Update project to latest tag verifica-firma-eidas-1.25.0

CHANGELOG.md

@@ -1,4 +1,9 @@
 
+## 1.25.0 (29-01-2025)
+
+### Novità: 1
+- [#34663](https://parermine.regione.emilia-romagna.it/issues/34663) Aggiornamento libreria DSS 6.1
+
 ## 1.24.0 (12-12-2024)
 
 ### Novità: 1

CONTAINER-SCAN-REPORT.md

@@ -1,7 +1,7 @@
 ## Container scan evidence CVE
 <strong>Image name:</strong> registry.ente.regione.emr.it/parer/okd/verifica-firma-eidas:sast
-<br/><strong>Run date:</strong> Thu Dec 12 15:01:11 CET 2024
-<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/442389">Job</a>
+<br/><strong>Run date:</strong> Wed Jan 29 14:00:12 CET 2025
+<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/491037">Job</a>
 <br/><strong>CVE founded:</strong> 0
 | CVE | Description | Severity | Solution | 
 |:---:|:---|:---:|:---|

README.md

@@ -9,7 +9,7 @@ Fonte template redazione documento:  https://www.makeareadme.com/.
 # Descrizione
 
 Microservizio realizzato per effettuare verifica e validazione di documenti con firma digitale. <br/>
-Realizzato attraverso framework [Spring Boot](https://spring.io/projects/spring-boot) (versione 3.x) e [OpenJDK 17](https://openjdk.org/projects/jdk/17/), utilizza la versione <b>6.0</b> del progetto [DSS](https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/Digital+Signature+Service+-++DSS).
+Realizzato attraverso framework [Spring Boot](https://spring.io/projects/spring-boot) (versione 3.x) e [OpenJDK 17](https://openjdk.org/projects/jdk/17/), utilizza la versione <b>6.1</b> del progetto [DSS](https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/Digital+Signature+Service+-++DSS).
 
 # Installazione
 

RELEASE-NOTES.md

@@ -1,4 +1,4 @@
-## 1.24.0 (12-12-2024)
+## 1.25.0 (29-01-2025)
 
 ### Novità: 1
-- [#34662](https://parermine.regione.emilia-romagna.it/issues/34662) Aggiornamento libreria DSS 6.0
+- [#34663](https://parermine.regione.emilia-romagna.it/issues/34663) Aggiornamento libreria DSS 6.1

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>verifica-firma-eidas</artifactId>
-	<version>1.24.1-SNAPSHOT</version>
+	<version>1.25.0</version>
 	<packaging>${packaging.type}</packaging>
 	<name>Verifica Firma EIDAS</name>
 	<description>Progetto per effettuare firme e validazioni con librerie DSS (EIDAS)</description>
@@ -21,12 +21,13 @@
 		<!-- Applied for jdk11 bug -->
 		<detectJavaApiLink>false</detectJavaApiLink>
         <!-- third party libs -->		
-		<dss.version>6.0</dss.version>
-		<springboot.version>3.3.5</springboot.version>
-		<springdoc-openapi-starter-webmvc-ui.version>2.6.0</springdoc-openapi-starter-webmvc-ui.version>		
-		<logstash-logback-encoder.version>7.2</logstash-logback-encoder.version>
+		<dss.version>6.1</dss.version>
+		<springboot.version>3.4.1</springboot.version>
+		<springdoc-openapi-starter-webmvc-ui.version>2.7.0</springdoc-openapi-starter-webmvc-ui.version>		
+		<logstash-logback-encoder.version>8.0</logstash-logback-encoder.version>
 		<tika.version>3.0.0</tika.version>
 		<httpcore5.version>5.3.1</httpcore5.version>
+		<httpclient5.version>5.4.1</httpclient5.version>
 		<jaxb-api.version>2.3.1</jaxb-api.version>
 		<bootstrap.version>4.6.2</bootstrap.version>
 		<popper.js.version>1.16.1</popper.js.version>
@@ -36,9 +37,10 @@
 		<highlightjs-badgejs.version>0.0.5</highlightjs-badgejs.version>
 		<font-awesome.version>6.5.2</font-awesome.version>
 		<fop.version>2.9</fop.version>
-		<commons-io.version>2.17.0</commons-io.version>
+		<commons-io.version>2.18.0</commons-io.version>
+		<org-json.version>20240303</org-json.version>
 		<!-- custom libs -->
-		<verificafirma-eidas-beans.version>1.11.0</verificafirma-eidas-beans.version>
+		<verificafirma-eidas-beans.version>1.12.0</verificafirma-eidas-beans.version>
 		<start-class>it.eng.parer.eidas.web.VerificaFirmaEidasApplication</start-class>	
 	</properties>
 
