Search in sources :

Example 1 with OcspIdentifier

use of org.bouncycastle.asn1.esf.OcspIdentifier in project poi by apache.

the class XAdESXLSignatureFacet method postSign.

@Override
public void postSign(Document document) throws MarshalException {
    LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");
    QualifyingPropertiesDocument qualDoc = null;
    QualifyingPropertiesType qualProps = null;
    // check for XAdES-BES
    NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");
    if (qualNl.getLength() == 1) {
        try {
            qualDoc = QualifyingPropertiesDocument.Factory.parse(qualNl.item(0), DEFAULT_XML_OPTIONS);
        } catch (XmlException e) {
            throw new MarshalException(e);
        }
        qualProps = qualDoc.getQualifyingProperties();
    } else {
        throw new MarshalException("no XAdES-BES extension present");
    }
    // create basic XML container structure
    UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();
    if (unsignedProps == null) {
        unsignedProps = qualProps.addNewUnsignedProperties();
    }
    UnsignedSignaturePropertiesType unsignedSigProps = unsignedProps.getUnsignedSignatureProperties();
    if (unsignedSigProps == null) {
        unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();
    }
    // create the XAdES-T time-stamp
    NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");
    if (nlSigVal.getLength() != 1) {
        throw new IllegalArgumentException("SignatureValue is not set.");
    }
    RevocationData tsaRevocationDataXadesT = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");
    XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp(Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);
    // marshal the XAdES-T extension
    unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);
    // xadesv141::TimeStampValidationData
    if (tsaRevocationDataXadesT.hasRevocationDataEntries()) {
        ValidationDataType validationData = createValidationData(tsaRevocationDataXadesT);
        insertXChild(unsignedSigProps, validationData);
    }
    if (signatureConfig.getRevocationDataService() == null) {
        /*
             * Without revocation data service we cannot construct the XAdES-C
             * extension.
             */
        return;
    }
    // XAdES-C: complete certificate refs
    CompleteCertificateRefsType completeCertificateRefs = unsignedSigProps.addNewCompleteCertificateRefs();
    CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();
    /*
         * We skip the signing certificate itself according to section
         * 4.4.3.2 of the XAdES 1.4.1 specification.
         */
    List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain();
    int chainSize = certChain.size();
    if (chainSize > 1) {
        for (X509Certificate cert : certChain.subList(1, chainSize)) {
            CertIDType certId = certIdList.addNewCert();
            XAdESSignatureFacet.setCertID(certId, signatureConfig, false, cert);
        }
    }
    // XAdES-C: complete revocation refs
    CompleteRevocationRefsType completeRevocationRefs = unsignedSigProps.addNewCompleteRevocationRefs();
    RevocationData revocationData = signatureConfig.getRevocationDataService().getRevocationData(certChain);
    if (revocationData.hasCRLs()) {
        CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs();
        completeRevocationRefs.setCRLRefs(crlRefs);
        for (byte[] encodedCrl : revocationData.getCRLs()) {
            CRLRefType crlRef = crlRefs.addNewCRLRef();
            X509CRL crl;
            try {
                crl = (X509CRL) this.certificateFactory.generateCRL(new ByteArrayInputStream(encodedCrl));
            } catch (CRLException e) {
                throw new RuntimeException("CRL parse error: " + e.getMessage(), e);
            }
            CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier();
            String issuerName = crl.getIssuerDN().getName().replace(",", ", ");
            crlIdentifier.setIssuer(issuerName);
            Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
            cal.setTime(crl.getThisUpdate());
            crlIdentifier.setIssueTime(cal);
            crlIdentifier.setNumber(getCrlNumber(crl));
            DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue();
            XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo());
        }
    }
    if (revocationData.hasOCSPs()) {
        OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs();
        for (byte[] ocsp : revocationData.getOCSPs()) {
            try {
                OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();
                DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();
                XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());
                OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();
                OCSPResp ocspResp = new OCSPResp(ocsp);
                BasicOCSPResp basicOcspResp = (BasicOCSPResp) ocspResp.getResponseObject();
                Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
                cal.setTime(basicOcspResp.getProducedAt());
                ocspIdentifier.setProducedAt(cal);
                ResponderIDType responderId = ocspIdentifier.addNewResponderID();
                RespID respId = basicOcspResp.getResponderId();
                ResponderID ocspResponderId = respId.toASN1Primitive();
                DERTaggedObject derTaggedObject = (DERTaggedObject) ocspResponderId.toASN1Primitive();
                if (2 == derTaggedObject.getTagNo()) {
                    ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject();
                    byte[] key = keyHashOctetString.getOctets();
                    responderId.setByKey(key);
                } else {
                    X500Name name = X500Name.getInstance(derTaggedObject.getObject());
                    String nameStr = name.toString();
                    responderId.setByName(nameStr);
                }
            } catch (Exception e) {
                throw new RuntimeException("OCSP decoding error: " + e.getMessage(), e);
            }
        }
    }
    // marshal XAdES-C
    // XAdES-X Type 1 timestamp
    List<Node> timeStampNodesXadesX1 = new ArrayList<Node>();
    timeStampNodesXadesX1.add(nlSigVal.item(0));
    timeStampNodesXadesX1.add(signatureTimeStamp.getDomNode());
    timeStampNodesXadesX1.add(completeCertificateRefs.getDomNode());
    timeStampNodesXadesX1.add(completeRevocationRefs.getDomNode());
    RevocationData tsaRevocationDataXadesX1 = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");
    XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp(timeStampNodesXadesX1, tsaRevocationDataXadesX1);
    if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {
        ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);
        insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);
    }
    // marshal XAdES-X
    unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1);
    // XAdES-X-L
    CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues();
    for (X509Certificate certificate : certChain) {
        EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate();
        try {
            encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
        }
    }
    RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();
    createRevocationValues(revocationValues, revocationData);
    // marshal XAdES-X-L
    Node n = document.importNode(qualProps.getDomNode(), true);
    qualNl.item(0).getParentNode().replaceChild(n, qualNl.item(0));
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) MarshalException(javax.xml.crypto.MarshalException) X509CRL(java.security.cert.X509CRL) ValidationDataType(org.etsi.uri.x01903.v14.ValidationDataType) Node(org.w3c.dom.Node) ResponderID(org.bouncycastle.asn1.ocsp.ResponderID) ArrayList(java.util.ArrayList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) X500Name(org.bouncycastle.asn1.x500.X500Name) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) CRLException(java.security.cert.CRLException) RevocationData(org.apache.poi.poifs.crypt.dsig.services.RevocationData) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) NodeList(org.w3c.dom.NodeList) Calendar(java.util.Calendar) CertificateEncodingException(java.security.cert.CertificateEncodingException) X509Certificate(java.security.cert.X509Certificate) MarshalException(javax.xml.crypto.MarshalException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) XmlException(org.apache.xmlbeans.XmlException) CRLException(java.security.cert.CRLException) CertificateEncodingException(java.security.cert.CertificateEncodingException) ByteArrayInputStream(java.io.ByteArrayInputStream) XmlException(org.apache.xmlbeans.XmlException) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) RespID(org.bouncycastle.cert.ocsp.RespID)

