Skip to content

Commit

Permalink
#83689768 validate signature timestamp against TSL, changed dss jars,…
Browse files Browse the repository at this point in the history 
… changed tests that broke due to changes made in dss fork in order to catch timestamp errors, changed constraint.xml
  • Loading branch information
allan.juhanson committed Nov 5, 2015
1 parent 94d4e8b commit 3a48701
Show file tree
Hide file tree
Showing 19 changed files with 110 additions and 37 deletions.
2 changes: 0 additions & 2 deletions conf/constraint.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -129,8 +129,6 @@
<RightOrder Level="FAIL"/>
<SigningCertificate>
<Recognition Level="FAIL"/>
<DigestValueMatch Level="FAIL">true</DigestValueMatch>
<IssuerSerialMatch Level="FAIL">true</IssuerSerialMatch>
<Signature Level="FAIL"/>
<Expiration Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
Expand Down
2 changes: 0 additions & 2 deletions conf/test_constraint.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -129,8 +129,6 @@
<RightOrder Level="FAIL"/>
<SigningCertificate>
<Recognition Level="FAIL"/>
<DigestValueMatch Level="FAIL">true</DigestValueMatch>
<IssuerSerialMatch Level="FAIL">true</IssuerSerialMatch>
<Signature Level="FAIL"/>
<Expiration Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
Expand Down
2 changes: 0 additions & 2 deletions conf/test_constraint_SigningTimeCreationTimeDeltaIs27H.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -127,8 +127,6 @@
<RightOrder Level="FAIL"/>
<SigningCertificate>
<Recognition Level="FAIL"/>
<DigestValueMatch Level="FAIL">true</DigestValueMatch>
<IssuerSerialMatch Level="FAIL">true</IssuerSerialMatch>
<Signature Level="FAIL"/>
<Expiration Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
Expand Down
Binary file renamed lib/dss-common-4.4.RC2.jar → lib/dss-common-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
Binary file renamed lib/dss-diagnostic-jaxb-4.4.RC2.jar → lib/dss-diagnostic-jaxb-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
Binary file renamed lib/dss-document-4.4.RC2.jar → lib/dss-document-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
Binary file renamed lib/dss-service-4.4.RC2.jar → lib/dss-service-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
Binary file renamed lib/dss-spi-4.4.RC2.jar → lib/dss-spi-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
Binary file renamed lib/dss-tsl-jaxb-4.4.RC2.jar → lib/dss-tsl-jaxb-4.4.RC2.d4j.1.jar
View file
Binary file not shown.
2 changes: 0 additions & 2 deletions src/org/digidoc4j/Configuration.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -159,8 +159,6 @@ private void initDefaultValues() {

if (mode == Mode.TEST) {
configuration.put("tspSource", "http://demo.sk.ee/tsa");
configuration.put("tspSource", "http://tsa.sk.ee");
configuration.put("tslLocation", "http://10.0.25.57/tsl/trusted-test-mp.xml");
configuration.put("tslLocation", "file:test-tsl/trusted-test-mp.xml");
configuration.put("validationPolicy", "conf/test_constraint.xml");
configuration.put("ocspSource", TEST_OCSP_URL);
Expand Down
15 changes: 14 additions & 1 deletion src/org/digidoc4j/impl/bdoc/XadesSignatureValidator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@

package org.digidoc4j.impl.bdoc;

import static org.apache.commons.lang.StringUtils.containsOnly;
import static org.apache.commons.lang.StringUtils.isBlank;

import java.util.ArrayList;
Expand Down Expand Up @@ -42,7 +43,9 @@
import eu.europa.ec.markt.dss.validation102853.report.DiagnosticData;
import eu.europa.ec.markt.dss.validation102853.report.Reports;
import eu.europa.ec.markt.dss.validation102853.report.SimpleReport;
import eu.europa.ec.markt.dss.validation102853.rules.Indication;
import eu.europa.ec.markt.dss.validation102853.rules.MessageTag;
import eu.europa.ec.markt.dss.validation102853.rules.SubIndication;
import eu.europa.ec.markt.dss.validation102853.xades.XAdESSignature;
import eu.europa.ec.markt.dss.validation102853.xades.XPathQueryHolder;

