Search in sources :

Example 16 with XMLStructure

use of javax.xml.crypto.XMLStructure in project poi by apache.

the class XAdESSignatureFacet method preSign.

@Override
public void preSign(Document document, List<Reference> references, List<XMLObject> objects) throws XMLSignatureException {
    LOG.log(POILogger.DEBUG, "preSign");
    // QualifyingProperties
    QualifyingPropertiesDocument qualDoc = QualifyingPropertiesDocument.Factory.newInstance();
    QualifyingPropertiesType qualifyingProperties = qualDoc.addNewQualifyingProperties();
    qualifyingProperties.setTarget("#" + signatureConfig.getPackageSignatureId());
    // SignedProperties
    SignedPropertiesType signedProperties = qualifyingProperties.addNewSignedProperties();
    signedProperties.setId(signatureConfig.getXadesSignatureId());
    // SignedSignatureProperties
    SignedSignaturePropertiesType signedSignatureProperties = signedProperties.addNewSignedSignatureProperties();
    // SigningTime
    Calendar xmlGregorianCalendar = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
    xmlGregorianCalendar.setTime(signatureConfig.getExecutionTime());
    xmlGregorianCalendar.clear(Calendar.MILLISECOND);
    signedSignatureProperties.setSigningTime(xmlGregorianCalendar);
    // SigningCertificate
    if (signatureConfig.getSigningCertificateChain() == null || signatureConfig.getSigningCertificateChain().isEmpty()) {
        throw new RuntimeException("no signing certificate chain available");
    }
    CertIDListType signingCertificates = signedSignatureProperties.addNewSigningCertificate();
    CertIDType certId = signingCertificates.addNewCert();
    X509Certificate certificate = signatureConfig.getSigningCertificateChain().get(0);
    setCertID(certId, signatureConfig, signatureConfig.isXadesIssuerNameNoReverseOrder(), certificate);
    // ClaimedRole
    String role = signatureConfig.getXadesRole();
    if (role != null && !role.isEmpty()) {
        SignerRoleType signerRole = signedSignatureProperties.addNewSignerRole();
        signedSignatureProperties.setSignerRole(signerRole);
        ClaimedRolesListType claimedRolesList = signerRole.addNewClaimedRoles();
        AnyType claimedRole = claimedRolesList.addNewClaimedRole();
        XmlString roleString = XmlString.Factory.newInstance();
        roleString.setStringValue(role);
        insertXChild(claimedRole, roleString);
    }
    // XAdES-EPES
    SignaturePolicyService policyService = signatureConfig.getSignaturePolicyService();
    if (policyService != null) {
        SignaturePolicyIdentifierType signaturePolicyIdentifier = signedSignatureProperties.addNewSignaturePolicyIdentifier();
        SignaturePolicyIdType signaturePolicyId = signaturePolicyIdentifier.addNewSignaturePolicyId();
        ObjectIdentifierType objectIdentifier = signaturePolicyId.addNewSigPolicyId();
        objectIdentifier.setDescription(policyService.getSignaturePolicyDescription());
        IdentifierType identifier = objectIdentifier.addNewIdentifier();
        identifier.setStringValue(policyService.getSignaturePolicyIdentifier());
        byte[] signaturePolicyDocumentData = policyService.getSignaturePolicyDocument();
        DigestAlgAndValueType sigPolicyHash = signaturePolicyId.addNewSigPolicyHash();
        setDigestAlgAndValue(sigPolicyHash, signaturePolicyDocumentData, signatureConfig.getDigestAlgo());
        String signaturePolicyDownloadUrl = policyService.getSignaturePolicyDownloadUrl();
        if (null != signaturePolicyDownloadUrl) {
            SigPolicyQualifiersListType sigPolicyQualifiers = signaturePolicyId.addNewSigPolicyQualifiers();
            AnyType sigPolicyQualifier = sigPolicyQualifiers.addNewSigPolicyQualifier();
            XmlString spUriElement = XmlString.Factory.newInstance();
