mirror of https://github.com/apache/poi.git
#64186 - Decrease usage of ThreadLocals in XML Signature API
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1874671 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
3691704678
commit
b04379bc4c
|
@ -18,9 +18,9 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig;
|
package org.apache.poi.poifs.crypt.dsig;
|
||||||
|
|
||||||
|
@ -42,33 +42,29 @@ import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
|
||||||
import org.apache.poi.openxml4j.opc.PackagePart;
|
import org.apache.poi.openxml4j.opc.PackagePart;
|
||||||
import org.apache.poi.openxml4j.opc.PackagePartName;
|
import org.apache.poi.openxml4j.opc.PackagePartName;
|
||||||
import org.apache.poi.openxml4j.opc.PackagingURIHelper;
|
import org.apache.poi.openxml4j.opc.PackagingURIHelper;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
|
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
import org.apache.poi.util.POILogger;
|
import org.apache.poi.util.POILogger;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* JSR105 URI dereferencer for Office Open XML documents.
|
* JSR105 URI dereferencer for Office Open XML documents.
|
||||||
*/
|
*/
|
||||||
public class OOXMLURIDereferencer implements URIDereferencer, SignatureConfigurable {
|
public class OOXMLURIDereferencer implements URIDereferencer {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(OOXMLURIDereferencer.class);
|
private static final POILogger LOG = POILogFactory.getLogger(OOXMLURIDereferencer.class);
|
||||||
|
|
||||||
private SignatureConfig signatureConfig;
|
private SignatureInfo signatureInfo;
|
||||||
private URIDereferencer baseUriDereferencer;
|
private URIDereferencer baseUriDereferencer;
|
||||||
|
|
||||||
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
public void setSignatureInfo(SignatureInfo signatureInfo) {
|
||||||
this.signatureConfig = signatureConfig;
|
this.signatureInfo = signatureInfo;
|
||||||
|
baseUriDereferencer = signatureInfo.getSignatureFactory().getURIDereferencer();
|
||||||
}
|
}
|
||||||
|
|
||||||
public Data dereference(URIReference uriReference, XMLCryptoContext context) throws URIReferenceException {
|
public Data dereference(URIReference uriReference, XMLCryptoContext context) throws URIReferenceException {
|
||||||
if (baseUriDereferencer == null) {
|
if (uriReference == null) {
|
||||||
baseUriDereferencer = signatureConfig.getSignatureFactory().getURIDereferencer();
|
throw new NullPointerException("URIReference cannot be null - call setSignatureInfo(...) before");
|
||||||
}
|
}
|
||||||
|
if (context == null) {
|
||||||
if (null == uriReference) {
|
|
||||||
throw new NullPointerException("URIReference cannot be null");
|
|
||||||
}
|
|
||||||
if (null == context) {
|
|
||||||
throw new NullPointerException("XMLCryptoContext cannot be null");
|
throw new NullPointerException("XMLCryptoContext cannot be null");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,7 +78,7 @@ public class OOXMLURIDereferencer implements URIDereferencer, SignatureConfigura
|
||||||
PackagePart part = findPart(uri);
|
PackagePart part = findPart(uri);
|
||||||
if (part == null) {
|
if (part == null) {
|
||||||
LOG.log(POILogger.DEBUG, "cannot resolve, delegating to base DOM URI dereferencer", uri);
|
LOG.log(POILogger.DEBUG, "cannot resolve, delegating to base DOM URI dereferencer", uri);
|
||||||
return this.baseUriDereferencer.dereference(uriReference, context);
|
return baseUriDereferencer.dereference(uriReference, context);
|
||||||
}
|
}
|
||||||
|
|
||||||
InputStream dataStream;
|
InputStream dataStream;
|
||||||
|
@ -116,15 +112,14 @@ public class OOXMLURIDereferencer implements URIDereferencer, SignatureConfigura
|
||||||
LOG.log(POILogger.DEBUG, "illegal part name (expected)", uri);
|
LOG.log(POILogger.DEBUG, "illegal part name (expected)", uri);
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
PackagePartName ppn;
|
PackagePartName ppn;
|
||||||
try {
|
try {
|
||||||
ppn = PackagingURIHelper.createPartName(path);
|
ppn = PackagingURIHelper.createPartName(path);
|
||||||
|
return signatureInfo.getOpcPackage().getPart(ppn);
|
||||||
} catch (InvalidFormatException e) {
|
} catch (InvalidFormatException e) {
|
||||||
LOG.log(POILogger.WARN, "illegal part name (not expected)", uri);
|
LOG.log(POILogger.WARN, "illegal part name (not expected)", uri);
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
return signatureConfig.getOpcPackage().getPart(ppn);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,12 +27,15 @@ import java.text.DateFormat;
|
||||||
import java.text.ParseException;
|
import java.text.ParseException;
|
||||||
import java.text.SimpleDateFormat;
|
import java.text.SimpleDateFormat;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
import java.util.Arrays;
|
||||||
import java.util.Date;
|
import java.util.Date;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Locale;
|
import java.util.Locale;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.UUID;
|
import java.util.UUID;
|
||||||
|
import java.util.function.Supplier;
|
||||||
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
import javax.xml.crypto.URIDereferencer;
|
import javax.xml.crypto.URIDereferencer;
|
||||||
import javax.xml.crypto.dsig.CanonicalizationMethod;
|
import javax.xml.crypto.dsig.CanonicalizationMethod;
|
||||||
|
@ -53,11 +56,12 @@ import org.apache.poi.poifs.crypt.dsig.services.SignaturePolicyService;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService;
|
import org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;
|
import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;
|
import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;
|
||||||
|
import org.apache.poi.util.Internal;
|
||||||
import org.apache.poi.util.LocaleUtil;
|
import org.apache.poi.util.LocaleUtil;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
import org.apache.poi.util.POILogger;
|
import org.apache.poi.util.POILogger;
|
||||||
|
import org.apache.poi.util.Removal;
|
||||||
import org.apache.xml.security.signature.XMLSignature;
|
import org.apache.xml.security.signature.XMLSignature;
|
||||||
import org.w3c.dom.events.EventListener;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class bundles the configuration options used for the existing
|
* This class bundles the configuration options used for the existing
|
||||||
|
@ -73,11 +77,16 @@ public class SignatureConfig {
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(SignatureConfig.class);
|
private static final POILogger LOG = POILogFactory.getLogger(SignatureConfig.class);
|
||||||
private static final String DigestMethod_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224";
|
private static final String DigestMethod_SHA224 = "http://www.w3.org/2001/04/xmldsig-more#sha224";
|
||||||
private static final String DigestMethod_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
|
private static final String DigestMethod_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#sha384";
|
||||||
|
private static final String XMLSEC_SANTUARIO = "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI";
|
||||||
|
private static final String XMLSEC_JDK = "org.jcp.xml.dsig.internal.dom.XMLDSigRI";
|
||||||
|
|
||||||
|
private static final List<Supplier<SignatureFacet>> DEFAULT_FACETS = Arrays.asList(
|
||||||
|
OOXMLSignatureFacet::new,
|
||||||
|
KeyInfoSignatureFacet::new,
|
||||||
|
XAdESSignatureFacet::new,
|
||||||
|
Office2010SignatureFacet::new
|
||||||
|
);
|
||||||
|
|
||||||
public interface SignatureConfigurable {
|
|
||||||
void setSignatureConfig(SignatureConfig signatureConfig);
|
|
||||||
}
|
|
||||||
|
|
||||||
private ThreadLocal<OPCPackage> opcPackage = new ThreadLocal<>();
|
private ThreadLocal<OPCPackage> opcPackage = new ThreadLocal<>();
|
||||||
private ThreadLocal<XMLSignatureFactory> signatureFactory = new ThreadLocal<>();
|
private ThreadLocal<XMLSignatureFactory> signatureFactory = new ThreadLocal<>();
|
||||||
|
@ -94,7 +103,7 @@ public class SignatureConfig {
|
||||||
* the optional signature policy service used for XAdES-EPES.
|
* the optional signature policy service used for XAdES-EPES.
|
||||||
*/
|
*/
|
||||||
private SignaturePolicyService signaturePolicyService;
|
private SignaturePolicyService signaturePolicyService;
|
||||||
private URIDereferencer uriDereferencer;
|
private URIDereferencer uriDereferencer = new OOXMLURIDereferencer();
|
||||||
private String canonicalizationMethod = CanonicalizationMethod.INCLUSIVE;
|
private String canonicalizationMethod = CanonicalizationMethod.INCLUSIVE;
|
||||||
|
|
||||||
private boolean includeEntireCertificateChain = true;
|
private boolean includeEntireCertificateChain = true;
|
||||||
|
@ -161,7 +170,7 @@ public class SignatureConfig {
|
||||||
* with certain namespaces, so this EventListener is used to interfere
|
* with certain namespaces, so this EventListener is used to interfere
|
||||||
* with the marshalling process.
|
* with the marshalling process.
|
||||||
*/
|
*/
|
||||||
private EventListener signatureMarshalListener;
|
private SignatureMarshalListener signatureMarshalListener = new SignatureMarshalDefaultListener();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Map of namespace uris to prefix
|
* Map of namespace uris to prefix
|
||||||
|
@ -181,61 +190,11 @@ public class SignatureConfig {
|
||||||
*/
|
*/
|
||||||
private boolean allowMultipleSignatures = false;
|
private boolean allowMultipleSignatures = false;
|
||||||
|
|
||||||
|
public SignatureConfig() {
|
||||||
/**
|
// OOo doesn't like ds namespaces so per default prefixing is off.
|
||||||
* Inits and checks the config object.
|
// namespacePrefixes.put(XML_DIGSIG_NS, "");
|
||||||
* If not set previously, complex configuration properties also get
|
namespacePrefixes.put(OO_DIGSIG_NS, "mdssi");
|
||||||
* created/initialized via this initialization call.
|
namespacePrefixes.put(XADES_132_NS, "xd");
|
||||||
*
|
|
||||||
* @param onlyValidation if true, only a subset of the properties
|
|
||||||
* is initialized, which are necessary for validation. If false,
|
|
||||||
* also the other properties needed for signing are been taken care of
|
|
||||||
*/
|
|
||||||
protected void init(boolean onlyValidation) {
|
|
||||||
if (opcPackage == null) {
|
|
||||||
throw new EncryptedDocumentException("opcPackage is null");
|
|
||||||
}
|
|
||||||
if (uriDereferencer == null) {
|
|
||||||
uriDereferencer = new OOXMLURIDereferencer();
|
|
||||||
}
|
|
||||||
if (uriDereferencer instanceof SignatureConfigurable) {
|
|
||||||
((SignatureConfigurable)uriDereferencer).setSignatureConfig(this);
|
|
||||||
}
|
|
||||||
if (namespacePrefixes.isEmpty()) {
|
|
||||||
/*
|
|
||||||
* OOo doesn't like ds namespaces so per default prefixing is off.
|
|
||||||
*/
|
|
||||||
// namespacePrefixes.put(XML_DIGSIG_NS, "");
|
|
||||||
namespacePrefixes.put(OO_DIGSIG_NS, "mdssi");
|
|
||||||
namespacePrefixes.put(XADES_132_NS, "xd");
|
|
||||||
}
|
|
||||||
|
|
||||||
if (onlyValidation) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signatureMarshalListener == null) {
|
|
||||||
signatureMarshalListener = new SignatureMarshalListener();
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signatureMarshalListener instanceof SignatureConfigurable) {
|
|
||||||
((SignatureConfigurable)signatureMarshalListener).setSignatureConfig(this);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (tspService != null) {
|
|
||||||
tspService.setSignatureConfig(this);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (signatureFacets.isEmpty()) {
|
|
||||||
addSignatureFacet(new OOXMLSignatureFacet());
|
|
||||||
addSignatureFacet(new KeyInfoSignatureFacet());
|
|
||||||
addSignatureFacet(new XAdESSignatureFacet());
|
|
||||||
addSignatureFacet(new Office2010SignatureFacet());
|
|
||||||
}
|
|
||||||
|
|
||||||
for (SignatureFacet sf : signatureFacets) {
|
|
||||||
sf.setSignatureConfig(this);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -249,7 +208,11 @@ public class SignatureConfig {
|
||||||
* @return the list of facets, may be empty when the config object is not initialized
|
* @return the list of facets, may be empty when the config object is not initialized
|
||||||
*/
|
*/
|
||||||
public List<SignatureFacet> getSignatureFacets() {
|
public List<SignatureFacet> getSignatureFacets() {
|
||||||
return signatureFacets;
|
if (signatureFacets.isEmpty()) {
|
||||||
|
return DEFAULT_FACETS.stream().map(Supplier::get).collect(Collectors.toList());
|
||||||
|
} else {
|
||||||
|
return signatureFacets;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -275,14 +238,22 @@ public class SignatureConfig {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the opc package to be used by this thread, stored as thread-local
|
* @return the opc package to be used by this thread, stored as thread-local
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setOpcPackage(OPCPackage)} instead
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public OPCPackage getOpcPackage() {
|
public OPCPackage getOpcPackage() {
|
||||||
return opcPackage.get();
|
return opcPackage.get();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param opcPackage the opc package to be handled by this thread, stored as thread-local
|
* @param opcPackage the opc package to be handled by this thread, stored as thread-local
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setOpcPackage(OPCPackage)} instead
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public void setOpcPackage(OPCPackage opcPackage) {
|
public void setOpcPackage(OPCPackage opcPackage) {
|
||||||
this.opcPackage.set(opcPackage);
|
this.opcPackage.set(opcPackage);
|
||||||
}
|
}
|
||||||
|
@ -378,14 +349,22 @@ public class SignatureConfig {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the dereferencer used for Reference/@URI attributes, defaults to {@link OOXMLURIDereferencer}
|
* @return the dereferencer used for Reference/@URI attributes, defaults to {@link OOXMLURIDereferencer}
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#getUriDereferencer()} instead
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public URIDereferencer getUriDereferencer() {
|
public URIDereferencer getUriDereferencer() {
|
||||||
return uriDereferencer;
|
return uriDereferencer;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param uriDereferencer the dereferencer used for Reference/@URI attributes
|
* @param uriDereferencer the dereferencer used for Reference/@URI attributes
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setUriDereferencer(URIDereferencer)} instead
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public void setUriDereferencer(URIDereferencer uriDereferencer) {
|
public void setUriDereferencer(URIDereferencer uriDereferencer) {
|
||||||
this.uriDereferencer = uriDereferencer;
|
this.uriDereferencer = uriDereferencer;
|
||||||
}
|
}
|
||||||
|
@ -753,11 +732,10 @@ public class SignatureConfig {
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the event listener which is active while xml structure for
|
* @return the event listener which is active while xml structure for the signature is created.
|
||||||
* the signature is created.
|
|
||||||
* Defaults to {@link SignatureMarshalListener}
|
* Defaults to {@link SignatureMarshalListener}
|
||||||
*/
|
*/
|
||||||
public EventListener getSignatureMarshalListener() {
|
public SignatureMarshalListener getSignatureMarshalListener() {
|
||||||
return signatureMarshalListener;
|
return signatureMarshalListener;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -765,7 +743,7 @@ public class SignatureConfig {
|
||||||
* @param signatureMarshalListener the event listener watching the xml structure
|
* @param signatureMarshalListener the event listener watching the xml structure
|
||||||
* generation for the signature
|
* generation for the signature
|
||||||
*/
|
*/
|
||||||
public void setSignatureMarshalListener(EventListener signatureMarshalListener) {
|
public void setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener) {
|
||||||
this.signatureMarshalListener = signatureMarshalListener;
|
this.signatureMarshalListener = signatureMarshalListener;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -898,85 +876,91 @@ public class SignatureConfig {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param signatureFactory the xml signature factory, saved as thread-local
|
* @param signatureFactory the xml signature factory, saved as thread-local
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setSignatureFactory(XMLSignatureFactory)}
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public void setSignatureFactory(XMLSignatureFactory signatureFactory) {
|
public void setSignatureFactory(XMLSignatureFactory signatureFactory) {
|
||||||
this.signatureFactory.set(signatureFactory);
|
this.signatureFactory.set(signatureFactory);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the xml signature factory (thread-local)
|
* @return the xml signature factory (thread-local)
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - will be handled by SignatureInfo internally
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public XMLSignatureFactory getSignatureFactory() {
|
public XMLSignatureFactory getSignatureFactory() {
|
||||||
XMLSignatureFactory sigFac = signatureFactory.get();
|
return signatureFactory.get();
|
||||||
if (sigFac == null) {
|
|
||||||
sigFac = XMLSignatureFactory.getInstance("DOM", getProvider());
|
|
||||||
setSignatureFactory(sigFac);
|
|
||||||
}
|
|
||||||
return sigFac;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param keyInfoFactory the key factory, saved as thread-local
|
* @param keyInfoFactory the key factory, saved as thread-local
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setKeyInfoFactory(KeyInfoFactory)}
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public void setKeyInfoFactory(KeyInfoFactory keyInfoFactory) {
|
public void setKeyInfoFactory(KeyInfoFactory keyInfoFactory) {
|
||||||
this.keyInfoFactory.set(keyInfoFactory);
|
this.keyInfoFactory.set(keyInfoFactory);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the key factory (thread-local)
|
* @return the key factory (thread-local)
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - will be handled by SignatureInfo internally
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
public KeyInfoFactory getKeyInfoFactory() {
|
public KeyInfoFactory getKeyInfoFactory() {
|
||||||
KeyInfoFactory keyFac = keyInfoFactory.get();
|
return keyInfoFactory.get();
|
||||||
if (keyFac == null) {
|
|
||||||
keyFac = KeyInfoFactory.getInstance("DOM", getProvider());
|
|
||||||
setKeyInfoFactory(keyFac);
|
|
||||||
}
|
|
||||||
return keyFac;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This method tests the existence of xml signature provider in the following order:
|
* Helper method to set provider
|
||||||
* <ul>
|
* @param provider the provider
|
||||||
|
* @deprecated in POI 4.1.3 - use {@link SignatureInfo#setProvider(Provider)}
|
||||||
|
*/
|
||||||
|
@Internal
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
|
public void setProvider(Provider provider) {
|
||||||
|
this.provider.set(provider);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return the cached provider or null if not set before
|
||||||
|
*
|
||||||
|
* @deprecated in POI 4.1.3 - will be handled by SignatureInfo internally
|
||||||
|
*/
|
||||||
|
@Deprecated
|
||||||
|
@Removal(version = "5.0.0")
|
||||||
|
public Provider getProvider() {
|
||||||
|
return provider.get();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Determine the possible classes for XMLSEC.
|
||||||
|
* The order is
|
||||||
|
* <ol>
|
||||||
* <li>the class pointed to by the system property "jsr105Provider"</li>
|
* <li>the class pointed to by the system property "jsr105Provider"</li>
|
||||||
* <li>the Santuario xmlsec provider</li>
|
* <li>the Santuario xmlsec provider</li>
|
||||||
* <li>the JDK xmlsec provider</li>
|
* <li>the JDK xmlsec provider</li>
|
||||||
* </ul>
|
* </ol>
|
||||||
*
|
*
|
||||||
* For signing the classes are linked against the Santuario xmlsec, so this might
|
* @return a list of possible XMLSEC provider class names
|
||||||
* only work for validation (not tested).
|
|
||||||
*
|
|
||||||
* @return the xml dsig provider
|
|
||||||
*/
|
*/
|
||||||
public Provider getProvider() {
|
public static String[] getProviderNames() {
|
||||||
Provider prov = provider.get();
|
// need to check every time, as the system property might have been changed in the meantime
|
||||||
if (prov == null) {
|
String sysProp = System.getProperty("jsr105Provider");
|
||||||
String[] dsigProviderNames = {
|
return (sysProp == null || "".equals(sysProp))
|
||||||
System.getProperty("jsr105Provider"),
|
? new String[]{XMLSEC_SANTUARIO, XMLSEC_JDK}
|
||||||
// Santuario xmlsec
|
: new String[]{sysProp, XMLSEC_SANTUARIO, XMLSEC_JDK};
|
||||||
"org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI",
|
|
||||||
// JDK xmlsec
|
|
||||||
"org.jcp.xml.dsig.internal.dom.XMLDSigRI"
|
|
||||||
};
|
|
||||||
for (String pn : dsigProviderNames) {
|
|
||||||
if (pn == null) {
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
try {
|
|
||||||
prov = (Provider)Class.forName(pn).newInstance();
|
|
||||||
break;
|
|
||||||
} catch (Exception e) {
|
|
||||||
LOG.log(POILogger.DEBUG, "XMLDsig-Provider '"+pn+"' can't be found - trying next.");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (prov == null) {
|
|
||||||
throw new RuntimeException("JRE doesn't support default xml signature provider - set jsr105Provider system property!");
|
|
||||||
}
|
|
||||||
|
|
||||||
return prov;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the cannonicalization method for XAdES-XL signing.
|
* @return the cannonicalization method for XAdES-XL signing.
