
Example 1 with SignaturePart

use of org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart in project poi by apache.

the class TestSignatureInfo method getSignerUnsigned.

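@Test
public void getSignerUnsigned() throws Exception {
    // Every unsigned fixture (docx/pptx/xlsx plus the Office 2010 technical-preview
    // docx) must yield no validated signature part, i.e. an empty signer list.
    String[] testFiles = { "hello-world-unsigned.docx", "hello-world-unsigned.pptx", "hello-world-unsigned.xlsx", "hello-world-office-2010-technical-preview-unsigned.docx" };
    for (String testFile : testFiles) {
        OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
        try {
            SignatureConfig sic = new SignatureConfig();
            sic.setOpcPackage(pkg);
            SignatureInfo si = new SignatureInfo();
            si.setSignatureConfig(sic);
            // Collect only signers whose part actually validates; an unsigned
            // document must contribute none.
            List<X509Certificate> result = new ArrayList<X509Certificate>();
            for (SignaturePart sp : si.getSignatureParts()) {
                if (sp.validate()) {
                    result.add(sp.getSigner());
                }
            }
            // name the fixture in the failure message so a loop iteration is identifiable
            assertTrue("test-file: " + testFile, result.isEmpty());
        } finally {
            // release the read-only package even when an assertion fails;
            // same revert-then-close sequence as getMultiSigners
            pkg.revert();
            pkg.close();
        }
    }
}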

Example 2 with SignaturePart

use of org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart in project poi by apache.

the class TestSignatureInfo method testCertChain.

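@Test
public void testCertChain() throws Exception {
    // Load the signing key and its certificate chain from the PKCS#12 fixture.
    // The store password is reused as the key password ("test" is fixture data).
    KeyStore keystore = KeyStore.getInstance("PKCS12");
    String password = "test";
    InputStream is = testdata.openResourceAsStream("chaintest.pfx");
    try {
        keystore.load(is, password.toCharArray());
    } finally {
        // close the stream even if the keystore fails to load
        is.close();
    }
    Key key = keystore.getKey("poitest", password.toCharArray());
    // getCertificateChain returns the end-entity certificate first
    Certificate[] chainList = keystore.getCertificateChain("poitest");
    List<X509Certificate> certChain = new ArrayList<X509Certificate>();
    for (Certificate c : chainList) {
        certChain.add((X509Certificate) c);
    }
    // publish the leaf certificate / key pair to the test instance fields
    x509 = certChain.get(0);
    keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey) key);
    String testFile = "hello-world-unsigned.xlsx";
    // sign a copy so the shared fixture is never modified
    OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
    try {
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setKey(keyPair.getPrivate());
        signatureConfig.setSigningCertificateChain(certChain);
        // fixed execution time and SHA-1 digest keep the output deterministic;
        // these are test settings, not production choices
        Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);
        signatureConfig.setExecutionTime(oldCal.getTime());
        signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
        signatureConfig.setOpcPackage(pkg);
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        si.confirmSignature();
        for (SignaturePart sp : si.getSignatureParts()) {
            assertTrue("Could not validate", sp.validate());
            X509Certificate signer = sp.getSigner();
            assertNotNull("signer undefined?!", signer);
            // the complete 3-element chain must survive the signing round-trip
            List<X509Certificate> certChainRes = sp.getCertChain();
            assertEquals(3, certChainRes.size());
        }
    } finally {
        // close (and thus persist) the package even when an assertion fails
        pkg.close();
    }
}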

Example 3 with SignaturePart

use of org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart in project poi by apache.

the class TestSignatureInfo method getMultiSigners.

@Test
public void getMultiSigners() throws Exception {
    // A document that was signed twice must expose two validated signers and
    // verify as a whole; the package is opened read-only and reverted afterwards.
    String testFile = "hello-world-signed-twice.docx";
    OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
    try {
        SignatureConfig config = new SignatureConfig();
        config.setOpcPackage(pkg);
        SignatureInfo info = new SignatureInfo();
        info.setSignatureConfig(config);
        // keep the signer of every part that validates, in part order
        List<X509Certificate> signers = new ArrayList<X509Certificate>();
        for (SignaturePart part : info.getSignatureParts()) {
            if (!part.validate()) {
                continue;
            }
            signers.add(part.getSigner());
        }
        assertNotNull(signers);
        assertEquals("test-file: " + testFile, 2, signers.size());
        X509Certificate first = signers.get(0);
        X509Certificate second = signers.get(1);
        LOG.log(POILogger.DEBUG, "signer 1: " + first.getSubjectX500Principal());
        LOG.log(POILogger.DEBUG, "signer 2: " + second.getSubjectX500Principal());
        // whole-document verification must agree with the per-part results
        assertTrue("test-file: " + testFile, info.verifySignature());
        pkg.revert();
    } finally {
        pkg.close();
    }
}

Example 4 with SignaturePart

use of org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart in project poi by apache.

the class TestSignatureInfo method testSignEnvelopingDocument.

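@Test
public void testSignEnvelopingDocument() throws Exception {
    // Full XAdES-XL signing round-trip: sign a copy of an unsigned workbook with
    // a time-stamp (real TSP when reachable, otherwise a stub) and revocation
    // data, then validate the result and inspect the produced signature XML.
    String testFile = "hello-world-unsigned.xlsx";
    // sign a copy so the shared fixture is never modified
    OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
    try {
        initKeyPair("Test", "CN=Test");
        final X509CRL crl = PkiTestUtils.generateCrl(x509, keyPair.getPrivate());
        // setup
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setOpcPackage(pkg);
        signatureConfig.setKey(keyPair.getPrivate());
        /*
         * We need at least 2 certificates for the XAdES-C complete certificate
         * refs construction.
         */
        List<X509Certificate> certificateChain = new ArrayList<X509Certificate>();
        certificateChain.add(x509);
        certificateChain.add(x509);
        signatureConfig.setSigningCertificateChain(certificateChain);
        signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());
        signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());
        // check for internet, no error means it works; any access error selects the stub TSP
        boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);
        // http://timestamping.edelweb.fr/service/tsp
        // http://tsa.belgium.be/connect
        // http://timestamp.comodoca.com/authenticode
        // http://timestamp.comodoca.com/rfc3161
        // http://services.globaltrustfinder.com/adss/tsa
        signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");
        // comodoca request fails, if default policy is set ...
        signatureConfig.setTspRequestPolicy(null);
        signatureConfig.setTspOldProtocol(false);
        //set proxy info if any
        String proxy = System.getProperty("http_proxy");
        if (proxy != null && proxy.trim().length() > 0) {
            signatureConfig.setProxyUrl(proxy);
        }
        if (mockTsp) {
            // offline: return a fixed token and attach the test CRL as revocation data
            TimeStampService tspService = new TimeStampService() {

                @Override
                public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {
                    revocationData.addCRL(crl);
                    return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);
                }

                @Override
                public void setSignatureConfig(SignatureConfig config) {
                // empty on purpose
                }
            };
            signatureConfig.setTspService(tspService);
        } else {
            // online: the validator only logs the TSP chain, it does not reject anything
            TimeStampServiceValidator tspValidator = new TimeStampServiceValidator() {

                @Override
                public void validate(List<X509Certificate> validateChain, RevocationData revocationData) throws Exception {
                    for (X509Certificate certificate : validateChain) {
                        LOG.log(POILogger.DEBUG, "certificate: " + certificate.getSubjectX500Principal());
                        LOG.log(POILogger.DEBUG, "validity: " + certificate.getNotBefore() + " - " + certificate.getNotAfter());
                    }
                }
            };
            signatureConfig.setTspValidator(tspValidator);
            signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));
        }
        // self-issued CRL and OCSP response; SHA1withRSA is test material only
        final RevocationData revocationData = new RevocationData();
        revocationData.addCRL(crl);
        OCSPResp ocspResp = PkiTestUtils.createOcspResp(x509, false, x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());
        revocationData.addOCSP(ocspResp.getEncoded());
        RevocationDataService revocationDataService = new RevocationDataService() {

            @Override
            public RevocationData getRevocationData(List<X509Certificate> revocationChain) {
                return revocationData;
            }
        };
        signatureConfig.setRevocationDataService(revocationDataService);
        // operate
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        try {
            si.confirmSignature();
        } catch (RuntimeException e) {
            // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
            Throwable cause = e.getCause();
            if (cause == null) {
                throw e;
            }
            // a cause without a message must not turn into an NPE that hides the real failure
            String causeMsg = cause.getMessage();
            if (causeMsg == null) {
                causeMsg = "";
            }
            if ((cause instanceof ConnectException) || (cause instanceof SocketTimeoutException)) {
                Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e, causeMsg.contains("timed out"));
            } else if (cause instanceof IOException) {
                Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e, causeMsg.contains("Error contacting TSP server"));
            } else if (cause instanceof RuntimeException) {
                Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e, causeMsg.contains("This site is cur"));
            }
            throw e;
        }
        // verify
        Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
        assertTrue("Had: " + si.getSignatureConfig().getOpcPackage().getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN), spIter.hasNext());
        SignaturePart sp = spIter.next();
        boolean valid = sp.validate();
        assertTrue(valid);
        SignatureDocument sigDoc = sp.getSignatureDocument();
        String declareNS = "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; " + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";
        // every reference must carry a digest computed with the configured digest method
        String digestValXQuery = declareNS + "$this/ds:Signature/ds:SignedInfo/ds:Reference";
        for (ReferenceType rt : (ReferenceType[]) sigDoc.selectPath(digestValXQuery)) {
            assertNotNull(rt.getDigestValue());
            assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());
        }
        // exactly one signing-certificate digest (JUnit: expected value first)
        String certDigestXQuery = declareNS + "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";
        XmlObject[] xoList = sigDoc.selectPath(certDigestXQuery);
        assertEquals(1, xoList.length);
        DigestAlgAndValueType certDigest = (DigestAlgAndValueType) xoList[0];
        assertNotNull(certDigest.getDigestValue());
        // exactly one QualifyingProperties element, and it must be schema-valid
        String qualPropXQuery = declareNS + "$this/ds:Signature/ds:Object/xades:QualifyingProperties";
        xoList = sigDoc.selectPath(qualPropXQuery);
        assertEquals(1, xoList.length);
        QualifyingPropertiesType qualProp = (QualifyingPropertiesType) xoList[0];
        boolean qualPropXsdOk = qualProp.validate();
        assertTrue(qualPropXsdOk);
    } finally {
        // close (and thus persist) the package on every exit path, not only on
        // success and on a failed confirmSignature()
        pkg.close();
    }
}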

Example 5 with SignaturePart

use of org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart in project poi by apache.

the class TestSignatureInfo method sign.

private void sign(OPCPackage pkgCopy, String alias, String signerDn, int signerCount) throws Exception {
    // Sign pkgCopy with a freshly generated key pair (alias / signerDn) using the
    // split preSign / signDigest / postSign flow, then assert that exactly
    // signerCount signature parts validate afterwards.
    initKeyPair(alias, signerDn);
    SignatureConfig config = new SignatureConfig();
    config.setKey(keyPair.getPrivate());
    config.setSigningCertificateChain(Collections.singletonList(x509));
    config.setExecutionTime(cal.getTime());
    config.setDigestAlgo(HashAlgorithm.sha1);
    config.setOpcPackage(pkgCopy);
    SignatureInfo info = new SignatureInfo();
    info.setSignatureConfig(config);
    Document dom = DocumentHelper.createDocument();
    // operate: compute the digest to be signed
    DigestInfo digest = info.preSign(dom, null);
    // verify: digest metadata
    assertNotNull(digest);
    LOG.log(POILogger.DEBUG, "digest algo: " + digest.hashAlgo);
    LOG.log(POILogger.DEBUG, "digest description: " + digest.description);
    assertEquals("Office OpenXML Document", digest.description);
    assertNotNull(digest.hashAlgo);
    assertNotNull(digest.digestValue);
    // setup: key material, signature value
    byte[] sigValue = info.signDigest(digest.digestValue);
    // operate: postSign
    info.postSign(dom, sigValue);
    // verify: signature
    info.getSignatureConfig().setOpcPackage(pkgCopy);
    List<X509Certificate> signers = new ArrayList<X509Certificate>();
    for (SignaturePart part : info.getSignatureParts()) {
        if (!part.validate()) {
            continue;
        }
        signers.add(part.getSigner());
    }
    assertEquals(signerCount, signers.size());
}
