mirrors
/
fop
espejo de https://github.com/apache/fop.git
Seguir 1
Destacar 0
Fork 0
Código Incidencias 0 Lanzamientos 48 Wiki Actividad
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8522 Commits
70 Ramas
Árbol: 08d676ebd1
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '08d676ebd1'
${ noResults }
fop/fop-core/src/main/java/org/apache/fop/pdf/PDFSignature.java

PDFSignature.java 11KB
Original Blame Histórico

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277 
  1. /*

  2.  * Licensed to the Apache Software Foundation (ASF) under one or more

  3.  * contributor license agreements.  See the NOTICE file distributed with

  4.  * this work for additional information regarding copyright ownership.

  5.  * The ASF licenses this file to You under the Apache License, Version 2.0

  6.  * (the "License"); you may not use this file except in compliance with

  7.  * the License.  You may obtain a copy of the License at

  8.  *

  9.  *      http://www.apache.org/licenses/LICENSE-2.0

  10.  *

  11.  * Unless required by applicable law or agreed to in writing, software

  12.  * distributed under the License is distributed on an "AS IS" BASIS,

  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.  * See the License for the specific language governing permissions and

  15.  * limitations under the License.

  16.  */

  17. 

  18. /* $Id$ */

  19. package org.apache.fop.pdf;

  20. 

  21. import java.io.BufferedInputStream;

  22. import java.io.BufferedOutputStream;

  23. import java.io.IOException;

  24. import java.io.InputStream;

  25. import java.io.OutputStream;

  26. import java.net.URI;

  27. import java.net.URISyntaxException;

  28. import java.security.GeneralSecurityException;

  29. import java.security.KeyStore;

  30. import java.security.PrivateKey;

  31. import java.security.cert.Certificate;

  32. import java.security.cert.X509Certificate;

  33. import java.util.Arrays;

  34. import java.util.Date;

  35. import java.util.Enumeration;

  36. 

  37. import org.bouncycastle.cert.jcajce.JcaCertStore;

  38. import org.bouncycastle.cms.CMSException;

  39. import org.bouncycastle.cms.CMSSignedData;

  40. import org.bouncycastle.cms.CMSSignedDataGenerator;

  41. import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;

  42. import org.bouncycastle.operator.ContentSigner;

  43. import org.bouncycastle.operator.OperatorException;

  44. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  45. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  46. 

  47. import org.apache.commons.io.IOUtils;

  48. import org.apache.commons.io.output.CountingOutputStream;

  49. 

  50. import org.apache.xmlgraphics.io.TempResourceURIGenerator;

  51. 

  52. import org.apache.fop.apps.FOUserAgent;

  53. 

  54. public class PDFSignature {

  55.     private static final int SIZE_OF_CONTENTS = 18944;

  56.     private static final TempResourceURIGenerator TEMP_URI_GENERATOR = new TempResourceURIGenerator("pdfsign2");

  57.     private Perms perms;

  58.     private PDFRoot root;

  59.     private PrivateKey privateKey;

  60.     private long startOfDocMDP;

  61.     private long startOfContents;

  62.     private FOUserAgent userAgent;

  63.     private URI tempURI;

  64.     private PDFSignParams signParams;

  65. 

  66.     static class TransformParams extends PDFDictionary {

  67.         TransformParams() {

  68.             put("Type", new PDFName("TransformParams"));

  69.             put("P", 2);

  70.             put("V", new PDFName("1.2"));

  71.         }

  72.     }

  73. 

  74.     static class SigRef extends PDFDictionary {

  75.         SigRef() {

  76.             put("Type", new PDFName("SigRef"));

  77.             put("TransformMethod", new PDFName("DocMDP"));

  78.             put("DigestMethod", new PDFName("SHA1"));

  79.             put("TransformParams", new TransformParams());

  80.         }

  81.     }

  82. 

  83.     class Contents extends PDFObject {

  84.         protected String toPDFString() {

  85.             return PDFText.toHex(new byte[SIZE_OF_CONTENTS / 2]);

  86.         }

  87. 

  88.         public int output(OutputStream stream) throws IOException {

  89.             CountingOutputStream countingOutputStream = (CountingOutputStream) stream;

  90.             startOfContents = startOfDocMDP + countingOutputStream.getByteCount();

  91.             return super.output(stream);

  92.         }

  93.     }

  94. 