|
||||||
* Defaults to <code>EXCLUSIVE</code>
|
* Defaults to <code>EXCLUSIVE</code>
|
||||||
|
|
|
@ -31,6 +31,7 @@ import java.io.IOException;
|
||||||
import java.io.OutputStream;
|
import java.io.OutputStream;
|
||||||
import java.security.GeneralSecurityException;
|
import java.security.GeneralSecurityException;
|
||||||
import java.security.PrivateKey;
|
import java.security.PrivateKey;
|
||||||
|
import java.security.Provider;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Base64;
|
import java.util.Base64;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
@ -38,6 +39,8 @@ import java.util.Iterator;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.NoSuchElementException;
|
import java.util.NoSuchElementException;
|
||||||
|
import java.util.Objects;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
import javax.xml.crypto.URIDereferencer;
|
import javax.xml.crypto.URIDereferencer;
|
||||||
|
@ -52,6 +55,7 @@ import javax.xml.crypto.dsig.XMLObject;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureException;
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
||||||
import javax.xml.crypto.dsig.dom.DOMSignContext;
|
import javax.xml.crypto.dsig.dom.DOMSignContext;
|
||||||
|
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
|
||||||
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
|
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
|
||||||
|
|
||||||
import org.apache.jcp.xml.dsig.internal.dom.DOMReference;
|
import org.apache.jcp.xml.dsig.internal.dom.DOMReference;
|
||||||
|
@ -70,7 +74,6 @@ import org.apache.poi.openxml4j.opc.PackagingURIHelper;
|
||||||
import org.apache.poi.openxml4j.opc.TargetMode;
|
import org.apache.poi.openxml4j.opc.TargetMode;
|
||||||
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
||||||
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
|
|
||||||
import org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet;
|
import org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService;
|
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
|
@ -84,6 +87,7 @@ import org.w3c.dom.Element;
|
||||||
import org.w3c.dom.NodeList;
|
import org.w3c.dom.NodeList;
|
||||||
import org.w3c.dom.events.EventListener;
|
import org.w3c.dom.events.EventListener;
|
||||||
import org.w3c.dom.events.EventTarget;
|
import org.w3c.dom.events.EventTarget;
|
||||||
|
import org.w3c.dom.events.MutationEvent;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -153,20 +157,16 @@ import org.w3c.dom.events.EventTarget;
|
||||||
* <li>and slf4j-api (tested against 1.7.30)</li>
|
* <li>and slf4j-api (tested against 1.7.30)</li>
|
||||||
* </ul>
|
* </ul>
|
||||||
*/
|
*/
|
||||||
public class SignatureInfo implements SignatureConfigurable {
|
public class SignatureInfo {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(SignatureInfo.class);
|
private static final POILogger LOG = POILogFactory.getLogger(SignatureInfo.class);
|
||||||
private static boolean isInitialized;
|
|
||||||
|
|
||||||
private SignatureConfig signatureConfig;
|
private SignatureConfig signatureConfig;
|
||||||
|
private OPCPackage opcPackage;
|
||||||
|
private Provider provider;
|
||||||
/**
|
private XMLSignatureFactory signatureFactory;
|
||||||
* Constructor initializes xml signature environment, if it hasn't been initialized before
|
private KeyInfoFactory keyInfoFactory;
|
||||||
*/
|
private URIDereferencer uriDereferencer;
|
||||||
public SignatureInfo() {
|
|
||||||
initXmlProvider();
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the signature config
|
* @return the signature config
|
||||||
|
@ -178,30 +178,45 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
/**
|
/**
|
||||||
* @param signatureConfig the signature config, needs to be set before a SignatureInfo object is used
|
* @param signatureConfig the signature config, needs to be set before a SignatureInfo object is used
|
||||||
*/
|
*/
|
||||||
@Override
|
|
||||||
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
||||||
this.signatureConfig = signatureConfig;
|
this.signatureConfig = signatureConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void setOpcPackage(OPCPackage opcPackage) {
|
||||||
|
this.opcPackage = opcPackage;
|
||||||
|
}
|
||||||
|
|
||||||
|
public OPCPackage getOpcPackage() {
|
||||||
|
return opcPackage;
|
||||||
|
}
|
||||||
|
|
||||||
|
public URIDereferencer getUriDereferencer() {
|
||||||
|
return uriDereferencer;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUriDereferencer(URIDereferencer uriDereferencer) {
|
||||||
|
this.uriDereferencer = uriDereferencer;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return true, if first signature part is valid
|
* @return true, if first signature part is valid
|
||||||
*/
|
*/
|
||||||
public boolean verifySignature() {
|
public boolean verifySignature() {
|
||||||
|
initXmlProvider();
|
||||||
// http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html
|
// http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html
|
||||||
for (SignaturePart sp : getSignatureParts()){
|
// only validate first part
|
||||||
// only validate first part
|
Iterator<SignaturePart> iter = getSignatureParts().iterator();
|
||||||
return sp.validate();
|
return iter.hasNext() && iter.next().validate();
|
||||||
}
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* add the xml signature to the document
|
* add the xml signature to the document
|
||||||
*
|
*
|
||||||
* @throws XMLSignatureException
|
* @throws XMLSignatureException if the signature can't be calculated
|
||||||
* @throws MarshalException
|
* @throws MarshalException if the document can't be serialized
|
||||||
*/
|
*/
|
||||||
public void confirmSignature() throws XMLSignatureException, MarshalException {
|
public void confirmSignature() throws XMLSignatureException, MarshalException {
|
||||||
|
initXmlProvider();
|
||||||
final Document document = DocumentHelper.createDocument();
|
final Document document = DocumentHelper.createDocument();
|
||||||
final DOMSignContext xmlSignContext = createXMLSignContext(document);
|
final DOMSignContext xmlSignContext = createXMLSignContext(document);
|
||||||
|
|
||||||
|
@ -223,6 +238,7 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* @return the initialized signature context
|
* @return the initialized signature context
|
||||||
*/
|
*/
|
||||||
public DOMSignContext createXMLSignContext(final Document document) {
|
public DOMSignContext createXMLSignContext(final Document document) {
|
||||||
|
initXmlProvider();
|
||||||
return new DOMSignContext(signatureConfig.getKey(), document);
|
return new DOMSignContext(signatureConfig.getKey(), document);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -231,10 +247,10 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* Sign (encrypt) the digest with the private key.
|
* Sign (encrypt) the digest with the private key.
|
||||||
* Currently only rsa is supported.
|
* Currently only rsa is supported.
|
||||||
*
|
*
|
||||||
* @param digest the hashed input
|
|
||||||
* @return the encrypted hash
|
* @return the encrypted hash
|
||||||
*/
|
*/
|
||||||
public String signDigest(final DOMSignContext xmlSignContext, final DOMSignedInfo signedInfo) {
|
public String signDigest(final DOMSignContext xmlSignContext, final DOMSignedInfo signedInfo) {
|
||||||
|
initXmlProvider();
|
||||||
final PrivateKey key = signatureConfig.getKey();
|
final PrivateKey key = signatureConfig.getKey();
|
||||||
final HashAlgorithm algo = signatureConfig.getDigestAlgo();
|
final HashAlgorithm algo = signatureConfig.getDigestAlgo();
|
||||||
|
|
||||||
|
@ -243,12 +259,12 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
|
|
||||||
|
|
||||||
if (algo.hashSize*4/3 > BASE64DEFAULTLENGTH && !XMLUtils.ignoreLineBreaks()) {
|
if (algo.hashSize*4/3 > BASE64DEFAULTLENGTH && !XMLUtils.ignoreLineBreaks()) {
|
||||||
throw new EncryptedDocumentException("The hash size of the choosen hash algorithm ("+algo+" = "+algo.hashSize+" bytes), "+
|
throw new EncryptedDocumentException("The hash size of the chosen hash algorithm ("+algo+" = "+algo.hashSize+" bytes), "+
|
||||||
"will motivate XmlSec to add linebreaks to the generated digest, which results in an invalid signature (... at least "+
|
"will motivate XmlSec to add linebreaks to the generated digest, which results in an invalid signature (... at least "+
|
||||||
"for Office) - please persuade it otherwise by adding '-Dorg.apache.xml.security.ignoreLineBreaks=true' to the JVM "+
|
"for Office) - please persuade it otherwise by adding '-Dorg.apache.xml.security.ignoreLineBreaks=true' to the JVM "+
|
||||||
"system properties.");
|
"system properties.");
|
||||||
}
|
}
|
||||||
|
|
||||||
try (final DigestOutputStream dos = getDigestStream(algo, key)) {
|
try (final DigestOutputStream dos = getDigestStream(algo, key)) {
|
||||||
dos.init();
|
dos.init();
|
||||||
|
|
||||||
|
@ -277,78 +293,61 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* the parts can be validated independently.
|
* the parts can be validated independently.
|
||||||
*/
|
*/
|
||||||
public Iterable<SignaturePart> getSignatureParts() {
|
public Iterable<SignaturePart> getSignatureParts() {
|
||||||
signatureConfig.init(true);
|
initXmlProvider();
|
||||||
return new Iterable<SignaturePart>() {
|
return SignaturePartIterator::new;
|
||||||
@Override
|
}
|
||||||
public Iterator<SignaturePart> iterator() {
|
|
||||||
return new Iterator<SignaturePart>() {
|
|
||||||
OPCPackage pkg = signatureConfig.getOpcPackage();
|
|
||||||
Iterator<PackageRelationship> sigOrigRels =
|
|
||||||
pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN).iterator();
|
|
||||||
Iterator<PackageRelationship> sigRels;
|
|
||||||
PackagePart sigPart;
|
|
||||||
|
|
||||||
@Override
|
private final class SignaturePartIterator implements Iterator<SignaturePart> {
|
||||||
public boolean hasNext() {
|
Iterator<PackageRelationship> sigOrigRels;
|
||||||
while (sigRels == null || !sigRels.hasNext()) {
|
private Iterator<PackageRelationship> sigRels;
|
||||||
if (!sigOrigRels.hasNext()) {
|
private PackagePart sigPart;
|
||||||
return false;
|
|
||||||
}
|
|
||||||
sigPart = pkg.getPart(sigOrigRels.next());
|
|
||||||
LOG.log(POILogger.DEBUG, "Digital Signature Origin part", sigPart);
|
|
||||||
try {
|
|
||||||
sigRels = sigPart.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE).iterator();
|
|
||||||
} catch (InvalidFormatException e) {
|
|
||||||
LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
private SignaturePartIterator() {
|
||||||
public SignaturePart next() {
|
sigOrigRels = opcPackage.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN).iterator();
|
||||||
PackagePart sigRelPart = null;
|
}
|
||||||
do {
|
|
||||||
try {
|
|
||||||
if (!hasNext()) {
|
|
||||||
throw new NoSuchElementException();
|
|
||||||
}
|
|
||||||
sigRelPart = sigPart.getRelatedPart(sigRels.next());
|
|
||||||
LOG.log(POILogger.DEBUG, "XML Signature part", sigRelPart);
|
|
||||||
} catch (InvalidFormatException e) {
|
|
||||||
LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
|
|
||||||
}
|
|
||||||
} while (sigRelPart == null);
|
|
||||||
return new SignaturePart(sigRelPart, signatureConfig);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void remove() {
|
public boolean hasNext() {
|
||||||
throw new UnsupportedOperationException();
|
while (sigRels == null || !sigRels.hasNext()) {
|
||||||
}
|
if (!sigOrigRels.hasNext()) {
|
||||||
};
|
return false;
|
||||||
|
}
|
||||||
|
sigPart = opcPackage.getPart(sigOrigRels.next());
|
||||||
|
LOG.log(POILogger.DEBUG, "Digital Signature Origin part", sigPart);
|
||||||
|
try {
|
||||||
|
sigRels = sigPart.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE).iterator();
|
||||||
|
} catch (InvalidFormatException e) {
|
||||||
|
LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
};
|
return true;
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Initialize the xml signing environment and the bouncycastle provider
|
|
||||||
*/
|
|
||||||
protected static synchronized void initXmlProvider() {
|
|
||||||
if (isInitialized) {
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
isInitialized = true;
|
|
||||||
|
|
||||||
try {
|
@Override
|
||||||
Init.init();
|
public SignaturePart next() {
|
||||||
RelationshipTransformService.registerDsigProvider();
|
PackagePart sigRelPart = null;
|
||||||
CryptoFunctions.registerBouncyCastle();
|
do {
|
||||||
} catch (Exception e) {
|
try {
|
||||||
throw new RuntimeException("Xml & BouncyCastle-Provider initialization failed", e);
|
if (!hasNext()) {
|
||||||
|
throw new NoSuchElementException();
|
||||||
|
}
|
||||||
|
sigRelPart = sigPart.getRelatedPart(sigRels.next());
|
||||||
|
LOG.log(POILogger.DEBUG, "XML Signature part", sigRelPart);
|
||||||
|
} catch (InvalidFormatException e) {
|
||||||
|
LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
|
||||||
|
}
|
||||||
|
} while (sigRelPart == null);
|
||||||
|
return new SignaturePart(sigRelPart, SignatureInfo.this);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void remove() {
|
||||||
|
throw new UnsupportedOperationException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Helper method for adding informations before the signing.
|
* Helper method for adding informations before the signing.
|
||||||
* Normally {@link #confirmSignature()} is sufficient to be used.
|
* Normally {@link #confirmSignature()} is sufficient to be used.
|
||||||
|
@ -356,35 +355,18 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public DOMSignedInfo preSign(final DOMSignContext xmlSignContext)
|
public DOMSignedInfo preSign(final DOMSignContext xmlSignContext)
|
||||||
throws XMLSignatureException, MarshalException {
|
throws XMLSignatureException, MarshalException {
|
||||||
signatureConfig.init(false);
|
|
||||||
|
|
||||||
final Document document = (Document)xmlSignContext.getParent();
|
final Document document = (Document)xmlSignContext.getParent();
|
||||||
|
|
||||||
// it's necessary to explicitly set the mdssi namespace, but the sign() method has no
|
registerEventListener(document);
|
||||||
// normal way to interfere with, so we need to add the namespace under the hand ...
|
|
||||||
EventTarget target = (EventTarget)document;
|
|
||||||
EventListener creationListener = signatureConfig.getSignatureMarshalListener();
|
|
||||||
if (creationListener != null) {
|
|
||||||
if (creationListener instanceof SignatureMarshalListener) {
|
|
||||||
((SignatureMarshalListener)creationListener).setEventTarget(target);
|
|
||||||
}
|
|
||||||
SignatureMarshalListener.setListener(target, creationListener, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
// Signature context construction.
|
||||||
* Signature context construction.
|
if (uriDereferencer != null) {
|
||||||
*/
|
|
||||||
URIDereferencer uriDereferencer = signatureConfig.getUriDereferencer();
|
|
||||||
if (null != uriDereferencer) {
|
|
||||||
xmlSignContext.setURIDereferencer(uriDereferencer);
|
xmlSignContext.setURIDereferencer(uriDereferencer);
|
||||||
}
|
}
|
||||||
|
|
||||||
signatureConfig.getNamespacePrefixes().forEach(xmlSignContext::putNamespacePrefix);
|
signatureConfig.getNamespacePrefixes().forEach(xmlSignContext::putNamespacePrefix);
|
||||||
|
|
||||||
xmlSignContext.setDefaultNamespacePrefix("");
|
xmlSignContext.setDefaultNamespacePrefix("");
|
||||||
// signatureConfig.getNamespacePrefixes().get(XML_DIGSIG_NS));
|
|
||||||
|
|
||||||
XMLSignatureFactory signatureFactory = signatureConfig.getSignatureFactory();
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Add ds:References that come from signing client local files.
|
* Add ds:References that come from signing client local files.
|
||||||
|
@ -397,7 +379,7 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
List<XMLObject> objects = new ArrayList<>();
|
List<XMLObject> objects = new ArrayList<>();
|
||||||
for (SignatureFacet signatureFacet : signatureConfig.getSignatureFacets()) {
|
for (SignatureFacet signatureFacet : signatureConfig.getSignatureFacets()) {
|
||||||
LOG.log(POILogger.DEBUG, "invoking signature facet: " + signatureFacet.getClass().getSimpleName());
|
LOG.log(POILogger.DEBUG, "invoking signature facet: " + signatureFacet.getClass().getSimpleName());
|
||||||
signatureFacet.preSign(document, references, objects);
|
signatureFacet.preSign(this, document, references, objects);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -471,6 +453,35 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
return (DOMSignedInfo)signedInfo;
|
return (DOMSignedInfo)signedInfo;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// it's necessary to explicitly set the mdssi namespace, but the sign() method has no
|
||||||
|
// normal way to interfere with, so we need to add the namespace under the hand ...
|
||||||
|
protected void registerEventListener(Document document) {
|
||||||
|
final SignatureMarshalListener sml = signatureConfig.getSignatureMarshalListener();
|
||||||
|
if (sml == null) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
EventTarget target = (EventTarget)document;
|
||||||
|
|
||||||
|
final EventListener[] el = { null };
|
||||||
|
el[0] = (e) -> {
|
||||||
|
if (!(e instanceof MutationEvent)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
MutationEvent mutEvt = (MutationEvent) e;
|
||||||
|
EventTarget et = mutEvt.getTarget();
|
||||||
|
if (!(et instanceof Element)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
sml.handleElement(this, (Element) et, target, el[0]);
|
||||||
|
};
|
||||||
|
|
||||||
|
SignatureMarshalListener.setListener(target, el[0], true);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Helper method for adding informations after the signing.
|
* Helper method for adding informations after the signing.
|
||||||
* Normally {@link #confirmSignature()} is sufficient to be used.
|
* Normally {@link #confirmSignature()} is sufficient to be used.
|
||||||
|
@ -492,7 +503,7 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
/*
|
/*
|
||||||
* Insert signature value into the ds:SignatureValue element
|
* Insert signature value into the ds:SignatureValue element
|
||||||
*/
|
*/
|
||||||
final Element signatureNode = getDsigElement(document, "SignatureValue");
|
final Element signatureNode = getDsigElement(document, "SignatureValue");
|
||||||
if (signatureNode == null) {
|
if (signatureNode == null) {
|
||||||
throw new RuntimeException("preSign has to be called before postSign");
|
throw new RuntimeException("preSign has to be called before postSign");
|
||||||
}
|
}
|
||||||
|
@ -502,7 +513,7 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* Allow signature facets to inject their own stuff.
|
* Allow signature facets to inject their own stuff.
|
||||||
*/
|
*/
|
||||||
for (SignatureFacet signatureFacet : signatureConfig.getSignatureFacets()) {
|
for (SignatureFacet signatureFacet : signatureConfig.getSignatureFacets()) {
|
||||||
signatureFacet.postSign(document);
|
signatureFacet.postSign(this, document);
|
||||||
}
|
}
|
||||||
|
|
||||||
writeDocument(document);
|
writeDocument(document);
|
||||||
|
@ -512,7 +523,7 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* Write XML signature into the OPC package
|
* Write XML signature into the OPC package
|
||||||
*
|
*
|
||||||
* @param document the xml signature document
|
* @param document the xml signature document
|
||||||
* @throws MarshalException
|
* @throws MarshalException if the document can't be serialized
|
||||||
*/
|
*/
|
||||||
protected void writeDocument(Document document) throws MarshalException {
|
protected void writeDocument(Document document) throws MarshalException {
|
||||||
XmlOptions xo = new XmlOptions();
|
XmlOptions xo = new XmlOptions();
|
||||||
|
@ -527,23 +538,21 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
* Copy the original OOXML content to the signed OOXML package. During
|
* Copy the original OOXML content to the signed OOXML package. During
|
||||||
* copying some files need to changed.
|
* copying some files need to changed.
|
||||||
*/
|
*/
|
||||||
OPCPackage pkg = signatureConfig.getOpcPackage();
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// <Default Extension="sigs" ContentType="application/vnd.openxmlformats-package.digital-signature-origin"/>
|
// <Default Extension="sigs" ContentType="application/vnd.openxmlformats-package.digital-signature-origin"/>
|
||||||
final DSigRelation originDesc = DSigRelation.ORIGIN_SIGS;
|
final DSigRelation originDesc = DSigRelation.ORIGIN_SIGS;
|
||||||
PackagePartName originPartName = PackagingURIHelper.createPartName(originDesc.getFileName(0));
|
PackagePartName originPartName = PackagingURIHelper.createPartName(originDesc.getFileName(0));
|
||||||
|
|
||||||
PackagePart originPart = pkg.getPart(originPartName);
|
PackagePart originPart = opcPackage.getPart(originPartName);
|
||||||
if (originPart == null) {
|
if (originPart == null) {
|
||||||
// touch empty marker file
|
// touch empty marker file
|
||||||
originPart = pkg.createPart(originPartName, originDesc.getContentType());
|
originPart = opcPackage.createPart(originPartName, originDesc.getContentType());
|
||||||
pkg.addRelationship(originPartName, TargetMode.INTERNAL, originDesc.getRelation());
|
opcPackage.addRelationship(originPartName, TargetMode.INTERNAL, originDesc.getRelation());
|
||||||
}
|
}
|
||||||
|
|
||||||
// <Override PartName="/_xmlsignatures/sig1.xml" ContentType="application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml"/>
|
// <Override PartName="/_xmlsignatures/sig1.xml" ContentType="application/vnd.openxmlformats-package.digital-signature-xmlsignature+xml"/>
|
||||||
final DSigRelation sigDesc = DSigRelation.SIG;
|
final DSigRelation sigDesc = DSigRelation.SIG;
|
||||||
int nextSigIdx = pkg.getUnusedPartIndex(sigDesc.getDefaultFileName());
|
int nextSigIdx = opcPackage.getUnusedPartIndex(sigDesc.getDefaultFileName());
|
||||||
|
|
||||||
if (!signatureConfig.isAllowMultipleSignatures()) {
|
if (!signatureConfig.isAllowMultipleSignatures()) {
|
||||||
PackageRelationshipCollection prc = originPart.getRelationshipsByType(sigDesc.getRelation());
|
PackageRelationshipCollection prc = originPart.getRelationshipsByType(sigDesc.getRelation());
|
||||||
|
@ -558,16 +567,16 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pkg.removePart(pkg.getPart(pn));
|
opcPackage.removePart(opcPackage.getPart(pn));
|
||||||
}
|
}
|
||||||
nextSigIdx = 1;
|
nextSigIdx = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
PackagePartName sigPartName = PackagingURIHelper.createPartName(sigDesc.getFileName(nextSigIdx));
|
PackagePartName sigPartName = PackagingURIHelper.createPartName(sigDesc.getFileName(nextSigIdx));
|
||||||
PackagePart sigPart = pkg.getPart(sigPartName);
|
PackagePart sigPart = opcPackage.getPart(sigPartName);
|
||||||
if (sigPart == null) {
|
if (sigPart == null) {
|
||||||
sigPart = pkg.createPart(sigPartName, sigDesc.getContentType());
|
sigPart = opcPackage.createPart(sigPartName, sigDesc.getContentType());
|
||||||
originPart.addRelationship(sigPartName, TargetMode.INTERNAL, sigDesc.getRelation());
|
originPart.addRelationship(sigPartName, TargetMode.INTERNAL, sigDesc.getRelation());
|
||||||
} else {
|
} else {
|
||||||
sigPart.clear();
|
sigPart.clear();
|
||||||
|
@ -590,7 +599,123 @@ public class SignatureInfo implements SignatureConfigurable {
|
||||||
}
|
}
|
||||||
|
|
||||||
LOG.log(POILogger.WARN, "Signature element '"+localName+"' was "+(sigValNl.getLength() == 0 ? "not found" : "multiple times"));
|
LOG.log(POILogger.WARN, "Signature element '"+localName+"' was "+(sigValNl.getLength() == 0 ? "not found" : "multiple times"));
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void setProvider(Provider provider) {
|
||||||
|
this.provider = provider;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setSignatureFactory(XMLSignatureFactory signatureFactory) {
|
||||||
|
this.signatureFactory = signatureFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
public XMLSignatureFactory getSignatureFactory() {
|
||||||
|
return signatureFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setKeyInfoFactory(KeyInfoFactory keyInfoFactory) {
|
||||||
|
this.keyInfoFactory = keyInfoFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
public KeyInfoFactory getKeyInfoFactory() {
|
||||||
|
return keyInfoFactory;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize the xml signing environment and the bouncycastle provider
|
||||||
|
*/
|
||||||
|
@SuppressWarnings("deprecation")
|
||||||
|
protected void initXmlProvider() {
|
||||||
|
if (opcPackage == null) {
|
||||||
|
opcPackage = signatureConfig.getOpcPackage();
|
||||||
|
}
|
||||||
|
if (provider == null) {
|
||||||
|
provider = signatureConfig.getProvider();
|
||||||
|
if (provider == null) {
|
||||||
|
provider = XmlProviderInitSingleton.getInstance().findProvider();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (signatureFactory == null) {
|
||||||
|
signatureFactory = signatureConfig.getSignatureFactory();
|
||||||
|
if (signatureFactory == null) {
|
||||||
|
signatureFactory = XMLSignatureFactory.getInstance("DOM", provider);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (keyInfoFactory == null) {
|
||||||
|
keyInfoFactory = signatureConfig.getKeyInfoFactory();
|
||||||
|
if (keyInfoFactory == null) {
|
||||||
|
keyInfoFactory = KeyInfoFactory.getInstance("DOM", provider);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (uriDereferencer == null) {
|
||||||
|
uriDereferencer = signatureConfig.getUriDereferencer();
|
||||||
|
if (uriDereferencer == null) {
|
||||||
|
uriDereferencer = new OOXMLURIDereferencer();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (uriDereferencer instanceof OOXMLURIDereferencer) {
|
||||||
|
((OOXMLURIDereferencer)uriDereferencer).setSignatureInfo(this);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final class XmlProviderInitSingleton {
|
||||||
|
|
||||||
|
// Bill Pugh Singleton
|
||||||
|
private static class SingletonHelper {
|
||||||
|
private static final XmlProviderInitSingleton INSTANCE = new XmlProviderInitSingleton();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static XmlProviderInitSingleton getInstance(){
|
||||||
|
return SingletonHelper.INSTANCE;
|
||||||
|
}
|
||||||
|
|
||||||
|
private XmlProviderInitSingleton() {
|
||||||
|
try {
|
||||||
|
Init.init();
|
||||||
|
RelationshipTransformService.registerDsigProvider();
|
||||||
|
CryptoFunctions.registerBouncyCastle();
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new RuntimeException("Xml & BouncyCastle-Provider initialization failed", e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This method tests the existence of xml signature provider in the following order:
|
||||||
|
* <ul>
|
||||||
|
* <li>the class pointed to by the system property "jsr105Provider"</li>
|
||||||
|
* <li>the Santuario xmlsec provider</li>
|
||||||
|
* <li>the JDK xmlsec provider</li>
|
||||||
|
* </ul>
|
||||||
|
*
|
||||||
|
* For signing the classes are linked against the Santuario xmlsec, so this might
|
||||||
|
* only work for validation (not tested).
