ProcessSignedMessage.java
/*
* AdroitLogic UltraESB Enterprise Service Bus
*
* Copyright (c) 2010-2012 AdroitLogic Private Ltd. (http://adroitlogic.org). All Rights Reserved.
*
* GNU Affero General Public License Usage
*
* This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
* Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for
* more details.
*
* You should have received a copy of the GNU Affero General Public License along with this program (See LICENSE-AGPL.TXT).
* If not, see http://www.gnu.org/licenses/agpl-3.0.html
*
* Commercial Usage
*
* Licensees holding valid UltraESB Commercial licenses may use this file in accordance with the UltraESB Commercial
* License Agreement provided with the Software or, alternatively, in accordance with the terms contained in a written
* agreement between you and AdroitLogic.
*
* If you are unsure which license is appropriate for your use, or have questions regarding the use of this file,
* please contact AdroitLogic at info@adroitlogic.com
*/
/*
* Modificato da Link.it (https://link.it) per supportare le seguenti funzionalità:
* - firma e cifratura degli attachments
* - cifratura con chiave simmetrica
* - supporto CRL
*
* Copyright (c) 2011-2024 Link.it srl (https://link.it).
*
*/
package org.openspcoop2.security.message.soapbox;
import java.security.cert.X509Certificate;
import org.adroitlogic.soapbox.CryptoUtil;
import org.adroitlogic.soapbox.MessageSecurityContext;
import org.adroitlogic.soapbox.Processor;
import org.adroitlogic.soapbox.SBConstants;
import org.adroitlogic.soapbox.SecurityFailureException;
import org.openspcoop2.message.OpenSPCoop2SoapMessage;
import org.openspcoop2.security.message.signature.XMLSecEnvelopeIdResolver;
import org.openspcoop2.utils.LoggerWrapperFactory;
import org.slf4j.Logger;
import org.w3c.dom.Element;
/**
* ProcessSignedMessage
*
* Author of the original AdroitLogic code:
* @author asankha
*
* Authors of the Link.it modification to the code:
* @author Andrea Poli (apoli@link.it)
* @author Giovanni Bussu (bussu@link.it)
* @author $Author$
* @version $Rev$, $Date$
*/
public class ProcessSignedMessage implements Processor {
private OpenSPCoop2SoapMessage message;
public void setMessage(OpenSPCoop2SoapMessage message) {
this.message = message;
}
private String actor;
private boolean mustUnderstand;
public void setActor(String actor) {
this.actor = actor;
}
public void setMustUnderstand(boolean mustUnderstand) {
this.mustUnderstand = mustUnderstand;
}
private X509Certificate [] certificates = null;
public X509Certificate[] getCertificates() {
return this.certificates;
}
private static final Logger logger = LoggerWrapperFactory.getLogger(ProcessSignedMessage.class);
@Override
public void process(org.adroitlogic.soapbox.SecurityConfig secConfig, MessageSecurityContext msgSecCtx) {
//System.out.println("PROCESS SIGN XMLSEC["+this.useXMLSec+"]");
// ** Recupero header WSSecurity **
Element wsseSecurityElem = null;
try{
wsseSecurityElem = WSSUtils.getWSSecurityHeader(msgSecCtx.getDocument(), this.actor, this.mustUnderstand);
}catch(Exception e){
throw new SecurityFailureException(e.getMessage(), e);
}
// ** Recupero elemento Signaure **
Element elemSignature = CryptoUtil.getSecurityProcessorElement(wsseSecurityElem, SBConstants.DS, "Signature");
if (elemSignature == null) {
if (ProcessSignedMessage.logger.isDebugEnabled()) {
ProcessSignedMessage.logger.debug("Message is not signed - skipping ProcessSignedMessage");
}
throw new SecurityFailureException("WS-Security failure - Message is not signed");
}
// *** 1. Prepare to verify signature engine***
// NOTA:
// Vi sono fondamentalmente due versioni di XMLSignature con classi correlate.
