mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9549 Commits
26 Branches
Tree: 200d579e45
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '200d579e45'
${ noResults }
poi/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/SignaturePart.java

SignaturePart.java 8.1KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. package org.apache.poi.poifs.crypt.dsig;

  19. 

  20. import static org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;

  21. import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.MS_DIGSIG_NS;

  22. import static org.apache.poi.poifs.crypt.dsig.facets.SignatureFacet.XML_DIGSIG_NS;

  23. 

  24. import java.io.IOException;

  25. import java.security.cert.X509Certificate;

  26. import java.util.HashMap;

  27. import java.util.Iterator;

  28. import java.util.List;

  29. import java.util.Map;

  30. import java.util.function.Consumer;

  31. 

  32. import javax.xml.crypto.MarshalException;

  33. import javax.xml.crypto.dsig.XMLSignature;

  34. import javax.xml.crypto.dsig.XMLSignatureException;

  35. import javax.xml.crypto.dsig.XMLSignatureFactory;

  36. import javax.xml.crypto.dsig.dom.DOMValidateContext;

  37. import javax.xml.namespace.NamespaceContext;

  38. import javax.xml.xpath.XPath;

  39. import javax.xml.xpath.XPathConstants;

  40. import javax.xml.xpath.XPathExpressionException;

  41. import javax.xml.xpath.XPathFactory;

  42. 

  43. import org.apache.poi.EncryptedDocumentException;

  44. import org.apache.poi.ooxml.util.DocumentHelper;

  45. import org.apache.poi.openxml4j.opc.PackagePart;

  46. import org.apache.poi.util.POILogFactory;

  47. import org.apache.poi.util.POILogger;

  48. import org.apache.xmlbeans.XmlException;

  49. import org.w3.x2000.x09.xmldsig.SignatureDocument;

  50. import org.w3c.dom.Document;

  51. import org.w3c.dom.Element;

  52. import org.w3c.dom.NodeList;

  53. import org.xml.sax.SAXException;

  54. 

  55. public class SignaturePart {

  56.     private static final POILogger LOG = POILogFactory.getLogger(SignaturePart.class);

  57.     private static final String XMLSEC_VALIDATE_MANIFEST = "org.jcp.xml.dsig.validateManifests"; 

  58. 

  59.     

  60.     private final PackagePart signaturePart;

  61.     private final SignatureConfig signatureConfig;

  62.     private X509Certificate signer;

  63.     private List<X509Certificate> certChain;

  64.     

  65.     /* package */ SignaturePart(final PackagePart signaturePart, final SignatureConfig signatureConfig) {

  66.         this.signaturePart = signaturePart;

  67.         this.signatureConfig = signatureConfig;

  68.     }

  69.     

  70.     /**

  71.      * @return the package part containing the signature

  72.      */

  73.     public PackagePart getPackagePart() {

  74.         return signaturePart;

  75.     }

  76.     

  77.     /**

  78.      * @return the signer certificate

  79.      */

  80.     public X509Certificate getSigner() {

  81.         return signer;

  82.     }

  83.     

  84.     /**

  85.      * @return the certificate chain of the signer

  86.      */

  87.     public List<X509Certificate> getCertChain() {

  88.         return certChain;

  89.     }

  90.     

  91.     /**

  92.      * Helper method for examining the xml signature

  93.      *

  94.      * @return the xml signature document

  95.      * @throws IOException if the xml signature doesn't exist or can't be read

  96.      * @throws XmlException if the xml signature is malformed

  97.      */

  98.     public SignatureDocument getSignatureDocument() throws IOException, XmlException {

  99.         // TODO: check for XXE

  100.         return SignatureDocument.Factory.parse(signaturePart.getInputStream(), DEFAULT_XML_OPTIONS);

  101.     }

  102. 

  103.     /**

  104.      * @return true, when the xml signature is valid, false otherwise

  105.      * 

  106.      * @throws EncryptedDocumentException if the signature can't be extracted or if its malformed

  107.      */

  108.     public boolean validate() {

  109.         KeyInfoKeySelector keySelector = new KeyInfoKeySelector();

  110.         XPath xpath = XPathFactory.newInstance().newXPath();

  111.         xpath.setNamespaceContext(new XPathNSContext());

  112. 

