From e210f9d25fb530a2650059390f12a7e8ecec48b3 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Tue, 28 Jan 2014 13:49:33 +0100 Subject: PDF-AS cleanups --- .../gv/egiz/pdfas/web/config/WebConfiguration.java | 4 ++ .../at/gv/egiz/pdfas/web/helper/DigestHelper.java | 27 ++++++++++++++ .../at/gv/egiz/pdfas/web/helper/PdfAsHelper.java | 43 +++++++++++++++++++--- .../pdfas/web/helper/PdfAsParameterExtractor.java | 12 ------ .../gv/egiz/pdfas/web/helper/RemotePDFFetcher.java | 1 + .../egiz/pdfas/web/servlets/ExternSignServlet.java | 14 +++++-- .../at/gv/egiz/pdfas/web/servlets/PDFData.java | 24 ++++++++++++ 7 files changed, 103 insertions(+), 22 deletions(-) create mode 100644 pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/DigestHelper.java (limited to 'pdf-as-web/src/main/java') diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java index 3c6a7f21..6609e51d 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java @@ -108,4 +108,8 @@ public class WebConfiguration { return false; } + public static boolean isProvidePdfURLinWhitelist(String url) { + //TODO implement whitelisting for pdfURLS + return false; + } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/DigestHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/DigestHelper.java new file mode 100644 index 00000000..af002da4 --- /dev/null +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/DigestHelper.java @@ -0,0 +1,27 @@ +package at.gv.egiz.pdfas.web.helper; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; + +import org.apache.commons.codec.binary.Hex; + +public class DigestHelper { + + public static final String SHA1 = "SHA-1"; + public static final String SHA224 = "SHA-224"; + public static final String SHA256 = "SHA-256"; + public static final String SHA384 = "SHA-384"; + public static final String SHA512 = "SHA-512"; + + public static String DefaulAlgorithm = SHA256; + + public static String getHexEncodedHash(byte[] data) throws NoSuchAlgorithmException { + return getHexEncodedHash(data, DefaulAlgorithm); + } + + public static String getHexEncodedHash(byte[] data, String algorithm) throws NoSuchAlgorithmException { + MessageDigest md = MessageDigest.getInstance(algorithm); + byte[] hash = md.digest(data); + return Hex.encodeHexString(hash); + } +} diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java index e61a113a..2f62269b 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java @@ -20,6 +20,7 @@ import org.slf4j.LoggerFactory; import com.lowagie.text.html.WebColors; +import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.lib.api.ByteArrayDataSink; import at.gv.egiz.pdfas.lib.api.ByteArrayDataSource; import at.gv.egiz.pdfas.lib.api.Configuration; @@ -65,6 +66,8 @@ public class PdfAsHelper { private static final String PDF_ERR_URL = "PDF_ERR_URL"; private static final String PDF_INVOKE_URL = "PDF_INVOKE_URL"; private static final String REQUEST_FROM_DU = "REQ_DATA_URL"; + private static final String SIGNATURE_DATA_HASH = "SIGNATURE_DATA_HASH"; + private static final String SIGNATURE_ACTIVE = "SIGNATURE_ACTIVE"; private static final Logger logger = LoggerFactory .getLogger(PdfAsHelper.class); @@ -110,7 +113,7 @@ public class PdfAsHelper { } } } - + private static String buildPosString(HttpServletRequest request, HttpServletResponse response) throws PdfAsWebException { String posP = PdfAsParameterExtractor.getSigPosP(request); @@ -177,11 +180,6 @@ public class PdfAsHelper { return sb.toString(); } - public static void doSignature(HttpServletRequest request, - HttpServletResponse response, byte[] pdfData) throws Exception { - - } - /** * Create synchronous PDF Signature * @@ -242,6 +240,13 @@ public class PdfAsHelper { HttpServletResponse response, ServletContext context, byte[] pdfData) throws Exception { + // TODO: Protect session so that only one PDF can be signed during one session + /*if(PdfAsHelper.isSignatureActive(request)) { + throw new PdfAsException("Signature is active in this session"); + } + + PdfAsHelper.setSignatureActive(request, true);*/ + validatePdfSize(request, response, pdfData); HttpSession session = request.getSession(); @@ -609,4 +614,30 @@ public class PdfAsHelper { } return false; } + + public static void setSignatureDataHash(HttpServletRequest request, String value) { + request.setAttribute(SIGNATURE_DATA_HASH, value); + } + + public static String getSignatureDataHash(HttpServletRequest request) { + Object obj = request.getAttribute(SIGNATURE_DATA_HASH); + if (obj != null) { + return obj.toString(); + } + return ""; + } + + public static void setSignatureActive(HttpServletRequest request, boolean value) { + request.setAttribute(SIGNATURE_ACTIVE, new