mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10802 Commits
24 Branches
Tree: 329ae952d2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '329ae952d2'
${ noResults }
poi/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/TestSignatureInfo.java

TestSignatureInfo.java 55KB
Raw Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */

  24. package org.apache.poi.poifs.crypt.dsig;

  25. 

  26. import static org.junit.jupiter.api.Assertions.assertEquals;

  27. import static org.junit.jupiter.api.Assertions.assertFalse;

  28. import static org.junit.jupiter.api.Assertions.assertNotNull;

  29. import static org.junit.jupiter.api.Assertions.assertTrue;

  30. import static org.junit.jupiter.api.Assumptions.assumeFalse;

  31. import static org.junit.jupiter.api.Assumptions.assumeTrue;

  32. 

  33. import java.io.BufferedReader;

  34. import java.io.ByteArrayInputStream;

  35. import java.io.ByteArrayOutputStream;

  36. import java.io.File;

  37. import java.io.FileInputStream;

  38. import java.io.FileOutputStream;

  39. import java.io.IOException;

  40. import java.io.InputStream;

  41. import java.io.InputStreamReader;

  42. import java.io.OutputStream;

  43. import java.math.BigInteger;

  44. import java.net.ConnectException;

  45. import java.net.HttpURLConnection;

  46. import java.net.MalformedURLException;

  47. import java.net.SocketTimeoutException;

  48. import java.net.URL;

  49. import java.nio.charset.StandardCharsets;

  50. import java.security.Key;

  51. import java.security.KeyPair;

  52. import java.security.KeyPairGenerator;

  53. import java.security.KeyStore;

  54. import java.security.PrivateKey;

  55. import java.security.PublicKey;

  56. import java.security.SecureRandom;

  57. import java.security.cert.CRLException;

  58. import java.security.cert.Certificate;

  59. import java.security.cert.CertificateEncodingException;

  60. import java.security.cert.CertificateException;

  61. import java.security.cert.X509CRL;

  62. import java.security.cert.X509Certificate;

  63. import java.security.interfaces.RSAPublicKey;

  64. import java.security.spec.RSAKeyGenParameterSpec;

  65. import java.util.ArrayList;

  66. import java.util.Arrays;

  67. import java.util.Calendar;

  68. import java.util.Collections;

  69. import java.util.Date;

  70. import java.util.Iterator;

  71. import java.util.List;

  72. import java.util.function.BiFunction;

  73. import java.util.function.Supplier;

  74. 

  75. import javax.xml.crypto.MarshalException;

  76. import javax.xml.crypto.dsig.CanonicalizationMethod;

  77. import javax.xml.crypto.dsig.XMLSignatureException;

  78. import javax.xml.crypto.dsig.dom.DOMSignContext;

  79. 

  80. import org.apache.jcp.xml.dsig.internal.dom.DOMSignedInfo;

  81. import org.apache.logging.log4j.LogManager;

  82. import org.apache.logging.log4j.Logger;

  83. import org.apache.poi.EncryptedDocumentException;

  84. import org.apache.poi.POIDataSamples;

  85. import org.apache.poi.POITestCase;

  86. import org.apache.poi.ooxml.POIXMLDocument;

  87. import org.apache.poi.ooxml.util.DocumentHelper;

  88. import org.apache.poi.openxml4j.exceptions.InvalidFormatException;

  89. import org.apache.poi.openxml4j.opc.OPCPackage;

  90. import org.apache.poi.openxml4j.opc.PackageAccess;

  91. import org.apache.poi.openxml4j.opc.PackageRelationshipTypes;

  92. import org.apache.poi.poifs.crypt.CryptoFunctions;

  93. import org.apache.poi.poifs.crypt.HashAlgorithm;

  94. import org.apache.poi.poifs.crypt.dsig.facets.EnvelopedSignatureFacet;

  95. import org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet;

  96. import org.apache.poi.poifs.crypt.dsig.facets.OOXMLSignatureFacet;

  97. import org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet;

  98. import org.apache.poi.poifs.crypt.dsig.facets.XAdESXLSignatureFacet;

  99. import org.apache.poi.poifs.crypt.dsig.services.RevocationData;

  100. import org.apache.poi.poifs.crypt.dsig.services.RevocationDataService;

  101. import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;

  102. import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;

  103. import org.apache.poi.poifs.storage.RawDataUtil;

  104. import org.apache.poi.ss.usermodel.WorkbookFactory;

  105. import org.apache.poi.util.IOUtils;

  106. import org.apache.poi.util.LocaleUtil;

  107. import org.apache.poi.util.TempFile;

  108. import org.apache.poi.xssf.streaming.SXSSFWorkbook;

  109. import org.apache.poi.xssf.usermodel.XSSFClientAnchor;

  110. import org.apache.poi.xssf.usermodel.XSSFSheet;

  111. import org.apache.poi.xssf.usermodel.XSSFSignatureLine;

  112. import org.apache.poi.xssf.usermodel.XSSFWorkbook;

  113. import org.apache.poi.xwpf.usermodel.XWPFDocument;

  114. import org.apache.poi.xwpf.usermodel.XWPFSignatureLine;

  115. import org.apache.xmlbeans.SystemProperties;

  116. import org.apache.xmlbeans.XmlException;

  117. import org.apache.xmlbeans.XmlObject;

  118. import org.bouncycastle.asn1.DEROctetString;

  119. import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

  120. import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;

  121. import org.bouncycastle.asn1.x500.X500Name;

  122. import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;

  123. import org.bouncycastle.asn1.x509.BasicConstraints;

  124. import org.bouncycastle.asn1.x509.CRLNumber;

  125. import org.bouncycastle.asn1.x509.Extension;

  126. import org.bouncycastle.asn1.x509.Extensions;

  127. import org.bouncycastle.asn1.x509.KeyUsage;

  128. import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;

  129. import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;

  130. import org.bouncycastle.cert.X509CRLHolder;

  131. import org.bouncycastle.cert.X509CertificateHolder;

  132. import org.bouncycastle.cert.X509ExtensionUtils;

  133. import org.bouncycastle.cert.X509v2CRLBuilder;

  134. import org.bouncycastle.cert.X509v3CertificateBuilder;

  135. import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;

  136. import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

  137. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  138. import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;

  139. import org.bouncycastle.cert.ocsp.CertificateID;

  140. import org.bouncycastle.cert.ocsp.CertificateStatus;

  141. import org.bouncycastle.cert.ocsp.OCSPReq;

  142. import org.bouncycastle.cert.ocsp.OCSPReqBuilder;

  143. import org.bouncycastle.cert.ocsp.OCSPResp;

  144. import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

  145. import org.bouncycastle.cert.ocsp.Req;

  146. import org.bouncycastle.crypto.params.RSAKeyParameters;

  147. import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;

  148. import org.bouncycastle.openssl.PEMParser;

  149. import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

  150. import org.bouncycastle.operator.ContentSigner;

  151. import org.bouncycastle.operator.DigestCalculator;

  152. import org.bouncycastle.operator.OperatorCreationException;

  153. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  154. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  155. import org.etsi.uri.x01903.v13.DigestAlgAndValueType;

  156. import org.etsi.uri.x01903.v13.QualifyingPropertiesType;

  157. import org.junit.jupiter.api.AfterAll;

  158. import org.junit.jupiter.api.BeforeAll;

  159. import org.junit.jupiter.api.Disabled;

  160. import org.junit.jupiter.api.Test;

  161. import org.w3.x2000.x09.xmldsig.ReferenceType;

  162. import org.w3.x2000.x09.xmldsig.SignatureDocument;

  163. import org.w3c.dom.Document;

  164. 

