summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java57
-rw-r--r--BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd6
-rw-r--r--STAL/src/main/java/at/gv/egiz/stal/SignRequest.java125
-rw-r--r--STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java13
-rw-r--r--STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java8
-rw-r--r--STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java122
-rw-r--r--STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java18
-rw-r--r--STALXService/src/main/resources/wsdl/stal.xsd6
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java24
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java24
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java39
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java21
-rw-r--r--smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java9
13 files changed, 434 insertions, 38 deletions
diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
index 773bab8..3b9ee1d 100644
--- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
+++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java
@@ -24,6 +24,19 @@
package at.gv.egiz.bku.online.applet;
+import iaik.me.security.CryptoException;
+import iaik.me.security.MessageDigest;
+
+import java.awt.event.ActionListener;
+import java.security.DigestException;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
import at.gv.egiz.bku.gui.BKUGUIFacade;
import at.gv.egiz.bku.smccstal.SecureViewer;
import at.gv.egiz.stal.HashDataInput;
@@ -34,17 +47,6 @@ import at.gv.egiz.stal.service.types.GetHashDataInputResponseType;
import at.gv.egiz.stal.service.types.GetHashDataInputType;
import at.gv.egiz.stal.signedinfo.ReferenceType;
import at.gv.egiz.stal.signedinfo.SignedInfoType;
-import java.awt.event.ActionListener;
-import java.security.DigestException;
-
-import iaik.me.security.CryptoException;
-import iaik.me.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
/**
*
@@ -196,17 +198,30 @@ public class AppletSecureViewer implements SecureViewer {
log.debug("Digesting reference " + signedRefId + " (" + mimeType + ";" + encoding + ")");
}
-// if (signedDigestAlg.startsWith("CMS:")) {
-// log.info("CMS signature - skip verifying hashdata for now");
-// } else {
- byte[] hashDataInputDigest = digest(hdi, signedDigestAlg);
+ byte[] hashDataInputDigest;
+ if ((signedRef.getURI() != null) && signedRef.getURI().startsWith("CMSExcludedByteRange:")) {
+ String range = signedRef.getURI().substring(21);
+ int sep = range.indexOf('-');
+ int from = Integer.parseInt(range.substring(0, sep));
+ int to = Integer.parseInt(range.substring(sep+1));
- log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId);
- if (!Arrays.equals(hashDataInputDigest, signedDigest)) {
- log.error("Bad digest value for reference {}.", signedRefId);
- throw new DigestException("Bad digest value for reference " + signedRefId);
- }
-// }
+ Arrays.fill(hdi, from, to+1, (byte)0);
+
+ byte[] hashData = new byte[hdi.length - ((to+1) - from)];
+ if (from > 0)
+ System.arraycopy(hdi, 0, hashData, 0, from);
+ if ((to+1) < hdi.length)
+ System.arraycopy(hdi, to+1, hashData, from, hdi.length - (to+1));
+ hashDataInputDigest = digest(hashData, signedDigestAlg);
+ } else {
+ hashDataInputDigest = digest(hdi, signedDigestAlg);
+ }
+
+ log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId);
+ if (!Arrays.equals(hashDataInputDigest, signedDigest)) {
+ log.error("Bad digest value for reference {}.", signedRefId);
+ throw new DigestException("Bad digest value for reference " + signedRefId);
+ }
verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding, filename));
}
diff --git a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
index 5ad9ec8..750cf35 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
+++ b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd
@@ -134,6 +134,12 @@
</element>
<element name="SignatureMethod" type="string" minOccurs="0"/>
<element name="DigestMethod" type="string" minOccurs="0"/>
+ <element name="ExcludedByteRange" minOccurs="0">
+ <complexType>
+ <attribute name="from" type="unsignedLong" use="required"/>
+ <attribute name="to" type="unsignedLong" use="required"/>
+ </complexType>
+ </element>
</sequence>
</extension>
</complexContent>
diff --git a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
index 52a3ffc..6041cf5 100644
--- a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
+++ b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java
@@ -24,15 +24,19 @@
package at.gv.egiz.stal;
+import java.math.BigInteger;
import java.util.List;
+
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
import javax.xml.bind.annotation.XmlTransient;
import javax.xml.bind.annotation.XmlType;
import javax.xml.bind.annotation.XmlValue;
+
/**
* <p>Java class for SignRequestType complex type.