            spUriElement.setStringValue(signaturePolicyDownloadUrl);
            insertXChild(sigPolicyQualifier, spUriElement);
        }
    } else if (signatureConfig.isXadesSignaturePolicyImplied()) {
        SignaturePolicyIdentifierType signaturePolicyIdentifier = signedSignatureProperties.addNewSignaturePolicyIdentifier();
        signaturePolicyIdentifier.addNewSignaturePolicyImplied();
    }
    // DataObjectFormat
    if (!dataObjectFormatMimeTypes.isEmpty()) {
        SignedDataObjectPropertiesType signedDataObjectProperties = signedProperties.addNewSignedDataObjectProperties();
        List<DataObjectFormatType> dataObjectFormats = signedDataObjectProperties.getDataObjectFormatList();
        for (Map.Entry<String, String> dataObjectFormatMimeType : this.dataObjectFormatMimeTypes.entrySet()) {
            DataObjectFormatType dataObjectFormat = DataObjectFormatType.Factory.newInstance();
            dataObjectFormat.setObjectReference("#" + dataObjectFormatMimeType.getKey());
            dataObjectFormat.setMimeType(dataObjectFormatMimeType.getValue());
            dataObjectFormats.add(dataObjectFormat);
        }
    }
    // add XAdES ds:Object
    List<XMLStructure> xadesObjectContent = new ArrayList<XMLStructure>();
    Element qualDocElSrc = (Element) qualifyingProperties.getDomNode();
    Element qualDocEl = (Element) document.importNode(qualDocElSrc, true);
    xadesObjectContent.add(new DOMStructure(qualDocEl));
    XMLObject xadesObject = getSignatureFactory().newXMLObject(xadesObjectContent, null, null, null);
    objects.add(xadesObject);
    // add XAdES ds:Reference
    List<Transform> transforms = new ArrayList<Transform>();
    Transform exclusiveTransform = newTransform(CanonicalizationMethod.INCLUSIVE);
    transforms.add(exclusiveTransform);
    Reference reference = newReference("#" + signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null);
    references.add(reference);
}
Also used : SignaturePolicyIdentifierType(org.etsi.uri.x01903.v13.SignaturePolicyIdentifierType) SigPolicyQualifiersListType(org.etsi.uri.x01903.v13.SigPolicyQualifiersListType) QualifyingPropertiesDocument(org.etsi.uri.x01903.v13.QualifyingPropertiesDocument) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) XmlString(org.apache.xmlbeans.XmlString) XMLStructure(javax.xml.crypto.XMLStructure) DigestAlgAndValueType(org.etsi.uri.x01903.v13.DigestAlgAndValueType) SignedSignaturePropertiesType(org.etsi.uri.x01903.v13.SignedSignaturePropertiesType) DOMStructure(javax.xml.crypto.dom.DOMStructure) AnyType(org.etsi.uri.x01903.v13.AnyType) CertIDListType(org.etsi.uri.x01903.v13.CertIDListType) SignedPropertiesType(org.etsi.uri.x01903.v13.SignedPropertiesType) SignedDataObjectPropertiesType(org.etsi.uri.x01903.v13.SignedDataObjectPropertiesType) ClaimedRolesListType(org.etsi.uri.x01903.v13.ClaimedRolesListType) DataObjectFormatType(org.etsi.uri.x01903.v13.DataObjectFormatType) Reference(javax.xml.crypto.dsig.Reference) Calendar(java.util.Calendar) XmlString(org.apache.xmlbeans.XmlString) XMLObject(javax.xml.crypto.dsig.XMLObject) SignaturePolicyService(org.apache.poi.poifs.crypt.dsig.services.SignaturePolicyService) ObjectIdentifierType(org.etsi.uri.x01903.v13.ObjectIdentifierType) IdentifierType(org.etsi.uri.x01903.v13.IdentifierType) SignaturePolicyIdentifierType(org.etsi.uri.x01903.v13.SignaturePolicyIdentifierType) X509Certificate(java.security.cert.X509Certificate) CertIDType(org.etsi.uri.x01903.v13.CertIDType) QualifyingPropertiesType(org.etsi.uri.x01903.v13.QualifyingPropertiesType) SignerRoleType(org.etsi.uri.x01903.v13.SignerRoleType) ObjectIdentifierType(org.etsi.uri.x01903.v13.ObjectIdentifierType) SignaturePolicyIdType(org.etsi.uri.x01903.v13.SignaturePolicyIdType) Transform(javax.xml.crypto.dsig.Transform) HashMap(java.util.HashMap) Map(java.util.Map)

