz2 mocca-da6c49cbea9c80ad057a5fc3b698ce14ad9a7415.zip