private Attribute handleReaderListsRecursively(Attribute attribute, boolean encrypt)
throws NetInfCheckedSecurityException {
List<Attribute> subattributes = attribute.getSubattributes();
boolean readerList = false;
for (Attribute subattribute : subattributes) {
if (subattribute
.getIdentification()
.equals(DefinedAttributeIdentification.AUTHORIZED_READERS.getURI())) {
readerList = true;
} else {
Attribute newSubattribute = handleReaderListsRecursively(subattribute, encrypt);
// if a new Attribute was created the old one gets replaced.
if (newSubattribute != subattribute) {
attribute.removeSubattribute(subattribute);
if (newSubattribute != null) {
attribute.addSubattribute(newSubattribute);
}
}
}
}
// A ReaderList-Attribute without a corresponding signature attribute is an instruction to
// encrypt if possible. This will
// only be done if the user who pushes the InformationObject is trusted.
if (encrypt && readerList) {
return this.cryptography.encrypt(attribute);
} else {
// If the user is not trusted the instruction to encrypt is removed.
if (readerList) {
attribute.removeSubattribute(DefinedAttributeIdentification.AUTHORIZED_READERS.getURI());
}
return attribute;
}
}
private Attribute removeSignCommandRecursiveley(Attribute attribute)
throws NetInfCheckedException {
List<Attribute> subattributes = attribute.getSubattributes();
boolean writer = false;
boolean signature = false;
for (Attribute subattribute : subattributes) {
if (subattribute.getIdentification().equals(DefinedAttributeIdentification.WRITER.getURI())) {
writer = true;
} else if (subattribute
.getIdentification()
.equals(DefinedAttributeIdentification.SIGNATURE.getURI())) {
signature = true;
} else {
Attribute newSubattribute = removeSignCommandRecursiveley(subattribute);
// if a new Attribute was created the old one gets replaced.
if (newSubattribute != subattribute) {
attribute.removeSubattribute(subattribute);
if (newSubattribute != null) {
attribute.addSubattribute(newSubattribute);
}
}
}
}
if (writer && !signature) {
attribute.removeSubattribute(DefinedAttributeIdentification.WRITER.getURI());
}
return attribute;
}
private Attribute handleSignCommandRecursiveley(
Attribute attribute, String userName, String privateKey) throws NetInfCheckedException {
List<Attribute> subattributes = attribute.getSubattributes();
boolean writer = false;
boolean signature = false;
for (Attribute subattribute : subattributes) {
if (subattribute.getIdentification().equals(DefinedAttributeIdentification.WRITER.getURI())) {
writer = true;
} else if (subattribute
.getIdentification()
.equals(DefinedAttributeIdentification.SIGNATURE.getURI())) {
signature = true;
} else {
Attribute newSubattribute =
handleSignCommandRecursiveley(subattribute, userName, privateKey);
// if a new Attribute was created the old one gets replaced.
if (newSubattribute != subattribute) {
attribute.removeSubattribute(subattribute);
if (newSubattribute != null) {
attribute.addSubattribute(newSubattribute);
}
}
}
}
// A Writer-Attribute without a corresponding signature attribute is an instruction to sign if
// possible.
if (writer && !signature) {
switch (this.integrity.sign(attribute, userName, privateKey)) {
case SIGNING_FAILED:
throw new NetInfCheckedSecurityException("Sign failed.");
case SIGNING_SUCCEEDED:
break;
default:
throw new NetInfCheckedSecurityException("Sign result unknown.");
}
}
return attribute;
}
private Attribute decryptAttributesRecursively(
Attribute attribute, boolean superAttributeWasEncrypted, String userName, String privateKey) {
Attribute newAttribute = attribute;
boolean wasEncrypted = false;
if (attribute
.getIdentification()
.equalsIgnoreCase(DefinedAttributeIdentification.ENCRYPTED_CONTENT.getURI())) {
try {
newAttribute = this.cryptography.decrypt(attribute, userName, privateKey);
wasEncrypted = true;
} catch (NetInfCheckedSecurityException securityException) {
LOG.warn("Unable to decrypt attribute: " + securityException.getMessage());
return attribute;
}
} else if (!superAttributeWasEncrypted
&& attribute
.getIdentification()
.equalsIgnoreCase(DefinedAttributeIdentification.ENCRYPTED_CONTENT.getURI())) {
return null;
}
List<Attribute> subattributes = newAttribute.getSubattributes();
for (Attribute subattribute : subattributes) {
Attribute newSubattribute =
decryptAttributesRecursively(subattribute, wasEncrypted, userName, privateKey);
// if a new Attribute was created the old one gets replaced.
