Two bug fixed: 1) Unable to find certificate if binary signature does not contain the serial number; 2) Certificates thoese issuer names contain certain RDNs (e.g. EMAILADDRESS) could not be retrieved from certstore.

PDF-AS library version is logged in order to lighten bugfixing.

git-svn-id: https://joinup.ec.europa.eu/svn/pdf-as/trunk@258 7b5415b0-85f9-ee4d-85bd-d5d0c3b42d1c

7 files changed, 75 insertions, 57 deletions

diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
index 5a7d32b..4c0ae44 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
@@ -90,6 +90,8 @@ import com.lowagie.text.pdf.PdfReader;
  */

 public abstract class PdfAS

 {

+   

+   public static final String PDFAS_VERSION = "3.0.4-20080424";

   /**

    * The key of the strict mode setting.

    */

@@ -865,7 +867,7 @@ public abstract class PdfAS
     // fixed by tknall

     if (so_to_be_verified.getX509Cert() == null)

     {

-      throw new SignatureException(313, "Document certificate is not defined.");

+      throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");

     }

 

     SignSignatureObject so = SignatureObjectHelper.convertSignatureObjectToSignSignatureObject(so_to_be_verified);

@@ -910,7 +912,7 @@ public abstract class PdfAS
     // added by tknall

     if (so_to_be_verified.getX509Cert() == null)

     {

-      throw new SignatureException(313, "Document certificate is not defined.");

+      throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");

     }

 

 

diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
index c58da3f..6481401 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
@@ -32,9 +32,11 @@ import java.util.Enumeration;
 import java.util.Properties;

 import java.util.Vector;

 

+import org.apache.commons.lang.StringUtils;

 import org.apache.commons.logging.Log;

 import org.apache.commons.logging.LogFactory;

 

+import at.knowcenter.wag.egov.egiz.PdfAS;

 import at.knowcenter.wag.egov.egiz.exceptions.SettingNotFoundException;

 import at.knowcenter.wag.egov.egiz.exceptions.SettingsException;

 

@@ -724,6 +726,10 @@ public class SettingsReader implements Serializable
 		// Does not conform with PKIX, but is used by belgium citizen card

 //		log.info("Registering RDN \"SERIALNUMBER\" as " + ObjectID.serialNumber + ".");

 		RFC2253NameParser.register("SERIALNUMBER", ObjectID.serialNumber);

+		

+		String versionString = "*  PDF-AS library version " + PdfAS.PDFAS_VERSION + "  *";

+		String paddingString = StringUtils.repeat("*", versionString.length());

+		logger_.info("PDF-AS info\n" + paddingString + "\n" + versionString + "\n" + paddingString);

   }

 

 }
\ No newline at end of file
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
index 3437a6e..b4818cd 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
@@ -1099,6 +1099,7 @@ public class SignatureObject implements Serializable
             if (cert_store_dir.isDirectory())

             {

               String cert_file_name = cert_store_path + FILE_SEP + serial_number + CERT_FILE_EXTENSION;

+              logger_.debug("Adding cert (issuer=\"" + cert.getIssuerName() + "\", sn=\"" + cert.getSerialNumber() + "\") to certstore: \"" + cert_file_name + "\".");

               // boolean store =

               FileHelper.writeToFile(cert_file_name, cert.getCertString());

               // System.err.println("store:" + store + ":" +

@@ -1114,6 +1115,16 @@ public class SignatureObject implements Serializable
       }

     }

   }

+  

+  private X509Cert loadCertificateFromCertstore(String serialNumber, String issuer) {

+     String iss_hash = getIssuerFileHash(issuer);

+     String cert_store_path = certPath_ + iss_hash;

+     String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION;

+     if (logger_.isDebugEnabled()) {

+        logger_.debug("Trying to load cert (issuer=\"" + (issuer != null ? normalizeIssuer(issuer) : issuer) + "\", sn=\"" + serialNumber + "\") from certstore: \"" + cert_file_name + "\".");