  113.         try {

  114.             Document doc = DocumentHelper.readDocument(signaturePart.getInputStream());

  115.             NodeList nl = (NodeList)xpath.compile("//*[@Id]").evaluate(doc, XPathConstants.NODESET);

  116.             final int length = nl.getLength();

  117.             for (int i=0; i<length; i++) {

  118.                 ((Element)nl.item(i)).setIdAttribute("Id", true);

  119.             }

  120.             

  121.             DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);

  122.             domValidateContext.setProperty(XMLSEC_VALIDATE_MANIFEST, Boolean.TRUE);

  123.             domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer());

  124. 

  125.             XMLSignatureFactory xmlSignatureFactory = signatureConfig.getSignatureFactory();

  126.             XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);

  127.             

  128.             boolean valid = xmlSignature.validate(domValidateContext);

  129. 

  130.             if (valid) {

  131.                 signer = keySelector.getSigner();

  132.                 certChain = keySelector.getCertChain();

  133.                 extractConfig(doc, xmlSignature);

  134.             }

  135.             

  136.             return valid;

  137.         } catch (IOException e) {

  138.             String s = "error in reading document";

  139.             LOG.log(POILogger.ERROR, s, e);

  140.             throw new EncryptedDocumentException(s, e);

  141.         } catch (SAXException e) {

  142.             String s = "error in parsing document";

  143.             LOG.log(POILogger.ERROR, s, e);

  144.             throw new EncryptedDocumentException(s, e);

  145.         } catch (XPathExpressionException e) {

  146.             String s = "error in searching document with xpath expression";

  147.             LOG.log(POILogger.ERROR, s, e);

  148.             throw new EncryptedDocumentException(s, e);

  149.         } catch (MarshalException e) {

  150.             String s = "error in unmarshalling the signature";

  151.             LOG.log(POILogger.ERROR, s, e);

  152.             throw new EncryptedDocumentException(s, e);

  153.         } catch (XMLSignatureException e) {

  154.             String s = "error in validating the signature";

  155.             LOG.log(POILogger.ERROR, s, e);

  156.             throw new EncryptedDocumentException(s, e);

  157.         }

  158.     }

  159. 

  160.     private void extractConfig(final Document doc, final XMLSignature xmlSignature) throws XPathExpressionException {

  161.         if (!signatureConfig.isUpdateConfigOnValidate()) {

  162.             return;

  163.         }

  164. 

  165.         signatureConfig.setSigningCertificateChain(certChain);

  166.         signatureConfig.setSignatureMethodFromUri(xmlSignature.getSignedInfo().getSignatureMethod().getAlgorithm());

  167. 

  168.         final XPath xpath = XPathFactory.newInstance().newXPath();

  169.         xpath.setNamespaceContext(new XPathNSContext());

  170. 

  171.         final Map<String,Consumer<String>> m = new HashMap();

  172.         m.put("//mdssi:SignatureTime/mdssi:Value", signatureConfig::setExecutionTime);

  173.         m.put("//xd:ClaimedRole", signatureConfig::setXadesRole);

  174.         m.put("//dsss:SignatureComments", signatureConfig::setSignatureDescription);

  175.         m.put("//xd:QualifyingProperties//xd:SignedSignatureProperties//ds:DigestMethod/@Algorithm", signatureConfig::setXadesDigestAlgo);

  176.         m.put("//ds:CanonicalizationMethod", signatureConfig::setCanonicalizationMethod);

  177. 

  178.         for (Map.Entry<String,Consumer<String>> me : m.entrySet()) {

  179.             String val = (String)xpath.compile(me.getKey()).evaluate(doc, XPathConstants.STRING);

  180.             me.getValue().accept(val);

  181.         }

  182.     }

  183. 

  184.     private class XPathNSContext implements NamespaceContext {

  185.         final Map<String,String> nsMap = new HashMap<>();

  186. 

  187.         {

  188.             signatureConfig.getNamespacePrefixes().forEach((k,v) -> nsMap.put(v,k));

  189.             nsMap.put("dsss", MS_DIGSIG_NS);

  190.             nsMap.put("ds", XML_DIGSIG_NS);

  191.         }

  192. 

  193.         public String getNamespaceURI(String prefix) {

  194.             return nsMap.get(prefix);

  195.         }

  196.         public Iterator getPrefixes(String val) {

  197.             return null;

  198.         }

  199.         public String getPrefix(String uri) {

  200.             return null;

  201.         }

  202.     }

  203. }