Example 17 with XMLStructure

use of javax.xml.crypto.XMLStructure in project testcases by coheigea.

the class SignatureJSR105EnvelopedTest method testSignatureUsingJSR105.

// Sign + Verify an XML Document using the JSR-105 API
@org.junit.Test
public void testSignatureUsingJSR105() throws Exception {
    // Read in plaintext document
    InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("plaintext.xml");
    DocumentBuilder builder = XMLUtils.createDocumentBuilder(false);
    Document document = builder.parse(sourceDocument);
    // Set up the Key
    KeyStore keyStore = KeyStore.getInstance("jks");
    keyStore.load(this.getClass().getClassLoader().getResource("clientstore.jks").openStream(), "cspass".toCharArray());
    Key key = keyStore.getKey("myclientkey", "ckpass".toCharArray());
    X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
    String signatureId = "_" + UUID.randomUUID().toString();
    String signaturePropertyId = "_" + UUID.randomUUID().toString();
    // Sign using DOM
    XMLSignatureFactory signatureFactory = XMLSignatureFactory.getInstance("DOM");
    CanonicalizationMethod c14nMethod = signatureFactory.newCanonicalizationMethod("http://www.w3.org/2001/10/xml-exc-c14n#", (C14NMethodParameterSpec) null);
    KeyInfoFactory keyInfoFactory = signatureFactory.getKeyInfoFactory();
    X509Data x509Data = keyInfoFactory.newX509Data(Collections.singletonList(cert));
    javax.xml.crypto.dsig.keyinfo.KeyInfo keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(x509Data));
    SignatureMethod signatureMethod = signatureFactory.newSignatureMethod("http://www.w3.org/2000/09/xmldsig#rsa-sha1", null);
    Transform transform = signatureFactory.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
    DigestMethod digestMethod = signatureFactory.newDigestMethod("http://www.w3.org/2000/09/xmldsig#sha1", null);
    Reference reference = signatureFactory.newReference("", digestMethod, Collections.singletonList(transform), null, null);
    Transform objectTransform = signatureFactory.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#", (TransformParameterSpec) null);
    Reference objectReference = signatureFactory.newReference("#" + signaturePropertyId, digestMethod, Collections.singletonList(objectTransform), "http://www.w3.org/2000/09/xmldsig#SignatureProperties", null);
    List<Reference> references = new ArrayList<>();
    references.add(reference);
    references.add(objectReference);
    SignedInfo signedInfo = signatureFactory.newSignedInfo(c14nMethod, signatureMethod, references);
    // Add a SignatureProperty containing a Timestamp
    Element timestamp = document.createElementNS(null, "Timestamp");
    timestamp.setTextContent(new Date().toString());
    XMLStructure content = new DOMStructure(timestamp);
    SignatureProperty signatureProperty = signatureFactory.newSignatureProperty(Collections.singletonList(content), "#" + signatureId, signaturePropertyId);
    SignatureProperties signatureProperties = signatureFactory.newSignatureProperties(Collections.singletonList(signatureProperty), null);
    XMLObject object = signatureFactory.newXMLObject(Collections.singletonList(signatureProperties), null, null, null);
    XMLSignature sig = signatureFactory.newXMLSignature(signedInfo, keyInfo, Collections.singletonList(object), signatureId, null);
    XMLSignContext signContext = new DOMSignContext(key, document.getDocumentElement());
    sig.sign(signContext);
    // XMLUtils.outputDOM(document, System.out);
    // Verify using JSR-105
    // Find the Signature Element
    Element sigElement = SignatureUtils.getSignatureElement(document);
    Assert.assertNotNull(sigElement);
    XMLValidateContext context = new DOMValidateContext(cert.getPublicKey(), sigElement);
    context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
    context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
    context.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
    signatureFactory = XMLSignatureFactory.getInstance("DOM");
    XMLSignature xmlSignature = signatureFactory.unmarshalXMLSignature(context);
    // Check the Signature value
    Assert.assertTrue(xmlSignature.validate(context));
    // First find the Timestamp
    SignatureProperty timestampSignatureProperty = getTimestampSignatureProperty(xmlSignature);
    assertNotNull(timestampSignatureProperty);
    // Check that what was signed is what we expected to be signed.
    boolean foundEnvelopedSig = false;
    boolean foundSignedTimestamp = false;
    for (Object refObject : signedInfo.getReferences()) {
        Reference ref = (Reference) refObject;
        if ("".equals(ref.getURI())) {
            List<Transform> transforms = (List<Transform>) ref.getTransforms();
