From 2a1df5e58e44f8d77f34eb80df74e8c0d27caceb Mon Sep 17 00:00:00 2001 From: clemenso Date: Wed, 18 Mar 2009 22:27:28 +0000 Subject: 1.1-rc5 (pinProviderFactories, gui refactoring, signatureCard, secureViewer) git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@322 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/online/applet/AppletSecureViewer.java | 221 +++++++++++++++++++++ 1 file changed, 221 insertions(+) create mode 100644 BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java (limited to 'BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java') diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java new file mode 100644 index 00000000..e2551e2d --- /dev/null +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java @@ -0,0 +1,221 @@ +/* + * Copyright 2008 Federal Chancellery Austria and + * Graz University of Technology + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package at.gv.egiz.bku.online.applet; + +import at.gv.egiz.bku.smccstal.SecureViewer; +import java.security.DigestException; +import java.security.MessageDigest; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import at.gv.egiz.bku.smccstal.SignRequestHandler; +import at.gv.egiz.stal.HashDataInput; +import at.gv.egiz.stal.impl.ByteArrayHashDataInput; +import at.gv.egiz.stal.service.GetHashDataInputFault; +import at.gv.egiz.stal.service.STALPortType; +import at.gv.egiz.stal.service.types.GetHashDataInputResponseType; +import at.gv.egiz.stal.service.types.GetHashDataInputType; +import at.gv.egiz.stal.signedinfo.ReferenceType; +import java.security.NoSuchAlgorithmException; + +/** + * A SignRequesthandler that obtains hashdata inputs from a STAL webservice and + * displays these either within the applet or in a separate frame. + * The internal viewer displays plaintext data only, other mimetypes can be saved to disk. + * The standalone (frame) viewer displays all mimetypes. + * + * (This class depends on STALService and therefore is not part of BKUCommonGUI.) + * + * @author Clemens Orthacker + */ +public class AppletSecureViewer extends SignRequestHandler { + + private static final Log log = LogFactory.getLog(AppletSecureViewer.class); + protected STALPortType stalPort; + protected String sessId; + + public AppletSecureViewer(STALPortType stalPort, String sessId) { + if (stalPort == null || sessId == null) { + throw new NullPointerException("STAL port must not be null"); + } + this.sessId = sessId; + this.stalPort = stalPort; + } + + /** + * TODO don't throw exceptions + * @param signedReferences + * @throws java.security.DigestException + * @throws java.lang.Exception + */ + @Override + public void displayDataToBeSigned(List signedReferences) + throws DigestException, Exception { + + List hdi = getHashDataInput(signedReferences); + List verifiedHashDataInputs = verifyHashDataInput(signedReferences, hdi); + + if (verifiedHashDataInputs.size() > 0) { + gui.showSecureViewer(verifiedHashDataInputs, this, "hashDataDone"); + } else { + throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)"); + } + } + + /** + * Get all hashdata inputs that contain an ID attribute but no Type attribute. + * @param signedReferences + * @return + * @throws at.gv.egiz.stal.service.GetHashDataInputFault + */ + private List getHashDataInput(List signedReferences) + throws GetHashDataInputFault, Exception { + GetHashDataInputType request = new GetHashDataInputType(); + request.setSessionId(sessId); + +// HashMap idSignedRefMap = new HashMap(); + for (ReferenceType signedRef : signedReferences) { + //don't get Manifest, QualifyingProperties, ... + if (signedRef.getType() == null) { + String signedRefId = signedRef.getId(); + if (signedRefId != null) { + if (log.isTraceEnabled()) { + log.trace("requesting hashdata input for reference " + signedRefId); + } +// idSignedRefMap.put(signedRefId, signedRef); + GetHashDataInputType.Reference ref = new GetHashDataInputType.Reference(); + ref.setID(signedRefId); + request.getReference().add(ref); + + } else { + throw new Exception("Cannot resolve signature data for dsig:Reference without Id attribute"); + } + } + } + + if (request.getReference().size() < 1) { + log.error("No signature data (apart from any QualifyingProperties or a Manifest) for session " + sessId); + throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)"); + } + + if (log.isDebugEnabled()) { + log.debug("WebService call GetHashDataInput for " + request.getReference().size() + " references in session " + sessId); + } + GetHashDataInputResponseType response = stalPort.getHashDataInput(request); + return response.getReference(); + } + + /** + * Verifies all signed references and returns STAL HashDataInputs + * @param signedReferences + * @param hashDataInputs + * @return + * @throws java.security.DigestException + * @throws java.security.NoSuchAlgorithmException + * @throws Exception if no hashdata input is provided for a signed reference + */ + private List verifyHashDataInput(List signedReferences, List hashDataInputs) + throws DigestException, NoSuchAlgorithmException, Exception { + + ArrayList verifiedHashDataInputs = new ArrayList(); + + for (ReferenceType signedRef : signedReferences) { + if (signedRef.getType() == null) { + log.info("Verifying digest for signed reference " + signedRef.getId()); + + String signedRefId = signedRef.getId(); + byte[] signedDigest = signedRef.getDigestValue(); + String signedDigestAlg = null; + if (signedRef.getDigestMethod() != null) { + signedDigestAlg = signedRef.getDigestMethod().getAlgorithm(); + } else { + throw new NoSuchAlgorithmException("Failed to verify digest value for reference " + signedRefId + ": no digest algorithm"); + } + + // usually, there is just one item here + GetHashDataInputResponseType.Reference hashDataInput = null; + for (GetHashDataInputResponseType.Reference hdi : hashDataInputs) { + if (signedRefId.equals(hdi.getID())) { + hashDataInput = hdi; + break; + } + } + if (hashDataInput == null) { + throw new Exception("No hashdata input for reference " + signedRefId + " returned by service"); + } + + byte[] hdi = hashDataInput.getValue(); + String mimeType = hashDataInput.getMimeType(); + String encoding = hashDataInput.getEncoding(); + + if (hdi == null) { + throw new Exception("No hashdata input for reference " + signedRefId + " provided by service"); + } + if (log.isDebugEnabled()) { + log.debug("Got HashDataInput " + signedRefId + " (" + mimeType + ";" + encoding + ")"); + } + + byte[] hashDataInputDigest = digest(hdi, signedDigestAlg); + + if (log.isDebugEnabled()) { + log.debug("Comparing digest values... "); + } +// log.warn("***************** DISABLED HASHDATA VERIFICATION"); + if (!Arrays.equals(hashDataInputDigest, signedDigest)) { + log.error("Bad digest value for reference " + signedRefId); + throw new DigestException("Bad digest value for reference " + signedRefId); + } + + verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding)); + } + } + + return verifiedHashDataInputs; + } + + //TODO + private byte[] digest(byte[] hashDataInput, String mdAlg) throws NoSuchAlgorithmException { + if ("http://www.w3.org/2000/09/xmldsig#sha1".equals(mdAlg)) { + mdAlg = "SHA-1"; + } else if ("http://www.w3.org/2001/04/xmlenc#sha256".equals(mdAlg)) { + mdAlg = "SHA-256"; + } else if ("http://www.w3.org/2001/04/xmlenc#sha224".equals(mdAlg)) { + mdAlg = "SHA-224"; + } else if ("http://www.w3.org/2001/04/xmldsig-more#sha224".equals(mdAlg)) { + mdAlg = "SHA-224"; + } else if ("http://www.w3.org/2001/04/xmldsig-more#sha384".equals(mdAlg)) { + mdAlg = "SHA-384"; + } else if ("http://www.w3.org/2001/04/xmlenc#sha512".equals(mdAlg)) { + mdAlg = "SHA-512"; + } else if ("http://www.w3.org/2001/04/xmldsig-more#md2".equals(mdAlg)) { + mdAlg = "MD2"; + } else if ("http://www.w3.org/2001/04/xmldsig-more#md5".equals(mdAlg)) { + mdAlg = "MD5"; + } else if ("http://www.w3.org/2001/04/xmlenc#ripemd160".equals(mdAlg)) { + mdAlg = "RipeMD-160"; + } else { + throw new NoSuchAlgorithmException("Failed to verify digest value: unsupported digest algorithm " + mdAlg); + } + + MessageDigest md = MessageDigest.getInstance(mdAlg); + return md.digest(hashDataInput); + } +} -- cgit v1.2.3 From 616e06910051528674165319a1d6d161dff5859c Mon Sep 17 00:00:00 2001 From: clemenso Date: Fri, 27 Mar 2009 17:33:11 +0000 Subject: 1.1-RC6 (pinpad, pinmgmt, secureviewer) git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@323 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../egiz/bku/online/applet/AppletSecureViewer.java | 79 +++++++++++++--------- 1 file changed, 47 insertions(+), 32 deletions(-) (limited to 'BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java') diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java index e2551e2d..929cecb1 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java @@ -16,17 +16,8 @@ */ package at.gv.egiz.bku.online.applet; +import at.gv.egiz.bku.gui.BKUGUIFacade; import at.gv.egiz.bku.smccstal.SecureViewer; -import java.security.DigestException; -import java.security.MessageDigest; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.List; - -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; - -import at.gv.egiz.bku.smccstal.SignRequestHandler; import at.gv.egiz.stal.HashDataInput; import at.gv.egiz.stal.impl.ByteArrayHashDataInput; import at.gv.egiz.stal.service.GetHashDataInputFault; @@ -34,49 +25,73 @@ import at.gv.egiz.stal.service.STALPortType; import at.gv.egiz.stal.service.types.GetHashDataInputResponseType; import at.gv.egiz.stal.service.types.GetHashDataInputType; import at.gv.egiz.stal.signedinfo.ReferenceType; +import at.gv.egiz.stal.signedinfo.SignedInfoType; +import java.awt.event.ActionListener; +import java.security.DigestException; +import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; /** - * A SignRequesthandler that obtains hashdata inputs from a STAL webservice and - * displays these either within the applet or in a separate frame. - * The internal viewer displays plaintext data only, other mimetypes can be saved to disk. - * The standalone (frame) viewer displays all mimetypes. - * - * (This class depends on STALService and therefore is not part of BKUCommonGUI.) - * + * * @author Clemens Orthacker */ -public class