*
@@ -55,6 +59,16 @@ import javax.xml.bind.annotation.XmlValue;
* &lt;/element>
* &lt;element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
* &lt;element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
+ * &lt;element name="ExcludedByteRange" minOccurs="0">
+ * &lt;complexType>
+ * &lt;complexContent>
+ * &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ * &lt;attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;/restriction>
+ * &lt;/complexContent>
+ * &lt;/complexType>
+ * &lt;/element>
* &lt;/sequence>
* &lt;/extension>
* &lt;/complexContent>
@@ -68,7 +82,8 @@ import javax.xml.bind.annotation.XmlValue;
"keyIdentifier",
"signedInfo",
"signatureMethod",
- "digestMethod"
+ "digestMethod",
+ "excludedByteRange"
})
public class SignRequest
extends STALRequest {
@@ -81,6 +96,8 @@ public class SignRequest
protected String signatureMethod;
@XmlElement(name = "DigestMethod")
protected String digestMethod;
+ @XmlElement(name = "ExcludedByteRange")
+ protected SignRequest.ExcludedByteRange excludedByteRange;
@XmlTransient
protected List<HashDataInput> hashData;
@@ -180,6 +197,30 @@ public class SignRequest
this.digestMethod = value;
}
+ /**
+ * Gets the value of the excludedByteRange property.
+ *
+ * @return
+ * possible object is
+ * {@link ExcludedByteRange.ExcludedByteRange }
+ *
+ */
+ public SignRequest.ExcludedByteRange getExcludedByteRange() {
+ return excludedByteRange;
+ }
+
+ /**
+ * Sets the value of the excludedByteRange property.
+ *
+ * @param value
+ * allowed object is
+ * {@link ExcludedByteRange.ExcludedByteRange }
+ *
+ */
+ public void setExcludedByteRange(SignRequest.ExcludedByteRange value) {
+ this.excludedByteRange = value;
+ }
+
public List<HashDataInput> getHashDataInput() {
return hashData;
}
@@ -188,6 +229,87 @@ public class SignRequest
this.hashData = hashData;
}
+
+ /**
+ * <p>Java class for anonymous complex type.
+ *
+ * <p>The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ * &lt;complexContent>
+ * &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ * &lt;attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;/restriction>
+ * &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ *
+ *
+ */
+ @XmlAccessorType(XmlAccessType.FIELD)
+ @XmlType(name = "")
+ public static class ExcludedByteRange {
+
+ @XmlAttribute(required = true)
+ @XmlSchemaType(name = "unsignedLong")
+ protected BigInteger from;
+ @XmlAttribute(required = true)
+ @XmlSchemaType(name = "unsignedLong")
+ protected BigInteger to;
+
+ /**
+ * Gets the value of the from property.
+ *
+ * @return
+ * possible object is
+ * {@link BigInteger }
+ *
+ */
+ public BigInteger getFrom() {
+ return from;
+ }
+
+ /**
+ * Sets the value of the from property.
+ *
+ * @param value
+ * allowed object is
+ * {@link BigInteger }
+ *
+ */
+ public void setFrom(BigInteger value) {
+ this.from = value;
+ }
+
+ /**
+ * Gets the value of the to property.
+ *
+ * @return
+ * possible object is
+ * {@link BigInteger }
+ *
+ */
+ public BigInteger getTo() {
+ return to;
+ }
+
+ /**
+ * Sets the value of the to property.
+ *
+ * @param value
+ * allowed object is
+ * {@link BigInteger }
+ *
+ */
+ public void setTo(BigInteger value) {
+ this.to = value;
+ }
+
+ }
+
+
/**
* <p>Java class for anonymous complex type.