|
||||||
|
*
|
||||||
|
* @return the xml dsig provider
|
||||||
|
*/
|
||||||
|
public Provider findProvider() {
|
||||||
|
return
|
||||||
|
Stream.of(SignatureConfig.getProviderNames())
|
||||||
|
.map(this::getProvider)
|
||||||
|
.filter(Objects::nonNull).findFirst()
|
||||||
|
.orElseThrow(this::providerNotFound);
|
||||||
|
}
|
||||||
|
|
||||||
|
private Provider getProvider(String className) {
|
||||||
|
try {
|
||||||
|
return (Provider)Class.forName(className).newInstance();
|
||||||
|
} catch (Exception e) {
|
||||||
|
LOG.log(POILogger.DEBUG, "XMLDsig-Provider '"+className+"' can't be found - trying next.");
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private RuntimeException providerNotFound() {
|
||||||
|
return new RuntimeException("JRE doesn't support default xml signature provider - set jsr105Provider system property!");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
/* ====================================================================
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
contributor license agreements. See the NOTICE file distributed with
|
||||||
|
this work for additional information regarding copyright ownership.
|
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
(the "License"); you may not use this file except in compliance with
|
||||||
|
the License. You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
==================================================================== */
|
||||||
|
|
||||||
|
package org.apache.poi.poifs.crypt.dsig;
|
||||||
|
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.SignatureMarshalListener.setListener;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.OO_DIGSIG_NS;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.XML_NS;
|
||||||
|
|
||||||
|
import org.w3c.dom.Element;
|
||||||
|
import org.w3c.dom.Node;
|
||||||
|
import org.w3c.dom.NodeList;
|
||||||
|
import org.w3c.dom.events.EventListener;
|
||||||
|
import org.w3c.dom.events.EventTarget;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This listener class is used, to modify the to be digested xml document,
|
||||||
|
* e.g. to register id attributes or set prefixes for registered namespaces
|
||||||
|
*/
|
||||||
|
public class SignatureMarshalDefaultListener implements SignatureMarshalListener {
|
||||||
|
@Override
|
||||||
|
public void handleElement(SignatureInfo signatureInfo, Element el, EventTarget target, EventListener parentListener) {
|
||||||
|
if (el.hasAttribute("Id")) {
|
||||||
|
el.setIdAttribute("Id", true);
|
||||||
|
}
|
||||||
|
|
||||||
|
setListener(target, parentListener, false);
|
||||||
|
if (OO_DIGSIG_NS.equals(el.getNamespaceURI())) {
|
||||||
|
String parentNS = el.getParentNode().getNamespaceURI();
|
||||||
|
if (!OO_DIGSIG_NS.equals(parentNS) && !el.hasAttributeNS(XML_NS, "mdssi")) {
|
||||||
|
el.setAttributeNS(XML_NS, "xmlns:mdssi", OO_DIGSIG_NS);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
setPrefix(signatureInfo, el);
|
||||||
|
setListener(target, parentListener, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected static void setPrefix(SignatureInfo signatureInfo, Node el) {
|
||||||
|
String prefix = signatureInfo.getSignatureConfig().getNamespacePrefixes().get(el.getNamespaceURI());
|
||||||
|
if (prefix != null && el.getPrefix() == null) {
|
||||||
|
el.setPrefix(prefix);
|
||||||
|
}
|
||||||
|
|
||||||
|
NodeList nl = el.getChildNodes();
|
||||||
|
for (int i=0; i<nl.getLength(); i++) {
|
||||||
|
setPrefix(signatureInfo, nl.item(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -17,85 +17,25 @@
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig;
|
package org.apache.poi.poifs.crypt.dsig;
|
||||||
|
|
||||||
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.OO_DIGSIG_NS;
|
|
||||||
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.XML_NS;
|
|
||||||
|
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
|
|
||||||
import org.w3c.dom.Element;
|
import org.w3c.dom.Element;
|
||||||
import org.w3c.dom.Node;
|
|
||||||
import org.w3c.dom.NodeList;
|
|
||||||
import org.w3c.dom.events.Event;
|
|
||||||
import org.w3c.dom.events.EventListener;
|
import org.w3c.dom.events.EventListener;
|
||||||
import org.w3c.dom.events.EventTarget;
|
import org.w3c.dom.events.EventTarget;
|
||||||
import org.w3c.dom.events.MutationEvent;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This listener class is used, to modify the to be digested xml document,
|
* This listener interface is used, to modify the to be digested xml document,
|
||||||
* e.g. to register id attributes or set prefixes for registered namespaces
|
* e.g. to register id attributes or set prefixes for registered namespaces
|
||||||
*/
|
*/
|
||||||
public class SignatureMarshalListener implements EventListener, SignatureConfigurable {
|
public interface SignatureMarshalListener {
|
||||||
ThreadLocal<EventTarget> target = new ThreadLocal<>();
|
void handleElement(SignatureInfo signatureInfo, Element el, EventTarget target, EventListener parentListener);
|
||||||
SignatureConfig signatureConfig;
|
|
||||||
public void setEventTarget(EventTarget target) {
|
|
||||||
this.target.set(target);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void handleEvent(Event e) {
|
|
||||||
if (!(e instanceof MutationEvent)) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
MutationEvent mutEvt = (MutationEvent)e;
|
|
||||||
EventTarget et = mutEvt.getTarget();
|
|
||||||
if (!(et instanceof Element)) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
handleElement((Element)et);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void handleElement(Element el) {
|
|
||||||
EventTarget target = this.target.get();
|
|
||||||
|
|
||||||
if (el.hasAttribute("Id")) {
|
|
||||||
el.setIdAttribute("Id", true);
|
|
||||||
}
|
|
||||||
|
|
||||||
setListener(target, this, false);
|
|
||||||
if (OO_DIGSIG_NS.equals(el.getNamespaceURI())) {
|
|
||||||
String parentNS = el.getParentNode().getNamespaceURI();
|
|
||||||
if (!OO_DIGSIG_NS.equals(parentNS) && !el.hasAttributeNS(XML_NS, "mdssi")) {
|
|
||||||
el.setAttributeNS(XML_NS, "xmlns:mdssi", OO_DIGSIG_NS);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
setPrefix(el);
|
|
||||||
setListener(target, this, true);
|
|
||||||
}
|
|
||||||
|
|
||||||
// helper method to keep it in one place
|
// helper method to keep it in one place
|
||||||
public static void setListener(EventTarget target, EventListener listener, boolean enabled) {
|
static void setListener(EventTarget target, EventListener listener, boolean enabled) {
|
||||||
String type = "DOMSubtreeModified";
|
final String type = "DOMSubtreeModified";
|
||||||
boolean useCapture = false;
|
final boolean DONT_USE_CAPTURE = false;
|
||||||
if (enabled) {
|
if (enabled) {
|
||||||
target.addEventListener(type, listener, useCapture);
|
target.addEventListener(type, listener, DONT_USE_CAPTURE);
|
||||||
} else {
|
} else {
|
||||||
target.removeEventListener(type, listener, useCapture);
|
target.removeEventListener(type, listener, DONT_USE_CAPTURE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void setPrefix(Node el) {
|
|
||||||
String prefix = signatureConfig.getNamespacePrefixes().get(el.getNamespaceURI());
|
|
||||||
if (prefix != null && el.getPrefix() == null) {
|
|
||||||
el.setPrefix(prefix);
|
|
||||||
}
|
|
||||||
|
|
||||||
NodeList nl = el.getChildNodes();
|
|
||||||
for (int i=0; i<nl.getLength(); i++) {
|
|
||||||
setPrefix(nl.item(i));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
|
||||||
this.signatureConfig = signatureConfig;
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -30,6 +30,7 @@ import java.util.Map;
|
||||||
import java.util.function.Consumer;
|
import java.util.function.Consumer;
|
||||||
|
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
|
import javax.xml.crypto.URIDereferencer;
|
||||||
import javax.xml.crypto.dsig.XMLSignature;
|
import javax.xml.crypto.dsig.XMLSignature;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureException;
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
||||||
|
@ -54,40 +55,40 @@ import org.xml.sax.SAXException;
|
||||||
|
|
||||||
public class SignaturePart {
|
public class SignaturePart {
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(SignaturePart.class);
|
private static final POILogger LOG = POILogFactory.getLogger(SignaturePart.class);
|
||||||
private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
|
private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
private final PackagePart signaturePart;
|
private final PackagePart signaturePart;
|
||||||
private final SignatureConfig signatureConfig;
|
private final SignatureInfo signatureInfo;
|
||||||
private X509Certificate signer;
|
private X509Certificate signer;
|
||||||
private List<X509Certificate> certChain;
|
private List<X509Certificate> certChain;
|
||||||
|
|
||||||
/* package */ SignaturePart(final PackagePart signaturePart, final SignatureConfig signatureConfig) {
|
/* package */ SignaturePart(final PackagePart signaturePart, final SignatureInfo signatureInfo) {
|
||||||
this.signaturePart = signaturePart;
|
this.signaturePart = signaturePart;
|
||||||
this.signatureConfig = signatureConfig;
|
this.signatureInfo = signatureInfo;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the package part containing the signature
|
* @return the package part containing the signature
|
||||||
*/
|
*/
|
||||||
public PackagePart getPackagePart() {
|
public PackagePart getPackagePart() {
|
||||||
return signaturePart;
|
return signaturePart;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the signer certificate
|
* @return the signer certificate
|
||||||
*/
|
*/
|
||||||
public X509Certificate getSigner() {
|
public X509Certificate getSigner() {
|
||||||
return signer;
|
return signer;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return the certificate chain of the signer
|
* @return the certificate chain of the signer
|
||||||
*/
|
*/
|
||||||
public List<X509Certificate> getCertChain() {
|
public List<X509Certificate> getCertChain() {
|
||||||
return certChain;
|
return certChain;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Helper method for examining the xml signature
|
* Helper method for examining the xml signature
|
||||||
*
|
*
|
||||||
|
@ -102,7 +103,7 @@ public class SignaturePart {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return true, when the xml signature is valid, false otherwise
|
* @return true, when the xml signature is valid, false otherwise
|
||||||
*
|
*
|
||||||
* @throws EncryptedDocumentException if the signature can't be extracted or if its malformed
|
* @throws EncryptedDocumentException if the signature can't be extracted or if its malformed
|
||||||
*/
|
*/
|
||||||
public boolean validate() {
|
public boolean validate() {
|
||||||
|
@ -117,14 +118,16 @@ public class SignaturePart {
|
||||||
for (int i=0; i<length; i++) {
|
for (int i=0; i<length; i++) {
|
||||||
((Element)nl.item(i)).setIdAttribute("Id", true);
|
((Element)nl.item(i)).setIdAttribute("Id", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
|
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
|
||||||
domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
|
domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);
|
||||||
domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer());
|
|
||||||
|
|
||||||
XMLSignatureFactory xmlSignatureFactory = signatureConfig.getSignatureFactory();
|
URIDereferencer uriDereferencer = signatureInfo.getUriDereferencer();
|
||||||
|
domValidateContext.setURIDereferencer(uriDereferencer);
|
||||||
|
|
||||||
|
XMLSignatureFactory xmlSignatureFactory = signatureInfo.getSignatureFactory();
|
||||||
XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
|
XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
|
||||||
|
|
||||||
boolean valid = xmlSignature.validate(domValidateContext);
|
boolean valid = xmlSignature.validate(domValidateContext);
|
||||||
|
|
||||||
if (valid) {
|
if (valid) {
|
||||||
|
@ -132,7 +135,7 @@ public class SignaturePart {
|
||||||
certChain = keySelector.getCertChain();
|
certChain = keySelector.getCertChain();
|
||||||
extractConfig(doc, xmlSignature);
|
extractConfig(doc, xmlSignature);
|
||||||
}
|
}
|
||||||
|
|
||||||
return valid;
|
return valid;
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
String s = "error in reading document";
|
String s = "error in reading document";
|
||||||
|
@ -158,6 +161,7 @@ public class SignaturePart {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void extractConfig(final Document doc, final XMLSignature xmlSignature) throws XPathExpressionException {
|
private void extractConfig(final Document doc, final XMLSignature xmlSignature) throws XPathExpressionException {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
if (!signatureConfig.isUpdateConfigOnValidate()) {
|
if (!signatureConfig.isUpdateConfigOnValidate()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -168,7 +172,7 @@ public class SignaturePart {
|
||||||
final XPath xpath = XPathHelper.getFactory().newXPath();
|
final XPath xpath = XPathHelper.getFactory().newXPath();
|
||||||
xpath.setNamespaceContext(new XPathNSContext());
|
xpath.setNamespaceContext(new XPathNSContext());
|
||||||
|
|
||||||
final Map<String,Consumer<String>> m = new HashMap();
|
final Map<String,Consumer<String>> m = new HashMap<>();
|
||||||
m.put("//mdssi:SignatureTime/mdssi:Value", signatureConfig::setExecutionTime);
|
m.put("//mdssi:SignatureTime/mdssi:Value", signatureConfig::setExecutionTime);
|
||||||
m.put("//xd:ClaimedRole", signatureConfig::setXadesRole);
|
m.put("//xd:ClaimedRole", signatureConfig::setXadesRole);
|
||||||
m.put("//dsss:SignatureComments", signatureConfig::setSignatureDescription);
|
m.put("//dsss:SignatureComments", signatureConfig::setSignatureDescription);
|
||||||
|
@ -185,7 +189,7 @@ public class SignaturePart {
|
||||||
final Map<String,String> nsMap = new HashMap<>();
|
final Map<String,String> nsMap = new HashMap<>();
|
||||||
|
|
||||||
{
|
{
|
||||||
signatureConfig.getNamespacePrefixes().forEach((k,v) -> nsMap.put(v,k));
|
signatureInfo.getSignatureConfig().getNamespacePrefixes().forEach((k,v) -> nsMap.put(v,k));
|
||||||
nsMap.put("dsss", MS_DIGSIG_NS);
|
nsMap.put("dsss", MS_DIGSIG_NS);
|
||||||
nsMap.put("ds", XML_DIGSIG_NS);
|
nsMap.put("ds", XML_DIGSIG_NS);
|
||||||
}
|
}
|
||||||
|
@ -193,6 +197,8 @@ public class SignaturePart {
|
||||||
public String getNamespaceURI(String prefix) {
|
public String getNamespaceURI(String prefix) {
|
||||||
return nsMap.get(prefix);
|
return nsMap.get(prefix);
|
||||||
}
|
}
|
||||||
|
@SuppressWarnings("rawtypes")
|
||||||
|
@Override
|
||||||
public Iterator getPrefixes(String val) {
|
public Iterator getPrefixes(String val) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,12 +18,15 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newReference;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newTransform;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
|
@ -33,28 +36,29 @@ import javax.xml.crypto.dsig.Transform;
|
||||||
import javax.xml.crypto.dsig.XMLObject;
|
import javax.xml.crypto.dsig.XMLObject;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureException;
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
|
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Signature Facet implementation to create enveloped signatures.
|
* Signature Facet implementation to create enveloped signatures.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
public class EnvelopedSignatureFacet extends SignatureFacet {
|
public class EnvelopedSignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void preSign(Document document
|
public void preSign(SignatureInfo signatureInfo
|
||||||
|
, Document document
|
||||||
, List<Reference> references
|
, List<Reference> references
|
||||||
, List<XMLObject> objects)
|
, List<XMLObject> objects)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
List<Transform> transforms = new ArrayList<>();
|
List<Transform> transforms = new ArrayList<>();
|
||||||
Transform envelopedTransform = newTransform(CanonicalizationMethod.ENVELOPED);
|
Transform envelopedTransform = newTransform(signatureInfo, CanonicalizationMethod.ENVELOPED);
|
||||||
transforms.add(envelopedTransform);
|
transforms.add(envelopedTransform);
|
||||||
Transform exclusiveTransform = newTransform(CanonicalizationMethod.EXCLUSIVE);
|
Transform exclusiveTransform = newTransform(signatureInfo, CanonicalizationMethod.EXCLUSIVE);
|
||||||
transforms.add(exclusiveTransform);
|
transforms.add(exclusiveTransform);
|
||||||
|
|
||||||
Reference reference = newReference("", transforms, null, null, null);
|
Reference reference = newReference(signatureInfo, "", transforms, null, null, null);
|
||||||
references.add(reference);
|
references.add(reference);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,9 +18,9 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
@ -29,7 +29,6 @@ import java.security.KeyException;
|
||||||
import java.security.cert.X509Certificate;
|
import java.security.cert.X509Certificate;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
|
||||||
|
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
import javax.xml.crypto.XMLStructure;
|
import javax.xml.crypto.XMLStructure;
|
||||||
|
@ -41,6 +40,8 @@ import javax.xml.crypto.dsig.keyinfo.KeyValue;
|
||||||
import javax.xml.crypto.dsig.keyinfo.X509Data;
|
import javax.xml.crypto.dsig.keyinfo.X509Data;
|
||||||
|
|
||||||
import org.apache.jcp.xml.dsig.internal.dom.DOMKeyInfo;
|
import org.apache.jcp.xml.dsig.internal.dom.DOMKeyInfo;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
import org.apache.poi.util.POILogger;
|
import org.apache.poi.util.POILogger;
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
|
@ -50,21 +51,20 @@ import org.w3c.dom.NodeList;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Signature Facet implementation that adds ds:KeyInfo to the XML signature.
|
* Signature Facet implementation that adds ds:KeyInfo to the XML signature.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
public class KeyInfoSignatureFacet extends SignatureFacet {
|
public class KeyInfoSignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(KeyInfoSignatureFacet.class);
|
private static final POILogger LOG = POILogFactory.getLogger(KeyInfoSignatureFacet.class);
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void postSign(Document document)
|
public void postSign(SignatureInfo signatureInfo, Document document)
|
||||||
throws MarshalException {
|
throws MarshalException {
|
||||||
LOG.log(POILogger.DEBUG, "postSign");
|
LOG.log(POILogger.DEBUG, "postSign");
|
||||||
|
|
||||||
NodeList nl = document.getElementsByTagNameNS(XML_DIGSIG_NS, "Object");
|
NodeList nl = document.getElementsByTagNameNS(XML_DIGSIG_NS, "Object");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Make sure we insert right after the ds:SignatureValue element, just
|
* Make sure we insert right after the ds:SignatureValue element, just
|
||||||
* before the first ds:Object element.
|
* before the first ds:Object element.
|
||||||
|
@ -74,8 +74,9 @@ public class KeyInfoSignatureFacet extends SignatureFacet {
|
||||||
/*
|
/*
|
||||||
* Construct the ds:KeyInfo element using JSR 105.
|
* Construct the ds:KeyInfo element using JSR 105.
