Preparing for 1.0.7.2 patch release

Signed-off-by: Indrek Jentson <indrek.jentson@cgi.com>

.gitignore

@@ -4,6 +4,7 @@ javadoc
 .idea/workspace.xml
 .idea/uiDesigner.xml
 .idea/dictionaries/xp.xml
+.idea/libraries
 *.log
 utility-package-lib
 zip-package-lib

RELEASE-NOTES.txt

@@ -1,4 +1,11 @@
 DigiDoc4J Java library release notes
+------------------------------------
+Release 1.0.7.2
+------------------
+Summary of the major changes since 1.0.7.1
+------------------------------------------
+* Prevent XXE(XML External Entity) processing (switching to sd-dss-5.0.d4j.5).
+
 ------------------------------------
 Release 1.0.7.1
 ------------------

digidoc4j.iml

@@ -60,28 +60,28 @@
     <orderEntry type="library" scope="TEST" name="Maven: org.skyscreamer:jsonassert:1.5.0" level="project" />
     <orderEntry type="library" scope="TEST" name="Maven: org.json:json:20160810" level="project" />
     <orderEntry type="library" name="Maven: log4j:log4j:1.2.17" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-common-validation-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-detailed-report-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-diagnostic-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-document:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-model:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-policy-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-reports:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-service:5.0.d4j.4" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-common-validation-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-detailed-report-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-diagnostic-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-document:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-model:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-policy-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-reports:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-service:5.0.d4j.5" level="project" />
     <orderEntry type="library" name="Maven: org.slf4j:jcl-over-slf4j:1.7.22" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-simple-report-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-spi:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-token:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-tsl-jaxb:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-tsl-validation:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-xades:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-cades:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:validation-policy:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-common:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-cades:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-xades:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils-apache-commons:5.0.d4j.4" level="project" />
-    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils-google-guava:5.0.d4j.4" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-simple-report-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-spi:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-token:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-tsl-jaxb:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-tsl-validation:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-xades:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-cades:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:validation-policy:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-common:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-cades:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-asic-xades:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils-apache-commons:5.0.d4j.5" level="project" />
+    <orderEntry type="library" name="Maven: org.digidoc4j.dss:dss-utils-google-guava:5.0.d4j.5" level="project" />
   </component>
 </module>

pom.xml

@@ -6,7 +6,7 @@
   <groupId>org.digidoc4j</groupId>
   <artifactId>digidoc4j</artifactId>
   <packaging>jar</packaging>
-  <version>1.0.7.1</version>
+  <version>1.0.7.2</version>
   <name>DigiDoc4j</name>
   <description>DigiDoc4j is a Java library for digitally signing documents and creating digital signature containers of signed documents</description>
   <url>https://github.com/open-eid/digidoc4j</url>
@@ -98,7 +98,7 @@
     <bouncycastle.version>1.54</bouncycastle.version>
     <junit.version>4.11</junit.version>
     <dss.groupId>org.digidoc4j.dss</dss.groupId>
-    <dss.version>5.0.d4j.4</dss.version>
+    <dss.version>5.0.d4j.5</dss.version>
     <dss.util.build>${project.basedir}/build/</dss.util.build>
     <dss.util.lib>${project.basedir}/utility-package-lib</dss.util.lib>
     <dss.zip.lib>${project.basedir}/zip-package-lib</dss.zip.lib>

src/org/digidoc4j/impl/bdoc/BDocSignatureBuilder.java

@@ -124,19 +124,19 @@ protected Signature invokeSigningProcess() {
     logger.info("Signing BDoc container");
     signatureParameters.setSigningCertificate(signatureToken.getCertificate());
     byte[] dataToSign = getDataToBeSigned();
+    logger.info("DataToSign: " + bytesToHex(dataToSign, hexMaxlen));
     Signature result = null;
-    byte[] signatureValue = null;
     int count = 0;
     boolean finalized = false;
     while (!finalized && count < maxTryCount) {
+      byte[] signatureValue = signatureToken.sign(signatureParameters.getDigestAlgorithm(), dataToSign);
+      if (signatureParameters.getEncryptionAlgorithm() == EncryptionAlgorithm.ECDSA
+          && isAsn1Encoded(signatureValue)) {
+        signatureValue = DSSSignatureUtils.convertToXmlDSig(eu.europa.esig.dss.EncryptionAlgorithm.ECDSA, signatureValue);
+      }
       try {
         // TODO: Investigate instability (of BouncyCastle?)
         // Sometimes sign returns value what causes error in finalizeSignature
-        signatureValue = signatureToken.sign(signatureParameters.getDigestAlgorithm(), dataToSign);
-        if (signatureParameters.getEncryptionAlgorithm() == EncryptionAlgorithm.ECDSA
-            && isAsn1Encoded(signatureValue)) {
-          signatureValue = DSSSignatureUtils.convertToXmlDSig(eu.europa.esig.dss.EncryptionAlgorithm.ECDSA, signatureValue);
-        }
         result = finalizeSignature(signatureValue);
         finalized = true;
       } catch (TechnicalException e) {

src/org/digidoc4j/signers/PKCS11SignatureToken.java

@@ -10,25 +10,18 @@
 
 package org.digidoc4j.signers;
 
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivateKey;
-import java.security.SignatureException;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
-import org.apache.commons.lang3.ArrayUtils;
 import org.digidoc4j.DigestAlgorithm;
 import org.digidoc4j.SignatureToken;
-import org.digidoc4j.exceptions.TechnicalException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import eu.europa.esig.dss.DSSUtils;
-import eu.europa.esig.dss.EncryptionAlgorithm;
+import eu.europa.esig.dss.SignatureValue;
+import eu.europa.esig.dss.ToBeSigned;
 import eu.europa.esig.dss.token.AbstractSignatureTokenConnection;
 import eu.europa.esig.dss.token.DSSPrivateKeyEntry;
-import eu.europa.esig.dss.token.KSPrivateKeyEntry;
 import eu.europa.esig.dss.token.PasswordInputCallback;
 import eu.europa.esig.dss.token.Pkcs11SignatureToken;
 
