aboutsummaryrefslogtreecommitdiff
path: root/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2018-07-09 10:11:25 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2018-07-09 10:11:25 +0200
commit9acf3c2e8aca9016daf76785747d838cdc5b0330 (patch)
treef97d392a8eff4906c961128e231926a76829a4c8 /pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets
parent797634c687c6f44d314e4baa3fed220d142eed73 (diff)
downloadpdf-as-4-9acf3c2e8aca9016daf76785747d838cdc5b0330.tar.gz
pdf-as-4-9acf3c2e8aca9016daf76785747d838cdc5b0330.tar.bz2
pdf-as-4-9acf3c2e8aca9016daf76785747d838cdc5b0330.zip
add SL20 connecter-backend in a first beta version (getCertificate looks good, create signature is untested)
Diffstat (limited to 'pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets')
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java4
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java8
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/JSONAPIServlet.java11
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java234
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/UIEntryPointServlet.java11
5 files changed, 263 insertions, 5 deletions
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
index 45861953..50c3b063 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
@@ -93,11 +93,11 @@ public class DataURLServlet extends HttpServlet {
if(jaxbObject.getValue() instanceof InfoboxReadResponseType) {
InfoboxReadResponseType infoboxReadResponseType = (InfoboxReadResponseType)jaxbObject.getValue();
logger.info("Got InfoboxReadResponseType");
- PdfAsHelper.injectCertificate(request, response, infoboxReadResponseType, getServletContext());
+ PdfAsHelper.injectCertificate(request, response, PdfAsHelper.getCertificate(infoboxReadResponseType), getServletContext());
} else if(jaxbObject.getValue() instanceof CreateCMSSignatureResponseType) {
CreateCMSSignatureResponseType createCMSSignatureResponseType = (CreateCMSSignatureResponseType)jaxbObject.getValue();
logger.info("Got CreateCMSSignatureResponseType");
- PdfAsHelper.injectSignature(request, response, createCMSSignatureResponseType, getServletContext());
+ PdfAsHelper.injectSignature(request, response, createCMSSignatureResponseType.getCMSSignature(), getServletContext());
} else if(jaxbObject.getValue() instanceof ErrorResponseType) {
ErrorResponseType errorResponseType = (ErrorResponseType)jaxbObject.getValue();
logger.warn("SecurityLayer: " + errorResponseType.getErrorCode() + " " + errorResponseType.getInfo());
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
index 3cea5247..1d2ab14e 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java
@@ -354,7 +354,8 @@ public class ExternSignServlet extends HttpServlet {
logger.debug("Starting signature creation with: " + connector);
//IPlainSigner signer;
- if (connector.equals("bku") || connector.equals("onlinebku") || connector.equals("mobilebku")) {
+ if (connector.equals("bku") || connector.equals("onlinebku") || connector.equals("mobilebku")
+ || connector.equals("sl20")) {
// start asynchronous signature creation
if(connector.equals("bku")) {
@@ -372,6 +373,11 @@ public class ExternSignServlet extends HttpServlet {
throw new PdfAsWebException("Invalid connector bku is not supported");
}
}
+ if (connector.equals("sl20")) {
+ if(WebConfiguration.getSecurityLayer20URL() == null) {
+ throw new PdfAsWebException("Invalid connector bku is not supported");
+ }
+ }
PdfAsHelper.setStatisticEvent(request, response, statisticEvent);
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/JSONAPIServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/JSONAPIServlet.java
index 0cee185a..13d874e8 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/JSONAPIServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/JSONAPIServlet.java
@@ -119,7 +119,9 @@ public class JSONAPIServlet extends HttpServlet {
connectorEnum = PDFASSignParameters.Connector.MOBILEBKU;
} else if(PDFASSignParameters.Connector.ONLINEBKU.equalsName(connector)) {
connectorEnum = PDFASSignParameters.Connector.ONLINEBKU;
- }
+ } else if(PDFASSignParameters.Connector.SECLAYER20.equalsName(connector)) {
+ connectorEnum = PDFASSignParameters.Connector.SECLAYER20;
+ }
if(connectorEnum == null) {
throw new ServletException(
@@ -212,6 +214,13 @@ public class JSONAPIServlet extends HttpServlet {
"Invalid connector mobilebku is not supported");
}
}
+
+ if (PDFASSignParameters.Connector.SECLAYER20.equals(connectorEnum)) {
+ if (WebConfiguration.getSecurityLayer20URL() == null) {
+ throw new PdfAsWebException(
+ "Invalid connector mobilebku is not supported");
+ }
+ }
PdfAsHelper.startSignatureJson(request, response, getServletContext(),
