Release 1.17.0 (#11)

* [skip ci] Update project to latest tag verifica-firma-eidas-1.17.0 * Fix pom.xml * Fix pom.xml * [maven-release-plugin] prepare release verifica-firma-eidas-1.17.0 * [maven-release-plugin] prepare for next development iteration --------- Co-authored-by: parerworker <DevPARER@regione.emilia-romagna.it> Co-authored-by: GitHub Actions <actions@github.com>
RegioneER · Jul 4, 2024 · 683fab1 · 683fab1
1 parent 3932aa2
commit 683fab1
Show file tree

Hide file tree

Showing 8 changed files with 174 additions and 64 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,20 @@
+
+## 1.17.0 (10-04-2024)
+
+### Novità: 2
+- [#31808](https://parermine.regione.emilia-romagna.it/issues/31808) Rilassamento vincoli con verifica OCSP e data certificato antecedenete a quella del responder
+- [#31709](https://parermine.regione.emilia-romagna.it/issues/31709) Gestione migliorata sorgenti revoche (cache / online)
+
 ## 1.16.0 (14-03-2024)
 
 ### Novità: 1
 - [#31419](https://parermine.regione.emilia-romagna.it/issues/31419) Attivazione statistiche per monitoraggio con prometheus
 
+## 1.15.1 (16-02-2024)
+
+### Bugfix: 1
+- [#31275](https://parermine.regione.emilia-romagna.it/issues/31275) Correzione errore PKI su https://elektroninisparasas.lt/LT-TSL.xml
+
 ## 1.15.0 (29-01-2024)
 
 ### Novità: 2

diff --git a/CONTAINER-SCAN-REPORT.md b/CONTAINER-SCAN-REPORT.md
@@ -1,7 +1,8 @@
 ## Container scan evidence CVE
 <strong>Image name:</strong> registry.ente.regione.emr.it/parer/okd/verifica-firma-eidas:sast
-<br/><strong>Run date:</strong> Mon Jan 29 12:20:03 CET 2024
-<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/156713">Job</a>
-<br/><strong>CVE founded:</strong> 0
+<br/><strong>Run date:</strong> Wed Apr 10 16:45:14 CEST 2024
+<br/><strong>Produced by:</strong> <a href="https://gitlab.ente.regione.emr.it/parer/okd/verifica-firma-eidas/-/jobs/216130">Job</a>
+<br/><strong>CVE founded:</strong> 1
 | CVE | Description | Severity | Solution | 
 |:---:|:---|:---:|:---|
+| [CVE-2024-28182](https://access.redhat.com/security/cve/CVE-2024-28182)|A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service.|High|No solution provided|
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -1,4 +1,5 @@
-## 1.16.0 (14-03-2024)
+## 1.17.0 (10-04-2024)
 
-### Novità: 1
-- [#31419](https://parermine.regione.emilia-romagna.it/issues/31419) Attivazione statistiche per monitoraggio con prometheus
+### Novità: 2
+- [#31808](https://parermine.regione.emilia-romagna.it/issues/31808) Rilassamento vincoli con verifica OCSP e data certificato antecedenete a quella del responder
+- [#31709](https://parermine.regione.emilia-romagna.it/issues/31709) Gestione migliorata sorgenti revoche (cache / online)
diff --git a/pdfdocs/CHANGELOG.pdf b/pdfdocs/CHANGELOG.pdf
diff --git a/pdfdocs/RELEASE-NOTES.pdf b/pdfdocs/RELEASE-NOTES.pdf
diff --git a/pom.xml b/pom.xml
@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<artifactId>verifica-firma-eidas</artifactId>
-	<version>1.16.1-SNAPSHOT</version>
+	<version>1.17.1-SNAPSHOT</version>
 	<packaging>${packaging.type}</packaging>
 	<name>Verifica Firma EIDAS</name>
 	<description>Progetto per effettuare firme e validazioni con librerie DSS (EIDAS)</description>

diff --git a/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java b/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java
@@ -20,9 +20,11 @@
 import java.io.File;
 import java.io.IOException;
 import java.security.KeyStore.PasswordProtection;
+import java.sql.SQLException;
 
 import javax.sql.DataSource;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hc.client5.http.ssl.TrustAllStrategy;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -61,6 +63,8 @@
 import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
 import eu.europa.esig.dss.spi.x509.aia.AIASource;
 import eu.europa.esig.dss.spi.x509.aia.DefaultAIASource;
+import eu.europa.esig.dss.spi.x509.revocation.crl.CRLSource;
+import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource;
 import eu.europa.esig.dss.spi.x509.tsp.TSPSource;
 import eu.europa.esig.dss.token.KeyStoreSignatureTokenConnection;
 import eu.europa.esig.dss.tsl.function.OfficialJournalSchemeInformationURI;
@@ -122,7 +126,8 @@ public class DSSBeanConfig {
     @Value("${current.oj.url}")
     private String currentOjUrl;
 
