Signature validation

.github/CODEOWNERS

@@ -5,3 +5,4 @@
 /mvnw @slovensko-digital/autogram-release-team
 /mvnw.cmd @slovensko-digital/autogram-release-team
 /.mvn @slovensko-digital/autogram-release-team
+/src/main/resources/digital/slovensko/autogram/core/lotlKeyStore.p12 @slovensko-digital/autogram-release-team

.gitignore

@@ -25,4 +25,6 @@ whitelabel.iml
 .java-version
 secret
 
-/fakeTokenDriver
+cache/
+
+/fakeTokenDriver

src/main/java/digital/slovensko/autogram/core/Autogram.java

@@ -13,6 +13,8 @@
 import eu.europa.esig.dss.pdfa.PDFAStructureValidator;
 
 import java.io.File;
+import java.util.Timer;
+import java.util.TimerTask;
 import java.util.function.Consumer;
 
 public class Autogram {
@@ -31,7 +33,23 @@ public Autogram(UI ui, DriverDetector driverDetector) {
     }
 
     public void sign(SigningJob job) {
-        ui.onUIThreadDo(() -> ui.startSigning(job, this));
+        ui.onUIThreadDo(()
+        -> ui.startSigning(job, this));
+    }
+
+    public void checkAndValidateSignatures(SigningJob job) {
+        ui.onWorkThreadDo(() -> checkSignatures(job));
+
+        if (!SignatureValidator.hasSignatures(job.getDocument()))
+            return;
+
+        var reports = SignatureValidator.getInstance().getSignatureValidationReport(job.getDocument());
+        ui.onUIThreadDo(() -> ui.onSignatureValidationCompleted(new ValidationReportsWrapper(reports, job)));
+    }
+
+    private void checkSignatures(SigningJob job) {
+        var reports = SignatureValidator.getSignatureCheckReport(job.getDocument());
+        ui.onUIThreadDo(() -> ui.onSignatureCheckCompleted(new ValidationReportsWrapper(reports, job)));
     }
 
     public void checkPDFACompliance(SigningJob job) {
@@ -77,7 +95,7 @@ public void sign(SigningJob job, SigningKey signingKey) {
 
     /**
      * Starts a batch - ask user - get signing key - start batch - return batch ID
-     * 
+     *
      * @param totalNumberOfDocuments - expected number of documents to be signed
      * @param responder              - callback for http response
      */
@@ -95,7 +113,7 @@ public void batchStart(int totalNumberOfDocuments, BatchResponder responder) {
 
     /**
      * Sign a single document
-     * 
+     *
      * @param job
      * @param batchId - current batch ID, used to authenticate the request
      */
@@ -111,7 +129,7 @@ public void batchSign(SigningJob job, String batchId) {
 
     /**
      * End the batch
-     * 
+     *
      * @param batchId - current batch ID, used to authenticate the request
      */
     public boolean batchEnd(String batchId) {
@@ -171,4 +189,21 @@ public void onDocumentBatchSaved(BatchUiResult result) {
     public void onSigningFailed(AutogramException e) {
         ui.onUIThreadDo(() -> ui.onSigningFailed(e));
     }
+
+    public Timer initializeSignatureValidator() {
+        ui.onWorkThreadDo(() -> {
+            SignatureValidator.getInstance().initialize();
+        });
+
+        var timer = new Timer();
+        timer.scheduleAtFixedRate(new TimerTask() {
+                public void run() {
+                    SignatureValidator.getInstance().refresh();
+                }
+            },
+             3600000L,
+             3600000L);
+
+        return timer;
+    }
 }

