Search in sources :

Example 1 with DERTaggedObject

use of org.bouncycastle.asn1.DERTaggedObject in project poi by apache.

the class XAdESXLSignatureFacet method postSign.

@Override
public void postSign(Document document) throws MarshalException {
    LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");
    QualifyingPropertiesDocument qualDoc = null;
    QualifyingPropertiesType qualProps = null;
    // check for XAdES-BES
    NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");
    if (qualNl.getLength() == 1) {
        try {
            qualDoc = QualifyingPropertiesDocument.Factory.parse(qualNl.item(0), DEFAULT_XML_OPTIONS);
        } catch (XmlException e) {
            throw new MarshalException(e);
        }
        qualProps = qualDoc.getQualifyingProperties();
    } else {
        throw new MarshalException("no XAdES-BES extension present");
    }
    // create basic XML container structure
    UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();
    if (unsignedProps == null) {
        unsignedProps = qualProps.addNewUnsignedProperties();
    }
    UnsignedSignaturePropertiesType unsignedSigProps = unsignedProps.getUnsignedSignatureProperties();
    if (unsignedSigProps == null) {
        unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();
    }
    // create the XAdES-T time-stamp
    NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");
    if (nlSigVal.getLength() != 1) {
        throw new IllegalArgumentException("SignatureValue is not set.");
    }
    RevocationData tsaRevocationDataXadesT = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");
    XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp(Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);
    // marshal the XAdES-T extension
    unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);
    // xadesv141::TimeStampValidationData
    if (tsaRevocationDataXadesT.hasRevocationDataEntries()) {
        ValidationDataType validationData = createValidationData(tsaRevocationDataXadesT);
        insertXChild(unsignedSigProps, validationData);
    }
    if (signatureConfig.getRevocationDataService() == null) {
        /*
             * Without revocation data service we cannot construct the XAdES-C
             * extension.
             */
        return;
    }
    // XAdES-C: complete certificate refs
    CompleteCertificateRefsType completeCertificateRefs = unsignedSigProps.addNewCompleteCertificateRefs();
    CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();
    /*
         * We skip the signing certificate itself according to section
         * 4.4.3.2 of the XAdES 1.4.1 specification.
         */
    List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain();
    int chainSize = certChain.size();
    if (chainSize > 1) {
        for (X509Certificate cert : certChain.subList(1, chainSize)) {
            CertIDType certId = certIdList.addNewCert();
            XAdESSignatureFacet.setCertID(certId, signatureConfig, false, cert);
        }
    }
    // XAdES-C: complete revocation refs
    CompleteRevocationRefsType completeRevocationRefs = unsignedSigProps.addNewCompleteRevocationRefs();
    RevocationData revocationData = signatureConfig.getRevocationDataService().getRevocationData(certChain);
    if (revocationData.hasCRLs()) {
        CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs();
        completeRevocationRefs.setCRLRefs(crlRefs);
        for (byte[] encodedCrl : revocationData.getCRLs()) {
            CRLRefType crlRef = crlRefs.addNewCRLRef();
            X509CRL crl;
            try {
                crl = (X509CRL) this.certificateFactory.generateCRL(new ByteArrayInputStream(encodedCrl));
            } catch (CRLException e) {
                throw new RuntimeException("CRL parse error: " + e.getMessage(), e);
            }
            CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier();
            String issuerName = crl.getIssuerDN().getName().replace(",", ", ");
            crlIdentifier.setIssuer(issuerName);
            Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
            cal.setTime(crl.getThisUpdate());
            crlIdentifier.setIssueTime(cal);
            crlIdentifier.setNumber(getCrlNumber(crl));
            DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue();
            XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo());
        }
    }
    if (revocationData.hasOCSPs()) {
        OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs();
        for (byte[] ocsp : revocationData.getOCSPs()) {
            try {
                OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();
                DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();
                XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());
                OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();
                OCSPResp ocspResp = new OCSPResp(ocsp);
                BasicOCSPResp basicOcspResp = (BasicOCSPResp) ocspResp.getResponseObject();
                Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
                cal.setTime(basicOcspResp.getProducedAt());
                ocspIdentifier.setProducedAt(cal);
                ResponderIDType responderId = ocspIdentifier.addNewResponderID();
                RespID respId = basicOcspResp.getResponderId();
                ResponderID ocspResponderId = respId.toASN1Primitive();
                DERTaggedObject derTaggedObject = (DERTaggedObject) ocspResponderId.toASN1Primitive();
                if (2 == derTaggedObject.getTagNo()) {
                    ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject();
                    byte[] key = keyHashOctetString.getOctets();
                    responderId.setByKey(key);
                } else {
                    X500Name name = X500Name.getInstance(derTaggedObject.getObject());
                    String nameStr = name.toString();
                    responderId.setByName(nameStr);
                }
            } catch (Exception e) {
                throw new RuntimeException("OCSP decoding error: " + e.getMessage(), e);
            }
        }
    }
    // marshal XAdES-C
    // XAdES-X Type 1 timestamp
    List<Node> timeStampNodesXadesX1 = new ArrayList<Node>();
    timeStampNodesXadesX1.add(nlSigVal.item(0));
    timeStampNodesXadesX1.add(signatureTimeStamp.getDomNode());
    timeStampNodesXadesX1.add(completeCertificateRefs.getDomNode());
    timeStampNodesXadesX1.add(completeRevocationRefs.getDomNode());
    RevocationData tsaRevocationDataXadesX1 = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");
    XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp(timeStampNodesXadesX1, tsaRevocationDataXadesX1);
    if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {
        ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);
        insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);
    }
    // marshal XAdES-X
    unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1);
    // XAdES-X-L
    CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues();
    for (X509Certificate certificate : certChain) {
        EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate();
        try {
            encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
        }
    }
    RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();
    createRevocationValues(revocationValues, revocationData);
    // marshal XAdES-X-L
    Node n = document.importNode(qualProps.getDomNode(), true);
    qualNl.item(0).getParentNode().replaceChild(n, qualNl.item(0));
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) MarshalException(javax.xml.crypto.MarshalException) X509CRL(java.security.cert.X509CRL) ValidationDataType(org.etsi.uri.x01903.v14.ValidationDataType) Node(org.w3c.dom.Node) ResponderID(org.bouncycastle.asn1.ocsp.ResponderID) ArrayList(java.util.ArrayList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) X500Name(org.bouncycastle.asn1.x500.X500Name) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) CRLException(java.security.cert.CRLException) RevocationData(org.apache.poi.poifs.crypt.dsig.services.RevocationData) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) NodeList(org.w3c.dom.NodeList) Calendar(java.util.Calendar) CertificateEncodingException(java.security.cert.CertificateEncodingException) X509Certificate(java.security.cert.X509Certificate) MarshalException(javax.xml.crypto.MarshalException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) XmlException(org.apache.xmlbeans.XmlException) CRLException(java.security.cert.CRLException) CertificateEncodingException(java.security.cert.CertificateEncodingException) ByteArrayInputStream(java.io.ByteArrayInputStream) XmlException(org.apache.xmlbeans.XmlException) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) RespID(org.bouncycastle.cert.ocsp.RespID)