-    @Autowired
+    /* custom DataSource possibile null in case DB is disable by configuration */
+    @Autowired(required = false)
     private DataSource dataSource;
 
     @Autowired(required = false)
@@ -144,28 +149,46 @@ public class DSSBeanConfig {
     @Value("${cache.ocsp.max.next.update:0}")
     private long ocspMaxNextUpdate;
 
+    /* from 5.13 */
+    @Value("${cache.expiration:0}")
+    private long cacheExpiration;
+
     /* custom */
-    @Value("${revoke.data.loading.strategy.crl-first.enabled:true}")
+    @Value("${revoke.data.loading.strategy.crl-first.enabled:false}")
     private boolean revokeDataLoadingStratCrlFirst;
 
     @Value("${revoke.removeExpired.enabled:true}")
     private boolean revokeRemoveExpired;
 
-    @Value("${dataloader.timeoutconnection:60000}")
+    /* in ms */
+    @Value("${dataloader.timeoutconnection:1200000}")
     private int timeoutConnection;
 
-    @Value("${dataloader.timeoutsocket:60000}")
+    /* in ms */
+    @Value("${dataloader.timeoutsocket:1200000}")
     private int timeoutSocket;
 
-    @Value("${dataloader.connectionsmaxtotal:20}")
+    @Value("${dataloader.connectionsmaxtotal:40}")
     private int connectionsMaxTotal;
 
-    @Value("${dataloader.connectionsmaxperroute:2}")
+    @Value("${dataloader.connectionsmaxperroute:4}")
     private int connectionsMaxPerRoute;
 
-    @Value("${dataloader.ldaptimeoutconnection:30000}")
+    /* in ms */
+    @Value("${dataloader.connectiontimetolive:1200000}")
+    private int connectionTimeToLive;
+
+    /* in ms */
+    @Value("${dataloader.ldaptimeoutconnection:1200000}")
     private String ldapTimeoutConnection;
 
+    @Value("${cache.enabled:true}")
+    private boolean cacheEnabled;
+
+    // default empty
+    @Value("${cache.file.path:}")
+    private String cacheFilePath;
+
     @Bean
     public CommonsDataLoaderExt dataLoader() {
         CommonsDataLoaderExt dataLoader = new CommonsDataLoaderExt();
@@ -176,6 +199,7 @@ public CommonsDataLoaderExt dataLoader() {
         dataLoader.setTimeoutSocket(timeoutSocket);
         //
         dataLoader.setConnectionsMaxPerRoute(connectionsMaxPerRoute);
+        dataLoader.setConnectionTimeToLive(connectionTimeToLive);
         //
         dataLoader.setLdapTimeoutConnection(ldapTimeoutConnection);
         return dataLoader;
@@ -196,12 +220,22 @@ public OCSPDataLoaderExt ocspDataLoader() {
         return ocspDataLoader;
     }
 
+    /* from 5.13 */
     @Bean
     public FileCacheDataLoader fileCacheDataLoader() {
+        FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+        fileCacheDataLoader.setCacheExpirationTime(cacheExpiration * 1000); // to millis
+        return fileCacheDataLoader;
+    }
+
+    private FileCacheDataLoader initFileCacheDataLoader() {
         FileCacheDataLoader fileCacheDataLoader = new FileCacheDataLoader();
         fileCacheDataLoader.setDataLoader(dataLoader());
         // Per default uses "java.io.tmpdir" property
         // fileCacheDataLoader.setFileCacheDirectory(new File("/tmp"));
+        if (StringUtils.isNotBlank(cacheFilePath)) {
+            fileCacheDataLoader.setFileCacheDirectory(new File(cacheFilePath));
+        }
         return fileCacheDataLoader;
     }
 