|
||||||
*/
|
*/
|
||||||
KeyInfoFactory keyInfoFactory = signatureConfig.getKeyInfoFactory();
|
KeyInfoFactory keyInfoFactory = signatureInfo.getKeyInfoFactory();
|
||||||
List<Object> x509DataObjects = new ArrayList<>();
|
List<Object> x509DataObjects = new ArrayList<>();
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
X509Certificate signingCertificate = signatureConfig.getSigningCertificateChain().get(0);
|
X509Certificate signingCertificate = signatureConfig.getSigningCertificateChain().get(0);
|
||||||
|
|
||||||
List<XMLStructure> keyInfoContent = new ArrayList<>();
|
List<XMLStructure> keyInfoContent = new ArrayList<>();
|
||||||
|
@ -107,7 +108,7 @@ public class KeyInfoSignatureFacet extends SignatureFacet {
|
||||||
keyInfoContent.add(x509Data);
|
keyInfoContent.add(x509Data);
|
||||||
}
|
}
|
||||||
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(keyInfoContent);
|
KeyInfo keyInfo = keyInfoFactory.newKeyInfo(keyInfoContent);
|
||||||
DOMKeyInfo domKeyInfo = (DOMKeyInfo)keyInfo;
|
DOMKeyInfo domKeyInfo = (DOMKeyInfo)keyInfo;
|
||||||
|
|
||||||
Key key = new Key() {
|
Key key = new Key() {
|
||||||
private static final long serialVersionUID = 1L;
|
private static final long serialVersionUID = 1L;
|
||||||
|
@ -133,7 +134,7 @@ public class KeyInfoSignatureFacet extends SignatureFacet {
|
||||||
|
|
||||||
DOMStructure domStructure = new DOMStructure(n);
|
DOMStructure domStructure = new DOMStructure(n);
|
||||||
domKeyInfo.marshal(domStructure, domSignContext);
|
domKeyInfo.marshal(domStructure, domSignContext);
|
||||||
|
|
||||||
// move keyinfo into the right place
|
// move keyinfo into the right place
|
||||||
if (nextSibling != null) {
|
if (nextSibling != null) {
|
||||||
NodeList kiNl = document.getElementsByTagNameNS(XML_DIGSIG_NS, "KeyInfo");
|
NodeList kiNl = document.getElementsByTagNameNS(XML_DIGSIG_NS, "KeyInfo");
|
||||||
|
|
|
@ -24,20 +24,21 @@
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newReference;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newTransform;
|
||||||
|
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.text.DateFormat;
|
|
||||||
import java.text.SimpleDateFormat;
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.Comparator;
|
import java.util.Comparator;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Locale;
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
import javax.xml.XMLConstants;
|
import javax.xml.XMLConstants;
|
||||||
|
import javax.xml.crypto.URIReference;
|
||||||
import javax.xml.crypto.XMLStructure;
|
import javax.xml.crypto.XMLStructure;
|
||||||
import javax.xml.crypto.dom.DOMStructure;
|
import javax.xml.crypto.dom.DOMStructure;
|
||||||
import javax.xml.crypto.dsig.CanonicalizationMethod;
|
import javax.xml.crypto.dsig.CanonicalizationMethod;
|
||||||
|
@ -48,7 +49,10 @@ import javax.xml.crypto.dsig.SignatureProperty;
|
||||||
import javax.xml.crypto.dsig.Transform;
|
import javax.xml.crypto.dsig.Transform;
|
||||||
import javax.xml.crypto.dsig.XMLObject;
|
import javax.xml.crypto.dsig.XMLObject;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureException;
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
|
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
||||||
|
|
||||||
|
import com.microsoft.schemas.office.x2006.digsig.CTSignatureInfoV1;
|
||||||
|
import com.microsoft.schemas.office.x2006.digsig.SignatureInfoV1Document;
|
||||||
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
|
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
|
||||||
import org.apache.poi.openxml4j.opc.ContentTypes;
|
import org.apache.poi.openxml4j.opc.ContentTypes;
|
||||||
import org.apache.poi.openxml4j.opc.OPCPackage;
|
import org.apache.poi.openxml4j.opc.OPCPackage;
|
||||||
|
@ -58,9 +62,10 @@ import org.apache.poi.openxml4j.opc.PackageRelationship;
|
||||||
import org.apache.poi.openxml4j.opc.PackageRelationshipCollection;
|
import org.apache.poi.openxml4j.opc.PackageRelationshipCollection;
|
||||||
import org.apache.poi.openxml4j.opc.PackagingURIHelper;
|
import org.apache.poi.openxml4j.opc.PackagingURIHelper;
|
||||||
import org.apache.poi.openxml4j.opc.TargetMode;
|
import org.apache.poi.openxml4j.opc.TargetMode;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService;
|
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService.RelationshipTransformParameterSpec;
|
import org.apache.poi.poifs.crypt.dsig.services.RelationshipTransformService.RelationshipTransformParameterSpec;
|
||||||
import org.apache.poi.util.LocaleUtil;
|
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
import org.apache.poi.util.POILogger;
|
import org.apache.poi.util.POILogger;
|
||||||
import org.openxmlformats.schemas.xpackage.x2006.digitalSignature.CTSignatureTime;
|
import org.openxmlformats.schemas.xpackage.x2006.digitalSignature.CTSignatureTime;
|
||||||
|
@ -68,58 +73,58 @@ import org.openxmlformats.schemas.xpackage.x2006.digitalSignature.SignatureTimeD
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
import org.w3c.dom.Element;
|
import org.w3c.dom.Element;
|
||||||
|
|
||||||
import com.microsoft.schemas.office.x2006.digsig.CTSignatureInfoV1;
|
|
||||||
import com.microsoft.schemas.office.x2006.digsig.SignatureInfoV1Document;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Office OpenXML Signature Facet implementation.
|
* Office OpenXML Signature Facet implementation.
|
||||||
*
|
*
|
||||||
* @see <a href="http://msdn.microsoft.com/en-us/library/cc313071.aspx">[MS-OFFCRYPTO]: Office Document Cryptography Structure</a>
|
* @see <a href="http://msdn.microsoft.com/en-us/library/cc313071.aspx">[MS-OFFCRYPTO]: Office Document Cryptography Structure</a>
|
||||||
*/
|
*/
|
||||||
public class OOXMLSignatureFacet extends SignatureFacet {
|
public class OOXMLSignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(OOXMLSignatureFacet.class);
|
private static final POILogger LOG = POILogFactory.getLogger(OOXMLSignatureFacet.class);
|
||||||
private static final String ID_PACKAGE_OBJECT = "idPackageObject";
|
private static final String ID_PACKAGE_OBJECT = "idPackageObject";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void preSign(
|
public void preSign(
|
||||||
Document document
|
SignatureInfo signatureInfo
|
||||||
|
, Document document
|
||||||
, List<Reference> references
|
, List<Reference> references
|
||||||
, List<XMLObject> objects)
|
, List<XMLObject> objects)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
LOG.log(POILogger.DEBUG, "pre sign");
|
LOG.log(POILogger.DEBUG, "pre sign");
|
||||||
addManifestObject(document, references, objects);
|
addManifestObject(signatureInfo, document, references, objects);
|
||||||
addSignatureInfo(document, references, objects);
|
addSignatureInfo(signatureInfo, document, references, objects);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void addManifestObject(
|
protected void addManifestObject(
|
||||||
Document document
|
SignatureInfo signatureInfo
|
||||||
|
, Document document
|
||||||
, List<Reference> references
|
, List<Reference> references
|
||||||
, List<XMLObject> objects)
|
, List<XMLObject> objects)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
|
|
||||||
|
final XMLSignatureFactory sigFac = signatureInfo.getSignatureFactory();
|
||||||
|
|
||||||
List<Reference> manifestReferences = new ArrayList<>();
|
List<Reference> manifestReferences = new ArrayList<>();
|
||||||
addManifestReferences(manifestReferences);
|
addManifestReferences(signatureInfo, manifestReferences);
|
||||||
Manifest manifest = getSignatureFactory().newManifest(manifestReferences);
|
Manifest manifest = sigFac.newManifest(manifestReferences);
|
||||||
|
|
||||||
List<XMLStructure> objectContent = new ArrayList<>();
|
List<XMLStructure> objectContent = new ArrayList<>();
|
||||||
objectContent.add(manifest);
|
objectContent.add(manifest);
|
||||||
|
|
||||||
addSignatureTime(document, objectContent);
|
addSignatureTime(signatureInfo, document, objectContent);
|
||||||
|
|
||||||
XMLObject xo = getSignatureFactory().newXMLObject(objectContent, ID_PACKAGE_OBJECT, null, null);
|
XMLObject xo = sigFac.newXMLObject(objectContent, ID_PACKAGE_OBJECT, null, null);
|
||||||
objects.add(xo);
|
objects.add(xo);
|
||||||
|
|
||||||
Reference reference = newReference("#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object", null, null);
|
Reference reference = newReference(signatureInfo, "#"+ID_PACKAGE_OBJECT, null, XML_DIGSIG_NS+"Object", null, null);
|
||||||
references.add(reference);
|
references.add(reference);
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings("resource")
|
@SuppressWarnings("resource")
|
||||||
protected void addManifestReferences(List<Reference> manifestReferences)
|
protected void addManifestReferences(SignatureInfo signatureInfo, List<Reference> manifestReferences)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
|
OPCPackage opcPackage = signatureInfo.getOpcPackage();
|
||||||
OPCPackage ooxml = signatureConfig.getOpcPackage();
|
List<PackagePart> relsEntryNames = opcPackage.getPartsByContentType(ContentTypes.RELATIONSHIPS_PART);
|
||||||
List<PackagePart> relsEntryNames = ooxml.getPartsByContentType(ContentTypes.RELATIONSHIPS_PART);
|
|
||||||
|
|
||||||
Set<String> digestedPartNames = new HashSet<>();
|
Set<String> digestedPartNames = new HashSet<>();
|
||||||
for (PackagePart pp : relsEntryNames) {
|
for (PackagePart pp : relsEntryNames) {
|
||||||
|
@ -127,7 +132,7 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
|
|
||||||
PackageRelationshipCollection prc;
|
PackageRelationshipCollection prc;
|
||||||
try {
|
try {
|
||||||
prc = new PackageRelationshipCollection(ooxml);
|
prc = new PackageRelationshipCollection(opcPackage);
|
||||||
prc.parseRelationshipsPart(pp);
|
prc.parseRelationshipsPart(pp);
|
||||||
} catch (InvalidFormatException e) {
|
} catch (InvalidFormatException e) {
|
||||||
throw new XMLSignatureException("Invalid relationship descriptor: "+pp.getPartName().getName(), e);
|
throw new XMLSignatureException("Invalid relationship descriptor: "+pp.getPartName().getName(), e);
|
||||||
|
@ -163,7 +168,7 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
String contentType;
|
String contentType;
|
||||||
try {
|
try {
|
||||||
PackagePartName relName = PackagingURIHelper.createPartName(partName);
|
PackagePartName relName = PackagingURIHelper.createPartName(partName);
|
||||||
PackagePart pp2 = ooxml.getPart(relName);
|
PackagePart pp2 = opcPackage.getPart(relName);
|
||||||
contentType = pp2.getContentType();
|
contentType = pp2.getContentType();
|
||||||
} catch (InvalidFormatException e) {
|
} catch (InvalidFormatException e) {
|
||||||
throw new XMLSignatureException(e);
|
throw new XMLSignatureException(e);
|
||||||
|
@ -176,26 +181,22 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
String uri = partName + "?ContentType=" + contentType;
|
String uri = partName + "?ContentType=" + contentType;
|
||||||
Reference reference = newReference(uri, null, null, null, null);
|
Reference reference = newReference(signatureInfo, uri, null, null, null, null);
|
||||||
manifestReferences.add(reference);
|
manifestReferences.add(reference);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (parameterSpec.hasSourceIds()) {
|
if (parameterSpec.hasSourceIds()) {
|
||||||
List<Transform> transforms = new ArrayList<>();
|
List<Transform> transforms = new ArrayList<>();
|
||||||
transforms.add(newTransform(RelationshipTransformService.TRANSFORM_URI, parameterSpec));
|
transforms.add(newTransform(signatureInfo, RelationshipTransformService.TRANSFORM_URI, parameterSpec));
|
||||||
transforms.add(newTransform(CanonicalizationMethod.INCLUSIVE));
|
transforms.add(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE));
|
||||||
String uri = normalizePartName(pp.getPartName().getURI(), baseUri)
|
String uri = normalizePartName(pp.getPartName().getURI(), baseUri)
|
||||||
+ "?ContentType=application/vnd.openxmlformats-package.relationships+xml";
|
+ "?ContentType=application/vnd.openxmlformats-package.relationships+xml";
|
||||||
Reference reference = newReference(uri, transforms, null, null, null);
|
Reference reference = newReference(signatureInfo, uri, transforms, null, null, null);
|
||||||
manifestReferences.add(reference);
|
manifestReferences.add(reference);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
manifestReferences.sort(new Comparator<Reference>() {
|
manifestReferences.sort(Comparator.comparing(URIReference::getURI));
|
||||||
public int compare(Reference o1, Reference o2) {
|
|
||||||
return o1.getURI().compareTo(o2.getURI());
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -217,7 +218,9 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
protected void addSignatureTime(Document document, List<XMLStructure> objectContent) {
|
protected void addSignatureTime(SignatureInfo signatureInfo, Document document, List<XMLStructure> objectContent) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
XMLSignatureFactory sigFac = signatureInfo.getSignatureFactory();
|
||||||
/*
|
/*
|
||||||
* SignatureTime
|
* SignatureTime
|
||||||
*/
|
*/
|
||||||
|
@ -230,20 +233,25 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
Element n = (Element)document.importNode(ctTime.getDomNode(),true);
|
Element n = (Element)document.importNode(ctTime.getDomNode(),true);
|
||||||
List<XMLStructure> signatureTimeContent = new ArrayList<>();
|
List<XMLStructure> signatureTimeContent = new ArrayList<>();
|
||||||
signatureTimeContent.add(new DOMStructure(n));
|
signatureTimeContent.add(new DOMStructure(n));
|
||||||
SignatureProperty signatureTimeSignatureProperty = getSignatureFactory()
|
SignatureProperty signatureTimeSignatureProperty = sigFac
|
||||||
.newSignatureProperty(signatureTimeContent, "#" + signatureConfig.getPackageSignatureId(),
|
.newSignatureProperty(signatureTimeContent, "#" + signatureConfig.getPackageSignatureId(),
|
||||||
"idSignatureTime");
|
"idSignatureTime");
|
||||||
List<SignatureProperty> signaturePropertyContent = new ArrayList<>();
|
List<SignatureProperty> signaturePropertyContent = new ArrayList<>();
|
||||||
signaturePropertyContent.add(signatureTimeSignatureProperty);
|
signaturePropertyContent.add(signatureTimeSignatureProperty);
|
||||||
SignatureProperties signatureProperties = getSignatureFactory()
|
SignatureProperties signatureProperties = sigFac
|
||||||
.newSignatureProperties(signaturePropertyContent, null);
|
.newSignatureProperties(signaturePropertyContent, null);
|
||||||
objectContent.add(signatureProperties);
|
objectContent.add(signatureProperties);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void addSignatureInfo(Document document,
|
protected void addSignatureInfo(
|
||||||
List<Reference> references,
|
SignatureInfo signatureInfo
|
||||||
List<XMLObject> objects)
|
, Document document
|
||||||
|
, List<Reference> references
|
||||||
|
, List<XMLObject> objects)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
XMLSignatureFactory sigFac = signatureInfo.getSignatureFactory();
|
||||||
|
|
||||||
List<XMLStructure> objectContent = new ArrayList<>();
|
List<XMLStructure> objectContent = new ArrayList<>();
|
||||||
|
|
||||||
SignatureInfoV1Document sigV1 = SignatureInfoV1Document.Factory.newInstance();
|
SignatureInfoV1Document sigV1 = SignatureInfoV1Document.Factory.newInstance();
|
||||||
|
@ -259,20 +267,20 @@ public class OOXMLSignatureFacet extends SignatureFacet {
|
||||||
|
|
||||||
List<XMLStructure> signatureInfoContent = new ArrayList<>();
|
List<XMLStructure> signatureInfoContent = new ArrayList<>();
|
||||||
signatureInfoContent.add(new DOMStructure(n));
|
signatureInfoContent.add(new DOMStructure(n));
|
||||||
SignatureProperty signatureInfoSignatureProperty = getSignatureFactory()
|
SignatureProperty signatureInfoSignatureProperty = sigFac
|
||||||
.newSignatureProperty(signatureInfoContent, "#" + signatureConfig.getPackageSignatureId(),
|
.newSignatureProperty(signatureInfoContent, "#" + signatureConfig.getPackageSignatureId(),
|
||||||
"idOfficeV1Details");
|
"idOfficeV1Details");
|
||||||
|
|
||||||
List<SignatureProperty> signaturePropertyContent = new ArrayList<>();
|
List<SignatureProperty> signaturePropertyContent = new ArrayList<>();
|
||||||
signaturePropertyContent.add(signatureInfoSignatureProperty);
|
signaturePropertyContent.add(signatureInfoSignatureProperty);
|
||||||
SignatureProperties signatureProperties = getSignatureFactory()
|
SignatureProperties signatureProperties = sigFac
|
||||||
.newSignatureProperties(signaturePropertyContent, null);
|
.newSignatureProperties(signaturePropertyContent, null);
|
||||||
objectContent.add(signatureProperties);
|
objectContent.add(signatureProperties);
|
||||||
|
|
||||||
String objectId = "idOfficeObject";
|
String objectId = "idOfficeObject";
|
||||||
objects.add(getSignatureFactory().newXMLObject(objectContent, objectId, null, null));
|
objects.add(sigFac.newXMLObject(objectContent, objectId, null, null));
|
||||||
|
|
||||||
Reference reference = newReference("#" + objectId, null, XML_DIGSIG_NS+"Object", null, null);
|
Reference reference = newReference(signatureInfo, "#" + objectId, null, XML_DIGSIG_NS+"Object", null, null);
|
||||||
references.add(reference);
|
references.add(reference);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -18,9 +18,9 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
@ -28,6 +28,7 @@ import static org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;
|
||||||
|
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
|
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.xmlbeans.XmlException;
|
import org.apache.xmlbeans.XmlException;
|
||||||
import org.etsi.uri.x01903.v13.QualifyingPropertiesType;
|
import org.etsi.uri.x01903.v13.QualifyingPropertiesType;
|
||||||
import org.etsi.uri.x01903.v13.UnsignedPropertiesType;
|
import org.etsi.uri.x01903.v13.UnsignedPropertiesType;
|
||||||
|
@ -38,17 +39,15 @@ import org.w3c.dom.NodeList;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Work-around for Office2010 to accept the XAdES-BES/EPES signature.
|
* Work-around for Office2010 to accept the XAdES-BES/EPES signature.
|
||||||
*
|
*
|
||||||
* xades:UnsignedProperties/xades:UnsignedSignatureProperties needs to be
|
* xades:UnsignedProperties/xades:UnsignedSignatureProperties needs to be present.
|
||||||
* present.
|
*
|
||||||
*
|
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
public class Office2010SignatureFacet extends SignatureFacet {
|
public class Office2010SignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void postSign(Document document)
|
public void postSign(SignatureInfo signatureInfo, Document document)
|
||||||
throws MarshalException {
|
throws MarshalException {
|
||||||
// check for XAdES-BES
|
// check for XAdES-BES
|
||||||
NodeList nl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");
|
NodeList nl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");
|
||||||
|
@ -62,7 +61,7 @@ public class Office2010SignatureFacet extends SignatureFacet {
|
||||||
} catch (XmlException e) {
|
} catch (XmlException e) {
|
||||||
throw new MarshalException(e);
|
throw new MarshalException(e);
|
||||||
}
|
}
|
||||||
|
|
||||||
// create basic XML container structure
|
// create basic XML container structure
|
||||||
UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();
|
UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();
|
||||||
if (unsignedProps == null) {
|
if (unsignedProps == null) {
|
||||||
|
@ -72,7 +71,7 @@ public class Office2010SignatureFacet extends SignatureFacet {
|
||||||
if (unsignedSigProps == null) {
|
if (unsignedSigProps == null) {
|
||||||
/* unsignedSigProps = */ unsignedProps.addNewUnsignedSignatureProperties();
|
/* unsignedSigProps = */ unsignedProps.addNewUnsignedSignatureProperties();
|
||||||
}
|
}
|
||||||
|
|
||||||
Node n = document.importNode(qualProps.getDomNode().getFirstChild(), true);
|
Node n = document.importNode(qualProps.getDomNode().getFirstChild(), true);
|
||||||
nl.item(0).getParentNode().replaceChild(n, nl.item(0));
|
nl.item(0).getParentNode().replaceChild(n, nl.item(0));
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,70 +18,57 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
import java.security.GeneralSecurityException;
|
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import javax.xml.XMLConstants;
|
import javax.xml.XMLConstants;
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
import javax.xml.crypto.dsig.DigestMethod;
|
|
||||||
import javax.xml.crypto.dsig.Reference;
|
import javax.xml.crypto.dsig.Reference;
|
||||||
import javax.xml.crypto.dsig.Transform;
|
|
||||||
import javax.xml.crypto.dsig.XMLObject;
|
import javax.xml.crypto.dsig.XMLObject;
|
||||||
import javax.xml.crypto.dsig.XMLSignature;
|
import javax.xml.crypto.dsig.XMLSignature;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureException;
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
|
||||||
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
|
|
||||||
|
|
||||||
import org.apache.poi.openxml4j.opc.PackageNamespaces;
|
import org.apache.poi.openxml4j.opc.PackageNamespaces;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
|
import org.apache.poi.util.Internal;
|
||||||
import org.apache.poi.util.POILogFactory;
|
|
||||||
import org.apache.poi.util.POILogger;
|
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* JSR105 Signature Facet base class.
|
* JSR105 Signature Facet base class.
|
||||||
*/
|
*/
|
||||||
public abstract class SignatureFacet implements SignatureConfigurable {
|
@Internal
|
||||||
|
public interface SignatureFacet {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(SignatureFacet.class);
|
String XML_NS = XMLConstants.XMLNS_ATTRIBUTE_NS_URI;
|
||||||
|
String XML_DIGSIG_NS = XMLSignature.XMLNS;
|
||||||
public static final String XML_NS = XMLConstants.XMLNS_ATTRIBUTE_NS_URI;
|
String OO_DIGSIG_NS = PackageNamespaces.DIGITAL_SIGNATURE;
|
||||||
public static final String XML_DIGSIG_NS = XMLSignature.XMLNS;
|
String MS_DIGSIG_NS = "http://schemas.microsoft.com/office/2006/digsig";
|
||||||
public static final String OO_DIGSIG_NS = PackageNamespaces.DIGITAL_SIGNATURE;
|
String XADES_132_NS = "http://uri.etsi.org/01903/v1.3.2#";
|
||||||
public static final String MS_DIGSIG_NS = "http://schemas.microsoft.com/office/2006/digsig";
|
String XADES_141_NS = "http://uri.etsi.org/01903/v1.4.1#";
|
||||||
public static final String XADES_132_NS = "http://uri.etsi.org/01903/v1.3.2#";
|
|
||||||
public static final String XADES_141_NS = "http://uri.etsi.org/01903/v1.4.1#";
|
|
||||||
|
|
||||||
protected SignatureConfig signatureConfig;
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
|
||||||
this.signatureConfig = signatureConfig;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This method is being invoked by the XML signature service engine during
|
* This method is being invoked by the XML signature service engine during
|
||||||
* pre-sign phase. Via this method a signature facet implementation can add
|
* pre-sign phase. Via this method a signature facet implementation can add
|
||||||
* signature facets to an XML signature.