*
@@ -267,4 +389,5 @@ public class SignRequest
}
}
+
}
diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
index 5ddadbe..ff9e88c 100644
--- a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
+++ b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java
@@ -41,6 +41,7 @@ import at.gv.egiz.stal.QuitRequest;
import at.gv.egiz.stal.STALRequest;
import at.gv.egiz.stal.STALResponse;
import at.gv.egiz.stal.SignRequest;
+import at.gv.egiz.stal.SignRequest.ExcludedByteRange;
import at.gv.egiz.stal.SignRequest.SignedInfo;
import at.gv.egiz.stal.SignResponse;
import at.gv.egiz.stal.StatusRequest;
@@ -225,6 +226,12 @@ public class STALTranslator {
req.setSignedInfo(signedInfo);
req.setSignatureMethod(((SignRequest) request).getSignatureMethod());
req.setDigestMethod(((SignRequest) request).getDigestMethod());
+ if (((SignRequest) request).getExcludedByteRange() != null) {
+ SignRequestType.ExcludedByteRange excludedByteRange = of.createSignRequestTypeExcludedByteRange();
+ excludedByteRange.setFrom(((SignRequest) request).getExcludedByteRange().getFrom());
+ excludedByteRange.setTo(((SignRequest) request).getExcludedByteRange().getTo());
+ req.setExcludedByteRange(excludedByteRange);
+ }
//TODO add hashdatainput (refactor signRequestType)
return of.createGetNextRequestResponseTypeSignRequest(req);
} else if (request instanceof InfoboxReadRequest) {
@@ -257,6 +264,12 @@ public class STALTranslator {
stalReq.setSignedInfo(signedInfo);
stalReq.setSignatureMethod(((SignRequestType) request).getSignatureMethod());
stalReq.setDigestMethod(((SignRequestType) request).getDigestMethod());
+ if (((SignRequestType) request).getExcludedByteRange() != null) {
+ ExcludedByteRange excludedByteRange = new ExcludedByteRange();
+ excludedByteRange.setFrom(((SignRequestType) request).getExcludedByteRange().getFrom());
+ excludedByteRange.setTo(((SignRequestType) request).getExcludedByteRange().getTo());
+ stalReq.setExcludedByteRange(excludedByteRange);
+ }
return stalReq;
} else if (request instanceof QuitRequestType) {
return new QuitRequest();
diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java
index f3b0040..ea7ca83 100644
--- a/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java
+++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java
@@ -129,6 +129,14 @@ public class ObjectFactory {
}
/**
+ * Create an instance of {@link SignRequestType.ExcludedByteRange }
+ *
+ */
+ public SignRequestType.ExcludedByteRange createSignRequestTypeExcludedByteRange() {
+ return new SignRequestType.ExcludedByteRange();
+ }
+
+ /**
* Create an instance of {@link GetHashDataInputType.Reference }
*
*/
diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
index 67755d6..84ccdc8 100644
--- a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
+++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java
@@ -25,10 +25,13 @@
package at.gv.egiz.stal.service.types;
+import java.math.BigInteger;
+
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlAttribute;
import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
import javax.xml.bind.annotation.XmlType;
import javax.xml.bind.annotation.XmlValue;
@@ -62,6 +65,16 @@ import javax.xml.bind.annotation.XmlValue;
* &lt;/element>
* &lt;element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
* &lt;element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
+ * &lt;element name="ExcludedByteRange" minOccurs="0">
+ * &lt;complexType>
+ * &lt;complexContent>
+ * &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ * &lt;attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;/restriction>
+ * &lt;/complexContent>
+ * &lt;/complexType>
+ * &lt;/element>
* &lt;/sequence>
* &lt;/extension>
* &lt;/complexContent>
@@ -75,7 +88,8 @@ import javax.xml.bind.annotation.XmlValue;
"keyIdentifier",
"signedInfo",
"signatureMethod",
- "digestMethod"
+ "digestMethod",
+ "excludedByteRange"
})
public class SignRequestType
extends RequestType
@@ -89,6 +103,8 @@ public class SignRequestType
protected String signatureMethod;
@XmlElement(name = "DigestMethod")
protected String digestMethod;
+ @XmlElement(name = "ExcludedByteRange")
+ protected SignRequestType.ExcludedByteRange excludedByteRange;
/**
* Gets the value of the keyIdentifier property.
@@ -186,6 +202,110 @@ public class SignRequestType
this.digestMethod = value;
}
+ /**
+ * Gets the value of the excludedByteRange property.
+ *
+ * @return
+ * possible object is
+ * {@link SignRequestType.ExcludedByteRange }
+ *
+ */
+ public SignRequestType.ExcludedByteRange getExcludedByteRange() {
+ return excludedByteRange;
+ }
+
+ /**
+ * Sets the value of the excludedByteRange property.
+ *
+ * @param value
+ * allowed object is
+ * {@link SignRequestType.ExcludedByteRange }
+ *
+ */
+ public void setExcludedByteRange(SignRequestType.ExcludedByteRange value) {
+ this.excludedByteRange = value;
+ }
+
+
+ /**
+ * <p>Java class for anonymous complex type.