@@ -213,55 +247,136 @@ public OnlineCRLSource onlineCRLSource() {
     }
 
     /*
-     * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
-     * non si vuole dropparle non appena il processo viene interrotto
+     * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+     * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+     * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+     * 
+     * Visit
+     * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+     * config/DSSBeanConfig.java
+     * 
      */
     // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
-    @Bean(initMethod = "initTable")
-    public JdbcCacheCRLSource cachedCRLSource() {
-        JdbcCacheCRLSource jdbcCacheCRLSource = new JdbcCacheCRLSource();
-        jdbcCacheCRLSource.setJdbcCacheConnector(jdbcCacheConnector());
-        jdbcCacheCRLSource.setProxySource(onlineCRLSource());
-        jdbcCacheCRLSource.setDefaultNextUpdateDelay(crlDefaultNextUpdate); // 0 (get new one every time)
-        jdbcCacheCRLSource.setMaxNextUpdateDelay(crlMaxNextUpdate); // 0 (get new one every time)
-        // default = true
-        // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
-        jdbcCacheCRLSource.setRemoveExpired(revokeRemoveExpired);
-        return jdbcCacheCRLSource;
+    @Bean
+    public CRLSource defineCRLSource() {
+        if (cacheEnabled) {
+            if (dataSource != null) {
+                JdbcCacheCRLSource jdbcCacheCRLSource = new JdbcCacheCRLSource();
+                jdbcCacheCRLSource.setJdbcCacheConnector(jdbcCacheConnector());
+                jdbcCacheCRLSource.setProxySource(onlineCRLSource());
+                jdbcCacheCRLSource.setDefaultNextUpdateDelay(crlDefaultNextUpdate); // 0 (get new one every time)
+                jdbcCacheCRLSource.setMaxNextUpdateDelay(crlMaxNextUpdate); // 0 (get new one every time)
+                // default = true
+                // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
+                jdbcCacheCRLSource.setRemoveExpired(revokeRemoveExpired);
+                // create table if not exits
+                try {
+                    jdbcCacheCRLSource.initTable();
+                } catch (SQLException e) {
+                    throw new DSSException("Errore inizializzazione CRL JDBC cache", e);
+                }
+                return jdbcCacheCRLSource;
+            }
+            OnlineCRLSource onlineCRLSource = onlineCRLSource();
+            FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+            fileCacheDataLoader.setCacheExpirationTime(crlMaxNextUpdate * 1000); // to millis
+            onlineCRLSource.setDataLoader(fileCacheDataLoader);
+            return onlineCRLSource;
+        } else {
+            return onlineCRLSource();
+        }
+
     }
 
     @Bean
-    public OnlineOCSPSource onlineOcspSource() {
+    public OnlineOCSPSource onlineOCSPSource() {
         OnlineOCSPSource onlineOCSPSource = new OnlineOCSPSource();
         onlineOCSPSource.setDataLoader(ocspDataLoader());
         return onlineOCSPSource;
     }
 
     /*
-     * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
-     * non si vuole dropparle non appena il processo viene interrotto
+     * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+     * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+     * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+     * 
+     * Visit
+     * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+     * config/DSSBeanConfig.java
+     * 
+     * 
+     */
+    // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
+    @Bean
+    public OCSPSource defineOCSPSource() {
+        if (cacheEnabled) {
+            if (dataSource != null) {
+                JdbcCacheOCSPSource jdbcCacheOCSPSource = new JdbcCacheOCSPSource();
+                jdbcCacheOCSPSource.setJdbcCacheConnector(jdbcCacheConnector());
+                jdbcCacheOCSPSource.setProxySource(onlineOCSPSource());
+                jdbcCacheOCSPSource.setDefaultNextUpdateDelay(ocspDefaultNextUpdate); // 0 (get new one every time)
+                jdbcCacheOCSPSource.setMaxNextUpdateDelay(ocspMaxNextUpdate); // 0 (get new one every time)
+                // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
+                jdbcCacheOCSPSource.setRemoveExpired(revokeRemoveExpired);
+                try {
+                    jdbcCacheOCSPSource.initTable();
+                } catch (SQLException e) {
+                    throw new DSSException("Errore inizializzazione OCSP JDBC cache", e);
+                }
+                return jdbcCacheOCSPSource;
+            }
+            OnlineOCSPSource onlineOCSPSource = onlineOCSPSource();
+            FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+            fileCacheDataLoader.setDataLoader(ocspDataLoader());
+            fileCacheDataLoader.setCacheExpirationTime(ocspMaxNextUpdate * 1000); // to millis
+            onlineOCSPSource.setDataLoader(fileCacheDataLoader);
+            return onlineOCSPSource;
+        } else {
+            return onlineOCSPSource();
+        }
+    }
+
+    /*
+     * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+     * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+     * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+     * 
+     * 
+     * Visit
+     * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+     * config/DSSBeanConfig.java
+     * 
      */
-    /* from 5.6 */
     // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
-    @Bean(initMethod = "initTable")
-    public JdbcCacheOCSPSource cachedOCSPSource() {
-        JdbcCacheOCSPSource jdbcCacheOCSPSource = new JdbcCacheOCSPSource();
-        jdbcCacheOCSPSource.setJdbcCacheConnector(jdbcCacheConnector());
-        jdbcCacheOCSPSource.setProxySource(onlineOcspSource());
-        jdbcCacheOCSPSource.setDefaultNextUpdateDelay(ocspDefaultNextUpdate); // 0 (get new one every time)
-        jdbcCacheOCSPSource.setMaxNextUpdateDelay(ocspMaxNextUpdate); // 0 (get new one every time)
-        // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
-        jdbcCacheOCSPSource.setRemoveExpired(revokeRemoveExpired);
-        return jdbcCacheOCSPSource;
+    @Bean
+    public AIASource defineAIASource() {
+        if (cacheEnabled) {
+            if (dataSource != null) {
+                JdbcCacheAIASource jdbcCacheAIASource = new JdbcCacheAIASource();
+                jdbcCacheAIASource.setJdbcCacheConnector(jdbcCacheConnector());
+                jdbcCacheAIASource.setProxySource(onlineAIASource());
+                return jdbcCacheAIASource;
+            }
+            FileCacheDataLoader fileCacheDataLoader = fileCacheDataLoader();
+            return new DefaultAIASource(fileCacheDataLoader);
+        } else {
+            return onlineAIASource();
+        }
+    }
+
+    @Bean
+    public AIASource onlineAIASource() {
+        return new DefaultAIASource(dataLoader());
     }
 
     /* from 5.8 */
     @Bean
     public CertificateVerifier certificateVerifier() {
         CommonCertificateVerifier certificateVerifier = new CommonCertificateVerifier();
-        certificateVerifier.setCrlSource(cachedCRLSource());
-        certificateVerifier.setOcspSource(cachedOCSPSource());
-        certificateVerifier.setAIASource(cachedAIASource());
+        /* manage source */
+        certificateVerifier.setCrlSource(defineCRLSource());
+        certificateVerifier.setOcspSource(defineOCSPSource());
+        certificateVerifier.setAIASource(defineAIASource());
         certificateVerifier.setTrustedCertSources(trustedListSource());
 
         // Default configs
@@ -471,25 +586,6 @@ public SSLCertificateLoader sslCertificateLoader() {
         return sslCertificateLoader;
     }
 
-    /*
-     * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
-     * non si vuole dropparle non appena il processo viene interrotto
-     */
-    /* from 5.10.1 */
-    // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
-    @Bean(initMethod = "initTable")
-    public JdbcCacheAIASource cachedAIASource() {
-        JdbcCacheAIASource jdbcCacheAIASource = new JdbcCacheAIASource();
-        jdbcCacheAIASource.setJdbcCacheConnector(jdbcCacheConnector());
-        jdbcCacheAIASource.setProxySource(onlineAIASource());
-        return jdbcCacheAIASource;
-    }
-
-    @Bean
-    public AIASource onlineAIASource() {
-        return new DefaultAIASource(dataLoader());
-    }
-
     @Bean
     public JdbcCacheConnector jdbcCacheConnector() {
         return new JdbcCacheConnector(dataSource);

diff --git a/src/main/resources/policy/custom_constraint.xml b/src/main/resources/policy/custom_constraint.xml
@@ -105,7 +105,7 @@
 				<SerialNumberPresent Level="WARN" />
 				<NotRevoked Level="FAIL" />
 				<NotOnHold Level="FAIL" />
-				<RevocationIssuerNotExpired Level="FAIL" />
+				<RevocationIssuerNotExpired Level="WARN" />
 				<NotSelfSigned Level="WARN" />
 <!--				<QcCompliance Level="WARN" /> -->
 <!--				<QcSSCD Level="WARN" /> -->