@@ -119,6 +121,11 @@
 			    <artifactId>httpcore5</artifactId>
 			    <version>${httpcore5.version}</version>
 			</dependency>
+			<dependency>
+			    <groupId>org.apache.httpcomponents.client5</groupId>
+			    <artifactId>httpclient5</artifactId>
+			    <version>${httpclient5.version}</version>
+			</dependency>
 			<!-- commons -->
 			<dependency>
 				<groupId>commons-io</groupId>
@@ -355,6 +362,11 @@
 			<version>3.0.1</version>
 			<scope>provided</scope>
 		</dependency>
+		<dependency>
+		    <groupId>org.json</groupId>
+		    <artifactId>json</artifactId>
+		    <version>${org-json.version}</version>
+		</dependency>		
 		<!-- Webjars -->
 		<dependency>
 			<groupId>org.webjars</groupId>

src/main/docker/Dockerfile

@@ -77,7 +77,7 @@
 #   accessed directly. (example: "foo.example.com,bar.example.com")
 #
 ###
-FROM registry.access.redhat.com/ubi8/openjdk-21:1.20
+FROM registry.access.redhat.com/ubi8/openjdk-21:1.21
 
 LABEL io.k8s.description="Microservizio verifica firma EIDAS (basato su immagine ubi RedHat)" \
       io.k8s.display-name="Verifica firma EIDAS" \

src/main/java/it/eng/parer/eidas/core/bean/CommonsDataHttpClient.java

@@ -47,13 +47,13 @@
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
 import org.apache.hc.client5.http.protocol.HttpClientContext;
+import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
 import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.io.HttpClientResponseHandler;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.ssl.TrustStrategy;
 import org.apache.hc.core5.util.TimeValue;
@@ -770,7 +770,8 @@ protected void closeQuietly(HttpUriRequestBase httpRequest, CloseableHttpClient
 
     private HttpClientConnectionManager getConnectionManager() {
         final PoolingHttpClientConnectionManagerBuilder builder = PoolingHttpClientConnectionManagerBuilder.create()
-                .setSSLSocketFactory(getConnectionSocketFactoryHttps()).setDefaultSocketConfig(getSocketConfig())
+        	.setTlsSocketStrategy(getClientTlsStrategy())
+        	.setDefaultSocketConfig(getSocketConfig())
                 .setMaxConnTotal(getConnectionsMaxTotal()).setMaxConnPerRoute(getConnectionsMaxPerRoute());
 
         final ConnectionConfig.Builder connectionConfigBuilder = ConnectionConfig.custom()
@@ -792,7 +793,7 @@ private SocketConfig getSocketConfig() {
         return socketConfigBuilder.build();
     }
 
-    private SSLConnectionSocketFactory getConnectionSocketFactoryHttps() {
+    private DefaultClientTlsStrategy getClientTlsStrategy() {
         try {
             SSLContextBuilder sslContextBuilder = SSLContextBuilder.create();
             sslContextBuilder.setProtocol(sslProtocol);
@@ -819,11 +820,10 @@ private SSLConnectionSocketFactory getConnectionSocketFactoryHttps() {
                 }
             }
 