+ *
+ * <p>The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ * &lt;complexContent>
+ * &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ * &lt;attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+ * &lt;/restriction>
+ * &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ *
+ *
+ */
+ @XmlAccessorType(XmlAccessType.FIELD)
+ @XmlType(name = "")
+ public static class ExcludedByteRange {
+
+ @XmlAttribute(required = true)
+ @XmlSchemaType(name = "unsignedLong")
+ protected BigInteger from;
+ @XmlAttribute(required = true)
+ @XmlSchemaType(name = "unsignedLong")
+ protected BigInteger to;
+
+ /**
+ * Gets the value of the from property.
+ *
+ * @return
+ * possible object is
+ * {@link BigInteger }
+ *
+ */
+ public BigInteger getFrom() {
+ return from;
+ }
+
+ /**
+ * Sets the value of the from property.
+ *
+ * @param value
+ * allowed object is
+ * {@link BigInteger }
+ *
+ */
+ public void setFrom(BigInteger value) {
+ this.from = value;
+ }
+
+ /**
+ * Gets the value of the to property.
+ *
+ * @return
+ * possible object is
+ * {@link BigInteger }
+ *
+ */
+ public BigInteger getTo() {
+ return to;
+ }
+
+ /**
+ * Sets the value of the to property.
+ *
+ * @param value
+ * allowed object is
+ * {@link BigInteger }
+ *
+ */
+ public void setTo(BigInteger value) {
+ this.to = value;
+ }
+
+ }
+
/**
* <p>Java class for anonymous complex type.
diff --git a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
index a82006f..83adfe3 100644
--- a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
+++ b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java
@@ -25,6 +25,8 @@
package at.gv.egiz.stal.service.translator;
+import java.math.BigInteger;
+
import at.gv.egiz.stal.STALRequest;
import at.gv.egiz.stal.STALResponse;
import at.gv.egiz.stal.SignRequest;
@@ -107,6 +109,12 @@ public class STALTranslatorTest {
assertEquals(request.getSignedInfo().isIsCMSSignedAttributes(), resultT.getSignedInfo().isIsCMSSignedAttributes());
assertEquals(request.getSignatureMethod(), resultT.getSignatureMethod());
assertEquals(request.getDigestMethod(), resultT.getDigestMethod());
+ if (request.getExcludedByteRange() == null)
+ assertNull(resultT.getExcludedByteRange());
+ else {
+ assertEquals(request.getExcludedByteRange().getFrom(), resultT.getExcludedByteRange().getFrom());
+ assertEquals(request.getExcludedByteRange().getTo(), resultT.getExcludedByteRange().getTo());
+ }
}
/**
@@ -122,6 +130,10 @@ public class STALTranslatorTest {
req.setSignedInfo(signedInfo);
req.setSignatureMethod("signatureMethod");
req.setDigestMethod("digestMethod");
+ SignRequestType.ExcludedByteRange excludedByteRange = of.createSignRequestTypeExcludedByteRange();
+ excludedByteRange.setFrom(BigInteger.ZERO);
+ excludedByteRange.setTo(BigInteger.ONE);
+ req.setExcludedByteRange(excludedByteRange);
JAXBElement<? extends RequestType> request = of.createGetNextRequestResponseTypeSignRequest(req);
STALTranslator instance = new STALTranslator();
STALRequest result = instance.translateWSRequest(request);
@@ -131,6 +143,12 @@ public class STALTranslatorTest {
assertEquals(req.getSignedInfo().isIsCMSSignedAttributes(), ((SignRequest) result).getSignedInfo().isIsCMSSignedAttributes());
assertEquals(req.getSignatureMethod(), ((SignRequest) result).getSignatureMethod());
assertEquals(req.getDigestMethod(), ((SignRequest) result).getDigestMethod());
+ if (req.getExcludedByteRange() == null)
+ assertNull(((SignRequest) result).getExcludedByteRange());
+ else {
+ assertEquals(req.getExcludedByteRange().getFrom(), ((SignRequest) result).getExcludedByteRange().getFrom());
+ assertEquals(req.getExcludedByteRange().getTo(), ((SignRequest) result).getExcludedByteRange().getTo());
+ }
}
@Test(expected=RuntimeException.class)
diff --git a/STALXService/src/main/resources/wsdl/stal.xsd b/STALXService/src/main/resources/wsdl/stal.xsd
index f102d21..9b77f0f 100644
--- a/STALXService/src/main/resources/wsdl/stal.xsd
+++ b/STALXService/src/main/resources/wsdl/stal.xsd
@@ -134,6 +134,12 @@
</element>