+     }

+     return X509Cert.initByFilePath(cert_file_name);

+  }

 

   /**

    * This method load a X509v3 certificate from the filesystem. The reference to

@@ -1154,14 +1165,16 @@ public class SignatureObject implements Serializable
     X509Cert cert = null;

     if (issuer != null && serialNumber != null)

     {

-      String iss_hash = getIssuerFileHash(issuer);

-      String cert_store_path = certPath_ + iss_hash;

-      String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION;

-      if (logger_.isDebugEnabled())

-      {

-        logger_.debug("load certificate:" + cert_file_name);

+       cert = loadCertificateFromCertstore(serialNumber, issuer);

+       if (cert == null) {

+          logger_.debug("Certificate not found. Trying alternative normalization method.");

+          try {

+             Name issuerName = new RFC2253NameParser(issuer).parse();

+             cert = loadCertificateFromCertstore(serialNumber, issuerName.getRFC2253String(false));

+          } catch (RFC2253NameParserException e) {

+             logger_.error(e);

+          }

       }

-      cert = X509Cert.initByFilePath(cert_file_name);

 

       if (cert == null)

       {

@@ -1180,14 +1193,14 @@ public class SignatureObject implements Serializable
 

         storeNewCertificateInLocalStore(cert_data);

 

-        // load the local cert

-        cert = X509Cert.initByFilePath(cert_file_name);

-

+        cert = X509Cert.initByByteArray(cert_data);

         if (cert == null)

         {

           logger_.debug("The certificate should be loaded here, but is null - something's wrong.");

         }

       }

+    } else {

+       logger_.warn("loadCertificate(\"" + serialNumber + "\", \"" + issuer + "\")");

     }

     return cert;

   }

@@ -1220,9 +1233,15 @@ public class SignatureObject implements Serializable
       FileOutputStream fos = new FileOutputStream(save_file);

       fos.write(cert_data);

       fos.close();

-    }

-    catch (IOException e)

-    {

+      // fixed by tknall: if serialnumber or issuername is omitted (binary signature) the

+      // certificate could not be found in the certstore. The fix sets the issuername and

+      // serialnumber as long the are known.

+      X509Cert cert = X509Cert.initByByteArray(cert_data);

+      if (cert.isX509Cert()) {

+         this.setSignationSerialNumber(cert.getSerialNumber());

+         this.setSignationIssuer(cert.getIssuerName());

+      }

+    } catch (IOException e) {

       e.printStackTrace();

       return;

     }

diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
index 64631cb..71ca754 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
@@ -219,10 +219,6 @@ public class X509Cert implements Serializable
    */

   public static X509Cert initByFilePath(String filePath)

   {

-    if (logger_.isDebugEnabled())

-    {

-      logger_.debug("Add cert file:" + filePath);

-    }

     if (filePath == null)

     {

       return null;

diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
index 75e4c31..c9e3fce 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
@@ -22,6 +22,7 @@ import java.util.Properties;
 import java.util.regex.Matcher;

 import java.util.regex.Pattern;

 

+import at.gv.egiz.pdfas.exceptions.ErrorCode;

 import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException;

 

 import org.apache.log4j.Level;

@@ -368,7 +369,7 @@ public class BKUConnector implements LocalConnector
     String x509_cert_string = sigObject.getX509CertificateString();

     if (x509_cert_string == null)

     {

-      SignatureException se = new SignatureException(313, "Document certificate is not defined.");

+      SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");

       throw se;

     }

     String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa");

@@ -410,6 +411,10 @@ public class BKUConnector implements LocalConnector
       final String string_to_be_hashed =  sig_prop_str.substring(hash_start, hash_end);

       logger_.debug("etsi:SignedProperties string to be hashed: " + string_to_be_hashed);

       

+      logger_.debug("\n--------------------- ETSI properties string to be hashed: start ---------------------");

+      logger_.debug(string_to_be_hashed);

