mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9549 Commits
26 Branches
Tree: 200d579e45
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '200d579e45'
${ noResults }
poi/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java

TestSignatureInfo.java 53KB
Raw Blame History

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */ 

  24. package org.apache.poi.poifs.crypt;

  25. 

  26. import static org.junit.Assert.assertEquals;

  27. import static org.junit.Assert.assertFalse;

  28. import static org.junit.Assert.assertNotNull;

  29. import static org.junit.Assert.assertTrue;

  30. import static org.junit.Assume.assumeTrue;

  31. 

  32. import java.io.BufferedReader;

  33. import java.io.ByteArrayInputStream;

  34. import java.io.ByteArrayOutputStream;

  35. import java.io.File;

  36. import java.io.FileInputStream;

  37. import java.io.FileOutputStream;

  38. import java.io.IOException;

  39. import java.io.InputStream;

  40. import java.io.InputStreamReader;

  41. import java.io.OutputStream;

  42. import java.math.BigInteger;

  43. import java.net.ConnectException;

  44. import java.net.HttpURLConnection;

  45. import java.net.MalformedURLException;

  46. import java.net.SocketTimeoutException;

  47. import java.net.URL;

  48. import java.nio.charset.StandardCharsets;

  49. import java.security.Key;

  50. import java.security.KeyPair;

  51. import java.security.KeyPairGenerator;

  52. import java.security.KeyStore;

  53. import java.security.PrivateKey;

  54. import java.security.PublicKey;

  55. import java.security.SecureRandom;

  56. import java.security.cert.CRLException;

  57. import java.security.cert.Certificate;

  58. import java.security.cert.CertificateEncodingException;

  59. import java.security.cert.CertificateException;

  60. import java.security.cert.X509CRL;

  61. import java.security.cert.X509Certificate;

  62. import java.security.interfaces.RSAPublicKey;

  63. import java.security.spec.RSAKeyGenParameterSpec;

  64. import java.util.ArrayList;

  65. import java.util.Calendar;

  66. import java.util.Collections;

  67. import java.util.Date;

  68. import java.util.Iterator;

  69. import java.util.List;

  70. 

  71. import javax.xml.crypto.MarshalException;

  72. import javax.xml.crypto.dsig.CanonicalizationMethod;

  73. import javax.xml.crypto.dsig.XMLSignatureException;

  74. import javax.xml.crypto.dsig.dom.DOMSignContext;

  75. 

  76. import org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo;

  77. import org.apache.poi.EncryptedDocumentException;

  78. import org.apache.poi.POIDataSamples;

  79. import org.apache.poi.POITestCase;

  80. import org.apache.poi.ooxml.util.DocumentHelper;

  81. import org.apache.poi.openxml4j.exceptions.InvalidFormatException;

  82. import org.apache.poi.openxml4j.opc.OPCPackage;

  83. import org.apache.poi.openxml4j.opc.PackageAccess;

  84. import org.apache.poi.openxml4j.opc.PackageRelationshipTypes;

  85. import org.apache.poi.poifs.crypt.dsig.SignatureConfig;

  86. import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

  87. import org.apache.poi.poifs.crypt.dsig.SignaturePart;

  88. import org.apache.poi.poifs.crypt.dsig.facets.EnvelopedSignatureFacet;

  89. import org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet;

  90. import org.apache.poi.poifs.crypt.dsig.facets.OOXMLSignatureFacet;

  91. import org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet;

  92. import org.apache.poi.poifs.crypt.dsig.facets.XAdESXLSignatureFacet;

  93. import org.apache.poi.poifs.crypt.dsig.services.RevocationData;

  94. import org.apache.poi.poifs.crypt.dsig.services.RevocationDataService;

  95. import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;

  96. import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;

  97. import org.apache.poi.poifs.storage.RawDataUtil;

  98. import org.apache.poi.ss.usermodel.WorkbookFactory;

  99. import org.apache.poi.util.IOUtils;

  100. import org.apache.poi.util.LocaleUtil;

  101. import org.apache.poi.util.POILogFactory;

  102. import org.apache.poi.util.POILogger;

  103. import org.apache.poi.xssf.streaming.SXSSFWorkbook;

  104. import org.apache.poi.xssf.usermodel.XSSFWorkbook;

  105. import org.apache.xmlbeans.SystemProperties;

  106. import org.apache.xmlbeans.XmlObject;

  107. import org.bouncycastle.asn1.DERIA5String;

  108. import org.bouncycastle.asn1.DEROctetString;

  109. import org.bouncycastle.asn1.DERSequence;

  110. import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

  111. import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;

  112. import org.bouncycastle.asn1.x500.X500Name;

  113. import org.bouncycastle.asn1.x509.AuthorityInformationAccess;

  114. import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;

  115. import org.bouncycastle.asn1.x509.BasicConstraints;

  116. import org.bouncycastle.asn1.x509.CRLNumber;

  117. import org.bouncycastle.asn1.x509.CRLReason;

  118. import org.bouncycastle.asn1.x509.DistributionPoint;

  119. import org.bouncycastle.asn1.x509.DistributionPointName;

  120. import org.bouncycastle.asn1.x509.Extension;

  121. import org.bouncycastle.asn1.x509.Extensions;

  122. import org.bouncycastle.asn1.x509.GeneralName;

  123. import org.bouncycastle.asn1.x509.GeneralNames;

  124. import org.bouncycastle.asn1.x509.KeyUsage;

  125. import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;

  126. import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;

  127. import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;

  128. import org.bouncycastle.cert.X509CRLHolder;

  129. import org.bouncycastle.cert.X509CertificateHolder;

  130. import org.bouncycastle.cert.X509ExtensionUtils;

  131. import org.bouncycastle.cert.X509v2CRLBuilder;

  132. import org.bouncycastle.cert.X509v3CertificateBuilder;

  133. import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;

  134. import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

  135. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  136. import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;

  137. import org.bouncycastle.cert.ocsp.CertificateID;

  138. import org.bouncycastle.cert.ocsp.CertificateStatus;

  139. import org.bouncycastle.cert.ocsp.OCSPReq;

  140. import org.bouncycastle.cert.ocsp.OCSPReqBuilder;

  141. import org.bouncycastle.cert.ocsp.OCSPResp;

  142. import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

  143. import org.bouncycastle.cert.ocsp.Req;

  144. import org.bouncycastle.cert.ocsp.RevokedStatus;

  145. import org.bouncycastle.crypto.params.RSAKeyParameters;

  146. import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;

  147. import org.bouncycastle.openssl.PEMParser;

  148. import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

  149. import org.bouncycastle.operator.ContentSigner;

  150. import org.bouncycastle.operator.DigestCalculator;

  151. import org.bouncycastle.operator.OperatorCreationException;

  152. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  153. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  154. import org.etsi.uri.x01903.v13.DigestAlgAndValueType;

  155. import org.etsi.uri.x01903.v13.QualifyingPropertiesType;

  156. import org.junit.AfterClass;

  157. import org.junit.Assume;

  158. import org.junit.BeforeClass;

  159. import org.junit.Ignore;

  160. import org.junit.Test;

  161. import org.w3.x2000.x09.xmldsig.ReferenceType;

  162. import org.w3.x2000.x09.xmldsig.SignatureDocument;

  163. import org.w3c.dom.Document;

  164. 