  95.     class DocMDP extends PDFDictionary {

  96.         DocMDP() {

  97.             put("Type", new PDFName("Sig"));

  98.             put("Filter", new PDFName("Adobe.PPKLite"));

  99.             put("SubFilter", new PDFName("adbe.pkcs7.detached"));

  100.             if (signParams.getName() != null) {

  101.                 put("Name", signParams.getName());

  102.             }

  103.             if (signParams.getLocation() != null) {

  104.                 put("Location", signParams.getLocation());

  105.             }

  106.             if (signParams.getReason() != null) {

  107.                 put("Reason", signParams.getReason());

  108.             }

  109.             put("M", PDFInfo.formatDateTime(new Date()));

  110.             PDFArray array = new PDFArray();

  111.             array.add(new SigRef());

  112.             put("Reference", array);

  113.             put("Contents", new Contents());

  114.             put("ByteRange", new PDFArray(0, 1000000000, 1000000000, 1000000000));

  115.         }

  116. 

  117.         public int output(OutputStream stream) throws IOException {

  118.             if (stream instanceof CountingOutputStream) {

  119.                 CountingOutputStream countingOutputStream = (CountingOutputStream) stream;

  120.                 startOfDocMDP = countingOutputStream.getByteCount();

  121.                 return super.output(stream);

  122.             }

  123.             throw new IOException("Disable pdf linearization");

  124.         }

  125.     }

  126. 

  127.     static class Perms extends PDFDictionary {

  128.         DocMDP docMDP;

  129.         Perms(PDFRoot root, DocMDP docMDP) {

  130.             this.docMDP = docMDP;

  131.             root.getDocument().registerObject(docMDP);

  132.             put("DocMDP", docMDP);

  133.         }

  134.     }

  135. 

  136.     static class SigField extends PDFDictionary {

  137.         SigField(Perms perms, PDFPage page, PDFRoot root) {

  138.             root.getDocument().registerObject(this);

  139.             put("FT", new PDFName("Sig"));

  140.             put("Type", new PDFName("Annot"));

  141.             put("Subtype", new PDFName("Widget"));

  142.             put("F", 132);

  143.             put("T", "Signature1");

  144.             put("Rect", new PDFRectangle(0, 0, 0, 0));

  145.             put("V", perms.docMDP);

  146.             put("P", new PDFReference(page));

  147.             put("AP", new AP(root));

  148.         }

  149.     }

  150. 

  151.     static class AP extends PDFDictionary {

  152.         AP(PDFRoot root) {

  153.             put("N", new FormXObject(root));

  154.         }

  155.     }

  156. 

  157.     static class FormXObject extends PDFStream {

  158.         FormXObject(PDFRoot root) {

  159.             root.getDocument().registerObject(this);

  160.             put("Length", 0);

  161.             put("Type", new PDFName("XObject"));

  162.             put("Subtype", new PDFName("Form"));

  163.             put("BBox", new PDFRectangle(0, 0, 0, 0));

  164.         }

  165.     }

  166. 

  167.     static class AcroForm extends PDFDictionary {

  168.         AcroForm(SigField sigField) {

  169.             PDFArray fields = new PDFArray();

  170.             fields.add(sigField);

  171.             put("Fields", fields);

  172.             put("SigFlags", 3);

  173.         }

  174.     }

  175. 

  176.     public PDFSignature(PDFRoot root, FOUserAgent userAgent, PDFSignParams signParams) {

  177.         this.root = root;

  178.         this.userAgent = userAgent;

  179.         this.signParams = signParams;

  180.         perms = new Perms(root, new DocMDP());

  181.         root.put("Perms", perms);

  182.         tempURI = TEMP_URI_GENERATOR.generate();

  183.     }

  184. 

  185.     public void add(PDFPage page) {

  186.         SigField sigField = new SigField(perms, page, root);

  187.         root.put("AcroForm", new AcroForm(sigField));

  188.         page.addAnnotation(sigField);

  189.     }

  190. 

  191.     public void signPDF(URI uri, OutputStream os) throws IOException {

  192.         try (InputStream pdfIS = getTempIS(uri)) {

  193.             pdfIS.mark(Integer.MAX_VALUE);

  194.             String byteRangeValues = "0 1000000000 1000000000 1000000000";

  195.             String byteRange = "\n  /ByteRange [" + byteRangeValues + "]";

  196.             int pdfLength = pdfIS.available();

  197.             long offsetToPDFEnd = startOfContents + SIZE_OF_CONTENTS + 2 + byteRange.length();

  198.             long endOfPDFSize = pdfLength - offsetToPDFEnd;