-            SSLConnectionSocketFactoryBuilder sslConnectionSocketFactoryBuilder = new SSLConnectionSocketFactoryBuilder();
-            return sslConnectionSocketFactoryBuilder.setSslContext(sslContextBuilder.build())
-                    .setTlsVersions(getSupportedSSLProtocols()).setCiphers(getSupportedSSLCipherSuites())
-                    .setHostnameVerifier(getHostnameVerifier()).build();
-
+	    DefaultClientTlsStrategy defaultClientTlsStrategy = new DefaultClientTlsStrategy(sslContextBuilder.build(),
+		    getSupportedSSLProtocols(), getSupportedSSLCipherSuites(), SSLBufferMode.STATIC,
+		    getHostnameVerifier());
+	    return defaultClientTlsStrategy;           
         } catch (final Exception e) {
             throw new IllegalArgumentException("Unable to configure the SSLContext/SSLConnectionSocketFactory", e);
         }

src/main/java/it/eng/parer/eidas/core/service/CustomRemoteDocumentValidationImpl.java

@@ -53,9 +53,9 @@
 import eu.europa.esig.dss.policy.ValidationPolicyFacade;
 import eu.europa.esig.dss.policy.jaxb.Level;
 import eu.europa.esig.dss.policy.jaxb.LevelConstraint;
+import eu.europa.esig.dss.spi.signature.AdvancedSignature;
+import eu.europa.esig.dss.spi.validation.CertificateVerifier;
 import eu.europa.esig.dss.utils.Utils;
-import eu.europa.esig.dss.validation.AdvancedSignature;
-import eu.europa.esig.dss.validation.CertificateVerifier;
 import eu.europa.esig.dss.validation.SignedDocumentValidator;
 import eu.europa.esig.dss.validation.reports.Reports;
 import eu.europa.esig.dss.ws.validation.dto.WSReportsDTO;

src/main/java/it/eng/parer/eidas/core/service/ICustomRemoteDocumentValidation.java

@@ -22,7 +22,7 @@
 
 import org.springframework.core.io.Resource;
 
-import eu.europa.esig.dss.validation.CertificateVerifier;
+import eu.europa.esig.dss.spi.validation.CertificateVerifier;
 import it.eng.parer.eidas.model.EidasDataToValidateMetadata;
 import it.eng.parer.eidas.model.EidasWSReportsDTOTree;
 import jakarta.servlet.http.HttpServletRequest;

src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java

@@ -60,6 +60,9 @@
 import eu.europa.esig.dss.spi.client.http.IgnoreDataLoader;
 import eu.europa.esig.dss.spi.client.jdbc.JdbcCacheConnector;
 import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
+import eu.europa.esig.dss.spi.validation.CRLFirstRevocationDataLoadingStrategyFactory;
+import eu.europa.esig.dss.spi.validation.CertificateVerifier;
+import eu.europa.esig.dss.spi.validation.CommonCertificateVerifier;
 import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
 import eu.europa.esig.dss.spi.x509.aia.AIASource;
 import eu.europa.esig.dss.spi.x509.aia.DefaultAIASource;
@@ -70,9 +73,6 @@
 import eu.europa.esig.dss.tsl.function.OfficialJournalSchemeInformationURI;
 import eu.europa.esig.dss.tsl.job.TLValidationJob;
 import eu.europa.esig.dss.tsl.source.LOTLSource;
-import eu.europa.esig.dss.validation.CRLFirstRevocationDataLoadingStrategyFactory;
-import eu.europa.esig.dss.validation.CertificateVerifier;
-import eu.europa.esig.dss.validation.CommonCertificateVerifier;
 import eu.europa.esig.dss.ws.signature.common.RemoteDocumentSignatureServiceImpl;
 import eu.europa.esig.dss.ws.signature.common.RemoteMultipleDocumentsSignatureServiceImpl;
 import eu.europa.esig.dss.ws.signature.common.RemoteTrustedListSignatureServiceImpl;