  165. public class TestSignatureInfo {

  166.     private static final POILogger LOG = POILogFactory.getLogger(TestSignatureInfo.class);

  167.     private static final POIDataSamples testdata = POIDataSamples.getXmlDSignInstance();

  168. 

  169.     private static Calendar cal;

  170.     private KeyPair keyPair;

  171.     private X509Certificate x509;

  172. 

  173.     @AfterClass

  174.     public static void removeUserLocale() {

  175.         LocaleUtil.resetUserLocale();

  176.     }

  177.     

  178.     @BeforeClass

  179.     public static void initBouncy() {

  180.         CryptoFunctions.registerBouncyCastle();

  181. 

  182.         // Set cal to now ... only set to fixed date for debugging ...

  183.         LocaleUtil.resetUserLocale();

  184.         LocaleUtil.resetUserTimeZone();

  185.         

  186.         cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  187.         assertNotNull(cal);

  188. 

  189.         // don't run this test when we are using older Xerces as it triggers an XML Parser backwards compatibility issue 

  190.         // in the xmlsec jar file

  191.         String additionalJar = System.getProperty("additionaljar");

  192.         //System.out.println("Having: " + additionalJar);

  193.         Assume.assumeTrue("Not running TestSignatureInfo because we are testing with additionaljar set to " + additionalJar, 

  194.                 additionalJar == null || additionalJar.trim().length() == 0);

  195.         

  196.         System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");

  197.         

  198.         // Set line.separator for bug61182

  199.         // System.setProperty("line.separator", "\n");

  200.     }

  201. 

  202.     @Ignore("This test is very sensitive, it breaks with every little change to the produced XML")

  203.     @Test

  204.     public void bug61182() throws Exception {

  205.         String pfxInput =

  206.             "H4sIAAAAAAAAAFXTfzzTeRwH8P2uGRmG6hKSmJh9a2HsuPy60VnHCEU6v86sieZH2Jr2qFl+s+ZHJ5tfUcfKb4uho/OjiFq1qTv5ceFyp0PqEK"+

  207.             "fH4+66++Pz+Dwer9fj8f7r9cRzEd4QMBTPRWxDIM14ZN47NfAWsJgL34Bx4at4Lvwdngvd9b8KqgbjQpGbMXzzgRGovytVFTBEzIXU47kQCd4U"+

  208.             "ofJPvHl8JwyTjRS55hbKoor3UJLDE1i/PcPKCBAIDATjQlKiK67XjVYdcnkZgD2txroiAUb8W9dtn57DvTsbM+3wIsdocXDEN7TdPKgaSl+tU1"+

  209.             "xq9oqiB5yMaZCPho8uUEbFU9U6u3N7lEMLTJGeA0RfX+5FMRrpXPFrbrlJ8uNUCE2H247P28Ckyfqlsy32yeKg/HTbH5JpqUDNw2B32+SaiRw7"+

  210.             "ofRMePUpaAoK7KYgmd5ZIc0rLLYjJBfOWCb28xlrGhbpJvdToFdqt5PXVjEz5YOJ6g7W0fskuKW9/iZP0yLEVpR9XkkHmb6tfpcE8YwCdWNCan"+

  211.             "LvAsco25JdF1j2/FLAMVU79HdOex07main90dy40511OZtTGZ+TdVd3lKZ7D3clEg9hLESHwSNnZ6239X4yLM4xYSElQ/hqSbwdmiozYG9PhF2"+

  212.             "Zf0XaZnxzTK0Iot+rJ3kYoxWTLE8DR9leV62Ywbtlg4mapYOxb3lT7fQ1x4EQ44flh2oFWSPLR8LMbsc6jzJsV6OZ3TrODjHEdw9W+8OD32vd8"+

  213.             "XQ6iCaIHcrSOn6qS0TKLr786234eeSAhvAQbEsVn7vrvc/487Be/O2e/+5Y5zRq2zAtz6pfcNyraJNDqMW1inNkgJ3t3VESbZ3pNzyl3KHILs0"+

  214.             "51dY6msDYSlWhw40TglXxj9rw95O6gFWIuN012W/vhS50jpKXcao4gc1aLaXtJXxirbRkpZ/0e7a0pD6TDa7+GxEdEEML3VGo9udD5YUKhU3y7"+

  215.             "SzWAgN6WIEIglq7LilvCjqIVLIfg8CvVGL9f5iSsCDf5hef4vMxbyvcjINuy06gZu+iPYOWNxjfrwKGYzoqqotK2aywgYVrPMh0JovfkDuN95n"+

  216.             "MdVlYHbN1Mnn4TxAwuv+u3AkBlDZvRUUCwoDMUGxeMNPhTaAgWl60xhhBgCBaEMgAACReMAav7n3x598IDYJ9GxGXRAwaPOT/kfO/1AgPqLQkp"+

  217.             "MiIVaHthnUS4v2y32e2BjdMPyIImUTBW3cV3R5tjVQm0MOm+D2C5+bBW9vHLjLR4lun4toQiY3Ls/v4bES/OJ4EmpZk5xhL9i5ClofYZNEsxFn"+

  218.             "An/q821Tg+Cq9Er4XYGQe8ogjjLJ2b7dUsJ3auFQFNUJF7Ke7yUL2EeYYxl6vz5l4q5u8704mRbFts1E1eWMp6WIy91GPrsVlRGvtuNERfrjfE"+

  219.             "YtzUI3Flcv65zJUbUBEzUnTS0fEYso2XyToAl8kb251mUY2o2lJzv5dp/1htmcjeeP2MjxC+3S45ljx7jd52Pv9XAat+ryiauFOF7YgztkoWWD"+

  220.             "h62tplPH1bzDV+d0NLdaE5AfVJ09HuUYTFS+iggtvT5Euyk+unj4N2XvzW91n+GNjtgWfKOHmkinUPvYRh70Jv+wlPJrVaT8mL7GxJLqDC9jbv"+

  221.             "Gznoiae6es+wQejnk3XjU366MrK/zXxngBYj9J6NnXc9mMiTFLX8WqQ8iTelTAFs2NJzPoDzrBUz4JFIEOa6Dja6dULc68g1jFDTeEHZyra7RZ"+

  222.             "2ElqGDEqcNRo3SNX6feMy9EF1GOyZK0Sa87KwjKw8aM68dpsIYjfLcTXaZ6atg0BKfMnl6axeUGEaIFSP7rzj9wjzumRbG3jgUVp2lX5AK/tsO"+

  223.             "7R4TQX/9/H6RiN34c9KldmPZZGANXzzTajZS9mR2OSvlJ+F4AgSko4htrMAKFTBu51/5SWNsO1vlRaaG48ZRJ+8PzuHQMdvS36gNpRPi7jhF1S"+

  224.             "H3B2ycI4y0VURv6SrqJNUY/X645ZFJQ+eBO+ptG7o8axf1dcqh2beiQk+GRTeZ37LVeUlaeo9vl1/+8tyBfyT2v5lFC5E19WdKIyCuZe7r99Px"+

  225.             "D/Od4Qj0TA92+DQnbCQTCMy/wwse9O4gsEebkkpPIP5GBV3Q0YBsj75XE0uSFQ1tCZSW8bNa9MUJZ/nPBfExohHlgGAAA=";

  226.         

