diff --git a/etp-core/etp-backend/deps.edn b/etp-core/etp-backend/deps.edn
index f2c7bb97d..61fd3264f 100644
--- a/etp-core/etp-backend/deps.edn
+++ b/etp-core/etp-backend/deps.edn
@@ -2,52 +2,54 @@ "src/main/sql" "src/main/resources"] :mvn/repos {"shibboleth" {:url "https://build.shibboleth.net/maven/releases/"}} - :deps {org.clojure/clojure {:mvn/version "1.12.0"} - ch.qos.logback/logback-classic {:mvn/version "1.5.12"} - org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"} - flathead/flathead {:mvn/version "0.0.6"} - integrant/integrant {:mvn/version "0.13.1"} - hikari-cp/hikari-cp {:mvn/version "3.1.0"} - org.postgresql/postgresql {:mvn/version "42.7.4"} - org.clojure/java.jdbc {:mvn/version "0.7.12"} - org.clojure/data.csv {:mvn/version "1.1.0"} - http-kit/http-kit {:mvn/version "2.8.0"} - ring/ring-core {:mvn/version "1.13.0"} - javax.servlet/servlet-api {:mvn/version "2.5"} - org.clojure/tools.logging {:mvn/version "1.3.0"} - prismatic/schema {:mvn/version "1.4.1"} - metosin/reitit-ring {:mvn/version "0.7.2"} - metosin/reitit-swagger {:mvn/version "0.7.2"} - metosin/reitit-swagger-ui {:mvn/version "0.7.2"} - metosin/ring-swagger-ui {:mvn/version "5.17.14"} - metosin/reitit-middleware {:mvn/version "0.7.2"} - metosin/reitit-dev {:mvn/version "0.7.2"} - metosin/reitit-schema {:mvn/version "0.7.2"} - fi.metosin/reitit-openapi {:mvn/version "0.7.2"} - metosin/muuntaja {:mvn/version "0.6.10"} - metosin/jsonista {:mvn/version "0.3.12"} - metosin/schema-tools {:mvn/version "0.13.1"} - webjure/jeesql {:mvn/version "0.4.7"} - clj-http/clj-http {:mvn/version "3.13.0"} - buddy/buddy-core {:mvn/version "1.12.0-430"} - buddy/buddy-sign {:mvn/version "3.6.1-359"} - buddy/buddy-hashers {:mvn/version "2.0.167"} + :deps {org.clojure/clojure {:mvn/version "1.12.0"} + ch.qos.logback/logback-classic {:mvn/version "1.5.12"} + org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"} + flathead/flathead {:mvn/version "0.0.6"} + integrant/integrant {:mvn/version "0.13.1"} + hikari-cp/hikari-cp {:mvn/version "3.1.0"} + org.postgresql/postgresql {:mvn/version "42.7.4"} + org.clojure/java.jdbc {:mvn/version "0.7.12"} + org.clojure/data.csv {:mvn/version "1.1.0"} + 
http-kit/http-kit {:mvn/version "2.8.0"} + ring/ring-core {:mvn/version "1.13.0"} + javax.servlet/servlet-api {:mvn/version "2.5"} + org.clojure/tools.logging {:mvn/version "1.3.0"} + prismatic/schema {:mvn/version "1.4.1"} + metosin/reitit-ring {:mvn/version "0.7.2"} + metosin/reitit-swagger {:mvn/version "0.7.2"} + metosin/reitit-swagger-ui {:mvn/version "0.7.2"} + metosin/ring-swagger-ui {:mvn/version "5.17.14"} + metosin/reitit-middleware {:mvn/version "0.7.2"} + metosin/reitit-dev {:mvn/version "0.7.2"} + metosin/reitit-schema {:mvn/version "0.7.2"} + fi.metosin/reitit-openapi {:mvn/version "0.7.2"} + metosin/muuntaja {:mvn/version "0.6.10"} + metosin/jsonista {:mvn/version "0.3.12"} + metosin/schema-tools {:mvn/version "0.13.1"} + webjure/jeesql {:mvn/version "0.4.7"} + clj-http/clj-http {:mvn/version "3.13.0"} + buddy/buddy-core {:mvn/version "1.12.0-430"} + buddy/buddy-sign {:mvn/version "3.6.1-359"} + buddy/buddy-hashers {:mvn/version "2.0.167"} - org.apache.poi/poi {:mvn/version "5.3.0"} - org.apache.poi/poi-ooxml {:mvn/version "5.3.0"} + org.apache.poi/poi {:mvn/version "5.3.0"} + org.apache.poi/poi-ooxml {:mvn/version "5.3.0"} - org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"} - io.github.solita/puumerkki {:mvn/version "0.12.0"} - org.clojure/core.match {:mvn/version "1.1.0"} - com.cognitect.aws/api {:mvn/version "0.8.692"} - com.cognitect.aws/endpoints {:mvn/version "1.1.12.772"} - com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"} - com.cognitect.aws/kms {:mvn/version "869.2.1687.0"} - de.ubercode.clostache/clostache {:mvn/version "1.4.0"} - commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"} + org.bouncycastle/bcprov-jdk18on {:mvn/version "1.79"} + org.bouncycastle/bcmail-jdk18on {:mvn/version "1.79"} + org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"} + io.github.solita/puumerkki {:mvn/version "0.12.0"} + org.clojure/core.match {:mvn/version "1.1.0"} + com.cognitect.aws/api {:mvn/version "0.8.692"} + com.cognitect.aws/endpoints {:mvn/version 
"1.1.12.772"} + com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"} + com.cognitect.aws/kms {:mvn/version "869.2.1687.0"} + de.ubercode.clostache/clostache {:mvn/version "1.4.0"} + commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"} - com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"} - com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"} + com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"} + com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"} ;; Contains vulnerable version of batik-* libraries, exclude those ;; and add direct dependency to newer versions 
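Review bot: The new direct BouncyCastle coordinates `org.bouncycastle/bcprov-jdk18on` and `org.bouncycastle/bcmail-jdk18on` at 1.79 are added without any `:exclusions` on the libraries that presumably also bring a BouncyCastle provider transitively (pdfbox, puumerkki and the DSS modules in the next hunk), so resolution may leave a second provider version on the classpath, and `Security/addProvider (BouncyCastleProvider.)` in the new namespace will register whichever one wins. The batik entry just below shows the pattern this file already uses for exactly that situation — exclude the transitive copy, pin the direct one, and say why — and a comment in the same shape, e.g. `;; Pin BouncyCastle so DSS, pdfbox and puumerkki all resolve one provider version`, would make the intent reviewable. The classes the new namespace imports from `org.bouncycastle.cert` and `org.bouncycastle.operator` appear to live in `bcpkix-jdk18on`, which is not declared here and would only arrive transitively via bcmail; declaring it directly avoids depending on that. Re-indenting the ~50 unchanged coordinates in the same hunk as the two additions buries the substantive change; a whitespace-only commit first would keep review and blame focused on the new artifacts.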
@@ -56,27 +58,39 @@ :exclusions [org.apache.xmlgraphics/batik-transcoder org.apache.xmlgraphics/batik-codec org.apache.xmlgraphics/batik-ext]} - org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"} - org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"} - org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"} + org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"} + org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"} + org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"} ;; Non-alpha version does not support xml namespaces - org.clojure/data.xml {:mvn/version "0.2.0-alpha9"} - camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"} - com.jcraft/jsch {:mvn/version "0.1.55"} - com.sun.mail/javax.mail {:mvn/version "1.6.2"} + org.clojure/data.xml {:mvn/version "0.2.0-alpha9"} + camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"} + com.jcraft/jsch {:mvn/version "0.1.55"} + com.sun.mail/javax.mail {:mvn/version "1.6.2"} - org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"} - org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"} - com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"} - org.apache.axis/axis {:mvn/version "1.4"} - commons-io/commons-io {:mvn/version "2.17.0"} + org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"} + org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"} + com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"} + org.apache.axis/axis {:mvn/version "1.4"} + commons-io/commons-io {:mvn/version "2.17.0"} ;; commons-discovery is needed by some other library dynamically at runtime ;; related to suomi.fi-viestit implementation - commons-discovery/commons-discovery {:mvn/version "0.5"} - com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"} - kovacnica/clojure.network.ip {:mvn/version "0.1.5" - :exclusions [org.clojure/clojurescript]}} + commons-discovery/commons-discovery {:mvn/version "0.5"} + com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"} + 
kovacnica/clojure.network.ip {:mvn/version "0.1.5" + :exclusions [org.clojure/clojurescript]} + + eu.europa.ec.joinup.sd-dss/dss-enumerations {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-model {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-service {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-pades {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-utils-apache-commons {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-utils {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-validation {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-spi {:mvn/version "6.1"} + eu.europa.ec.joinup.sd-dss/dss-pades-pdfbox {:mvn/version "6.1"} + + } :aliases {:dev {:extra-paths ["src/test/clj" "src/test/resources" "src/dev/clj"] diff --git a/etp-core/etp-backend/src/main/clj/solita/etp/service/signing/dss_augmentation.clj b/etp-core/etp-backend/src/main/clj/solita/etp/service/signing/dss_augmentation.clj new file mode 100644 index 000000000..f5e32e0ee --- /dev/null +++ b/etp-core/etp-backend/src/main/clj/solita/etp/service/signing/dss_augmentation.clj 
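Review bot: The nine `eu.europa.ec.joinup.sd-dss/*` 6.1 coordinates carry no comment on what they are for, while the neighbouring batik and commons-discovery entries each explain their presence; a line such as `;; EU DSS: PAdES signature augmentation (timestamps/OCSP), used by solita.etp.service.signing.dss-augmentation` before the block would match the file's convention. Judging by the `eu.europa.esig.dss.service.ocsp OnlineOCSPSource` import in the new namespace, `dss-service` is the module that performs online OCSP/CRL fetching, i.e. outbound network egress from the backend at signing/validation time, which deserves a mention in that comment so the operational implication is visible to whoever maintains the network policy. Stylistically, the map now ends with an empty line followed by `+ }` on its own line, unlike the rest of the file, which closes on the last coordinate (`:exclusions [org.clojure/clojurescript]}}`); folding the closing brace back onto the last DSS entry keeps the formatting consistent.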
@@ -0,0 +1,74 @@
+(ns solita.etp.service.signing.dss-augmentation
+ (:import (eu.europa.esig.dss.alert LogOnStatusAlert)
+ (eu.europa.esig.dss.enumerations SignatureLevel)
+ (eu.europa.esig.dss.model FileDocument)
+ (eu.europa.esig.dss.pades PAdESSignatureParameters)
+ (eu.europa.esig.dss.pades.signature PAdESService)
+ (eu.europa.esig.dss.service.ocsp OnlineOCSPSource)
+ (eu.europa.esig.dss.spi.validation CommonCertificateVerifier)
+ (eu.europa.esig.dss.spi.x509.tsp KeyEntityTSPSource)
+ (java.io File)
+ (java.security KeyPair KeyPairGenerator KeyStore PrivateKey SecureRandom Security)
+ (java.security.cert X509Certificate)
+ (java.util ArrayList Date List)
+ (org.bouncycastle.asn1.x500 X500Name)
+ (org.bouncycastle.cert X509v3CertificateBuilder)
+ (org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509v3CertificateBuilder)
+ (org.bouncycastle.jce.provider BouncyCastleProvider)
+ (org.bouncycastle.operator ContentSigner)
+ (org.bouncycastle.operator.jcajce JcaContentSignerBuilder)))
+
+(def tsp-key-and-cert
+ (let [_ (Security/addProvider (BouncyCastleProvider.)) ;; TODO: Should this be done elsewhere?
+ ^KeyPairGenerator keyPairGenerator (doto (KeyPairGenerator/getInstance "RSA")
+ (.initialize 2048))
+ ^KeyPair keyPair (-> keyPairGenerator .generateKeyPair)
+
+ subjectDN "CN=Self-Signed, O=Example, C=FI"
+ issuerDN subjectDN
+ serialNumber (BigInteger. 64 (SecureRandom.))
+ ^Date notBefore (Date.)
+ ^Date notAfter (Date. ^long (+ (System/currentTimeMillis) (* 365 24 60 60 1000)))
+
+ ^X509v3CertificateBuilder certBuilder (JcaX509v3CertificateBuilder.
+ (X500Name. issuerDN)
+ serialNumber
+ notBefore
+ notAfter
+ (X500Name. subjectDN)
+ (-> keyPair .getPublic))
+
+ ^ContentSigner signer (-> (JcaContentSignerBuilder. "SHA256withRSA") (.build (-> keyPair .getPrivate)))
+ ^X509Certificate certificate (-> (doto (JcaX509CertificateConverter.) (.setProvider "BC")) (.getCertificate (-> certBuilder (.build signer))))]
+ {:private-key (-> keyPair .getPrivate)
+ :public-key (-> keyPair .getPublic)
+ :certificate certificate}))
+
+(defn create-longer-validation-document [pdf-file]
+ (let [parameters (PAdESSignatureParameters.)
+ _ (-> parameters (.setSignatureLevel SignatureLevel/PAdES_BASELINE_T))
+
+ certificate-verifier (doto (CommonCertificateVerifier.)
+ (.setOcspSource (OnlineOCSPSource.))
+ (.setAlertOnInvalidTimestamp (LogOnStatusAlert.)))
+
+ #_(-> certificate-verifier (.setTrustedCertSources ""))
+ key-store-file (File. "/tmp/test-key-store")
+ key-store-pw (char-array "kissa")
+ ^KeyStore key-store (doto (KeyStore/getInstance "PKCS12")
+ (.load nil key-store-pw))
+ ;;key-entity-tsp-source (KeyEntityTSPSource. key-store "self-signed-tsa" key-store-pw)
+ key-entity-tsp-source (KeyEntityTSPSource. ^PrivateKey (:private-key tsp-key-and-cert)
+ ^X509Certificate (:certificate tsp-key-and-cert)
+ ^List (doto (ArrayList.) (.add (:certificate tsp-key-and-cert))))
+ _ (-> key-entity-tsp-source (.setTsaPolicy "1.2.3.4"))
+
+ pades-service (doto (PAdESService. certificate-verifier)
+ (.setTspSource key-entity-tsp-source))
+
+ ;;hopefully-document-with-ocsp (-> pades-service (.extendDocument pdf-file parameters))
+ ]))
+
+;;TODO: Continue "Certificate must have an ExtendedKeyUsage extension."
+(def pdf-file (FileDocument. "src/test/resources/energiatodistukset/signed-with-ocsp-information.pdf"))
+;;(create-longer-validation-document pdf-file)
\ No newline at end of file
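Review bot: `create-longer-validation-document` constructs a verifier, a TSP source and a `PAdESService` but the `let` has no body — the `.extendDocument` call sits commented out inside the binding vector — so it returns nil for every `pdf-file`, and `key-store-file`, `key-store-pw` and `key-store` are dead bindings that nevertheless leave a `/tmp/test-key-store` path and the literal password `"kissa"` in `src/main`. Combined with the trailing `;;TODO: Continue`, the placeholder TSA policy OID `"1.2.3.4"` and the load-time `(def pdf-file (FileDocument. "src/test/resources/..."))`, this is a spike that belongs under `src/dev/clj` (already on the `:dev` alias's `:extra-paths`) until it produces a document, or at least must not be required by anything on the production load path. `tsp-key-and-cert` generates a fresh RSA key pair and self-signed certificate every time the namespace loads, and calls `Security/addProvider` as a side effect of `def`, so timestamps from this TSA have no evidential value and the trust anchor changes on every restart; wrapping it as `(defn make-dev-tsp-key-and-cert [] ...)` with the docstring `"Ephemeral self-signed TSA key pair for local development only; timestamps it issues are not trusted by any validator."` keeps that out of production and localises the provider registration the author's own TODO questions. `CommonCertificateVerifier` gets an `OnlineOCSPSource` but no trusted certificate source (`setTrustedCertSources` is `#_`'d out), so revocation lookups go to whatever AIA URL a signer's certificate names with nothing anchoring trust — worth `;; TODO: configure a trusted cert source (e.g. EU LOTL / national TSL) before extending beyond PAdES-T` beside it.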