mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10422 Commits
24 Branches
Tree: 2a292cb42d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2a292cb42d'
${ noResults }
poi/src/ooxml/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLSignatureFacet.java

XAdESXLSignatureFacet.java 18KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */

  24. 

  25. package org.apache.poi.poifs.crypt.dsig.facets;

  26. 

  27. import static org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;

  28. import static org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet.insertXChild;

  29. 

  30. import java.io.ByteArrayInputStream;

  31. import java.io.ByteArrayOutputStream;

  32. import java.io.IOException;

  33. import java.math.BigInteger;

  34. import java.security.cert.CRLException;

  35. import java.security.cert.CertificateEncodingException;

  36. import java.security.cert.CertificateException;

  37. import java.security.cert.CertificateFactory;

  38. import java.security.cert.X509CRL;

  39. import java.security.cert.X509Certificate;

  40. import java.util.ArrayList;

  41. import java.util.Calendar;

  42. import java.util.Collections;

  43. import java.util.List;

  44. import java.util.Locale;

  45. import java.util.TimeZone;

  46. import java.util.UUID;

  47. 

  48. import javax.xml.crypto.MarshalException;

  49. 

  50. import org.apache.poi.poifs.crypt.dsig.SignatureConfig;

  51. import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

  52. import org.apache.poi.poifs.crypt.dsig.services.RevocationData;

  53. import org.apache.poi.util.IOUtils;

  54. import org.apache.poi.util.POILogFactory;

  55. import org.apache.poi.util.POILogger;

  56. import org.apache.xml.security.c14n.Canonicalizer;

  57. import org.apache.xmlbeans.XmlException;

  58. import org.bouncycastle.asn1.ASN1InputStream;

  59. import org.bouncycastle.asn1.ASN1Integer;

  60. import org.bouncycastle.asn1.ASN1OctetString;

  61. import org.bouncycastle.asn1.DERTaggedObject;

  62. import org.bouncycastle.asn1.ocsp.ResponderID;

  63. import org.bouncycastle.asn1.x500.X500Name;

  64. import org.bouncycastle.asn1.x509.Extension;

  65. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  66. import org.bouncycastle.cert.ocsp.OCSPResp;

  67. import org.bouncycastle.cert.ocsp.RespID;

  68. import org.etsi.uri.x01903.v13.*;

  69. import org.etsi.uri.x01903.v14.ValidationDataType;

  70. import org.w3.x2000.x09.xmldsig.CanonicalizationMethodType;

  71. import org.w3c.dom.Document;

  72. import org.w3c.dom.Node;

  73. import org.w3c.dom.NodeList;

  74. 

  75. /**

  76.  * XAdES-X-L v1.4.1 signature facet. This signature facet implementation will

  77.  * upgrade a given XAdES-BES/EPES signature to XAdES-X-L.

  78.  *

  79.  * We don't inherit from XAdESSignatureFacet as we also want to be able to use

  80.  * this facet out of the context of a signature creation. This signature facet

  81.  * assumes that the signature is already XAdES-BES/EPES compliant.

  82.  *

  83.  * This implementation has been tested against an implementation that

  84.  * participated multiple ETSI XAdES plugtests.

  85.  *

  86.  * @author Frank Cornelis

  87.  * @see XAdESSignatureFacet

  88.  */

  89. public class XAdESXLSignatureFacet implements SignatureFacet {

  90. 

  91.     private static final POILogger LOG = POILogFactory.getLogger(XAdESXLSignatureFacet.class);

  92. 

  93.     private final CertificateFactory certificateFactory;

  94. 

  95.     public XAdESXLSignatureFacet() {

  96.         try {

  97.             this.certificateFactory = CertificateFactory.getInstance("X.509");

  98.         } catch (CertificateException e) {

  99.             throw new RuntimeException("X509 JCA error: " + e.getMessage(), e);

  100.         }

  101.     }

  102. 

  103.     @Override

  104.     public void postSign(SignatureInfo signatureInfo, Document document) throws MarshalException {

  105.         LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase");

  106. 

  107.         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();

  108. 

  109.         QualifyingPropertiesDocument qualDoc = null;

  110.         QualifyingPropertiesType qualProps = null;

  111. 