  227.         Calendar cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  228.         cal.clear();

  229.         cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);

  230.         cal.set(2017, Calendar.JULY, 1);

  231.         

  232.         SignatureConfig signatureConfig = prepareConfig("test", "CN=Test", pfxInput);

  233.         signatureConfig.setExecutionTime(cal.getTime());

  234. 

  235.         SignatureInfo si = new SignatureInfo();

  236.         si.setSignatureConfig(signatureConfig);

  237. 

  238.         XSSFWorkbook wb1 = new XSSFWorkbook();

  239.         wb1.createSheet().createRow(1).createCell(1).setCellValue("Test");

  240.         ByteArrayOutputStream bos = new ByteArrayOutputStream(100000);

  241.         wb1.write(bos);

  242.         wb1.close();

  243.         

  244.         OPCPackage pkg1 = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()));

  245.         

  246.         signatureConfig.setOpcPackage(pkg1);

  247.         si.confirmSignature();

  248.         assertTrue(si.verifySignature());

  249.         bos.reset();

  250.         pkg1.save(bos);

  251.         pkg1.close();

  252. 

  253.         XSSFWorkbook wb2 = new XSSFWorkbook(new ByteArrayInputStream(bos.toByteArray()));

  254.         assertEquals("Test", wb2.getSheetAt(0).getRow(1).getCell(1).getStringCellValue());

  255.         OPCPackage pkg2 = wb2.getPackage();

  256.         signatureConfig.setOpcPackage(pkg2);

  257.         assertTrue(si.verifySignature());

  258.         

  259.         // xmlbeans adds line-breaks depending on the system setting, so we get different

  260.         // test results on Unix/Mac/Windows

  261.         // if the xml documents eventually change, this test needs to be run with the

  262.         // separator set to the various system configurations

  263.         String sep = SystemProperties.getProperty( "line.separator" );

  264.         String signExp;

  265.         assumeTrue("Hashes only known for Windows/Unix/Mac", sep == null || "\n".equals(sep) || "\r\n".equals(sep) || "\r".equals(sep));

  266.         if (sep == null || "\n".equals(sep)) {

  267.             // Unix

  268.             signExp =

  269.                 "QkqTFQZjXagjRAoOWKpAGa8AR0rKqkSfBtfSWqtjBmTgyjarn+t2POHkpySIpheHAbg+90GKSH88ACMtPHbG7q"+

  270.                 "FL4gtgAD9Kjew6j16j0IRBwy145UlPrSLFMfF7YF7UlU1k1LBkIlRJ6Fv4MAJl6XspuzZOZIUmHZrWrdxycUQ=";

  271.         } else if ("\r\n".equals(sep)){

  272.             // Windows

  273.             signExp =

  274.                 "GmAlL7+bT1r3FsMHJOp3pKg8betblYieZTjhMIrPZPRBbSzjO7KsYRGNtr0aOE3qr8xzyYJN6/8QdF5X7pUEUc"+

  275.                 "2m8ctrm7s5o2vZTkAqk9ENJGDjBPXX7TnuVOiVeL1cJdtjHC2QpjtRwkFR+B54G6b1OXLOFuQpP3vqR3+/XXE=";

  276.         } else {

  277.             // Mac

  278.             signExp =

  279.                 "NZedY/LNTYU4nAUEUhIOg5+fKdgVtzRXKmdD3v+47E7Mb84oeiUGv9cCEE91DU3StF/JFIhjOJqavOzKnCsNcz"+

  280.                 "NJ4j/inggUl1OJUsicqIGQnA7E8vzWnN1kf5lINgJLv+0PyrrX9sQZbItzxUpgqyOFYcD0trid+31nRt4wtaA=";

  281.         }

  282.         

  283.         String signAct = si.getSignatureParts().iterator().next().

  284.             getSignatureDocument().getSignature().getSignatureValue().getStringValue();

  285.         assertEquals(signExp, signAct);

  286.         

  287.         pkg2.close();

  288.         wb2.close();

  289.     }

  290.     

  291.     @Test

  292.     public void office2007prettyPrintedRels() throws Exception {

  293.         try (OPCPackage pkg = OPCPackage.open(testdata.getFile("office2007prettyPrintedRels.docx"), PackageAccess.READ)) {

  294.             SignatureConfig sic = new SignatureConfig();

  295.             sic.setOpcPackage(pkg);

  296.             SignatureInfo si = new SignatureInfo();

  297.             si.setSignatureConfig(sic);

  298.             boolean isValid = si.verifySignature();

  299.             assertTrue(isValid);

  300.         }

  301.     }

  302.     

  303.     @Test

  304.     public void getSignerUnsigned() throws Exception {

  305.         String testFiles[] = { 

  306.             "hello-world-unsigned.docx",

  307.             "hello-world-unsigned.pptx",

  308.             "hello-world-unsigned.xlsx",

  309.             "hello-world-office-2010-technical-preview-unsigned.docx"

  310.         };

  311.         

  312.         for (String testFile : testFiles) {

  313.             OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);

  314.             SignatureConfig sic = new SignatureConfig();

  315.             sic.setOpcPackage(pkg);

  316.             SignatureInfo si = new SignatureInfo();

  317.             si.setSignatureConfig(sic);

  318.             List<X509Certificate> result = new ArrayList<>();

  319.             for (SignaturePart sp : si.getSignatureParts()) {

  320.                 if (sp.validate()) {

  321.                     result.add(sp.getSigner());

  322.                 }

  323.             }

  324.             pkg.revert();

  325.             pkg.close();

  326.             assertNotNull(result);

  327.             assertTrue(result.isEmpty());

  328.         }

  329.     }

  330.     

  331.     @Test

  332.     public void getSigner() throws Exception {

  333.         String testFiles[] = { 

  334.             "hyperlink-example-signed.docx",

  335.             "hello-world-signed.docx",

  336.             "hello-world-signed.pptx",

  337.             "hello-world-signed.xlsx",

  338.             "hello-world-office-2010-technical-preview.docx",

  339.             "ms-office-2010-signed.docx",

  340.             "ms-office-2010-signed.pptx",

  341.             "ms-office-2010-signed.xlsx",

  342.             "Office2010-SP1-XAdES-X-L.docx",

  343.             "signed.docx",

  344.         };

  345.         

  346.         for (String testFile : testFiles) {

  347.             try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {

  348.                 SignatureConfig sic = new SignatureConfig();

  349.                 sic.setOpcPackage(pkg);

  350.                 SignatureInfo si = new SignatureInfo();

  351.                 si.setSignatureConfig(sic);

  352.                 List<X509Certificate> result = new ArrayList<>();

  353.                 for (SignaturePart sp : si.getSignatureParts()) {

  354.                     if (sp.validate()) {

  355.                         result.add(sp.getSigner());

  356.                     }

  357.                 }

  358. 