|
* signature facets to an XML signature.
|
||||||
*
|
*
|
||||||
|
* @param signatureInfo the signature info object holding the OPCPackage and other document related data
|
||||||
* @param document the signature document to be used for imports
|
* @param document the signature document to be used for imports
|
||||||
* @param references list of reference definitions
|
* @param references list of reference definitions
|
||||||
* @param objects objects to be signed/included in the signature document
|
* @param objects objects to be signed/included in the signature document
|
||||||
* @throws XMLSignatureException
|
* @throws XMLSignatureException
|
||||||
*/
|
*/
|
||||||
public void preSign(
|
default void preSign(
|
||||||
Document document
|
SignatureInfo signatureInfo
|
||||||
|
, Document document
|
||||||
, List<Reference> references
|
, List<Reference> references
|
||||||
, List<XMLObject> objects
|
, List<XMLObject> objects
|
||||||
) throws XMLSignatureException {
|
) throws XMLSignatureException {
|
||||||
// empty
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -89,62 +76,12 @@ public abstract class SignatureFacet implements SignatureConfigurable {
|
||||||
* the post-sign phase. Via this method a signature facet can extend the XML
|
* the post-sign phase. Via this method a signature facet can extend the XML
|
||||||
* signatures with for example key information.
|
* signatures with for example key information.
|
||||||
*
|
*
|
||||||
|
* @param signatureInfo the signature info object holding the OPCPackage and other document related data
|
||||||
* @param document the signature document to be modified
|
* @param document the signature document to be modified
|
||||||
* @throws MarshalException
|
* @throws MarshalException
|
||||||
*/
|
*/
|
||||||
public void postSign(Document document) throws MarshalException {
|
default void postSign(SignatureInfo signatureInfo, Document document) throws MarshalException {
|
||||||
// empty
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected XMLSignatureFactory getSignatureFactory() {
|
|
||||||
return signatureConfig.getSignatureFactory();
|
|
||||||
}
|
|
||||||
|
|
||||||
protected Transform newTransform(String canonicalizationMethod) throws XMLSignatureException {
|
|
||||||
return newTransform(canonicalizationMethod, null);
|
|
||||||
}
|
|
||||||
|
|
||||||
protected Transform newTransform(String canonicalizationMethod, TransformParameterSpec paramSpec)
|
|
||||||
throws XMLSignatureException {
|
|
||||||
try {
|
|
||||||
return getSignatureFactory().newTransform(canonicalizationMethod, paramSpec);
|
|
||||||
} catch (GeneralSecurityException e) {
|
|
||||||
throw new XMLSignatureException("unknown canonicalization method: "+canonicalizationMethod, e);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
protected Reference newReference(String uri, List<Transform> transforms, String type, String id, byte[] digestValue)
|
|
||||||
throws XMLSignatureException {
|
|
||||||
return newReference(uri, transforms, type, id, digestValue, signatureConfig);
|
|
||||||
}
|
|
||||||
|
|
||||||
public static Reference newReference(
|
|
||||||
String uri
|
|
||||||
, List<Transform> transforms
|
|
||||||
, String type
|
|
||||||
, String id
|
|
||||||
, byte[] digestValue
|
|
||||||
, SignatureConfig signatureConfig)
|
|
||||||
throws XMLSignatureException {
|
|
||||||
// the references appear in the package signature or the package object
|
|
||||||
// so we can use the default digest algorithm
|
|
||||||
String digestMethodUri = signatureConfig.getDigestMethodUri();
|
|
||||||
XMLSignatureFactory sigFac = signatureConfig.getSignatureFactory();
|
|
||||||
DigestMethod digestMethod;
|
|
||||||
try {
|
|
||||||
digestMethod = sigFac.newDigestMethod(digestMethodUri, null);
|
|
||||||
} catch (GeneralSecurityException e) {
|
|
||||||
throw new XMLSignatureException("unknown digest method uri: "+digestMethodUri, e);
|
|
||||||
}
|
|
||||||
|
|
||||||
Reference reference;
|
|
||||||
if (digestValue == null) {
|
|
||||||
reference = sigFac.newReference(uri, digestMethod, transforms, type, id);
|
|
||||||
} else {
|
|
||||||
reference = sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
return reference;
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -0,0 +1,75 @@
|
||||||
|
/* ====================================================================
|
||||||
|
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||||
|
contributor license agreements. See the NOTICE file distributed with
|
||||||
|
this work for additional information regarding copyright ownership.
|
||||||
|
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||||
|
(the "License"); you may not use this file except in compliance with
|
||||||
|
the License. You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
==================================================================== */
|
||||||
|
|
||||||
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
import java.security.GeneralSecurityException;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
import javax.xml.crypto.dsig.DigestMethod;
|
||||||
|
import javax.xml.crypto.dsig.Reference;
|
||||||
|
import javax.xml.crypto.dsig.Transform;
|
||||||
|
import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
|
import javax.xml.crypto.dsig.XMLSignatureFactory;
|
||||||
|
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
|
||||||
|
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
|
import org.apache.poi.util.Internal;
|
||||||
|
|
||||||
|
@Internal
|
||||||
|
final class SignatureFacetHelper {
|
||||||
|
private SignatureFacetHelper() {}
|
||||||
|
|
||||||
|
static Transform newTransform(SignatureInfo signatureInfo, String canonicalizationMethod) throws XMLSignatureException {
|
||||||
|
return newTransform(signatureInfo, canonicalizationMethod, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
static Transform newTransform(SignatureInfo signatureInfo, String canonicalizationMethod, TransformParameterSpec paramSpec)
|
||||||
|
throws XMLSignatureException {
|
||||||
|
try {
|
||||||
|
return signatureInfo.getSignatureFactory().newTransform(canonicalizationMethod, paramSpec);
|
||||||
|
} catch (GeneralSecurityException e) {
|
||||||
|
throw new XMLSignatureException("unknown canonicalization method: "+canonicalizationMethod, e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static Reference newReference(
|
||||||
|
SignatureInfo signatureInfo
|
||||||
|
, String uri
|
||||||
|
, List<Transform> transforms
|
||||||
|
, String type
|
||||||
|
, String id
|
||||||
|
, byte[] digestValue)
|
||||||
|
throws XMLSignatureException {
|
||||||
|
// the references appear in the package signature or the package object
|
||||||
|
// so we can use the default digest algorithm
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
String digestMethodUri = signatureConfig.getDigestMethodUri();
|
||||||
|
XMLSignatureFactory sigFac = signatureInfo.getSignatureFactory();
|
||||||
|
DigestMethod digestMethod;
|
||||||
|
try {
|
||||||
|
digestMethod = sigFac.newDigestMethod(digestMethodUri, null);
|
||||||
|
} catch (GeneralSecurityException e) {
|
||||||
|
throw new XMLSignatureException("unknown digest method uri: "+digestMethodUri, e);
|
||||||
|
}
|
||||||
|
|
||||||
|
return (digestValue == null)
|
||||||
|
? sigFac.newReference(uri, digestMethod, transforms, type, id)
|
||||||
|
: sigFac.newReference(uri, digestMethod, transforms, type, id, digestValue);
|
||||||
|
}
|
||||||
|
}
|
|
@ -18,13 +18,15 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
import static java.util.Collections.singletonList;
|
import static java.util.Collections.singletonList;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newReference;
|
||||||
|
import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacetHelper.newTransform;
|
||||||
|
|
||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
import java.security.cert.CertificateEncodingException;
|
import java.security.cert.CertificateEncodingException;
|
||||||
|
@ -48,6 +50,7 @@ import javax.xml.crypto.dsig.XMLSignatureException;
|
||||||
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
||||||
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.SignaturePolicyService;
|
import org.apache.poi.poifs.crypt.dsig.services.SignaturePolicyService;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
import org.apache.poi.util.POILogger;
|
import org.apache.poi.util.POILogger;
|
||||||
|
@ -77,36 +80,39 @@ import org.w3c.dom.Node;
|
||||||
* XAdES Signature Facet. Implements XAdES v1.4.1 which is compatible with XAdES
|
* XAdES Signature Facet. Implements XAdES v1.4.1 which is compatible with XAdES
|
||||||
* v1.3.2. The implemented XAdES format is XAdES-BES/EPES. It's up to another
|
* v1.3.2. The implemented XAdES format is XAdES-BES/EPES. It's up to another
|
||||||
* part of the signature service to upgrade the XAdES-BES to a XAdES-X-L.
|
* part of the signature service to upgrade the XAdES-BES to a XAdES-X-L.
|
||||||
*
|
*
|
||||||
* This implementation has been tested against an implementation that
|
* This implementation has been tested against an implementation that
|
||||||
* participated multiple ETSI XAdES plugtests.
|
* participated multiple ETSI XAdES plugtests.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
* @see <a href="http://en.wikipedia.org/wiki/XAdES">XAdES</a>
|
* @see <a href="http://en.wikipedia.org/wiki/XAdES">XAdES</a>
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class XAdESSignatureFacet extends SignatureFacet {
|
public class XAdESSignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(XAdESSignatureFacet.class);
|
private static final POILogger LOG = POILogFactory.getLogger(XAdESSignatureFacet.class);
|
||||||
|
|
||||||
private static final String XADES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
|
private static final String XADES_TYPE = "http://uri.etsi.org/01903#SignedProperties";
|
||||||
|
|
||||||
private final Map<String, String> dataObjectFormatMimeTypes = new HashMap<>();
|
private final Map<String, String> dataObjectFormatMimeTypes = new HashMap<>();
|
||||||
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void preSign(
|
public void preSign(
|
||||||
Document document
|
SignatureInfo signatureInfo
|
||||||
|
, Document document
|
||||||
, List<Reference> references
|
, List<Reference> references
|
||||||
, List<XMLObject> objects)
|
, List<XMLObject> objects)
|
||||||
throws XMLSignatureException {
|
throws XMLSignatureException {
|
||||||
LOG.log(POILogger.DEBUG, "preSign");
|
LOG.log(POILogger.DEBUG, "preSign");
|
||||||
|
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
|
||||||
// QualifyingProperties
|
// QualifyingProperties
|
||||||
QualifyingPropertiesDocument qualDoc = QualifyingPropertiesDocument.Factory.newInstance();
|
QualifyingPropertiesDocument qualDoc = QualifyingPropertiesDocument.Factory.newInstance();
|
||||||
QualifyingPropertiesType qualifyingProperties = qualDoc.addNewQualifyingProperties();
|
QualifyingPropertiesType qualifyingProperties = qualDoc.addNewQualifyingProperties();
|
||||||
qualifyingProperties.setTarget("#" + signatureConfig.getPackageSignatureId());
|
qualifyingProperties.setTarget("#" + signatureConfig.getPackageSignatureId());
|
||||||
|
|
||||||
// SignedProperties
|
// SignedProperties
|
||||||
SignedPropertiesType signedProperties = qualifyingProperties.addNewSignedProperties();
|
SignedPropertiesType signedProperties = qualifyingProperties.addNewSignedProperties();
|
||||||
signedProperties.setId(signatureConfig.getXadesSignatureId());
|
signedProperties.setId(signatureConfig.getXadesSignatureId());
|
||||||
|
@ -115,35 +121,37 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
SignedSignaturePropertiesType signedSignatureProperties = signedProperties.addNewSignedSignatureProperties();
|
SignedSignaturePropertiesType signedSignatureProperties = signedProperties.addNewSignedSignatureProperties();
|
||||||
|
|
||||||
// SigningTime
|
// SigningTime
|
||||||
addSigningTime(signedSignatureProperties);
|
addSigningTime(signatureInfo, signedSignatureProperties);
|
||||||
|
|
||||||
// SigningCertificate
|
// SigningCertificate
|
||||||
addCertificate(signedSignatureProperties);
|
addCertificate(signatureInfo, signedSignatureProperties);
|
||||||
|
|
||||||
// ClaimedRole
|
// ClaimedRole
|
||||||
addXadesRole(signedSignatureProperties);
|
addXadesRole(signatureInfo, signedSignatureProperties);
|
||||||
|
|
||||||
// XAdES-EPES
|
// XAdES-EPES
|
||||||
addPolicy(signedSignatureProperties);
|
addPolicy(signatureInfo, signedSignatureProperties);
|
||||||
|
|
||||||
// DataObjectFormat
|
// DataObjectFormat
|
||||||
addMimeTypes(signedProperties);
|
addMimeTypes(signedProperties);
|
||||||
|
|
||||||
// add XAdES ds:Object
|
// add XAdES ds:Object
|
||||||
objects.add(addXadesObject(document, qualifyingProperties));
|
objects.add(addXadesObject(signatureInfo, document, qualifyingProperties));
|
||||||
|
|
||||||
// add XAdES ds:Reference
|
// add XAdES ds:Reference
|
||||||
references.add(addXadesReference());
|
references.add(addXadesReference(signatureInfo));
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addSigningTime(SignedSignaturePropertiesType signedSignatureProperties) {
|
private void addSigningTime(SignatureInfo signatureInfo, SignedSignaturePropertiesType signedSignatureProperties) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
Calendar xmlGregorianCalendar = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
|
Calendar xmlGregorianCalendar = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
|
||||||
xmlGregorianCalendar.setTime(signatureConfig.getExecutionTime());
|
xmlGregorianCalendar.setTime(signatureConfig.getExecutionTime());
|
||||||
xmlGregorianCalendar.clear(Calendar.MILLISECOND);
|
xmlGregorianCalendar.clear(Calendar.MILLISECOND);
|
||||||
signedSignatureProperties.setSigningTime(xmlGregorianCalendar);
|
signedSignatureProperties.setSigningTime(xmlGregorianCalendar);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addCertificate(SignedSignaturePropertiesType signedSignatureProperties) {
|
private void addCertificate(SignatureInfo signatureInfo, SignedSignaturePropertiesType signedSignatureProperties) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
List<X509Certificate> chain = signatureConfig.getSigningCertificateChain();
|
List<X509Certificate> chain = signatureConfig.getSigningCertificateChain();
|
||||||
if (chain == null || chain.isEmpty()) {
|
if (chain == null || chain.isEmpty()) {
|
||||||
throw new RuntimeException("no signing certificate chain available");
|
throw new RuntimeException("no signing certificate chain available");
|
||||||
|
@ -153,7 +161,8 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
setCertID(certId, signatureConfig, signatureConfig.isXadesIssuerNameNoReverseOrder(), chain.get(0));
|
setCertID(certId, signatureConfig, signatureConfig.isXadesIssuerNameNoReverseOrder(), chain.get(0));
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addXadesRole(SignedSignaturePropertiesType signedSignatureProperties) {
|
private void addXadesRole(SignatureInfo signatureInfo, SignedSignaturePropertiesType signedSignatureProperties) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
String role = signatureConfig.getXadesRole();
|
String role = signatureConfig.getXadesRole();
|
||||||
if (role == null || role.isEmpty()) {
|
if (role == null || role.isEmpty()) {
|
||||||
return;
|
return;
|
||||||
|
@ -168,7 +177,8 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
insertXChild(claimedRole, roleString);
|
insertXChild(claimedRole, roleString);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addPolicy(SignedSignaturePropertiesType signedSignatureProperties) {
|
private void addPolicy(SignatureInfo signatureInfo, SignedSignaturePropertiesType signedSignatureProperties) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
SignaturePolicyService policyService = signatureConfig.getSignaturePolicyService();
|
SignaturePolicyService policyService = signatureConfig.getSignaturePolicyService();
|
||||||
if (policyService == null) {
|
if (policyService == null) {
|
||||||
if (signatureConfig.isXadesSignaturePolicyImplied()) {
|
if (signatureConfig.isXadesSignaturePolicyImplied()) {
|
||||||
|
@ -221,22 +231,23 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
private XMLObject addXadesObject(Document document, QualifyingPropertiesType qualifyingProperties) {
|
private XMLObject addXadesObject(SignatureInfo signatureInfo, Document document, QualifyingPropertiesType qualifyingProperties) {
|
||||||
Node qualDocElSrc = qualifyingProperties.getDomNode();
|
Node qualDocElSrc = qualifyingProperties.getDomNode();
|
||||||
Node qualDocEl = document.importNode(qualDocElSrc, true);
|
Node qualDocEl = document.importNode(qualDocElSrc, true);
|
||||||
List<XMLStructure> xadesObjectContent = Arrays.asList(new DOMStructure(qualDocEl));
|
List<XMLStructure> xadesObjectContent = Arrays.asList(new DOMStructure(qualDocEl));
|
||||||
return getSignatureFactory().newXMLObject(xadesObjectContent, null, null, null);
|
return signatureInfo.getSignatureFactory().newXMLObject(xadesObjectContent, null, null, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
private Reference addXadesReference() throws XMLSignatureException {
|
private Reference addXadesReference(SignatureInfo signatureInfo) throws XMLSignatureException {
|
||||||
List<Transform> transforms = singletonList(newTransform(CanonicalizationMethod.INCLUSIVE));
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
return newReference("#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null);
|
List<Transform> transforms = singletonList(newTransform(signatureInfo, CanonicalizationMethod.INCLUSIVE));
|
||||||
|
return newReference(signatureInfo, "#"+signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gives back the JAXB DigestAlgAndValue data structure.
|
* Gives back the JAXB DigestAlgAndValue data structure.
|
||||||
*
|
*
|
||||||
* @param digestAlgAndValue the parent for the new digest element
|
* @param digestAlgAndValue the parent for the new digest element
|
||||||
* @param data the data to be digested
|
* @param data the data to be digested
|
||||||
* @param digestAlgo the digest algorithm
|
* @param digestAlgo the digest algorithm
|
||||||
*/
|
*/
|
||||||
|
@ -246,7 +257,7 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
HashAlgorithm digestAlgo) {
|
HashAlgorithm digestAlgo) {
|
||||||
DigestMethodType digestMethod = digestAlgAndValue.addNewDigestMethod();
|
DigestMethodType digestMethod = digestAlgAndValue.addNewDigestMethod();
|
||||||
digestMethod.setAlgorithm(SignatureConfig.getDigestMethodUri(digestAlgo));
|
digestMethod.setAlgorithm(SignatureConfig.getDigestMethodUri(digestAlgo));
|
||||||
|
|
||||||
MessageDigest messageDigest = CryptoFunctions.getMessageDigest(digestAlgo);
|
MessageDigest messageDigest = CryptoFunctions.getMessageDigest(digestAlgo);
|
||||||
byte[] digestValue = messageDigest.digest(data);
|
byte[] digestValue = messageDigest.digest(data);
|
||||||
digestAlgAndValue.setDigestValue(digestValue);
|
digestAlgAndValue.setDigestValue(digestValue);
|
||||||
|
@ -264,7 +275,7 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
* Make sure the DN is encoded using the same order as present
|
* Make sure the DN is encoded using the same order as present
|
||||||
* within the certificate. This is an Office2010 work-around.
|
* within the certificate. This is an Office2010 work-around.
|
||||||
* Should be reverted back.
|
* Should be reverted back.
|
||||||
*
|
*
|
||||||
* XXX: not correct according to RFC 4514.
|
* XXX: not correct according to RFC 4514.
|
||||||
*/
|
*/
|
||||||
// TODO: check if issuerName is different on getTBSCertificate
|
// TODO: check if issuerName is different on getTBSCertificate
|
||||||
|
@ -283,14 +294,14 @@ public class XAdESSignatureFacet extends SignatureFacet {
|
||||||
throw new RuntimeException("certificate encoding error: "
|
throw new RuntimeException("certificate encoding error: "
|
||||||
+ e.getMessage(), e);
|
+ e.getMessage(), e);
|
||||||
}
|
}
|
||||||
DigestAlgAndValueType certDigest = certId.addNewCertDigest();
|
DigestAlgAndValueType certDigest = certId.addNewCertDigest();
|
||||||
setDigestAlgAndValue(certDigest, encodedCertificate, signatureConfig.getXadesDigestAlgo());
|
setDigestAlgAndValue(certDigest, encodedCertificate, signatureConfig.getXadesDigestAlgo());
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Adds a mime-type for the given ds:Reference (referred via its @URI). This
|
* Adds a mime-type for the given ds:Reference (referred via its @URI). This
|
||||||
* information is added via the xades:DataObjectFormat element.
|
* information is added via the xades:DataObjectFormat element.
|
||||||
*
|
*
|
||||||
* @param dsReferenceUri
|
* @param dsReferenceUri
|
||||||
* @param mimetype
|
* @param mimetype
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -18,9 +18,9 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.facets;
|
package org.apache.poi.poifs.crypt.dsig.facets;
|
||||||
|
|
||||||
|
@ -47,6 +47,8 @@ import java.util.UUID;
|
||||||
|
|
||||||
import javax.xml.crypto.MarshalException;
|
import javax.xml.crypto.MarshalException;
|
||||||
|
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.poifs.crypt.dsig.services.RevocationData;
|
import org.apache.poi.poifs.crypt.dsig.services.RevocationData;
|
||||||
import org.apache.poi.util.IOUtils;
|
import org.apache.poi.util.IOUtils;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
|
@ -73,18 +75,18 @@ import org.w3c.dom.NodeList;
|
||||||
/**
|
/**
|
||||||
* XAdES-X-L v1.4.1 signature facet. This signature facet implementation will
|
* XAdES-X-L v1.4.1 signature facet. This signature facet implementation will
|
||||||
* upgrade a given XAdES-BES/EPES signature to XAdES-X-L.
|
* upgrade a given XAdES-BES/EPES signature to XAdES-X-L.
|
||||||
*
|
*
|
||||||
* We don't inherit from XAdESSignatureFacet as we also want to be able to use
|
* We don't inherit from XAdESSignatureFacet as we also want to be able to use
|
||||||
* this facet out of the context of a signature creation. This signature facet
|
* this facet out of the context of a signature creation. This signature facet
|
||||||
* assumes that the signature is already XAdES-BES/EPES compliant.
|
* assumes that the signature is already XAdES-BES/EPES compliant.
|
||||||
*
|
*
|
||||||
* This implementation has been tested against an implementation that
|
* This implementation has been tested against an implementation that
|
||||||
* participated multiple ETSI XAdES plugtests.