  165. class TestSignatureInfo {

  166.     private static final Logger LOG = LogManager.getLogger(TestSignatureInfo.class);

  167.     private static final POIDataSamples testdata = POIDataSamples.getXmlDSignInstance();

  168. 

  169.     private static Calendar cal;

  170.     private KeyPair keyPair;

  171.     private X509Certificate x509;

  172. 

  173. 	@BeforeAll

  174. 	public static void setUpClass() {

  175. 		POITestCase.setImageIOCacheDir();

  176. 	}

  177. 

  178. 	@AfterAll

  179.     public static void removeUserLocale() {

  180.         LocaleUtil.resetUserLocale();

  181.     }

  182. 

  183.     @BeforeAll

  184.     public static void initBouncy() {

  185.         CryptoFunctions.registerBouncyCastle();

  186. 

  187.         // Set cal to now ... only set to fixed date for debugging ...

  188.         LocaleUtil.resetUserLocale();

  189.         LocaleUtil.resetUserTimeZone();

  190. 

  191.         cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  192.         assertNotNull(cal);

  193. 

  194.         // don't run this test when we are using older Xerces as it triggers an XML Parser backwards compatibility issue

  195.         // in the xmlsec jar file

  196.         String additionalJar = System.getProperty("additionaljar");

  197.         //System.out.println("Having: " + additionalJar);

  198.         assumeTrue(additionalJar == null || additionalJar.trim().length() == 0,

  199.             "Not running TestSignatureInfo because we are testing with additionaljar set to " + additionalJar);

  200. 

  201.         System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");

  202. 

  203.         // Set line.separator for bug61182

  204.         // System.setProperty("line.separator", "\n");

  205.     }

  206. 

  207.     @Disabled("This test is very sensitive, it breaks with every little change to the produced XML")

  208.     @Test

  209.     void bug61182() throws Exception {

  210.         final String pfxInput =

  211.                 "H4sIAAAAAAAAAFXTfzzTeRwH8P2uGRmG6hKSmJh9a2HsuPy60VnHCEU6v86sieZH2Jr2qFl+s+ZHJ5tfUcfKb4uho/OjiFq1qTv5ceFyp0PqEK"+

  212.                         "fH4+66++Pz+Dwer9fj8f7r9cRzEd4QMBTPRWxDIM14ZN47NfAWsJgL34Bx4at4Lvwdngvd9b8KqgbjQpGbMXzzgRGovytVFTBEzIXU47kQCd4U"+

  213.                         "ofJPvHl8JwyTjRS55hbKoor3UJLDE1i/PcPKCBAIDATjQlKiK67XjVYdcnkZgD2txroiAUb8W9dtn57DvTsbM+3wIsdocXDEN7TdPKgaSl+tU1"+

  214.                         "xq9oqiB5yMaZCPho8uUEbFU9U6u3N7lEMLTJGeA0RfX+5FMRrpXPFrbrlJ8uNUCE2H247P28Ckyfqlsy32yeKg/HTbH5JpqUDNw2B32+SaiRw7"+

  215.                         "ofRMePUpaAoK7KYgmd5ZIc0rLLYjJBfOWCb28xlrGhbpJvdToFdqt5PXVjEz5YOJ6g7W0fskuKW9/iZP0yLEVpR9XkkHmb6tfpcE8YwCdWNCan"+

  216.                         "LvAsco25JdF1j2/FLAMVU79HdOex07main90dy40511OZtTGZ+TdVd3lKZ7D3clEg9hLESHwSNnZ6239X4yLM4xYSElQ/hqSbwdmiozYG9PhF2"+

  217.                         "Zf0XaZnxzTK0Iot+rJ3kYoxWTLE8DR9leV62Ywbtlg4mapYOxb3lT7fQ1x4EQ44flh2oFWSPLR8LMbsc6jzJsV6OZ3TrODjHEdw9W+8OD32vd8"+

  218.                         "XQ6iCaIHcrSOn6qS0TKLr786234eeSAhvAQbEsVn7vrvc/487Be/O2e/+5Y5zRq2zAtz6pfcNyraJNDqMW1inNkgJ3t3VESbZ3pNzyl3KHILs0"+

  219.                         "51dY6msDYSlWhw40TglXxj9rw95O6gFWIuN012W/vhS50jpKXcao4gc1aLaXtJXxirbRkpZ/0e7a0pD6TDa7+GxEdEEML3VGo9udD5YUKhU3y7"+

  220.                         "SzWAgN6WIEIglq7LilvCjqIVLIfg8CvVGL9f5iSsCDf5hef4vMxbyvcjINuy06gZu+iPYOWNxjfrwKGYzoqqotK2aywgYVrPMh0JovfkDuN95n"+

  221.                         "MdVlYHbN1Mnn4TxAwuv+u3AkBlDZvRUUCwoDMUGxeMNPhTaAgWl60xhhBgCBaEMgAACReMAav7n3x598IDYJ9GxGXRAwaPOT/kfO/1AgPqLQkp"+

  222.                         "MiIVaHthnUS4v2y32e2BjdMPyIImUTBW3cV3R5tjVQm0MOm+D2C5+bBW9vHLjLR4lun4toQiY3Ls/v4bES/OJ4EmpZk5xhL9i5ClofYZNEsxFn"+

  223.                         "An/q821Tg+Cq9Er4XYGQe8ogjjLJ2b7dUsJ3auFQFNUJF7Ke7yUL2EeYYxl6vz5l4q5u8704mRbFts1E1eWMp6WIy91GPrsVlRGvtuNERfrjfE"+

  224.                         "YtzUI3Flcv65zJUbUBEzUnTS0fEYso2XyToAl8kb251mUY2o2lJzv5dp/1htmcjeeP2MjxC+3S45ljx7jd52Pv9XAat+ryiauFOF7YgztkoWWD"+

  225.                         "h62tplPH1bzDV+d0NLdaE5AfVJ09HuUYTFS+iggtvT5Euyk+unj4N2XvzW91n+GNjtgWfKOHmkinUPvYRh70Jv+wlPJrVaT8mL7GxJLqDC9jbv"+

  226.                         "Gznoiae6es+wQejnk3XjU366MrK/zXxngBYj9J6NnXc9mMiTFLX8WqQ8iTelTAFs2NJzPoDzrBUz4JFIEOa6Dja6dULc68g1jFDTeEHZyra7RZ"+

  227.                         "2ElqGDEqcNRo3SNX6feMy9EF1GOyZK0Sa87KwjKw8aM68dpsIYjfLcTXaZ6atg0BKfMnl6axeUGEaIFSP7rzj9wjzumRbG3jgUVp2lX5AK/tsO"+

  228.                         "7R4TQX/9/H6RiN34c9KldmPZZGANXzzTajZS9mR2OSvlJ+F4AgSko4htrMAKFTBu51/5SWNsO1vlRaaG48ZRJ+8PzuHQMdvS36gNpRPi7jhF1S"+

  229.                         "H3B2ycI4y0VURv6SrqJNUY/X645ZFJQ+eBO+ptG7o8axf1dcqh2beiQk+GRTeZ37LVeUlaeo9vl1/+8tyBfyT2v5lFC5E19WdKIyCuZe7r99Px"+

  230.                         "D/Od4Qj0TA92+DQnbCQTCMy/wwse9O4gsEebkkpPIP5GBV3Q0YBsj75XE0uSFQ1tCZSW8bNa9MUJZ/nPBfExohHlgGAAA=";

  231. 

