Signature validation

.github/CODEOWNERS

@@ -5,3 +5,4 @@
 /mvnw @slovensko-digital/autogram-release-team
 /mvnw.cmd @slovensko-digital/autogram-release-team
 /.mvn @slovensko-digital/autogram-release-team
+/src/main/resources/digital/slovensko/autogram/core/lotlKeyStore.p12 @slovensko-digital/autogram-release-team

.github/ISSUE_TEMPLATE/release-checklist.md

@@ -11,21 +11,30 @@ labels: release
 - [ ] funguje spustenie v GUI móde
 - [ ] funguje URL handler [autogram://go](autogram://go)
 - [ ] funguje GUI otvoriť jeden súbor, ten sa zobrazí, viem ho podpísať, vytvorí sa podpísaný súbor
-- [ ]  funguje CLI `autogram --help`
+- [ ] podpísaný súbor otvorím v autograme a pod náhľadom dokumentu je zobrazený môj podpis
+- [ ] kliknem na "Zobraziť detail podpisov" a otvorí sa detail podpisov
+- [ ] kliknem na "Zobraziť technické detaily" a otvorí sa report
+- [ ] funguje CLI `autogram --help`
 
 ## Linux
 - [ ] funguje inštalácia na Linux (Debian-based) cez stiahnutý .deb
 - [ ] funguje inštalácia na Linux cez stiahnutý .rpm
 - [ ] funguje spustenie v GUI móde
 - [ ] funguje URL handler [autogram://go](autogram://go)
 - [ ] funguje GUI otvoriť jeden súbor, ten sa zobrazí, viem ho podpísať, vytvorí sa podpísaný súbor
-- [ ]  funguje CLI `autogram --help`
+- [ ] podpísaný súbor otvorím v autograme a pod náhľadom dokumentu je zobrazený môj podpis
+- [ ] kliknem na "Zobraziť detail podpisov" a otvorí sa detail podpisov
+- [ ] kliknem na "Zobraziť technické detaily" a otvorí sa report
+- [ ] funguje CLI `autogram --help`
 
 ## MacOS
 - [ ] funguje inštalácia na MacOS cez stiahnutý .pkg
 - [ ] funguje spustenie v GUI móde
 - [ ] funguje URL handler [autogram://go](autogram://go)
 - [ ] funguje GUI otvoriť jeden súbor, ten sa zobrazí, viem ho podpísať, vytvorí sa podpísaný súbor
+- [ ] podpísaný súbor otvorím v autograme a pod náhľadom dokumentu je zobrazený môj podpis
+- [ ] kliknem na "Zobraziť detail podpisov" a otvorí sa detail podpisov
+- [ ] kliknem na "Zobraziť technické detaily" a otvorí sa report
 - [ ] funguje CLI `/Applications/Autogram.app/Contents/MacOS/AutogramApp --help`
 
 
@@ -39,4 +48,4 @@ labels: release
 - [ ] funguje API info request
 - [ ] funguje API docs request
 - [ ] funguje API sign request
-- [ ] funguje s [extension](https://github.com/slovensko-digital/autogram-extension)
+- [ ] funguje s [extension](https://github.com/slovensko-digital/autogram-extension)

.gitignore

@@ -25,4 +25,6 @@ whitelabel.iml
 .java-version
 secret
 
-/fakeTokenDriver
+.autogram
+
+/fakeTokenDriver

README.md

@@ -1,6 +1,6 @@
 # Autogram
 
-Autogram je multi-platformová (Windows, MacOS, Linux) desktopová JavaFX aplikácia, ktorá slúži na podpisovanie dokumentov v súlade s európskym nariadením eIDAS. Používateľ ňou môže podpisovať súbory priamo alebo je možné aplikáciu jednoducho zaintegrovať do vlastného (webového) informačného systému pomocou HTTP API. Podpisovanie je možné spúšať aj z príkazového riadku, čo je vhodné pre hromadné podpisovanie veľkého množstva súborov naraz.
+Autogram je multi-platformová (Windows, MacOS, Linux) desktopová JavaFX aplikácia, ktorá slúži na podpisovanie a overovanie dokumentov v súlade s európskym nariadením eIDAS. Používateľ ňou môže podpisovať súbory priamo alebo je možné aplikáciu jednoducho zaintegrovať do vlastného (webového) informačného systému pomocou HTTP API. Podpisovanie je možné spúšať aj z príkazového riadku, čo je vhodné pre hromadné podpisovanie veľkého množstva súborov naraz.
 
