use of org.demoiselle.signer.policy.engine.asn1.etsi.ObjectIdentifier in project signer by demoiselle.
the class CAdESChecker method check.
/**
* Validation is done only on digital signatures with a single signer. Valid
* only with content of type DATA.: OID ContentType 1.2.840.113549.1.9.3 =
* OID Data 1.2.840.113549.1.7.1
*
* @params content Is only necessary to inform if the PKCS7 package is NOT
* ATTACHED type. If it is of type attached, this parameter will be
* replaced by the contents of the PKCS7 package.
* @params signedData Value in bytes of the PKCS7 package, such as the
* contents of a ".p7s" file. It is not only signature as in the
* case of PKCS1.
*/
// TODO: Implementar validação de co-assinaturas
public boolean check(byte[] content, byte[] signedData) throws SignerException {
Security.addProvider(new BouncyCastleProvider());
CMSSignedData cmsSignedData = null;
try {
if (content == null) {
if (this.checkHash) {
cmsSignedData = new CMSSignedData(this.hashes, signedData);
this.checkHash = false;
} else {
cmsSignedData = new CMSSignedData(signedData);
}
} else {
cmsSignedData = new CMSSignedData(new CMSProcessableByteArray(content), signedData);
}
} catch (CMSException ex) {
throw new SignerException(cadesMessagesBundle.getString("error.invalid.bytes.pkcs7"), ex);
}
// Quantidade inicial de assinaturas validadas
int verified = 0;
Store<?> certStore = cmsSignedData.getCertificates();
SignerInformationStore signers = cmsSignedData.getSignerInfos();
Iterator<?> it = signers.getSigners().iterator();
// Realização da verificação básica de todas as assinaturas
while (it.hasNext()) {
SignatureInformations signatureInfo = new SignatureInformations();
try {
SignerInformation signerInfo = (SignerInformation) it.next();
SignerInformationStore signerInfoStore = signerInfo.getCounterSignatures();
logger.info("Foi(ram) encontrada(s) " + signerInfoStore.size() + " contra-assinatura(s).");
@SuppressWarnings("unchecked") Collection<?> certCollection = certStore.getMatches(signerInfo.getSID());
Iterator<?> certIt = certCollection.iterator();
X509CertificateHolder certificateHolder = (X509CertificateHolder) certIt.next();
X509Certificate varCert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
PeriodValidator pV = new PeriodValidator();
try {
pV.validate(varCert);
} catch (CertificateValidatorException cve) {
signatureInfo.getValidatorErrors().add(cve.getMessage());
}
CRLValidator cV = new CRLValidator();
try {
cV.validate(varCert);
} catch (CertificateValidatorCRLException cvce) {
signatureInfo.getValidatorErrors().add(cvce.getMessage());
}
if (signerInfo.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certificateHolder))) {
verified++;
logger.info(cadesMessagesBundle.getString("info.signature.valid.seq", verified));
}
// recupera atributos assinados
logger.info(cadesMessagesBundle.getString("info.signed.attribute"));
AttributeTable signedAttributes = signerInfo.getSignedAttributes();
if ((signedAttributes == null) || (signedAttributes != null && signedAttributes.size() == 0)) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.signed.attribute.table.not.found"));
logger.info(cadesMessagesBundle.getString("error.signed.attribute.table.not.found"));
} else {
// Validando atributos assinados de acordo com a politica
Attribute idSigningPolicy = null;
idSigningPolicy = signedAttributes.get(new ASN1ObjectIdentifier(PKCSObjectIdentifiers.id_aa_ets_sigPolicyId.getId()));
if (idSigningPolicy == null) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.pcks7.attribute.not.found", "idSigningPolicy"));
} else {
for (Enumeration<?> p = idSigningPolicy.getAttrValues().getObjects(); p.hasMoreElements(); ) {
String policyOnSignature = p.nextElement().toString();
for (PolicyFactory.Policies pv : PolicyFactory.Policies.values()) {
if (policyOnSignature.contains(pv.getUrl())) {
setSignaturePolicy(pv);
break;
}
}
}
}
}
if (signaturePolicy == null) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.policy.on.component.not.found", "idSigningPolicy"));
logger.info(cadesMessagesBundle.getString("error.policy.on.component.not.found", "idSigningPolicy"));
} else {
if (signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedSignedAttr().getObjectIdentifiers() != null) {