  232.         // Unix

  233.         final String unixSignExp =

  234.                 "QkqTFQZjXagjRAoOWKpAGa8AR0rKqkSfBtfSWqtjBmTgyjarn+t2POHkpySIpheHAbg+90GKSH88ACMtPHbG7q" +

  235.                         "FL4gtgAD9Kjew6j16j0IRBwy145UlPrSLFMfF7YF7UlU1k1LBkIlRJ6Fv4MAJl6XspuzZOZIUmHZrWrdxycUQ=";

  236. 

  237.         // Windows

  238.         final String winSignExp =

  239.                 "GmAlL7+bT1r3FsMHJOp3pKg8betblYieZTjhMIrPZPRBbSzjO7KsYRGNtr0aOE3qr8xzyYJN6/8QdF5X7pUEUc" +

  240.                         "2m8ctrm7s5o2vZTkAqk9ENJGDjBPXX7TnuVOiVeL1cJdtjHC2QpjtRwkFR+B54G6b1OXLOFuQpP3vqR3+/XXE=";

  241. 

  242.         // Mac

  243.         final String macSignExp =

  244.                 "NZedY/LNTYU4nAUEUhIOg5+fKdgVtzRXKmdD3v+47E7Mb84oeiUGv9cCEE91DU3StF/JFIhjOJqavOzKnCsNcz" +

  245.                         "NJ4j/inggUl1OJUsicqIGQnA7E8vzWnN1kf5lINgJLv+0PyrrX9sQZbItzxUpgqyOFYcD0trid+31nRt4wtaA=";

  246. 

  247. 

  248. 

  249.         Calendar cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  250.         cal.clear();

  251.         cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);

  252.         cal.set(2017, Calendar.JULY, 1);

  253. 

  254.         SignatureConfig signatureConfig = prepareConfig(pfxInput);

  255.         signatureConfig.setExecutionTime(cal.getTime());

  256. 

  257.         SignatureInfo si = new SignatureInfo();

  258.         si.setSignatureConfig(signatureConfig);

  259. 

  260.         ByteArrayOutputStream bos = new ByteArrayOutputStream(100000);

  261.         try (XSSFWorkbook wb1 = new XSSFWorkbook()) {

  262.             wb1.createSheet().createRow(1).createCell(1).setCellValue("Test");

  263.             wb1.write(bos);

  264.         }

  265. 

  266.         try (OPCPackage pkg1 = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {

  267.             si.setOpcPackage(pkg1);

  268.             si.confirmSignature();

  269.             assertTrue(si.verifySignature());

  270.             bos.reset();

  271.             pkg1.save(bos);

  272.         }

  273. 

  274.         try (XSSFWorkbook wb2 = new XSSFWorkbook(new ByteArrayInputStream(bos.toByteArray()))) {

  275.             assertEquals("Test", wb2.getSheetAt(0).getRow(1).getCell(1).getStringCellValue());

  276.             OPCPackage pkg2 = wb2.getPackage();

  277.             si.setOpcPackage(pkg2);

  278.             assertTrue(si.verifySignature());

  279. 

  280.             // xmlbeans adds line-breaks depending on the system setting, so we get different

  281.             // test results on Unix/Mac/Windows

  282.             // if the xml documents eventually change, this test needs to be run with the

  283.             // separator set to the various system configurations

  284.             String sep = SystemProperties.getProperty("line.separator");

  285.             String signExp;

  286.             assumeTrue(sep == null || "\n".equals(sep) || "\r\n".equals(sep) || "\r".equals(sep), "Hashes only known for Windows/Unix/Mac");

  287.             signExp = (sep == null || "\n".equals(sep)) ? unixSignExp : ("\r\n".equals(sep)) ? winSignExp : macSignExp;

  288. 

  289.             String signAct = si.getSignatureParts().iterator().next().

  290.                     getSignatureDocument().getSignature().getSignatureValue().getStringValue();

  291.             assertEquals(signExp, signAct);

  292.         }

  293.     }

  294. 

  295.     @Test

  296.     void office2007prettyPrintedRels() throws Exception {

  297.         try (OPCPackage pkg = OPCPackage.open(testdata.getFile("office2007prettyPrintedRels.docx"), PackageAccess.READ)) {

  298.             SignatureConfig sic = new SignatureConfig();

  299.             SignatureInfo si = new SignatureInfo();

  300.             si.setOpcPackage(pkg);

  301.             si.setSignatureConfig(sic);

  302.             boolean isValid = si.verifySignature();

  303.             assertTrue(isValid);

  304.         }

  305.     }

  306. 

  307.     @Test

  308.     void getSignerUnsigned() throws Exception {

  309.         String[] testFiles = {

  310.                 "hello-world-unsigned.docx",

  311.                 "hello-world-unsigned.pptx",

  312.                 "hello-world-unsigned.xlsx",

  313.                 "hello-world-office-2010-technical-preview-unsigned.docx"

  314.         };

  315. 

  316.         for (String testFile : testFiles) {

  317.             List<X509Certificate> result = new ArrayList<>();

  318.             try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {

  319.                 SignatureConfig sic = new SignatureConfig();

  320.                 SignatureInfo si = new SignatureInfo();

  321.                 si.setOpcPackage(pkg);

  322.                 si.setSignatureConfig(sic);

  323.                 for (SignaturePart sp : si.getSignatureParts()) {

  324.                     if (sp.validate()) {

  325.                         result.add(sp.getSigner());

  326.                     }

  327.                 }

  328.                 pkg.revert();

  329.             }

  330.             assertNotNull(result);

  331.             assertTrue(result.isEmpty());

  332.         }

  333.     }

  334. 

  335.     @Test

  336.     void getSigner() throws Exception {

  337.         String[] testFiles = {

  338.                 "hyperlink-example-signed.docx",

  339.                 "hello-world-signed.docx",

  340.                 "hello-world-signed.pptx",

  341.                 "hello-world-signed.xlsx",

  342.                 "hello-world-office-2010-technical-preview.docx",

  343.                 "ms-office-2010-signed.docx",

  344.                 "ms-office-2010-signed.pptx",

  345.                 "ms-office-2010-signed.xlsx",

  346.                 "Office2010-SP1-XAdES-X-L.docx",

  347.                 "signed.docx"

  348.         };

  349. 

  350.         for (String testFile : testFiles) {

  351.             try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {

  352.                 SignatureConfig sic = new SignatureConfig();

  353.                 SignatureInfo si = new SignatureInfo();

  354.                 si.setOpcPackage(pkg);

  355.                 si.setSignatureConfig(sic);

  356.                 List<X509Certificate> result = new ArrayList<>();

  357.                 for (SignaturePart sp : si.getSignatureParts()) {

  358.                     if (sp.validate()) {

  359.                         result.add(sp.getSigner());

  360.                     }

  361.                 }

  362. 

  363.                 assertNotNull(result);

  364.                 assertEquals(1, result.size(), "test-file: " + testFile);

  365.                 X509Certificate signer = result.get(0);

  366.                 LOG.atDebug().log("signer: {}", signer.getSubjectX500Principal());

  367. 

  368.                 boolean b = si.verifySignature();

  369.                 assertTrue(b, "test-file: " + testFile);

  370.                 pkg.revert();

  371.             }

  372.         }

  373.     }

  374. 

  375.     @Test

  376.     void getMultiSigners() throws Exception {

  377.         String testFile = "hello-world-signed-twice.docx";

  378.         try (OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ)) {

  379.             SignatureConfig sic = new SignatureConfig();

  380.             SignatureInfo si = new SignatureInfo();

  381.             si.setOpcPackage(pkg);

  382.             si.setSignatureConfig(sic);

  383.             List<X509Certificate> result = new ArrayList<>();

  384.             for (SignaturePart sp : si.getSignatureParts()) {

  385.                 if (sp.validate()) {

  386.                     result.add(sp.getSigner());

  387.                 }

  388.             }

  389. 

