From da6c49cbea9c80ad057a5fc3b698ce14ad9a7415 Mon Sep 17 00:00:00 2001 From: tkellner Date: Fri, 13 Dec 2013 01:57:31 +0000 Subject: Add DigestMethod to STAL SignRequest, check digest value in secure viewer NOTE: This currently disables viewing signature data which uses the ExcludeByteRange feature, e.g. PAdES signatures. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1263 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/online/applet/AppletSecureViewer.java | 8 +++--- BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd | 1 + .../src/main/java/at/gv/egiz/stal/SignRequest.java | 30 +++++++++++++++++++++- .../stal/service/translator/STALTranslator.java | 2 ++ .../egiz/stal/service/types/SignRequestType.java | 30 +++++++++++++++++++++- .../service/translator/STALTranslatorTest.java | 3 +++ STALXService/src/main/resources/wsdl/stal.xsd | 1 + .../bku/slcommands/impl/cms/STALPrivateKey.java | 8 +++++- .../slcommands/impl/cms/STALSecurityProvider.java | 7 +++-- .../gv/egiz/bku/slcommands/impl/cms/Signature.java | 3 +-- .../gv/egiz/bku/smccstal/SignRequestHandler.java | 2 +- 11 files changed, 83 insertions(+), 12 deletions(-) diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java index c6a2f72a..773bab80 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java 
@@ -196,9 +196,9 @@ public class AppletSecureViewer implements SecureViewer { log.debug("Digesting reference " + signedRefId + " (" + mimeType + ";" + encoding + ")"); } - if (signedDigestAlg.startsWith("CMS:")) { - log.info("CMS signature - skip verifying hashdata for now"); - } else { +// if (signedDigestAlg.startsWith("CMS:")) { +// log.info("CMS signature - skip verifying hashdata for now"); +// } else { byte[] hashDataInputDigest = digest(hdi, signedDigestAlg); log.debug("Comparing digest to claimed digest value for reference {}.", signedRefId); @@ -206,7 +206,7 @@ public class AppletSecureViewer implements SecureViewer { log.error("Bad digest value for reference {}.", signedRefId); throw new DigestException("Bad digest value for reference " + signedRefId); } - } +// } verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding, filename)); } diff --git a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd index 5f96578d..5ad9ec83 100644 --- a/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd +++ b/BKUOnline/src/main/webapp/WEB-INF/wsdl/stal.xsd @@ -133,6 +133,7 @@ + diff --git a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java index e4a49e97..52a3ffcd 100644 --- a/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java +++ b/STAL/src/main/java/at/gv/egiz/stal/SignRequest.java @@ -54,6 +54,7 @@ import javax.xml.bind.annotation.XmlValue; * </complexType> * </element> * <element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> + * <element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> * </sequence> * </extension> * </complexContent> 
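Review bot: In AppletSecureViewer.java the old `if (signedDigestAlg.startsWith("CMS:"))` branch is commented out rather than deleted, both here and at the closing `// }` in the @@ -206,7 hunk. This leaves dead code around the digest check and keeps the body indented for a block that no longer exists; delete the commented lines and re-indent. The commit message says data using ExcludeByteRange (e.g. PAdES) can no longer be viewed. Presumably such input now ends in the generic `DigestException("Bad digest value for reference ...")`, which an operator cannot tell apart from tampered hash data. A comment at the comparison would help, for example `// NOTE: ExcludeByteRange (PAdES) input is digested in full and is expected to fail this check`, as would a distinct log message if that case can be detected. The enclosing method starts and ends outside these hunks.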
@@ -66,7 +67,8 @@ import javax.xml.bind.annotation.XmlValue; @XmlType(name = "SignRequestType", propOrder = { "keyIdentifier", "signedInfo", - "signatureMethod" + "signatureMethod", + "digestMethod" }) public class SignRequest extends STALRequest { @@ -77,6 +79,8 @@ public class SignRequest protected SignRequest.SignedInfo signedInfo; @XmlElement(name = "SignatureMethod") protected String signatureMethod; + @XmlElement(name = "DigestMethod") + protected String digestMethod; @XmlTransient protected List hashData; @@ -152,6 +156,30 @@ public class SignRequest this.signatureMethod = value; } + /** + * Gets the value of the digestMethod property. + * + * @return + * possible object is + * {@link String } + * + */ + public String getDigestMethod() { + return digestMethod; + } + + /** + * Sets the value of the digestMethod property. + * + * @param value + * allowed object is + * {@link String } + * + */ + public void setDigestMethod(String value) { + this.digestMethod = value; + } + public List getHashDataInput() { return hashData; } diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java index 28d60ed6..5ddadbe7 100644 --- a/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java +++ b/STALService/src/main/java/at/gv/egiz/stal/service/translator/STALTranslator.java @@ -224,6 +224,7 @@ public class STALTranslator { signedInfo.setIsCMSSignedAttributes(((SignRequest) request).getSignedInfo().isIsCMSSignedAttributes()); req.setSignedInfo(signedInfo); req.setSignatureMethod(((SignRequest) request).getSignatureMethod()); + req.setDigestMethod(((SignRequest) request).getDigestMethod()); //TODO add hashdatainput (refactor signRequestType) return of.createGetNextRequestResponseTypeSignRequest(req); } else if (request instanceof InfoboxReadRequest) { 
@@ -255,6 +256,7 @@ public class STALTranslator { signedInfo.setIsCMSSignedAttributes(((SignRequestType) request).getSignedInfo().isIsCMSSignedAttributes()); stalReq.setSignedInfo(signedInfo); stalReq.setSignatureMethod(((SignRequestType) request).getSignatureMethod()); + stalReq.setDigestMethod(((SignRequestType) request).getDigestMethod()); return stalReq; } else if (request instanceof QuitRequestType) { return new QuitRequest(); diff --git a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java index 50a00406..67755d69 100644 --- a/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java +++ b/STALService/src/main/java/at/gv/egiz/stal/service/types/SignRequestType.java @@ -61,6 +61,7 @@ import javax.xml.bind.annotation.XmlValue; * </complexType> * </element> * <element name="SignatureMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> + * <element name="DigestMethod" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/> * </sequence> * </extension> * </complexContent> @@ -73,7 +74,8 @@ import javax.xml.bind.annotation.XmlValue; @XmlType(name = "SignRequestType", propOrder = { "keyIdentifier", "signedInfo", - "signatureMethod" + "signatureMethod", + "digestMethod" }) public class SignRequestType extends RequestType @@ -85,6 +87,8 @@ public class SignRequestType protected SignRequestType.SignedInfo signedInfo; @XmlElement(name = "SignatureMethod") protected String signatureMethod; + @XmlElement(name = "DigestMethod") + protected String digestMethod; /** * Gets the value of the keyIdentifier property. 
@@ -158,6 +162,30 @@ public class SignRequestType this.signatureMethod = value; } + /** + * Gets the value of the digestMethod property. + * + * @return + * possible object is + * {@link String } + * + */ + public String getDigestMethod() { + return digestMethod; + } + + /** + * Sets the value of the digestMethod property. + * + * @param value + * allowed object is + * {@link String } + * + */ + public void setDigestMethod(String value) { + this.digestMethod = value; + } + /** *

Java class for anonymous complex type. diff --git a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java index 98d301a7..a82006fc 100644 --- a/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java +++ b/STALService/src/test/java/at/gv/egiz/stal/service/translator/STALTranslatorTest.java @@ -106,6 +106,7 @@ public class STALTranslatorTest { assertEquals(request.getSignedInfo().getValue(), resultT.getSignedInfo().getValue()); assertEquals(request.getSignedInfo().isIsCMSSignedAttributes(), resultT.getSignedInfo().isIsCMSSignedAttributes()); assertEquals(request.getSignatureMethod(), resultT.getSignatureMethod()); + assertEquals(request.getDigestMethod(), resultT.getDigestMethod()); } /** @@ -120,6 +121,7 @@ public class STALTranslatorTest { signedInfo.setValue("signedinfo".getBytes()); req.setSignedInfo(signedInfo); req.setSignatureMethod("signatureMethod"); + req.setDigestMethod("digestMethod"); JAXBElement request = of.createGetNextRequestResponseTypeSignRequest(req); STALTranslator instance = new STALTranslator(); STALRequest result = instance.translateWSRequest(request); @@ -128,6 +130,7 @@ public class STALTranslatorTest { assertEquals(req.getSignedInfo().getValue(), ((SignRequest) result).getSignedInfo().getValue()); assertEquals(req.getSignedInfo().isIsCMSSignedAttributes(), ((SignRequest) result).getSignedInfo().isIsCMSSignedAttributes()); assertEquals(req.getSignatureMethod(), ((SignRequest) result).getSignatureMethod()); + assertEquals(req.getDigestMethod(), ((SignRequest) result).getDigestMethod()); } @Test(expected=RuntimeException.class) diff --git a/STALXService/src/main/resources/wsdl/stal.xsd b/STALXService/src/main/resources/wsdl/stal.xsd index 30880d74..f102d215 100644 --- a/STALXService/src/main/resources/wsdl/stal.xsd +++ b/STALXService/src/main/resources/wsdl/stal.xsd @@ -133,6 +133,7 @@ + 
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java index 8da52227..8e71fa7c 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALPrivateKey.java @@ -11,9 +11,11 @@ public class STALPrivateKey implements PrivateKey { private static final long serialVersionUID = 1L; private String algorithm; + private String digestAlgorithm; - public STALPrivateKey(String algorithm) { + public STALPrivateKey(String algorithm, String digestAlgorithm) { this.algorithm = algorithm; + this.digestAlgorithm = digestAlgorithm; } @Override @@ -21,6 +23,10 @@ public class STALPrivateKey implements PrivateKey { return algorithm; } + public String getDigestAlgorithm() { + return digestAlgorithm; + } + @Override public byte[] getEncoded() { throw new UnsupportedOperationException("STALPrivateKey does not support the getEncoded() method."); diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java index 0a2140c3..7c8b2b4e 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/STALSecurityProvider.java 
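Review bot: The new `digestAlgorithm` field in STALPrivateKey.java is written only in the constructor but is not declared `final`, and the constructor stores a null argument without complaint; `private final String digestAlgorithm;` would state the intent. `getDigestAlgorithm()` also has no Javadoc. Judging from the call site in Signature.java, the value is the digest algorithm URI that ends up as the STAL DigestMethod, so a comment such as `/** Digest algorithm URI forwarded as DigestMethod in the STAL SignRequest. */` would stop readers from taking it for a JCA algorithm name. The class body continues outside these hunks.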
@@ -60,8 +60,9 @@ public class STALSecurityProvider extends IaikProvider { throws SignatureException, InvalidKeyException, NoSuchAlgorithmException { log.debug("calculateSignatureFromSignedAttributes: " + signatureAlgorithm + ", " + digestAlgorithm); + STALPrivateKey spk = (STALPrivateKey) privateKey; SignRequest signRequest = getSTALSignRequest(keyboxIdentifier, signedAttributes, - privateKey.getAlgorithm(), hashDataInput); + spk.getAlgorithm(), spk.getDigestAlgorithm(), hashDataInput); log.debug("Sending STAL request ({})", privateKey.getAlgorithm()); List responses = @@ -86,7 +87,8 @@ public class STALSecurityProvider extends IaikProvider { } private static SignRequest getSTALSignRequest(String keyboxIdentifier, - byte[] signedAttributes, String signatureMethod, List hashDataInput) { + byte[] signedAttributes, String signatureMethod, String digestMethod, + List hashDataInput) { SignRequest signRequest = new SignRequest(); signRequest.setKeyIdentifier(keyboxIdentifier); log.debug("SignedAttributes: " + Util.toBase64String(signedAttributes)); @@ -95,6 +97,7 @@ public class STALSecurityProvider extends IaikProvider { signedInfo.setIsCMSSignedAttributes(true); signRequest.setSignedInfo(signedInfo); signRequest.setSignatureMethod(signatureMethod); + signRequest.setDigestMethod(digestMethod); signRequest.setHashDataInput(hashDataInput); return signRequest; } diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java index 307f0bfc..9e76bf22 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/cms/Signature.java 
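Review bot: The cast `(STALPrivateKey) privateKey` in calculateSignatureFromSignedAttributes is unchecked, so any other PrivateKey handed to this provider now fails with a ClassCastException, where the old `privateKey.getAlgorithm()` call worked for every key type. The method already declares InvalidKeyException, so guard the cast with `if (!(privateKey instanceof STALPrivateKey)) throw new InvalidKeyException("STALPrivateKey required");`. The debug line after the request is built still logs only `privateKey.getAlgorithm()` and could include `spk.getDigestAlgorithm()` so the forwarded digest method shows up in traces. The method starts and ends outside the hunk.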
@@ -95,7 +95,6 @@ public class Signature { private AlgorithmID signatureAlgorithm; private AlgorithmID digestAlgorithm; private String signatureAlgorithmURI; - @SuppressWarnings("unused") private String digestAlgorithmURI; public Signature(CMSDataObjectRequiredMetaType dataObject, String structure, @@ -116,7 +115,7 @@ public class Signature { new iaik.x509.X509Certificate(signingCertificate.getEncoded()); CertificateIdentifier signerIdentifier = new IssuerAndSerialNumber(sigcert); - PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI); + PrivateKey privateKey = new STALPrivateKey(signatureAlgorithmURI, digestAlgorithmURI); signerInfo = new SignerInfo(signerIdentifier, digestAlgorithm, signatureAlgorithm, privateKey); } diff --git a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java index bb7856c3..dba822ea 100644 --- a/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java +++ b/smccSTAL/src/main/java/at/gv/egiz/bku/smccstal/SignRequestHandler.java @@ -180,7 +180,7 @@ public class SignRequestHandler extends AbstractRequestHandler { reference.setId(HashDataInput.CMS_DEF_REFERENCE_ID); reference.setURI(CMS_DEF_OBJECT_ID); DigestMethodType digestMethod = new DigestMethodType(); - digestMethod.setAlgorithm("CMS:" + signReq.getSignatureMethod()); + digestMethod.setAlgorithm(signReq.getDigestMethod()); reference.setDigestMethod(digestMethod); byte[] messageDigest = null; try { -- cgit v1.2.3
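Review bot: In SignRequestHandler.java `digestMethod.setAlgorithm(signReq.getDigestMethod())` can now set a null algorithm, because DigestMethod is declared `minOccurs="0"` in the SignRequest schema and a peer that omits the element yields null; the previous `"CMS:" + signReq.getSignatureMethod()` was never null. This value is what the secure viewer later uses to recompute and compare the hash, so the handler should test `signReq.getDigestMethod() == null` before building the reference and answer with an explicit error. Whether the digest routine restricts the accepted algorithm identifiers is not visible here; if it does not, an allow-list at this point would keep a peer from selecting a weak digest for the viewer check. The same null can arise upstream if `digestAlgorithmURI` in Signature.java is not assigned before `new STALPrivateKey(signatureAlgorithmURI, digestAlgorithmURI)`; its assignment lies outside the hunk.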