From 620f4f25941188360f64447b9d773a310866f70b Mon Sep 17 00:00:00 2001 From: tknall Date: Thu, 24 Apr 2008 10:34:17 +0000 Subject: Two bug fixed: 1) Unable to find certificate if binary signature does not contain the serial number; 2) Certificates thoese issuer names contain certain RDNs (e.g. EMAILADDRESS) could not be retrieved from certstore. PDF-AS library version is logged in order to lighten bugfixing. git-svn-id: https://joinup.ec.europa.eu/svn/pdf-as/trunk@258 7b5415b0-85f9-ee4d-85bd-d5d0c3b42d1c --- pom.xml | 10 ++-- .../java/at/knowcenter/wag/egov/egiz/PdfAS.java | 6 ++- .../wag/egov/egiz/cfg/SettingsReader.java | 6 +++ .../wag/egov/egiz/sig/SignatureObject.java | 45 +++++++++++----- .../at/knowcenter/wag/egov/egiz/sig/X509Cert.java | 4 -- .../wag/egov/egiz/sig/connectors/BKUConnector.java | 7 ++- .../wag/egov/egiz/sig/connectors/MOAConnector.java | 3 +- src/site/changes.xml | 61 +++++++++------------- 8 files changed, 81 insertions(+), 61 deletions(-) diff --git a/pom.xml b/pom.xml index 92dabc9..08385c7 100644 --- a/pom.xml +++ b/pom.xml @@ -4,12 +4,13 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> 4.0.0 - war + jar knowcenter pdf-as PDF-AS - 3.0.4-20080403 + 3.0.4-20080424 + Amtssignatur fuer elektronische Aktenfuehrung http://egovlabs.gv.at/projects/pdf-as @@ -76,7 +77,7 @@ - ${artifactId} + ${artifactId}-${version} @@ -104,7 +105,7 @@ src/main/assembly/assemble_distribution_ws.xml src/main/assembly/assemble_repository.xml --> - src/main/assembly/assemble_repository.xml + src/main/assembly/assemble_libraries.xml @@ -123,6 +124,7 @@ . development ${pom.url} + ${pom.version} diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java index 5a7d32b..4c0ae44 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java @@ -90,6 +90,8 @@ import com.lowagie.text.pdf.PdfReader; */ public abstract class PdfAS { + + public static final String PDFAS_VERSION = "3.0.4-20080424"; /** * The key of the strict mode setting. */ @@ -865,7 +867,7 @@ public abstract class PdfAS // fixed by tknall if (so_to_be_verified.getX509Cert() == null) { - throw new SignatureException(313, "Document certificate is not defined."); + throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined."); } SignSignatureObject so = SignatureObjectHelper.convertSignatureObjectToSignSignatureObject(so_to_be_verified); @@ -910,7 +912,7 @@ public abstract class PdfAS // added by tknall if (so_to_be_verified.getX509Cert() == null) { - throw new SignatureException(313, "Document certificate is not defined."); + throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined."); } diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java index c58da3f..6481401 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java @@ -32,9 +32,11 @@ import java.util.Enumeration; import java.util.Properties; import java.util.Vector; +import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import at.knowcenter.wag.egov.egiz.PdfAS; import at.knowcenter.wag.egov.egiz.exceptions.SettingNotFoundException; import at.knowcenter.wag.egov.egiz.exceptions.SettingsException; @@ -724,6 +726,10 @@ public class SettingsReader implements Serializable // Does not conform with PKIX, but is used by belgium citizen card // log.info("Registering RDN \"SERIALNUMBER\" as " + ObjectID.serialNumber + "."); RFC2253NameParser.register("SERIALNUMBER", ObjectID.serialNumber); + + String versionString = "* PDF-AS library version " + PdfAS.PDFAS_VERSION + " *"; + String paddingString = StringUtils.repeat("*", versionString.length()); + logger_.info("PDF-AS info\n" + paddingString + "\n" + versionString + "\n" + paddingString); } } \ No newline at end of file diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java index 3437a6e..b4818cd 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java @@ -1099,6 +1099,7 @@ public class SignatureObject implements Serializable if (cert_store_dir.isDirectory()) { String cert_file_name = cert_store_path + FILE_SEP + serial_number + CERT_FILE_EXTENSION; + logger_.debug("Adding cert (issuer=\"" + cert.getIssuerName() + "\", sn=\"" + cert.getSerialNumber() + "\") to certstore: \"" + cert_file_name + "\"."); // boolean store = FileHelper.writeToFile(cert_file_name, cert.getCertString()); // System.err.println("store:" + store + ":" + @@ -1114,6 +1115,16 @@ public class SignatureObject implements Serializable } } } + + private X509Cert loadCertificateFromCertstore(String serialNumber, String issuer) { + String iss_hash = getIssuerFileHash(issuer); + String cert_store_path = certPath_ + iss_hash; + String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION; + if (logger_.isDebugEnabled()) { + logger_.debug("Trying to load cert (issuer=\"" + (issuer != null ? normalizeIssuer(issuer) : issuer) + "\", sn=\"" + serialNumber + "\") from certstore: \"" + cert_file_name + "\"."); + } + return X509Cert.initByFilePath(cert_file_name); + } /** * This method load a X509v3 certificate from the filesystem. The reference to @@ -1154,14 +1165,16 @@ public class SignatureObject implements Serializable X509Cert cert = null; if (issuer != null && serialNumber != null) { - String iss_hash = getIssuerFileHash(issuer); - String cert_store_path = certPath_ + iss_hash; - String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION; - if (logger_.isDebugEnabled()) - { - logger_.debug("load certificate:" + cert_file_name); + cert = loadCertificateFromCertstore(serialNumber, issuer); + if (cert == null) { + logger_.debug("Certificate not found. Trying alternative normalization method."); + try { + Name issuerName = new RFC2253NameParser(issuer).parse(); + cert = loadCertificateFromCertstore(serialNumber, issuerName.getRFC2253String(false)); + } catch (RFC2253NameParserException e) { + logger_.error(e); + } } - cert = X509Cert.initByFilePath(cert_file_name); if (cert == null) { @@ -1180,14 +1193,14 @@ public class SignatureObject implements Serializable storeNewCertificateInLocalStore(cert_data); - // load the local cert - cert = X509Cert.initByFilePath(cert_file_name); - + cert = X509Cert.initByByteArray(cert_data); if (cert == null) { logger_.debug("The certificate should be loaded here, but is null - something's wrong."); } } + } else { + logger_.warn("loadCertificate(\"" + serialNumber + "\", \"" + issuer + "\")"); } return cert; } @@ -1220,9 +1233,15 @@ public class SignatureObject implements Serializable FileOutputStream fos = new FileOutputStream(save_file); fos.write(cert_data); fos.close(); - } - catch (IOException e) - { + // fixed by tknall: if serialnumber or issuername is omitted (binary signature) the + // certificate could not be found in the certstore. The fix sets the issuername and + // serialnumber as long the are known. + X509Cert cert = X509Cert.initByByteArray(cert_data); + if (cert.isX509Cert()) { + this.setSignationSerialNumber(cert.getSerialNumber()); + this.setSignationIssuer(cert.getIssuerName()); + } + } catch (IOException e) { e.printStackTrace(); return; } diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java index 64631cb..71ca754 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java @@ -219,10 +219,6 @@ public class X509Cert implements Serializable */ public static X509Cert initByFilePath(String filePath) { - if (logger_.isDebugEnabled()) - { - logger_.debug("Add cert file:" + filePath); - } if (filePath == null) { return null; diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java index 75e4c31..c9e3fce 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java @@ -22,6 +22,7 @@ import java.util.Properties; import java.util.regex.Matcher; import java.util.regex.Pattern; +import at.gv.egiz.pdfas.exceptions.ErrorCode; import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException; import org.apache.log4j.Level; @@ -368,7 +369,7 @@ public class BKUConnector implements LocalConnector String x509_cert_string = sigObject.getX509CertificateString(); if (x509_cert_string == null) { - SignatureException se = new SignatureException(313, "Document certificate is not defined."); + SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined."); throw se; } String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa"); @@ -410,6 +411,10 @@ public class BKUConnector implements LocalConnector final String string_to_be_hashed = sig_prop_str.substring(hash_start, hash_end); logger_.debug("etsi:SignedProperties string to be hashed: " + string_to_be_hashed); + logger_.debug("\n--------------------- ETSI properties string to be hashed: start ---------------------"); + logger_.debug(string_to_be_hashed); + logger_.debug("\n--------------------- ETSI properties string to be hashed: stop ---------------------"); + final byte [] bytes_to_be_hashed = string_to_be_hashed.getBytes("UTF-8"); sig_prop_code = CodingHelper.buildDigest(bytes_to_be_hashed); } diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java index 4dd3d5e..5e1aeed 100644 --- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java +++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java @@ -31,6 +31,7 @@ import javax.xml.rpc.Call; import javax.xml.rpc.Service; import javax.xml.rpc.ServiceFactory; +import at.gv.egiz.pdfas.exceptions.ErrorCode; import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException; import org.apache.axis.message.SOAPBodyElement; @@ -428,7 +429,7 @@ public class MOAConnector implements Connector String x509Certificate = sigObject.getX509CertificateString(); if (x509Certificate == null) { - SignatureException se = new SignatureException(313, "Document certificate is not defined."); + SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined."); throw se; } String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa"); diff --git a/src/site/changes.xml b/src/site/changes.xml index 488d468..9410600 100644 --- a/src/site/changes.xml +++ b/src/site/changes.xml @@ -6,50 +6,39 @@ - + - - - QualifiedCertificate property (moa/bku) is now being evaluated - - - - - - basic authentication for logging disabled - - - - - - LDAP support added + + + Bug fixed: If we have a binary signature, the + certificate is embedded. So there should be no serial + number needed within the signature block. PDF-AS stores + the certificate in the certstore but tries to load the + certificate via serialnumber and issuername from + certstore, which fails because of the missing serial + number. - - - - - some bugs fixed, algorithms adjusted + + Bug fixed: For storage of the certificate in the + certstore the issuername is taken from the certificate, + normalized and hashed. The base64 value of the hash is + used as the directory name. Loading the certificate from + the certstore, the issuername is taken from the + signature block, normalized and hashed. Some issuernames + (with rdns that are not registered) lead to two + different hash values (one at storage, another at + retrieval), which leads to a certificate not found + exception. - - - - interface for LDAP-API added; - implementing class is declared by system property - at.knowcenter.wag.egov.egiz.sig.LDAPAPI.SYS_PROP_IMPLEMENTATION ("pdfas.ldapapi.impl"); - previous implementation DummyLDAPAPI serves as failback implementation if system - property is not set, so version 2.3 provides backward compatibility to version 2.2 - - - - - - first release of PDF-AS + PDF-AS library version is logged in order to lighten + bugfixing. -- cgit v1.2.3