for (ObjectIdentifier objectIdentifier : signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedSignedAttr().getObjectIdentifiers()) {
String oi = objectIdentifier.getValue();
Attribute signedAtt = signedAttributes.get(new ASN1ObjectIdentifier(oi));
logger.info(oi);
if (signedAtt == null) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.signed.attribute.not.found", oi, signaturePolicy.getSignPolicyInfo().getSignPolicyIdentifier().getValue()));
}
}
}
}
// Mostra data e hora da assinatura, não é carimbo de tempo
Attribute timeAttribute = signedAttributes.get(CMSAttributes.signingTime);
Date dataHora = null;
if (timeAttribute != null) {
dataHora = (((ASN1UTCTime) timeAttribute.getAttrValues().getObjectAt(0)).getDate());
logger.info(cadesMessagesBundle.getString("info.date.utc", dataHora));
} else {
logger.info(cadesMessagesBundle.getString("info.date.utc", "N/D"));
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("info.date.utc", "N/D"));
}
// recupera os atributos NÃO assinados
logger.info(cadesMessagesBundle.getString("info.unsigned.attribute"));
AttributeTable unsignedAttributes = signerInfo.getUnsignedAttributes();
if ((unsignedAttributes == null) || (unsignedAttributes != null && unsignedAttributes.size() == 0)) {
// Apenas info pois a RB não tem atributos não assinados
logger.info(cadesMessagesBundle.getString("error.unsigned.attribute.table.not.found"));
}
if (signaturePolicy != null) {
// Validando atributos NÃO assinados de acordo com a politica
if (signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedUnsignedAttr().getObjectIdentifiers() != null) {
for (ObjectIdentifier objectIdentifier : signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedUnsignedAttr().getObjectIdentifiers()) {
String oi = objectIdentifier.getValue();
Attribute unSignedAtt = unsignedAttributes.get(new ASN1ObjectIdentifier(oi));
logger.info(oi);
if (unSignedAtt == null) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.unsigned.attribute.not.found", oi, signaturePolicy.getSignPolicyInfo().getSignPolicyIdentifier().getValue()));
}
if (oi.equalsIgnoreCase(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken.getId())) {
// Verificando timeStamp
try {
byte[] varSignature = signerInfo.getSignature();
Timestamp varTimeStampSigner = validateTimestamp(unSignedAtt, varSignature);
signatureInfo.setTimeStampSigner(varTimeStampSigner);
} catch (Exception ex) {
signatureInfo.getValidatorErrors().add(ex.getMessage());
// nas assinaturas feitas na applet o unsignedAttributes.get gera exceção.
}
}
if (oi.equalsIgnoreCase("1.2.840.113549.1.9.16.2.25")) {
logger.info("++++++++++ EscTimeStamp ++++++++++++");
}
}
}
}
LinkedList<X509Certificate> varChain = (LinkedList<X509Certificate>) CAManager.getInstance().getCertificateChain(varCert);
if (varChain.size() < 3) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.no.ca", varCert.getIssuerDN()));
logger.info(cadesMessagesBundle.getString("error.no.ca", varCert.getIssuerDN()));
}
signatureInfo.setSignDate(dataHora);
signatureInfo.setChain(varChain);
signatureInfo.setSignaturePolicy(signaturePolicy);
this.getSignaturesInfo().add(signatureInfo);
} catch (OperatorCreationException | java.security.cert.CertificateException ex) {
signatureInfo.getValidatorErrors().add(ex.getMessage());
logger.info(ex.getMessage());
} catch (CMSException ex) {
// When file is mismatch with sign
if (ex instanceof CMSSignerDigestMismatchException) {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.signature.mismatch"));
logger.info(cadesMessagesBundle.getString("error.signature.mismatch"));
} else {
signatureInfo.getValidatorErrors().add(cadesMessagesBundle.getString("error.signature.invalid"));
logger.info(cadesMessagesBundle.getString("error.signature.invalid"));
}
} catch (ParseException e) {
signatureInfo.getValidatorErrors().add(e.getMessage());
logger.info(e.getMessage());
} catch (Exception e) {
signatureInfo.getValidatorErrors().add(e.getMessage());
logger.info(e.getMessage());
}
}
logger.info(cadesMessagesBundle.getString("info.signature.verified", verified));
// TODO Efetuar o parsing da estrutura CMS
return true;
}
use of org.demoiselle.signer.policy.engine.asn1.etsi.ObjectIdentifier in project signer by demoiselle.
the class PolicyInfo method parse.