src/main/java/digital/slovensko/autogram/core/SignatureValidator.java

@@ -0,0 +1,175 @@
+package digital.slovensko.autogram.core;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.nio.file.Path;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.concurrent.Executors;
+
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import eu.europa.esig.dss.model.DSSDocument;
+import eu.europa.esig.dss.model.DSSException;
+import eu.europa.esig.dss.service.crl.OnlineCRLSource;
+import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
+import eu.europa.esig.dss.service.http.commons.FileCacheDataLoader;
+import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
+import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
+import eu.europa.esig.dss.spi.x509.CertificateSource;
+import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
+import eu.europa.esig.dss.tsl.function.OfficialJournalSchemeInformationURI;
+import eu.europa.esig.dss.tsl.function.TLPredicateFactory;
+import eu.europa.esig.dss.tsl.job.TLValidationJob;
+import eu.europa.esig.dss.tsl.source.LOTLSource;
+import eu.europa.esig.dss.tsl.sync.ExpirationAndSignatureCheckStrategy;
+import eu.europa.esig.dss.validation.CertificateVerifier;
+import eu.europa.esig.dss.validation.CommonCertificateVerifier;
+import eu.europa.esig.dss.validation.SignedDocumentValidator;
+import eu.europa.esig.dss.validation.reports.Reports;
+
+import static digital.slovensko.autogram.util.DSSUtils.*;
+
+public class SignatureValidator {
+    private static final String LOTL_URL = "https://ec.europa.eu/tools/lotl/eu-lotl.xml";
+    private static final String OJ_URL = "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.276.01.0001.01.ENG";
+    private CertificateVerifier verifier;
+    private TLValidationJob validationJob;
+    private static Logger logger = LoggerFactory.getLogger(SignatureValidator.class);
+
+    // Singleton
+    private static SignatureValidator instance;
+
+    private SignatureValidator() {
+    }
+
+    public synchronized static SignatureValidator getInstance() {
+        if (instance == null)
+            instance = new SignatureValidator();
+
+        return instance;
+    }
+
+    public synchronized Reports validate(SignedDocumentValidator docValidator) {
+        docValidator.setCertificateVerifier(verifier);
+        return docValidator.validateDocument();
+    }
+
+    public synchronized void refresh() {
+        System.out.println("Refreshing signature validator...");
+        validationJob.offlineRefresh();
+        System.out.println("Signature validator refreshed");
+    }
+
+    public synchronized void initialize() {
+        SimpleDateFormat formatter = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
+        logger.debug("Initializing signature validator at {}", formatter.format(new Date()));
+
+        validationJob = new TLValidationJob();
+
+        var lotlSource = new LOTLSource();
+        lotlSource.setCertificateSource(getJournalCertificateSource());
+        lotlSource.setSigningCertificatesAnnouncementPredicate(new OfficialJournalSchemeInformationURI(OJ_URL));
+        lotlSource.setUrl(LOTL_URL);
+        lotlSource.setPivotSupport(true);
+        lotlSource.setTlPredicate(TLPredicateFactory.createEUTLCountryCodePredicate("SK", "CZ", "AT", "HU", "PL"));
+
+        var targetLocation = Path.of(System.getProperty("user.dir"), "cache", "certs").toFile();
+        targetLocation.mkdirs();
+
+        var offlineFileLoader = new FileCacheDataLoader();
+        offlineFileLoader.setCacheExpirationTime(21600000);
+        offlineFileLoader.setDataLoader(new CommonsDataLoader());
+        offlineFileLoader.setFileCacheDirectory(targetLocation);
