From 620f4f25941188360f64447b9d773a310866f70b Mon Sep 17 00:00:00 2001
From: tknall <tknall@7b5415b0-85f9-ee4d-85bd-d5d0c3b42d1c>
Date: Thu, 24 Apr 2008 10:34:17 +0000
Subject: Two bug fixed: 1) Unable to find certificate if binary signature does
not contain the serial number; 2) Certificates thoese issuer names contain
certain RDNs (e.g. EMAILADDRESS) could not be retrieved from certstore.
PDF-AS library version is logged in order to lighten bugfixing.
git-svn-id: https://joinup.ec.europa.eu/svn/pdf-as/trunk@258 7b5415b0-85f9-ee4d-85bd-d5d0c3b42d1c
---
.../java/at/knowcenter/wag/egov/egiz/PdfAS.java | 6 ++-
.../wag/egov/egiz/cfg/SettingsReader.java | 6 +++
.../wag/egov/egiz/sig/SignatureObject.java | 45 +++++++++++-----
.../at/knowcenter/wag/egov/egiz/sig/X509Cert.java | 4 --
.../wag/egov/egiz/sig/connectors/BKUConnector.java | 7 ++-
.../wag/egov/egiz/sig/connectors/MOAConnector.java | 3 +-
src/site/changes.xml | 61 +++++++++-------------
7 files changed, 75 insertions(+), 57 deletions(-)
(limited to 'src')
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
index 5a7d32b..4c0ae44 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/PdfAS.java
@@ -90,6 +90,8 @@ import com.lowagie.text.pdf.PdfReader;
*/
public abstract class PdfAS
{
+
+ public static final String PDFAS_VERSION = "3.0.4-20080424";
/**
* The key of the strict mode setting.
*/
@@ -865,7 +867,7 @@ public abstract class PdfAS
// fixed by tknall
if (so_to_be_verified.getX509Cert() == null)
{
- throw new SignatureException(313, "Document certificate is not defined.");
+ throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");
}
SignSignatureObject so = SignatureObjectHelper.convertSignatureObjectToSignSignatureObject(so_to_be_verified);
@@ -910,7 +912,7 @@ public abstract class PdfAS
// added by tknall
if (so_to_be_verified.getX509Cert() == null)
{
- throw new SignatureException(313, "Document certificate is not defined.");
+ throw new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");
}
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
index c58da3f..6481401 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/cfg/SettingsReader.java
@@ -32,9 +32,11 @@ import java.util.Enumeration;
import java.util.Properties;
import java.util.Vector;
+import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import at.knowcenter.wag.egov.egiz.PdfAS;
import at.knowcenter.wag.egov.egiz.exceptions.SettingNotFoundException;
import at.knowcenter.wag.egov.egiz.exceptions.SettingsException;
@@ -724,6 +726,10 @@ public class SettingsReader implements Serializable
// Does not conform with PKIX, but is used by belgium citizen card
// log.info("Registering RDN \"SERIALNUMBER\" as " + ObjectID.serialNumber + ".");
RFC2253NameParser.register("SERIALNUMBER", ObjectID.serialNumber);
+
+ String versionString = "* PDF-AS library version " + PdfAS.PDFAS_VERSION + " *";
+ String paddingString = StringUtils.repeat("*", versionString.length());
+ logger_.info("PDF-AS info\n" + paddingString + "\n" + versionString + "\n" + paddingString);
}
}
\ No newline at end of file
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
index 3437a6e..b4818cd 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/SignatureObject.java
@@ -1099,6 +1099,7 @@ public class SignatureObject implements Serializable
if (cert_store_dir.isDirectory())
{
String cert_file_name = cert_store_path + FILE_SEP + serial_number + CERT_FILE_EXTENSION;
+ logger_.debug("Adding cert (issuer=\"" + cert.getIssuerName() + "\", sn=\"" + cert.getSerialNumber() + "\") to certstore: \"" + cert_file_name + "\".");
// boolean store =
FileHelper.writeToFile(cert_file_name, cert.getCertString());
// System.err.println("store:" + store + ":" +
@@ -1114,6 +1115,16 @@ public class SignatureObject implements Serializable
}
}
}
+
+ private X509Cert loadCertificateFromCertstore(String serialNumber, String issuer) {
+ String iss_hash = getIssuerFileHash(issuer);
+ String cert_store_path = certPath_ + iss_hash;