  359.                 assertNotNull(result);

  360.                 assertEquals("test-file: " + testFile, 1, result.size());

  361.                 X509Certificate signer = result.get(0);

  362.                 LOG.log(POILogger.DEBUG, "signer: " + signer.getSubjectX500Principal());

  363. 

  364.                 boolean b = si.verifySignature();

  365.                 assertTrue("test-file: " + testFile, b);

  366.                 pkg.revert();

  367.             }

  368.         }

  369.     }

  370. 

  371.     @Test

  372.     public void getMultiSigners() throws Exception {

  373.         String testFile = "hello-world-signed-twice.docx";

  374.         try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {

  375.             SignatureConfig sic = new SignatureConfig();

  376.             sic.setOpcPackage(pkg);

  377.             SignatureInfo si = new SignatureInfo();

  378.             si.setSignatureConfig(sic);

  379.             List<X509Certificate> result = new ArrayList<>();

  380.             for (SignaturePart sp : si.getSignatureParts()) {

  381.                 if (sp.validate()) {

  382.                     result.add(sp.getSigner());

  383.                 }

  384.             }

  385. 

  386.             assertNotNull(result);

  387.             assertEquals("test-file: " + testFile, 2, result.size());

  388.             X509Certificate signer1 = result.get(0);

  389.             X509Certificate signer2 = result.get(1);

  390.             LOG.log(POILogger.DEBUG, "signer 1: " + signer1.getSubjectX500Principal());

  391.             LOG.log(POILogger.DEBUG, "signer 2: " + signer2.getSubjectX500Principal());

  392. 

  393.             boolean b = si.verifySignature();

  394.             assertTrue("test-file: " + testFile, b);

  395.             pkg.revert();

  396.         }

  397.     }

  398.     

  399.     @Test

  400.     public void testSignSpreadsheet() throws Exception {

  401.         String testFile = "hello-world-unsigned.xlsx";

  402.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  403.         sign(pkg, "Test", "CN=Test", 1);

  404.         pkg.close();

  405.     }

  406. 

  407.     @Test

  408.     public void testManipulation() throws Exception {

  409.         // sign & validate

  410.         String testFile = "hello-world-unsigned.xlsx";

  411.         @SuppressWarnings("resource")

  412.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  413.         sign(pkg, "Test", "CN=Test", 1);

  414.         

  415.         // manipulate

  416.         XSSFWorkbook wb = new XSSFWorkbook(pkg);

  417.         wb.setSheetName(0, "manipulated");

  418.         // ... I don't know, why commit is protected ...

  419.         POITestCase.callMethod(XSSFWorkbook.class, wb, Void.class, "commit", new Class[0], new Object[0]);

  420. 

  421.         // todo: test a manipulation on a package part, which is not signed

  422.         // ... maybe in combination with #56164 

  423.         

  424.         // validate

  425.         SignatureConfig sic = new SignatureConfig();

  426.         sic.setOpcPackage(pkg);

  427.         SignatureInfo si = new SignatureInfo();

  428.         si.setSignatureConfig(sic);

  429.         boolean b = si.verifySignature();

  430.         assertFalse("signature should be broken", b);

  431.         

  432.         wb.close();

  433.     }

  434.     

  435.     @Test

  436.     public void testSignSpreadsheetWithSignatureInfo() throws Exception {

  437.         initKeyPair("Test", "CN=Test");

  438.         String testFile = "hello-world-unsigned.xlsx";

  439.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  440.         SignatureConfig sic = new SignatureConfig();

  441.         sic.setOpcPackage(pkg);

  442.         sic.setKey(keyPair.getPrivate());

  443.         sic.setSigningCertificateChain(Collections.singletonList(x509));

  444.         SignatureInfo si = new SignatureInfo();

  445.         si.setSignatureConfig(sic);

  446.         // hash > sha1 doesn't work in excel viewer ...

  447.         si.confirmSignature();

  448.         List<X509Certificate> result = new ArrayList<>();

  449.         for (SignaturePart sp : si.getSignatureParts()) {

  450.             if (sp.validate()) {

  451.                 result.add(sp.getSigner());

  452.             }

  453.         }

  454.         assertEquals(1, result.size());

  455.         pkg.close();

  456.     }

  457. 

  458.     @Test

  459.     public void testSignEnvelopingDocument() throws Exception {

  460.         String testFile = "hello-world-unsigned.xlsx";

  461.         File sigCopy = testdata.getFile(testFile);

  462.         ByteArrayOutputStream bos = new ByteArrayOutputStream(50000);

  463. 

  464.         final String execTimestr;

  465. 

  466. 

  467.         try (OPCPackage pkg = OPCPackage.open(copy(sigCopy), PackageAccess.READ_WRITE)) {

  468. 

  469.             initKeyPair("Test", "CN=Test");

  470.             final X509CRL crl = generateCrl(x509, keyPair.getPrivate());

  471. 

  472.             // setup

  473.             SignatureConfig signatureConfig = new SignatureConfig();

  474.             signatureConfig.setOpcPackage(pkg);

  475.             signatureConfig.setKey(keyPair.getPrivate());

  476. 

  477.             /*

  478.              * We need at least 2 certificates for the XAdES-C complete certificate

  479.              * refs construction.

  480.              */

  481.             List<X509Certificate> certificateChain = new ArrayList<>();

  482.             certificateChain.add(x509);

  483.             certificateChain.add(x509);

  484.             signatureConfig.setSigningCertificateChain(certificateChain);

  485. 

  486.             signatureConfig.addSignatureFacet(new OOXMLSignatureFacet());

  487.             signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());

  488.             signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());

  489.             signatureConfig.addSignatureFacet(new XAdESSignatureFacet());

  490.             signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());

  491. 

  492.             // check for internet, no error means it works

  493.             boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);

  494. 

  495.             // http://timestamping.edelweb.fr/service/tsp

  496.             // http://tsa.belgium.be/connect

  497.             // http://timestamp.comodoca.com/authenticode

  498.             // http://timestamp.comodoca.com/rfc3161

  499.             // http://services.globaltrustfinder.com/adss/tsa

  500.             signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");

  501.             signatureConfig.setTspRequestPolicy(null); // comodoca request fails, if default policy is set ...

  502.             signatureConfig.setTspOldProtocol(false);

  503. 

  504.             signatureConfig.setXadesDigestAlgo(HashAlgorithm.sha512);

  505.             signatureConfig.setXadesRole("Xades Reviewer");

  506.             signatureConfig.setSignatureDescription("test xades signature");

  507. 

  508.             execTimestr = signatureConfig.formatExecutionTime();

  509. 

  510.             //set proxy info if any

  511.             String proxy = System.getProperty("http_proxy");

  512.             if (proxy != null && proxy.trim().length() > 0) {

  513.                 signatureConfig.setProxyUrl(proxy);

  514.             }

  515. 

  516.             if (mockTsp) {

  517.                 TimeStampService tspService = new TimeStampService() {

  518.                     @Override

  519.                     public byte[] timeStamp(byte[] data, RevocationData revocationData) {

  520.                         revocationData.addCRL(crl);

  521.                         return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);

  522.                     }

  523. 