src/main/openshift/verifica-firma-eidas-template.yml

@@ -6,11 +6,11 @@ labels:
 metadata:
   annotations:
     description: |-
-      Template microservizio verifica firma EIDAS JDK17 OracleDB (vedere https://gitlab.ente.regione.emr.it/parer/okd/verificafirma-eidas.git)
+      Template microservizio verifica firma eIDAS (https://gitlab.ente.regione.emr.it/parer/okd/verificafirma-eidas.git)
     iconClass: icon-spring
     openshift.io/display-name: Microservice EIDAS 
     openshift.io/documentation-url: https://gitlab.ente.regione.emr.it/parer/okd/verificafirma-eidas
-    openshift.io/long-description: Il template fornisce la creazione del microservizio EIDAS (effimero DB H2 su disco)
+    openshift.io/long-description: Il template fornisce la creazione del microservizio verifica firma eIDAS
     openshift.io/provider-display-name: Parer (Regione Emilia Romagna)
     openshift.io/support-url: https://gitlab.ente.regione.emr.it/parer
     tags: springboot,eidas
@@ -298,8 +298,6 @@ objects:
             limits:
               cpu: 800m
               memory: 2500Mi
-          securityContext:
-            privileged: false
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           volumeMounts:
@@ -312,10 +310,7 @@ objects:
         restartPolicy: Always
         schedulerName: default-scheduler
         securityContext: {}
-        terminationGracePeriodSeconds: 30
-        securityContext:
-          runAsUser: 1000660000
-          fsGroup: 1000660000        
+        terminationGracePeriodSeconds: 30      
         volumes:
         - configMap:
             defaultMode: 420

src/main/resources/application.yaml

@@ -51,7 +51,7 @@ management:
       exposure:
         include: "info, health, jolokia, threaddump, scheduledtasks, prometheus"
 
-# DSS (sostituito rispetto dss.properties)
+# DSS (sostituito dss.properties)
 dss: 
  server:
   signing:
@@ -60,6 +60,7 @@ dss:
       filename: classpath:user_a_rsa.p12
       password: password
 
+# EU LOTL config
 oj:
   content:
     keystore:

src/main/resources/policy/README.md

@@ -1,6 +1,6 @@
 # Custom constraint policy rules
 
-Il file [custom_constraint.xml](custom_constraint.xml) è ricavato dal file [constraint.xml](https://github.com/esig/dss/blob/6.0/dss-policy-jaxb/src/main/resources/policy/constraint.xml) alla versione **6.0** delle librerie DSS.
+Il file [custom_constraint.xml](custom_constraint.xml) è ricavato dal file [constraint.xml](https://github.com/esig/dss/blob/6.1/dss-policy-jaxb/src/main/resources/policy/constraint.xml) alla versione **6.1** delle librerie DSS.
 