+ String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION;
+ if (logger_.isDebugEnabled()) {
+ logger_.debug("Trying to load cert (issuer=\"" + (issuer != null ? normalizeIssuer(issuer) : issuer) + "\", sn=\"" + serialNumber + "\") from certstore: \"" + cert_file_name + "\".");
+ }
+ return X509Cert.initByFilePath(cert_file_name);
+ }
/**
* This method load a X509v3 certificate from the filesystem. The reference to
@@ -1154,14 +1165,16 @@ public class SignatureObject implements Serializable
X509Cert cert = null;
if (issuer != null && serialNumber != null)
{
- String iss_hash = getIssuerFileHash(issuer);
- String cert_store_path = certPath_ + iss_hash;
- String cert_file_name = cert_store_path + FILE_SEP + serialNumber + CERT_FILE_EXTENSION;
- if (logger_.isDebugEnabled())
- {
- logger_.debug("load certificate:" + cert_file_name);
+ cert = loadCertificateFromCertstore(serialNumber, issuer);
+ if (cert == null) {
+ logger_.debug("Certificate not found. Trying alternative normalization method.");
+ try {
+ Name issuerName = new RFC2253NameParser(issuer).parse();
+ cert = loadCertificateFromCertstore(serialNumber, issuerName.getRFC2253String(false));
+ } catch (RFC2253NameParserException e) {
+ logger_.error(e);
+ }
}
- cert = X509Cert.initByFilePath(cert_file_name);
if (cert == null)
{
@@ -1180,14 +1193,14 @@ public class SignatureObject implements Serializable
storeNewCertificateInLocalStore(cert_data);
- // load the local cert
- cert = X509Cert.initByFilePath(cert_file_name);
-
+ cert = X509Cert.initByByteArray(cert_data);
if (cert == null)
{
logger_.debug("The certificate should be loaded here, but is null - something's wrong.");
}
}
+ } else {
+ logger_.warn("loadCertificate(\"" + serialNumber + "\", \"" + issuer + "\")");
}
return cert;
}
@@ -1220,9 +1233,15 @@ public class SignatureObject implements Serializable
FileOutputStream fos = new FileOutputStream(save_file);
fos.write(cert_data);
fos.close();
- }
- catch (IOException e)
- {
+ // fixed by tknall: if serialnumber or issuername is omitted (binary signature) the
+ // certificate could not be found in the certstore. The fix sets the issuername and
+ // serialnumber as long the are known.
+ X509Cert cert = X509Cert.initByByteArray(cert_data);
+ if (cert.isX509Cert()) {
+ this.setSignationSerialNumber(cert.getSerialNumber());
+ this.setSignationIssuer(cert.getIssuerName());
+ }
+ } catch (IOException e) {
e.printStackTrace();
return;
}
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
index 64631cb..71ca754 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/X509Cert.java
@@ -219,10 +219,6 @@ public class X509Cert implements Serializable
*/
public static X509Cert initByFilePath(String filePath)
{
- if (logger_.isDebugEnabled())
- {
- logger_.debug("Add cert file:" + filePath);
- }
if (filePath == null)
{
return null;
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
index 75e4c31..c9e3fce 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/BKUConnector.java
@@ -22,6 +22,7 @@ import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import at.gv.egiz.pdfas.exceptions.ErrorCode;
import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException;
import org.apache.log4j.Level;
@@ -368,7 +369,7 @@ public class BKUConnector implements LocalConnector
String x509_cert_string = sigObject.getX509CertificateString();
if (x509_cert_string == null)
{
- SignatureException se = new SignatureException(313, "Document certificate is not defined.");
+ SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");
throw se;
}
String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa");
@@ -410,6 +411,10 @@ public class BKUConnector implements LocalConnector
final String string_to_be_hashed = sig_prop_str.substring(hash_start, hash_end);
logger_.debug("etsi:SignedProperties string to be hashed: " + string_to_be_hashed);
+ logger_.debug("\n--------------------- ETSI properties string to be hashed: start ---------------------");
+ logger_.debug(string_to_be_hashed);