  112.         // check for XAdES-BES

  113.         NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");

  114.         if (qualNl.getLength() == 1) {

  115.             try {

  116.                 qualDoc = QualifyingPropertiesDocument.Factory.parse(qualNl.item(0), DEFAULT_XML_OPTIONS);

  117.             } catch (XmlException e) {

  118.                 throw new MarshalException(e);

  119.             }

  120.             qualProps = qualDoc.getQualifyingProperties();

  121.         } else {

  122.             throw new MarshalException("no XAdES-BES extension present");

  123.         }

  124. 

  125.         // create basic XML container structure

  126.         UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties();

  127.         if (unsignedProps == null) {

  128.             unsignedProps = qualProps.addNewUnsignedProperties();

  129.         }

  130.         UnsignedSignaturePropertiesType unsignedSigProps = unsignedProps.getUnsignedSignatureProperties();

  131.         if (unsignedSigProps == null) {

  132.             unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties();

  133.         }

  134. 

  135. 

  136.         // create the XAdES-T time-stamp

  137.         NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");

  138.         if (nlSigVal.getLength() != 1) {

  139.             throw new IllegalArgumentException("SignatureValue is not set.");

  140.         }

  141. 

  142.         RevocationData tsaRevocationDataXadesT = new RevocationData();

  143.         LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp");

  144.         XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp

  145.             (signatureInfo, Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT);

  146. 

  147.         // marshal the XAdES-T extension

  148.         unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);

  149. 

  150.         // xadesv141::TimeStampValidationData

  151.         if (tsaRevocationDataXadesT.hasRevocationDataEntries()) {

  152.             ValidationDataType validationData = createValidationData(tsaRevocationDataXadesT);

  153.             insertXChild(unsignedSigProps, validationData);

  154.         }

  155. 

  156.         if (signatureConfig.getRevocationDataService() == null) {

  157.             /*

  158.              * Without revocation data service we cannot construct the XAdES-C

  159.              * extension.

  160.              */

  161.             return;

  162.         }

  163. 

  164.         // XAdES-C: complete certificate refs

  165.         CompleteCertificateRefsType completeCertificateRefs =

  166.             unsignedSigProps.addNewCompleteCertificateRefs();

  167. 

  168.         CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();

  169.         /*

  170.          * We skip the signing certificate itself according to section

  171.          * 4.4.3.2 of the XAdES 1.4.1 specification.

  172.          */

  173.         List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain();

  174.         int chainSize = certChain.size();

  175.         if (chainSize > 1) {

  176.             for (X509Certificate cert : certChain.subList(1, chainSize)) {

  177.                 CertIDType certId = certIdList.addNewCert();

  178.                 XAdESSignatureFacet.setCertID(certId, signatureConfig, false, cert);

  179.             }

  180.         }

  181. 

  182.         // XAdES-C: complete revocation refs

  183.         CompleteRevocationRefsType completeRevocationRefs =

  184.             unsignedSigProps.addNewCompleteRevocationRefs();

  185.         RevocationData revocationData = signatureConfig.getRevocationDataService()

  186.             .getRevocationData(certChain);

  187.         if (revocationData.hasCRLs()) {

  188.             CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs();

  189.             completeRevocationRefs.setCRLRefs(crlRefs);

  190. 

  191.             for (byte[] encodedCrl : revocationData.getCRLs()) {

  192.                 CRLRefType crlRef = crlRefs.addNewCRLRef();

  193.                 X509CRL crl;

  194.                 try {

  195.                     crl = (X509CRL) this.certificateFactory

  196.                             .generateCRL(new ByteArrayInputStream(encodedCrl));

  197.                 } catch (CRLException e) {

  198.                     throw new RuntimeException("CRL parse error: "

  199.                             + e.getMessage(), e);

  200.                 }

  201. 

  202.                 CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier();

  203.                 String issuerName = crl.getIssuerDN().getName().replace(",", ", ");

  204.                 crlIdentifier.setIssuer(issuerName);

  205.                 Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);

  206.                 cal.setTime(crl.getThisUpdate());

  207.                 crlIdentifier.setIssueTime(cal);

  208.                 crlIdentifier.setNumber(getCrlNumber(crl));

  209. 

  210.                 DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue();

  211.                 XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo());

  212.             }

  213.         }

  214.         if (revocationData.hasOCSPs()) {

  215.             OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs();

  216.             for (byte[] ocsp : revocationData.getOCSPs()) {

  217.                 try {

  218.                     OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();

  219. 

