From ac5be55b6300718d64e19b01a36181ecf57c9987 Mon Sep 17 00:00:00 2001 From: Tobias Kellner Date: Tue, 13 Jan 2015 02:02:32 +0100 Subject: XAdES1.4 Blacklist added --- .../AbstractCommandSequenceBindingProcessor.java | 2 +- .../egiz/bku/binding/HTTPBindingProcessorImpl.java | 7 ++- .../gv/egiz/bku/slcommands/SLCommandContext.java | 22 +++++---- .../impl/CreateXMLSignatureCommandImpl.java | 54 +++++++++++++++++++--- .../impl/CreateCMSSignatureCommandImplTest.java | 2 +- .../impl/CreateXMLSignatureCommandImplTest.java | 4 +- .../slcommands/impl/InfoboxReadComandImplTest.java | 4 +- .../impl/SVPersonendatenInfoboxImplTest.java | 4 +- 8 files changed, 75 insertions(+), 24 deletions(-) diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java index 301514ab..0f262599 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/AbstractCommandSequenceBindingProcessor.java @@ -99,7 +99,7 @@ public abstract class AbstractCommandSequenceBindingProcessor extends AbstractBi SLCommand command; do { command = getNextCommand(); - SLCommandContext context = new SLCommandContext(getSTAL(), getUrlDereferencer(), locale); + SLCommandContext context = new SLCommandContext(getSTAL(), getUrlDereferencer(), null, locale); SLResult result = null; if (external) { result = commandBroker.execute(command, context, 3 * 60 * 1000); diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java index 98218e52..943e8707 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java 
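Review bot: The mocca-id path now passes `null` as the DataURL, and in CreateXMLSignatureCommandImpl the new blacklist check is guarded by `if (dataURL != null)`, so for command sequences built here the XAdES 1.4 blacklist is never consulted and XAdES 1.4 is used whenever `UseXAdES14` is set. If that is intended, a short comment on the changed line would stop the next reader from treating it as an oversight, e.g. `// no DataURL for mocca-id command sequences: the XAdES 1.4 blacklist check does not apply here`. The enclosing do-while and method continue outside the hunk.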
@@ -121,6 +121,10 @@ public class HTTPBindingProcessorImpl extends AbstractBindingProcessor implement public static final String USE_XADES_1_4 = "UseXAdES14"; + public static final String USE_XADES_1_4_BLACKLIST = "UseXAdES14Blacklist"; + + public static final String XADES_1_4_BLACKLIST_URL = "http://www.buergerkarte.at/BKU_XAdES_14_blacklist.txt"; + public static final String ALLOW_OTHER_REDIRECTS = "AllowOtherRedirects"; public int getMaxDataUrlHops() { @@ -340,7 +344,8 @@ public class HTTPBindingProcessorImpl extends AbstractBindingProcessor implement log.info("Entered State: {}, Processing {}.", State.PROCESS, slCommand.getName()); SLCommandContext commandCtx = new SLCommandContext( getSTAL(), - new FormDataURLDereferencer(urlDereferencer, this), + new FormDataURLDereferencer(urlDereferencer, this), + getDataUrl(), locale); commandInvoker.setCommand(commandCtx, slCommand); responseCode = 200; diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java index 6615f767..cf2e4875 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/SLCommandContext.java 
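Review bot: `XADES_1_4_BLACKLIST_URL` is a plain `http://` URL, so the list that decides whether a DataURL is downgraded from XAdES 1.4 is fetched without transport integrity or authentication, and it is the only one of the three new values that cannot be overridden through configuration (the neighbouring `UseXAdES14Blacklist` is read via the configuration facade, the URL is used directly in CreateXMLSignatureCommandImpl). I would serve the list over TLS, e.g. an `https://` URL on the same host, and read the location from a configuration key with this constant as the default, `public static final String XADES_1_4_BLACKLIST_URL_KEY = "XAdES14BlacklistURL";` next to the existing keys. A one-line Javadoc stating the file format the loader expects (whitespace-separated regular expressions matched against the full DataURL, as the scanner and `matches()` in the consumer imply) would also help operators who maintain the file.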
@@ -30,22 +30,25 @@ import at.gv.egiz.bku.utils.urldereferencer.URLDereferencer; import at.gv.egiz.stal.STAL; public class SLCommandContext { - + private STAL stal; - + private URLDereferencer urlDereferencer; - + private Locale locale; - public SLCommandContext(STAL stal, URLDereferencer urlDereferencer) { + private String dataURL; + + public SLCommandContext(STAL stal, URLDereferencer urlDereferencer, + String dataURL) { this.stal = stal; this.urlDereferencer = urlDereferencer; + this.dataURL = dataURL; } public SLCommandContext(STAL stal, URLDereferencer urlDereferencer, - Locale locale) { - this.stal = stal; - this.urlDereferencer = urlDereferencer; + String dataURL, Locale locale) { + this(stal, urlDereferencer, dataURL); this.locale = locale; } @@ -72,5 +75,8 @@ public class SLCommandContext { public void setLocale(Locale locale) { this.locale = locale; } - + + public String getDataURL() { + return dataURL; + } } \ No newline at end of file diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java index 93b118e5..174a8884 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImpl.java @@ -24,11 +24,15 @@ package at.gv.egiz.bku.slcommands.impl; +import java.io.InputStream; +import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Collections; import java.util.Date; import java.util.List; +import java.util.Scanner; import javax.xml.crypto.MarshalException; import javax.xml.crypto.URIReferenceException; 
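Review bot: The new `dataURL` field, constructor parameter and `getDataURL()` carry no Javadoc, and the call sites in this commit disagree on nullability (HTTPBindingProcessorImpl passes `getDataUrl()`, AbstractCommandSequenceBindingProcessor and every test pass `null`), so the contract should be stated on the field: `/** DataURL the command is bound to, or {@code null} when the command is not processed by an HTTP binding; checks that depend on it (e.g. the XAdES 1.4 blacklist) are skipped in that case. */`. As a point of style, the field is only assigned in the three-argument constructor that the four-argument one now delegates to, so it can be `private final String dataURL;`. The class body continues outside the hunk.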
@@ -73,7 +77,7 @@ public class CreateXMLSignatureCommandImpl extends /** * Logging facility. */ - private final Logger log = LoggerFactory.getLogger(CreateXMLSignatureCommandImpl.class); + private final static Logger log = LoggerFactory.getLogger(CreateXMLSignatureCommandImpl.class); /** * The signing certificate. @@ -100,20 +104,42 @@ public class CreateXMLSignatureCommandImpl extends public static final String USE_STRONG_HASH = "UseStrongHash"; public static final String USE_XADES_1_4 = - HTTPBindingProcessorImpl.ConfigurationFacade.USE_XADES_1_4; + HTTPBindingProcessorImpl.ConfigurationFacade.USE_XADES_1_4; + public static final String USE_XADES_1_4_BLACKLIST = + HTTPBindingProcessorImpl.ConfigurationFacade.USE_XADES_1_4_BLACKLIST; public void setConfiguration(Configuration configuration) { - this.configuration = configuration; + this.configuration = configuration; } public boolean getUseStrongHash() { - return configuration.getBoolean(USE_STRONG_HASH, true); + return configuration.getBoolean(USE_STRONG_HASH, true); } public boolean getUseXAdES14() { - return configuration.getBoolean(USE_XADES_1_4, false); + return configuration.getBoolean(USE_XADES_1_4, false); } -} + + public boolean getUseXAdES14Blacklist() { + return configuration.getBoolean(USE_XADES_1_4_BLACKLIST, false); + } + } + + private static final List XADES_1_4_BLACKLIST; + static { + XADES_1_4_BLACKLIST = new ArrayList(); + try { + URL bl = new URL(HTTPBindingProcessorImpl.ConfigurationFacade.XADES_1_4_BLACKLIST_URL); + InputStream in = bl.openStream(); + Scanner s = new Scanner(in); + while (s.hasNext()){ + XADES_1_4_BLACKLIST.add(s.next()); + } + s.close(); + } catch (Exception e) { + log.error("Blacklist load error", e); + } + } public void setConfiguration(Configuration configuration) { configurationFacade.setConfiguration(configuration); 
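Review bot: In the static initializer the stream from `bl.openStream()` is only closed by `s.close()` on the success path; any exception in `openStream`, `hasNext` or `next` leaks it, and because the connection is opened with default timeouts class initialisation of CreateXMLSignatureCommandImpl can block for as long as the remote host keeps the connection open. On any failure the catch only logs and the list stays empty, which is fail-open: every DataURL then gets XAdES 1.4, so the log line should say that explicitly, and `Scanner` silently swallows read errors (check `s.ioException()` after the loop) and uses the platform charset. The list is also raw-typed and mutable; the rewrite below moves the work into a helper with a `finally` close, explicit timeouts (sample values, make them configurable) and an unmodifiable `List<String>`, and needs `java.net.URLConnection` and `java.io.IOException` imported. The class continues outside the hunk.
```java
  private static final List<String> XADES_1_4_BLACKLIST = loadXAdES14Blacklist();

  /** Fetches the blacklist once at class initialisation; returns an empty list on any failure (fail-open). */
  private static List<String> loadXAdES14Blacklist() {
    List<String> entries = new ArrayList<String>();
    InputStream in = null;
    try {
      URLConnection conn = new URL(HTTPBindingProcessorImpl.ConfigurationFacade.XADES_1_4_BLACKLIST_URL).openConnection();
      conn.setConnectTimeout(10000); // sample values; should come from configuration
      conn.setReadTimeout(10000);
      in = conn.getInputStream();
      Scanner s = new Scanner(in, "UTF-8");
      while (s.hasNext()) {
        entries.add(s.next());
      }
      if (s.ioException() != null) {
        throw s.ioException(); // Scanner hides read errors; surface them instead of truncating the list
      }
    } catch (Exception e) {
      log.error("Blacklist load error, XAdES 1.4 blacklist is empty", e);
    } finally {
      if (in != null) {
        try { in.close(); } catch (IOException ignored) { /* nothing further to do */ }
      }
    }
    return Collections.unmodifiableList(entries);
  }
  // … unchanged: setConfiguration …
```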
@@ -138,8 +164,22 @@ public class CreateXMLSignatureCommandImpl extends throw new SLCommandException(4006); } + boolean useXAdES14 = configurationFacade.getUseXAdES14(); + if (useXAdES14 && configurationFacade.getUseXAdES14Blacklist()) { + String dataURL = commandContext.getDataURL(); + log.debug("Checking DataURL against XAdES14 blacklist: {}", dataURL); + if (dataURL != null) { + for (String bl_entry : XADES_1_4_BLACKLIST) { + if (dataURL.matches(bl_entry)) { + log.debug("XAdES14 blacklist match"); + useXAdES14 = false; + } + } + } + } + signature = new Signature(commandContext.getURLDereferencer(), - idValueFactory, algorithmMethodFactory, configurationFacade.getUseXAdES14()); + idValueFactory, algorithmMethodFactory, useXAdES14); // SigningTime signature.setSigningTime(new Date()); diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImplTest.java index 94f03584..b1ec7777 100644 --- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImplTest.java +++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateCMSSignatureCommandImplTest.java @@ -96,7 +96,7 @@ public class CreateCMSSignatureCommandImplTest { SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof CreateCMSSignatureCommand); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLResult result = command.execute(context); result.writeTo(new StreamResult(System.out), false); } diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImplTest.java index d4694c40..f80ef965 100644 
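Review bot: `dataURL.matches(bl_entry)` treats every entry of the remotely fetched list as a full regular expression and recompiles it on each command; a single malformed entry throws an unchecked `PatternSyntaxException` here and aborts every CreateXMLSignature request while the blacklist is enabled, and a pathological pattern makes the match arbitrarily expensive. I would precompile the entries to `Pattern` objects once at load time, dropping and logging those that do not compile, and in this loop stop at the first hit: `try { if (dataURL.matches(bl_entry)) { log.debug("XAdES14 blacklist match"); useXAdES14 = false; break; } } catch (PatternSyntaxException e) { log.warn("Ignoring malformed XAdES14 blacklist entry: {}", bl_entry); }` is the minimal change if the list stays a list of strings. The enclosing method starts and ends outside the hunk.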
--- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImplTest.java +++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/CreateXMLSignatureCommandImplTest.java @@ -97,7 +97,7 @@ public class CreateXMLSignatureCommandImplTest { SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof CreateXMLSignatureCommand); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLResult result = command.execute(context); result.writeTo(new StreamResult(System.out), false); } @@ -119,7 +119,7 @@ public class CreateXMLSignatureCommandImplTest { SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof InfoboxReadCommandImpl); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLResult result = command.execute(context); assertTrue(result instanceof ErrorResult); } diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadComandImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadComandImplTest.java index 42cf0232..437278e4 100644 --- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadComandImplTest.java +++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/InfoboxReadComandImplTest.java 
@@ -91,7 +91,7 @@ public class InfoboxReadComandImplTest { InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.xml"); assertNotNull(inputStream); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); context.setSTAL(stal); SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof InfoboxReadCommand); @@ -113,7 +113,7 @@ public class InfoboxReadComandImplTest { InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.Invalid-2.xml"); assertNotNull(inputStream); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof InfoboxReadCommand); diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java index 9281efcb..7f205eb1 100644 --- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java +++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/impl/SVPersonendatenInfoboxImplTest.java 
@@ -134,7 +134,7 @@ public class SVPersonendatenInfoboxImplTest { InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.xml"); assertNotNull(inputStream); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof InfoboxReadCommand); @@ -156,7 +156,7 @@ public class SVPersonendatenInfoboxImplTest { InputStream inputStream = getClass().getClassLoader().getResourceAsStream("at/gv/egiz/bku/slcommands/infoboxreadcommand/IdentityLink.Binary.Invalid-2.xml"); assertNotNull(inputStream); - SLCommandContext context = new SLCommandContext(stal, urlDereferencer); + SLCommandContext context = new SLCommandContext(stal, urlDereferencer, null); SLCommand command = factory.createSLCommand(new StreamSource(new InputStreamReader(inputStream))); assertTrue(command instanceof InfoboxReadCommand); -- cgit v1.2.3