<element name="SignatureMethod" type="string" minOccurs="0"/>
<element name="DigestMethod" type="string" minOccurs="0"/>
+ <element name="ExcludedByteRange" minOccurs="0">
+ <complexType>
+ <attribute name="from" type="unsignedLong" use="required"/>
+ <attribute name="to" type="unsignedLong" use="required"/>
+ </complexType>
+ </element>
</sequence>
</extension>
</complexContent>
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java
index e25fd3a..e596e5c 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java
@@ -1,3 +1,27 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint
+ * initiative of the Federal Chancellery Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
package at.gv.egiz.bku.slcommands.impl.cms;
import java.io.ByteArrayInputStream;
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
index 8e71fa7..0792a98 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java
@@ -1,3 +1,27 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint
+ * initiative of the Federal Chancellery Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
package at.gv.egiz.bku.slcommands.impl.cms;
import java.security.PrivateKey;
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
index 7c8b2b4..77bfaaa 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java
@@ -1,3 +1,27 @@
+/*
+ * Copyright 2011 by Graz University of Technology, Austria
+ * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint
+ * initiative of the Federal Chancellery Austria and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+
+
package at.gv.egiz.bku.slcommands.impl.cms;
import iaik.asn1.DerCoder;
@@ -20,6 +44,7 @@ import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import at.buergerkarte.namespaces.securitylayer._1_2_3.ExcludedByteRangeType;
import at.gv.egiz.bku.slcommands.impl.xsect.STALSignatureException;
import at.gv.egiz.stal.ErrorResponse;
import at.gv.egiz.stal.HashDataInput;
@@ -41,13 +66,15 @@ public class STALSecurityProvider extends IaikProvider {
private String keyboxIdentifier;
private STAL stal;
private List<HashDataInput> hashDataInput;
+ private ExcludedByteRangeType excludedByteRange;
public STALSecurityProvider(STAL stal, String keyboxIdentifier,
- HashDataInput hashDataInput) {
+ HashDataInput hashDataInput, ExcludedByteRangeType excludedByteRange) {
this.keyboxIdentifier = keyboxIdentifier;
this.stal = stal;
this.hashDataInput = new ArrayList<HashDataInput>();
this.hashDataInput.add(hashDataInput);
+ this.excludedByteRange = excludedByteRange;
}
/* (non-Javadoc)
@@ -62,7 +89,7 @@ public class STALSecurityProvider extends IaikProvider {
STALPrivateKey spk = (STALPrivateKey) privateKey;
SignRequest signRequest = getSTALSignRequest(keyboxIdentifier, signedAttributes,
- spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput);
+ spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput, excludedByteRange);
log.debug("Sending STAL request ({})", privateKey.getAlgorithm());
List<STALResponse> responses =
@@ -88,7 +115,7 @@ public class STALSecurityProvider extends IaikProvider {
private static SignRequest getSTALSignRequest(String keyboxIdentifier,
byte[] signedAttributes, String signatureMethod, String digestMethod,
- List<HashDataInput> hashDataInput) {
+ List<HashDataInput> hashDataInput, ExcludedByteRangeType excludedByteRange) {
SignRequest signRequest = new SignRequest();
signRequest.setKeyIdentifier(keyboxIdentifier);
log.debug("SignedAttributes: " + Util.toBase64String(signedAttributes));
@@ -99,6 +126,12 @@ public class STALSecurityProvider extends IaikProvider {
signRequest.setSignatureMethod(signatureMethod);
signRequest.setDigestMethod(digestMethod);
signRequest.setHashDataInput(hashDataInput);
+ if (excludedByteRange != null) {
+ SignRequest.ExcludedByteRange ebr = new SignRequest.ExcludedByteRange();
+ ebr.setFrom(excludedByteRange.getFrom());
+ ebr.setTo(excludedByteRange.getTo());
+ signRequest.setExcludedByteRange(ebr);
+ }
return signRequest;
}
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