  220.                     DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();

  221.                     XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());

  222. 

  223.                     OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();

  224. 

  225.                     OCSPResp ocspResp = new OCSPResp(ocsp);

  226. 

  227.                     BasicOCSPResp basicOcspResp = (BasicOCSPResp)ocspResp.getResponseObject();

  228. 

  229.                     Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);

  230.                     cal.setTime(basicOcspResp.getProducedAt());

  231.                     ocspIdentifier.setProducedAt(cal);

  232. 

  233.                     ResponderIDType responderId = ocspIdentifier.addNewResponderID();

  234. 

  235.                     RespID respId = basicOcspResp.getResponderId();

  236.                     ResponderID ocspResponderId = respId.toASN1Primitive();

  237.                     DERTaggedObject derTaggedObject = (DERTaggedObject)ocspResponderId.toASN1Primitive();

  238.                     if (2 == derTaggedObject.getTagNo()) {

  239.                         ASN1OctetString keyHashOctetString = (ASN1OctetString)derTaggedObject.getObject();

  240.                         byte[] key = keyHashOctetString.getOctets();

  241.                         responderId.setByKey(key);

  242.                     } else {

  243.                         X500Name name = X500Name.getInstance(derTaggedObject.getObject());

  244.                         String nameStr = name.toString();

  245.                         responderId.setByName(nameStr);

  246.                     }

  247.                 } catch (Exception e) {

  248.                     throw new RuntimeException("OCSP decoding error: " + e.getMessage(), e);

  249.                 }

  250.             }

  251.         }

  252. 

  253.         // marshal XAdES-C

  254. 

  255.         // XAdES-X Type 1 timestamp

  256.         List<Node> timeStampNodesXadesX1 = new ArrayList<>();

  257.         timeStampNodesXadesX1.add(nlSigVal.item(0));

  258.         timeStampNodesXadesX1.add(signatureTimeStamp.getDomNode());

  259.         timeStampNodesXadesX1.add(completeCertificateRefs.getDomNode());

  260.         timeStampNodesXadesX1.add(completeRevocationRefs.getDomNode());

  261. 

  262.         RevocationData tsaRevocationDataXadesX1 = new RevocationData();

  263.         LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp");

  264.         XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp

  265.             (signatureInfo, timeStampNodesXadesX1, tsaRevocationDataXadesX1);

  266.         if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) {

  267.             ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1);

  268.             insertXChild(unsignedSigProps, timeStampXadesX1ValidationData);

  269.         }

  270. 

  271.         // marshal XAdES-X

  272.         unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1);

  273. 

  274.         // XAdES-X-L

  275.         CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues();

  276.         for (X509Certificate certificate : certChain) {

  277.             EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate();

  278.             try {

  279.                 encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded());

  280.             } catch (CertificateEncodingException e) {

  281.                 throw new RuntimeException("certificate encoding error: " + e.getMessage(), e);

  282.             }

  283.         }

  284. 

  285.         RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();

  286.         createRevocationValues(revocationValues, revocationData);

  287. 

  288.         // marshal XAdES-X-L

  289.         Node n = document.importNode(qualProps.getDomNode(), true);

  290.         qualNl.item(0).getParentNode().replaceChild(n, qualNl.item(0));

  291.     }

  292. 

  293.     public static byte[] getC14nValue(List<Node> nodeList, String c14nAlgoId) {

  294.         ByteArrayOutputStream c14nValue = new ByteArrayOutputStream();

  295.         try {

  296.             for (Node node : nodeList) {

  297.                 /*

  298.                  * Re-initialize the c14n else the namespaces will get cached

  299.                  * and will be missing from the c14n resulting nodes.

  300.                  */

  301.                 Canonicalizer c14n = Canonicalizer.getInstance(c14nAlgoId);

  302.                 c14n.canonicalizeSubtree(node, c14nValue);

  303.             }

  304.         } catch (RuntimeException e) {

  305.             throw e;

  306.         } catch (Exception e) {

  307.             throw new RuntimeException("c14n error: " + e.getMessage(), e);

  308.         }

  309.         return c14nValue.toByteArray();

  310.     }

  311. 

  312.     private BigInteger getCrlNumber(X509CRL crl) {

  313.         byte[] crlNumberExtensionValue = crl.getExtensionValue(Extension.cRLNumber.getId());

  314.         if (null == crlNumberExtensionValue) {

  315.             return null;

  316.         }

  317. 