 ## Nota bene
 

src/main/resources/policy/custom_constraint.xml

@@ -45,7 +45,11 @@
 		<BasicSignatureConstraints>
 			<ReferenceDataExistence Level="FAIL" />
 			<ReferenceDataIntact Level="FAIL" />
+			<ReferenceDataNameMatch Level="WARN" />
 			<ManifestEntryObjectExistence Level="WARN" />
+			<ManifestEntryObjectGroup Level="WARN" />
+			<ManifestEntryObjectIntact Level="FAIL" />
+			<ManifestEntryNameMatch Level="WARN" />
 			<SignatureIntact Level="FAIL" />
 			<SignatureDuplicated Level="FAIL" />
 			<ProspectiveCertificateChain Level="FAIL" />
@@ -75,6 +79,11 @@
 				<Signature Level="FAIL" />
 				<NotExpired Level="FAIL" />
 				<AuthorityInfoAccessPresent Level="WARN" />
+				<RevocationDataSkip Level="INFORM">
+					<CertificateExtensions>
+						<Id>0.4.0.194121.2.1</Id> <!-- valassured-ST-certs -->
+					</CertificateExtensions>
+				</RevocationDataSkip>
 				<RevocationInfoAccessPresent Level="WARN" />
 				<RevocationDataAvailable Level="FAIL" />
 				<AcceptableRevocationDataFound Level="FAIL" />
@@ -183,6 +192,11 @@
 		<BasicSignatureConstraints>
 			<ReferenceDataExistence Level="FAIL" />
 			<ReferenceDataIntact Level="FAIL" />
+			<ReferenceDataNameMatch Level="WARN" />
+			<ManifestEntryObjectExistence Level="WARN" />
+			<ManifestEntryObjectGroup Level="WARN" />
+			<ManifestEntryObjectIntact Level="FAIL" />
+			<ManifestEntryNameMatch Level="WARN" />
 			<SignatureIntact Level="FAIL" />
 			<SignatureDuplicated Level="FAIL" />
 			<ProspectiveCertificateChain Level="FAIL" />
@@ -201,6 +215,11 @@
 				<Signature Level="FAIL" />
 				<NotExpired Level="FAIL" />
 				<AuthorityInfoAccessPresent Level="WARN" />
+				<RevocationDataSkip Level="INFORM">
+					<CertificateExtensions>
+						<Id>0.4.0.194121.2.1</Id> <!-- valassured-ST-certs -->
+					</CertificateExtensions>
+				</RevocationDataSkip>
 				<RevocationInfoAccessPresent Level="WARN" />
 				<RevocationDataAvailable Level="FAIL" />
 				<AcceptableRevocationDataFound Level="FAIL" />
@@ -308,6 +327,11 @@
 		<BasicSignatureConstraints>
 			<ReferenceDataExistence Level="FAIL" />
 			<ReferenceDataIntact Level="FAIL" />
+			<ReferenceDataNameMatch Level="WARN" />
+			<ManifestEntryObjectExistence Level="WARN" />
+			<ManifestEntryObjectGroup Level="WARN" />
+			<ManifestEntryObjectIntact Level="FAIL" />
+			<ManifestEntryNameMatch Level="WARN" />
 			<SignatureIntact Level="FAIL" />
 			<ProspectiveCertificateChain Level="FAIL" />
 			<ByteRange Level="FAIL" />
@@ -415,6 +439,11 @@
 				<Recognition Level="FAIL" />
 				<Signature Level="FAIL" />
 				<NotExpired Level="FAIL" />
+				<RevocationDataSkip Level="IGNORE">
+					<CertificateExtensions>
+						<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
+					</CertificateExtensions>
+				</RevocationDataSkip>
 				<RevocationDataAvailable Level="FAIL" />
 				<AcceptableRevocationDataFound Level="FAIL" />
 				<CRLNextUpdatePresent Level="WARN" />
@@ -483,11 +512,13 @@
 		<DataObjectIntact Level="FAIL" />
 		<DataObjectFound Level="FAIL" />
 		<DataObjectGroup Level="WARN" />
+		<HashTreeRenewal Level="FAIL" />
 		<Cryptographic />
 	</EvidenceRecord>
 	<Cryptographic Level="FAIL">
 		<AcceptableEncryptionAlgo>
 			<Algo>RSA</Algo>
+			<Algo>RSASSA-PSS</Algo>
 			<Algo>DSA</Algo>
 			<Algo>ECDSA</Algo>
 			<Algo>PLAIN-ECDSA</Algo>
@@ -496,6 +527,7 @@
 		<MiniPublicKeySize>
 			<Algo Size="1024">DSA</Algo>
 			<Algo Size="1024">RSA</Algo>
+			<Algo Size="1024">RSASSA-PSS</Algo>
 			<Algo Size="160">ECDSA</Algo>
 			<Algo Size="160">PLAIN-ECDSA</Algo>
 <!-- 		<Algo Size="24">EdDSA</Algo> 		Not referenced in ETSI/SOGIS -->
@@ -539,6 +571,10 @@
 			<Algo Date="2016" Size="1536">RSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
 			<Algo Date="2026" Size="1900">RSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
 			<Algo Date="2029" Size="3000">RSA</Algo> <!-- ETSI 119 312 V1.4.2 -->
+			<Algo Date="2009" Size="1024">RSASSA-PSS</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
+			<Algo Date="2016" Size="1536">RSASSA-PSS</Algo> <!-- ETSI 119 312 V1.1.1 -->
+			<Algo Date="2026" Size="1900">RSASSA-PSS</Algo> <!-- ETSI 119 312 V1.4.2 -->
+			<Algo Date="2029" Size="3000">RSASSA-PSS</Algo> <!-- ETSI 119 312 V1.4.2 -->
 			<Algo Date="2013" Size="160">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
 			<Algo Date="2013" Size="192">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
 			<Algo Date="2016" Size="224">ECDSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
@@ -565,4 +601,4 @@
 		<TLWellSigned Level="WARN" />
 		<TLVersion Level="FAIL" value="5" />
 	</eIDAS>
-</ConstraintsParameters>
+</ConstraintsParameters>