  390.             assertNotNull(result);

  391.             assertEquals(2, result.size(), "test-file: " + testFile);

  392.             X509Certificate signer1 = result.get(0);

  393.             X509Certificate signer2 = result.get(1);

  394.             LOG.atDebug().log("signer 1: {}", signer1.getSubjectX500Principal());

  395.             LOG.atDebug().log("signer 2: {}", signer2.getSubjectX500Principal());

  396. 

  397.             boolean b = si.verifySignature();

  398.             assertTrue(b, "test-file: " + testFile);

  399.             pkg.revert();

  400.         }

  401.     }

  402. 

  403.     @Test

  404.     void testSignSpreadsheet() throws Exception {

  405.         String testFile = "hello-world-unsigned.xlsx";

  406.         try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {

  407.             sign(pkg);

  408.         }

  409.     }

  410. 

  411.     private static class CommitableWorkbook extends XSSFWorkbook {

  412.         CommitableWorkbook(OPCPackage pkg) throws IOException {

  413.             super(pkg);

  414.         }

  415.         public void commit() throws IOException {

  416.             super.commit();

  417.         }

  418.     }

  419. 

  420.     @Test

  421.     void testManipulation() throws Exception {

  422.         // sign & validate

  423.         String testFile = "hello-world-unsigned.xlsx";

  424.         try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {

  425.             sign(pkg);

  426. 

  427.             // manipulate

  428.             try (CommitableWorkbook wb = new CommitableWorkbook(pkg)) {

  429.                 wb.setSheetName(0, "manipulated");

  430.                 // ... I don't know, why commit is protected ...

  431.                 wb.commit();

  432. 

  433.                 // todo: test a manipulation on a package part, which is not signed

  434.                 // ... maybe in combination with #56164

  435. 

  436.                 // validate

  437.                 SignatureConfig sic = new SignatureConfig();

  438.                 SignatureInfo si = new SignatureInfo();

  439.                 si.setOpcPackage(pkg);

  440.                 si.setSignatureConfig(sic);

  441.                 boolean b = si.verifySignature();

  442.                 assertFalse(b, "signature should be broken");

  443.             }

  444.         }

  445.     }

  446. 

  447.     @Test

  448.     void testSignSpreadsheetWithSignatureInfo() throws Exception {

  449.         initKeyPair();

  450.         String testFile = "hello-world-unsigned.xlsx";

  451.         try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {

  452.             SignatureConfig sic = new SignatureConfig();

  453.             sic.setKey(keyPair.getPrivate());

  454.             sic.setSigningCertificateChain(Collections.singletonList(x509));

  455.             SignatureInfo si = new SignatureInfo();

  456.             si.setOpcPackage(pkg);

  457.             si.setSignatureConfig(sic);

  458.             // hash > sha1 doesn't work in excel viewer ...

  459.             si.confirmSignature();

  460.             List<X509Certificate> result = new ArrayList<>();

  461.             for (SignaturePart sp : si.getSignatureParts()) {

  462.                 if (sp.validate()) {

  463.                     result.add(sp.getSigner());

  464.                 }

  465.             }

  466.             assertEquals(1, result.size());

  467.         }

  468.     }

  469. 

  470.     @Test

  471.     void testSignEnvelopingDocument() throws Exception {

  472.         String testFile = "hello-world-unsigned.xlsx";

  473.         File sigCopy = testdata.getFile(testFile);

  474.         ByteArrayOutputStream bos = new ByteArrayOutputStream(50000);

  475. 

  476.         final String execTimestr;

  477. 

  478. 

  479.         try (OPCPackage pkg = OPCPackage.open(copy(sigCopy), PackageAccess.READ_WRITE)) {

  480. 

  481.             initKeyPair();

  482.             final X509CRL crl = generateCrl(x509, keyPair.getPrivate());

  483. 

  484.             // setup

  485.             SignatureConfig signatureConfig = new SignatureConfig();

  486.             signatureConfig.setKey(keyPair.getPrivate());

  487. 

  488.             /*

  489.              * We need at least 2 certificates for the XAdES-C complete certificate

  490.              * refs construction.

  491.              */

  492.             List<X509Certificate> certificateChain = new ArrayList<>();

  493.             certificateChain.add(x509);

  494.             certificateChain.add(x509);

  495.             signatureConfig.setSigningCertificateChain(certificateChain);

  496. 

  497.             signatureConfig.addSignatureFacet(new OOXMLSignatureFacet());

  498.             signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());

  499.             signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());

  500.             signatureConfig.addSignatureFacet(new XAdESSignatureFacet());

  501.             signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());

  502. 

  503.             // check for internet, no error means it works

  504.             boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);

  505. 

  506.             // http://timestamping.edelweb.fr/service/tsp

  507.             // http://tsa.belgium.be/connect

  508.             // http://timestamp.comodoca.com/authenticode

  509.             // http://timestamp.comodoca.com/rfc3161

  510.             // http://services.globaltrustfinder.com/adss/tsa

  511.             signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");

  512.             signatureConfig.setTspRequestPolicy(null); // comodoca request fails, if default policy is set ...

  513.             signatureConfig.setTspOldProtocol(false);

  514. 

  515.             signatureConfig.setXadesDigestAlgo(HashAlgorithm.sha512);

  516.             signatureConfig.setXadesRole("Xades Reviewer");

  517.             signatureConfig.setSignatureDescription("test xades signature");

  518. 

  519.             execTimestr = signatureConfig.formatExecutionTime();

  520. 

  521.             //set proxy info if any

  522.             String proxy = System.getProperty("http_proxy");

  523.             if (proxy != null && proxy.trim().length() > 0) {

  524.                 signatureConfig.setProxyUrl(proxy);

  525.             }

  526. 

  527.             if (mockTsp) {

  528.                 TimeStampService tspService = (signatureInfo, data, revocationData) -> {

  529.                     revocationData.addCRL(crl);

  530.                     return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);

  531.                 };

  532.                 signatureConfig.setTspService(tspService);

  533.             } else {

  534.                 TimeStampServiceValidator tspValidator = (validateChain, revocationData) -> {

  535.                     for (X509Certificate certificate : validateChain) {

  536.                         LOG.atDebug().log("certificate: {}", certificate.getSubjectX500Principal());

  537.                         LOG.atDebug().log("validity: {} - {}", certificate.getNotBefore(), certificate.getNotAfter());

  538.                     }

  539.                 };

  540.                 signatureConfig.setTspValidator(tspValidator);

  541.                 signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));

  542.             }

  543. 

  544.             final RevocationData revocationData = new RevocationData();

  545.             revocationData.addCRL(crl);

  546.             OCSPResp ocspResp = createOcspResp(x509, x509, x509, keyPair.getPrivate(), cal.getTimeInMillis());

  547.             revocationData.addOCSP(ocspResp.getEncoded());

  548. 

  549.             RevocationDataService revocationDataService = revocationChain -> revocationData;

  550.             signatureConfig.setRevocationDataService(revocationDataService);

  551. 

  552.             // operate

  553.             SignatureInfo si = new SignatureInfo();

  554.             si.setOpcPackage(pkg);

  555.             si.setSignatureConfig(signatureConfig);

  556.             try {

  557.                 si.confirmSignature();

  558.             } catch (RuntimeException e) {

  559.                 // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...