@Override
public void parse(ASN1Primitive primitive) {
ASN1Sequence sequence1 = ASN1Object.getDERSequence(primitive);
this.signingPeriod = new SigningPeriod();
this.signingPeriod.parse(sequence1.getObjectAt(0).toASN1Primitive());
int indice = 2;
ASN1Primitive secondObject = sequence1.getObjectAt(1).toASN1Primitive();
if (secondObject instanceof ASN1ObjectIdentifier) {
indice = 1;
}
if (indice == 2) {
this.revocationDate = new GeneralizedTime();
this.revocationDate.parse(secondObject);
}
this.policyOID = new ObjectIdentifier();
this.policyOID.parse(sequence1.getObjectAt(indice).toASN1Primitive());
DERIA5String policyURI = (DERIA5String) sequence1.getObjectAt(indice + 1);
this.policyURI = policyURI.getString();
ASN1Primitive policyDigest = sequence1.getObjectAt(indice + 2).toASN1Primitive();
ASN1Sequence sequence2 = ASN1Sequence.getInstance(policyDigest);
DEROctetString derOctetString = (DEROctetString) sequence2.getObjectAt(1).toASN1Primitive();
ASN1Sequence sequence3 = ASN1Object.getDERSequence(sequence2.getObjectAt(0).toASN1Primitive());
ASN1ObjectIdentifier objectIdentifier = (ASN1ObjectIdentifier) sequence3.getObjectAt(0).toASN1Primitive();
AlgorithmIdentifier algorithmIdentifier = new AlgorithmIdentifier(objectIdentifier);
this.policyDigest = new OtherHashAlgAndValue(algorithmIdentifier, derOctetString);
}
use of org.demoiselle.signer.policy.engine.asn1.etsi.ObjectIdentifier in project signer by demoiselle.
the class CAdESSigner method doSign.
private byte[] doSign(byte[] content, byte[] previewSignature) {
try {
Security.addProvider(new BouncyCastleProvider());
// Completa os certificados ausentes da cadeia, se houver
if (this.certificate == null && this.certificateChain != null && this.certificateChain.length > 0) {
this.certificate = (X509Certificate) this.certificateChain[0];
}
this.certificateChain = CAManager.getInstance().getCertificateChainArray(this.certificate);
if (this.certificateChain.length < 3) {
throw new SignerException(cadesMessagesBundle.getString("error.no.ca", this.certificate.getIssuerDN()));
}
Certificate[] certStore = new Certificate[] {};
CMSSignedData cmsPreviewSignedData = null;
// Importar todos os certificados da assinatura anterior
if (previewSignature != null && previewSignature.length > 0) {
cmsPreviewSignedData = new CMSSignedData(new CMSAbsentContent(), previewSignature);
Collection<X509Certificate> previewCerts = this.getSignersCertificates(cmsPreviewSignedData);
// previewCerts.add(this.certificate);
certStore = previewCerts.toArray(new Certificate[] {});
}
setCertificateManager(new CertificateManager(this.certificate));
// Recupera a lista de algoritmos da politica e o tamanho minimo da
// chave
List<AlgAndLength> listOfAlgAndLength = new ArrayList<AlgAndLength>();
for (AlgAndLength algLength : signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getAlgorithmConstraintSet().getSignerAlgorithmConstraints().getAlgAndLengths()) {
listOfAlgAndLength.add(algLength);
}
AlgAndLength algAndLength = null;
// verificar se o mesmo é permitido pela politica
if (this.pkcs1.getAlgorithm() != null) {
String varSetedAlgorithmOID = AlgorithmNames.getOIDByAlgorithmName(this.pkcs1.getAlgorithm());
for (AlgAndLength algLength : listOfAlgAndLength) {
if (algLength.getAlgID().getValue().equalsIgnoreCase(varSetedAlgorithmOID)) {
algAndLength = algLength;
SignerAlgorithmEnum varSignerAlgorithmEnum = SignerAlgorithmEnum.valueOf(this.pkcs1.getAlgorithm());
String varOIDAlgorithmHash = varSignerAlgorithmEnum.getOIDAlgorithmHash();
ObjectIdentifier varObjectIdentifier = signaturePolicy.getSignPolicyHashAlg().getAlgorithm();
varObjectIdentifier.setValue(varOIDAlgorithmHash);
