ais's Issues

WADL definition / Impossible to generate client stub

It's impossible to generate the client from the wadl and the referenced xsd files.

the error

oasis-sstc-saml-schema-protocol-1.1.xsd:1:50: Des espaces sont obligatoires entre les ID publicId et systemId.

is returned

AIS 1.7 - New WSDL omits xsi:type

With the new WSDL in AIS 1.7, the <SignResponse xsi:type="SignResponse" ..> will no longer contain the xsi:type. Regression Test needs to be updated accordingly (expected response validation).

Namespace and Service Endpoint changes

Update all client code and documentation to be aligned with the following server changes in the upcoming release:

  • compliant with IANA-Specification (urn:com:swisscom:dss:... -> urn:swisscom:ais:...)
  • Standardisation of version number to format x.y (instead of Vx.y)
  • "dss" changed to "ais"
  • "DSS-Server" changed to "AIS-Server"

iText CertificateRequest Profile

Soap.java contains a constant with a URN that is not used:

_CERTIFICATE_REQUEST_PROFILE = "urn:swisscom:advanced";

Actually, there's a check to add a 'Profile' attribute to the OnDemand's CertificateRequest-Element:

if (!_CERTIFICATE_REQUEST_PROFILE.equals(certRequestProfile)) {
                    certificateRequestElement.addAttribute(new QName("Profile"), certRequestProfile);
                }

I haven't found any case in the source code where the 'certRequestProfile' value is set to something different than '_CERTIFICATE_REQUEST_PROFILE'. So it's...
a) dead code
b) we don't support a 'Profile'-attribute to the OnDemand's CertificateRequest-Element

ais-verify.sh: Wrong signer info due to unsorted cert-chain in timestamp response

The verification of a timestamp token in ais-verify.sh shows a wrong Signer information:

[ phaupt@cartel:~/AIS/shell ] $ rm myfile.p7s; ./ais-timestamp.sh myfile.txt SHA256 myfile.p7s; ./ais-verify.sh -v myfile.txt myfile.p7s
OK on myfile.p7s with following details:
 Signer       : subject= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
                issuer= C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 2
                validity= notBefore=Jun 24 08:38:14 2011 GMT notAfter=Jun 25 07:38:14 2031 GMT
                OCSP check= No OCSP information found in the signers certificate
 Embedded OCSP: No
 Embedded TSA : No

The reason is related to a misorder in the certificate chain of the timestamp response. Currently, level1 and level2 are swapped:

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level0.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level1.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Service/CN=Swisscom TSA 3

$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -issuer
issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2
$ openssl x509 -noout -in /tmp/_tmp.xKWIVS.certs.level2.pem -subject
subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2

This will be fixed on Swisscom AIS side. It shall always provide a correct order of the certificate chain in all responses.
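Until the service side is fixed, a verifier can refuse to trust level numbering and instead rebuild the chain from the issuer/subject links itself. The following is an added example, not code from the ais-verify.sh project: it takes the `openssl x509 -noout -subject -issuer` output quoted above (constructed here as string pairs, level1 and level2 swapped exactly as in the issue), orders the certificates leaf-first, and reports the end-entity certificate as the signer, raising an error on a broken or ambiguous chain.

```python
# Constructed sample, copied from the openssl output quoted in the issue:
# the three certificate levels extracted from the timestamp response, with
# level1 and level2 in the swapped order the script currently receives.
SAMPLE_LEVELS = {
    "level0": ("subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2",
               "issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2"),
    "level1": ("subject= /C=ch/O=Swisscom/OU=Digital Certificate Service/CN=Swisscom TSA 3",
               "issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2"),
    "level2": ("subject= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom TSS CA 2",
               "issuer= /C=ch/O=Swisscom/OU=Digital Certificate Services/CN=Swisscom Root CA 2"),
}

def parse_dn(line):
    """Strip the 'subject= ' / 'issuer= ' prefix that openssl x509 -noout prints."""
    return line.split("=", 1)[1].strip()

def order_chain(levels):
    """Order certificate levels leaf-first by linking each issuer DN to the
    certificate whose subject DN matches, ignoring the level numbering.
    Returns the list of level names; raises ValueError for a broken chain."""
    dns = {lvl: (parse_dn(subj), parse_dn(iss)) for lvl, (subj, iss) in levels.items()}
    # A DN that issues some *other* certificate cannot be the end-entity signer.
    issuers = {iss for subj, iss in dns.values() if subj != iss}
    leaves = [lvl for lvl, (subj, _) in dns.items() if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity cert, found %d" % len(leaves))
    chain = [leaves[0]]
    while len(chain) <= len(dns):
        subj, iss = dns[chain[-1]]
        if subj == iss:          # self-signed root terminates the chain
            return chain
        parents = [lvl for lvl, (s, _) in dns.items() if s == iss]
        if not parents:
            raise ValueError("broken chain: no certificate with subject " + iss)
        chain.append(parents[0])
    raise ValueError("certificate chain contains a cycle")

def signer_subject(levels):
    """The DN the verifier should report as Signer: the leaf, not level0."""
    return parse_dn(levels[order_chain(levels)[0]][0])

if __name__ == "__main__":
    print("ordered:", order_chain(SAMPLE_LEVELS))
    print("signer :", signer_subject(SAMPLE_LEVELS))
```

On the sample this yields the order level1, level2, level0 and reports Swisscom TSA 3 as the signer instead of the root CA.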

Separate embedded OCSP checks

As there are several embedded OCSP options in the response based on the OIDs, the verify script should explicitly display the details

OptionalInputs can not be set when using directly the WSDL file

When using the aisService.wsdl over PHP SoapClient the OptionalInputs are not taken into consideration

See implementation at https://github.com/FreddyKaiser/_dev_/tree/master/php-ais
Params passed to the `__soapCall($request, array('parameters' => $params));`

        $request = 'Sign';
        $params = array(
            'SignRequest' => array(
                'RequestID' => $this->__createTransID(),
                'Profile' => 'http://ais.swisscom.ch/1.0',
                'OptionalInputs' => array(
                    'ClaimedIdentity' => array(
                        'Name' => $this->customerID
                    ),
                    'SignatureType' => 'urn:ietf:rfc:3369',
                    'AddTimestamp' => array('Type' => 'urn:ietf:rfc:3161'),
                    'AddRevocationInformation' => array('Type' => 'BOTH')
                ),
                'InputDocuments' => array(
                    'DocumentHash' => array(
                        'DigestMethod' => array('Algorithm' => $digestMethod),
                        'DigestValue' => $digestValue
                     )
                )
            )
        );

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="urn:oasis:names:tc:dss:1.0:core:schema" xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" xmlns:ns3="http://service.ais.swisscom.com/">
  <env:Body>
    <ns3:sign>
      <ns1:SignRequest RequestID="AIS.PHP.41144.5262" Profile="http://ais.swisscom.ch/1.0">
        <ns1:OptionalInputs/>
        <ns1:InputDocuments>
          <ns1:DocumentHash>
            <ns2:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ns2:DigestValue>QkZCLzFZUnNQb00wVnZRYU4vRzNZMWRRUHRWYkljQUR0ODRZb1JOT012cz0=</ns2:DigestValue>
          </ns1:DocumentHash>
        </ns1:InputDocuments>
      </ns1:SignRequest>
    </ns3:sign>
  </env:Body>
</env:Envelope>

iText help text glitches (minor)

iText help text shows:

Usage: swisscom.com.ais.itext.SignPDF [OPTIONS]

Options:
  -v                - set verbose output
  -d                - set debug mode
  -config=VALUE     - custom path to properties file which will overwrite default path
  -type=VALUE       - signature type, values: timestamp, sign
  -infile=VALUE     - source PDF file to be signed
  -outfile=VALUE    - target PDF file that will be signed
  -reason=VALUE     - signing reason
  -location=VALUE   - signing location
  -contact=VALUE    - signing contact
  -dn=VALUE         - distinguished name for OnDemand certificate signing
  -msisdn=VALUE     - Mobile ID step up MSISDN (requires -dn -msg -lang)
  -msg=VALUE        - Mobile ID step up message (requires -dn -msg -lang)
  -lang=VALUE       - Mobile ID step up language, values: en, de, fr, it (requires -dn -msg -lang)

Examples:
  java swisscom.com.ais.itext.SignPDF -v -type=timestamp -infile=sample.pdf -outfile=signed.pdf
  java swisscom.com.ais.itext.SignPDF -v -config=/tmp/signpdf.properties -type=sign -infile=sample.pdf -outfile=signed.pdf -reason=Approved -location=CH [email protected]
  java swisscom.com.ais.itext.SignPDF -v -type=sign -infile=sample.pdf -outfile=signed.pdf -dn='cn=Hans Muster,o=ACME,c=CH'
  java swisscom.com.ais.itext.SignPDF -v -type=sign -infile=sample.pdf -outfile=signed.pdf -dn='cn=Hans Muster,o=ACME,c=CH' -msisdn=41792080350 -msg='service.com: Sign?' -lang=en

Mobile ID step up related help text should be:

  -msisdn=VALUE     - Mobile ID step up MSISDN (requires -dn -msg -lang)
  -msg=VALUE        - Mobile ID step up message (requires -dn -msisdn -lang)
  -lang=VALUE       - Mobile ID step up language, values: en, de, fr, it (requires -dn -msisdn -msg)

iText: Adding RI to the DSS may break certification signature

Revocation information (RI) shouldn't be added to the DSS in case the AIS has already embedded RI in the signature, e.g. in case of static or ondemand signatures.

Currently iText does always add RI, in every case, causing the document to be altered. It'll break the signature in case of certification signatures.