Expand Down Expand Up @@ -158,7 +161,17 @@ private boolean isTimestampValidForSignature(String signatureId) {
return true;
}
String timestampId = timestampIdList.get(0);
return diagnosticData.isTimestampMessageImprintIntact(timestampId);
return diagnosticData.isTimestampMessageImprintIntact(timestampId) && !isIndeterminateTimestamp(signatureId);
}

private boolean isIndeterminateTimestamp(String signatureId) {
SimpleReport simpleReport = getSimpleReport(signatureId);
String indication = simpleReport.getIndication(signatureId);
String subIndication = simpleReport.getSubIndication(signatureId);
if (Indication.INDETERMINATE.equals(indication)) {
return SubIndication.NO_VALID_TIMESTAMP.equals(subIndication);
}
return false;
}

private Map<String, SimpleReport> extractSimpleReports(Reports report) {
Expand Down
2 changes: 1 addition & 1 deletion test/org/digidoc4j/ConfigurationTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ public void addedTSLIsValid() throws IOException, CertificateException {
addFromFileToTSLCertificate("testFiles/EE_Certification_Centre_Root_CA.pem.crt");
addFromFileToTSLCertificate("testFiles/ESTEID-SK_2011.pem.crt");
addFromFileToTSLCertificate("testFiles/SK_OCSP_RESPONDER_2011.pem.cer");

addFromFileToTSLCertificate("testFiles/SK_TSA.pem.crt");
AsicFacade container = new AsicFacade("testFiles/test.asice", configuration);
ValidationResult verify = container.verify();
assertTrue(verify.isValid());
Expand Down
47 changes: 25 additions & 22 deletions test/org/digidoc4j/SignatureTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,27 @@

package org.digidoc4j;

import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
import static org.digidoc4j.Container.DocumentType.BDOC;
import static org.digidoc4j.Container.DocumentType.DDOC;
import static org.digidoc4j.ContainerBuilder.BDOC_CONTAINER_TYPE;
import static org.digidoc4j.ContainerBuilder.DDOC_CONTAINER_TYPE;
import static org.digidoc4j.utils.DateUtils.isAlmostNow;
import static org.digidoc4j.utils.Helper.deleteFile;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;

import java.io.IOException;
import java.net.URI;
import java.security.cert.CertificateEncodingException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.Locale;

import org.apache.commons.codec.binary.Base64;
import org.digidoc4j.exceptions.CertificateNotFoundException;
import org.digidoc4j.exceptions.DigiDoc4JException;
Expand All @@ -20,34 +41,14 @@
import org.digidoc4j.impl.DigiDoc4JTestHelper;
import org.digidoc4j.impl.ddoc.DDocOpener;
import org.digidoc4j.signers.PKCS12SignatureToken;
import org.digidoc4j.testutils.TSLHelper;
import org.digidoc4j.testutils.TestDataBuilder;
import org.digidoc4j.utils.Helper;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

import java.io.IOException;
import java.net.URI;
import java.security.cert.CertificateEncodingException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;
import java.util.Locale;

import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
import static org.digidoc4j.Container.DocumentType.BDOC;
import static org.digidoc4j.Container.DocumentType.DDOC;
import static org.digidoc4j.ContainerBuilder.BDOC_CONTAINER_TYPE;
import static org.digidoc4j.ContainerBuilder.DDOC_CONTAINER_TYPE;
import static org.digidoc4j.utils.DateUtils.isAlmostNow;
import static org.digidoc4j.utils.Helper.deleteFile;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertNotNull;

public class SignatureTest extends DigiDoc4JTestHelper {

private PKCS12SignatureToken PKCS12_SIGNER;
Expand Down Expand Up @@ -196,7 +197,9 @@ public void testValidationNoParametersForDDoc() {

@Test
public void testValidationForBDocDefaultValidation() throws Exception {
Container container = ContainerOpener.open("testFiles/two_signatures.bdoc");
Configuration configuration = new Configuration(Configuration.Mode.TEST);
TSLHelper.addSK_TSACertificateToTSL(configuration);
Container container = ContainerOpener.open("testFiles/two_signatures.bdoc", configuration);
Signature signature = container.getSignatures().get(0);
assertEquals(0, signature.validate().size());
signature = container.getSignatures().get(1);
Expand Down
14 changes: 13 additions & 1 deletion test/org/digidoc4j/ValidationTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,20 @@

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import java.util.ArrayList;
import java.util.List;

import org.digidoc4j.exceptions.ContainerWithoutSignaturesException;
import org.digidoc4j.exceptions.DigiDoc4JException;
import org.digidoc4j.exceptions.InvalidTimestampException;
import org.digidoc4j.exceptions.TimestampAfterOCSPResponseTimeException;
import org.digidoc4j.impl.DigiDoc4JTestHelper;
import org.junit.Test;

import ch.qos.logback.classic.pattern.LineSeparatorConverter;

public class ValidationTests extends DigiDoc4JTestHelper {

@Test
Expand All @@ -38,7 +45,12 @@ public void asicContainerWithoutSignatures_isNotValid() throws Exception {
public void asicOcspTimeShouldBeAfterTimestamp() throws Exception {
ValidationResult result = validateContainer("testFiles/TS-08_23634_TS_OCSP_before_TS.asice");
assertFalse(result.isValid());
assertEquals(TimestampAfterOCSPResponseTimeException.MESSAGE,result.getErrors().get(0).getMessage());
assertTrue(result.getErrors().size() >= 1);
List<String> errorMessages = new ArrayList<>();

This comment has been minimized.