  524.                     @Override

  525.                     public void setSignatureConfig(SignatureConfig config) {

  526.                         // empty on purpose

  527.                     }

  528.                 };

  529.                 signatureConfig.setTspService(tspService);

  530.             } else {

  531.                 TimeStampServiceValidator tspValidator = (validateChain, revocationData) -> {

  532.                     for (X509Certificate certificate : validateChain) {

  533.                         LOG.log(POILogger.DEBUG, "certificate: " + certificate.getSubjectX500Principal());

  534.                         LOG.log(POILogger.DEBUG, "validity: " + certificate.getNotBefore() + " - " + certificate.getNotAfter());

  535.                     }

  536.                 };

  537.                 signatureConfig.setTspValidator(tspValidator);

  538.                 signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));

  539.             }

  540. 

  541.             final RevocationData revocationData = new RevocationData();

  542.             revocationData.addCRL(crl);

  543.             OCSPResp ocspResp = createOcspResp(x509, false,

  544.                     x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());

  545.             revocationData.addOCSP(ocspResp.getEncoded());

  546. 

  547.             RevocationDataService revocationDataService = revocationChain -> revocationData;

  548.             signatureConfig.setRevocationDataService(revocationDataService);

  549. 

  550.             // operate

  551.             SignatureInfo si = new SignatureInfo();

  552.             si.setSignatureConfig(signatureConfig);

  553.             try {

  554.                 si.confirmSignature();

  555.             } catch (RuntimeException e) {

  556.                 pkg.close();

  557.                 // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...

  558.                 if (e.getCause() == null) {

  559.                     throw e;

  560.                 }

  561.                 if ((e.getCause() instanceof ConnectException) || (e.getCause() instanceof SocketTimeoutException)) {

  562.                     Assume.assumeFalse("Only allowing ConnectException with 'timed out' as message here, but had: " + e,

  563.                             e.getCause().getMessage().contains("timed out"));

  564.                 } else if (e.getCause() instanceof IOException) {

  565.                     Assume.assumeFalse("Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e,

  566.                             e.getCause().getMessage().contains("Error contacting TSP server"));

  567.                 } else if (e.getCause() instanceof RuntimeException) {

  568.                     Assume.assumeFalse("Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e,

  569.                             e.getCause().getMessage().contains("This site is cur"));

  570.                 }

  571.                 throw e;

  572.             }

  573. 

  574.             // verify

  575.             Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();

  576.             assertTrue("Had: " + si.getSignatureConfig().getOpcPackage().

  577.                             getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN),

  578.                     spIter.hasNext());

  579.             SignaturePart sp = spIter.next();

  580.             boolean valid = sp.validate();

  581.             assertTrue(valid);

  582. 

  583.             SignatureDocument sigDoc = sp.getSignatureDocument();

  584.             String declareNS =

  585.                     "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; "

  586.                             + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";

  587. 

  588.             String digestValXQuery = declareNS +

  589.                     "$this/ds:Signature/ds:SignedInfo/ds:Reference";

  590.             for (ReferenceType rt : (ReferenceType[]) sigDoc.selectPath(digestValXQuery)) {

  591.                 assertNotNull(rt.getDigestValue());

  592.                 assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());

  593.             }

  594. 

  595.             String certDigestXQuery = declareNS +

  596.                     "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";

  597.             XmlObject xoList[] = sigDoc.selectPath(certDigestXQuery);

  598.             assertEquals(xoList.length, 1);

  599.             DigestAlgAndValueType certDigest = (DigestAlgAndValueType) xoList[0];

  600.             assertNotNull(certDigest.getDigestValue());

  601. 

  602.             String qualPropXQuery = declareNS +

  603.                     "$this/ds:Signature/ds:Object/xades:QualifyingProperties";

  604.             xoList = sigDoc.selectPath(qualPropXQuery);

  605.             assertEquals(xoList.length, 1);

  606.             QualifyingPropertiesType qualProp = (QualifyingPropertiesType) xoList[0];

  607.             boolean qualPropXsdOk = qualProp.validate();

  608.             assertTrue(qualPropXsdOk);

  609. 

  610.             pkg.save(bos);

  611.         }

  612. 

  613.         try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {

  614.             SignatureConfig signatureConfig = new SignatureConfig();

  615.             signatureConfig.setOpcPackage(pkg);

  616.             signatureConfig.setUpdateConfigOnValidate(true);

  617. 

  618.             SignatureInfo si = new SignatureInfo();

  619.             si.setSignatureConfig(signatureConfig);

  620. 

  621.             assertTrue(si.verifySignature());

  622. 

  623.             assertEquals(HashAlgorithm.sha512, signatureConfig.getXadesDigestAlgo());

  624.             assertEquals("Xades Reviewer", signatureConfig.getXadesRole());

  625.             assertEquals("test xades signature", signatureConfig.getSignatureDescription());

  626.             assertEquals(execTimestr, signatureConfig.formatExecutionTime());

  627.         }

  628.     }

  629. 

  630.     public static String getAccessError(String destinationUrl, boolean fireRequest, int timeout) {

  631.         URL url;

  632.         try {

  633.             url = new URL(destinationUrl);

  634.         } catch (MalformedURLException e) {

  635.             throw new IllegalArgumentException("Invalid destination URL", e);

  636.         }

  637. 

  638.         HttpURLConnection conn = null;

  639.         try {

  640.             conn = (HttpURLConnection) url.openConnection();

  641. 

  642.             // set specified timeout if non-zero

  643.             if(timeout != 0) {

  644.                 conn.setConnectTimeout(timeout);

  645.                 conn.setReadTimeout(timeout);

  646.             }

  647. 

  648.             conn.setDoOutput(false);

  649.             conn.setDoInput(true);

  650. 

  651.             /* if connecting is not possible this will throw a connection refused exception */

  652.             conn.connect();

  653. 

  654.             if (fireRequest) {

  655.                 InputStream is = null;

  656.                 try {

  657.                     is = conn.getInputStream();

  658.                 } finally {

  659.                     IOUtils.closeQuietly(is);

  660.                 }

  661. 

  662.             }

  663.             /* if connecting is possible we return true here */

  664.             return null;

  665. 

  666.         } catch (IOException e) {

  667.             /* exception is thrown -> server not available */

  668.             return e.getClass().getName() + ": " + e.getMessage();

  669.         } finally {

  670.             if (conn != null) {

  671.                 conn.disconnect();

  672.             }

  673.         }

  674.     }

  675.     

  676.     @Test

  677.     public void testCertChain() throws Exception {

  678.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  679.         String password = "test";

  680.         InputStream is = testdata.openResourceAsStream("chaintest.pfx");

  681.         keystore.load(is, password.toCharArray());

  682.         is.close();

  683. 

  684.         Key key = keystore.getKey("poitest", password.toCharArray());

  685.         Certificate chainList[] = keystore.getCertificateChain("poitest");

  686.         List<X509Certificate> certChain = new ArrayList<>();

  687.         for (Certificate c : chainList) {

  688.             certChain.add((X509Certificate)c);

  689.         }

  690.         x509 = certChain.get(0);

  691.         keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  692.         

