Search in sources :

Example 1 with CertIDType

use of org.etsi.uri.x01903.v13.CertIDType in project poi by apache.

the class XAdESXLSignatureFacet method postSign.

@Override
public void postSign(Document document) throws MarshalException {
    LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");
    QualifyingPropertiesDocument qualDoc = null;
    QualifyingPropertiesType qualProps = null;
    // check for XAdES-BES
    NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");
    if (qualNl.getLength() == 1) {
        try {
            qualDoc = QualifyingPropertiesDocument.Factory.parse(qualNl.item(0), DEFAULT_XML_OPTIONS);
        } catch (XmlException e) {
            throw new MarshalException(e);
        }
        qualProps = qualDoc.getQualifyingProperties();
    } else {
        throw new MarshalException("no XAdES-BES extension present");
    }
    // create basic XML container structure
    UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();
    if (unsignedProps == null) {
        unsignedProps = qualProps.addNewUnsignedProperties();
    }
    UnsignedSignaturePropertiesType unsignedSigProps = unsignedProps.getUnsignedSignatureProperties();
    if (unsignedSigProps == null) {
        unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();
    }
    // create the XAdES-T time-stamp
    NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");
    if (nlSigVal.getLength() != 1) {
        throw new IllegalArgumentException("SignatureValue is not set.");
    }
    RevocationData tsaRevocationDataXadesT = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");
    XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp(Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);
    // marshal the XAdES-T extension
    unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);
    // xadesv141::TimeStampValidationData
    if (tsaRevocationDataXadesT.hasRevocationDataEntries()) {
        ValidationDataType validationData = createValidationData(tsaRevocationDataXadesT);
        insertXChild(unsignedSigProps, validationData);
    }
    if (signatureConfig.getRevocationDataService() == null) {
        /*
             * Without revocation data service we cannot construct the XAdES-C
             * extension.
             */
        return;
    }
    // XAdES-C: complete certificate refs
    CompleteCertificateRefsType completeCertificateRefs = unsignedSigProps.addNewCompleteCertificateRefs();
    CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();
    /*
         * We skip the signing certificate itself according to section
         * 4.4.3.2 of the XAdES 1.4.1 specification.
         */
    List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain();
    int chainSize = certChain.size();
    if (chainSize > 1) {
        for (X509Certificate cert : certChain.subList(1, chainSize)) {
            CertIDType certId = certIdList.addNewCert();
            XAdESSignatureFacet.setCertID(certId, signatureConfig, false, cert);
        }
    }
    // XAdES-C: complete revocation refs
    CompleteRevocationRefsType completeRevocationRefs = unsignedSigProps.addNewCompleteRevocationRefs();
    RevocationData revocationData = signatureConfig.getRevocationDataService().getRevocationData(certChain);
    if (revocationData.hasCRLs()) {
        CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs();
        completeRevocationRefs.setCRLRefs(crlRefs);
        for (byte[] encodedCrl : revocationData.getCRLs()) {
            CRLRefType crlRef = crlRefs.addNewCRLRef();
            X509CRL crl;
            try {
                crl = (X509CRL) this.certificateFactory.generateCRL(new ByteArrayInputStream(encodedCrl));
            } catch (CRLException e) {
                throw new RuntimeException("CRL parse error: " + e.getMessage(), e);
            }
            CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier();
            String issuerName = crl.getIssuerDN().getName().replace(",", ", ");
            crlIdentifier.setIssuer(issuerName);
            Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
            cal.setTime(crl.getThisUpdate());
            crlIdentifier.setIssueTime(cal);
            crlIdentifier.setNumber(getCrlNumber(crl));
            DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue();
            XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo());
        }
    }
    if (revocationData.hasOCSPs()) {
        OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs();
        for (byte[] ocsp : revocationData.getOCSPs()) {
            try {
                OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();
                DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();
                XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());
                OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();
                OCSPResp ocspResp = new OCSPResp(ocsp);
                BasicOCSPResp basicOcspResp = (BasicOCSPResp) ocspResp.getResponseObject();
                Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
                cal.setTime(basicOcspResp.getProducedAt());
                ocspIdentifier.setProducedAt(cal);
                ResponderIDType responderId = ocspIdentifier.addNewResponderID();
                RespID respId = basicOcspResp.getResponderId();
                ResponderID ocspResponderId = respId.toASN1Primitive();
                DERTaggedObject derTaggedObject = (DERTaggedObject) ocspResponderId.toASN1Primitive();
                if (2 == derTaggedObject.getTagNo()) {
                    ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject();
                    byte[] key = keyHashOctetString.getOctets();
                    responderId.setByKey(key);
                } else {
                    X500Name name = X500Name.getInstance(derTaggedObject.getObject());
                    String nameStr = name.toString();
                    responderId.setByName(nameStr);
                }
            } catch (Exception e) {
                throw new RuntimeException("OCSP decoding error: " + e.getMessage(), e);
            }
        }
    }
    // marshal XAdES-C
    // XAdES-X Type 1 timestamp
    List<Node> timeStampNodesXadesX1 = new ArrayList<Node>();
    timeStampNodesXadesX1.add(nlSigVal.item(0));
    timeStampNodesXadesX1.add(signatureTimeStamp.getDomNode());
    timeStampNodesXadesX1.add(completeCertificateRefs.getDomNode());
    timeStampNodesXadesX1.add(completeRevocationRefs.getDomNode());
    RevocationData tsaRevocationDataXadesX1 = new RevocationData();
    LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");
    XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp(timeStampNodesXadesX1, tsaRevocationDataXadesX1);
    if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {
        ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);
        insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);
    }
    // marshal XAdES-X
    unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1);
    // XAdES-X-L
    CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues();
    for (X509Certificate certificate : certChain) {
        EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate();
        try {
            encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
        }
    }
    RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();
    createRevocationValues(revocationValues, revocationData);
    // marshal XAdES-X-L
    Node n = document.importNode(qualProps.getDomNode(), true);
    qualNl.item(0).getParentNode().replaceChild(n, qualNl.item(0));
}
Also used : ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) MarshalException(javax.xml.crypto.MarshalException) X509CRL(java.security.cert.X509CRL) ValidationDataType(org.etsi.uri.x01903.v14.ValidationDataType) Node(org.w3c.dom.Node) ResponderID(org.bouncycastle.asn1.ocsp.ResponderID) ArrayList(java.util.ArrayList) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) X500Name(org.bouncycastle.asn1.x500.X500Name) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) CRLException(java.security.cert.CRLException) RevocationData(org.apache.poi.poifs.crypt.dsig.services.RevocationData) DERTaggedObject(org.bouncycastle.asn1.DERTaggedObject) NodeList(org.w3c.dom.NodeList) Calendar(java.util.Calendar) CertificateEncodingException(java.security.cert.CertificateEncodingException) X509Certificate(java.security.cert.X509Certificate) MarshalException(javax.xml.crypto.MarshalException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) XmlException(org.apache.xmlbeans.XmlException) CRLException(java.security.cert.CRLException) CertificateEncodingException(java.security.cert.CertificateEncodingException) ByteArrayInputStream(java.io.ByteArrayInputStream) XmlException(org.apache.xmlbeans.XmlException) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) RespID(org.bouncycastle.cert.ocsp.RespID)