Sign in to view

Copy link
@rvillido

rvillido Nov 6, 2015

Contributor

I would extract that to a separate reusable method. Looks like it's something that could be used elsewhere as well and would keep the method lentht shorter
for (DigiDoc4JException error : result.getErrors()) {
errorMessages.add(error.getMessage());
}
assertTrue(errorMessages.contains(TimestampAfterOCSPResponseTimeException.MESSAGE));
}

private ValidationResult validateContainer(String containerPath) {
Expand Down
16 changes: 15 additions & 1 deletion test/org/digidoc4j/impl/bdoc/AsicContainerValidatorTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,11 @@
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;

import org.digidoc4j.Configuration;
import org.digidoc4j.exceptions.ContainerWithoutSignaturesException;
import org.digidoc4j.exceptions.InvalidTimestampException;
import org.digidoc4j.testutils.TestDataBuilder;
import org.junit.Test;

Expand Down Expand Up @@ -57,9 +59,21 @@ public void validateInvalidContainer() throws Exception {
assertFalse(result.isValid());
}

@Test
public void validateTimestampWithUnknownTSAShouldBeInvalid() throws Exception {
AsicContainerValidator validator = createAsicContainerValidator("testFiles/TS-05_23634_TS_unknown_TSA.asice");
AsicContainerValidationResult result = validator.validate();
assertFalse(result.isValid());
assertEquals(result.getbDocValidationResult().getErrors().get(0).getMessage(), InvalidTimestampException.MESSAGE);
}

private AsicContainerValidator createAsicContainerValidator(String containerPath) {
DSSDocument container = TestDataBuilder.createAsicContainer(containerPath);
Configuration configuration = new Configuration(Configuration.Mode.TEST);
return createAsicContainerValidator(containerPath, configuration);
}

private AsicContainerValidator createAsicContainerValidator(String containerPath, Configuration configuration) {
DSSDocument container = TestDataBuilder.createAsicContainer(containerPath);
SKCommonCertificateVerifier commonCertificateVerifier = new SKCommonCertificateVerifier();
commonCertificateVerifier.setCrlSource(null);
commonCertificateVerifier.setOcspSource(null);
Expand Down
10 changes: 7 additions & 3 deletions test/org/digidoc4j/impl/bdoc/AsicFacadeTest.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import org.digidoc4j.impl.Signatures;
import org.digidoc4j.signers.ExternalSigner;
import org.digidoc4j.signers.PKCS12SignatureToken;
import org.digidoc4j.testutils.TSLHelper;
import org.digidoc4j.utils.Helper;
import org.junit.AfterClass;
import org.junit.Before;
Expand All @@ -36,6 +37,7 @@
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
Expand Down Expand Up @@ -685,7 +687,7 @@ public void TSLIsLoadedAfterSettingNewTSLLocation() {

configuration.setTslLocation("http://10.0.25.57/tsl/trusted-test-mp.xml");
container = new AsicFacade(configuration);
assertNotEquals(6, container.configuration.getTSL().getCertificates().size());
assertNotEquals(5, container.configuration.getTSL().getCertificates().size());
}

@Test (expected = DigiDoc4JException.class)
Expand Down Expand Up @@ -1392,8 +1394,10 @@ public void signatureFileContainsIncorrectFileName() {

@SuppressWarnings("ThrowableResultOfMethodCallIgnored")
@Test
public void secondSignatureFileContainsIncorrectFileName() {
Container container = ContainerOpener.open("testFiles/filename_mismatch_second_signature.asice");
public void secondSignatureFileContainsIncorrectFileName() throws IOException, CertificateException {
Configuration configuration = new Configuration(Configuration.Mode.TEST);
TSLHelper.addSK_TSACertificateToTSL(configuration);
Container container = ContainerOpener.open("testFiles/filename_mismatch_second_signature.asice", configuration);
ValidationResult validate = container.validate();
List<DigiDoc4JException> errors = validate.getErrors();
assertEquals(3, errors.size());
Expand Down
32 changes: 32 additions & 0 deletions test/org/digidoc4j/testutils/TSLHelper.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
package org.digidoc4j.testutils;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.digidoc4j.Configuration;

import eu.europa.ec.markt.dss.DSSUtils;

public class TSLHelper {

/**
* This might be needed to validate already created containers that use test certificates but are timestamped by live TSA
* @param configuration the configuration to add the certificate.
* @return the same configuration with certificate added to TSL
* @throws IOException
* @throws CertificateException
*/
public static Configuration addSK_TSACertificateToTSL(Configuration configuration) throws IOException, CertificateException {

This comment has been minimized.