  560.                 if (e.getCause() == null) {

  561.                     throw e;

  562.                 }

  563.                 if ((e.getCause() instanceof ConnectException) || (e.getCause() instanceof SocketTimeoutException)) {

  564.                     assumeFalse(e.getCause().getMessage().contains("timed out"),

  565.                         "Only allowing ConnectException with 'timed out' as message here, but had: " + e);

  566.                 } else if (e.getCause() instanceof IOException) {

  567.                     assumeFalse(e.getCause().getMessage().contains("Error contacting TSP server"),

  568.                         "Only allowing IOException with 'Error contacting TSP server' as message here, but had: " + e);

  569.                 } else if (e.getCause() instanceof RuntimeException) {

  570.                     assumeFalse(e.getCause().getMessage().contains("This site is cur"),

  571.                         "Only allowing RuntimeException with 'This site is cur' as message here, but had: " + e);

  572.                 }

  573.                 throw e;

  574.             }

  575. 

  576.             // verify

  577.             Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();

  578.             assertTrue(spIter.hasNext(), "Had: " + pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN));

  579.             SignaturePart sp = spIter.next();

  580.             boolean valid = sp.validate();

  581.             assertTrue(valid);

  582. 

  583.             SignatureDocument sigDoc = sp.getSignatureDocument();

  584.             String declareNS =

  585.                     "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; "

  586.                             + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";

  587. 

  588.             String digestValXQuery = declareNS +

  589.                     "$this/ds:Signature/ds:SignedInfo/ds:Reference";

  590.             for (ReferenceType rt : (ReferenceType[]) sigDoc.selectPath(digestValXQuery)) {

  591.                 assertNotNull(rt.getDigestValue());

  592.                 assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());

  593.             }

  594. 

  595.             String certDigestXQuery = declareNS +

  596.                     "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";

  597.             XmlObject[] xoList = sigDoc.selectPath(certDigestXQuery);

  598.             assertEquals(xoList.length, 1);

  599.             DigestAlgAndValueType certDigest = (DigestAlgAndValueType) xoList[0];

  600.             assertNotNull(certDigest.getDigestValue());

  601. 

  602.             String qualPropXQuery = declareNS +

  603.                     "$this/ds:Signature/ds:Object/xades:QualifyingProperties";

  604.             xoList = sigDoc.selectPath(qualPropXQuery);

  605.             assertEquals(xoList.length, 1);

  606.             QualifyingPropertiesType qualProp = (QualifyingPropertiesType) xoList[0];

  607.             boolean qualPropXsdOk = qualProp.validate();

  608.             assertTrue(qualPropXsdOk);

  609. 

  610.             pkg.save(bos);

  611.         }

  612. 

  613.         try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(bos.toByteArray()))) {

  614.             SignatureConfig signatureConfig = new SignatureConfig();

  615.             signatureConfig.setUpdateConfigOnValidate(true);

  616. 

  617.             SignatureInfo si = new SignatureInfo();

  618.             si.setOpcPackage(pkg);

  619.             si.setSignatureConfig(signatureConfig);

  620. 

  621.             assertTrue(si.verifySignature());

  622. 

  623.             assertEquals(HashAlgorithm.sha512, signatureConfig.getXadesDigestAlgo());

  624.             assertEquals("Xades Reviewer", signatureConfig.getXadesRole());

  625.             assertEquals("test xades signature", signatureConfig.getSignatureDescription());

  626.             assertEquals(execTimestr, signatureConfig.formatExecutionTime());

  627.         }

  628.     }

  629. 

  630.     public static String getAccessError(String destinationUrl, boolean fireRequest, int timeout) {

  631.         URL url;

  632.         try {

  633.             url = new URL(destinationUrl);

  634.         } catch (MalformedURLException e) {

  635.             throw new IllegalArgumentException("Invalid destination URL", e);

  636.         }

  637. 

  638.         HttpURLConnection conn = null;

  639.         try {

  640.             conn = (HttpURLConnection) url.openConnection();

  641. 

  642.             // set specified timeout if non-zero

  643.             if(timeout != 0) {

  644.                 conn.setConnectTimeout(timeout);

  645.                 conn.setReadTimeout(timeout);

  646.             }

  647. 

  648.             conn.setDoOutput(false);

  649.             conn.setDoInput(true);

  650. 

  651.             /* if connecting is not possible this will throw a connection refused exception */

  652.             conn.connect();

  653. 

  654.             if (fireRequest) {

  655.                 conn.getInputStream().close();

  656.             }

  657.             /* if connecting is possible we return true here */

  658.             return null;

  659. 

  660.         } catch (IOException e) {

  661.             /* exception is thrown -> server not available */

  662.             return e.getClass().getName() + ": " + e.getMessage();

  663.         } finally {

  664.             if (conn != null) {

  665.                 conn.disconnect();

  666.             }

  667.         }

  668.     }

  669. 

  670.     @Test

  671.     void testCertChain() throws Exception {

  672.         final boolean isIBM = System.getProperty("java.vendor").contains("IBM");

  673. 

  674.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  675.         String password = "test";

  676.         try (InputStream is = testdata.openResourceAsStream("chaintest.pfx")) {

  677.             keystore.load(is, password.toCharArray());

  678.         }

  679. 

  680.         Key key = keystore.getKey("poitest", password.toCharArray());

  681.         Certificate[] chainList = keystore.getCertificateChain("poitest");

  682.         List<X509Certificate> certChain = new ArrayList<>();

  683.         for (Certificate c : chainList) {

  684.             certChain.add((X509Certificate)c);

  685.         }

  686.         x509 = certChain.get(0);

  687.         keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  688. 

  689.         String testFile = "hello-world-unsigned.xlsx";

  690.         try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {

  691. 

  692.             SignatureConfig signatureConfig = new SignatureConfig();

  693.             signatureConfig.setKey(keyPair.getPrivate());

  694.             signatureConfig.setSigningCertificateChain(certChain);

  695.             Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);

  696.             signatureConfig.setExecutionTime(oldCal.getTime());

  697.             signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  698. 

  699.             SignatureInfo si = new SignatureInfo();

  700.             si.setOpcPackage(pkg);

  701.             si.setSignatureConfig(signatureConfig);

  702. 

  703.             si.confirmSignature();

  704. 

  705.             for (SignaturePart sp : si.getSignatureParts()) {

  706.                 assertTrue(sp.validate(), "Could not validate");

  707.                 X509Certificate signer = sp.getSigner();

  708.                 assertNotNull(signer, "signer undefined?!");

  709.                 List<X509Certificate> certChainRes = sp.getCertChain();

  710. 

  711.                 // IBM JDK is still buggy, even after fix for APAR IJ21985

  712.                 int exp = isIBM ? 1 : 3;

  713.                 assertEquals(exp, certChainRes.size());

  714.             }

  715. 

  716.         }

  717.     }

  718. 

  719.     @Test

  720.     void testNonSha1() throws Exception {

  721.         String testFile = "hello-world-unsigned.xlsx";

  722.         initKeyPair();

  723. 

  724.         SignatureConfig signatureConfig = new SignatureConfig();

  725.         signatureConfig.setKey(keyPair.getPrivate());

  726.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  727. 

  728.         HashAlgorithm[] testAlgo = {HashAlgorithm.sha224, HashAlgorithm.sha256

  729.                 , HashAlgorithm.sha384, HashAlgorithm.sha512, HashAlgorithm.ripemd160};

  730. 

  731.         for (HashAlgorithm ha : testAlgo) {

  732.             signatureConfig.setDigestAlgo(ha);

  733.             try (OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE)) {

  734.                 SignatureInfo si = new SignatureInfo();

  735.                 si.setOpcPackage(pkg);

  736.                 si.setSignatureConfig(signatureConfig);

  737. 