|
* participated multiple ETSI XAdES plugtests.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
* @see XAdESSignatureFacet
|
* @see XAdESSignatureFacet
|
||||||
*/
|
*/
|
||||||
public class XAdESXLSignatureFacet extends SignatureFacet {
|
public class XAdESXLSignatureFacet implements SignatureFacet {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(XAdESXLSignatureFacet.class);
|
private static final POILogger LOG = POILogFactory.getLogger(XAdESXLSignatureFacet.class);
|
||||||
|
|
||||||
|
@ -99,9 +101,11 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void postSign(Document document) throws MarshalException {
|
public void postSign(SignatureInfo signatureInfo, Document document) throws MarshalException {
|
||||||
LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");
|
LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");
|
||||||
|
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
|
||||||
QualifyingPropertiesDocument qualDoc = null;
|
QualifyingPropertiesDocument qualDoc = null;
|
||||||
QualifyingPropertiesType qualProps = null;
|
QualifyingPropertiesType qualProps = null;
|
||||||
|
|
||||||
|
@ -127,18 +131,18 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
if (unsignedSigProps == null) {
|
if (unsignedSigProps == null) {
|
||||||
unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();
|
unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
// create the XAdES-T time-stamp
|
// create the XAdES-T time-stamp
|
||||||
NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");
|
NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");
|
||||||
if (nlSigVal.getLength() != 1) {
|
if (nlSigVal.getLength() != 1) {
|
||||||
throw new IllegalArgumentException("SignatureValue is not set.");
|
throw new IllegalArgumentException("SignatureValue is not set.");
|
||||||
}
|
}
|
||||||
|
|
||||||
RevocationData tsaRevocationDataXadesT = new RevocationData();
|
RevocationData tsaRevocationDataXadesT = new RevocationData();
|
||||||
LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");
|
LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");
|
||||||
XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp
|
XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp
|
||||||
(Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);
|
(signatureInfo, Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);
|
||||||
|
|
||||||
// marshal the XAdES-T extension
|
// marshal the XAdES-T extension
|
||||||
unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);
|
unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);
|
||||||
|
@ -158,7 +162,7 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
// XAdES-C: complete certificate refs
|
// XAdES-C: complete certificate refs
|
||||||
CompleteCertificateRefsType completeCertificateRefs =
|
CompleteCertificateRefsType completeCertificateRefs =
|
||||||
unsignedSigProps.addNewCompleteCertificateRefs();
|
unsignedSigProps.addNewCompleteCertificateRefs();
|
||||||
|
|
||||||
CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();
|
CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();
|
||||||
|
@ -176,7 +180,7 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
// XAdES-C: complete revocation refs
|
// XAdES-C: complete revocation refs
|
||||||
CompleteRevocationRefsType completeRevocationRefs =
|
CompleteRevocationRefsType completeRevocationRefs =
|
||||||
unsignedSigProps.addNewCompleteRevocationRefs();
|
unsignedSigProps.addNewCompleteRevocationRefs();
|
||||||
RevocationData revocationData = signatureConfig.getRevocationDataService()
|
RevocationData revocationData = signatureConfig.getRevocationDataService()
|
||||||
.getRevocationData(certChain);
|
.getRevocationData(certChain);
|
||||||
|
@ -212,22 +216,22 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
for (byte[] ocsp : revocationData.getOCSPs()) {
|
for (byte[] ocsp : revocationData.getOCSPs()) {
|
||||||
try {
|
try {
|
||||||
OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();
|
OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();
|
||||||
|
|
||||||
DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();
|
DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();
|
||||||
XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());
|
XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());
|
||||||
|
|
||||||
OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();
|
OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();
|
||||||
|
|
||||||
OCSPResp ocspResp = new OCSPResp(ocsp);
|
OCSPResp ocspResp = new OCSPResp(ocsp);
|
||||||
|
|
||||||
BasicOCSPResp basicOcspResp = (BasicOCSPResp)ocspResp.getResponseObject();
|
BasicOCSPResp basicOcspResp = (BasicOCSPResp)ocspResp.getResponseObject();
|
||||||
|
|
||||||
Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
|
Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
|
||||||
cal.setTime(basicOcspResp.getProducedAt());
|
cal.setTime(basicOcspResp.getProducedAt());
|
||||||
ocspIdentifier.setProducedAt(cal);
|
ocspIdentifier.setProducedAt(cal);
|
||||||
|
|
||||||
ResponderIDType responderId = ocspIdentifier.addNewResponderID();
|
ResponderIDType responderId = ocspIdentifier.addNewResponderID();
|
||||||
|
|
||||||
RespID respId = basicOcspResp.getResponderId();
|
RespID respId = basicOcspResp.getResponderId();
|
||||||
ResponderID ocspResponderId = respId.toASN1Primitive();
|
ResponderID ocspResponderId = respId.toASN1Primitive();
|
||||||
DERTaggedObject derTaggedObject = (DERTaggedObject)ocspResponderId.toASN1Primitive();
|
DERTaggedObject derTaggedObject = (DERTaggedObject)ocspResponderId.toASN1Primitive();
|
||||||
|
@ -247,7 +251,7 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
// marshal XAdES-C
|
// marshal XAdES-C
|
||||||
|
|
||||||
// XAdES-X Type 1 timestamp
|
// XAdES-X Type 1 timestamp
|
||||||
List<Node> timeStampNodesXadesX1 = new ArrayList<>();
|
List<Node> timeStampNodesXadesX1 = new ArrayList<>();
|
||||||
timeStampNodesXadesX1.add(nlSigVal.item(0));
|
timeStampNodesXadesX1.add(nlSigVal.item(0));
|
||||||
|
@ -258,7 +262,7 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
RevocationData tsaRevocationDataXadesX1 = new RevocationData();
|
RevocationData tsaRevocationDataXadesX1 = new RevocationData();
|
||||||
LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");
|
LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");
|
||||||
XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp
|
XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp
|
||||||
(timeStampNodesXadesX1, tsaRevocationDataXadesX1);
|
(signatureInfo, timeStampNodesXadesX1, tsaRevocationDataXadesX1);
|
||||||
if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {
|
if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {
|
||||||
ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);
|
ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);
|
||||||
insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);
|
insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);
|
||||||
|
@ -277,7 +281,7 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
|
throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();
|
RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();
|
||||||
createRevocationValues(revocationValues, revocationData);
|
createRevocationValues(revocationValues, revocationData);
|
||||||
|
|
||||||
|
@ -330,18 +334,21 @@ public class XAdESXLSignatureFacet extends SignatureFacet {
|
||||||
}
|
}
|
||||||
|
|
||||||
private XAdESTimeStampType createXAdESTimeStamp(
|
private XAdESTimeStampType createXAdESTimeStamp(
|
||||||
|
SignatureInfo signatureInfo,
|
||||||
List<Node> nodeList,
|
List<Node> nodeList,
|
||||||
RevocationData revocationData) {
|
RevocationData revocationData) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
byte[] c14nSignatureValueElement = getC14nValue(nodeList, signatureConfig.getXadesCanonicalizationMethod());
|
byte[] c14nSignatureValueElement = getC14nValue(nodeList, signatureConfig.getXadesCanonicalizationMethod());
|
||||||
|
|
||||||
return createXAdESTimeStamp(c14nSignatureValueElement, revocationData);
|
return createXAdESTimeStamp(signatureInfo, c14nSignatureValueElement, revocationData);
|
||||||
}
|
}
|
||||||
|
|
||||||
private XAdESTimeStampType createXAdESTimeStamp(byte[] data, RevocationData revocationData) {
|
private XAdESTimeStampType createXAdESTimeStamp(SignatureInfo signatureInfo, byte[] data, RevocationData revocationData) {
|
||||||
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
// create the time-stamp
|
// create the time-stamp
|
||||||
byte[] timeStampToken;
|
byte[] timeStampToken;
|
||||||
try {
|
try {
|
||||||
timeStampToken = signatureConfig.getTspService().timeStamp(data, revocationData);
|
timeStampToken = signatureConfig.getTspService().timeStamp(signatureInfo, data, revocationData);
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new RuntimeException("error while creating a time-stamp: "
|
throw new RuntimeException("error while creating a time-stamp: "
|
||||||
+ e.getMessage(), e);
|
+ e.getMessage(), e);
|
||||||
|
|
|
@ -18,9 +18,9 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.services;
|
package org.apache.poi.poifs.crypt.dsig.services;
|
||||||
|
|
||||||
|
@ -47,6 +47,7 @@ import java.util.Map;
|
||||||
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
import org.apache.poi.poifs.crypt.CryptoFunctions;
|
||||||
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
import org.apache.poi.poifs.crypt.HashAlgorithm;
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
|
||||||
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
import org.apache.poi.util.HexDump;
|
import org.apache.poi.util.HexDump;
|
||||||
import org.apache.poi.util.IOUtils;
|
import org.apache.poi.util.IOUtils;
|
||||||
import org.apache.poi.util.POILogFactory;
|
import org.apache.poi.util.POILogFactory;
|
||||||
|
@ -72,16 +73,14 @@ import org.bouncycastle.tsp.TimeStampToken;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A TSP time-stamp service implementation.
|
* A TSP time-stamp service implementation.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
public class TSPTimeStampService implements TimeStampService {
|
public class TSPTimeStampService implements TimeStampService {
|
||||||
|
|
||||||
private static final POILogger LOG = POILogFactory.getLogger(TSPTimeStampService.class);
|
private static final POILogger LOG = POILogFactory.getLogger(TSPTimeStampService.class);
|
||||||
|
|
||||||
private SignatureConfig signatureConfig;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Maps the digest algorithm to corresponding OID value.
|
* Maps the digest algorithm to corresponding OID value.
|
||||||
*/
|
*/
|
||||||
|
@ -97,8 +96,9 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
}
|
}
|
||||||
|
|
||||||
@SuppressWarnings({"unchecked","squid:S2647"})
|
@SuppressWarnings({"unchecked","squid:S2647"})
|
||||||
public byte[] timeStamp(byte[] data, RevocationData revocationData)
|
public byte[] timeStamp(SignatureInfo signatureInfo, byte[] data, RevocationData revocationData) throws Exception {
|
||||||
throws Exception {
|
SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();
|
||||||
|
|
||||||
// digest the message
|
// digest the message
|
||||||
MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo());
|
MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo());
|
||||||
byte[] digest = messageDigest.digest(data);
|
byte[] digest = messageDigest.digest(data);
|
||||||
|
@ -170,7 +170,7 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
huc.disconnect();
|
huc.disconnect();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!contentType.startsWith(signatureConfig.isTspOldProtocol()
|
if (!contentType.startsWith(signatureConfig.isTspOldProtocol()
|
||||||
? "application/timestamp-response"
|
? "application/timestamp-response"
|
||||||
: "application/timestamp-reply"
|
: "application/timestamp-reply"
|
||||||
)) {
|
)) {
|
||||||
|
@ -178,7 +178,7 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
// dump the first few bytes
|
// dump the first few bytes
|
||||||
": " + HexDump.dump(bos.toByteArray(), 0, 0, 200));
|
": " + HexDump.dump(bos.toByteArray(), 0, 0, 200));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (bos.size() == 0) {
|
if (bos.size() == 0) {
|
||||||
throw new RuntimeException("Content-Length is zero");
|
throw new RuntimeException("Content-Length is zero");
|
||||||
}
|
}
|
||||||
|
@ -209,7 +209,7 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
|
|
||||||
// TSP signer certificates retrieval
|
// TSP signer certificates retrieval
|
||||||
Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null);
|
Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null);
|
||||||
|
|
||||||
X509CertificateHolder signerCert = null;
|
X509CertificateHolder signerCert = null;
|
||||||
Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<>();
|
Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<>();
|
||||||
for (X509CertificateHolder certificate : certificates) {
|
for (X509CertificateHolder certificate : certificates) {
|
||||||
|
@ -245,7 +245,7 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider();
|
BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider();
|
||||||
BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator);
|
BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator);
|
||||||
SignerInformationVerifier verifier = verifierBuilder.build(holder);
|
SignerInformationVerifier verifier = verifierBuilder.build(holder);
|
||||||
|
|
||||||
timeStampToken.validate(verifier);
|
timeStampToken.validate(verifier);
|
||||||
|
|
||||||
// verify TSP signer certificate
|
// verify TSP signer certificate
|
||||||
|
@ -258,8 +258,4 @@ public class TSPTimeStampService implements TimeStampService {
|
||||||
|
|
||||||
return timeStampToken.getEncoded();
|
return timeStampToken.getEncoded();
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setSignatureConfig(SignatureConfig signatureConfig) {
|
|
||||||
this.signatureConfig = signatureConfig;
|
|
||||||
}
|
|
||||||
}
|
}
|
|
@ -18,28 +18,26 @@
|
||||||
/* ====================================================================
|
/* ====================================================================
|
||||||
This product contains an ASLv2 licensed version of the OOXML signer
|
This product contains an ASLv2 licensed version of the OOXML signer
|
||||||
package from the eID Applet project
|
package from the eID Applet project
|
||||||
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
http://code.google.com/p/eid-applet/source/browse/trunk/README.txt
|
||||||
Copyright (C) 2008-2014 FedICT.
|
Copyright (C) 2008-2014 FedICT.
|
||||||
================================================================= */
|
================================================================= */
|
||||||
|
|
||||||
package org.apache.poi.poifs.crypt.dsig.services;
|
package org.apache.poi.poifs.crypt.dsig.services;
|
||||||
|
|
||||||
import org.apache.poi.poifs.crypt.dsig.SignatureConfig.SignatureConfigurable;
|
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Interface for a time-stamp service.
|
* Interface for a time-stamp service.
|
||||||
*
|
*
|
||||||
* @author Frank Cornelis
|
* @author Frank Cornelis
|
||||||
*
|
|
||||||
*/
|
*/
|
||||||
public interface TimeStampService extends SignatureConfigurable {
|
public interface TimeStampService {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gives back the encoded time-stamp token for the given array of data
|
* Gives back the encoded time-stamp token for the given array of data
|
||||||
* bytes. We assume that the time-stamp token itself contains its full
|
* bytes. We assume that the time-stamp token itself contains its full
|
||||||
* certificate chain required for proper validation.
|
* certificate chain required for proper validation.
|
||||||
*
|
*
|
||||||
* @param data
|
* @param data
|
||||||
* the data to be time-stamped.
|
* the data to be time-stamped.
|
||||||
* @param revocationData
|
* @param revocationData
|
||||||
|
@ -49,6 +47,5 @@ public interface TimeStampService extends SignatureConfigurable {
|
||||||
* @throws Exception
|
* @throws Exception
|
||||||
* in case something went wrong.
|
* in case something went wrong.
|
||||||
*/
|
*/
|
||||||
byte[] timeStamp(byte[] data, RevocationData revocationData)
|
byte[] timeStamp(SignatureInfo signatureInfo, byte[] data, RevocationData revocationData) throws Exception;
|
||||||
throws Exception;
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -104,27 +104,18 @@ import org.apache.poi.xssf.streaming.SXSSFWorkbook;
|
||||||
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
|
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
|
||||||
import org.apache.xmlbeans.SystemProperties;
|
import org.apache.xmlbeans.SystemProperties;
|
||||||
import org.apache.xmlbeans.XmlObject;
|
import org.apache.xmlbeans.XmlObject;
|
||||||
import org.bouncycastle.asn1.DERIA5String;
|
|
||||||
import org.bouncycastle.asn1.DEROctetString;
|
import org.bouncycastle.asn1.DEROctetString;
|
||||||
import org.bouncycastle.asn1.DERSequence;
|
|
||||||
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
|
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
|
||||||
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
|
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
|
||||||
import org.bouncycastle.asn1.x500.X500Name;
|
import org.bouncycastle.asn1.x500.X500Name;
|
||||||
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
|
|
||||||
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
|
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
|
||||||
import org.bouncycastle.asn1.x509.BasicConstraints;
|
import org.bouncycastle.asn1.x509.BasicConstraints;
|
||||||
import org.bouncycastle.asn1.x509.CRLNumber;
|
import org.bouncycastle.asn1.x509.CRLNumber;
|
||||||
import org.bouncycastle.asn1.x509.CRLReason;
|
|
||||||
import org.bouncycastle.asn1.x509.DistributionPoint;
|
|
||||||
import org.bouncycastle.asn1.x509.DistributionPointName;
|
|
||||||
import org.bouncycastle.asn1.x509.Extension;
|
import org.bouncycastle.asn1.x509.Extension;
|
||||||
import org.bouncycastle.asn1.x509.Extensions;
|
import org.bouncycastle.asn1.x509.Extensions;
|
||||||
import org.bouncycastle.asn1.x509.GeneralName;
|
|
||||||
import org.bouncycastle.asn1.x509.GeneralNames;
|
|
||||||
import org.bouncycastle.asn1.x509.KeyUsage;
|
import org.bouncycastle.asn1.x509.KeyUsage;
|
||||||
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