@@ -50,7 +43,6 @@ public class PKCS11SignatureToken implements SignatureToken {
   private static final Logger logger = LoggerFactory.getLogger(PKCS11SignatureToken.class);
   private AbstractSignatureTokenConnection signatureTokenConnection;
   private DSSPrivateKeyEntry privateKeyEntry;
-
   /**
    * Initializes the PKCS#11 token.
    *
@@ -104,37 +96,12 @@ public X509Certificate getCertificate() {
 
   @Override
   public byte[] sign(DigestAlgorithm digestAlgorithm, byte[] dataToSign) {
-    try {
-      logger.debug("Signing with PKCS#11 and " + digestAlgorithm.name());
-      byte[] digestToSign = DSSUtils.digest(digestAlgorithm.getDssDigestAlgorithm(), dataToSign);
-      byte[] digestWithPadding = addPadding(digestToSign, digestAlgorithm);
-      return signDigest(digestWithPadding);
-    } catch (Exception e) {
-      logger.error("Failed to sign with PKCS#11: " + e.getMessage());
-      throw new TechnicalException("Failed to sign with PKCS#11: " + e.getMessage(), e);
-    }
-  }
-
-  private byte[] signDigest(byte[] digestToSign) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException {
-    logger.debug("Signing digest");
-    DSSPrivateKeyEntry privateKeyEntry = getPrivateKeyEntry();
-    PrivateKey privateKey = ((KSPrivateKeyEntry) privateKeyEntry).getPrivateKey();
-    EncryptionAlgorithm encryptionAlgorithm = privateKeyEntry.getEncryptionAlgorithm();
-    String signatureAlgorithm = "NONEwith" + encryptionAlgorithm.getName();
-    return invokeSigning(digestToSign, privateKey, signatureAlgorithm);
-  }
-
-  private byte[] invokeSigning(byte[] digestToSign, PrivateKey privateKey, String signatureAlgorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-    logger.debug("Signing with signature algorithm " + signatureAlgorithm);
-    java.security.Signature signer = java.security.Signature.getInstance(signatureAlgorithm);
-    signer.initSign(privateKey);
-    signer.update(digestToSign);
-    byte[] signatureValue = signer.sign();
-    return signatureValue;
-  }
-
-  private static byte[] addPadding(byte[] digest, DigestAlgorithm digestAlgorithm) {
-    return ArrayUtils.addAll(digestAlgorithm.digestInfoPrefix(), digest); // should find the prefix by checking digest length?
+    logger.info("Signing with PKCS#11 signature token, using digest algorithm: " + digestAlgorithm.name());
+    ToBeSigned toBeSigned = new ToBeSigned(dataToSign);
+    eu.europa.esig.dss.DigestAlgorithm dssDigestAlgorithm = eu.europa.esig.dss.DigestAlgorithm.forXML(digestAlgorithm.toString());
+    getPrivateKeyEntry();
+    SignatureValue signature = signatureTokenConnection.sign(toBeSigned, dssDigestAlgorithm, privateKeyEntry);
+    return signature.getValue();
   }
 
   private DSSPrivateKeyEntry getPrivateKeyEntry() {

test/org/digidoc4j/SignatureBuilderTest.java

@@ -40,6 +40,7 @@
 import org.digidoc4j.testutils.TestSigningHelper;
 import org.digidoc4j.utils.TokenAlgorithmSupport;
 import org.junit.After;
+import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TemporaryFolder;
@@ -52,6 +53,7 @@ public class SignatureBuilderTest extends DigiDoc4JTestHelper {
   @Rule
   public TemporaryFolder testFolder = new TemporaryFolder();
   private final PKCS12SignatureToken testSignatureToken = new PKCS12SignatureToken("testFiles/p12/signout.p12", "test".toCharArray());
+  private final PKCS12SignatureToken PKCS12_SIGNER_ECC = new PKCS12SignatureToken("testFiles/p12/ec-digiid.p12", "inno".toCharArray());
 
   @After
   public void tearDown() throws Exception {
@@ -105,6 +107,25 @@ public void buildingDataToSign_shouldContainSignatureParameters() throws Excepti
     assertTrue(bytesToSign.length > 1);
   }
 
+  @Ignore // Fix is coming with next release
+  @Test
+  public void signDocumentExternally() throws Exception {
+    Container container = TestDataBuilder.createContainerWithFile(testFolder);
+    DataToSign dataToSign = SignatureBuilder.
+        aSignature(container).
+        withSigningCertificate(testSignatureToken.getCertificate()).
+        withSignatureDigestAlgorithm(DigestAlgorithm.SHA256).
+        buildDataToSign();
+    // This simulates external sign
+    byte[] signatureValue = testSignatureToken.sign(dataToSign.getDigestAlgorithm(), dataToSign.getDigestToSign());
+    assertNotNull(signatureValue);
+    assertTrue(signatureValue.length > 1);
+    Signature signature = dataToSign.finalize(signatureValue);
+    assertTrue(signature.validateSignature().isValid());
+    container.addSignature(signature);
+    assertTrue(container.validate().isValid());
+  }
+
   @Test
   public void signDocumentExternallyTwice() throws Exception {
     Container container = TestDataBuilder.createContainerWithFile(testFolder);