Boolean(value)); + } + + public static boolean isSignatureActive(HttpServletRequest request) { + Object obj = request.getAttribute(SIGNATURE_ACTIVE); + if (obj != null) { + if (obj instanceof Boolean) { + return ((Boolean) obj).booleanValue(); + } + } + return false; + } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java index 5a79bb4a..4d6ad1fe 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsParameterExtractor.java @@ -70,16 +70,4 @@ public class PdfAsParameterExtractor { public static String getSigPosW(HttpServletRequest request) { return (String)request.getAttribute(PARAM_SIG_POS_W); } - - // legacy Parameter - public static final String PARAM_PDF_ID = "pdf-id"; - public static final String PARAM_SESSION_ID = "session-id"; - - public static String getPdfId(HttpServletRequest request) { - return (String)request.getAttribute(PARAM_PDF_ID); - } - - public static String getSessionId(HttpServletRequest request) { - return (String)request.getAttribute(PARAM_SESSION_ID); - } } diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java index 7c90dbc8..9532e074 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/RemotePDFFetcher.java @@ -17,6 +17,7 @@ public class RemotePDFFetcher { throw new PdfAsWebException("Not a valid URL!", e); } if(url.getProtocol().equals("http") || url.getProtocol().equals("https")) { + try { InputStream is = url.openStream(); return StreamUtils.inputStreamToByteArray(is); diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java index c96225bd..3a6bc971 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/ExternSignServlet.java @@ -2,7 +2,6 @@ package at.gv.egiz.pdfas.web.servlets; import java.io.File; import java.io.IOException; -import java.io.PrintWriter; import java.util.List; import javax.servlet.ServletException; @@ -18,14 +17,12 @@ import org.slf4j.LoggerFactory; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.lib.api.sign.IPlainSigner; -import at.gv.egiz.pdfas.sigs.pades.PAdESSigner; import at.gv.egiz.pdfas.web.config.WebConfiguration; import at.gv.egiz.pdfas.web.exception.PdfAsWebException; +import at.gv.egiz.pdfas.web.helper.DigestHelper; import at.gv.egiz.pdfas.web.helper.PdfAsHelper; import at.gv.egiz.pdfas.web.helper.PdfAsParameterExtractor; import at.gv.egiz.pdfas.web.helper.RemotePDFFetcher; -import at.gv.egiz.sl.util.BKUSLConnector; -import at.gv.egiz.sl.util.MOAConnector; /** * Servlet implementation class Sign @@ -209,6 +206,15 @@ public class ExternSignServlet extends HttpServlet { String errorUrl = PdfAsParameterExtractor.getInvokeErrorURL(request); PdfAsHelper.setErrorURL(request, response, errorUrl); + if(pdfData == null) { + throw new PdfAsException("No Signature data available"); + } + + String pdfDataHash = DigestHelper.getHexEncodedHash(pdfData); + + PdfAsHelper.setSignatureDataHash(request, pdfDataHash); + logger.debug("Storing signatures data hash: " + pdfDataHash); + logger.debug("Starting signature creation with: " + connector); IPlainSigner signer; diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFData.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFData.java index 6ce0e1c9..9bf66fe9 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFData.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/PDFData.java @@ -8,14 +8,23 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + import at.gv.egiz.pdfas.web.helper.PdfAsHelper; /** * Servlet implementation class PDFData */ public class PDFData extends HttpServlet { + private static final long serialVersionUID = 1L; + private static final Logger logger = LoggerFactory + .getLogger(PDFData.class); + + private static String ORIGINAL_DIGEST = "origdigest"; + /** * @see HttpServlet#HttpServlet() */ @@ -45,7 +54,22 @@ public class PDFData extends HttpServlet { HttpServletResponse response) throws ServletException, IOException { byte[] signedData = PdfAsHelper.getSignedPdf(request, response); + String plainPDFDigest = request.getParameter(ORIGINAL_DIGEST); + if (signedData != null) { + if(plainPDFDigest != null) { + String signatureDataHash = PdfAsHelper.getSignatureDataHash(request); + if(!plainPDFDigest.equalsIgnoreCase(signatureDataHash)) { + logger.error("Digest Hash mismatch!"); + logger.error("Requested digest: " + plainPDFDigest); + logger.error("Saved digest: " + signatureDataHash); + + PdfAsHelper.setSessionException(request, response, + "Signature Data digest do not match!", null); + PdfAsHelper.gotoError(getServletContext(), request, response); + return; + } + } response.setContentType("application/pdf"); OutputStream os = response.getOutputStream(); os.write(signedData); -- cgit v1.2.3