AlgorithmIdentifier varAlgorithmIdentifier = signaturePolicy.getSignPolicyHashAlg();
varAlgorithmIdentifier.setAlgorithm(varObjectIdentifier);
signaturePolicy.setSignPolicyHashAlg(varAlgorithmIdentifier);
}
}
} else {
algAndLength = listOfAlgAndLength.get(0);
}
if (algAndLength == null) {
throw new SignerException(cadesMessagesBundle.getString("error.no.algorithm.policy"));
}
logger.info(cadesMessagesBundle.getString("info.algorithm.id", algAndLength.getAlgID().getValue()));
logger.info(cadesMessagesBundle.getString("info.algorithm.name", AlgorithmNames.getAlgorithmNameByOID(algAndLength.getAlgID().getValue())));
logger.info(cadesMessagesBundle.getString("info.algorithm.policy.default", AlgorithmNames.getOIDByAlgorithmName(getAlgorithm())));
logger.info(cadesMessagesBundle.getString("info.min.key.length", algAndLength.getMinKeyLength()));
// Recupera o tamanho minimo da chave para validacao
logger.info(cadesMessagesBundle.getString("info.validating.key.length"));
int keyLegth = ((RSAKey) certificate.getPublicKey()).getModulus().bitLength();
if (keyLegth < algAndLength.getMinKeyLength()) {
throw new SignerException(cadesMessagesBundle.getString("error.min.key.length", algAndLength.getMinKeyLength().toString(), keyLegth));
}
AttributeFactory attributeFactory = AttributeFactory.getInstance();
// Consulta e adiciona os atributos assinados
ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
logger.info(cadesMessagesBundle.getString("info.signed.attribute"));
if (signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedSignedAttr().getObjectIdentifiers() != null) {
for (ObjectIdentifier objectIdentifier : signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedSignedAttr().getObjectIdentifiers()) {
SignedOrUnsignedAttribute signedOrUnsignedAttribute = attributeFactory.factory(objectIdentifier.getValue());
signedOrUnsignedAttribute.initialize(this.pkcs1.getPrivateKey(), certificateChain, content, signaturePolicy, this.hash);
signedAttributes.add(signedOrUnsignedAttribute.getValue());
}
}
// Monta a tabela de atributos assinados
AttributeTable signedAttributesTable = new AttributeTable(signedAttributes);
// Create the table table generator that will added to the Signer
// builder
CMSAttributeTableGenerator signedAttributeGenerator = new DefaultSignedAttributeTableGenerator(signedAttributesTable);
// Recupera o(s) certificado(s) de confianca para validacao
Collection<X509Certificate> trustedCAs = new HashSet<X509Certificate>();
Collection<CertificateTrustPoint> ctp = signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSigningCertTrustCondition().getSignerTrustTrees().getCertificateTrustPoints();
for (CertificateTrustPoint certificateTrustPoint : ctp) {
logger.info(cadesMessagesBundle.getString("info.trust.point", certificateTrustPoint.getTrustpoint().getSubjectDN().toString()));
trustedCAs.add(certificateTrustPoint.getTrustpoint());
}
// Efetua a validacao das cadeias do certificado baseado na politica
Collection<X509Certificate> certificateChainTrusted = new HashSet<X509Certificate>();
for (Certificate certCA : certificateChain) {
certificateChainTrusted.add((X509Certificate) certCA);
}
X509Certificate rootOfCertificate = null;
for (X509Certificate tcac : certificateChainTrusted) {
logger.info(tcac.getIssuerDN().toString());
if (CAManager.getInstance().isRootCA(tcac)) {
rootOfCertificate = tcac;
}
}
if (trustedCAs.contains(rootOfCertificate)) {
logger.info(cadesMessagesBundle.getString("info.trust.in.point", rootOfCertificate.getSubjectDN()));
} else {
// Não encontrou na política, verificará nas cadeias do
// componente chain-icp-brasil provavelmente certificado de
// homologação.