  693.         String testFile = "hello-world-unsigned.xlsx";

  694.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  695. 

  696.         SignatureConfig signatureConfig = new SignatureConfig();

  697.         signatureConfig.setKey(keyPair.getPrivate());

  698.         signatureConfig.setSigningCertificateChain(certChain);

  699.         Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);

  700.         signatureConfig.setExecutionTime(oldCal.getTime());

  701.         signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  702.         signatureConfig.setOpcPackage(pkg);

  703.         

  704.         SignatureInfo si = new SignatureInfo();

  705.         si.setSignatureConfig(signatureConfig);

  706. 

  707.         si.confirmSignature();

  708.         

  709.         for (SignaturePart sp : si.getSignatureParts()){

  710.             assertTrue("Could not validate", sp.validate());

  711.             X509Certificate signer = sp.getSigner();

  712.             assertNotNull("signer undefined?!", signer);

  713.             List<X509Certificate> certChainRes = sp.getCertChain();

  714.             assertEquals(3, certChainRes.size());

  715.         }

  716.         

  717.         pkg.close();

  718.     }

  719. 

  720.     @Test

  721.     public void testNonSha1() throws Exception {

  722.         String testFile = "hello-world-unsigned.xlsx";

  723.         initKeyPair("Test", "CN=Test");

  724. 

  725.         SignatureConfig signatureConfig = new SignatureConfig();

  726.         signatureConfig.setKey(keyPair.getPrivate());

  727.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  728. 

  729.         HashAlgorithm testAlgo[] = { HashAlgorithm.sha224, HashAlgorithm.sha256

  730.             , HashAlgorithm.sha384, HashAlgorithm.sha512, HashAlgorithm.ripemd160 }; 

  731.         

  732.         for (HashAlgorithm ha : testAlgo) {

  733.             OPCPackage pkg = null;

  734.             try {

  735.                 signatureConfig.setDigestAlgo(ha);

  736.                 pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  737.                 signatureConfig.setOpcPackage(pkg);

  738.                 

  739.                 SignatureInfo si = new SignatureInfo();

  740.                 si.setSignatureConfig(signatureConfig);

  741.         

  742.                 si.confirmSignature();

  743.                 boolean b = si.verifySignature();

  744.                 assertTrue("Signature not correctly calculated for " + ha, b);

  745.             } catch (EncryptedDocumentException e) {

  746.                 Assume.assumeTrue(e.getMessage().startsWith("Export Restrictions"));

  747.             } finally {

  748.                 if (pkg != null) {

  749.                     pkg.close();

  750.                 }

  751.             }

  752.         }

  753.     }

  754. 

  755.     @Test

  756.     public void bug58630() throws Exception {

  757.         // test deletion of sheet 0 and signing

  758.         File tpl = copy(testdata.getFile("bug58630.xlsx"));

  759.         SXSSFWorkbook wb1 = new SXSSFWorkbook((XSSFWorkbook)WorkbookFactory.create(tpl), 10);

  760.         wb1.setCompressTempFiles(true);

  761.         wb1.removeSheetAt(0);

  762.         ByteArrayOutputStream os = new ByteArrayOutputStream();

  763.         wb1.write(os);

  764.         wb1.close();

  765.         OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()));

  766.         

  767.         initKeyPair("Test", "CN=Test");

  768.         SignatureConfig signatureConfig = new SignatureConfig();

  769.         signatureConfig.setKey(keyPair.getPrivate());

  770.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  771.         signatureConfig.setOpcPackage(pkg);

  772.         

  773.         SignatureInfo si = new SignatureInfo();

  774.         si.setSignatureConfig(signatureConfig);

  775.         si.confirmSignature();

  776.         assertTrue("invalid signature", si.verifySignature());

  777.         

  778.         pkg.close();

  779.     }

  780.     

  781.     @Test

  782.     public void testMultiSign() throws Exception {

  783.         cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  784.         cal.clear();

  785.         cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);

  786.         cal.set(2018, Calendar.DECEMBER, 14);

  787. 

  788.         // test signing with separate opened packages

  789.         File tpl = copy(testdata.getFile("hello-world-unsigned.xlsx"));

  790.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  791.             signPkg63011(pkg, "bug63011_key1.pem", true);

  792.         }

  793. 

  794.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  795.             signPkg63011(pkg, "bug63011_key2.pem", true);

  796.         }

  797. 

  798.         verifyPkg63011(tpl, true);

  799. 

  800.         // test signing with single opened package

  801.         tpl = copy(testdata.getFile("hello-world-unsigned.xlsx"));

  802.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  803.             signPkg63011(pkg, "bug63011_key1.pem", true);

  804.             signPkg63011(pkg, "bug63011_key2.pem", true);

  805.         }

  806. 

  807.         verifyPkg63011(tpl, true);

  808. 

  809.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  810.             signPkg63011(pkg, "bug63011_key1.pem", true);

  811.             signPkg63011(pkg, "bug63011_key2.pem", false);

  812.         }

  813. 

  814.         verifyPkg63011(tpl, false);

  815.     }

  816. 

  817.     private void verifyPkg63011(File tpl, boolean multi) throws InvalidFormatException, IOException {

  818.         try (OPCPackage pkg = OPCPackage.open(tpl, PackageAccess.READ)) {

  819.             SignatureConfig sic = new SignatureConfig();

  820.             sic.setOpcPackage(pkg);

  821.             SignatureInfo si = new SignatureInfo();

  822.             si.setSignatureConfig(sic);

  823.             List<X509Certificate> result = new ArrayList<>();

  824.             for (SignaturePart sp : si.getSignatureParts()) {

  825.                 if (sp.validate()) {

  826.                     result.add(sp.getSigner());

  827.                 }

  828.             }

  829. 

  830.             assertNotNull(result);

  831. 

  832.             if (multi) {

  833.                 assertEquals(2, result.size());

  834.                 assertEquals("CN=Muj Klic", result.get(0).getSubjectDN().toString());

  835.                 assertEquals("CN=My Second key", result.get(1).getSubjectDN().toString());

  836.             } else {

  837.                 assertEquals(1, result.size());

  838.                 assertEquals("CN=My Second key", result.get(0).getSubjectDN().toString());

  839.             }

  840. 

  841.             assertTrue(si.verifySignature());

  842.             pkg.revert();

  843.         }

  844.     }

  845. 

  846.     private void signPkg63011(OPCPackage pkg, String pemFile, boolean multi)

  847.     throws IOException, CertificateException, XMLSignatureException, MarshalException {

  848.         assertNotNull(pkg);

  849.         initKeyFromPEM(testdata.getFile(pemFile));

  850. 

  851.         SignatureConfig config = new SignatureConfig();

  852.         config.setKey(keyPair.getPrivate());

  853.         config.setSigningCertificateChain(Collections.singletonList(x509));

  854.         config.setExecutionTime(cal.getTime());

  855.         config.setAllowMultipleSignatures(multi);

  856.         config.setOpcPackage(pkg);

  857. 