Example 2 with DERTaggedObject

use of org.bouncycastle.asn1.DERTaggedObject in project robovm by robovm.

the class CMSUtils method getAttributeCertificatesFromStore.

static List getAttributeCertificatesFromStore(Store attrStore) throws CMSException {
    List certs = new ArrayList();
    try {
        for (Iterator it = attrStore.getMatches(null).iterator(); it.hasNext(); ) {
            X509AttributeCertificateHolder attrCert = (X509AttributeCertificateHolder) it.next();
            certs.add(new DERTaggedObject(false, 2, attrCert.toASN1Structure()));
        }
        return certs;
    } catch (ClassCastException e) {
        throw new CMSException("error processing certs", e);
    }
}
Also used : DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) ArrayList(java.util.ArrayList) Iterator(java.util.Iterator) ArrayList(java.util.ArrayList) CertificateList(org.bouncycastle.asn1.x509.CertificateList) List(java.util.List) X509AttributeCertificateHolder(org.bouncycastle.cert.X509AttributeCertificateHolder)

Example 3 with DERTaggedObject

use of org.bouncycastle.asn1.DERTaggedObject in project robovm by robovm.

the class SignedData method toASN1Primitive.

/**
     * Produce an object suitable for an ASN1OutputStream.
     * <pre>
     *  SignedData ::= SEQUENCE {
     *      version Version,
     *      digestAlgorithms DigestAlgorithmIdentifiers,
     *      contentInfo ContentInfo,
     *      certificates
     *          [0] IMPLICIT ExtendedCertificatesAndCertificates
     *                   OPTIONAL,
     *      crls
     *          [1] IMPLICIT CertificateRevocationLists OPTIONAL,
     *      signerInfos SignerInfos }
     * </pre>
     */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(version);
    v.add(digestAlgorithms);
    v.add(contentInfo);
    if (certificates != null) {
        v.add(new DERTaggedObject(false, 0, certificates));
    }
    if (crls != null) {
        v.add(new DERTaggedObject(false, 1, crls));
    }
    v.add(signerInfos);
    return new BERSequence(v);
}
Also used : DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) BERSequence(org.bouncycastle.asn1.BERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Example 4 with DERTaggedObject

use of org.bouncycastle.asn1.DERTaggedObject in project robovm by robovm.

the class TBSCertList method toASN1Primitive.

public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    if (version != null) {
        v.add(version);
    }
    v.add(signature);
    v.add(issuer);
    v.add(thisUpdate);
    if (nextUpdate != null) {
        v.add(nextUpdate);
    }
    // Add CRLEntries if they exist
    if (revokedCertificates != null) {
        v.add(revokedCertificates);
    }
    if (crlExtensions != null) {
        v.add(new DERTaggedObject(0, crlExtensions));
    }
    return new DERSequence(v);
}
Also used : DERSequence(org.bouncycastle.asn1.DERSequence) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)

Example 5 with DERTaggedObject

use of org.bouncycastle.asn1.DERTaggedObject in project robovm by robovm.

the class SignedData method toASN1Primitive.

/**
     * Produce an object suitable for an ASN1OutputStream.
     * <pre>
     * SignedData ::= SEQUENCE {
     *     version CMSVersion,
     *     digestAlgorithms DigestAlgorithmIdentifiers,
     *     encapContentInfo EncapsulatedContentInfo,
     *     certificates [0] IMPLICIT CertificateSet OPTIONAL,
     *     crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
     *     signerInfos SignerInfos
     *   }
     * </pre>
     */
public ASN1Primitive toASN1Primitive() {
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(version);
    v.add(digestAlgorithms);
    v.add(contentInfo);
    if (certificates != null) {
        if (certsBer) {
            v.add(new BERTaggedObject(false, 0, certificates));
        } else {
            v.add(new DERTaggedObject(false, 0, certificates));
        }
    }
    if (crls != null) {
        if (crlsBer) {
            v.add(new BERTaggedObject(false, 1, crls));
        } else {
            v.add(new DERTaggedObject(false, 1, crls));
        }
    }
    v.add(signerInfos);
    return new BERSequence(v);
}
Also used : DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) BERSequence(org.bouncycastle.asn1.BERSequence) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) BERTaggedObject(org.bouncycastle.asn1.BERTaggedObject)

Aggregations

DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)73 ASN1EncodableVector (org.bouncycastle.asn1.ASN1EncodableVector)42 DERSequence (org.bouncycastle.asn1.DERSequence)40 ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)22 DEROctetString (org.bouncycastle.asn1.DEROctetString)21 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)18 ASN1Primitive (org.bouncycastle.asn1.ASN1Primitive)16 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 DLSequence (org.bouncycastle.asn1.DLSequence)14 IOException (java.io.IOException)11 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)11 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)11 DERIA5String (org.bouncycastle.asn1.DERIA5String)10 GeneralName (org.bouncycastle.asn1.x509.GeneralName)10 ASN1Integer (org.bouncycastle.asn1.ASN1Integer)9 BigInteger (java.math.BigInteger)7 DERPrintableString (org.bouncycastle.asn1.DERPrintableString)7 BERSequence (org.bouncycastle.asn1.BERSequence)6 DERGeneralizedTime (org.bouncycastle.asn1.DERGeneralizedTime)6 DERSet (org.bouncycastle.asn1.DERSet)6