+        validationJob.setOfflineDataLoader(offlineFileLoader);
+
+        var onlineFileLoader = new FileCacheDataLoader();
+        onlineFileLoader.setCacheExpirationTime(0);
+        onlineFileLoader.setDataLoader(new CommonsDataLoader());
+        onlineFileLoader.setFileCacheDirectory(targetLocation);
+        validationJob.setOnlineDataLoader(onlineFileLoader);
+
+        var trustedListCertificateSource = new TrustedListsCertificateSource();
+        validationJob.setTrustedListCertificateSource(trustedListCertificateSource);
+        validationJob.setListOfTrustedListSources(lotlSource);
+        validationJob.setSynchronizationStrategy(new ExpirationAndSignatureCheckStrategy());
+        validationJob.setExecutorService(Executors.newFixedThreadPool(4));
+        validationJob.setDebug(true);
+
+        logger.debug("Starting signature validator offline refresh");
+        validationJob.offlineRefresh();
+
+        verifier = new CommonCertificateVerifier();
+        verifier.setTrustedCertSources(trustedListCertificateSource);
+        verifier.setCrlSource(new OnlineCRLSource());
+        verifier.setOcspSource(new OnlineOCSPSource());
+
+        logger.debug("Signature validator initialized at {}", formatter.format(new Date()));
+    }
+
+    private CertificateSource getJournalCertificateSource() throws AssertionError {
+        try {
+            var keystore = getClass().getResourceAsStream("lotlKeyStore.p12");
+            return new KeyStoreCertificateSource(keystore, "PKCS12", "dss-password");
+
+        } catch (DSSException | NullPointerException e) {
+            throw new AssertionError("Cannot load LOTL keystore", e);
+        }
+    }
+
+    public synchronized Reports getSignatureValidationReport(DSSDocument document) {
+        return validate(createDocumentValidator(document));
+    }
+
+    public static String getSignatureValidationReportHTML(Reports signatureValidationReport) {
+        var builderFactory = DocumentBuilderFactory.newInstance();
+        builderFactory.setNamespaceAware(true);
+
+        try {
+            var document = builderFactory.newDocumentBuilder().parse(new InputSource(new StringReader(signatureValidationReport.getXmlSimpleReport())));
+            var xmlSource = new DOMSource(document);
+
+            var xsltFile = SignatureValidator.class.getResourceAsStream("simple-report-bootstrap4.xslt");
+            var xsltSource = new StreamSource(xsltFile);
+
+            var outputTarget = new StreamResult(new StringWriter());
+            var transformer = TransformerFactory.newInstance().newTransformer(xsltSource);
+            transformer.transform(xmlSource, outputTarget);
+
+            var r = outputTarget.getWriter().toString().trim();
+
+            var templateFile = SignatureValidator.class.getResourceAsStream("simple-report-template.html");
+            var templateString = new String(templateFile.readAllBytes());
+            return templateString.replace("{{content}}", r);
+
+        } catch (SAXException | IOException | ParserConfigurationException | TransformerException e) {
+            return "Error transforming validation report";
+        }
+    }
+
+    public static Reports getSignatureCheckReport(DSSDocument document) {
+        var validator = createDocumentValidator(document);
+        if (validator == null)
+            return null;
+
+        validator.setCertificateVerifier(new CommonCertificateVerifier());
+        return validator.validateDocument();
+    }
+
+    public static boolean hasSignatures(DSSDocument document) {
+        var signatureCheckReport = getSignatureCheckReport(document);
+        return signatureCheckReport != null && signatureCheckReport.getSimpleReport().getSignaturesCount() > 0;
+    }
+}