 **Inštalačné balíky pre Windows, MacOS a Linux sú dostupné v časti [Releases](https://github.com/slovensko-digital/autogram/releases).** Na použitie na existujúcich štátnych weboch bude potrebné doinštalovať aj [rozšírenie do prehliadača](https://github.com/slovensko-digital/autogram-extension#readme).
 

src/main/java/digital/slovensko/autogram/core/Autogram.java

@@ -14,6 +14,8 @@
 import eu.europa.esig.dss.pdfa.PDFAStructureValidator;
 
 import java.io.File;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.ScheduledExecutorService;
 import java.util.function.Consumer;
 
 public class Autogram {
@@ -42,7 +44,23 @@ public Autogram(UI ui, DriverDetector driverDetector, Integer slotId) {
     }
 
     public void sign(SigningJob job) {
-        ui.onUIThreadDo(() -> ui.startSigning(job, this));
+        ui.onUIThreadDo(()
+        -> ui.startSigning(job, this));
+    }
+
+    public void checkAndValidateSignatures(SigningJob job) {
+        checkSignatures(job);
+
+        var reports = SignatureValidator.getInstance().getSignatureValidationReport(job);
+        if (!reports.haveSignatures())
+            return;
+
+        ui.onUIThreadDo(() -> ui.onSignatureValidationCompleted(reports));
+    }
+
+    private void checkSignatures(SigningJob job) {
+        var reports = SignatureValidator.getSignatureCheckReport(job);
+        ui.onUIThreadDo(() -> ui.onSignatureCheckCompleted(reports));
     }
 
     public void checkPDFACompliance(SigningJob job) {
@@ -189,4 +207,13 @@ public void onDocumentBatchSaved(BatchUiResult result) {
     public void onSigningFailed(AutogramException e) {
         ui.onUIThreadDo(() -> ui.onSigningFailed(e));
     }
+
+    public void initializeSignatureValidator(ScheduledExecutorService scheduledExecutorService, ExecutorService cachedExecutorService) {
+        ui.onWorkThreadDo(() -> {
+            SignatureValidator.getInstance().initialize(cachedExecutorService);
+        });
+
+        scheduledExecutorService.scheduleAtFixedRate(() -> SignatureValidator.getInstance().refresh(),
+            480, 480, java.util.concurrent.TimeUnit.MINUTES);
+    }
 }