  738.                 si.confirmSignature();

  739.                 boolean b = si.verifySignature();

  740.                 assertTrue(b, "Signature not correctly calculated for " + ha);

  741.             } catch (EncryptedDocumentException e) {

  742.                 assumeTrue(e.getMessage().startsWith("Export Restrictions"));

  743.             }

  744.         }

  745.     }

  746. 

  747.     @Test

  748.     void bug58630() throws Exception {

  749.         // test deletion of sheet 0 and signing

  750.         File tpl = copy(testdata.getFile("bug58630.xlsx"));

  751.         try (SXSSFWorkbook wb1 = new SXSSFWorkbook((XSSFWorkbook)WorkbookFactory.create(tpl), 10)) {

  752.             wb1.setCompressTempFiles(true);

  753.             wb1.removeSheetAt(0);

  754.             ByteArrayOutputStream os = new ByteArrayOutputStream();

  755.             wb1.write(os);

  756. 

  757.             try (OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()))) {

  758.                 initKeyPair();

  759.                 SignatureConfig signatureConfig = new SignatureConfig();

  760.                 signatureConfig.setKey(keyPair.getPrivate());

  761.                 signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  762. 

  763.                 SignatureInfo si = new SignatureInfo();

  764.                 si.setOpcPackage(pkg);

  765.                 si.setSignatureConfig(signatureConfig);

  766.                 si.confirmSignature();

  767.                 assertTrue(si.verifySignature(), "invalid signature");

  768.             }

  769.         }

  770.     }

  771. 

  772.     @Test

  773.     void testMultiSign() throws Exception {

  774.         cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  775.         cal.clear();

  776.         cal.setTimeZone(LocaleUtil.TIMEZONE_UTC);

  777.         cal.set(2018, Calendar.DECEMBER, 14);

  778. 

  779.         // test signing with separate opened packages

  780.         File tpl = copy(testdata.getFile("hello-world-unsigned.xlsx"));

  781.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  782.             signPkg63011(pkg, "bug63011_key1.pem", true);

  783.         }

  784. 

  785.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  786.             signPkg63011(pkg, "bug63011_key2.pem", true);

  787.         }

  788. 

  789.         verifyPkg63011(tpl, true);

  790. 

  791.         // test signing with single opened package

  792.         tpl = copy(testdata.getFile("hello-world-unsigned.xlsx"));

  793.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  794.             signPkg63011(pkg, "bug63011_key1.pem", true);

  795.             signPkg63011(pkg, "bug63011_key2.pem", true);

  796.         }

  797. 

  798.         verifyPkg63011(tpl, true);

  799. 

  800.         try (OPCPackage pkg = OPCPackage.open(tpl)) {

  801.             signPkg63011(pkg, "bug63011_key1.pem", true);

  802.             signPkg63011(pkg, "bug63011_key2.pem", false);

  803.         }

  804. 

  805.         verifyPkg63011(tpl, false);

  806.     }

  807. 

  808.     private void verifyPkg63011(File tpl, boolean multi) throws InvalidFormatException, IOException {

  809.         try (OPCPackage pkg = OPCPackage.open(tpl, PackageAccess.READ)) {

  810.             SignatureConfig sic = new SignatureConfig();

  811.             SignatureInfo si = new SignatureInfo();

  812.             si.setOpcPackage(pkg);

  813.             si.setSignatureConfig(sic);

  814.             List<X509Certificate> result = new ArrayList<>();

  815.             for (SignaturePart sp : si.getSignatureParts()) {

  816.                 if (sp.validate()) {

  817.                     result.add(sp.getSigner());

  818.                 }

  819.             }

  820. 

  821.             assertNotNull(result);

  822. 

  823.             if (multi) {

  824.                 assertEquals(2, result.size());

  825.                 assertEquals("CN=Muj Klic", result.get(0).getSubjectDN().toString());

  826.                 assertEquals("CN=My Second key", result.get(1).getSubjectDN().toString());

  827.             } else {

  828.                 assertEquals(1, result.size());

  829.                 assertEquals("CN=My Second key", result.get(0).getSubjectDN().toString());

  830.             }

  831. 

  832.             assertTrue(si.verifySignature());

  833.             pkg.revert();

  834.         }

  835.     }

  836. 

  837.     private void signPkg63011(OPCPackage pkg, String pemFile, boolean multi)

  838.             throws IOException, CertificateException, XMLSignatureException, MarshalException {

  839.         assertNotNull(pkg);

  840.         initKeyFromPEM(testdata.getFile(pemFile));

  841. 

  842.         SignatureConfig config = new SignatureConfig();

  843.         config.setKey(keyPair.getPrivate());

  844.         config.setSigningCertificateChain(Collections.singletonList(x509));

  845.         config.setExecutionTime(cal.getTime());

  846.         config.setAllowMultipleSignatures(multi);

  847. 

  848.         SignatureInfo si = new SignatureInfo();

  849.         si.setOpcPackage(pkg);

  850.         si.setSignatureConfig(config);

  851.         si.confirmSignature();

  852.     }

  853. 

  854.     @Test

  855.     void testRetrieveCertificate() throws InvalidFormatException, IOException {

  856.         SignatureConfig sic = new SignatureConfig();

  857.         final File file = testdata.getFile("PPT2016withComment.pptx");

  858.         try (final OPCPackage pkg = OPCPackage.open(file, PackageAccess.READ)) {

  859.             sic.setUpdateConfigOnValidate(true);

  860.             SignatureInfo si = new SignatureInfo();

  861.             si.setOpcPackage(pkg);

  862.             si.setSignatureConfig(sic);

  863.             assertTrue(si.verifySignature());

  864.         }

  865. 

  866.         final List<X509Certificate> certs = sic.getSigningCertificateChain();

  867.         assertEquals(1, certs.size());

  868.         assertEquals("CN=Test", certs.get(0).getSubjectDN().getName());

  869.         assertEquals("SuperDuper-Reviewer", sic.getXadesRole());

  870.         assertEquals("Purpose for signing", sic.getSignatureDescription());

  871.         assertEquals("2018-06-10T09:00:54Z", sic.formatExecutionTime());

  872.         assertEquals(CanonicalizationMethod.INCLUSIVE, sic.getCanonicalizationMethod());

  873.     }

  874. 

  875.     private interface XmlDocumentPackageInit {

  876.         POIXMLDocument init(SignatureLine line, OPCPackage pkg) throws IOException, XmlException;

  877.     }

  878. 

  879.     @Test

  880.     void testSignatureImage() throws Exception {

  881.         initKeyPair();

  882. 

  883.         List<Supplier<SignatureLine>> lines = Arrays.asList(XSSFSignatureLine::new, XWPFSignatureLine::new);

  884.         for (Supplier<SignatureLine> sup : lines) {

  885.             SignatureLine line = sup.get();

  886.             line.setSuggestedSigner("Jack Sparrow");

  887.             line.setSuggestedSigner2("Captain");

  888.             line.setSuggestedSignerEmail("jack.bl@ck.perl");

  889.             line.setInvalidStamp("Bungling!");

  890.             line.setPlainSignature(testdata.readFile("jack-sign.emf"));

  891. 

  892.             String[] ext = { "" };

  893.             BiFunction<SignatureLine,String[],POIXMLDocument> init =

  894.                 (line instanceof XSSFSignatureLine)

  895.                 ? this::initSignatureImageXSSF

  896.                 : this::initSignatureImageXWPF;

  897. 