|
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
|
||||||
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
|
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
|
||||||
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
|
|
||||||
import org.bouncycastle.cert.X509CRLHolder;
|
import org.bouncycastle.cert.X509CRLHolder;
|
||||||
import org.bouncycastle.cert.X509CertificateHolder;
|
import org.bouncycastle.cert.X509CertificateHolder;
|
||||||
import org.bouncycastle.cert.X509ExtensionUtils;
|
import org.bouncycastle.cert.X509ExtensionUtils;
|
||||||
|
@ -141,7 +132,6 @@ import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
|
||||||
import org.bouncycastle.cert.ocsp.OCSPResp;
|
import org.bouncycastle.cert.ocsp.OCSPResp;
|
||||||
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
|
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;
|
||||||
import org.bouncycastle.cert.ocsp.Req;
|
import org.bouncycastle.cert.ocsp.Req;
|
||||||
import org.bouncycastle.cert.ocsp.RevokedStatus;
|
|
||||||
import org.bouncycastle.crypto.params.RSAKeyParameters;
|
import org.bouncycastle.crypto.params.RSAKeyParameters;
|
||||||
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
|
import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;
|
||||||
import org.bouncycastle.openssl.PEMParser;
|
import org.bouncycastle.openssl.PEMParser;
|
||||||
|
@ -196,7 +186,7 @@ public class TestSignatureInfo {
|
||||||
String additionalJar = System.getProperty("additionaljar");
|
String additionalJar = System.getProperty("additionaljar");
|
||||||
//System.out.println("Having: " + additionalJar);
|
//System.out.println("Having: " + additionalJar);
|
||||||
Assume.assumeTrue("Not running TestSignatureInfo because we are testing with additionaljar set to " + additionalJar,
|
Assume.assumeTrue("Not running TestSignatureInfo because we are testing with additionaljar set to " + additionalJar,
|
||||||
additionalJar == null || additionalJar.trim().length() == 0);
|
additionalJar == null || additionalJar.trim().length() == 0);
|
||||||
|
|
||||||
System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
|
System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
|
||||||
|
|
||||||
|
@ -207,98 +197,97 @@ public class TestSignatureInfo {
|
||||||
@Ignore("This test is very sensitive, it breaks with every little change to the produced XML")
|
@Ignore("This test is very sensitive, it breaks with every little change to the produced XML")
|
||||||
@Test
|
@Test
|
||||||
public void bug61182() throws Exception {
|
public void bug61182() throws Exception {
|
||||||
String pfxInput =
|
final String pfxInput =
|
||||||
"H4sIAAAAAAAAAFXTfzzTeRwH8P2uGRmG6hKSmJh9a2HsuPy60VnHCEU6v86sieZH2Jr2qFl+s+ZHJ5tfUcfKb4uho/OjiFq1qTv5ceFyp0PqEK"+
|
"H4sIAAAAAAAAAFXTfzzTeRwH8P2uGRmG6hKSmJh9a2HsuPy60VnHCEU6v86sieZH2Jr2qFl+s+ZHJ5tfUcfKb4uho/OjiFq1qTv5ceFyp0PqEK"+
|
||||||
"fH4+66++Pz+Dwer9fj8f7r9cRzEd4QMBTPRWxDIM14ZN47NfAWsJgL34Bx4at4Lvwdngvd9b8KqgbjQpGbMXzzgRGovytVFTBEzIXU47kQCd4U"+
|
"fH4+66++Pz+Dwer9fj8f7r9cRzEd4QMBTPRWxDIM14ZN47NfAWsJgL34Bx4at4Lvwdngvd9b8KqgbjQpGbMXzzgRGovytVFTBEzIXU47kQCd4U"+
|
||||||
"ofJPvHl8JwyTjRS55hbKoor3UJLDE1i/PcPKCBAIDATjQlKiK67XjVYdcnkZgD2txroiAUb8W9dtn57DvTsbM+3wIsdocXDEN7TdPKgaSl+tU1"+
|
"ofJPvHl8JwyTjRS55hbKoor3UJLDE1i/PcPKCBAIDATjQlKiK67XjVYdcnkZgD2txroiAUb8W9dtn57DvTsbM+3wIsdocXDEN7TdPKgaSl+tU1"+
|
||||||
"xq9oqiB5yMaZCPho8uUEbFU9U6u3N7lEMLTJGeA0RfX+5FMRrpXPFrbrlJ8uNUCE2H247P28Ckyfqlsy32yeKg/HTbH5JpqUDNw2B32+SaiRw7"+
|
"xq9oqiB5yMaZCPho8uUEbFU9U6u3N7lEMLTJGeA0RfX+5FMRrpXPFrbrlJ8uNUCE2H247P28Ckyfqlsy32yeKg/HTbH5JpqUDNw2B32+SaiRw7"+
|
||||||
"ofRMePUpaAoK7KYgmd5ZIc0rLLYjJBfOWCb28xlrGhbpJvdToFdqt5PXVjEz5YOJ6g7W0fskuKW9/iZP0yLEVpR9XkkHmb6tfpcE8YwCdWNCan"+
|
"ofRMePUpaAoK7KYgmd5ZIc0rLLYjJBfOWCb28xlrGhbpJvdToFdqt5PXVjEz5YOJ6g7W0fskuKW9/iZP0yLEVpR9XkkHmb6tfpcE8YwCdWNCan"+
|
||||||
"LvAsco25JdF1j2/FLAMVU79HdOex07main90dy40511OZtTGZ+TdVd3lKZ7D3clEg9hLESHwSNnZ6239X4yLM4xYSElQ/hqSbwdmiozYG9PhF2"+
|
"LvAsco25JdF1j2/FLAMVU79HdOex07main90dy40511OZtTGZ+TdVd3lKZ7D3clEg9hLESHwSNnZ6239X4yLM4xYSElQ/hqSbwdmiozYG9PhF2"+
|
||||||
"Zf0XaZnxzTK0Iot+rJ3kYoxWTLE8DR9leV62Ywbtlg4mapYOxb3lT7fQ1x4EQ44flh2oFWSPLR8LMbsc6jzJsV6OZ3TrODjHEdw9W+8OD32vd8"+
|
"Zf0XaZnxzTK0Iot+rJ3kYoxWTLE8DR9leV62Ywbtlg4mapYOxb3lT7fQ1x4EQ44flh2oFWSPLR8LMbsc6jzJsV6OZ3TrODjHEdw9W+8OD32vd8"+
|
||||||
"XQ6iCaIHcrSOn6qS0TKLr786234eeSAhvAQbEsVn7vrvc/487Be/O2e/+5Y5zRq2zAtz6pfcNyraJNDqMW1inNkgJ3t3VESbZ3pNzyl3KHILs0"+
|
"XQ6iCaIHcrSOn6qS0TKLr786234eeSAhvAQbEsVn7vrvc/487Be/O2e/+5Y5zRq2zAtz6pfcNyraJNDqMW1inNkgJ3t3VESbZ3pNzyl3KHILs0"+
|
||||||
"51dY6msDYSlWhw40TglXxj9rw95O6gFWIuN012W/vhS50jpKXcao4gc1aLaXtJXxirbRkpZ/0e7a0pD6TDa7+GxEdEEML3VGo9udD5YUKhU3y7"+
|
"51dY6msDYSlWhw40TglXxj9rw95O6gFWIuN012W/vhS50jpKXcao4gc1aLaXtJXxirbRkpZ/0e7a0pD6TDa7+GxEdEEML3VGo9udD5YUKhU3y7"+
|
||||||
"SzWAgN6WIEIglq7LilvCjqIVLIfg8CvVGL9f5iSsCDf5hef4vMxbyvcjINuy06gZu+iPYOWNxjfrwKGYzoqqotK2aywgYVrPMh0JovfkDuN95n"+
|
"SzWAgN6WIEIglq7LilvCjqIVLIfg8CvVGL9f5iSsCDf5hef4vMxbyvcjINuy06gZu+iPYOWNxjfrwKGYzoqqotK2aywgYVrPMh0JovfkDuN95n"+
|
||||||
"MdVlYHbN1Mnn4TxAwuv+u3AkBlDZvRUUCwoDMUGxeMNPhTaAgWl60xhhBgCBaEMgAACReMAav7n3x598IDYJ9GxGXRAwaPOT/kfO/1AgPqLQkp"+
|
"MdVlYHbN1Mnn4TxAwuv+u3AkBlDZvRUUCwoDMUGxeMNPhTaAgWl60xhhBgCBaEMgAACReMAav7n3x598IDYJ9GxGXRAwaPOT/kfO/1AgPqLQkp"+
|
||||||
"MiIVaHthnUS4v2y32e2BjdMPyIImUTBW3cV3R5tjVQm0MOm+D2C5+bBW9vHLjLR4lun4toQiY3Ls/v4bES/OJ4EmpZk5xhL9i5ClofYZNEsxFn"+
|
"MiIVaHthnUS4v2y32e2BjdMPyIImUTBW3cV3R5tjVQm0MOm+D2C5+bBW9vHLjLR4lun4toQiY3Ls/v4bES/OJ4EmpZk5xhL9i5ClofYZNEsxFn"+
|
||||||
"An/q821Tg+Cq9Er4XYGQe8ogjjLJ2b7dUsJ3auFQFNUJF7Ke7yUL2EeYYxl6vz5l4q5u8704mRbFts1E1eWMp6WIy91GPrsVlRGvtuNERfrjfE"+
|
"An/q821Tg+Cq9Er4XYGQe8ogjjLJ2b7dUsJ3auFQFNUJF7Ke7yUL2EeYYxl6vz5l4q5u8704mRbFts1E1eWMp6WIy91GPrsVlRGvtuNERfrjfE"+
|
||||||
"YtzUI3Flcv65zJUbUBEzUnTS0fEYso2XyToAl8kb251mUY2o2lJzv5dp/1htmcjeeP2MjxC+3S45ljx7jd52Pv9XAat+ryiauFOF7YgztkoWWD"+
|
"YtzUI3Flcv65zJUbUBEzUnTS0fEYso2XyToAl8kb251mUY2o2lJzv5dp/1htmcjeeP2MjxC+3S45ljx7jd52Pv9XAat+ryiauFOF7YgztkoWWD"+
|
||||||
"h62tplPH1bzDV+d0NLdaE5AfVJ09HuUYTFS+iggtvT5Euyk+unj4N2XvzW91n+GNjtgWfKOHmkinUPvYRh70Jv+wlPJrVaT8mL7GxJLqDC9jbv"+
|
"h62tplPH1bzDV+d0NLdaE5AfVJ09HuUYTFS+iggtvT5Euyk+unj4N2XvzW91n+GNjtgWfKOHmkinUPvYRh70Jv+wlPJrVaT8mL7GxJLqDC9jbv"+
|
||||||
"Gznoiae6es+wQejnk3XjU366MrK/zXxngBYj9J6NnXc9mMiTFLX8WqQ8iTelTAFs2NJzPoDzrBUz4JFIEOa6Dja6dULc68g1jFDTeEHZyra7RZ"+
|
"Gznoiae6es+wQejnk3XjU366MrK/zXxngBYj9J6NnXc9mMiTFLX8WqQ8iTelTAFs2NJzPoDzrBUz4JFIEOa6Dja6dULc68g1jFDTeEHZyra7RZ"+
|
||||||
"2ElqGDEqcNRo3SNX6feMy9EF1GOyZK0Sa87KwjKw8aM68dpsIYjfLcTXaZ6atg0BKfMnl6axeUGEaIFSP7rzj9wjzumRbG3jgUVp2lX5AK/tsO"+
|
"2ElqGDEqcNRo3SNX6feMy9EF1GOyZK0Sa87KwjKw8aM68dpsIYjfLcTXaZ6atg0BKfMnl6axeUGEaIFSP7rzj9wjzumRbG3jgUVp2lX5AK/tsO"+
|
||||||
"7R4TQX/9/H6RiN34c9KldmPZZGANXzzTajZS9mR2OSvlJ+F4AgSko4htrMAKFTBu51/5SWNsO1vlRaaG48ZRJ+8PzuHQMdvS36gNpRPi7jhF1S"+
|
"7R4TQX/9/H6RiN34c9KldmPZZGANXzzTajZS9mR2OSvlJ+F4AgSko4htrMAKFTBu51/5SWNsO1vlRaaG48ZRJ+8PzuHQMdvS36gNpRPi7jhF1S"+
|
||||||
"H3B2ycI4y0VURv6SrqJNUY/X645ZFJQ+eBO+ptG7o8axf1dcqh2beiQk+GRTeZ37LVeUlaeo9vl1/+8tyBfyT2v5lFC5E19WdKIyCuZe7r99Px"+
|
"H3B2ycI4y0VURv6SrqJNUY/X645ZFJQ+eBO+ptG7o8axf1dcqh2beiQk+GRTeZ37LVeUlaeo9vl1/+8tyBfyT2v5lFC5E19WdKIyCuZe7r99Px"+
|
||||||
"D/Od4Qj0TA92+DQnbCQTCMy/wwse9O4gsEebkkpPIP5GBV3Q0YBsj75XE0uSFQ1tCZSW8bNa9MUJZ/nPBfExohHlgGAAA=";
|
"D/Od4Qj0TA92+DQnbCQTCMy/wwse9O4gsEebkkpPIP5GBV3Q0YBsj75XE0uSFQ1tCZSW8bNa9MUJZ/nPBfExohHlgGAAA=";
|
||||||
|
|
||||||
|
// Unix
|
||||||
|
final String unixSignExp =
|
||||||
|
"QkqTFQZjXagjRAoOWKpAGa8AR0rKqkSfBtfSWqtjBmTgyjarn+t2POHkpySIpheHAbg+90GKSH88ACMtPHbG7q" +
|
||||||
|
"FL4gtgAD9Kjew6j16j0IRBwy145UlPrSLFMfF7YF7UlU1k1LBkIlRJ6Fv4MAJl6XspuzZOZIUmHZrWrdxycUQ=";
|
||||||
|
|
||||||
|
// Windows
|
||||||
|
final String winSignExp =
|
||||||
|
"GmAlL7+bT1r3FsMHJOp3pKg8betblYieZTjhMIrPZPRBbSzjO7KsYRGNtr0aOE3qr8xzyYJN6/8QdF5X7pUEUc" +
|
||||||
|
"2m8ctrm7s5o2vZTkAqk9ENJGDjBPXX7TnuVOiVeL1cJdtjHC2QpjtRwkFR+B54G6b1OXLOFuQpP3vqR3+/XXE=";
|
||||||
|
|
||||||
|
// Mac
|
||||||
|
final String macSignExp =
|
||||||
|
"NZedY/LNTYU4nAUEUhIOg5+fKdgVtzRXKmdD3v+47E7Mb84oeiUGv9cCEE91DU3StF/JFIhjOJqavOzKnCsNcz" +
|
||||||
|
"NJ4j/inggUl1OJUsicqIGQnA7E8vzWnN1kf5lINgJLv+0PyrrX9sQZbItzxUpgqyOFYcD0trid+31nRt4wtaA=";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Calendar cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);
|
Calendar cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);
|
||||||
cal.clear();
|
cal.clear();
|
||||||
cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);
|
cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);
|
||||||
cal.set(2017, Calendar.JULY, 1);
|
cal.set(2017, Calendar.JULY, 1);
|
||||||
|
|
||||||
SignatureConfig signatureConfig = prepareConfig("test", "CN=Test", pfxInput);
|
SignatureConfig signatureConfig = prepareConfig(pfxInput);
|
||||||
signatureConfig.setExecutionTime(cal.getTime());
|
signatureConfig.setExecutionTime(cal.getTime());
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
|
|
||||||
XSSFWorkbook wb1 = new XSSFWorkbook();
|
|
||||||
wb1.createSheet().createRow(1).createCell(1).setCellValue("Test");
|
|
||||||
ByteArrayOutputStream bos = new ByteArrayOutputStream(100000);
|
ByteArrayOutputStream bos = new ByteArrayOutputStream(100000);
|
||||||
wb1.write(bos);
|
try (XSSFWorkbook wb1 = new XSSFWorkbook()) {
|
||||||
wb1.close();
|
wb1.createSheet().createRow(1).createCell(1).setCellValue("Test");
|
||||||
|
wb1.write(bos);
|
||||||
OPCPackage pkg1 = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()));
|
|
||||||
|
|
||||||
signatureConfig.setOpcPackage(pkg1);
|
|
||||||
si.confirmSignature();
|
|
||||||
assertTrue(si.verifySignature());
|
|
||||||
bos.reset();
|
|
||||||
pkg1.save(bos);
|
|
||||||
pkg1.close();
|
|
||||||
|
|
||||||
XSSFWorkbook wb2 = new XSSFWorkbook(new ByteArrayInputStream(bos.toByteArray()));
|
|
||||||
assertEquals("Test", wb2.getSheetAt(0).getRow(1).getCell(1).getStringCellValue());
|
|
||||||
OPCPackage pkg2 = wb2.getPackage();
|
|
||||||
signatureConfig.setOpcPackage(pkg2);
|
|
||||||
assertTrue(si.verifySignature());
|
|
||||||
|
|
||||||
// xmlbeans adds line-breaks depending on the system setting, so we get different
|
|
||||||
// test results on Unix/Mac/Windows
|
|
||||||
// if the xml documents eventually change, this test needs to be run with the
|
|
||||||
// separator set to the various system configurations
|
|
||||||
String sep = SystemProperties.getProperty( "line.separator" );
|
|
||||||
String signExp;
|
|
||||||
assumeTrue("Hashes only known for Windows/Unix/Mac", sep == null || "\n".equals(sep) || "\r\n".equals(sep) || "\r".equals(sep));
|
|
||||||
if (sep == null || "\n".equals(sep)) {
|
|
||||||
// Unix
|
|
||||||
signExp =
|
|
||||||
"QkqTFQZjXagjRAoOWKpAGa8AR0rKqkSfBtfSWqtjBmTgyjarn+t2POHkpySIpheHAbg+90GKSH88ACMtPHbG7q"+
|
|
||||||
"FL4gtgAD9Kjew6j16j0IRBwy145UlPrSLFMfF7YF7UlU1k1LBkIlRJ6Fv4MAJl6XspuzZOZIUmHZrWrdxycUQ=";
|
|
||||||
} else if ("\r\n".equals(sep)){
|
|
||||||
// Windows
|
|
||||||
signExp =
|
|
||||||
"GmAlL7+bT1r3FsMHJOp3pKg8betblYieZTjhMIrPZPRBbSzjO7KsYRGNtr0aOE3qr8xzyYJN6/8QdF5X7pUEUc"+
|
|
||||||
"2m8ctrm7s5o2vZTkAqk9ENJGDjBPXX7TnuVOiVeL1cJdtjHC2QpjtRwkFR+B54G6b1OXLOFuQpP3vqR3+/XXE=";
|
|
||||||
} else {
|
|
||||||
// Mac
|
|
||||||
signExp =
|
|
||||||
"NZedY/LNTYU4nAUEUhIOg5+fKdgVtzRXKmdD3v+47E7Mb84oeiUGv9cCEE91DU3StF/JFIhjOJqavOzKnCsNcz"+
|
|
||||||
"NJ4j/inggUl1OJUsicqIGQnA7E8vzWnN1kf5lINgJLv+0PyrrX9sQZbItzxUpgqyOFYcD0trid+31nRt4wtaA=";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
String signAct = si.getSignatureParts().iterator().next().
|
try (OPCPackage pkg1 = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {
|
||||||
getSignatureDocument().getSignature().getSignatureValue().getStringValue();
|
si.setOpcPackage(pkg1);
|
||||||
assertEquals(signExp, signAct);
|
si.confirmSignature();
|
||||||
|
assertTrue(si.verifySignature());
|
||||||
|
bos.reset();
|
||||||
|
pkg1.save(bos);
|
||||||
|
}
|
||||||
|
|
||||||
pkg2.close();
|
try (XSSFWorkbook wb2 = new XSSFWorkbook(new ByteArrayInputStream(bos.toByteArray()))) {
|
||||||
wb2.close();
|
assertEquals("Test", wb2.getSheetAt(0).getRow(1).getCell(1).getStringCellValue());
|
||||||
|
OPCPackage pkg2 = wb2.getPackage();
|
||||||
|
si.setOpcPackage(pkg2);
|
||||||
|
assertTrue(si.verifySignature());
|
||||||
|
|
||||||
|
// xmlbeans adds line-breaks depending on the system setting, so we get different
|
||||||
|
// test results on Unix/Mac/Windows
|
||||||
|
// if the xml documents eventually change, this test needs to be run with the
|
||||||
|
// separator set to the various system configurations
|
||||||
|
String sep = SystemProperties.getProperty("line.separator");
|
||||||
|
String signExp;
|
||||||
|
assumeTrue("Hashes only known for Windows/Unix/Mac", sep == null || "\n".equals(sep) || "\r\n".equals(sep) || "\r".equals(sep));
|
||||||
|
signExp = (sep == null || "\n".equals(sep)) ? unixSignExp : ("\r\n".equals(sep)) ? winSignExp : macSignExp;
|
||||||
|
|
||||||
|
String signAct = si.getSignatureParts().iterator().next().
|
||||||
|
getSignatureDocument().getSignature().getSignatureValue().getStringValue();
|
||||||
|
assertEquals(signExp, signAct);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void office2007prettyPrintedRels() throws Exception {
|
public void office2007prettyPrintedRels() throws Exception {
|
||||||
try (OPCPackage pkg = OPCPackage.open(testdata.getFile("office2007prettyPrintedRels.docx"), PackageAccess.READ)) {
|
try (OPCPackage pkg = OPCPackage.open(testdata.getFile("office2007prettyPrintedRels.docx"), PackageAccess.READ)) {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
boolean isValid = si.verifySignature();
|
boolean isValid = si.verifySignature();
|
||||||
assertTrue(isValid);
|
assertTrue(isValid);
|
||||||
|
@ -315,19 +304,19 @@ public class TestSignatureInfo {
|
||||||
};
|
};
|
||||||
|
|
||||||
for (String testFile : testFiles) {
|
for (String testFile : testFiles) {
|
||||||
OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
|
|
||||||
SignatureConfig sic = new SignatureConfig();
|
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
|
||||||
si.setSignatureConfig(sic);
|
|
||||||
List<X509Certificate> result = new ArrayList<>();
|
List<X509Certificate> result = new ArrayList<>();
|
||||||
for (SignaturePart sp : si.getSignatureParts()) {
|
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
|
||||||
if (sp.validate()) {
|
SignatureConfig sic = new SignatureConfig();
|
||||||
result.add(sp.getSigner());
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
|
si.setSignatureConfig(sic);
|
||||||
|
for (SignaturePart sp : si.getSignatureParts()) {
|
||||||
|
if (sp.validate()) {
|
||||||
|
result.add(sp.getSigner());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
pkg.revert();
|
||||||
}
|
}
|
||||||
pkg.revert();
|
|
||||||
pkg.close();
|
|
||||||
assertNotNull(result);
|
assertNotNull(result);
|
||||||
assertTrue(result.isEmpty());
|
assertTrue(result.isEmpty());
|
||||||
}
|
}
|
||||||
|
@ -345,14 +334,14 @@ public class TestSignatureInfo {
|
||||||
"ms-office-2010-signed.pptx",
|
"ms-office-2010-signed.pptx",
|
||||||
"ms-office-2010-signed.xlsx",
|
"ms-office-2010-signed.xlsx",
|
||||||
"Office2010-SP1-XAdES-X-L.docx",
|
"Office2010-SP1-XAdES-X-L.docx",
|
||||||
"signed.docx",
|
"signed.docx"
|
||||||
};
|
};
|
||||||
|
|
||||||
for (String testFile : testFiles) {
|
for (String testFile : testFiles) {
|
||||||
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
|
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
List<X509Certificate> result = new ArrayList<>();
|
List<X509Certificate> result = new ArrayList<>();
|
||||||
for (SignaturePart sp : si.getSignatureParts()) {
|
for (SignaturePart sp : si.getSignatureParts()) {
|
||||||
|
@ -378,8 +367,8 @@ public class TestSignatureInfo {
|
||||||
String testFile = "hello-world-signed-twice.docx";
|
String testFile = "hello-world-signed-twice.docx";
|
||||||
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
|
try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
List<X509Certificate> result = new ArrayList<>();
|
List<X509Certificate> result = new ArrayList<>();
|
||||||
for (SignaturePart sp : si.getSignatureParts()) {
|
for (SignaturePart sp : si.getSignatureParts()) {
|
||||||
|
@ -404,9 +393,9 @@ public class TestSignatureInfo {
|
||||||
@Test
|
@Test
|
||||||
public void testSignSpreadsheet() throws Exception {
|
public void testSignSpreadsheet() throws Exception {
|
||||||
String testFile = "hello-world-unsigned.xlsx";
|
String testFile = "hello-world-unsigned.xlsx";
|
||||||
OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
|
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
||||||
sign(pkg, "Test", "CN=Test", 1);
|
sign(pkg);
|
||||||
pkg.close();
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static class CommitableWorkbook extends XSSFWorkbook {
|
private static class CommitableWorkbook extends XSSFWorkbook {
|
||||||
|
@ -423,7 +412,7 @@ public class TestSignatureInfo {
|
||||||
// sign & validate
|
// sign & validate
|
||||||
String testFile = "hello-world-unsigned.xlsx";
|
String testFile = "hello-world-unsigned.xlsx";
|
||||||
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
||||||
sign(pkg, "Test", "CN=Test", 1);
|
sign(pkg);
|
||||||
|
|
||||||
// manipulate
|
// manipulate
|
||||||
try (CommitableWorkbook wb = new CommitableWorkbook(pkg)) {
|
try (CommitableWorkbook wb = new CommitableWorkbook(pkg)) {
|
||||||
|
@ -436,8 +425,8 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
// validate
|
// validate
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
boolean b = si.verifySignature();
|
boolean b = si.verifySignature();
|
||||||
assertFalse("signature should be broken", b);
|
assertFalse("signature should be broken", b);
|
||||||
|
@ -449,14 +438,14 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testSignSpreadsheetWithSignatureInfo() throws Exception {
|
public void testSignSpreadsheetWithSignatureInfo() throws Exception {
|
||||||
initKeyPair("Test", "CN=Test");
|
initKeyPair();
|
||||||
String testFile = "hello-world-unsigned.xlsx";
|
String testFile = "hello-world-unsigned.xlsx";
|
||||||
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
sic.setKey(keyPair.getPrivate());
|
sic.setKey(keyPair.getPrivate());
|
||||||
sic.setSigningCertificateChain(Collections.singletonList(x509));
|
sic.setSigningCertificateChain(Collections.singletonList(x509));
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
// hash > sha1 doesn't work in excel viewer ...
|
// hash > sha1 doesn't work in excel viewer ...