// - com.sun.org.apache.xml.internal.security.signature: presente nel runtime di java
// - org.apache.xml.security.signature: presente in xmlsec-2.1.7.jar
//
// A seconda della versione utilizzata devono essere implementate delle classi a corredo:
// - com.sun.org.apache.xml.internal.security.transforms.TransformSpi implementato tramite org.openspcoop2.security.message.signature.SunAttachmentContentTransform
// - org.apache.xml.security.transforms.TransformSpi implementato tramite org.openspcoop2.security.message.signature.XMLSecAttachmentContentTransform
// NOTA: L'implementazione del Transformer tramite le classi della Sun cosi come realizzate usano metodi diversi presenti su Java 1.6 patch 26 o maggiore rispetto a Java 7.
// Java 1.7 ha modificato i metodi della classe astratta com.sun.org.apache.xml.internal.security.transforms.TransformSpi
// Il codice seguente e' stato scritto per poter effettuare i test incrociati sulle due versioni adeguando le classi utilizzate rispetto ad una variabile cablata nel codice
// definita in org.openspcoop2.security.message.soapbox.MesageSecurityContext_soapbox.USE_XMLSEC_IMPL
//
// A seconda della versione utilizzata devono inoltre essere implementate le classe di risoluzione delle signature reference
// - com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi implementata tramite org.openspcoop2.security.message.signature.SunEnvelopeIdResolver
// - org.apache.xml.security.utils.resolver.ResourceResolverSpi implementata tramite org.openspcoop2.security.message.signature.XMLSecEnvelopeIdResolver
// NOTA!!!: tutto il discorso sopra e' terminato con java 11
org.apache.xml.security.signature.XMLSignature sigXMLSec = null;
//org.apache.xml.security.signature.XMLSignature sig2 = null;
try {
sigXMLSec = new org.apache.xml.security.signature.XMLSignature(elemSignature, null);
//sig2 = new org.apache.xml.security.signature.XMLSignature(msgSecCtx.getDocument(), null, "http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2001/10/xml-exc-c14n#");
} catch (Exception e) {
throw new SecurityFailureException("No signature or error in processing signature in document", e);
}
sigXMLSec.addResourceResolver(XMLSecEnvelopeIdResolver.getInstance(this.message));
// *** 2. Extract certificate for the signature, from reference or other means ***
X509Certificate[] certs = null;
org.apache.xml.security.keys.KeyInfo keyInfo = sigXMLSec.getKeyInfo();
if (keyInfo != null && keyInfo.containsKeyValue()) {
throw new UnsupportedOperationException("Verification of signatures from PublicKeys not yet supported");
} else if (keyInfo != null) {
certs = CryptoUtil.getCertificatesFromSecurityTokenReference(secConfig, msgSecCtx,
CryptoUtil.getFirstChild(elemSignature, SBConstants.WSSE, SBConstants.SECURITY_TOKEN_REFERENCE));
} else {
throw new SecurityFailureException("No key information for signature was found");
}
this.certificates = certs;
// *** 3. Check validity of certificate used and validate signature ***
if (certs != null && certs.length != 0) {
for (int i=0; i<certs.length; i++) {
try {
certs[i].checkValidity();
} catch (Exception e) {
throw new SecurityFailureException("Certificate used for signature with DN : " +
certs[i].getSubjectDN().toString() + " is not valid", e);
}
}
try {
((SoapBoxSecurityConfig)secConfig).validateX509Certificate(certs);
} catch (Exception e) {
throw new SecurityFailureException("Certificate used for signature with DN : " +
certs[0].getSubjectDN().toString() + " or its issuer/s is/are not valid", e);
}
try {
boolean signValid = false;
signValid = sigXMLSec.checkSignatureValue(certs[0]);
if (!signValid) {
//System.out.println("TEST["+sig2.checkSignatureValue(certs[0])+"]");
throw new SecurityFailureException("Signature verification failed");
} else {
msgSecCtx.setProperty(org.adroitlogic.soapbox.api.MessageSecurityContext.USER_CERTS, certs);
}
} catch (Exception e) {
throw new SecurityFailureException("Signature verification failed", e);
}
} else {
throw new SecurityFailureException("Certificate for signature was not found");
}
if (ProcessSignedMessage.logger.isDebugEnabled()) {
ProcessSignedMessage.logger.debug("Signature verified successfully");
}
}
}