src/main/java/digital/slovensko/autogram/core/SignatureValidator.java

@@ -0,0 +1,178 @@
+package digital.slovensko.autogram.core;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.file.Path;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.concurrent.ExecutorService;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import eu.europa.esig.dss.model.DSSException;
+import eu.europa.esig.dss.service.crl.OnlineCRLSource;
+import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
+import eu.europa.esig.dss.service.http.commons.FileCacheDataLoader;
+import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
+import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
+import eu.europa.esig.dss.spi.x509.CertificateSource;
+import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
+import eu.europa.esig.dss.tsl.function.OfficialJournalSchemeInformationURI;
+import eu.europa.esig.dss.tsl.function.TLPredicateFactory;
+import eu.europa.esig.dss.tsl.job.TLValidationJob;
+import eu.europa.esig.dss.tsl.source.LOTLSource;
+import eu.europa.esig.dss.tsl.sync.ExpirationAndSignatureCheckStrategy;
+import eu.europa.esig.dss.validation.CertificateVerifier;
+import eu.europa.esig.dss.validation.CommonCertificateVerifier;
+import eu.europa.esig.dss.validation.SignedDocumentValidator;
+import eu.europa.esig.dss.validation.reports.Reports;
+
+import static digital.slovensko.autogram.util.DSSUtils.*;
+
+public class SignatureValidator {
+    private static final String LOTL_URL = "https://ec.europa.eu/tools/lotl/eu-lotl.xml";
+    private static final String OJ_URL = "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG";
+    private CertificateVerifier verifier;
+    private TLValidationJob validationJob;
+    private static Logger logger = LoggerFactory.getLogger(SignatureValidator.class);
+
+    // Singleton
+    private static SignatureValidator instance;
+
+    private SignatureValidator() {
+    }
+
+    public synchronized static SignatureValidator getInstance() {
+        if (instance == null)
+            instance = new SignatureValidator();
+
+        return instance;
+    }
+
+    public synchronized Reports validate(SignedDocumentValidator docValidator) {
+        docValidator.setCertificateVerifier(verifier);
+
+        // TODO: do not print stack trace inside DSS
+        return docValidator.validateDocument();
+    }
+
+    public synchronized void refresh() {
+        validationJob.offlineRefresh();
+    }
+
+    public synchronized void initialize(ExecutorService executorService) {
+        SimpleDateFormat formatter = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
+        logger.debug("Initializing signature validator at {}", formatter.format(new Date()));
+
+        validationJob = new TLValidationJob();
+
+        var lotlSource = new LOTLSource();
+        lotlSource.setCertificateSource(getJournalCertificateSource());
+        lotlSource.setSigningCertificatesAnnouncementPredicate(new OfficialJournalSchemeInformationURI(OJ_URL));
+        lotlSource.setUrl(LOTL_URL);
+        lotlSource.setPivotSupport(true);
+        lotlSource.setTlPredicate(TLPredicateFactory.createEUTLCountryCodePredicate("SK", "CZ", "AT", "HU", "PL"));
+
+        var targetLocation = Path.of(System.getProperty("user.dir"), ".autogram", "cache", "certs").toFile();
+        targetLocation.mkdirs();
+
+        var offlineFileLoader = new FileCacheDataLoader();
+        offlineFileLoader.setCacheExpirationTime(21600000);
+        offlineFileLoader.setDataLoader(new CommonsDataLoader());
+        offlineFileLoader.setFileCacheDirectory(targetLocation);
+        validationJob.setOfflineDataLoader(offlineFileLoader);
+
+        var onlineFileLoader = new FileCacheDataLoader();
+        onlineFileLoader.setCacheExpirationTime(0);
+        onlineFileLoader.setDataLoader(new CommonsDataLoader());
+        onlineFileLoader.setFileCacheDirectory(targetLocation);
+        validationJob.setOnlineDataLoader(onlineFileLoader);
+
+        var trustedListCertificateSource = new TrustedListsCertificateSource();
+        validationJob.setTrustedListCertificateSource(trustedListCertificateSource);
+        validationJob.setListOfTrustedListSources(lotlSource);
+        validationJob.setSynchronizationStrategy(new ExpirationAndSignatureCheckStrategy());
+        validationJob.setExecutorService(executorService);
+        validationJob.setDebug(false);
+
+        logger.debug("Starting signature validator offline refresh");
+        validationJob.offlineRefresh();
+
+        verifier = new CommonCertificateVerifier();
+        verifier.setTrustedCertSources(trustedListCertificateSource);
+        verifier.setCrlSource(new OnlineCRLSource());
+        verifier.setOcspSource(new OnlineOCSPSource());
+
+        logger.debug("Signature validator initialized at {}", formatter.format(new Date()));
+    }
+
+    private CertificateSource getJournalCertificateSource() throws AssertionError {
+        try {
+            var keystore = getClass().getResourceAsStream("lotlKeyStore.p12");
+            return new KeyStoreCertificateSource(keystore, "PKCS12", "dss-password");
+
+        } catch (DSSException | NullPointerException e) {
+            throw new AssertionError("Cannot load LOTL keystore", e);
+        }
+    }
+
+    public synchronized ValidationReports getSignatureValidationReport(SigningJob job) {
+        var documentValidator = createDocumentValidator(job.getDocument());
+        if (documentValidator == null)
+            return new ValidationReports(null, job);
+
+        return new ValidationReports(validate(documentValidator), job);
+    }
+
+    public static String getSignatureValidationReportHTML(Reports signatureValidationReport) {
+        var builderFactory = DocumentBuilderFactory.newInstance();
+        builderFactory.setNamespaceAware(true);
+
+        try {
+            var document = builderFactory.newDocumentBuilder().parse(new InputSource(new StringReader(signatureValidationReport.getXmlSimpleReport())));
+            var xmlSource = new DOMSource(document);
+
+            var xsltFile = SignatureValidator.class.getResourceAsStream("simple-report-bootstrap4.xslt");
+            var xsltSource = new StreamSource(xsltFile);
+
+            var outputTarget = new StreamResult(new StringWriter());
+            var transformer = TransformerFactory.newInstance().newTransformer(xsltSource);
+            transformer.transform(xmlSource, outputTarget);
+
+            var r = outputTarget.getWriter().toString().trim();
+
+            var templateFile = SignatureValidator.class.getResourceAsStream("simple-report-template.html");
+            var templateString = new String(templateFile.readAllBytes());
+            return templateString.replace("{{content}}", r);
+
+        } catch (SAXException | IOException | ParserConfigurationException | TransformerException e) {
+            return "Error transforming validation report";
+        }
+    }
+
+    public static ValidationReports getSignatureCheckReport(SigningJob job) {
+        var validator = createDocumentValidator(job.getDocument());
+        if (validator == null)
+            return new ValidationReports(null, job);
+
+        validator.setCertificateVerifier(new CommonCertificateVerifier());
+        return new ValidationReports(validator.validateDocument(), job);
+    }
+
+    public synchronized boolean areTLsLoaded() {
+        // TODO: consider validation turned off as well
+        return validationJob.getSummary().getNumberOfProcessedTLs() > 0;
+    }
+}