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
new file mode 100644
index 00000000..7ddf0a55
--- /dev/null
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/SLDataURLServlet.java
@@ -0,0 +1,234 @@
+package at.gv.egiz.pdfas.web.servlets;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.MultipartConfig;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.jose4j.base64url.Base64Url;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+
+import at.gv.egiz.pdfas.lib.util.StreamUtils;
+import at.gv.egiz.pdfas.web.config.WebConfiguration;
+import at.gv.egiz.pdfas.web.helper.PdfAsHelper;
+import at.gv.egiz.pdfas.web.sl20.JsonSecurityUtils;
+import at.gv.egiz.pdfas.web.sl20.X509Utils;
+import at.gv.egiz.sl20.data.VerificationResult;
+import at.gv.egiz.sl20.exceptions.SL20Exception;
+import at.gv.egiz.sl20.exceptions.SL20SecurityException;
+import at.gv.egiz.sl20.exceptions.SLCommandoParserException;
+import at.gv.egiz.sl20.utils.SL20Constants;
+import at.gv.egiz.sl20.utils.SL20JSONExtractorUtils;
+
+@MultipartConfig
+public class SLDataURLServlet extends HttpServlet {
+
+ private static final Logger logger = LoggerFactory
+ .getLogger(SLDataURLServlet.class);
+
+ private static final long serialVersionUID = 1L;
+
+ /**
+ * @see HttpServlet#HttpServlet()
+ */
+ public SLDataURLServlet() {
+ super();
+ }
+
+ /**
+ * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doGet(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+ this.process(request, response);
+ }
+
+ /**
+ * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
+ * response)
+ */
+ protected void doPost(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+ this.process(request, response);
+ }
+
+ protected void process(HttpServletRequest request,
+ HttpServletResponse response) throws ServletException, IOException {
+
+ JsonObject sl20ReqObj = null;
+ try {
+ if(!PdfAsHelper.checkDataUrlAccess(request)) {
+ throw new Exception("No valid dataURL access");
+ }
+
+ PdfAsHelper.setFromDataUrl(request);
+
+ String sl20Result = request.getParameter(SL20Constants.PARAM_SL20_REQ_COMMAND_PARAM);
+ if (StringUtils.isEmpty(sl20Result)) {
+ //Workaround for SIC Handy-Signature, because it sends result in InputStream
+ String isReqInput = StreamUtils.readStream(request.getInputStream(), "UTF-8");
+ if (StringUtils.isNotEmpty(isReqInput)) {
+ logger.info("Use SIC Handy-Signature work-around!");
+ sl20Result = isReqInput.substring("slcommand=".length());
+
+ } else {
+ logger.info("NO SL2.0 commando or result FOUND.");
+ throw new SL20Exception("sl20.04", null);
+ }
+
+ }
+
+ logger.trace("Received SL2.0 result: " + sl20Result);
+
+ //parse SL2.0 command/result into JSON
+ try {
+ JsonParser jsonParser = new JsonParser();
+ JsonElement sl20Req = jsonParser.parse(Base64Url.decodeToUtf8String(sl20Result));
+ sl20ReqObj = sl20Req.getAsJsonObject();
+
+ } catch (JsonSyntaxException e) {
+ logger.warn("SL2.0 command or result is NOT valid JSON.", e);
+ logger.debug("SL2.0 msg: " + sl20Result);
+ throw new SL20Exception("sl20.02", e);
+
+ }
+
+ //extract transactionId
+ String transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+ if (StringUtils.isNotEmpty(transactionId))
+ request.setAttribute(PdfAsHelper.PDF_SESSION_PREFIX + SL20Constants.SL20_TRANSACTIONID, transactionId);
+
+
+ //validate reqId with inResponseTo
+ String sl20ReqId = (String) request.getSession(false).getAttribute(PdfAsHelper.PDF_SESSION_PREFIX + SL20Constants.SL20_REQID);
+ String inRespTo = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_INRESPTO, true);
+ if (sl20ReqId == null || !sl20ReqId.equals(inRespTo)) {
+ logger.info("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+ throw new SL20SecurityException("SL20 'reqId': " + sl20ReqId + " does NOT match to 'inResponseTo':" + inRespTo);
+ }
+
+ JsonSecurityUtils joseTools = JsonSecurityUtils.getInstance();
+ if (!joseTools.isInitialized())
+ joseTools = null;
+
+ //validate signature
+ VerificationResult payLoadContainer = SL20JSONExtractorUtils.extractSL20PayLoad(sl20ReqObj, joseTools,
+ WebConfiguration.isSL20SigningRequired());
+
+ if ( (payLoadContainer.isValidSigned() == null || !payLoadContainer.isValidSigned())) {
+ if (WebConfiguration.isSL20SigningRequired()) {
+ logger.info("SL20 result from VDA was not valid signed");
+ throw new SL20SecurityException("Signature on SL20 result NOT valid.");
+
+ } else {
+ logger.warn("SL20 result from VDA is NOT valid signed, but signatures-verification is DISABLED by configuration!");
+
+ }
+ }
+
+ //extract payloaf
+ JsonObject payLoad = payLoadContainer.getPayload();
+
+ //check response type