  858.         SignatureInfo si = new SignatureInfo();

  859.         si.setSignatureConfig(config);

  860.         si.confirmSignature();

  861.     }

  862. 

  863.     @Test

  864.     public void testRetrieveCertificate() throws InvalidFormatException, IOException {

  865.         SignatureConfig sic = new SignatureConfig();

  866.         final File file = testdata.getFile("PPT2016withComment.pptx");

  867.         try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {

  868.             sic.setOpcPackage(pkg);

  869.             sic.setUpdateConfigOnValidate(true);

  870.             SignatureInfo si = new SignatureInfo();

  871.             si.setSignatureConfig(sic);

  872.             assertTrue(si.verifySignature());

  873.         }

  874. 

  875.         final List<X509Certificate> certs = sic.getSigningCertificateChain();

  876.         assertEquals(1, certs.size());

  877.         assertEquals("CN=Test", certs.get(0).getSubjectDN().getName());

  878.         assertEquals("SuperDuper-Reviewer", sic.getXadesRole());

  879.         assertEquals("Purpose for signing", sic.getSignatureDescription());

  880.         assertEquals("2018-06-10T09:00:54Z", sic.formatExecutionTime());

  881.         assertEquals(CanonicalizationMethod.INCLUSIVE, sic.getCanonicalizationMethod());

  882.     }

  883. 

  884.     private SignatureConfig prepareConfig(String alias, String signerDn, String pfxInput) throws Exception {

  885.         initKeyPair(alias, signerDn, pfxInput);

  886. 

  887.         SignatureConfig signatureConfig = new SignatureConfig();

  888.         signatureConfig.setKey(keyPair.getPrivate());

  889.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  890.         signatureConfig.setExecutionTime(cal.getTime());

  891.         signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  892. 

  893.         return signatureConfig;

  894.     }

  895.     

  896.     private void sign(OPCPackage pkgCopy, String alias, String signerDn, int signerCount) throws Exception {

  897.         SignatureConfig signatureConfig = prepareConfig(alias, signerDn, null);

  898.         signatureConfig.setOpcPackage(pkgCopy);

  899.         

  900.         SignatureInfo si = new SignatureInfo();

  901.         si.setSignatureConfig(signatureConfig);

  902. 

  903.         final Document document = DocumentHelper.createDocument();

  904.         final DOMSignContext xmlSignContext = si.createXMLSignContext(document);

  905. 

  906.         // operate

  907.         final DOMSignedInfo signedInfo = si.preSign(xmlSignContext);

  908. 

  909.         // verify

  910.         assertNotNull(signedInfo);

  911.         assertEquals("Office OpenXML Document", signatureConfig.getSignatureDescription());

  912. 

  913.         // setup: key material, signature value

  914.         final String signatureValue = si.signDigest(xmlSignContext, signedInfo);

  915.         

  916.         // operate: postSign

  917.         si.postSign(xmlSignContext, signatureValue);

  918. 

  919.         // verify: signature

  920.         si.getSignatureConfig().setOpcPackage(pkgCopy);

  921.         List<X509Certificate> result = new ArrayList<>();

  922.         for (SignaturePart sp : si.getSignatureParts()) {

  923.             if (sp.validate()) {

  924.                 result.add(sp.getSigner());

  925.             }

  926.         }

  927.         assertEquals(signerCount, result.size());

  928.     }

  929. 

  930.     private void initKeyPair(String alias, String subjectDN) throws Exception {

  931.         initKeyPair(alias, subjectDN, null);

  932.     }

  933.     

  934.     private void initKeyPair(String alias, String subjectDN, String pfxInput) throws Exception {

  935.         final char password[] = "test".toCharArray();

  936.         File file = new File("build/test.pfx");

  937. 

  938.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  939. 

  940.         if (pfxInput != null) {

  941.             InputStream fis = new ByteArrayInputStream(RawDataUtil.decompress(pfxInput));

  942.             keystore.load(fis, password);

  943.             fis.close();

  944.         } else if (file.exists()) { 

  945.             InputStream fis = new FileInputStream(file);

  946.             keystore.load(fis, password);

  947.             fis.close();

  948.         } else {

  949.             keystore.load(null, password);

  950.         }

  951. 

  952.         if (keystore.isKeyEntry(alias)) {

  953.             Key key = keystore.getKey(alias, password);

  954.             x509 = (X509Certificate)keystore.getCertificate(alias);

  955.             keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  956.         } else {

  957.             keyPair = generateKeyPair();

  958.             Date notBefore = cal.getTime();

  959.             Calendar cal2 = (Calendar)cal.clone();

  960.             cal2.add(Calendar.YEAR, 1);

  961.             Date notAfter = cal2.getTime();

  962.             KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);

  963.             

  964.             x509 = generateCertificate(keyPair.getPublic(), subjectDN

  965.                 , notBefore, notAfter, null, keyPair.getPrivate(), true, 0, null, null, keyUsage);

  966. 

  967.             keystore.setKeyEntry(alias, keyPair.getPrivate(), password, new Certificate[]{x509});

  968.             

  969.             if (pfxInput == null) {

  970.                 FileOutputStream fos = new FileOutputStream(file);

  971.                 keystore.store(fos, password);

  972.                 fos.close();

  973.             }

  974.         }

  975.     }

  976. 

  977.     private void initKeyFromPEM(File pemFile) throws IOException, CertificateException {

  978.         // see https://stackoverflow.com/questions/11787571/how-to-read-pem-file-to-get-private-and-public-key

  979.         PrivateKey key = null;

  980.         x509 = null;

  981. 

  982.         try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(pemFile), StandardCharsets.ISO_8859_1))) {

  983.             PEMParser parser = new PEMParser(br);

  984.             for (Object obj; (obj = parser.readObject()) != null; ) {

  985.                 if (obj instanceof PrivateKeyInfo) {

  986.                     key = new JcaPEMKeyConverter().setProvider("BC").getPrivateKey((PrivateKeyInfo)obj);

  987.                 } else if (obj instanceof X509CertificateHolder) {

  988.                     x509 = new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder)obj);

  989.                 }

  990.             }

  991.         }

  992. 

  993.         if (key != null && x509 != null) {

  994.             keyPair = new KeyPair(x509.getPublicKey(), key);

  995.         }

  996.     }

  997. 

  998.     private static File copy(File input) throws IOException {

  999.         String extension = input.getName().replaceAll(".*?(\\.[^.]+)?$", "$1");

  1000.         if (extension == null || extension.isEmpty()) {

  1001.             extension = ".zip";

  1002.         }

  1003. 

  1004.         // ensure that we create the "build" directory as it might not be existing

  1005.         // in the Sonar Maven runs where we are at a different source directory

  1006.         File buildDir = new File("build");

  1007.         if(!buildDir.exists()) {

  1008.             assertTrue("Failed to create " + buildDir.getAbsolutePath(), buildDir.mkdirs());

  1009.         }

  1010.         File tmpFile = new File(buildDir, "sigtest"+extension);

  1011. 