index 9e76bf2..937296b 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java
@@ -96,6 +96,7 @@ public class Signature {
private AlgorithmID digestAlgorithm;
private String signatureAlgorithmURI;
private String digestAlgorithmURI;
+ private ExcludedByteRangeType excludedByteRange;
public Signature(CMSDataObjectRequiredMetaType dataObject, String structure,
X509Certificate signingCertificate, Date signingTime, boolean useStrongHash)
@@ -175,20 +176,20 @@ public class Signature {
byte[] data = dataObject.getContent().getBase64Content();
this.signedDocument = data.clone();
- ExcludedByteRangeType ebr = dataObject.getExcludedByteRange();
- if (ebr == null)
+ this.excludedByteRange = dataObject.getExcludedByteRange();
+ if (this.excludedByteRange == null)
return data;
- int from = dataObject.getExcludedByteRange().getFrom().intValue();
- int to = dataObject.getExcludedByteRange().getTo().intValue();
+ int from = this.excludedByteRange.getFrom().intValue();
+ int to = this.excludedByteRange.getTo().intValue();
if (from > data.length || to > data.length || from > to)
- throw new InvalidParameterException("ExcludeByteRange contains invalid data: [" +
+ throw new InvalidParameterException("ExcludedByteRange contains invalid data: [" +
from + "-" + to + "], Content length: " + data.length);
- // Fill ExcludeByteRange with 0s for document to display in viewer
+ // Fill ExcludedByteRange with 0s for document to display in viewer
Arrays.fill(this.signedDocument, from, to+1, (byte)0);
- // Remove ExcludeByteRange from data to be signed
+ // Remove ExcludedByteRange from data to be signed
byte[] first = null;
byte[] second = null;
if (from > 0)
@@ -196,7 +197,7 @@ public class Signature {
if ((to + 1) < data.length)
second = Arrays.copyOfRange(data, to + 1, data.length);
data = ArrayUtils.addAll(first, second);
- log.debug("ExcludeByteRange [" + from + "-" + to + "], Content length: " + data.length);
+ log.debug("ExcludedByteRange [" + from + "-" + to + "], Content length: " + data.length);
return data;
}
@@ -282,8 +283,8 @@ public class Signature {
}
public byte[] sign(STAL stal, String keyboxIdentifier) throws CMSException, CMSSignatureException, SLCommandException {
- signedData.setSecurityProvider(
- new STALSecurityProvider(stal, keyboxIdentifier, getHashDataInput()));
+ signedData.setSecurityProvider(new STALSecurityProvider(
+ stal, keyboxIdentifier, getHashDataInput(), this.excludedByteRange));
setSignerInfo();
ContentInfo contentInfo = new ContentInfo(signedData);
return contentInfo.getEncoded();
diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
index dba822e..3026d27 100644
--- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
+++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java
@@ -67,7 +67,6 @@ public class SignRequestHandler extends AbstractRequestHandler {
private final static Logger log = LoggerFactory.getLogger(SignRequestHandler.class);
private final static String CMS_DEF_SIGNEDINFO_ID = "SignedInfo-1";
- private final static String CMS_DEF_OBJECT_ID = "SignatureData-1";
private final static String OID_MESSAGEDIGEST = "1.2.840.113549.1.9.4";
private static JAXBContext jaxbContext;
@@ -178,7 +177,6 @@ public class SignRequestHandler extends AbstractRequestHandler {
List<ReferenceType> references = signedInfo.getReference();
ReferenceType reference = new ReferenceType();
reference.setId(HashDataInput.CMS_DEF_REFERENCE_ID);
- reference.setURI(CMS_DEF_OBJECT_ID);
DigestMethodType digestMethod = new DigestMethodType();
digestMethod.setAlgorithm(signReq.getDigestMethod());
reference.setDigestMethod(digestMethod);
@@ -204,6 +202,13 @@ public class SignRequestHandler extends AbstractRequestHandler {
throw new SignatureException(e);
}
reference.setDigestValue(messageDigest);
+ if (signReq.getExcludedByteRange() != null) {
+ // Abuse URI to store ExcludedByteRange
+ String range = "CMSExcludedByteRange:" +
+ signReq.getExcludedByteRange().getFrom() + "-" +
+ signReq.getExcludedByteRange().getTo();
+ reference.setURI(range);
+ }
references.add(reference);
return signedInfo;
}