src/main/java/digital/slovensko/autogram/core/ValidationReportsWrapper.java

@@ -0,0 +1,21 @@
+package digital.slovensko.autogram.core;
+
+import eu.europa.esig.dss.validation.reports.Reports;
+
+public class ValidationReportsWrapper {
+    private final Reports reports;
+    private final SigningJob signingJob;
+
+    public ValidationReportsWrapper(Reports reports, SigningJob signingJob) {
+        this.reports = reports;
+        this.signingJob = signingJob;
+    }
+
+    public Reports getReports() {
+        return reports;
+    }
+
+    public SigningJob getSigningJob() {
+        return signingJob;
+    }
+}

src/main/java/digital/slovensko/autogram/ui/UI.java

@@ -48,5 +48,9 @@ public interface UI {
 
     void onPDFAComplianceCheckFailed(SigningJob job);
 
+    public void onSignatureValidationCompleted(ValidationReportsWrapper wrapper);
+
+    public void onSignatureCheckCompleted(ValidationReportsWrapper wrapper);
+
     void showIgnorableExceptionDialog(IgnorableException exception);
 }

src/main/java/digital/slovensko/autogram/ui/cli/CliUI.java

@@ -13,6 +13,7 @@
 import digital.slovensko.autogram.core.SigningJob;
 import digital.slovensko.autogram.core.SigningKey;
 import digital.slovensko.autogram.core.Updater;
+import digital.slovensko.autogram.core.ValidationReportsWrapper;
 import digital.slovensko.autogram.core.errors.AutogramException;
 import digital.slovensko.autogram.core.errors.FunctionCanceledException;
 import digital.slovensko.autogram.core.errors.InitializationFailedException;
@@ -209,6 +210,15 @@ public void showVisualization(Visualization visualization, Autogram autogram) {
     }
 
     @Override
+    public void onSignatureValidationCompleted(ValidationReportsWrapper wrapper) {
+
+    }
+
+    @Override
+    public void onSignatureCheckCompleted(ValidationReportsWrapper wrapper) {
+
+    }
+
     public void showIgnorableExceptionDialog(IgnorableException exception) {
         throw exception;
     }

src/main/java/digital/slovensko/autogram/ui/gui/ErrorSummaryComponentController.java

@@ -1,8 +1,5 @@
 package digital.slovensko.autogram.ui.gui;
 
-import java.io.PrintWriter;
-import java.io.StringWriter;
-
 import digital.slovensko.autogram.core.errors.AutogramException;
 import javafx.fxml.FXML;
 import javafx.scene.control.Button;

src/main/java/digital/slovensko/autogram/ui/gui/GUI.java

@@ -13,6 +13,7 @@
 import digital.slovensko.autogram.core.Batch;
 import digital.slovensko.autogram.core.SigningJob;
 import digital.slovensko.autogram.core.SigningKey;
+import digital.slovensko.autogram.core.ValidationReportsWrapper;
 import digital.slovensko.autogram.core.errors.AutogramException;
 import digital.slovensko.autogram.core.errors.NoDriversDetectedException;
 import digital.slovensko.autogram.core.errors.NoKeysDetectedException;
@@ -47,6 +48,9 @@ public GUI(HostServices hostServices) {
 
     @Override
     public void startSigning(SigningJob job, Autogram autogram) {
+        onWorkThreadDo(()
+        -> autogram.checkAndValidateSignatures(job));
+
         autogram.startVisualization(job);
     }
 
@@ -236,6 +240,17 @@ public void onPDFAComplianceCheckFailed(SigningJob job) {
     }
 
     @Override
+    public void onSignatureValidationCompleted(ValidationReportsWrapper wrapper) {
+        var controller = jobControllers.get(wrapper.getSigningJob());
+        controller.onSignatureValidationCompleted(wrapper.getReports());
+    }
+
+    @Override
+    public void onSignatureCheckCompleted(ValidationReportsWrapper wrapper) {
+        var controller = jobControllers.get(wrapper.getSigningJob());
+        controller.onSignatureCheckCompleted(wrapper.getReports());
+    }
+
     public void showVisualization(Visualization visualization, Autogram autogram) {
         var controller = new SigningDialogController(visualization, autogram, this);
         jobControllers.put(visualization.getJob(), controller);

src/main/java/digital/slovensko/autogram/ui/gui/GUIApp.java

@@ -16,6 +16,7 @@ public void start(Stage windowStage) throws Exception {
 
         Platform.setImplicitExit(false);
         autogram.checkForUpdate();
+        var timer = autogram.initializeSignatureValidator();
 
         setUserAgentStylesheet(getClass().getResource("idsk.css").toExternalForm());
 
@@ -31,6 +32,8 @@ public void start(Stage windowStage) throws Exception {
 
         windowStage.setOnCloseRequest(event -> {
             new Thread(server::stop).start();
+            timer.cancel();
+            System.out.println("Closing application");
 
             Platform.exit();
         });