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
|
@ -481,12 +470,11 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
try (OPCPackage pkg = OPCPackage.open(copy(sigCopy), PackageAccess.READ_WRITE)) {
|
try (OPCPackage pkg = OPCPackage.open(copy(sigCopy), PackageAccess.READ_WRITE)) {
|
||||||
|
|
||||||
initKeyPair("Test", "CN=Test");
|
initKeyPair();
|
||||||
final X509CRL crl = generateCrl(x509, keyPair.getPrivate());
|
final X509CRL crl = generateCrl(x509, keyPair.getPrivate());
|
||||||
|
|
||||||
// setup
|
// setup
|
||||||
SignatureConfig signatureConfig = new SignatureConfig();
|
SignatureConfig signatureConfig = new SignatureConfig();
|
||||||
signatureConfig.setOpcPackage(pkg);
|
|
||||||
signatureConfig.setKey(keyPair.getPrivate());
|
signatureConfig.setKey(keyPair.getPrivate());
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -529,17 +517,9 @@ public class TestSignatureInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mockTsp) {
|
if (mockTsp) {
|
||||||
TimeStampService tspService = new TimeStampService() {
|
TimeStampService tspService = (signatureInfo, data, revocationData) -> {
|
||||||
@Override
|
revocationData.addCRL(crl);
|
||||||
public byte[] timeStamp(byte[] data, RevocationData revocationData) {
|
return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);
|
||||||
revocationData.addCRL(crl);
|
|
||||||
return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void setSignatureConfig(SignatureConfig config) {
|
|
||||||
// empty on purpose
|
|
||||||
}
|
|
||||||
};
|
};
|
||||||
signatureConfig.setTspService(tspService);
|
signatureConfig.setTspService(tspService);
|
||||||
} else {
|
} else {
|
||||||
|
@ -555,8 +535,7 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
final RevocationData revocationData = new RevocationData();
|
final RevocationData revocationData = new RevocationData();
|
||||||
revocationData.addCRL(crl);
|
revocationData.addCRL(crl);
|
||||||
OCSPResp ocspResp = createOcspResp(x509, false,
|
OCSPResp ocspResp = createOcspResp(x509, x509, x509, keyPair.getPrivate(), cal.getTimeInMillis());
|
||||||
x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());
|
|
||||||
revocationData.addOCSP(ocspResp.getEncoded());
|
revocationData.addOCSP(ocspResp.getEncoded());
|
||||||
|
|
||||||
RevocationDataService revocationDataService = revocationChain -> revocationData;
|
RevocationDataService revocationDataService = revocationChain -> revocationData;
|
||||||
|
@ -564,33 +543,31 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
// operate
|
// operate
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
try {
|
try {
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
} catch (RuntimeException e) {
|
} catch (RuntimeException e) {
|
||||||
pkg.close();
|
|
||||||
// only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
|
// only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
|
||||||
if (e.getCause() == null) {
|
if (e.getCause() == null) {
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
if ((e.getCause() instanceof ConnectException) || (e.getCause() instanceof SocketTimeoutException)) {
|
if ((e.getCause() instanceof ConnectException) || (e.getCause() instanceof SocketTimeoutException)) {
|
||||||
Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e,
|
Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e,
|
||||||
e.getCause().getMessage().contains("timed out"));
|
e.getCause().getMessage().contains("timed out"));
|
||||||
} else if (e.getCause() instanceof IOException) {
|
} else if (e.getCause() instanceof IOException) {
|
||||||
Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e,
|
Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e,
|
||||||
e.getCause().getMessage().contains("Error contacting TSP server"));
|
e.getCause().getMessage().contains("Error contacting TSP server"));
|
||||||
} else if (e.getCause() instanceof RuntimeException) {
|
} else if (e.getCause() instanceof RuntimeException) {
|
||||||
Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e,
|
Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e,
|
||||||
e.getCause().getMessage().contains("This site is cur"));
|
e.getCause().getMessage().contains("This site is cur"));
|
||||||
}
|
}
|
||||||
throw e;
|
throw e;
|
||||||
}
|
}
|
||||||
|
|
||||||
// verify
|
// verify
|
||||||
Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
|
Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
|
||||||
assertTrue("Had: " + si.getSignatureConfig().getOpcPackage().
|
assertTrue("Had: " + pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN), spIter.hasNext());
|
||||||
getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN),
|
|
||||||
spIter.hasNext());
|
|
||||||
SignaturePart sp = spIter.next();
|
SignaturePart sp = spIter.next();
|
||||||
boolean valid = sp.validate();
|
boolean valid = sp.validate();
|
||||||
assertTrue(valid);
|
assertTrue(valid);
|
||||||
|
@ -627,10 +604,10 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {
|
try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {
|
||||||
SignatureConfig signatureConfig = new SignatureConfig();
|
SignatureConfig signatureConfig = new SignatureConfig();
|
||||||
signatureConfig.setOpcPackage(pkg);
|
|
||||||
signatureConfig.setUpdateConfigOnValidate(true);
|
signatureConfig.setUpdateConfigOnValidate(true);
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
|
|
||||||
assertTrue(si.verifySignature());
|
assertTrue(si.verifySignature());
|
||||||
|
@ -667,13 +644,7 @@ public class TestSignatureInfo {
|
||||||
conn.connect();
|
conn.connect();
|
||||||
|
|
||||||
if (fireRequest) {
|
if (fireRequest) {
|
||||||
InputStream is = null;
|
conn.getInputStream().close();
|
||||||
try {
|
|
||||||
is = conn.getInputStream();
|
|
||||||
} finally {
|
|
||||||
IOUtils.closeQuietly(is);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
/* if connecting is possible we return true here */
|
/* if connecting is possible we return true here */
|
||||||
return null;
|
return null;
|
||||||
|
@ -692,9 +663,9 @@ public class TestSignatureInfo {
|
||||||
public void testCertChain() throws Exception {
|
public void testCertChain() throws Exception {
|
||||||
KeyStore keystore = KeyStore.getInstance("PKCS12");
|
KeyStore keystore = KeyStore.getInstance("PKCS12");
|
||||||
String password = "test";
|
String password = "test";
|
||||||
InputStream is = testdata.openResourceAsStream("chaintest.pfx");
|
try (InputStream is = testdata.openResourceAsStream("chaintest.pfx")) {
|
||||||
keystore.load(is, password.toCharArray());
|
keystore.load(is, password.toCharArray());
|
||||||
is.close();
|
}
|
||||||
|
|
||||||
Key key = keystore.getKey("poitest", password.toCharArray());
|
Key key = keystore.getKey("poitest", password.toCharArray());
|
||||||
Certificate[] chainList = keystore.getCertificateChain("poitest");
|
Certificate[] chainList = keystore.getCertificateChain("poitest");
|
||||||
|
@ -714,9 +685,9 @@ public class TestSignatureInfo {
|
||||||
Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);
|
Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);
|
||||||
signatureConfig.setExecutionTime(oldCal.getTime());
|
signatureConfig.setExecutionTime(oldCal.getTime());
|
||||||
signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
|
signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
|
||||||
signatureConfig.setOpcPackage(pkg);
|
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
|
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
|
@ -735,7 +706,7 @@ public class TestSignatureInfo {
|
||||||
@Test
|
@Test
|
||||||
public void testNonSha1() throws Exception {
|
public void testNonSha1() throws Exception {
|
||||||
String testFile = "hello-world-unsigned.xlsx";
|
String testFile = "hello-world-unsigned.xlsx";
|
||||||
initKeyPair("Test", "CN=Test");
|
initKeyPair();
|
||||||
|
|
||||||
SignatureConfig signatureConfig = new SignatureConfig();
|
SignatureConfig signatureConfig = new SignatureConfig();
|
||||||
signatureConfig.setKey(keyPair.getPrivate());
|
signatureConfig.setKey(keyPair.getPrivate());
|
||||||
|
@ -745,13 +716,10 @@ public class TestSignatureInfo {
|
||||||
, HashAlgorithm.sha384, HashAlgorithm.sha512, HashAlgorithm.ripemd160};
|
, HashAlgorithm.sha384, HashAlgorithm.sha512, HashAlgorithm.ripemd160};
|
||||||
|
|
||||||
for (HashAlgorithm ha : testAlgo) {
|
for (HashAlgorithm ha : testAlgo) {
|
||||||
OPCPackage pkg = null;
|
signatureConfig.setDigestAlgo(ha);
|
||||||
try {
|
try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {
|
||||||
signatureConfig.setDigestAlgo(ha);
|
|
||||||
pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
|
|
||||||
signatureConfig.setOpcPackage(pkg);
|
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
|
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
|
@ -759,10 +727,6 @@ public class TestSignatureInfo {
|
||||||
assertTrue("Signature not correctly calculated for " + ha, b);
|
assertTrue("Signature not correctly calculated for " + ha, b);
|
||||||
} catch (EncryptedDocumentException e) {
|
} catch (EncryptedDocumentException e) {
|
||||||
Assume.assumeTrue(e.getMessage().startsWith("Export Restrictions"));
|
Assume.assumeTrue(e.getMessage().startsWith("Export Restrictions"));
|
||||||
} finally {
|
|
||||||
if (pkg != null) {
|
|
||||||
pkg.close();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -776,20 +740,18 @@ public class TestSignatureInfo {
|
||||||
wb1.removeSheetAt(0);
|
wb1.removeSheetAt(0);
|
||||||
ByteArrayOutputStream os = new ByteArrayOutputStream();
|
ByteArrayOutputStream os = new ByteArrayOutputStream();
|
||||||
wb1.write(os);
|
wb1.write(os);
|
||||||
wb1.close();
|
|
||||||
try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()))) {
|
|
||||||
|
|
||||||
initKeyPair("Test", "CN=Test");
|
try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()))) {
|
||||||
|
initKeyPair();
|
||||||
SignatureConfig signatureConfig = new SignatureConfig();
|
SignatureConfig signatureConfig = new SignatureConfig();
|
||||||
signatureConfig.setKey(keyPair.getPrivate());
|
signatureConfig.setKey(keyPair.getPrivate());
|
||||||
signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
|
signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
|
||||||
signatureConfig.setOpcPackage(pkg);
|
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
assertTrue("invalid signature", si.verifySignature());
|
assertTrue("invalid signature", si.verifySignature());
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -833,8 +795,8 @@ public class TestSignatureInfo {
|
||||||
private void verifyPkg63011(File tpl, boolean multi) throws InvalidFormatException, IOException {
|
private void verifyPkg63011(File tpl, boolean multi) throws InvalidFormatException, IOException {
|
||||||
try (OPCPackage pkg = OPCPackage.open(tpl, PackageAccess.READ)) {
|
try (OPCPackage pkg = OPCPackage.open(tpl, PackageAccess.READ)) {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
List<X509Certificate> result = new ArrayList<>();
|
List<X509Certificate> result = new ArrayList<>();
|
||||||
for (SignaturePart sp : si.getSignatureParts()) {
|
for (SignaturePart sp : si.getSignatureParts()) {
|
||||||
|
@ -860,7 +822,7 @@ public class TestSignatureInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void signPkg63011(OPCPackage pkg, String pemFile, boolean multi)
|
private void signPkg63011(OPCPackage pkg, String pemFile, boolean multi)
|
||||||
throws IOException, CertificateException, XMLSignatureException, MarshalException {
|
throws IOException, CertificateException, XMLSignatureException, MarshalException {
|
||||||
assertNotNull(pkg);
|
assertNotNull(pkg);
|
||||||
initKeyFromPEM(testdata.getFile(pemFile));
|
initKeyFromPEM(testdata.getFile(pemFile));
|
||||||
|
|
||||||
|
@ -869,9 +831,9 @@ public class TestSignatureInfo {
|
||||||
config.setSigningCertificateChain(Collections.singletonList(x509));
|
config.setSigningCertificateChain(Collections.singletonList(x509));
|
||||||
config.setExecutionTime(cal.getTime());
|
config.setExecutionTime(cal.getTime());
|
||||||
config.setAllowMultipleSignatures(multi);
|
config.setAllowMultipleSignatures(multi);
|
||||||
config.setOpcPackage(pkg);
|
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(config);
|
si.setSignatureConfig(config);
|
||||||
si.confirmSignature();
|
si.confirmSignature();
|
||||||
}
|
}
|
||||||
|
@ -881,9 +843,9 @@ public class TestSignatureInfo {
|
||||||
SignatureConfig sic = new SignatureConfig();
|
SignatureConfig sic = new SignatureConfig();
|
||||||
final File file = testdata.getFile("PPT2016withComment.pptx");
|
final File file = testdata.getFile("PPT2016withComment.pptx");
|
||||||
try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {
|
try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {
|
||||||
sic.setOpcPackage(pkg);
|
|
||||||
sic.setUpdateConfigOnValidate(true);
|
sic.setUpdateConfigOnValidate(true);
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkg);
|
||||||
si.setSignatureConfig(sic);
|
si.setSignatureConfig(sic);
|
||||||
assertTrue(si.verifySignature());
|
assertTrue(si.verifySignature());
|
||||||
}
|
}
|
||||||
|
@ -897,8 +859,8 @@ public class TestSignatureInfo {
|
||||||
assertEquals(CanonicalizationMethod.INCLUSIVE, sic.getCanonicalizationMethod());
|
assertEquals(CanonicalizationMethod.INCLUSIVE, sic.getCanonicalizationMethod());
|
||||||
}
|
}
|
||||||
|
|
||||||
private SignatureConfig prepareConfig(String alias, String signerDn, String pfxInput) throws Exception {
|
private SignatureConfig prepareConfig(String pfxInput) throws Exception {
|
||||||
initKeyPair(alias, signerDn, pfxInput);
|
initKeyPair(pfxInput);
|
||||||
|
|
||||||
SignatureConfig signatureConfig = new SignatureConfig();
|
SignatureConfig signatureConfig = new SignatureConfig();
|
||||||
signatureConfig.setKey(keyPair.getPrivate());
|
signatureConfig.setKey(keyPair.getPrivate());
|
||||||
|
@ -909,11 +871,13 @@ public class TestSignatureInfo {
|
||||||
return signatureConfig;
|
return signatureConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
private void sign(OPCPackage pkgCopy, String alias, String signerDn, int signerCount) throws Exception {
|
private void sign(OPCPackage pkgCopy) throws Exception {
|
||||||
SignatureConfig signatureConfig = prepareConfig(alias, signerDn, null);
|
int signerCount = 1;
|
||||||
signatureConfig.setOpcPackage(pkgCopy);
|
|
||||||
|
SignatureConfig signatureConfig = prepareConfig(null);
|
||||||
|
|
||||||
SignatureInfo si = new SignatureInfo();
|
SignatureInfo si = new SignatureInfo();
|
||||||
|
si.setOpcPackage(pkgCopy);
|
||||||
si.setSignatureConfig(signatureConfig);
|
si.setSignatureConfig(signatureConfig);
|
||||||
|
|
||||||
final Document document = DocumentHelper.createDocument();
|
final Document document = DocumentHelper.createDocument();
|
||||||
|
@ -933,7 +897,7 @@ public class TestSignatureInfo {
|
||||||
si.postSign(xmlSignContext, signatureValue);
|
si.postSign(xmlSignContext, signatureValue);
|
||||||
|
|
||||||
// verify: signature
|
// verify: signature
|
||||||
si.getSignatureConfig().setOpcPackage(pkgCopy);
|
si.setOpcPackage(pkgCopy);
|
||||||
List<X509Certificate> result = new ArrayList<>();
|
List<X509Certificate> result = new ArrayList<>();
|
||||||
for (SignaturePart sp : si.getSignatureParts()) {
|
for (SignaturePart sp : si.getSignatureParts()) {
|
||||||
if (sp.validate()) {
|
if (sp.validate()) {
|
||||||
|
@ -943,24 +907,25 @@ public class TestSignatureInfo {
|
||||||
assertEquals(signerCount, result.size());
|
assertEquals(signerCount, result.size());
|
||||||
}
|
}
|
||||||
|
|
||||||
private void initKeyPair(String alias, String subjectDN) throws Exception {
|
private void initKeyPair() throws Exception {
|
||||||
initKeyPair(alias, subjectDN, null);
|
initKeyPair(null);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void initKeyPair(String alias, String subjectDN, String pfxInput) throws Exception {
|
private void initKeyPair(String pfxInput) throws Exception {
|
||||||
|
final String alias = "Test";
|
||||||
final char[] password = "test".toCharArray();
|
final char[] password = "test".toCharArray();
|
||||||
File file = new File("build/test.pfx");
|
File file = new File("build/test.pfx");
|
||||||
|
|
||||||
KeyStore keystore = KeyStore.getInstance("PKCS12");
|
KeyStore keystore = KeyStore.getInstance("PKCS12");
|
||||||
|
|
||||||
if (pfxInput != null) {
|
if (pfxInput != null) {
|
||||||
InputStream fis = new ByteArrayInputStream(RawDataUtil.decompress(pfxInput));
|
try (InputStream fis = new ByteArrayInputStream(RawDataUtil.decompress(pfxInput))) {
|
||||||
keystore.load(fis, password);
|
keystore.load(fis, password);
|
||||||
fis.close();
|
}
|
||||||
} else if (file.exists()) {
|
} else if (file.exists()) {
|
||||||
InputStream fis = new FileInputStream(file);
|
try (InputStream fis = new FileInputStream(file)) {
|
||||||
keystore.load(fis, password);
|
keystore.load(fis, password);
|
||||||
fis.close();
|
}
|
||||||
} else {
|
} else {
|
||||||
keystore.load(null, password);
|
keystore.load(null, password);
|
||||||
}
|
}
|
||||||
|
@ -977,15 +942,14 @@ public class TestSignatureInfo {
|
||||||
Date notAfter = cal2.getTime();
|
Date notAfter = cal2.getTime();
|
||||||
KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);
|
KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);
|
||||||
|
|
||||||
x509 = generateCertificate(keyPair.getPublic(), subjectDN
|
x509 = generateCertificate(keyPair.getPublic(), notBefore, notAfter, keyPair.getPrivate(), keyUsage);
|
||||||
, notBefore, notAfter, null, keyPair.getPrivate(), true, 0, null, null, keyUsage);
|
|
||||||
|
|
||||||
keystore.setKeyEntry(alias, keyPair.getPrivate(), password, new Certificate[]{x509});
|
keystore.setKeyEntry(alias, keyPair.getPrivate(), password, new Certificate[]{x509});
|
||||||
|
|
||||||
if (pfxInput == null) {
|
if (pfxInput == null) {
|
||||||
FileOutputStream fos = new FileOutputStream(file);
|
try (FileOutputStream fos = new FileOutputStream(file)) {
|
||||||
keystore.store(fos, password);
|
keystore.store(fos, password);
|
||||||
fos.close();
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1038,24 +1002,18 @@ public class TestSignatureInfo {
|
||||||
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
|
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
|
||||||
SecureRandom random = new SecureRandom();
|
SecureRandom random = new SecureRandom();
|
||||||
keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,
|
keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,
|
||||||
RSAKeyGenParameterSpec.F4), random);
|
RSAKeyGenParameterSpec.F4), random);
|
||||||
return keyPairGenerator.generateKeyPair();
|
return keyPairGenerator.generateKeyPair();
|
||||||
}
|
}
|
||||||
|
|
||||||
private static X509Certificate generateCertificate(PublicKey subjectPublicKey,
|
private static X509Certificate generateCertificate(PublicKey subjectPublicKey,
|
||||||
String subjectDn, Date notBefore, Date notAfter,
|
Date notBefore, Date notAfter,
|
||||||
X509Certificate issuerCertificate, PrivateKey issuerPrivateKey,
|
PrivateKey issuerPrivateKey,
|
||||||
boolean caFlag, int pathLength, String crlUri, String ocspUri,
|
KeyUsage keyUsage)
|
||||||
KeyUsage keyUsage)
|
throws IOException, OperatorCreationException, CertificateException {
|
||||||
throws IOException, OperatorCreationException, CertificateException
|
final String signatureAlgorithm = "SHA1withRSA";
|
||||||
{
|
final String subjectDn = "CN=Test";
|
||||||
String signatureAlgorithm = "SHA1withRSA";
|
X500Name issuerName = new X500Name(subjectDn);
|
||||||
X500Name issuerName;
|
|
||||||
if (issuerCertificate != null) {
|
|
||||||
issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer();
|
|
||||||
} else {
|
|
||||||
issuerName = new X500Name(subjectDn);
|
|
||||||
}
|
|
||||||
|
|
||||||
RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;
|
RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;
|
||||||
RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());
|
RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());
|
||||||
|
@ -1077,47 +1035,13 @@ public class TestSignatureInfo {
|
||||||
|
|
||||||
X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);
|
X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);
|
||||||
SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
|
SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
|
||||||
AuthorityKeyIdentifier autKeyId = (issuerCertificate != null)
|
AuthorityKeyIdentifier autKeyId = exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);
|
||||||
? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded()))
|
|
||||||
: exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);
|
|
||||||
|
|
||||||
certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);
|
certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);
|
||||||
certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);
|
certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);
|
||||||
|
|
||||||
if (caFlag) {
|
BasicConstraints bc = new BasicConstraints(0);
|
||||||
BasicConstraints bc;
|
certificateGenerator.addExtension(Extension.basicConstraints, false, bc);
|
||||||
|
|
||||||
if (-1 == pathLength) {
|
|
||||||
bc = new BasicConstraints(true);
|
|
||||||
} else {
|
|
||||||
bc = new BasicConstraints(pathLength);
|
|
||||||
}
|
|
||||||
certificateGenerator.addExtension(Extension.basicConstraints, false, bc);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (null != crlUri) {
|
|
||||||
int uri = GeneralName.uniformResourceIdentifier;
|
|
||||||
DERIA5String crlUriDer = new DERIA5String(crlUri);
|
|
||||||
GeneralName gn = new GeneralName(uri, crlUriDer);
|
|
||||||
|
|
||||||
DERSequence gnDer = new DERSequence(gn);
|
|
||||||
GeneralNames gns = GeneralNames.getInstance(gnDer);
|
|
||||||
|
|
||||||
DistributionPointName dpn = new DistributionPointName(0, gns);
|
|
||||||
DistributionPoint distp = new DistributionPoint(dpn, null, null);
|
|
||||||
DERSequence distpDer = new DERSequence(distp);
|
|
||||||
certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (null != ocspUri) {
|
|
||||||
int uri = GeneralName.uniformResourceIdentifier;
|
|
||||||
GeneralName ocspName = new GeneralName(uri, ocspUri);
|
|
||||||
|
|
||||||
AuthorityInformationAccess authorityInformationAccess =
|
|
||||||
new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspName);
|
|
||||||
|
|
||||||
certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (null != keyUsage) {
|
if (null != keyUsage) {
|
||||||
certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);
|
certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);
|
||||||
|
@ -1158,10 +1082,10 @@ public class TestSignatureInfo {
|
||||||
}
|
}
|
||||||
|
|
||||||
private static OCSPResp createOcspResp(X509Certificate certificate,
|
private static OCSPResp createOcspResp(X509Certificate certificate,
|
||||||
boolean revoked, X509Certificate issuerCertificate,
|
X509Certificate issuerCertificate,
|
||||||
X509Certificate ocspResponderCertificate,
|
X509Certificate ocspResponderCertificate,
|
||||||
PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,
|
PrivateKey ocspResponderPrivateKey,
|
||||||
long nonceTimeinMillis)
|
long nonceTimeinMillis)
|
||||||
throws Exception {
|
throws Exception {
|
||||||
DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()
|
DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()
|
||||||
.setProvider("BC").build().get(CertificateID.HASH_SHA1);
|
.setProvider("BC").build().get(CertificateID.HASH_SHA1);
|
||||||
|
@ -1192,9 +1116,6 @@ public class TestSignatureInfo {
|
||||||
for (Req ocspRequest : requestList) {
|
for (Req ocspRequest : requestList) {
|
||||||
CertificateID certificateID = ocspRequest.getCertID();
|
CertificateID certificateID = ocspRequest.getCertID();
|
||||||
CertificateStatus certificateStatus = CertificateStatus.GOOD;
|
CertificateStatus certificateStatus = CertificateStatus.GOOD;
|
||||||
if (revoked) {
|
|
||||||
certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
|
|
||||||
}
|
|
||||||
basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
|
basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue