From 438727ab21b5e80d1771279b988d6aed57ba3ab1 Mon Sep 17 00:00:00 2001 From: tkellner Date: Fri, 13 Dec 2013 04:06:05 +0000 Subject: Add ExcludedByteRange to STAL SignatureRequest, honour it for digest calculation git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1264 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/online/applet/AppletSecureViewer.java | 57 ++++++---- BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd | 6 + .../src/main/java/at/gv/egiz/stal/SignRequest.java | 125 ++++++++++++++++++++- .../stal/service/translator/STALTranslator.java | 13 +++ .../gv/egiz/stal/service/types/ObjectFactory.java | 8 ++ .../egiz/stal/service/types/SignRequestType.java | 122 +++++++++++++++++++- .../service/translator/STALTranslatorTest.java | 18 +++ STALXService/src/main/resources/wsdl/stal.xsd | 6 + .../bku/slcommands/impl/cms/CMSHashDataInput.java | 24 ++++ .../bku/slcommands/impl/cms/STALPrivateKey.java | 24 ++++ .../slcommands/impl/cms/STALSecurityProvider.java | 39 ++++++- .../gv/egiz/bku/slcommands/impl/cms/Signature.java | 21 ++-- .../gv/egiz/bku/smccstal/SignRequestHandler.java | 9 +- 13 files changed, 434 insertions(+), 38 deletions(-) diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java index 773bab80..3b9ee1d2 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java @@ -24,6 +24,19 @@ package at.gv.egiz.bku.online.applet; +import iaik.me.security.CryptoException; +import iaik.me.security.MessageDigest; + +import java.awt.event.ActionListener; +import java.security.DigestException; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.bku.gui.BKUGUIFacade; import at.gv.egiz.bku.smccstal.SecureViewer; import at.gv.egiz.stal.HashDataInput; @@ -34,17 +47,6 @@ import at.gv.egiz.stal.service.types.GetHashDataInputResponseType; import at.gv.egiz.stal.service.types.GetHashDataInputType; import at.gv.egiz.stal.signedinfo.ReferenceType; import at.gv.egiz.stal.signedinfo.SignedInfoType; -import java.awt.event.ActionListener; -import java.security.DigestException; - -import iaik.me.security.CryptoException; -import iaik.me.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; /** * @@ -196,17 +198,30 @@ public class AppletSecureViewer implements SecureViewer { log.debug("Digesting reference " + signedRefId + " (" + mimeType + ";" + encoding + ")"); } -// if (signedDigestAlg.startsWith("CMS:")) { -// log.info("CMS signature - skip verifying hashdata for now"); -// } else { - byte[] hashDataInputDigest = digest(hdi, signedDigestAlg); + byte[] hashDataInputDigest; + if ((signedRef.getURI() != null) && signedRef.getURI().startsWith("CMSExcludedByteRange:")) { + String range = signedRef.getURI().substring(21); + int sep = range.indexOf('-'); + int from = Integer.parseInt(range.substring(0, sep)); + int to = Integer.parseInt(range.substring(sep+1)); - log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId); - if (!Arrays.equals(hashDataInputDigest, signedDigest)) { - log.error("Bad digest value for reference {}.", signedRefId); - throw new DigestException("Bad digest value for reference " + signedRefId); - } -// } + Arrays.fill(hdi, from, to+1, (byte)0); + + byte[] hashData = new byte[hdi.length - ((to+1) - from)]; + if (from > 0) + System.arraycopy(hdi, 0, hashData, 0, from); + if ((to+1) < hdi.length) + System.arraycopy(hdi, to+1, hashData, from, hdi.length - (to+1)); + hashDataInputDigest = digest(hashData, signedDigestAlg); + } else { + hashDataInputDigest = digest(hdi, signedDigestAlg); + } + + log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId); + if (!Arrays.equals(hashDataInputDigest, signedDigest)) { + log.error("Bad digest value for reference {}.", signedRefId); + throw new DigestException("Bad digest value for reference " + signedRefId); + } verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding, filename)); } diff --git a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd index 5ad9ec83..750cf355 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd +++ b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd @@ -134,6 +134,12 @@ + + + + + + diff --git a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java index 52a3ffcd..6041cf5d 100644 --- a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java +++ b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java @@ -24,15 +24,19 @@ package at.gv.egiz.stal; +import java.math.BigInteger; import java.util.List; + import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlAttribute; import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlSchemaType; import javax.xml.bind.annotation.XmlTransient; import javax.xml.bind.annotation.XmlType; import javax.xml.bind.annotation.XmlValue; + /** *

Java class for SignRequestType complex type. * @@ -55,6 +59,16 @@ import javax.xml.bind.annotation.XmlValue; * </element> * <element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> * <element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> + * <element name="ExcludedByteRange" minOccurs="0"> + * <complexType> + * <complexContent> + * <restriction base="{http://www.w3.org/2001/XMLSchema}anyType"> + * <attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" /> + * <attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" /> + * </restriction> + * </complexContent> + * </complexType> + * </element> * </sequence> * </extension> * </complexContent> @@ -68,7 +82,8 @@ import javax.xml.bind.annotation.XmlValue; "keyIdentifier", "signedInfo", "signatureMethod", - "digestMethod" + "digestMethod", + "excludedByteRange" }) public class SignRequest extends STALRequest { @@ -81,6 +96,8 @@ public class SignRequest protected String signatureMethod; @XmlElement(name = "DigestMethod") protected String digestMethod; + @XmlElement(name = "ExcludedByteRange") + protected SignRequest.ExcludedByteRange excludedByteRange; @XmlTransient protected List hashData; @@ -180,6 +197,30 @@ public class SignRequest this.digestMethod = value; } + /** + * Gets the value of the excludedByteRange property. + * + * @return + * possible object is + * {@link ExcludedByteRange.ExcludedByteRange } + * + */ + public SignRequest.ExcludedByteRange getExcludedByteRange() { + return excludedByteRange; + } + + /** + * Sets the value of the excludedByteRange property. + * + * @param value + * allowed object is + * {@link ExcludedByteRange.ExcludedByteRange } + * + */ + public void setExcludedByteRange(SignRequest.ExcludedByteRange value) { + this.excludedByteRange = value; + } + public List getHashDataInput() { return hashData; } @@ -188,6 +229,87 @@ public class SignRequest this.hashData = hashData; } + + /** + *

Java class for anonymous complex type. + * + *

The following schema fragment specifies the expected content contained within this class. + * + * 

+     * <complexType>
+     *   <complexContent>
+     *     <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+     *       <attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+     *       <attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+     *     </restriction>
+     *   </complexContent>
+     * </complexType>
+     *
+ * + * + */ + @XmlAccessorType(XmlAccessType.FIELD) + @XmlType(name = "") + public static class ExcludedByteRange { + + @XmlAttribute(required = true) + @XmlSchemaType(name = "unsignedLong") + protected BigInteger from; + @XmlAttribute(required = true) + @XmlSchemaType(name = "unsignedLong") + protected BigInteger to; + + /** + * Gets the value of the from property. + * + * @return + * possible object is + * {@link BigInteger } + * + */ + public BigInteger getFrom() { + return from; + } + + /** + * Sets the value of the from property. + * + * @param value + * allowed object is + * {@link BigInteger } + * + */ + public void setFrom(BigInteger value) { + this.from = value; + } + + /** + * Gets the value of the to property. + * + * @return + * possible object is + * {@link BigInteger } + * + */ + public BigInteger getTo() { + return to; + } + + /** + * Sets the value of the to property. + * + * @param value + * allowed object is + * {@link BigInteger } + * + */ + public void setTo(BigInteger value) { + this.to = value; + } + + } + + /** *

Java class for anonymous complex type. * @@ -267,4 +389,5 @@ public class SignRequest } } + } diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java index 5ddadbe7..ff9e88ca 100644 --- a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java +++ b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java @@ -41,6 +41,7 @@ import at.gv.egiz.stal.QuitRequest; import at.gv.egiz.stal.STALRequest; import at.gv.egiz.stal.STALResponse; import at.gv.egiz.stal.SignRequest; +import at.gv.egiz.stal.SignRequest.ExcludedByteRange; import at.gv.egiz.stal.SignRequest.SignedInfo; import at.gv.egiz.stal.SignResponse; import at.gv.egiz.stal.StatusRequest; @@ -225,6 +226,12 @@ public class STALTranslator { req.setSignedInfo(signedInfo); req.setSignatureMethod(((SignRequest) request).getSignatureMethod()); req.setDigestMethod(((SignRequest) request).getDigestMethod()); + if (((SignRequest) request).getExcludedByteRange() != null) { + SignRequestType.ExcludedByteRange excludedByteRange = of.createSignRequestTypeExcludedByteRange(); + excludedByteRange.setFrom(((SignRequest) request).getExcludedByteRange().getFrom()); + excludedByteRange.setTo(((SignRequest) request).getExcludedByteRange().getTo()); + req.setExcludedByteRange(excludedByteRange); + } //TODO add hashdatainput (refactor signRequestType) return of.createGetNextRequestResponseTypeSignRequest(req); } else if (request instanceof InfoboxReadRequest) { @@ -257,6 +264,12 @@ public class STALTranslator { stalReq.setSignedInfo(signedInfo); stalReq.setSignatureMethod(((SignRequestType) request).getSignatureMethod()); stalReq.setDigestMethod(((SignRequestType) request).getDigestMethod()); + if (((SignRequestType) request).getExcludedByteRange() != null) { + ExcludedByteRange excludedByteRange = new ExcludedByteRange(); + excludedByteRange.setFrom(((SignRequestType) request).getExcludedByteRange().getFrom()); + excludedByteRange.setTo(((SignRequestType) request).getExcludedByteRange().getTo()); + stalReq.setExcludedByteRange(excludedByteRange); + } return stalReq; } else if (request instanceof QuitRequestType) { return new QuitRequest(); diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java index f3b00402..ea7ca837 100644 --- a/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java +++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/ObjectFactory.java @@ -128,6 +128,14 @@ public class ObjectFactory { return new SignRequestType.SignedInfo(); } + /** + * Create an instance of {@link SignRequestType.ExcludedByteRange } + * + */ + public SignRequestType.ExcludedByteRange createSignRequestTypeExcludedByteRange() { + return new SignRequestType.ExcludedByteRange(); + } + /** * Create an instance of {@link GetHashDataInputType.Reference } * diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java index 67755d69..84ccdc8a 100644 --- a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java +++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java @@ -25,10 +25,13 @@ package at.gv.egiz.stal.service.types; +import java.math.BigInteger; + import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlAttribute; import javax.xml.bind.annotation.XmlElement; +import javax.xml.bind.annotation.XmlSchemaType; import javax.xml.bind.annotation.XmlType; import javax.xml.bind.annotation.XmlValue; @@ -62,6 +65,16 @@ import javax.xml.bind.annotation.XmlValue; * </element> * <element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> * <element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> + * <element name="ExcludedByteRange" minOccurs="0"> + * <complexType> + * <complexContent> + * <restriction base="{http://www.w3.org/2001/XMLSchema}anyType"> + * <attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" /> + * <attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" /> + * </restriction> + * </complexContent> + * </complexType> + * </element> * </sequence> * </extension> * </complexContent> @@ -75,7 +88,8 @@ import javax.xml.bind.annotation.XmlValue; "keyIdentifier", "signedInfo", "signatureMethod", - "digestMethod" + "digestMethod", + "excludedByteRange" }) public class SignRequestType extends RequestType @@ -89,6 +103,8 @@ public class SignRequestType protected String signatureMethod; @XmlElement(name = "DigestMethod") protected String digestMethod; + @XmlElement(name = "ExcludedByteRange") + protected SignRequestType.ExcludedByteRange excludedByteRange; /** * Gets the value of the keyIdentifier property. @@ -186,6 +202,110 @@ public class SignRequestType this.digestMethod = value; } + /** + * Gets the value of the excludedByteRange property. + * + * @return + * possible object is + * {@link SignRequestType.ExcludedByteRange } + * + */ + public SignRequestType.ExcludedByteRange getExcludedByteRange() { + return excludedByteRange; + } + + /** + * Sets the value of the excludedByteRange property. + * + * @param value + * allowed object is + * {@link SignRequestType.ExcludedByteRange } + * + */ + public void setExcludedByteRange(SignRequestType.ExcludedByteRange value) { + this.excludedByteRange = value; + } + + + /** + *

Java class for anonymous complex type. + * + *

The following schema fragment specifies the expected content contained within this class. + * + * 

+     * <complexType>
+     *   <complexContent>
+     *     <restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+     *       <attribute name="from" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+     *       <attribute name="to" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedLong" />
+     *     </restriction>
+     *   </complexContent>
+     * </complexType>
+     *
+ * + * + */ + @XmlAccessorType(XmlAccessType.FIELD) + @XmlType(name = "") + public static class ExcludedByteRange { + + @XmlAttribute(required = true) + @XmlSchemaType(name = "unsignedLong") + protected BigInteger from; + @XmlAttribute(required = true) + @XmlSchemaType(name = "unsignedLong") + protected BigInteger to; + + /** + * Gets the value of the from property. + * + * @return + * possible object is + * {@link BigInteger } + * + */ + public BigInteger getFrom() { + return from; + } + + /** + * Sets the value of the from property. + * + * @param value + * allowed object is + * {@link BigInteger } + * + */ + public void setFrom(BigInteger value) { + this.from = value; + } + + /** + * Gets the value of the to property. + * + * @return + * possible object is + * {@link BigInteger } + * + */ + public BigInteger getTo() { + return to; + } + + /** + * Sets the value of the to property. + * + * @param value + * allowed object is + * {@link BigInteger } + * + */ + public void setTo(BigInteger value) { + this.to = value; + } + + } + /** *

Java class for anonymous complex type. diff --git a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java index a82006fc..83adfe30 100644 --- a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java +++ b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java @@ -25,6 +25,8 @@ package at.gv.egiz.stal.service.translator; +import java.math.BigInteger; + import at.gv.egiz.stal.STALRequest; import at.gv.egiz.stal.STALResponse; import at.gv.egiz.stal.SignRequest; @@ -107,6 +109,12 @@ public class STALTranslatorTest { assertEquals(request.getSignedInfo().isIsCMSSignedAttributes(), resultT.getSignedInfo().isIsCMSSignedAttributes()); assertEquals(request.getSignatureMethod(), resultT.getSignatureMethod()); assertEquals(request.getDigestMethod(), resultT.getDigestMethod()); + if (request.getExcludedByteRange() == null) + assertNull(resultT.getExcludedByteRange()); + else { + assertEquals(request.getExcludedByteRange().getFrom(), resultT.getExcludedByteRange().getFrom()); + assertEquals(request.getExcludedByteRange().getTo(), resultT.getExcludedByteRange().getTo()); + } } /** @@ -122,6 +130,10 @@ public class STALTranslatorTest { req.setSignedInfo(signedInfo); req.setSignatureMethod("signatureMethod"); req.setDigestMethod("digestMethod"); + SignRequestType.ExcludedByteRange excludedByteRange = of.createSignRequestTypeExcludedByteRange(); + excludedByteRange.setFrom(BigInteger.ZERO); + excludedByteRange.setTo(BigInteger.ONE); + req.setExcludedByteRange(excludedByteRange); JAXBElement request = of.createGetNextRequestResponseTypeSignRequest(req); STALTranslator instance = new STALTranslator(); STALRequest result = instance.translateWSRequest(request); @@ -131,6 +143,12 @@ public class STALTranslatorTest { assertEquals(req.getSignedInfo().isIsCMSSignedAttributes(), ((SignRequest) result).getSignedInfo().isIsCMSSignedAttributes()); assertEquals(req.getSignatureMethod(), ((SignRequest) result).getSignatureMethod()); assertEquals(req.getDigestMethod(), ((SignRequest) result).getDigestMethod()); + if (req.getExcludedByteRange() == null) + assertNull(((SignRequest) result).getExcludedByteRange()); + else { + assertEquals(req.getExcludedByteRange().getFrom(), ((SignRequest) result).getExcludedByteRange().getFrom()); + assertEquals(req.getExcludedByteRange().getTo(), ((SignRequest) result).getExcludedByteRange().getTo()); + } } @Test(expected=RuntimeException.class) diff --git a/STALXService/src/main/resources/wsdl/stal.xsd b/STALXService/src/main/resources/wsdl/stal.xsd index f102d215..9b77f0f9 100644 --- a/STALXService/src/main/resources/wsdl/stal.xsd +++ b/STALXService/src/main/resources/wsdl/stal.xsd @@ -134,6 +134,12 @@ + + + + + + diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java index e25fd3ab..e596e5c8 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/CMSHashDataInput.java @@ -1,3 +1,27 @@ +/* + * Copyright 2011 by Graz University of Technology, Austria + * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint + * initiative of the Federal Chancellery Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + package at.gv.egiz.bku.slcommands.impl.cms; import java.io.ByteArrayInputStream; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java index 8e71fa7c..0792a987 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java @@ -1,3 +1,27 @@ +/* + * Copyright 2011 by Graz University of Technology, Austria + * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint + * initiative of the Federal Chancellery Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + package at.gv.egiz.bku.slcommands.impl.cms; import java.security.PrivateKey; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java index 7c8b2b4e..77bfaaa7 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java @@ -1,3 +1,27 @@ +/* + * Copyright 2011 by Graz University of Technology, Austria + * MOCCA has been developed by the E-Government Innovation Center EGIZ, a joint + * initiative of the Federal Chancellery Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + package at.gv.egiz.bku.slcommands.impl.cms; import iaik.asn1.DerCoder; @@ -20,6 +44,7 @@ import java.util.List; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.buergerkarte.namespaces.securitylayer._1_2_3.ExcludedByteRangeType; import at.gv.egiz.bku.slcommands.impl.xsect.STALSignatureException; import at.gv.egiz.stal.ErrorResponse; import at.gv.egiz.stal.HashDataInput; @@ -41,13 +66,15 @@ public class STALSecurityProvider extends IaikProvider { private String keyboxIdentifier; private STAL stal; private List hashDataInput; + private ExcludedByteRangeType excludedByteRange; public STALSecurityProvider(STAL stal, String keyboxIdentifier, - HashDataInput hashDataInput) { + HashDataInput hashDataInput, ExcludedByteRangeType excludedByteRange) { this.keyboxIdentifier = keyboxIdentifier; this.stal = stal; this.hashDataInput = new ArrayList(); this.hashDataInput.add(hashDataInput); + this.excludedByteRange = excludedByteRange; } /* (non-Javadoc) @@ -62,7 +89,7 @@ public class STALSecurityProvider extends IaikProvider { STALPrivateKey spk = (STALPrivateKey) privateKey; SignRequest signRequest = getSTALSignRequest(keyboxIdentifier, signedAttributes, - spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput); + spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput, excludedByteRange); log.debug("Sending STAL request ({})", privateKey.getAlgorithm()); List responses = @@ -88,7 +115,7 @@ public class STALSecurityProvider extends IaikProvider { private static SignRequest getSTALSignRequest(String keyboxIdentifier, byte[] signedAttributes, String signatureMethod, String digestMethod, - List hashDataInput) { + List hashDataInput, ExcludedByteRangeType excludedByteRange) { SignRequest signRequest = new SignRequest(); signRequest.setKeyIdentifier(keyboxIdentifier); log.debug("SignedAttributes: " + Util.toBase64String(signedAttributes)); @@ -99,6 +126,12 @@ public class STALSecurityProvider extends IaikProvider { signRequest.setSignatureMethod(signatureMethod); signRequest.setDigestMethod(digestMethod); signRequest.setHashDataInput(hashDataInput); + if (excludedByteRange != null) { + SignRequest.ExcludedByteRange ebr = new SignRequest.ExcludedByteRange(); + ebr.setFrom(excludedByteRange.getFrom()); + ebr.setTo(excludedByteRange.getTo()); + signRequest.setExcludedByteRange(ebr); + } return