AppletSecureViewer extends SignRequestHandler { +public class AppletSecureViewer implements SecureViewer { private static final Log log = LogFactory.getLog(AppletSecureViewer.class); + + protected BKUGUIFacade gui; protected STALPortType stalPort; protected String sessId; + protected List verifiedDataToBeSigned; - public AppletSecureViewer(STALPortType stalPort, String sessId) { - if (stalPort == null || sessId == null) { + public AppletSecureViewer(BKUGUIFacade gui, STALPortType stalPort, + String sessId) { + if (gui == null) { + throw new NullPointerException("GUI must not be null"); + } + if (stalPort == null) { throw new NullPointerException("STAL port must not be null"); } - this.sessId = sessId; + if (sessId == null) { + throw new NullPointerException("session id must not be null"); + } + this.gui = gui; this.stalPort = stalPort; + this.sessId = sessId; } /** - * TODO don't throw exceptions + * retrieves the data to be signed for * @param signedReferences + * @param okListener + * @param okCommand + * @param cancelListener + * @param cancelCommand * @throws java.security.DigestException * @throws java.lang.Exception */ @Override - public void displayDataToBeSigned(List signedReferences) + public void displayDataToBeSigned(SignedInfoType signedInfo, + ActionListener okListener, String okCommand) throws DigestException, Exception { - - List hdi = getHashDataInput(signedReferences); - List verifiedHashDataInputs = verifyHashDataInput(signedReferences, hdi); - - if (verifiedHashDataInputs.size() > 0) { - gui.showSecureViewer(verifiedHashDataInputs, this, "hashDataDone"); + + if (verifiedDataToBeSigned == null) { + log.info("retrieve data to be signed for dsig:SignedInfo " + + signedInfo.getId()); + List hdi = + getHashDataInput(signedInfo.getReference()); + verifiedDataToBeSigned = verifyHashDataInput(signedInfo.getReference(), + hdi); + } + if (verifiedDataToBeSigned.size() > 0) { + gui.showSecureViewer(verifiedDataToBeSigned, okListener, okCommand); } else { - throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)"); + throw new Exception("No data to be signed (apart from any QualifyingProperties or a Manifest)"); } } @@ -110,7 +125,7 @@ public class AppletSecureViewer extends SignRequestHandler { } } } - + if (request.getReference().size() < 1) { log.error("No signature data (apart from any QualifyingProperties or a Manifest) for session " + sessId); throw new Exception("No signature data (apart from any QualifyingProperties or a Manifest)"); @@ -187,7 +202,7 @@ public class AppletSecureViewer extends SignRequestHandler { verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding)); } } - + return verifiedHashDataInputs; } -- cgit v1.2.3 From b7dd29046e232e4d42623655efc28965cce942b8 Mon Sep 17 00:00:00 2001 From: clemenso Date: Fri, 13 Nov 2009 15:13:21 +0000 Subject: git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@546 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java') diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java index 929cecb1..2e0cb331 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java @@ -185,13 +185,13 @@ public class AppletSecureViewer implements SecureViewer { throw new Exception("No hashdata input for reference " + signedRefId + " provided by service"); } if (log.isDebugEnabled()) { - log.debug("Got HashDataInput " + signedRefId + " (" + mimeType + ";" + encoding + ")"); + log.debug("Digesting reference " + signedRefId + " (" + mimeType + ";" + encoding + ")"); } byte[] hashDataInputDigest = digest(hdi, signedDigestAlg); if (log.isDebugEnabled()) { - log.debug("Comparing digest values... "); + log.debug("Comparing digest to claimed digest value for reference " + signedRefId); } // log.warn("***************** DISABLED HASHDATA VERIFICATION"); if (!Arrays.equals(hashDataInputDigest, signedDigest)) { -- cgit v1.2.3 From 5af9b75dccc1b52d1382fe0f2df30affd509f5b9 Mon Sep 17 00:00:00 2001 From: clemenso Date: Tue, 24 Nov 2009 18:48:00 +0000 Subject: Filenames derived from reference URI git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@553 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java') diff --git a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java index 2e0cb331..c67699af 100644 --- a/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java +++ b/BKUApplet/src/main/java/at/gv/egiz/bku/online/applet/AppletSecureViewer.java @@ -180,6 +180,7 @@ public class AppletSecureViewer implements SecureViewer { byte[] hdi = hashDataInput.getValue(); String mimeType = hashDataInput.getMimeType(); String encoding = hashDataInput.getEncoding(); + String filename = hashDataInput.getFilename(); if (hdi == null) { throw new Exception("No hashdata input for reference " + signedRefId + " provided by service"); @@ -199,7 +200,7 @@ public class AppletSecureViewer implements SecureViewer { throw new DigestException("Bad digest value for reference " + signedRefId); } - verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding)); + verifiedHashDataInputs.add(new ByteArrayHashDataInput(hdi, signedRefId, mimeType, encoding, filename)); } } -- cgit v1.2.3