+ if (SL20JSONExtractorUtils.getStringValue(
+ payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
+ .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_GETCERTIFICATE)) {
+ logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_GETCERTIFICATE + " result .... ");
+
+ JsonElement getCertificateResult = SL20JSONExtractorUtils.extractSL20Result(
+ payLoad, joseTools,
+ WebConfiguration.isSL20EncryptionRequired());
+
+ //extract certificates
+ List<String> certsB64 = SL20JSONExtractorUtils.getListOfStringElements(getCertificateResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_GETCERTIFICATE_RESULT_CERTIFICATE,
+ true);
+
+ if (certsB64.isEmpty()) {
+ logger.warn("SL20 'getCertificate' result contains NO certificate");
+ throw new SLCommandoParserException();
+
+ } else if (certsB64.size() == 1) {
+ logger.debug("SL20 'getCertificate' result contains only one certificate");
+ PdfAsHelper.injectCertificate(request, response, Base64.getDecoder().decode(certsB64.get(0)), getServletContext());
+
+ } else {
+ logger.debug("SL20 'getCertificate' result contains more than one certificate. Certificates must be sorted ... ");
+ List<X509Certificate> certs = new ArrayList<X509Certificate>();
+ for (String certB64 : certsB64)
+ certs.add(new iaik.x509.X509Certificate(Base64.getDecoder().decode(certB64)));
+
+ List<X509Certificate> sortedCerts = X509Utils.sortCertificates(certs);
+ logger.debug("Sorting of certificate completed. Select end-user certificate ... ");
+ PdfAsHelper.injectCertificate(request, response, Base64.getDecoder().decode(sortedCerts.get(0).getEncoded()), getServletContext());
+
+ }
+
+ } else if (SL20JSONExtractorUtils.getStringValue(
+ payLoad, SL20Constants.SL20_COMMAND_CONTAINER_NAME, true)
+ .equals(SL20Constants.SL20_COMMAND_IDENTIFIER_CREATE_SIG_CADES)) {
+ logger.debug("Find " + SL20Constants.SL20_COMMAND_IDENTIFIER_CREATE_SIG_CADES + " result .... ");
+
+ JsonElement getCertificateResult = SL20JSONExtractorUtils.extractSL20Result(
+ payLoad, joseTools,
+ WebConfiguration.isSL20EncryptionRequired());
+
+ //extract CAdES signature
+ String cadesSigB64 = SL20JSONExtractorUtils.getStringValue(
+ getCertificateResult.getAsJsonObject(),
+ SL20Constants.SL20_COMMAND_PARAM_CREATE_SIG_CADES_RESULT_SIGNATURE,
+ true);
+
+ if (StringUtils.isEmpty(cadesSigB64)) {
+ logger.warn("SL20 'createCAdES' result contains NO signature");
+ throw new SLCommandoParserException();
+ }
+
+ PdfAsHelper.injectSignature(request, response, Base64.getDecoder().decode(cadesSigB64), getServletContext());
+
+ } else {
+ logger.info("SL20 response is NOT a " + SL20Constants.SL20_COMMAND_IDENTIFIER_QUALIFIEDEID + " result");
+ throw new SLCommandoParserException();
+
+ }
+
+ } catch (Exception e) {
+ logger.warn("Error in DataURL Servlet. " , e);
+ PdfAsHelper.setSessionException(request, response, e.getMessage(),
+ e);
+
+ if (PdfAsHelper.getFromDataUrl(request)) {
+ String errorUrl = PdfAsHelper.generateErrorURL(request, response);
+ try {
+ String transactionId = null;
+ if (sl20ReqObj != null)
+ transactionId = SL20JSONExtractorUtils.getStringValue(sl20ReqObj, SL20Constants.SL20_TRANSACTIONID, false);
+
+ PdfAsHelper.buildSL20RedirectResponse(request, response, transactionId, errorUrl);
+
+ } catch (SL20Exception e1) {
+ logger.error("SL20 error-handling FAILED", e);
+ response.sendError(500, "Internal Server Error.");
+
+ }
+
+ } else
+ PdfAsHelper.gotoError(getServletContext(), request, response);
+ }
+ }
+}
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/UIEntryPointServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/UIEntryPointServlet.java
index e8ac3658..73f8299c 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/UIEntryPointServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/UIEntryPointServlet.java
@@ -131,7 +131,8 @@ public class UIEntryPointServlet extends HttpServlet {
// IPlainSigner signer;
if (connector.equals(Connector.BKU)
|| connector.equals(Connector.ONLINEBKU)
- || connector.equals(Connector.MOBILEBKU)) {
+ || connector.equals(Connector.MOBILEBKU)
+ || connector.equals(Connector.SECLAYER20)) {
// start asynchronous signature creation
if (connector.equals(Connector.BKU)) {
@@ -154,6 +155,14 @@ public class UIEntryPointServlet extends HttpServlet {
"Invalid connector mobilebku is not supported");
}
}
+
+ if (connector.equals(Connector.SECLAYER20)) {
+ if (WebConfiguration.getSecurityLayer20URL() == null) {
+ throw new PdfAsWebException(
+ "Invalid connector mobilebku is not supported");
+ }
+ }
+
Map<String, String> map = null;
if (pdfAsRequest.getParameters().getPreprocessor() != null) {
map = pdfAsRequest.getParameters().getPreprocessor()