+ logger_.debug("\n--------------------- ETSI properties string to be hashed: stop ---------------------");
+
final byte [] bytes_to_be_hashed = string_to_be_hashed.getBytes("UTF-8");
sig_prop_code = CodingHelper.buildDigest(bytes_to_be_hashed);
}
diff --git a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
index 4dd3d5e..5e1aeed 100644
--- a/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
+++ b/src/main/java/at/knowcenter/wag/egov/egiz/sig/connectors/MOAConnector.java
@@ -31,6 +31,7 @@ import javax.xml.rpc.Call;
import javax.xml.rpc.Service;
import javax.xml.rpc.ServiceFactory;
+import at.gv.egiz.pdfas.exceptions.ErrorCode;
import at.gv.egiz.pdfas.exceptions.external.ExternalErrorException;
import org.apache.axis.message.SOAPBodyElement;
@@ -428,7 +429,7 @@ public class MOAConnector implements Connector
String x509Certificate = sigObject.getX509CertificateString();
if (x509Certificate == null)
{
- SignatureException se = new SignatureException(313, "Document certificate is not defined.");
+ SignatureException se = new SignatureException(ErrorCode.CERTIFICATE_NOT_FOUND, "Document certificate is not defined.");
throw se;
}
String cert_alg = settings_.getValueFromKey("cert.alg.ecdsa");
diff --git a/src/site/changes.xml b/src/site/changes.xml
index 488d468..9410600 100644
--- a/src/site/changes.xml
+++ b/src/site/changes.xml
@@ -6,50 +6,39 @@
</properties>
<body>
-
+
<!--
<release version="major.minor" date="yyyy-MM-dd" description="foo">
- <action dev="foo" type="add|update|fix|remove">foo</action>
+ <action dev="foo" type="add|update|fix|remove">foo</action>
</release>
-->
- <release version="2.34" date="2007-01-10" description="subsequent release">
- <action dev="tknall" type="add">
- QualifiedCertificate property (moa/bku) is now being evaluated
- </action>
- </release>
-
- <release version="2.33" date="2006-12-14" description="subsequent release">
- <action dev="tknall" type="update">
- basic authentication for logging disabled
- </action>
- </release>
-
- <release version="2.32" date="2006-12-13" description="subsequent release">
- <action dev="tknall" type="add">
- LDAP support added
+ <release version="3.0.4" date="2008-04-24"
+ description="first release">
+ <action dev="tknall" type="fix">
+ Bug fixed: If we have a binary signature, the
+ certificate is embedded. So there should be no serial
+ number needed within the signature block. PDF-AS stores
+ the certificate in the certstore but tries to load the
+ certificate via serialnumber and issuername from
+ certstore, which fails because of the missing serial
+ number.
</action>
- </release>
-
- <release version="2.31" date="2006-12-07" description="subsequent release">
- <action dev="wlackner" type="fix">
- some bugs fixed, algorithms adjusted
+ <action dev="tknall" type="fix">
+ Bug fixed: For storage of the certificate in the
+ certstore the issuername is taken from the certificate,
+ normalized and hashed. The base64 value of the hash is
+ used as the directory name. Loading the certificate from
+ the certstore, the issuername is taken from the
+ signature block, normalized and hashed. Some issuernames
+ (with rdns that are not registered) lead to two
+ different hash values (one at storage, another at
+ retrieval), which leads to a certificate not found
+ exception.
</action>
- </release>
-
- <release version="2.3" date="2006-12-01" description="subsequent release">
<action dev="tknall" type="add">
- interface for LDAP-API added;
- implementing class is declared by system property
- at.knowcenter.wag.egov.egiz.sig.LDAPAPI.SYS_PROP_IMPLEMENTATION ("pdfas.ldapapi.impl");
- previous implementation DummyLDAPAPI serves as failback implementation if system
- property is not set, so version 2.3 provides backward compatibility to version 2.2
- </action>
- </release>
-
- <release version="2.2" date="2006-09-29" description="first release">
- <action dev="wlackner" type="add">
- first release of PDF-AS
+ PDF-AS library version is logged in order to lighten
+ bugfixing.
</action>
</release>
--
cgit v1.2.3