Example 2 with OcspIdentifier

use of org.bouncycastle.asn1.esf.OcspIdentifier in project signer by demoiselle.

the class RevocationRefs method makeOcspResponsesID.

/**
 * make OcspResponsesID from BasicOCSPResp
 *
 * @param ocspResp
 * @return OcspResponsesID
 * @throws NoSuchAlgorithmException
 * @throws OCSPException
 * @throws IOException
 */
@SuppressWarnings("unused")
private OcspResponsesID makeOcspResponsesID(BasicOCSPResp ocspResp) throws NoSuchAlgorithmException, OCSPException, IOException {
    Digest digest = DigestFactory.getInstance().factoryDefault();
    digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
    byte[] digestValue = digest.digest(ocspResp.getEncoded());
    OtherHash hash = new OtherHash(digestValue);
    OcspResponsesID ocsprespid = new OcspResponsesID(new OcspIdentifier(ocspResp.getResponderId().toASN1Object(), new DERGeneralizedTime(ocspResp.getProducedAt())), hash);
    return ocsprespid;
}
Also used : OcspResponsesID(org.bouncycastle.asn1.esf.OcspResponsesID) DERGeneralizedTime(org.bouncycastle.asn1.DERGeneralizedTime) Digest(org.demoiselle.signer.cryptography.Digest) OcspIdentifier(org.bouncycastle.asn1.esf.OcspIdentifier) OtherHash(org.bouncycastle.asn1.esf.OtherHash)

Aggregations

ByteArrayInputStream (java.io.ByteArrayInputStream)1 IOException (java.io.IOException)1 CRLException (java.security.cert.CRLException)1 CertificateEncodingException (java.security.cert.CertificateEncodingException)1 CertificateException (java.security.cert.CertificateException)1 X509CRL (java.security.cert.X509CRL)1 X509Certificate (java.security.cert.X509Certificate)1 ArrayList (java.util.ArrayList)1 Calendar (java.util.Calendar)1 MarshalException (javax.xml.crypto.MarshalException)1 RevocationData (org.apache.poi.poifs.crypt.dsig.services.RevocationData)1 XmlException (org.apache.xmlbeans.XmlException)1 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)1 DERGeneralizedTime (org.bouncycastle.asn1.DERGeneralizedTime)1 DERTaggedObject (org.bouncycastle.asn1.DERTaggedObject)1 OcspIdentifier (org.bouncycastle.asn1.esf.OcspIdentifier)1 OcspResponsesID (org.bouncycastle.asn1.esf.OcspResponsesID)1 OtherHash (org.bouncycastle.asn1.esf.OtherHash)1 ResponderID (org.bouncycastle.asn1.ocsp.ResponderID)1 X500Name (org.bouncycastle.asn1.x500.X500Name)1