Example 2 with CertIDType

use of org.etsi.uri.x01903.v13.CertIDType in project poi by apache.

the class XAdESSignatureFacet method setCertID.

/**
     * Gives back the JAXB CertID data structure.
     */
protected static void setCertID(CertIDType certId, SignatureConfig signatureConfig, boolean issuerNameNoReverseOrder, X509Certificate certificate) {
    X509IssuerSerialType issuerSerial = certId.addNewIssuerSerial();
    String issuerName;
    if (issuerNameNoReverseOrder) {
        /*
             * Make sure the DN is encoded using the same order as present
             * within the certificate. This is an Office2010 work-around.
             * Should be reverted back.
             * 
             * XXX: not correct according to RFC 4514.
             */
        // TODO: check if issuerName is different on getTBSCertificate
        // issuerName = PrincipalUtil.getIssuerX509Principal(certificate).getName().replace(",", ", ");
        issuerName = certificate.getIssuerDN().getName().replace(",", ", ");
    } else {
        issuerName = certificate.getIssuerX500Principal().toString();
    }
    issuerSerial.setX509IssuerName(issuerName);
    issuerSerial.setX509SerialNumber(certificate.getSerialNumber());
    byte[] encodedCertificate;
    try {
        encodedCertificate = certificate.getEncoded();
    } catch (CertificateEncodingException e) {
        throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);
    }
    DigestAlgAndValueType certDigest = certId.addNewCertDigest();
    setDigestAlgAndValue(certDigest, encodedCertificate, signatureConfig.getXadesDigestAlgo());
}
Also used : CertificateEncodingException(java.security.cert.CertificateEncodingException) XmlString(org.apache.xmlbeans.XmlString) DigestAlgAndValueType(org.etsi.uri.x01903.v13.DigestAlgAndValueType) X509IssuerSerialType(org.w3.x2000.x09.xmldsig.X509IssuerSerialType)

Example 3 with CertIDType

use of org.etsi.uri.x01903.v13.CertIDType in project poi by apache.

the class XAdESSignatureFacet method preSign.