logger.warn(cadesMessagesBundle.getString("info.trust.poin.homolog"));
CAManager.getInstance().validateRootCAs(certificateChainTrusted, certificate);
}
// validade da politica
logger.info(cadesMessagesBundle.getString("info.policy.valid.period"));
PolicyValidator pv = new PolicyValidator(this.signaturePolicy, this.policyName);
pv.validate();
// Realiza a assinatura do conteudo
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
gen.addCertificates(this.generatedCertStore(certStore));
String algorithmOID = algAndLength.getAlgID().getValue();
logger.info(cadesMessagesBundle.getString("info.algorithm.id", algorithmOID));
SignerInfoGenerator signerInfoGenerator = new JcaSimpleSignerInfoGeneratorBuilder().setSignedAttributeGenerator(signedAttributeGenerator).setUnsignedAttributeGenerator(null).build(AlgorithmNames.getAlgorithmNameByOID(algorithmOID), this.pkcs1.getPrivateKey(), this.certificate);
gen.addSignerInfoGenerator(signerInfoGenerator);
CMSTypedData cmsTypedData;
// para assinatura do hash, content nulo
if (content == null) {
cmsTypedData = new CMSAbsentContent();
} else {
cmsTypedData = new CMSProcessableByteArray(content);
}
// Efetua a assinatura digital do conteúdo
CMSSignedData cmsSignedData = gen.generate(cmsTypedData, this.attached);
setAttached(false);
// Consulta e adiciona os atributos não assinados//
ASN1EncodableVector unsignedAttributes = new ASN1EncodableVector();
logger.info(cadesMessagesBundle.getString("info.unsigned.attribute"));
Collection<SignerInformation> vNewSigners = cmsSignedData.getSignerInfos().getSigners();
Iterator<SignerInformation> it = vNewSigners.iterator();
SignerInformation oSi = it.next();
if (signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedUnsignedAttr().getObjectIdentifiers() != null) {
for (ObjectIdentifier objectIdentifier : signaturePolicy.getSignPolicyInfo().getSignatureValidationPolicy().getCommonRules().getSignerAndVeriferRules().getSignerRules().getMandatedUnsignedAttr().getObjectIdentifiers()) {
SignedOrUnsignedAttribute signedOrUnsignedAttribute = attributeFactory.factory(objectIdentifier.getValue());
if (signedOrUnsignedAttribute.getOID().equalsIgnoreCase(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken.getId())) {
signedOrUnsignedAttribute.initialize(this.pkcs1.getPrivateKey(), this.certificateChainTimeStamp, oSi.getSignature(), signaturePolicy, this.hash);
}
if (// EscTimeStamp
signedOrUnsignedAttribute.getOID().equalsIgnoreCase("1.2.840.113549.1.9.16.2.25")) {
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
outputStream.write(oSi.getSignature());
AttributeTable varUnsignedAttributes = oSi.getUnsignedAttributes();
Attribute varAttribute = varUnsignedAttributes.get(new ASN1ObjectIdentifier(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken.getId()));
outputStream.write(varAttribute.getAttrType().getEncoded());
outputStream.write(varAttribute.getAttrValues().getEncoded());
varAttribute = varUnsignedAttributes.get(new ASN1ObjectIdentifier(PKCSObjectIdentifiers.id_aa_ets_certificateRefs.getId()));
outputStream.write(varAttribute.getAttrType().getEncoded());
outputStream.write(varAttribute.getAttrValues().getEncoded());
varAttribute = varUnsignedAttributes.get(new ASN1ObjectIdentifier(PKCSObjectIdentifiers.id_aa_ets_revocationRefs.getId()));
outputStream.write(varAttribute.getAttrType().getEncoded());
outputStream.write(varAttribute.getAttrValues().getEncoded());
escTimeStampContent = outputStream.toByteArray();
signedOrUnsignedAttribute.initialize(this.pkcs1.getPrivateKey(), this.certificateChainTimeStamp, escTimeStampContent, signaturePolicy, this.hash);
} else {
signedOrUnsignedAttribute.initialize(this.pkcs1.getPrivateKey(), certificateChain, oSi.getSignature(), signaturePolicy, this.hash);
}
unsignedAttributes.add(signedOrUnsignedAttribute.getValue());
AttributeTable unsignedAttributesTable = new AttributeTable(unsignedAttributes);
vNewSigners.remove(oSi);
oSi = SignerInformation.replaceUnsignedAttributes(oSi, unsignedAttributesTable);
vNewSigners.add(oSi);
}
}
// TODO Estudar este método de contra-assinatura posteriormente
if (previewSignature != null && previewSignature.length > 0) {
vNewSigners.addAll(cmsPreviewSignedData.getSignerInfos().getSigners());
}
SignerInformationStore oNewSignerInformationStore = new SignerInformationStore(vNewSigners);
CMSSignedData oSignedData = cmsSignedData;
cmsSignedData = CMSSignedData.replaceSigners(oSignedData, oNewSignerInformationStore);
byte[] result = cmsSignedData.getEncoded();
logger.info(cadesMessagesBundle.getString("info.signature.ok"));
return result;
} catch (CMSException | IOException | OperatorCreationException | CertificateEncodingException ex) {
throw new SignerException(ex);
}
}
Aggregations