signRequest; } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java index 9e76bf22..937296b1 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java @@ -96,6 +96,7 @@ public class Signature { private AlgorithmID digestAlgorithm; private String signatureAlgorithmURI; private String digestAlgorithmURI; + private ExcludedByteRangeType excludedByteRange; public Signature(CMSDataObjectRequiredMetaType dataObject, String structure, X509Certificate signingCertificate, Date signingTime, boolean useStrongHash) @@ -175,20 +176,20 @@ public class Signature { byte[] data = dataObject.getContent().getBase64Content(); this.signedDocument = data.clone(); - ExcludedByteRangeType ebr = dataObject.getExcludedByteRange(); - if (ebr == null) + this.excludedByteRange = dataObject.getExcludedByteRange(); + if (this.excludedByteRange == null) return data; - int from = dataObject.getExcludedByteRange().getFrom().intValue(); - int to = dataObject.getExcludedByteRange().getTo().intValue(); + int from = this.excludedByteRange.getFrom().intValue(); + int to = this.excludedByteRange.getTo().intValue(); if (from > data.length || to > data.length || from > to) - throw new InvalidParameterException("ExcludeByteRange contains invalid data: [" + + throw new InvalidParameterException("ExcludedByteRange contains invalid data: [" + from + "-" + to + "], Content length: " + data.length); - // Fill ExcludeByteRange with 0s for document to display in viewer + // Fill ExcludedByteRange with 0s for document to display in viewer Arrays.fill(this.signedDocument, from, to+1, (byte)0); - // Remove ExcludeByteRange from data to be signed + // Remove ExcludedByteRange from data to be signed byte[] first = null; byte[] second = null; if (from > 0) @@ -196,7 +197,7 @@ public class Signature { if ((to + 1) < data.length) second = Arrays.copyOfRange(data, to + 1, data.length); data = ArrayUtils.addAll(first, second); - log.debug("ExcludeByteRange [" + from + "-" + to + "], Content length: " + data.length); + log.debug("ExcludedByteRange [" + from + "-" + to + "], Content length: " + data.length); return data; } @@ -282,8 +283,8 @@ public class Signature { } public byte[] sign(STAL stal, String keyboxIdentifier) throws CMSException, CMSSignatureException, SLCommandException { - signedData.setSecurityProvider( - new STALSecurityProvider(stal, keyboxIdentifier, getHashDataInput())); + signedData.setSecurityProvider(new STALSecurityProvider( + stal, keyboxIdentifier, getHashDataInput(), this.excludedByteRange)); setSignerInfo(); ContentInfo contentInfo = new ContentInfo(signedData); return contentInfo.getEncoded(); diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java index dba822ea..3026d27a 100644 --- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java +++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java @@ -67,7 +67,6 @@ public class SignRequestHandler extends AbstractRequestHandler { private final static Logger log = LoggerFactory.getLogger(SignRequestHandler.class); private final static String CMS_DEF_SIGNEDINFO_ID = "SignedInfo-1"; - private final static String CMS_DEF_OBJECT_ID = "SignatureData-1"; private final static String OID_MESSAGEDIGEST = "1.2.840.113549.1.9.4"; private static JAXBContext jaxbContext; @@ -178,7 +177,6 @@ public class SignRequestHandler extends AbstractRequestHandler { List references = signedInfo.getReference(); ReferenceType reference = new ReferenceType(); reference.setId(HashDataInput.CMS_DEF_REFERENCE_ID); - reference.setURI(CMS_DEF_OBJECT_ID); DigestMethodType digestMethod = new DigestMethodType(); digestMethod.setAlgorithm(signReq.getDigestMethod()); reference.setDigestMethod(digestMethod); @@ -204,6 +202,13 @@ public class SignRequestHandler extends AbstractRequestHandler { throw new SignatureException(e); } reference.setDigestValue(messageDigest); + if (signReq.getExcludedByteRange() != null) { + // Abuse URI to store ExcludedByteRange + String range = "CMSExcludedByteRange:" + + signReq.getExcludedByteRange().getFrom() + "-" + + signReq.getExcludedByteRange().getTo(); + reference.setURI(range); + } references.add(reference); return signedInfo; } -- cgit v1.2.3