@Override
public void preSign(Document document, List<Reference> references, List<XMLObject> objects) throws XMLSignatureException {
    LOG.log(POILogger.DEBUG, "preSign");
    // QualifyingProperties
    QualifyingPropertiesDocument qualDoc = QualifyingPropertiesDocument.Factory.newInstance();
    QualifyingPropertiesType qualifyingProperties = qualDoc.addNewQualifyingProperties();
    qualifyingProperties.setTarget("#" + signatureConfig.getPackageSignatureId());
    // SignedProperties
    SignedPropertiesType signedProperties = qualifyingProperties.addNewSignedProperties();
    signedProperties.setId(signatureConfig.getXadesSignatureId());
    // SignedSignatureProperties
    SignedSignaturePropertiesType signedSignatureProperties = signedProperties.addNewSignedSignatureProperties();
    // SigningTime
    Calendar xmlGregorianCalendar = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);
    xmlGregorianCalendar.setTime(signatureConfig.getExecutionTime());
    xmlGregorianCalendar.clear(Calendar.MILLISECOND);
    signedSignatureProperties.setSigningTime(xmlGregorianCalendar);
    // SigningCertificate
    if (signatureConfig.getSigningCertificateChain() == null || signatureConfig.getSigningCertificateChain().isEmpty()) {
        throw new RuntimeException("no signing certificate chain available");
    }
    CertIDListType signingCertificates = signedSignatureProperties.addNewSigningCertificate();
    CertIDType certId = signingCertificates.addNewCert();
    X509Certificate certificate = signatureConfig.getSigningCertificateChain().get(0);
    setCertID(certId, signatureConfig, signatureConfig.isXadesIssuerNameNoReverseOrder(), certificate);
    // ClaimedRole
    String role = signatureConfig.getXadesRole();
    if (role != null && !role.isEmpty()) {
        SignerRoleType signerRole = signedSignatureProperties.addNewSignerRole();
        signedSignatureProperties.setSignerRole(signerRole);
        ClaimedRolesListType claimedRolesList = signerRole.addNewClaimedRoles();
        AnyType claimedRole = claimedRolesList.addNewClaimedRole();
        XmlString roleString = XmlString.Factory.newInstance();
        roleString.setStringValue(role);
        insertXChild(claimedRole, roleString);
    }
    // XAdES-EPES
    SignaturePolicyService policyService = signatureConfig.getSignaturePolicyService();
    if (policyService != null) {
        SignaturePolicyIdentifierType signaturePolicyIdentifier = signedSignatureProperties.addNewSignaturePolicyIdentifier();
        SignaturePolicyIdType signaturePolicyId = signaturePolicyIdentifier.addNewSignaturePolicyId();
        ObjectIdentifierType objectIdentifier = signaturePolicyId.addNewSigPolicyId();
        objectIdentifier.setDescription(policyService.getSignaturePolicyDescription());
        IdentifierType identifier = objectIdentifier.addNewIdentifier();
        identifier.setStringValue(policyService.getSignaturePolicyIdentifier());
        byte[] signaturePolicyDocumentData = policyService.getSignaturePolicyDocument();
        DigestAlgAndValueType sigPolicyHash = signaturePolicyId.addNewSigPolicyHash();
        setDigestAlgAndValue(sigPolicyHash, signaturePolicyDocumentData, signatureConfig.getDigestAlgo());
        String signaturePolicyDownloadUrl = policyService.getSignaturePolicyDownloadUrl();
        if (null != signaturePolicyDownloadUrl) {
            SigPolicyQualifiersListType sigPolicyQualifiers = signaturePolicyId.addNewSigPolicyQualifiers();
            AnyType sigPolicyQualifier = sigPolicyQualifiers.addNewSigPolicyQualifier();
            XmlString spUriElement = XmlString.Factory.newInstance();
            spUriElement.setStringValue(signaturePolicyDownloadUrl);
            insertXChild(sigPolicyQualifier, spUriElement);
        }
    } else if (signatureConfig.isXadesSignaturePolicyImplied()) {
        SignaturePolicyIdentifierType signaturePolicyIdentifier = signedSignatureProperties.addNewSignaturePolicyIdentifier();
        signaturePolicyIdentifier.addNewSignaturePolicyImplied();
    }
    // DataObjectFormat
    if (!dataObjectFormatMimeTypes.isEmpty()) {
        SignedDataObjectPropertiesType signedDataObjectProperties = signedProperties.addNewSignedDataObjectProperties();
