Use of org.apache.poi.poifs.crypt.dsig.SignatureInfo in the Apache POI project:
class TestSignatureInfo, method getSignerUnsigned.
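@Test
public void getSignerUnsigned() throws Exception {
    // Unsigned documents of every supported container type must yield no
    // validated signer at all. Each package is opened read-only and is
    // closed in a finally block, so a failing assertion or an exception
    // from validate() no longer leaks the open package.
    String[] testFiles = {
        "hello-world-unsigned.docx",
        "hello-world-unsigned.pptx",
        "hello-world-unsigned.xlsx",
        "hello-world-office-2010-technical-preview-unsigned.docx"
    };
    for (String testFile : testFiles) {
        OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
        try {
            SignatureConfig sic = new SignatureConfig();
            sic.setOpcPackage(pkg);
            SignatureInfo si = new SignatureInfo();
            si.setSignatureConfig(sic);
            // collect only signers whose signature part validates
            List<X509Certificate> result = new ArrayList<X509Certificate>();
            for (SignaturePart sp : si.getSignatureParts()) {
                if (sp.validate()) {
                    result.add(sp.getSigner());
                }
            }
            // discard any in-memory changes before closing (read-only package)
            pkg.revert();
            assertNotNull(result);
            assertTrue("test-file: " + testFile, result.isEmpty());
        } finally {
            pkg.close();
        }
    }
}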
Use of org.apache.poi.poifs.crypt.dsig.SignatureInfo in the Apache POI project:
class TestSignatureInfo, method testCertChain.
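@Test
public void testCertChain() throws Exception {
    // Signs a workbook with a key whose full certificate chain comes from
    // the chaintest.pfx fixture, then checks that every signature part
    // validates and that the embedded chain round-trips with all
    // 3 certificates. Both the keystore stream and the package are
    // released in finally blocks so a failure mid-way does not leak them.
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    String password = "test"; // password of the test fixture only
    InputStream is = testdata.openResourceAsStream("chaintest.pfx");
    try {
        keystore.load(is, password.toCharArray());
    } finally {
        is.close();
    }
    Key key = keystore.getKey("poitest", password.toCharArray());
    Certificate[] chainList = keystore.getCertificateChain("poitest");
    // fail with a readable message instead of a NullPointerException when
    // the fixture does not contain the expected alias
    assertNotNull("no certificate chain for alias 'poitest' in chaintest.pfx", chainList);
    List<X509Certificate> certChain = new ArrayList<X509Certificate>(chainList.length);
    for (Certificate c : chainList) {
        certChain.add((X509Certificate) c);
    }
    // chain is stored leaf-first: element 0 is the signing certificate
    x509 = certChain.get(0);
    keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey) key);

    String testFile = "hello-world-unsigned.xlsx";
    // sign a copy so the fixture on disk is never modified
    OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
    try {
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setKey(keyPair.getPrivate());
        signatureConfig.setSigningCertificateChain(certChain);
        // fixed signing time; presumably chosen to lie inside the validity
        // period of the fixture chain — confirm against chaintest.pfx
        Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);
        signatureConfig.setExecutionTime(oldCal.getTime());
        // SHA-1 is the digest this fixture exercises; the stronger digests
        // are covered by testNonSha1
        signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
        signatureConfig.setOpcPackage(pkg);
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        si.confirmSignature();
        for (SignaturePart sp : si.getSignatureParts()) {
            assertTrue("Could not validate", sp.validate());
            X509Certificate signer = sp.getSigner();
            assertNotNull("signer undefined?!", signer);
            List<X509Certificate> certChainRes = sp.getCertChain();
            assertEquals(3, certChainRes.size());
        }
    } finally {
        pkg.close();
    }
}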
Use of org.apache.poi.poifs.crypt.dsig.SignatureInfo in the Apache POI project:
class TestSignatureInfo, method testNonSha1.
@Test
public void testNonSha1() throws Exception {
    // Signs a fresh copy of the same workbook once per non-SHA-1 digest
    // algorithm and checks that the produced signature verifies. One
    // SignatureConfig is reused; only the digest and the package change
    // between iterations.
    final String testFile = "hello-world-unsigned.xlsx";
    initKeyPair("Test", "CN=Test");
    SignatureConfig cfg = new SignatureConfig();
    cfg.setKey(keyPair.getPrivate());
    cfg.setSigningCertificateChain(Collections.singletonList(x509));
    HashAlgorithm[] digests = {
        HashAlgorithm.sha224,
        HashAlgorithm.sha256,
        HashAlgorithm.sha384,
        HashAlgorithm.sha512,
        HashAlgorithm.ripemd160
    };
    for (HashAlgorithm digest : digests) {
        OPCPackage pkg = null;
        try {
            cfg.setDigestAlgo(digest);
            pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
            cfg.setOpcPackage(pkg);
            SignatureInfo info = new SignatureInfo();
            info.setSignatureConfig(cfg);
            info.confirmSignature();
            assertTrue("Signature not correctly calculated for " + digest, info.verifySignature());
        } finally {
            // pkg stays null when open() itself failed
            if (pkg != null) {
                pkg.close();
            }
        }
    }
}
Use of org.apache.poi.poifs.crypt.dsig.SignatureInfo in the Apache POI project:
class TestSignatureInfo, method getMultiSigners.
@Test
public void getMultiSigners() throws Exception {
    // A document signed twice must expose exactly two validated signers,
    // and the overall signature check must still succeed. The package is
    // opened read-only and always closed.
    final String testFile = "hello-world-signed-twice.docx";
    final String context = "test-file: " + testFile;
    OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
    try {
        SignatureConfig cfg = new SignatureConfig();
        cfg.setOpcPackage(pkg);
        SignatureInfo info = new SignatureInfo();
        info.setSignatureConfig(cfg);
        List<X509Certificate> signers = new ArrayList<X509Certificate>();
        for (SignaturePart part : info.getSignatureParts()) {
            if (!part.validate()) {
                continue;
            }
            signers.add(part.getSigner());
        }
        assertNotNull(signers);
        assertEquals(context, 2, signers.size());
        for (int i = 0; i < signers.size(); i++) {
            LOG.log(POILogger.DEBUG, "signer " + (i + 1) + ": " + signers.get(i).getSubjectX500Principal());
        }
        assertTrue(context, info.verifySignature());
        pkg.revert();
    } finally {
        pkg.close();
    }
}
Use of org.apache.poi.poifs.crypt.dsig.SignatureInfo in the Apache POI project:
class TestSignatureInfo, method testSignEnvelopingDocument.
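@Test
public void testSignEnvelopingDocument() throws Exception {
    // Signs a workbook with an enveloped XAdES-X-L signature (time-stamp,
    // CRL and OCSP data embedded) and checks the resulting XML structure.
    // Changes relative to the previous version: the package is closed in a
    // finally block (it used to leak on any failed assertion or on an
    // exception raised before confirmSignature()), the cause message is
    // null-guarded so a ConnectException without a message cannot mask the
    // real error with a NullPointerException, and the assertEquals argument
    // order is expected-first so failure messages read correctly.
    String testFile = "hello-world-unsigned.xlsx";
    // sign a copy so the fixture on disk is never modified
    OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
    try {
        initKeyPair("Test", "CN=Test");
        final X509CRL crl = PkiTestUtils.generateCrl(x509, keyPair.getPrivate());

        // setup
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setOpcPackage(pkg);
        signatureConfig.setKey(keyPair.getPrivate());
        /*
         * We need at least 2 certificates for the XAdES-C complete certificate
         * refs construction. The same test certificate is added twice purely
         * to satisfy that structural requirement; a real chain would be
         * leaf-to-root.
         */
        List<X509Certificate> certificateChain = new ArrayList<X509Certificate>();
        certificateChain.add(x509);
        certificateChain.add(x509);
        signatureConfig.setSigningCertificateChain(certificateChain);
        signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());
        signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());

        // check for internet: getAccessError() returns null when the TSP
        // endpoint is reachable; otherwise a local stub TSP is used so the
        // test does not depend on the network
        boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);
        // alternative public TSP endpoints:
        // http://timestamping.edelweb.fr/service/tsp
        // http://tsa.belgium.be/connect
        // http://timestamp.comodoca.com/authenticode
        // http://timestamp.comodoca.com/rfc3161
        // http://services.globaltrustfinder.com/adss/tsa
        signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");
        // comodoca request fails, if default policy is set ...
        signatureConfig.setTspRequestPolicy(null);
        signatureConfig.setTspOldProtocol(false);
        // set proxy info if any
        String proxy = System.getProperty("http_proxy");
        if (proxy != null && proxy.trim().length() > 0) {
            signatureConfig.setProxyUrl(proxy);
        }
        if (mockTsp) {
            // Stub TSP: returns a constant byte string rather than a real
            // RFC 3161 token and injects the test CRL. On this path the
            // time-stamp content itself is presumably not validated — only
            // the signature structure is exercised.
            TimeStampService tspService = new TimeStampService() {
                @Override
                public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {
                    revocationData.addCRL(crl);
                    return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);
                }
                @Override
                public void setSignatureConfig(SignatureConfig config) {
                    // empty on purpose
                }
            };
            signatureConfig.setTspService(tspService);
        } else {
            // Test-only validator: it logs the TSP certificate chain and
            // accepts it unconditionally. A production validator must
            // actually verify the chain and its revocation status.
            TimeStampServiceValidator tspValidator = new TimeStampServiceValidator() {
                @Override
                public void validate(List<X509Certificate> validateChain, RevocationData revocationData) throws Exception {
                    for (X509Certificate certificate : validateChain) {
                        LOG.log(POILogger.DEBUG, "certificate: " + certificate.getSubjectX500Principal());
                        LOG.log(POILogger.DEBUG, "validity: " + certificate.getNotBefore() + " - " + certificate.getNotAfter());
                    }
                }
            };
            signatureConfig.setTspValidator(tspValidator);
            signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));
        }

        // revocation data (CRL + OCSP) served from a fixed, test-generated
        // response regardless of the chain asked for
        final RevocationData revocationData = new RevocationData();
        revocationData.addCRL(crl);
        OCSPResp ocspResp = PkiTestUtils.createOcspResp(x509, false, x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());
        revocationData.addOCSP(ocspResp.getEncoded());
        RevocationDataService revocationDataService = new RevocationDataService() {
            @Override
            public RevocationData getRevocationData(List<X509Certificate> revocationChain) {
                return revocationData;
            }
        };
        signatureConfig.setRevocationDataService(revocationDataService);

        // operate
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        try {
            si.confirmSignature();
        } catch (RuntimeException e) {
            // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
            Throwable cause = e.getCause();
            if (cause == null) {
                throw e;
            }
            // getMessage() may be null; treat that as "no match" instead of
            // throwing a NullPointerException that would hide the real cause
            String causeMsg = cause.getMessage();
            if (causeMsg == null) {
                causeMsg = "";
            }
            if ((cause instanceof ConnectException) || (cause instanceof SocketTimeoutException)) {
                Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e, causeMsg.contains("timed out"));
            } else if (cause instanceof IOException) {
                Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e, causeMsg.contains("Error contacting TSP server"));
            } else if (cause instanceof RuntimeException) {
                Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e, causeMsg.contains("This site is cur"));
            }
            // any other cause is a genuine failure
            throw e;
        }

        // verify
        Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
        assertTrue("Had: " + si.getSignatureConfig().getOpcPackage().getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN), spIter.hasNext());
        SignaturePart sp = spIter.next();
        boolean valid = sp.validate();
        assertTrue(valid);

        SignatureDocument sigDoc = sp.getSignatureDocument();
        String declareNS = "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; " + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";
        // every Reference must carry a digest computed with the configured algorithm
        String digestValXQuery = declareNS + "$this/ds:Signature/ds:SignedInfo/ds:Reference";
        for (ReferenceType rt : (ReferenceType[]) sigDoc.selectPath(digestValXQuery)) {
            assertNotNull(rt.getDigestValue());
            assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());
        }
        // exactly one SigningCertificate digest
        String certDigestXQuery = declareNS + "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";
        XmlObject[] xoList = sigDoc.selectPath(certDigestXQuery);
        assertEquals(1, xoList.length);
        DigestAlgAndValueType certDigest = (DigestAlgAndValueType) xoList[0];
        assertNotNull(certDigest.getDigestValue());
        // exactly one QualifyingProperties element, and it must be schema-valid
        String qualPropXQuery = declareNS + "$this/ds:Signature/ds:Object/xades:QualifyingProperties";
        xoList = sigDoc.selectPath(qualPropXQuery);
        assertEquals(1, xoList.length);
        QualifyingPropertiesType qualProp = (QualifyingPropertiesType) xoList[0];
        boolean qualPropXsdOk = qualProp.validate();
        assertTrue(qualPropXsdOk);
    } finally {
        pkg.close();
    }
}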