  199.             String byteRangeValues2 = String.format("0 %s %s %s", startOfContents,

  200.                     startOfContents + SIZE_OF_CONTENTS + 2, byteRange.length() + endOfPDFSize);

  201.             byteRange = "\n  /ByteRange [" + byteRangeValues2 + "]";

  202.             String byteRangePadding = new String(new char[byteRangeValues.length() - byteRangeValues2.length()])

  203.                     .replace("\0", " ");

  204.             try (OutputStream editedPDF = getTempOS()) {

  205.                 IOUtils.copyLarge(pdfIS, editedPDF, 0, startOfContents);

  206.                 editedPDF.write(byteRange.getBytes("UTF-8"));

  207.                 editedPDF.write(byteRangePadding.getBytes("UTF-8"));

  208.                 IOUtils.copyLarge(pdfIS, editedPDF, offsetToPDFEnd - startOfContents, Long.MAX_VALUE);

  209.             }

  210.             pdfIS.reset();

  211.             IOUtils.copyLarge(pdfIS, os, 0, startOfContents);

  212.             try (InputStream is = getTempIS(tempURI)) {

  213.                 byte[] signed = readPKCS(is);

  214.                 String signedHexPadding = new String(new char[SIZE_OF_CONTENTS - (signed.length * 2)])

  215.                         .replace("\0", "0");

  216.                 String signedHex = "<" + PDFText.toHex(signed, false) + signedHexPadding + ">";

  217.                 os.write(signedHex.getBytes("UTF-8"));

  218.             }

  219.             os.write(byteRange.getBytes("UTF-8"));

  220.             os.write(byteRangePadding.getBytes("UTF-8"));

  221.             IOUtils.copyLarge(pdfIS, os, offsetToPDFEnd - startOfContents, Long.MAX_VALUE);

  222.         }

  223.     }

  224. 

  225.     private OutputStream getTempOS() throws IOException {

  226.         return new BufferedOutputStream(userAgent.getResourceResolver().getOutputStream(tempURI));

  227.     }

  228. 

  229.     private InputStream getTempIS(URI uri) throws IOException {

  230.         return new BufferedInputStream(userAgent.getResourceResolver().getResource(uri));

  231.     }

  232. 

  233.     private byte[] readPKCS(InputStream pdf) throws IOException {

  234.         try {

  235.             char[] password = signParams.getPassword().toCharArray();

  236.             KeyStore keystore = KeyStore.getInstance("PKCS12");

  237.             try (InputStream is = userAgent.getResourceResolver().getResource(signParams.getPkcs12())) {

  238.                 keystore.load(is, password);

  239.             }

  240.             Certificate[] certificates = readKeystore(keystore, password);

  241.             return sign(pdf, certificates);

  242.         } catch (GeneralSecurityException | URISyntaxException | OperatorException | CMSException e) {

  243.             throw new RuntimeException(e);

  244.         }

  245.     }

  246. 

  247.     private Certificate[] readKeystore(KeyStore keystore, char[] password)

  248.             throws GeneralSecurityException, IOException {

  249.         Enumeration<String> aliases = keystore.aliases();

  250.         while (aliases.hasMoreElements()) {

  251.             String alias = aliases.nextElement();

  252.             privateKey = (PrivateKey) keystore.getKey(alias, password);

  253.             Certificate[] certChain = keystore.getCertificateChain(alias);

  254.             if (certChain != null) {

  255.                 Certificate cert = certChain[0];

  256.                 if (cert instanceof X509Certificate) {

  257.                     ((X509Certificate) cert).checkValidity();

  258.                 }

  259.                 return certChain;

  260.             }

  261.         }

  262.         throw new IOException("Could not find certificate");

  263.     }

  264. 

  265.     private byte[] sign(InputStream content, Certificate[] certChain)

  266.             throws GeneralSecurityException, OperatorException, CMSException, IOException {

  267.         CMSSignedDataGenerator gen = new CMSSignedDataGenerator();

  268.         X509Certificate cert = (X509Certificate) certChain[0];

  269.         ContentSigner sha2Signer = new JcaContentSignerBuilder("SHA256WithRSA").build(privateKey);

  270.         gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(

  271.                 new JcaDigestCalculatorProviderBuilder().build()).build(sha2Signer, cert));

  272.         gen.addCertificates(new JcaCertStore(Arrays.asList(certChain)));

  273.         CMSProcessableInputStream msg = new CMSProcessableInputStream(content);

  274.         CMSSignedData signedData = gen.generate(msg, false);

  275.         return signedData.getEncoded();

  276.     }

  277. }