            if (transforms != null && transforms.stream().anyMatch(t -> t.getAlgorithm().equals(Transform.ENVELOPED))) {
                foundEnvelopedSig = true;
            }
        } else if ("http://www.w3.org/2000/09/xmldsig#SignatureProperties".equals(ref.getType()) && ref.getURI().equals("#" + timestampSignatureProperty.getId())) {
            // Found matching SignatureProperties Object
            // Now validate Timestamp
            validateTimestamp(signatureProperty, cert);
            foundSignedTimestamp = true;
        }
    }
    assertEquals(sigElement.getParentNode(), document.getDocumentElement());
    assertTrue(foundEnvelopedSig);
    assertTrue(foundSignedTimestamp);
}
Also used : X509Certificate(java.security.cert.X509Certificate) DOMSignContext(javax.xml.crypto.dsig.dom.DOMSignContext) CanonicalizationMethod(javax.xml.crypto.dsig.CanonicalizationMethod) SignatureMethod(javax.xml.crypto.dsig.SignatureMethod) Date(java.util.Date) SignatureProperty(javax.xml.crypto.dsig.SignatureProperty) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) Transform(javax.xml.crypto.dsig.Transform) XMLValidateContext(javax.xml.crypto.dsig.XMLValidateContext) CertificateExpiredException(java.security.cert.CertificateExpiredException) ArrayList(java.util.ArrayList) Document(org.w3c.dom.Document) X509Data(javax.xml.crypto.dsig.keyinfo.X509Data) XMLObject(javax.xml.crypto.dsig.XMLObject) XMLStructure(javax.xml.crypto.XMLStructure) DOMStructure(javax.xml.crypto.dom.DOMStructure) Iterator(java.util.Iterator) C14NMethodParameterSpec(javax.xml.crypto.dsig.spec.C14NMethodParameterSpec) XMLSignContext(javax.xml.crypto.dsig.XMLSignContext) KeyStore(java.security.KeyStore) UUID(java.util.UUID) XMLSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory) Key(java.security.Key) List(java.util.List) Element(org.w3c.dom.Element) SignedInfo(javax.xml.crypto.dsig.SignedInfo) Reference(javax.xml.crypto.dsig.Reference) DOMValidateContext(javax.xml.crypto.dsig.dom.DOMValidateContext) DocumentBuilder(javax.xml.parsers.DocumentBuilder) DigestMethod(javax.xml.crypto.dsig.DigestMethod) KeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory) TransformParameterSpec(javax.xml.crypto.dsig.spec.TransformParameterSpec) XMLUtils(org.apache.xml.security.utils.XMLUtils) SignatureProperties(javax.xml.crypto.dsig.SignatureProperties) Assert(org.junit.Assert) Collections(java.util.Collections) Init(org.apache.xml.security.Init) InputStream(java.io.InputStream) XMLSignature(javax.xml.crypto.dsig.XMLSignature) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) DigestMethod(javax.xml.crypto.dsig.DigestMethod) XMLStructure(javax.xml.crypto.XMLStructure) Document(org.w3c.dom.Document) SignatureProperty(javax.xml.crypto.dsig.SignatureProperty) X509Data(javax.xml.crypto.dsig.keyinfo.X509Data) KeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory) XMLSignature(javax.xml.crypto.dsig.XMLSignature) DOMValidateContext(javax.xml.crypto.dsig.dom.DOMValidateContext) DOMStructure(javax.xml.crypto.dom.DOMStructure) XMLSignContext(javax.xml.crypto.dsig.XMLSignContext) ArrayList(java.util.ArrayList) List(java.util.List) XMLSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory) XMLValidateContext(javax.xml.crypto.dsig.XMLValidateContext) InputStream(java.io.InputStream) Reference(javax.xml.crypto.dsig.Reference) CanonicalizationMethod(javax.xml.crypto.dsig.CanonicalizationMethod) XMLObject(javax.xml.crypto.dsig.XMLObject) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) SignedInfo(javax.xml.crypto.dsig.SignedInfo) DocumentBuilder(javax.xml.parsers.DocumentBuilder) DOMSignContext(javax.xml.crypto.dsig.dom.DOMSignContext) SignatureProperties(javax.xml.crypto.dsig.SignatureProperties) SignatureMethod(javax.xml.crypto.dsig.SignatureMethod) XMLObject(javax.xml.crypto.dsig.XMLObject) Transform(javax.xml.crypto.dsig.Transform) Key(java.security.Key)

Aggregations

XMLStructure (javax.xml.crypto.XMLStructure)17 ArrayList (java.util.ArrayList)8 DOMSignContext (javax.xml.crypto.dsig.dom.DOMSignContext)7 DOMStructure (javax.xml.crypto.dom.DOMStructure)6 Reference (javax.xml.crypto.dsig.Reference)6 XMLObject (javax.xml.crypto.dsig.XMLObject)6 DOMValidateContext (javax.xml.crypto.dsig.dom.DOMValidateContext)5 Element (org.w3c.dom.Element)5 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4 X509Certificate (java.security.cert.X509Certificate)4 URIReference (javax.xml.crypto.URIReference)4 URIReferenceException (javax.xml.crypto.URIReferenceException)4 Map (java.util.Map)3 Manifest (javax.xml.crypto.dsig.Manifest)3 SignatureProperties (javax.xml.crypto.dsig.SignatureProperties)3 SignatureProperty (javax.xml.crypto.dsig.SignatureProperty)3 Key (java.security.Key)2 HashMap (java.util.HashMap)2 List (java.util.List)2 CanonicalizationMethod (javax.xml.crypto.dsig.CanonicalizationMethod)2