scs-cbu-ced-iam / ais
Swisscom All-in Signing Service: Sample Scripts
License: Apache License 2.0
Using aisService.wsdl
with http://php.net/manual/en/soapclient.soapclient.php it raises I/O warnings as not all schemaLocation are referenced to the local xsd files.
Warning: SoapClient::SoapClient(): I/O warning : failed to load external entity "http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd" in ...
Fatal error: SOAP-ERROR: Parsing Schema: can't import schema from 'http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd' in ...
It's impossible to generate the client from the WADL and the referenced XSD files.
The error
oasis-sstc-saml-schema-protocol-1.1.xsd:1:50: Des espaces sont obligatoires entre les ID publicId et systemId.
is returned.
With the new WSDL in AIS 1.7, the <SignResponse xsi:type="SignResponse" ..> will no longer contain the xsi:type. Regression Test needs to be updated accordingly (expected response validation).
For test cases related to OnDemand Requests we should have a global configuration to define CN, O and C. This should help to ensure that only valid DNs are set for qualified signatures.
Update all client code and documentation to be aligned with the following server changes in the upcoming release:
Soap.java
contains a constant with a URN that is not used:
_CERTIFICATE_REQUEST_PROFILE = "urn:swisscom:advanced";
Actually, there's a check to add a 'Profile' attribute to the OnDemand's CertificateRequest-Element:
if (!_CERTIFICATE_REQUEST_PROFILE.equals(certRequestProfile)) {
certificateRequestElement.addAttribute(new QName("Profile"), certRequestProfile);
}
I haven't found any case in the source code where the 'certRequestProfile' value is set to something different than '_CERTIFICATE_REQUEST_PROFILE'. So it's...
a) dead code
b) we don't support a 'Profile'-attribute to the OnDemand's CertificateRequest-Element
The verification of a timestamp token in ais-verify.sh
shows a wrong Signer information:
[ phaupt@cartel:~/AIS/shell ] $ rm myfile.p7s; ./ais-timestamp.sh myfile.txt SHA256 myfile.p7s; ./ais-verify.sh -v myfile.txt myfile.p7s
OK on myfile.p7s with following details:
Signer : subject= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
validity= notBefore=Jun 24 08:38:14 2011 GMT notAfter=Jun 25 07:38:14 2031 GMT
OCSP check= No OCSP information found in the signers certificate
Embedded OCSP: No
Embedded TSA : No
The reason is a misordering in the certificate chain of the timestamp response. Currently, level1 and level2 are swapped:
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Service/CN=Swisscom TSA 3
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2
This will be fixed on Swisscom AIS side. It shall always provide a correct order of the certificate chain in all responses.
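The verify script picked the wrong signer because it took the first certificate of the response as the leaf. A defensive verifier should not trust the order the service returns but rebuild the chain from subject/issuer linkage. The following is an added example (not code from the ais repository): it models each certificate as a (subject, issuer) pair, as one would obtain from `openssl x509 -subject -issuer`, and uses the three certificates printed above, in the swapped order the response delivered them, as constructed input. `order_chain`, `chain_is_ordered` and `signer_subject` are names chosen for this example.

```python
# Added example, not part of the ais repository.
# Reorder a certificate chain by subject/issuer linkage instead of trusting
# the order in the timestamp response. Certificates are modelled as
# (subject, issuer) string pairs; no PEM parsing is done here.

from typing import List, Tuple

Cert = Tuple[str, str]  # (subject, issuer)

ROOT = "/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2"
TSS_CA = "/C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2"
TSA = "/C=ch/O=Swisscom/OU=Digital Certificate Service/CN=Swisscom TSA 3"

# Constructed input: the order seen in the response above (level0, level1, level2).
RESPONSE_CHAIN: List[Cert] = [
    (ROOT, ROOT),    # level0: self-signed root, wrongly placed first
    (TSA, TSS_CA),   # level1: the actual signer (TSA)
    (TSS_CA, ROOT),  # level2: intermediate CA
]


def order_chain(certs: List[Cert]) -> List[Cert]:
    """Return the chain leaf-first: signer, intermediates..., root.

    The leaf is the only certificate whose subject issues no other certificate
    in the chain; every following element is the issuer of the previous one.
    A chain that ends without its root (root taken from a trust store) is
    accepted. Raises ValueError for anything that is not one linked path.
    """
    by_subject = {}
    for subject, issuer in certs:
        if subject in by_subject:
            raise ValueError(f"duplicate subject in chain: {subject}")
        by_subject[subject] = issuer

    # Subjects that issued some *other* certificate cannot be the leaf.
    issuers = {issuer for subject, issuer in certs if subject != issuer}
    leaves = [s for s in by_subject if s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")

    ordered: List[Cert] = []
    current = leaves[0]
    seen = set()
    while True:
        if current in seen:
            raise ValueError("cycle in certificate chain")
        seen.add(current)
        issuer = by_subject[current]
        ordered.append((current, issuer))
        # Stop at a self-signed root or when the issuer is not part of the chain.
        if issuer == current or issuer not in by_subject:
            break
        current = issuer

    if len(ordered) != len(certs):
        raise ValueError("chain contains certificates not on the leaf-to-root path")
    return ordered


def chain_is_ordered(certs: List[Cert]) -> bool:
    """True if the response already lists the chain leaf-first (detection check)."""
    return order_chain(certs) == list(certs)


def signer_subject(certs: List[Cert]) -> str:
    """Subject DN of the certificate that actually signed, regardless of response order."""
    return order_chain(certs)[0][0]


if __name__ == "__main__":
    print("response order correct:", chain_is_ordered(RESPONSE_CHAIN))
    print("signer:", signer_subject(RESPONSE_CHAIN))
```

Running it on the constructed chain reports that the response order is not leaf-first and that the signer is the TSA certificate, which is what `ais-verify.sh` should have displayed. The script raises rather than guessing when the chain has two leaves or a cycle, so a malformed response cannot silently produce a plausible-looking signer.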
See http://docs.oracle.com/javase/tutorial/java/package/namingpkgs.html
The package name should be refactored from swisscom.com.ais.itext
to com.swisscom.ais.itext
As there are several embedded OCSP options in the response based on the OIDs, the verify script should explicitly display the details.
For the All-in Signing Service (AIS) related iText Module a new dedicated repository itext-ais
shall be created.
When using the aisService.wsdl
over PHP SoapClient the OptionalInputs are not taken into consideration.
See implementation at https://github.com/FreddyKaiser/_dev_/tree/master/php-ais
Params passed to the `__soapCall($request, array('parameters' => $params));`
$request = 'Sign';
$params = array(
'SignRequest' => array(
'RequestID' => $this->__createTransID(),
'Profile' => 'http://ais.swisscom.ch/1.0',
'OptionalInputs' => array(
'ClaimedIdentity' => array(
'Name' => $this->customerID
),
'SignatureType' => 'urn:ietf:rfc:3369',
'AddTimestamp' => array('Type' => 'urn:ietf:rfc:3161'),
'AddRevocationInformation' => array('Type' => 'BOTH')
),
'InputDocuments' => array(
'DocumentHash' => array(
'DigestMethod' => array('Algorithm' => $digestMethod),
'DigestValue' => $digestValue
)
)
)
);
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://service.ais.swisscom.com/">
<env:Body>
<ns3:sign>
<ns1:SignRequest RequestID="AIS.PHP.41144.5262" Profile="http://ais.swisscom.ch/1.0">
<ns1:OptionalInputs/>
<ns1:InputDocuments>
<ns1:DocumentHash>
<ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ns2:DigestValue>QkZCLzFZUnNQb00wVnZRYU4vRzNZMWRRUHRWYkljQUR0ODRZb1JOT012cz0=</ns2:DigestValue>
</ns1:DocumentHash>
</ns1:InputDocuments>
</ns1:SignRequest>
</ns3:sign>
</env:Body>
</env:Envelope>
iText help text shows:
Usage: swisscom.com.ais.itext.SignPDF [OPTIONS]
Options:
-v - set verbose output
-d - set debug mode
-config=VALUE - custom path to properties file which will overwrite default path
-type=VALUE - signature type, values: timestamp, sign
-infile=VALUE - source PDF file to be signed
-outfile=VALUE - target PDF file that will be signed
-reason=VALUE - signing reason
-location=VALUE - signing location
-contact=VALUE - signing contact
-dn=VALUE - distinguished name for OnDemand certificate signing
-msisdn=VALUE - Mobile ID step up MSISDN (requires -dn -msg -lang)
-msg=VALUE - Mobile ID step up message (requires -dn -msg -lang)
-lang=VALUE - Mobile ID step up language, values: en, de, fr, it (requires -dn -msg -lang)
Examples:
java swisscom.com.ais.itext.SignPDF -v -type=timestamp -infile=sample.pdf -outfile=signed.pdf
java swisscom.com.ais.itext.SignPDF -v -config=/tmp/signpdf.properties -type=sign -infile=sample.pdf -outfile=signed.pdf -reason=Approved -location=CH [email protected]
java swisscom.com.ais.itext.SignPDF -v -type=sign -infile=sample.pdf -outfile=signed.pdf -dn='cn=Hans Muster,o=ACME,c=CH'
java swisscom.com.ais.itext.SignPDF -v -type=sign -infile=sample.pdf -outfile=signed.pdf -dn='cn=Hans Muster,o=ACME,c=CH' -msisdn=41792080350 -msg='service.com: Sign?' -lang=en
Mobile ID step up related help text should be:
-msisdn=VALUE - Mobile ID step up MSISDN (requires -dn -msg -lang)
-msg=VALUE - Mobile ID step up message (requires -dn -msisdn -lang)
-lang=VALUE - Mobile ID step up language, values: en, de, fr, it (requires -dn -msisdn -msg)
Do you have a sample for this in C#?
Revocation information (RI) shouldn't be added to the DSS in case the AIS has already embedded RI in the signature, e.g. in case of static or OnDemand signatures.
Currently iText does always add RI, in every case, causing the document to be altered. It'll break the signature in case of certification signatures.
Option has been delivered with 1.5.0 release.
AddRevocationInformation will be supported in the next major update of AIS. Scripts and readme's need to be updated accordingly.
WADL definitions are incomplete and should be considered as informative only.
The README should be changed to include this information and the hint that developers should use REST libraries such as Jersey or Unirest to create the stubs.
Provide a transactionID that can be used in the DTBS in the shell scripts as well as in the itext
For some reason the test steps have been lost in the latest commit. To be cloned over from a previous commit.