if (newSubattribute != subattribute) {
newAttribute.removeSubattribute(subattribute);
if (newSubattribute != null) {
newAttribute.addSubattribute(newSubattribute);
}
}
}
return newAttribute;
}
private Attribute verifyAttributesRecursively(Attribute attribute) throws NetInfCheckedException {
// Result of Verification should not be present before Attribute has been verified. Delete such
// information
if (attribute.getSingleSubattribute(
DefinedAttributeIdentification.SIGNATURE_VERIFICATION_FAILED.getURI())
!= null) {
attribute.removeSubattribute(
DefinedAttributeIdentification.SIGNATURE_VERIFICATION_FAILED.getURI());
}
if (attribute.getSingleSubattribute(DefinedAttributeIdentification.SIGNATURE.getURI())
!= null) {
// A Signature-Attribute without a corresponding SignatureIdentification-Subattribute is
// invalid. Remove
// Signature.
if (attribute
.getSingleSubattribute(DefinedAttributeIdentification.SIGNATURE.getURI())
.getSingleSubattribute(
DefinedAttributeIdentification.SIGNATURE_IDENTIFICATION.getURI())
== null) {
attribute.removeSubattribute(DefinedAttributeIdentification.SIGNATURE.getURI());
// A Writer-Attribute without a corresponding signature attribute is an instruction to sign
// if possible. An incoming
// object should have no instructions since the sender is not trusted. The instruction is
// deleted.
if (attribute.getSingleSubattribute(DefinedAttributeIdentification.WRITER.getURI())
== null) {
attribute.removeSubattribute(DefinedAttributeIdentification.WRITER.getURI());
}
}
IntegrityResult integrityResult = this.integrity.isSignatureValid(attribute);
if (this.suppressCorruptedIOs) {
switch (integrityResult) {
case INTEGRITY_CHECK_FAIL:
throw new NetInfCheckedSecurityException("Integrity check failed.");
case INTEGRITY_NOT_TESTABLE:
throw new NetInfCheckedSecurityException("Integrity not testable.");
case INTEGRITY_CHECK_SUCCEEDED:
break;
default:
throw new NetInfCheckedSecurityException("Integrity check result unknown.");
}
} else {
// A Writer-Attribute without a corresponding signature attribute is an instruction to sign
// if possible. An incoming
// object should have no instructions since the sender is not trusted. The instruction is
// deleted.
if (attribute.getSingleSubattribute(DefinedAttributeIdentification.WRITER.getURI())
== null) {
attribute.removeSubattribute(DefinedAttributeIdentification.SIGNATURE.getURI());
}
}
// TODO wait for convenient methods to create IOs
IdentityVerificationResult identityResult =
this.identityVerification.isWriterVerified(attribute);
if (this.suppressCorruptedIOs) {
switch (identityResult) {
case IDENTITY_NOT_VERIFIABLE:
throw new NetInfCheckedSecurityException("Identity not verifiable.");
case IDENTITY_VERIFICATION_FAILED:
throw new NetInfCheckedSecurityException("Identity verification failed.");
case IDENTITY_VERIFICATION_SUCCEEDED:
break;
default:
throw new NetInfCheckedSecurityException("Identity verification result unknown.");
}
}
}
List<Attribute> subattributes = attribute.getSubattributes();
for (Attribute subattribute : subattributes) {
Attribute newSubattribute = verifyAttributesRecursively(subattribute);
// if a new Attribute was created the old one gets replaced.
if (newSubattribute != subattribute) {
attribute.removeSubattribute(subattribute);
if (newSubattribute != null) {
attribute.addSubattribute(newSubattribute);
}
}
}
return attribute;
}