  1012.         try (OutputStream fos = new FileOutputStream(tmpFile)) {

  1013.             try (InputStream fis = new FileInputStream(input)) {

  1014.                 IOUtils.copy(fis, fos);

  1015.             }

  1016.         }

  1017. 

  1018.         return tmpFile;

  1019.     }

  1020. 

  1021.     private static KeyPair generateKeyPair() throws Exception {

  1022.         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");

  1023.         SecureRandom random = new SecureRandom();

  1024.         keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,

  1025.                 RSAKeyGenParameterSpec.F4), random);

  1026.         return keyPairGenerator.generateKeyPair();

  1027.     }

  1028. 

  1029.     private static X509Certificate generateCertificate(PublicKey subjectPublicKey,

  1030.                                                String subjectDn, Date notBefore, Date notAfter,

  1031.                                                X509Certificate issuerCertificate, PrivateKey issuerPrivateKey,

  1032.                                                boolean caFlag, int pathLength, String crlUri, String ocspUri,

  1033.                                                KeyUsage keyUsage)

  1034.             throws IOException, OperatorCreationException, CertificateException

  1035.     {

  1036.         String signatureAlgorithm = "SHA1withRSA";

  1037.         X500Name issuerName;

  1038.         if (issuerCertificate != null) {

  1039.             issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer();

  1040.         } else {

  1041.             issuerName = new X500Name(subjectDn);

  1042.         }

  1043. 

  1044.         RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;

  1045.         RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());

  1046. 

  1047.         SubjectPublicKeyInfo subjectPublicKeyInfo =

  1048.                 SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);

  1049. 

  1050.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  1051.                 .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  1052. 

  1053.         X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(

  1054.                 issuerName

  1055.                 , new BigInteger(128, new SecureRandom())

  1056.                 , notBefore

  1057.                 , notAfter

  1058.                 , new X500Name(subjectDn)

  1059.                 , subjectPublicKeyInfo

  1060.         );

  1061. 

  1062.         X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);

  1063.         SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);

  1064.         AuthorityKeyIdentifier autKeyId = (issuerCertificate != null)

  1065.                 ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded()))

  1066.                 : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);

  1067. 

  1068.         certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);

  1069.         certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);

  1070. 

  1071.         if (caFlag) {

  1072.             BasicConstraints bc;

  1073. 

  1074.             if (-1 == pathLength) {

  1075.                 bc = new BasicConstraints(true);

  1076.             } else {

  1077.                 bc = new BasicConstraints(pathLength);

  1078.             }

  1079.             certificateGenerator.addExtension(Extension.basicConstraints, false, bc);

  1080.         }

  1081. 

  1082.         if (null != crlUri) {

  1083.             int uri = GeneralName.uniformResourceIdentifier;

  1084.             DERIA5String crlUriDer = new DERIA5String(crlUri);

  1085.             GeneralName gn = new GeneralName(uri, crlUriDer);

  1086. 

  1087.             DERSequence gnDer = new DERSequence(gn);

  1088.             GeneralNames gns = GeneralNames.getInstance(gnDer);

  1089. 

  1090.             DistributionPointName dpn = new DistributionPointName(0, gns);

  1091.             DistributionPoint distp = new DistributionPoint(dpn, null, null);

  1092.             DERSequence distpDer = new DERSequence(distp);

  1093.             certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer);

  1094.         }

  1095. 

  1096.         if (null != ocspUri) {

  1097.             int uri = GeneralName.uniformResourceIdentifier;

  1098.             GeneralName ocspName = new GeneralName(uri, ocspUri);

  1099. 

  1100.             AuthorityInformationAccess authorityInformationAccess =

  1101.                     new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, ocspName);

  1102. 

  1103.             certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess);

  1104.         }

  1105. 

  1106.         if (null != keyUsage) {

  1107.             certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);

  1108.         }

  1109. 

  1110.         JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);

  1111.         signerBuilder.setProvider("BC");

  1112. 

  1113.         X509CertificateHolder certHolder =

  1114.                 certificateGenerator.build(signerBuilder.build(issuerPrivateKey));

  1115. 

  1116.         /*

  1117.          * Next certificate factory trick is needed to make sure that the

  1118.          * certificate delivered to the caller is provided by the default

  1119.          * security provider instead of BouncyCastle. If we don't do this trick

  1120.          * we might run into trouble when trying to use the CertPath validator.

  1121.          */

  1122. //        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

  1123. //        certificate = (X509Certificate) certificateFactory

  1124. //                .generateCertificate(new ByteArrayInputStream(certificate

  1125. //                        .getEncoded()));

  1126.         return new JcaX509CertificateConverter().getCertificate(certHolder);

  1127.     }

  1128. 

  1129.     private static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)

  1130.             throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {

  1131. 

  1132.         X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());

  1133.         X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());

  1134.         crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));

  1135.         JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

  1136. 

  1137.         CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

  1138. 

  1139.         crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

  1140.         X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));

  1141.         return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);

  1142.     }

  1143. 

  1144.     private static OCSPResp createOcspResp(X509Certificate certificate,

  1145.                                           boolean revoked, X509Certificate issuerCertificate,

  1146.                                           X509Certificate ocspResponderCertificate,

  1147.                                           PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,

  1148.                                           long nonceTimeinMillis)

  1149.             throws Exception {

  1150.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  1151.                 .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  1152.         X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());

  1153.         CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

  1154. 

  1155.         // request

  1156.         //create a nonce to avoid replay attack

  1157.         BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);

  1158.         DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());

  1159.         Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);

  1160.         Extensions exts = new Extensions(ext);

  1161. 

  1162.         OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();

  1163.         ocspReqBuilder.addRequest(certId);

  1164.         ocspReqBuilder.setRequestExtensions(exts);

  1165.         OCSPReq ocspReq = ocspReqBuilder.build();

  1166. 

  1167. 

  1168.         SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo

  1169.                 (CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());

  1170. 

  1171.         BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);

  1172.         basicOCSPRespBuilder.setResponseExtensions(exts);

  1173. 

  1174.         // request processing

  1175.         Req[] requestList = ocspReq.getRequestList();

  1176.         for (Req ocspRequest : requestList) {

  1177.             CertificateID certificateID = ocspRequest.getCertID();

  1178.             CertificateStatus certificateStatus = CertificateStatus.GOOD;

  1179.             if (revoked) {

  1180.                 certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);

  1181.             }

  1182.             basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);

  1183.         }

  1184. 

  1185.         // basic response generation

  1186.         X509CertificateHolder[] chain = null;

  1187.         if (!ocspResponderCertificate.equals(issuerCertificate)) {

  1188.             // TODO: HorribleProxy can't convert array input params yet

  1189.             chain = new X509CertificateHolder[] {

  1190.                     new X509CertificateHolder(ocspResponderCertificate.getEncoded()),

  1191.                     issuerHolder

  1192.             };

  1193.         }

  1194. 

  1195.         ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA")

  1196.                 .setProvider("BC").build(ocspResponderPrivateKey);

  1197.         BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

  1198. 

  1199. 

  1200.         OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();

  1201. 

  1202.         return ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

  1203.     }

  1204. }