        List<DataObjectFormatType> dataObjectFormats = signedDataObjectProperties.getDataObjectFormatList();
        for (Map.Entry<String, String> dataObjectFormatMimeType : this.dataObjectFormatMimeTypes.entrySet()) {
            DataObjectFormatType dataObjectFormat = DataObjectFormatType.Factory.newInstance();
            dataObjectFormat.setObjectReference("#" + dataObjectFormatMimeType.getKey());
            dataObjectFormat.setMimeType(dataObjectFormatMimeType.getValue());
            dataObjectFormats.add(dataObjectFormat);
        }
    }
    // add XAdES ds:Object
    List<XMLStructure> xadesObjectContent = new ArrayList<XMLStructure>();
    Element qualDocElSrc = (Element) qualifyingProperties.getDomNode();
    Element qualDocEl = (Element) document.importNode(qualDocElSrc, true);
    xadesObjectContent.add(new DOMStructure(qualDocEl));
    XMLObject xadesObject = getSignatureFactory().newXMLObject(xadesObjectContent, null, null, null);
    objects.add(xadesObject);
    // add XAdES ds:Reference
    List<Transform> transforms = new ArrayList<Transform>();
    Transform exclusiveTransform = newTransform(CanonicalizationMethod.INCLUSIVE);
    transforms.add(exclusiveTransform);
    Reference reference = newReference("#" + signatureConfig.getXadesSignatureId(), transforms, XADES_TYPE, null, null);
    references.add(reference);
}
Also used : SignaturePolicyIdentifierType(org.etsi.uri.x01903.v13.SignaturePolicyIdentifierType) SigPolicyQualifiersListType(org.etsi.uri.x01903.v13.SigPolicyQualifiersListType) QualifyingPropertiesDocument(org.etsi.uri.x01903.v13.QualifyingPropertiesDocument) Element(org.w3c.dom.Element) ArrayList(java.util.ArrayList) XmlString(org.apache.xmlbeans.XmlString) XMLStructure(javax.xml.crypto.XMLStructure) DigestAlgAndValueType(org.etsi.uri.x01903.v13.DigestAlgAndValueType) SignedSignaturePropertiesType(org.etsi.uri.x01903.v13.SignedSignaturePropertiesType) DOMStructure(javax.xml.crypto.dom.DOMStructure) AnyType(org.etsi.uri.x01903.v13.AnyType) CertIDListType(org.etsi.uri.x01903.v13.CertIDListType) SignedPropertiesType(org.etsi.uri.x01903.v13.SignedPropertiesType) SignedDataObjectPropertiesType(org.etsi.uri.x01903.v13.SignedDataObjectPropertiesType) ClaimedRolesListType(org.etsi.uri.x01903.v13.ClaimedRolesListType) DataObjectFormatType(org.etsi.uri.x01903.v13.DataObjectFormatType) Reference(javax.xml.crypto.dsig.Reference) Calendar(java.util.Calendar) XmlString(org.apache.xmlbeans.XmlString) XMLObject(javax.xml.crypto.dsig.XMLObject) SignaturePolicyService(org.apache.poi.poifs.crypt.dsig.services.SignaturePolicyService) ObjectIdentifierType(org.etsi.uri.x01903.v13.ObjectIdentifierType) IdentifierType(org.etsi.uri.x01903.v13.IdentifierType) SignaturePolicyIdentifierType(org.etsi.uri.x01903.v13.SignaturePolicyIdentifierType) X509Certificate(java.security.cert.X509Certificate) CertIDType(org.etsi.uri.x01903.v13.CertIDType) QualifyingPropertiesType(org.etsi.uri.x01903.v13.QualifyingPropertiesType) SignerRoleType(org.etsi.uri.x01903.v13.SignerRoleType) ObjectIdentifierType(org.etsi.uri.x01903.v13.ObjectIdentifierType) SignaturePolicyIdType(org.etsi.uri.x01903.v13.SignaturePolicyIdType) Transform(javax.xml.crypto.dsig.Transform) HashMap(java.util.HashMap) Map(java.util.Map)

Aggregations

CertificateEncodingException (java.security.cert.CertificateEncodingException)2 X509Certificate (java.security.cert.X509Certificate)2 ArrayList (java.util.ArrayList)2 Calendar (java.util.Calendar)2 XmlString (org.apache.xmlbeans.XmlString)2 DigestAlgAndValueType (org.etsi.uri.x01903.v13.DigestAlgAndValueType)2 ByteArrayInputStream (java.io.ByteArrayInputStream)1 IOException (java.io.IOException)1 CRLException (java.security.cert.CRLException)1 CertificateException (java.security.cert.CertificateException)1 X509CRL (java.security.cert.X509CRL)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 MarshalException (javax.xml.crypto.MarshalException)1 XMLStructure (javax.xml.crypto.XMLStructure)1 DOMStructure (javax.xml.crypto.dom.DOMStructure)1 Reference (javax.xml.crypto.dsig.Reference)1 Transform (javax.xml.crypto.dsig.Transform)1 XMLObject (javax.xml.crypto.dsig.XMLObject)1 RevocationData (org.apache.poi.poifs.crypt.dsig.services.RevocationData)1