diff --git a/CHANGELOG.md b/CHANGELOG.md
index a0cbe15..d86a431 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,20 @@
+
+## 1.17.0 (10-04-2024)
+
+### Novità: 2
+- [#31808](https://parermine.regione.emilia-romagna.it/issues/31808) Rilassamento vincoli con verifica OCSP e data certificato antecedenete a quella del responder
+- [#31709](https://parermine.regione.emilia-romagna.it/issues/31709) Gestione migliorata sorgenti revoche (cache / online)
+
## 1.16.0 (14-03-2024)
### Novità: 1
- [#31419](https://parermine.regione.emilia-romagna.it/issues/31419) Attivazione statistiche per monitoraggio con prometheus
+## 1.15.1 (16-02-2024)
+
+### Bugfix: 1
+- [#31275](https://parermine.regione.emilia-romagna.it/issues/31275) Correzione errore PKI su https://elektroninisparasas.lt/LT-TSL.xml
+
## 1.15.0 (29-01-2024)
### Novità: 2
diff --git a/CONTAINER-SCAN-REPORT.md b/CONTAINER-SCAN-REPORT.md
index dc16c7d..898bd92 100644
--- a/CONTAINER-SCAN-REPORT.md
+++ b/CONTAINER-SCAN-REPORT.md
@@ -1,7 +1,8 @@
## Container scan evidence CVE
Image name: registry.ente.regione.emr.it/parer/okd/verifica-firma-eidas:sast
-
Run date: Mon Jan 29 12:20:03 CET 2024
-
Produced by: Job
-
CVE founded: 0
+
Run date: Wed Apr 10 16:45:14 CEST 2024
+
Produced by: Job
+
CVE founded: 1
| CVE | Description | Severity | Solution |
|:---:|:---|:---:|:---|
+| [CVE-2024-28182](https://access.redhat.com/security/cve/CVE-2024-28182)|A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service.|High|No solution provided|
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
index 683c678..06ec5e5 100644
--- a/RELEASE-NOTES.md
+++ b/RELEASE-NOTES.md
@@ -1,4 +1,5 @@
-## 1.16.0 (14-03-2024)
+## 1.17.0 (10-04-2024)
-### Novità: 1
-- [#31419](https://parermine.regione.emilia-romagna.it/issues/31419) Attivazione statistiche per monitoraggio con prometheus
+### Novità: 2
+- [#31808](https://parermine.regione.emilia-romagna.it/issues/31808) Rilassamento vincoli con verifica OCSP e data certificato antecedenete a quella del responder
+- [#31709](https://parermine.regione.emilia-romagna.it/issues/31709) Gestione migliorata sorgenti revoche (cache / online)
diff --git a/pdfdocs/CHANGELOG.pdf b/pdfdocs/CHANGELOG.pdf
new file mode 100644
index 0000000..1bd94f0
Binary files /dev/null and b/pdfdocs/CHANGELOG.pdf differ
diff --git a/pdfdocs/RELEASE-NOTES.pdf b/pdfdocs/RELEASE-NOTES.pdf
new file mode 100644
index 0000000..1f4e129
Binary files /dev/null and b/pdfdocs/RELEASE-NOTES.pdf differ
diff --git a/pom.xml b/pom.xml
index 8b0b0b5..e8702d8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@
4.0.0
verifica-firma-eidas
- 1.16.1-SNAPSHOT
+ 1.17.1-SNAPSHOT
${packaging.type}
Verifica Firma EIDAS
Progetto per effettuare firme e validazioni con librerie DSS (EIDAS)
diff --git a/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java b/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java
index ab48aa5..9e586ff 100644
--- a/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java
+++ b/src/main/java/it/eng/parer/eidas/web/config/DSSBeanConfig.java
@@ -20,9 +20,11 @@
import java.io.File;
import java.io.IOException;
import java.security.KeyStore.PasswordProtection;
+import java.sql.SQLException;
import javax.sql.DataSource;
+import org.apache.commons.lang3.StringUtils;
import org.apache.hc.client5.http.ssl.TrustAllStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -61,6 +63,8 @@
import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
import eu.europa.esig.dss.spi.x509.aia.AIASource;
import eu.europa.esig.dss.spi.x509.aia.DefaultAIASource;
+import eu.europa.esig.dss.spi.x509.revocation.crl.CRLSource;
+import eu.europa.esig.dss.spi.x509.revocation.ocsp.OCSPSource;
import eu.europa.esig.dss.spi.x509.tsp.TSPSource;
import eu.europa.esig.dss.token.KeyStoreSignatureTokenConnection;
import eu.europa.esig.dss.tsl.function.OfficialJournalSchemeInformationURI;
@@ -122,7 +126,8 @@ public class DSSBeanConfig {
@Value("${current.oj.url}")
private String currentOjUrl;
- @Autowired
+ /* custom DataSource possibile null in case DB is disable by configuration */
+ @Autowired(required = false)
private DataSource dataSource;
@Autowired(required = false)
@@ -144,28 +149,46 @@ public class DSSBeanConfig {
@Value("${cache.ocsp.max.next.update:0}")
private long ocspMaxNextUpdate;
+ /* from 5.13 */
+ @Value("${cache.expiration:0}")
+ private long cacheExpiration;
+
/* custom */
- @Value("${revoke.data.loading.strategy.crl-first.enabled:true}")
+ @Value("${revoke.data.loading.strategy.crl-first.enabled:false}")
private boolean revokeDataLoadingStratCrlFirst;
@Value("${revoke.removeExpired.enabled:true}")
private boolean revokeRemoveExpired;
- @Value("${dataloader.timeoutconnection:60000}")
+ /* in ms */
+ @Value("${dataloader.timeoutconnection:1200000}")
private int timeoutConnection;
- @Value("${dataloader.timeoutsocket:60000}")
+ /* in ms */
+ @Value("${dataloader.timeoutsocket:1200000}")
private int timeoutSocket;
- @Value("${dataloader.connectionsmaxtotal:20}")
+ @Value("${dataloader.connectionsmaxtotal:40}")
private int connectionsMaxTotal;
- @Value("${dataloader.connectionsmaxperroute:2}")
+ @Value("${dataloader.connectionsmaxperroute:4}")
private int connectionsMaxPerRoute;
- @Value("${dataloader.ldaptimeoutconnection:30000}")
+ /* in ms */
+ @Value("${dataloader.connectiontimetolive:1200000}")
+ private int connectionTimeToLive;
+
+ /* in ms */
+ @Value("${dataloader.ldaptimeoutconnection:1200000}")
private String ldapTimeoutConnection;
+ @Value("${cache.enabled:true}")
+ private boolean cacheEnabled;
+
+ // default empty
+ @Value("${cache.file.path:}")
+ private String cacheFilePath;
+
@Bean
public CommonsDataLoaderExt dataLoader() {
CommonsDataLoaderExt dataLoader = new CommonsDataLoaderExt();
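Review bot: The new defaults for `dataloader.timeoutconnection` and `dataloader.timeoutsocket` (1200000 ms, i.e. 20 minutes) mean a single unresponsive CRL distribution point or OCSP responder can hold a validation thread and a pooled connection for up to 20 minutes, and with `dataloader.connectionsmaxtotal:40` a handful of such endpoints could exhaust the pool; unless the calling side enforces its own deadline, a much shorter socket timeout with the long value reserved for `dataloader.connectiontimetolive` looks safer. `cacheExpiration` is the only field in this group expressed in seconds (it is multiplied by 1000 in `fileCacheDataLoader()`) while its neighbours carry `/* in ms */`, so a `/* in seconds, converted to ms in fileCacheDataLoader() */` comment would prevent a unit mix-up. `ldapTimeoutConnection` also stays a `String` holding a millisecond value, which the new `/* in ms */` comment does not explain; a short note that the DSS setter takes the value as a string would help the next reader.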
@@ -176,6 +199,7 @@ public CommonsDataLoaderExt dataLoader() {
dataLoader.setTimeoutSocket(timeoutSocket);
//
dataLoader.setConnectionsMaxPerRoute(connectionsMaxPerRoute);
+ dataLoader.setConnectionTimeToLive(connectionTimeToLive);
//
dataLoader.setLdapTimeoutConnection(ldapTimeoutConnection);
return dataLoader;
@@ -196,12 +220,22 @@ public OCSPDataLoaderExt ocspDataLoader() {
return ocspDataLoader;
}
+ /* from 5.13 */
@Bean
public FileCacheDataLoader fileCacheDataLoader() {
+ FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+ fileCacheDataLoader.setCacheExpirationTime(cacheExpiration * 1000); // to millis
+ return fileCacheDataLoader;
+ }
+
+ private FileCacheDataLoader initFileCacheDataLoader() {
FileCacheDataLoader fileCacheDataLoader = new FileCacheDataLoader();
fileCacheDataLoader.setDataLoader(dataLoader());
// Per default uses "java.io.tmpdir" property
// fileCacheDataLoader.setFileCacheDirectory(new File("/tmp"));
+ if (StringUtils.isNotBlank(cacheFilePath)) {
+ fileCacheDataLoader.setFileCacheDirectory(new File(cacheFilePath));
+ }
return fileCacheDataLoader;
}
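Review bot: `fileCacheDataLoader.setCacheExpirationTime(cacheExpiration * 1000)` passes 0 under the default `cache.expiration:0`, and the same value reaches the file cache in `defineCRLSource()` and `defineOCSPSource()` from `crlMaxNextUpdate`/`ocspMaxNextUpdate`, whose `// 0 (get new one every time)` comments describe the JDBC cache rather than `FileCacheDataLoader`; please confirm how DSS treats an expiration of 0 (refetch on every call versus never expiring), because in the latter case the default configuration would keep revocation data on disk indefinitely. If, as I understand it, the file cache keys entries on the URL only, a cached CRL or OCSP response is also served until the expiration elapses regardless of its own nextUpdate, unlike `JdbcCacheCRLSource` which honours `setMaxNextUpdateDelay`; that difference deserves a comment on `initFileCacheDataLoader()`. Since `initFileCacheDataLoader()` builds a fresh loader per call while `fileCacheDataLoader()` is a singleton bean, a one-line Javadoc such as `/** Factory for per-source file caches; each caller sets its own expiration. */` would make the intent clear.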
@@ -213,55 +247,136 @@ public OnlineCRLSource onlineCRLSource() {
}
/*
- * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
- * non si vuole dropparle non appena il processo viene interrotto
+ * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+ * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+ * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+ *
+ * Visit
+ * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+ * config/DSSBeanConfig.java
+ *
*/
// @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
- @Bean(initMethod = "initTable")
- public JdbcCacheCRLSource cachedCRLSource() {
- JdbcCacheCRLSource jdbcCacheCRLSource = new JdbcCacheCRLSource();
- jdbcCacheCRLSource.setJdbcCacheConnector(jdbcCacheConnector());
- jdbcCacheCRLSource.setProxySource(onlineCRLSource());
- jdbcCacheCRLSource.setDefaultNextUpdateDelay(crlDefaultNextUpdate); // 0 (get new one every time)
- jdbcCacheCRLSource.setMaxNextUpdateDelay(crlMaxNextUpdate); // 0 (get new one every time)
- // default = true
- // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
- jdbcCacheCRLSource.setRemoveExpired(revokeRemoveExpired);
- return jdbcCacheCRLSource;
+ @Bean
+ public CRLSource defineCRLSource() {
+ if (cacheEnabled) {
+ if (dataSource != null) {
+ JdbcCacheCRLSource jdbcCacheCRLSource = new JdbcCacheCRLSource();
+ jdbcCacheCRLSource.setJdbcCacheConnector(jdbcCacheConnector());
+ jdbcCacheCRLSource.setProxySource(onlineCRLSource());
+ jdbcCacheCRLSource.setDefaultNextUpdateDelay(crlDefaultNextUpdate); // 0 (get new one every time)
+ jdbcCacheCRLSource.setMaxNextUpdateDelay(crlMaxNextUpdate); // 0 (get new one every time)
+ // default = true
+ // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
+ jdbcCacheCRLSource.setRemoveExpired(revokeRemoveExpired);
+ // create table if not exits
+ try {
+ jdbcCacheCRLSource.initTable();
+ } catch (SQLException e) {
+ throw new DSSException("Errore inizializzazione CRL JDBC cache", e);
+ }
+ return jdbcCacheCRLSource;
+ }
+ OnlineCRLSource onlineCRLSource = onlineCRLSource();
+ FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+ fileCacheDataLoader.setCacheExpirationTime(crlMaxNextUpdate * 1000); // to millis
+ onlineCRLSource.setDataLoader(fileCacheDataLoader);
+ return onlineCRLSource;
+ } else {
+ return onlineCRLSource();
+ }
+
}
@Bean
- public OnlineOCSPSource onlineOcspSource() {
+ public OnlineOCSPSource onlineOCSPSource() {
OnlineOCSPSource onlineOCSPSource = new OnlineOCSPSource();
onlineOCSPSource.setDataLoader(ocspDataLoader());
return onlineOCSPSource;
}
/*
- * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
- * non si vuole dropparle non appena il processo viene interrotto
+ * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+ * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+ * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+ *
+ * Visit
+ * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+ * config/DSSBeanConfig.java
+ *
+ *
+ */
+ // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
+ @Bean
+ public OCSPSource defineOCSPSource() {
+ if (cacheEnabled) {
+ if (dataSource != null) {
+ JdbcCacheOCSPSource jdbcCacheOCSPSource = new JdbcCacheOCSPSource();
+ jdbcCacheOCSPSource.setJdbcCacheConnector(jdbcCacheConnector());
+ jdbcCacheOCSPSource.setProxySource(onlineOCSPSource());
+ jdbcCacheOCSPSource.setDefaultNextUpdateDelay(ocspDefaultNextUpdate); // 0 (get new one every time)
+ jdbcCacheOCSPSource.setMaxNextUpdateDelay(ocspMaxNextUpdate); // 0 (get new one every time)
+ // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
+ jdbcCacheOCSPSource.setRemoveExpired(revokeRemoveExpired);
+ try {
+ jdbcCacheOCSPSource.initTable();
+ } catch (SQLException e) {
+ throw new DSSException("Errore inizializzazione OCSP JDBC cache", e);
+ }
+ return jdbcCacheOCSPSource;
+ }
+ OnlineOCSPSource onlineOCSPSource = onlineOCSPSource();
+ FileCacheDataLoader fileCacheDataLoader = initFileCacheDataLoader();
+ fileCacheDataLoader.setDataLoader(ocspDataLoader());
+ fileCacheDataLoader.setCacheExpirationTime(ocspMaxNextUpdate * 1000); // to millis
+ onlineOCSPSource.setDataLoader(fileCacheDataLoader);
+ return onlineOCSPSource;
+ } else {
+ return onlineOCSPSource();
+ }
+ }
+
+ /*
+ * initMethod = "initTable" esecuzione CREATE table gestita in fase di creazione del bean gestione logica doppio
+ * "source" JDBC vs FILE destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che
+ * vengano create le tabelle ma non si vuole dropparle non appena il processo viene interrotto
+ *
+ *
+ * Visit
+ * https://github.com/esig/dss-demonstrations/blob/master/dss-demo-webapp/src/main/java/eu/europa/esig/dss/web/
+ * config/DSSBeanConfig.java
+ *
*/
- /* from 5.6 */
// @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
- @Bean(initMethod = "initTable")
- public JdbcCacheOCSPSource cachedOCSPSource() {
- JdbcCacheOCSPSource jdbcCacheOCSPSource = new JdbcCacheOCSPSource();
- jdbcCacheOCSPSource.setJdbcCacheConnector(jdbcCacheConnector());
- jdbcCacheOCSPSource.setProxySource(onlineOcspSource());
- jdbcCacheOCSPSource.setDefaultNextUpdateDelay(ocspDefaultNextUpdate); // 0 (get new one every time)
- jdbcCacheOCSPSource.setMaxNextUpdateDelay(ocspMaxNextUpdate); // 0 (get new one every time)
- // questo permette di mantenere il dato su DB aggiornandolo se risulta *expired*
- jdbcCacheOCSPSource.setRemoveExpired(revokeRemoveExpired);
- return jdbcCacheOCSPSource;
+ @Bean
+ public AIASource defineAIASource() {
+ if (cacheEnabled) {
+ if (dataSource != null) {
+ JdbcCacheAIASource jdbcCacheAIASource = new JdbcCacheAIASource();
+ jdbcCacheAIASource.setJdbcCacheConnector(jdbcCacheConnector());
+ jdbcCacheAIASource.setProxySource(onlineAIASource());
+ return jdbcCacheAIASource;
+ }
+ FileCacheDataLoader fileCacheDataLoader = fileCacheDataLoader();
+ return new DefaultAIASource(fileCacheDataLoader);
+ } else {
+ return onlineAIASource();
+ }
+ }
+
+ @Bean
+ public AIASource onlineAIASource() {
+ return new DefaultAIASource(dataLoader());
}
/* from 5.8 */
@Bean
public CertificateVerifier certificateVerifier() {
CommonCertificateVerifier certificateVerifier = new CommonCertificateVerifier();
- certificateVerifier.setCrlSource(cachedCRLSource());
- certificateVerifier.setOcspSource(cachedOCSPSource());
- certificateVerifier.setAIASource(cachedAIASource());
+ /* manage source */
+ certificateVerifier.setCrlSource(defineCRLSource());
+ certificateVerifier.setOcspSource(defineOCSPSource());
+ certificateVerifier.setAIASource(defineAIASource());
certificateVerifier.setTrustedCertSources(trustedListSource());
// Default configs
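Review bot: In the file-cache branch of `defineCRLSource()` the line `onlineCRLSource.setDataLoader(fileCacheDataLoader)` mutates the object returned by the `onlineCRLSource()` `@Bean` method, and `defineOCSPSource()` does the same with `onlineOCSPSource()`; assuming this class is a proxied `@Configuration`, that is the singleton bean, so the beans published under those names silently stop being purely online sources for any other injection point. Building a private instance instead, `OnlineCRLSource onlineCRLSource = new OnlineCRLSource();` and `OnlineOCSPSource onlineOCSPSource = new OnlineOCSPSource();` before the `setDataLoader(...)` call, keeps the online beans untouched. The three `define*Source()` beans also lack Javadoc stating the selection order — JDBC cache when a DataSource is present, file cache otherwise, plain online source when `cache.enabled=false` — and `defineAIASource()` reuses the shared `fileCacheDataLoader()` bean (expiring after `cache.expiration`) whereas CRL and OCSP get a dedicated loader with their own expiration, so the comment should say whether that asymmetry is intended. Replacing the `if (cacheEnabled) { if (dataSource != null) {` nesting with a guard `if (!cacheEnabled) { return onlineCRLSource(); }` at the top of each method would flatten them.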
@@ -471,25 +586,6 @@ public SSLCertificateLoader sslCertificateLoader() {
return sslCertificateLoader;
}
- /*
- * destroyMethod = "destroyTable" = esecuzione DROP TABLE non desisedarata corretto che vengano create le tabelle ma
- * non si vuole dropparle non appena il processo viene interrotto
- */
- /* from 5.10.1 */
- // @Bean(initMethod = "initTable", destroyMethod = "destroyTable")
- @Bean(initMethod = "initTable")
- public JdbcCacheAIASource cachedAIASource() {
- JdbcCacheAIASource jdbcCacheAIASource = new JdbcCacheAIASource();
- jdbcCacheAIASource.setJdbcCacheConnector(jdbcCacheConnector());
- jdbcCacheAIASource.setProxySource(onlineAIASource());
- return jdbcCacheAIASource;
- }
-
- @Bean
- public AIASource onlineAIASource() {
- return new DefaultAIASource(dataLoader());
- }
-
@Bean
public JdbcCacheConnector jdbcCacheConnector() {
return new JdbcCacheConnector(dataSource);
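Review bot: `jdbcCacheConnector()` still does `new JdbcCacheConnector(dataSource)` unconditionally although `dataSource` is now `@Autowired(required = false)` and may be null when the DB is disabled; Spring instantiates this `@Bean` at startup regardless of `cache.enabled`, so a connector wrapping a null DataSource is published and any consumer other than the `define*Source()` methods (which check `dataSource != null` first) would fail on first use with an NPE far from the cause — I have not verified whether the DSS constructor itself rejects null. Either make the bean conditional on a DataSource being present (for example `@ConditionalOnBean(DataSource.class)` if this project runs on Spring Boot) or at least document the contract: `/* valid only when a DataSource is configured; define*Source() beans check dataSource != null before calling this */`. The method's closing brace lies outside the hunk.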
diff --git a/src/main/resources/policy/custom_constraint.xml b/src/main/resources/policy/custom_constraint.xml
index ad01b75..0c7cfe8 100644
--- a/src/main/resources/policy/custom_constraint.xml
+++ b/src/main/resources/policy/custom_constraint.xml
@@ -105,7 +105,7 @@
-
+