  898.             File signDoc;

  899.             try (POIXMLDocument xmlDoc = init.apply(line,ext)) {

  900.                 signDoc = TempFile.createTempFile("visual-signature", ext[0]);

  901.                 try (FileOutputStream fos = new FileOutputStream(signDoc)) {

  902.                     xmlDoc.write(fos);

  903.                 }

  904.             }

  905. 

  906.             try (OPCPackage pkg = OPCPackage.open(signDoc, PackageAccess.READ_WRITE)) {

  907.                 SignatureConfig sic = new SignatureConfig();

  908.                 sic.setKey(keyPair.getPrivate());

  909.                 sic.setSigningCertificateChain(Collections.singletonList(x509));

  910. 

  911.                 line.updateSignatureConfig(sic);

  912. 

  913.                 sic.setDigestAlgo(HashAlgorithm.sha1);

  914.                 SignatureInfo si = new SignatureInfo();

  915.                 si.setOpcPackage(pkg);

  916.                 si.setSignatureConfig(sic);

  917.                 // hash > sha1 doesn't work in excel viewer ...

  918.                 si.confirmSignature();

  919.             } catch (java.util.ServiceConfigurationError e) {

  920.                 assumeFalse(true, "running on module-path / JPMS and batik is \"kaputt\" WRT JPMS");

  921.             }

  922. 

  923.             XmlDocumentPackageInit reinit =

  924.                 (line instanceof XSSFSignatureLine)

  925.                 ? this::initSignatureImageXSSF

  926.                 : this::initSignatureImageXWPF;

  927. 

  928.             try (OPCPackage pkg = OPCPackage.open(signDoc, PackageAccess.READ)) {

  929.                 SignatureLine line2 = sup.get();

  930.                 try (POIXMLDocument doc = reinit.init(line2, pkg)) {

  931.                 	assertNotNull(doc);

  932. 

  933.                     line2.parse();

  934.                     assertEquals(line.getSuggestedSigner(), line2.getSuggestedSigner());

  935.                     assertEquals(line.getSuggestedSigner2(), line2.getSuggestedSigner2());

  936.                     assertEquals(line.getSuggestedSignerEmail(), line2.getSuggestedSignerEmail());

  937.                 }

  938. 

  939.                 pkg.revert();

  940.             }

  941.         }

  942.     }

  943. 

  944.     private XWPFDocument initSignatureImageXWPF(SignatureLine line, String[] ext) {

  945.         XWPFDocument doc = new XWPFDocument();

  946.         ((XWPFSignatureLine)line).add(doc.createParagraph());

  947.         ext[0] = ".docx";

  948.         return doc;

  949.     }

  950. 

  951.     private XWPFDocument initSignatureImageXWPF(SignatureLine line, OPCPackage pkg) throws IOException, XmlException {

  952.         XWPFDocument doc = new XWPFDocument(pkg);

  953.         ((XWPFSignatureLine)line).parse(doc);

  954.         return doc;

  955.     }

  956. 

  957.     private XSSFWorkbook initSignatureImageXSSF(SignatureLine line, String[] ext) {

  958.         XSSFWorkbook xls = new XSSFWorkbook();

  959.         XSSFSheet sheet = xls.createSheet();

  960.         XSSFClientAnchor anchor = new XSSFClientAnchor(0,0,0,0,3,3,8,13);

  961.         ((XSSFSignatureLine)line).add(sheet, anchor);

  962.         ext[0] = ".xlsx";

  963.         return xls;

  964.     }

  965. 

  966.     private XSSFWorkbook initSignatureImageXSSF(SignatureLine line, OPCPackage pkg) throws IOException, XmlException {

  967.         XSSFWorkbook xls = new XSSFWorkbook(pkg);

  968.         ((XSSFSignatureLine)line).parse(xls.getSheetAt(0));

  969.         return xls;

  970.     }

  971. 

  972. 

  973.     private SignatureConfig prepareConfig(String pfxInput) throws Exception {

  974.         initKeyPair(pfxInput);

  975. 

  976.         SignatureConfig signatureConfig = new SignatureConfig();

  977.         signatureConfig.setKey(keyPair.getPrivate());

  978.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  979.         signatureConfig.setExecutionTime(cal.getTime());

  980.         signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  981. 

  982.         return signatureConfig;

  983.     }

  984. 

  985.     private void sign(OPCPackage pkgCopy) throws Exception {

  986.         int signerCount = 1;

  987. 

  988.         SignatureConfig signatureConfig = prepareConfig(null);

  989. 

  990.         SignatureInfo si = new SignatureInfo();

  991.         si.setOpcPackage(pkgCopy);

  992.         si.setSignatureConfig(signatureConfig);

  993. 

  994.         final Document document = DocumentHelper.createDocument();

  995.         final DOMSignContext xmlSignContext = si.createXMLSignContext(document);

  996. 

  997.         // operate

  998.         final DOMSignedInfo signedInfo = si.preSign(xmlSignContext);

  999. 

  1000.         // verify

  1001.         assertNotNull(signedInfo);

  1002.         assertEquals("Office OpenXML Document", signatureConfig.getSignatureDescription());

  1003. 

  1004.         // setup: key material, signature value

  1005.         final String signatureValue = si.signDigest(xmlSignContext, signedInfo);

  1006. 

  1007.         // operate: postSign

  1008.         si.postSign(xmlSignContext, signatureValue);

  1009. 

  1010.         // verify: signature

  1011.         si.setOpcPackage(pkgCopy);

  1012.         List<X509Certificate> result = new ArrayList<>();

  1013.         for (SignaturePart sp : si.getSignatureParts()) {

  1014.             if (sp.validate()) {

  1015.                 result.add(sp.getSigner());

  1016.             }

  1017.         }

  1018.         assertEquals(signerCount, result.size());

  1019.     }

  1020. 

  1021.     private void initKeyPair() throws Exception {

  1022.         initKeyPair(null);

  1023.     }

  1024. 

  1025.     private void initKeyPair(String pfxInput) throws Exception {

  1026.         final String alias = "Test";

  1027.         final char[] password = "test".toCharArray();

  1028.         File file = new File("build/test.pfx");

  1029.         assertTrue(file.getParentFile().exists() || file.getParentFile().mkdir());

  1030. 

  1031.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  1032. 

  1033.         if (pfxInput != null) {

  1034.             try (InputStream fis = new ByteArrayInputStream(RawDataUtil.decompress(pfxInput))) {

  1035.                 keystore.load(fis, password);

  1036.             }

  1037.         } else if (file.exists()) {

  1038.             try (InputStream fis = new FileInputStream(file)) {

  1039.                 keystore.load(fis, password);

  1040.             }

  1041.         } else {

  1042.             keystore.load(null, password);

  1043.         }

  1044. 

  1045.         if (keystore.isKeyEntry(alias)) {

  1046.             Key key = keystore.getKey(alias, password);

  1047.             x509 = (X509Certificate)keystore.getCertificate(alias);

  1048.             keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  1049.         } else {

  1050.             keyPair = generateKeyPair();

  1051.             Date notBefore = cal.getTime();

  1052.             Calendar cal2 = (Calendar)cal.clone();

  1053.             cal2.add(Calendar.YEAR, 1);

  1054.             Date notAfter = cal2.getTime();

  1055.             KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);

  1056. 

  1057.             x509 = generateCertificate(keyPair.getPublic(), notBefore, notAfter, keyPair.getPrivate(), keyUsage);

  1058. 

  1059.             keystore.setKeyEntry(alias, keyPair.getPrivate(), password, new Certificate[]{x509});

  1060. 

