
Example 1 with KeyInfoSignatureFacet

use of org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet in project poi by apache.

From class SignatureConfig, method init().

/**
 * Initializes and checks this configuration object.
 *
 * Complex properties that the caller did not set explicitly are created here
 * with their defaults; properties that implement {@link SignatureConfigurable}
 * are wired back to this config so they can read the other settings.
 *
 * @param onlyValidation if {@code true}, only the properties required for
 *        validating an existing signature are initialized; if {@code false},
 *        the properties required for signing (marshal listener, timestamp
 *        service, signature facets) are initialized as well
 * @throws EncryptedDocumentException if no OPC package has been set
 */
protected void init(boolean onlyValidation) {
    if (opcPackage == null) {
        throw new EncryptedDocumentException("opcPackage is null");
    }

    // --- properties needed for both validation and signing ---
    if (uriDereferencer == null) {
        uriDereferencer = new OOXMLURIDereferencer();
    }
    if (uriDereferencer instanceof SignatureConfigurable) {
        ((SignatureConfigurable) uriDereferencer).setSignatureConfig(this);
    }
    if (namespacePrefixes.isEmpty()) {
        // The ds (XML-DSig) namespace is deliberately left unprefixed: OpenOffice
        // rejects documents whose ds elements carry a prefix, so only the
        // Office and XAdES namespaces get one.
        namespacePrefixes.put(OO_DIGSIG_NS, "mdssi");
        namespacePrefixes.put(XADES_132_NS, "xd");
    }

    // --- properties needed for signing only ---
    if (!onlyValidation) {
        if (signatureMarshalListener == null) {
            signatureMarshalListener = new SignatureMarshalListener();
        }
        if (signatureMarshalListener instanceof SignatureConfigurable) {
            ((SignatureConfigurable) signatureMarshalListener).setSignatureConfig(this);
        }
        // The timestamp service is optional; no default is created for it.
        if (tspService != null) {
            tspService.setSignatureConfig(this);
        }
        // Default facet set, used only when the caller registered none.
        if (signatureFacets.isEmpty()) {
            addSignatureFacet(new OOXMLSignatureFacet());
            addSignatureFacet(new KeyInfoSignatureFacet());
            addSignatureFacet(new XAdESSignatureFacet());
            addSignatureFacet(new Office2010SignatureFacet());
        }
        for (SignatureFacet facet : signatureFacets) {
            facet.setSignatureConfig(this);
        }
    }
}

Example 2 with KeyInfoSignatureFacet

use of org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet in project poi by apache.

From class TestSignatureInfo, method testSignEnvelopingDocument().

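/**
 * Signs a copy of an unsigned workbook with an enveloped XAdES-X-L signature
 * (enveloped + KeyInfo + XAdES + XAdES-XL facets), using a real RFC 3161
 * timestamp authority when the network is reachable and a mock one otherwise,
 * then validates the produced signature part and spot-checks its XML.
 *
 * The test is skipped (not failed) when the public TSA cannot be contacted.
 *
 * @throws Exception on any unexpected failure while signing or validating
 */
@Test
public void testSignEnvelopingDocument() throws Exception {
    String testFile = "hello-world-unsigned.xlsx";
    // READ_WRITE: confirmSignature() writes the signature parts into this (copied) package.
    OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
    // Close in finally: previously the package was only closed on the RuntimeException
    // path, so a failed assertion or a checked exception leaked the open package.
    try {
        initKeyPair("Test", "CN=Test");
        final X509CRL crl = PkiTestUtils.generateCrl(x509, keyPair.getPrivate());
        // setup
        SignatureConfig signatureConfig = new SignatureConfig();
        signatureConfig.setOpcPackage(pkg);
        signatureConfig.setKey(keyPair.getPrivate());
        /*
         * We need at least 2 certificates for the XAdES-C complete certificate
         * refs construction, so the single self-signed test certificate is added twice.
         */
        List<X509Certificate> certificateChain = new ArrayList<X509Certificate>();
        certificateChain.add(x509);
        certificateChain.add(x509);
        signatureConfig.setSigningCertificateChain(certificateChain);
        signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());
        signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESSignatureFacet());
        signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());
        // check for internet, no error means it works -> use the real TSA, otherwise a mock
        boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);
        // alternative public TSAs:
        // http://timestamping.edelweb.fr/service/tsp
        // http://tsa.belgium.be/connect
        // http://timestamp.comodoca.com/authenticode
        // http://timestamp.comodoca.com/rfc3161
        // http://services.globaltrustfinder.com/adss/tsa
        signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");
        // comodoca request fails, if default policy is set ...
        signatureConfig.setTspRequestPolicy(null);
        signatureConfig.setTspOldProtocol(false);
        // set proxy info if any
        String proxy = System.getProperty("http_proxy");
        if (proxy != null && proxy.trim().length() > 0) {
            signatureConfig.setProxyUrl(proxy);
        }
        if (mockTsp) {
            // Offline: the returned "token" is an arbitrary byte string, not a real
            // RFC 3161 token; it only exercises the plumbing, not timestamp validity.
            TimeStampService tspService = new TimeStampService() {

                @Override
                public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {
                    revocationData.addCRL(crl);
                    return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);
                }

                @Override
                public void setSignatureConfig(SignatureConfig config) {
                // empty on purpose
                }
            };
            signatureConfig.setTspService(tspService);
        } else {
            // NOTE: this validator only logs the TSA certificate chain and accepts it
            // unconditionally. That is acceptable for a test against a public TSA, but
            // it must not be copied into production code, where the TSA chain has to be
            // verified against trusted anchors.
            TimeStampServiceValidator tspValidator = new TimeStampServiceValidator() {

                @Override
                public void validate(List<X509Certificate> validateChain, RevocationData revocationData) throws Exception {
                    for (X509Certificate certificate : validateChain) {
                        LOG.log(POILogger.DEBUG, "certificate: " + certificate.getSubjectX500Principal());
                        LOG.log(POILogger.DEBUG, "validity: " + certificate.getNotBefore() + " - " + certificate.getNotAfter());
                    }
                }
            };
            signatureConfig.setTspValidator(tspValidator);
            signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));
        }
        final RevocationData revocationData = new RevocationData();
        revocationData.addCRL(crl);
        // Self-issued test OCSP response (issuer == responder == subject). SHA1withRSA is
        // test-only here; do not use SHA-1 signatures outside of test fixtures.
        OCSPResp ocspResp = PkiTestUtils.createOcspResp(x509, false, x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());
        revocationData.addOCSP(ocspResp.getEncoded());
        // Canned revocation data: the same CRL/OCSP is returned regardless of the chain asked for.
        RevocationDataService revocationDataService = new RevocationDataService() {

            @Override
            public RevocationData getRevocationData(List<X509Certificate> revocationChain) {
                return revocationData;
            }
        };
        signatureConfig.setRevocationDataService(revocationDataService);
        // operate
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        try {
            si.confirmSignature();
        } catch (RuntimeException e) {
            // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
            rethrowUnlessTspUnreachable(e);
        }
        // verify
        Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
        assertTrue("Had: " + si.getSignatureConfig().getOpcPackage().getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN), spIter.hasNext());
        SignaturePart sp = spIter.next();
        boolean valid = sp.validate();
        assertTrue(valid);
        SignatureDocument sigDoc = sp.getSignatureDocument();
        String declareNS = "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; " + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";
        // every Reference must carry a digest computed with the configured digest method
        String digestValXQuery = declareNS + "$this/ds:Signature/ds:SignedInfo/ds:Reference";
        for (ReferenceType rt : (ReferenceType[]) sigDoc.selectPath(digestValXQuery)) {
            assertNotNull(rt.getDigestValue());
            assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());
        }
        // exactly one signing-certificate digest (assertEquals is expected, actual)
        String certDigestXQuery = declareNS + "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";
        XmlObject[] xoList = sigDoc.selectPath(certDigestXQuery);
        assertEquals(1, xoList.length);
        DigestAlgAndValueType certDigest = (DigestAlgAndValueType) xoList[0];
        assertNotNull(certDigest.getDigestValue());
        // exactly one QualifyingProperties element, and it must validate against the XAdES schema
        String qualPropXQuery = declareNS + "$this/ds:Signature/ds:Object/xades:QualifyingProperties";
        xoList = sigDoc.selectPath(qualPropXQuery);
        assertEquals(1, xoList.length);
        QualifyingPropertiesType qualProp = (QualifyingPropertiesType) xoList[0];
        boolean qualPropXsdOk = qualProp.validate();
        assertTrue(qualPropXsdOk);
    } finally {
        pkg.close();
    }
}

/**
 * Skips the test (via JUnit's Assume) when {@code e} wraps one of the known
 * TSP-connectivity failures seen on CI; rethrows {@code e} unchanged otherwise.
 *
 * @param e the RuntimeException thrown by confirmSignature()
 */
private static void rethrowUnlessTspUnreachable(RuntimeException e) {
    Throwable cause = e.getCause();
    if (cause == null) {
        throw e;
    }
    // getMessage() may be null; guard so an NPE here does not mask the real failure.
    String msg = cause.getMessage() == null ? "" : cause.getMessage();
    if ((cause instanceof ConnectException) || (cause instanceof SocketTimeoutException)) {
        Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e, msg.contains("timed out"));
    } else if (cause instanceof IOException) {
        Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e, msg.contains("Error contacting TSP server"));
    } else if (cause instanceof RuntimeException) {
        Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e, msg.contains("This site is cur"));
    }
    throw e;
}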