src/main/java/digital/slovensko/autogram/core/ValidationReports.java

@@ -0,0 +1,25 @@
+package digital.slovensko.autogram.core;
+
+import eu.europa.esig.dss.validation.reports.Reports;
+
+public class ValidationReports {
+    private final Reports reports;
+    private final SigningJob signingJob;
+
+    public ValidationReports(Reports reports, SigningJob signingJob) {
+        this.reports = reports;
+        this.signingJob = signingJob;
+    }
+
+    public Reports getReports() {
+        return reports;
+    }
+
+    public SigningJob getSigningJob() {
+        return signingJob;
+    }
+
+    public boolean haveSignatures() {
+        return reports != null && reports.getSimpleReport().getSignaturesCount() > 0;
+    }
+}

src/main/java/digital/slovensko/autogram/server/AutogramServer.java

@@ -9,7 +9,6 @@
 import java.security.KeyStore;
 import java.util.List;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManagerFactory;
@@ -25,9 +24,10 @@ public class AutogramServer {
     private final HttpServer server;
     private final Autogram autogram;
 
-    public AutogramServer(Autogram autogram, String hostname, int port, boolean isHttps) {
+    public AutogramServer(Autogram autogram, String hostname, int port, boolean isHttps, ExecutorService executorService) {
         this.autogram = autogram;
         this.server = buildServer(hostname, port, isHttps);
+        this.server.setExecutor(executorService);
     }
 
     public void start() {
@@ -47,7 +47,6 @@ public void start() {
                 .add(new AutogramCorsFilter(List.of("POST", "DELETE")));
 
         // Start server
-        server.setExecutor(Executors.newCachedThreadPool());
         server.start();
     }
 

src/main/java/digital/slovensko/autogram/ui/UI.java

@@ -48,6 +48,10 @@ public interface UI {
 
     void onPDFAComplianceCheckFailed(SigningJob job);
 
+    public void onSignatureValidationCompleted(ValidationReports reports);
+
+    public void onSignatureCheckCompleted(ValidationReports reports);
+
     void showIgnorableExceptionDialog(IgnorableException exception);
 
     void showError(AutogramException exception);

src/main/java/digital/slovensko/autogram/ui/cli/CliUI.java

@@ -13,6 +13,7 @@
 import digital.slovensko.autogram.core.SigningJob;
 import digital.slovensko.autogram.core.SigningKey;
 import digital.slovensko.autogram.core.Updater;
+import digital.slovensko.autogram.core.ValidationReports;
 import digital.slovensko.autogram.core.errors.AutogramException;
 import digital.slovensko.autogram.core.errors.FunctionCanceledException;
 import digital.slovensko.autogram.core.errors.InitializationFailedException;
@@ -210,6 +211,15 @@ public void showVisualization(Visualization visualization, Autogram autogram) {
     }
 
     @Override
+    public void onSignatureValidationCompleted(ValidationReports reports) {
+
+    }
+
+    @Override
+    public void onSignatureCheckCompleted(ValidationReports reports) {
+
+    }
+
     public void showIgnorableExceptionDialog(IgnorableException exception) {
         throw exception;
     }

src/main/java/digital/slovensko/autogram/ui/gui/BatchDialogController.java

@@ -167,7 +167,7 @@ public void hideVisualization() {
     }
 
     public void disableKeyPicking() {
-        chooseKeyButton.setText("Načítavam certifikáty...");
+        chooseKeyButton.setText("Načítavam certifikáty…");
         chooseKeyButton.setDisable(true);
     }