  1061.             if (pfxInput == null) {

  1062.                 try (FileOutputStream fos = new FileOutputStream(file)) {

  1063.                     keystore.store(fos, password);

  1064.                 }

  1065.             }

  1066.         }

  1067.     }

  1068. 

  1069.     private void initKeyFromPEM(File pemFile) throws IOException, CertificateException {

  1070.         // see https://stackoverflow.com/questions/11787571/how-to-read-pem-file-to-get-private-and-public-key

  1071.         PrivateKey key = null;

  1072.         x509 = null;

  1073. 

  1074.         try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(pemFile), StandardCharsets.ISO_8859_1))) {

  1075.             PEMParser parser = new PEMParser(br);

  1076.             for (Object obj; (obj = parser.readObject()) != null; ) {

  1077.                 if (obj instanceof PrivateKeyInfo) {

  1078.                     key = new JcaPEMKeyConverter().setProvider("BC").getPrivateKey((PrivateKeyInfo)obj);

  1079.                 } else if (obj instanceof X509CertificateHolder) {

  1080.                     x509 = new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder)obj);

  1081.                 }

  1082.             }

  1083.         }

  1084. 

  1085.         if (key != null && x509 != null) {

  1086.             keyPair = new KeyPair(x509.getPublicKey(), key);

  1087.         }

  1088.     }

  1089. 

  1090.     private static File copy(File input) throws IOException {

  1091.         String extension = input.getName().replaceAll(".*?(\\.[^.]+)?$", "$1");

  1092.         if (extension.isEmpty()) {

  1093.             extension = ".zip";

  1094.         }

  1095. 

  1096.         // ensure that we create the "build" directory as it might not be existing

  1097.         // in the Sonar Maven runs where we are at a different source directory

  1098.         File buildDir = new File("build");

  1099.         if(!buildDir.exists()) {

  1100.             assertTrue(buildDir.mkdirs(), "Failed to create " + buildDir.getAbsolutePath());

  1101.         }

  1102.         File tmpFile = new File(buildDir, "sigtest"+extension);

  1103. 

  1104.         try (OutputStream fos = new FileOutputStream(tmpFile)) {

  1105.             try (InputStream fis = new FileInputStream(input)) {

  1106.                 IOUtils.copy(fis, fos);

  1107.             }

  1108.         }

  1109. 

  1110.         return tmpFile;

  1111.     }

  1112. 

  1113.     private static KeyPair generateKeyPair() throws Exception {

  1114.         KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");

  1115.         SecureRandom random = new SecureRandom();

  1116.         keyPairGenerator.initialize(new RSAKeyGenParameterSpec(1024,

  1117.                                                                RSAKeyGenParameterSpec.F4), random);

  1118.         return keyPairGenerator.generateKeyPair();

  1119.     }

  1120. 

  1121.     private static X509Certificate generateCertificate(PublicKey subjectPublicKey,

  1122.                                                        Date notBefore, Date notAfter,

  1123.                                                        PrivateKey issuerPrivateKey,

  1124.                                                        KeyUsage keyUsage)

  1125.             throws IOException, OperatorCreationException, CertificateException {

  1126.         final String signatureAlgorithm = "SHA1withRSA";

  1127.         final String subjectDn = "CN=Test";

  1128.         X500Name issuerName = new X500Name(subjectDn);

  1129. 

  1130.         RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;

  1131.         RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());

  1132. 

  1133.         SubjectPublicKeyInfo subjectPublicKeyInfo =

  1134.                 SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);

  1135. 

  1136.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  1137.                 .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  1138. 

  1139.         X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(

  1140.                 issuerName

  1141.                 , new BigInteger(128, new SecureRandom())

  1142.                 , notBefore

  1143.                 , notAfter

  1144.                 , new X500Name(subjectDn)

  1145.                 , subjectPublicKeyInfo

  1146.         );

  1147. 

  1148.         X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);

  1149.         SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);

  1150.         AuthorityKeyIdentifier autKeyId = exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);

  1151. 

  1152.         certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);

  1153.         certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);

  1154. 

  1155.         BasicConstraints bc = new BasicConstraints(0);

  1156.         certificateGenerator.addExtension(Extension.basicConstraints, false, bc);

  1157. 

  1158.         if (null != keyUsage) {

  1159.             certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);

  1160.         }

  1161. 

  1162.         JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);

  1163.         signerBuilder.setProvider("BC");

  1164. 

  1165.         X509CertificateHolder certHolder =

  1166.                 certificateGenerator.build(signerBuilder.build(issuerPrivateKey));

  1167. 

  1168.         /*

  1169.          * Next certificate factory trick is needed to make sure that the

  1170.          * certificate delivered to the caller is provided by the default

  1171.          * security provider instead of BouncyCastle. If we don't do this trick

  1172.          * we might run into trouble when trying to use the CertPath validator.

  1173.          */

  1174. //        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

  1175. //        certificate = (X509Certificate) certificateFactory

  1176. //                .generateCertificate(new ByteArrayInputStream(certificate

  1177. //                        .getEncoded()));

  1178.         return new JcaX509CertificateConverter().getCertificate(certHolder);

  1179.     }

  1180. 

  1181.     private static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey)

  1182.             throws CertificateEncodingException, IOException, CRLException, OperatorCreationException {

  1183. 

  1184.         X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());

  1185.         X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());

  1186.         crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));

  1187.         JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

  1188. 

  1189.         CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

  1190. 

  1191.         crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

  1192.         X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));

  1193.         return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);

  1194.     }

  1195. 

  1196.     private static OCSPResp createOcspResp(X509Certificate certificate,

  1197.                                            X509Certificate issuerCertificate,

  1198.                                            X509Certificate ocspResponderCertificate,

  1199.                                            PrivateKey ocspResponderPrivateKey,

  1200.                                            long nonceTimeinMillis)

  1201.             throws Exception {

  1202.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  1203.                 .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  1204.         X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());

  1205.         CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

  1206. 

  1207.         // request

  1208.         //create a nonce to avoid replay attack

  1209.         BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);

  1210.         DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());

  1211.         Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);

  1212.         Extensions exts = new Extensions(ext);

  1213. 

  1214.         OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();

  1215.         ocspReqBuilder.addRequest(certId);

  1216.         ocspReqBuilder.setRequestExtensions(exts);

  1217.         OCSPReq ocspReq = ocspReqBuilder.build();

  1218. 

  1219. 

  1220.         SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo

  1221.                 (CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());

  1222. 

  1223.         BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);

  1224.         basicOCSPRespBuilder.setResponseExtensions(exts);

  1225. 

  1226.         // request processing

  1227.         Req[] requestList = ocspReq.getRequestList();

  1228.         for (Req ocspRequest : requestList) {

  1229.             CertificateID certificateID = ocspRequest.getCertID();

  1230.             CertificateStatus certificateStatus = CertificateStatus.GOOD;

  1231.             basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);

  1232.         }

  1233. 

  1234.         // basic response generation

  1235.         X509CertificateHolder[] chain = null;

  1236.         if (!ocspResponderCertificate.equals(issuerCertificate)) {

  1237.             // TODO: HorribleProxy can't convert array input params yet

  1238.             chain = new X509CertificateHolder[] {

  1239.                     new X509CertificateHolder(ocspResponderCertificate.getEncoded()),

  1240.                     issuerHolder

  1241.             };

  1242.         }

  1243. 

  1244.         ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA")

  1245.                 .setProvider("BC").build(ocspResponderPrivateKey);

  1246.         BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

  1247. 

  1248. 

  1249.         OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();

  1250. 

  1251.         return ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

  1252.     }

  1253. }