  318.         try {

  319.             ASN1InputStream asn1IS1 = null, asn1IS2 = null;

  320.             try {

  321.                 asn1IS1 = new ASN1InputStream(crlNumberExtensionValue);

  322.                 ASN1OctetString octetString = (ASN1OctetString)asn1IS1.readObject();

  323.                 byte[] octets = octetString.getOctets();

  324.                 asn1IS2 = new ASN1InputStream(octets);

  325.                 ASN1Integer integer = (ASN1Integer)asn1IS2.readObject();

  326.                 return integer.getPositiveValue();

  327.             } finally {

  328.                 IOUtils.closeQuietly(asn1IS2);

  329.                 IOUtils.closeQuietly(asn1IS1);

  330.             }

  331.         } catch (IOException e) {

  332.             throw new RuntimeException("I/O error: " + e.getMessage(), e);

  333.         }

  334.     }

  335. 

  336.     private XAdESTimeStampType createXAdESTimeStamp(

  337.             SignatureInfo signatureInfo,

  338.             List<Node> nodeList,

  339.             RevocationData revocationData) {

  340.         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();

  341.         byte[] c14nSignatureValueElement = getC14nValue(nodeList, signatureConfig.getXadesCanonicalizationMethod());

  342. 

  343.         return createXAdESTimeStamp(signatureInfo, c14nSignatureValueElement, revocationData);

  344.     }

  345. 

  346.     private XAdESTimeStampType createXAdESTimeStamp(SignatureInfo signatureInfo, byte[] data, RevocationData revocationData) {

  347.         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();

  348.         // create the time-stamp

  349.         byte[] timeStampToken;

  350.         try {

  351.             timeStampToken = signatureConfig.getTspService().timeStamp(signatureInfo, data, revocationData);

  352.         } catch (Exception e) {

  353.             throw new RuntimeException("error while creating a time-stamp: "

  354.                     + e.getMessage(), e);

  355.         }

  356. 

  357.         // create a XAdES time-stamp container

  358.         XAdESTimeStampType xadesTimeStamp = XAdESTimeStampType.Factory.newInstance();

  359.         xadesTimeStamp.setId("time-stamp-" + UUID.randomUUID());

  360.         CanonicalizationMethodType c14nMethod = xadesTimeStamp.addNewCanonicalizationMethod();

  361.         c14nMethod.setAlgorithm(signatureConfig.getXadesCanonicalizationMethod());

  362. 

  363.         // embed the time-stamp

  364.         EncapsulatedPKIDataType encapsulatedTimeStamp = xadesTimeStamp.addNewEncapsulatedTimeStamp();

  365.         encapsulatedTimeStamp.setByteArrayValue(timeStampToken);

  366.         encapsulatedTimeStamp.setId("time-stamp-token-" + UUID.randomUUID());

  367. 

  368.         return xadesTimeStamp;

  369.     }

  370. 

  371.     private ValidationDataType createValidationData(

  372.             RevocationData revocationData) {

  373.         ValidationDataType validationData = ValidationDataType.Factory.newInstance();

  374.         RevocationValuesType revocationValues = validationData.addNewRevocationValues();

  375.         createRevocationValues(revocationValues, revocationData);

  376.         return validationData;

  377.     }

  378. 

  379.     private void createRevocationValues(

  380.             RevocationValuesType revocationValues, RevocationData revocationData) {

  381.         if (revocationData.hasCRLs()) {

  382.             CRLValuesType crlValues = revocationValues.addNewCRLValues();

  383.             for (byte[] crl : revocationData.getCRLs()) {

  384.                 EncapsulatedPKIDataType encapsulatedCrlValue = crlValues.addNewEncapsulatedCRLValue();

  385.                 encapsulatedCrlValue.setByteArrayValue(crl);

  386.             }

  387.         }

  388.         if (revocationData.hasOCSPs()) {

  389.             OCSPValuesType ocspValues = revocationValues.addNewOCSPValues();

  390.             for (byte[] ocsp : revocationData.getOCSPs()) {

  391.                 EncapsulatedPKIDataType encapsulatedOcspValue = ocspValues.addNewEncapsulatedOCSPValue();

  392.                 encapsulatedOcspValue.setByteArrayValue(ocsp);

  393.             }

  394.         }

  395.     }

  396. }