Sign in to view

Copy link
@rvillido

rvillido Nov 6, 2015

Contributor

Not sure if using underscore in a method name is a good idea. Perhaps addSkTsaCertificateToTsl would be a better one.
I have used underscore in longer unit test names, for example doingThis_withTheseConditions_shouldResultInThat, but I think regular method names should be in Camel Case.
return addCertificateFromFileToTSL(configuration, "testFiles/SK_TSA.pem.crt");
}

public static Configuration addCertificateFromFileToTSL(Configuration configuration, String fileName) throws IOException, CertificateException {
FileInputStream fileInputStream = new FileInputStream(fileName);
X509Certificate certificate = DSSUtils.loadCertificate(fileInputStream).getCertificate();
configuration.getTSL().addTSLCertificate(certificate);
fileInputStream.close();
return configuration;
}
}
3 changes: 3 additions & 0 deletions testFiles/SK_TSA.pem.crt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIQJK/s6xJo0AJUF/eG7W8BWTANBgkqhkiG9w0BAQsFADB1MQswCQYDVQQGEwJFRTEiMCAGA1UECgwZQVMgU2VydGlmaXRzZWVyaW1pc2tlc2t1czEoMCYGA1UEAwwfRUUgQ2VydGlmaWNhdGlvbiBDZW50cmUgUm9vdCBDQTEYMBYGCSqGSIb3DQEJARYJcGtpQHNrLmVlMB4XDTE0MDkxNjA4NDAzOFoXDTE5MDkxNjA4NDAzOFowYzELMAkGA1UEBhMCRUUxIjAgBgNVBAoMGUFTIFNlcnRpZml0c2VlcmltaXNrZXNrdXMxDDAKBgNVBAsMA1RTQTEiMCAGA1UEAwwZU0sgVElNRVNUQU1QSU5HIEFVVEhPUklUWTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJPa/dQKemSKCNSwlMUp9YKQY6zQOfs9vgUnbzTRHCRBRdsabZYknxTI4DqQ5+JPqw8MTkDvb6nfDZGd15t4oY4tHXXoCfRrbMjJ9+DV+M7bd+vrBI8vi7DBCM59/VAjxBAuZ9P7Tsg8o8BrVqqB9c0ezlSCtFg8X0x2ET3ZBtZ49UARh/XP07I7eRk/DtSLYauxJDPzXVEZmSJCIybclox93u8F5/o8GySbD5GYMhffOJgXmul/Vz7eR0d5SxCMvJIRrP7WfiJYaUjLYqL2wjFQe/nUltcGCn2KtqGCyH7vl+Xzefea6Xjc8ebTgan2FJ0UH0mHv98lWADKuTI2fXcCAwEAAaOBqjCBpzAOBgNVHQ8BAf8EBAMCBsAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwHQYDVR0OBBYEFLGwvffmoGkWbCDlUftc9DBic1cnMB8GA1UdIwQYMBaAFBLyWj7qVhy/zQas8fElyalL1BSZMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly93d3cuc2suZWUvcmVwb3NpdG9yeS9jcmxzL2VlY2NyY2EuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCopcU932wVPD6eed+sDBht4zt+kMPPFXv1pIX0RgbizaKvHWU4oHpRH8zcgo/gpotRLlLhZbHtu94pLFN6enpiyHNwevkmUyvrBWylONR1Yhwb4dLS8pBGGFR6eRdhGzoKAUF4B4dIoXOj4p26q1yYULF5ZkZHxhQFNi5uxak9tgCFlGtzXumjL5jBmtWeDTGE4YSa34pzDXjz8VAjPJ9sVuOmK2E0gyWxUTLXF9YevrWzRLzVFqw+qewBV2I4of/6miZOOT2wlA/meL7zr3hnfo7KSJQmMNUjZ6lh6RBIVvYI0t+A/fpTKiZfviz/Xn2e4PC6i57wmH5EgOOav0UK
-----END CERTIFICATE-----
Binary file added testFiles/TS-05_23634_TS_unknown_TSA.asice
View file
Binary file not shown.

0 comments on commit 3a48701

Please sign in to comment.