+      logger_.debug("\n--------------------- ETSI properties string to be hashed: stop  ---------------------");

+      

       final byte [] bytes_to_be_hashed = string_to_be_hashed.getBytes("UTF-8");

       sig_prop_code = CodingHelper.buildDigest(bytes_to_be_hashed);

     }

diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
index 4dd3d5e..5e1aeed 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
@@ -31,6 +31,7 @@ import javax.xml.rpc.Call;
 import javax.xml.rpc.Service;

 import javax.xml.rpc.ServiceFactory;

 

+import at.gv.egiz.pdfas.exceptions.ErrorCode;

 import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException;

 

 import org.apache.axis.message.SOAPBodyElement;

@@ -428,7 +429,7 @@ public class MOAConnector implements Connector
       String x509Certificate = sigObject.getX509CertificateString();

       if (x509Certificate == null)

       {

-        SignatureException se = new SignatureException(313, "Document certificate is not defined.");

+        SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");

         throw se;

       }

       String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa");

diff --git a/src/site/changes.xml b/src/site/changes.xml
index 488d468..9410600 100644
--- a/src/site/changes.xml
+++ b/src/site/changes.xml
@@ -6,50 +6,39 @@
 	</properties>

 

 	<body>

-	

+

 		<!-- 

 			<release version="major.minor" date="yyyy-MM-dd" description="foo">

-				<action dev="foo" type="add|update|fix|remove">foo</action>

+			<action dev="foo" type="add|update|fix|remove">foo</action>

 			</release>

 		-->

 

-		<release version="2.34" date="2007-01-10" description="subsequent release">

-			<action dev="tknall" type="add">

-				QualifiedCertificate property (moa/bku) is now being evaluated

-			</action>

-		</release>

-

-		<release version="2.33" date="2006-12-14" description="subsequent release">

-			<action dev="tknall" type="update">

-				basic authentication for logging disabled

-			</action>

-		</release>

-

-		<release version="2.32" date="2006-12-13" description="subsequent release">

-			<action dev="tknall" type="add">

-				LDAP support added

+		<release version="3.0.4" date="2008-04-24"

+			description="first release">

+			<action dev="tknall" type="fix">

+				Bug fixed: If we have a binary signature, the

+				certificate is embedded. So there should be no serial

+				number needed within the signature block. PDF-AS stores

+				the certificate in the certstore but tries to load the

+				certificate via serialnumber and issuername from

+				certstore, which fails because of the missing serial

+				number.

 			</action>

-		</release>

-

-		<release version="2.31" date="2006-12-07" description="subsequent release">

-			<action dev="wlackner" type="fix">

-				some bugs fixed, algorithms adjusted

+			<action dev="tknall" type="fix">

+				Bug fixed: For storage of the certificate in the

+				certstore the issuername is taken from the certificate,

+				normalized and hashed. The base64 value of the hash is

+				used as the directory name. Loading the certificate from

+				the certstore, the issuername is taken from the

+				signature block, normalized and hashed. Some issuernames

+				(with rdns that are not registered) lead to two

+				different hash values (one at storage, another at

+				retrieval), which leads to a certificate not found

+				exception.

 			</action>

-		</release>

-

-		<release version="2.3" date="2006-12-01" description="subsequent release">

 			<action dev="tknall" type="add">

-				interface for LDAP-API added;

-				implementing class is declared by system property

-				at.knowcenter.wag.egov.egiz.sig.LDAPAPI.SYS_PROP_IMPLEMENTATION ("pdfas.ldapapi.impl");

-				previous implementation DummyLDAPAPI serves as failback implementation if system

-				property is not set, so version 2.3 provides backward compatibility to version 2.2

-			</action>

-		</release>

-

-		<release version="2.2" date="2006-09-29" description="first release">

-			<action dev="wlackner" type="add">

-				first release of PDF-AS

+				PDF-AS library version is logged in order to lighten

+				bugfixing.

 			</action>

 		</release>