mirrors
/
poi
peilaus alkaen https://github.com/apache/poi.git
Tarkkaile 1
Äänestä 0
Fork 0
Koodi Ongelmat 0 Julkaisut 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6768 Commitit
24 Branchit
Puu: 4f2692f870
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '4f2692f870'
${ noResults }
poi/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestSignatureInfo.java

TestSignatureInfo.java 28KB
Raaka Blame Historia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt  

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */ 

  24. package org.apache.poi.poifs.crypt;

  25. 

  26. import static org.junit.Assert.assertEquals;

  27. import static org.junit.Assert.assertFalse;

  28. import static org.junit.Assert.assertNotNull;

  29. import static org.junit.Assert.assertTrue;

  30. 

  31. import java.io.ByteArrayInputStream;

  32. import java.io.ByteArrayOutputStream;

  33. import java.io.File;

  34. import java.io.FileInputStream;

  35. import java.io.FileOutputStream;

  36. import java.io.IOException;

  37. import java.io.InputStream;

  38. import java.io.OutputStream;

  39. import java.net.ConnectException;

  40. import java.net.HttpURLConnection;

  41. import java.net.MalformedURLException;

  42. import java.net.URL;

  43. import java.security.Key;

  44. import java.security.KeyPair;

  45. import java.security.KeyStore;

  46. import java.security.PrivateKey;

  47. import java.security.cert.Certificate;

  48. import java.security.cert.X509CRL;

  49. import java.security.cert.X509Certificate;

  50. import java.util.ArrayList;

  51. import java.util.Calendar;

  52. import java.util.Collections;

  53. import java.util.Date;

  54. import java.util.Iterator;

  55. import java.util.List;

  56. 

  57. import org.apache.poi.POIDataSamples;

  58. import org.apache.poi.POITestCase;

  59. import org.apache.poi.openxml4j.opc.OPCPackage;

  60. import org.apache.poi.openxml4j.opc.PackageAccess;

  61. import org.apache.poi.poifs.crypt.dsig.DigestInfo;

  62. import org.apache.poi.poifs.crypt.dsig.SignatureConfig;

  63. import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

  64. import org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart;

  65. import org.apache.poi.poifs.crypt.dsig.facets.EnvelopedSignatureFacet;

  66. import org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet;

  67. import org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet;

  68. import org.apache.poi.poifs.crypt.dsig.facets.XAdESXLSignatureFacet;

  69. import org.apache.poi.poifs.crypt.dsig.services.RevocationData;

  70. import org.apache.poi.poifs.crypt.dsig.services.RevocationDataService;

  71. import org.apache.poi.poifs.crypt.dsig.services.TimeStampService;

  72. import org.apache.poi.poifs.crypt.dsig.services.TimeStampServiceValidator;

  73. import org.apache.poi.ss.usermodel.WorkbookFactory;

  74. import org.apache.poi.util.DocumentHelper;

  75. import org.apache.poi.util.IOUtils;

  76. import org.apache.poi.util.LocaleUtil;

  77. import org.apache.poi.util.POILogFactory;

  78. import org.apache.poi.util.POILogger;

  79. import org.apache.poi.xssf.streaming.SXSSFWorkbook;

  80. import org.apache.poi.xssf.usermodel.XSSFWorkbook;

  81. import org.apache.xmlbeans.XmlObject;

  82. import org.bouncycastle.asn1.x509.KeyUsage;

  83. import org.bouncycastle.cert.ocsp.OCSPResp;

  84. import org.etsi.uri.x01903.v13.DigestAlgAndValueType;

  85. import org.etsi.uri.x01903.v13.QualifyingPropertiesType;

  86. import org.junit.Assume;

  87. import org.junit.BeforeClass;

  88. import org.junit.Test;

  89. import org.w3.x2000.x09.xmldsig.ReferenceType;

  90. import org.w3.x2000.x09.xmldsig.SignatureDocument;

  91. import org.w3c.dom.Document;

  92. 

  93. public class TestSignatureInfo {

  94.     private static final POILogger LOG = POILogFactory.getLogger(TestSignatureInfo.class);

  95.     private static final POIDataSamples testdata = POIDataSamples.getXmlDSignInstance();

  96. 

  97.     private static Calendar cal;

  98.     private KeyPair keyPair = null;

  99.     private X509Certificate x509 = null;

  100.     

  101.     @BeforeClass

  102.     public static void initBouncy() throws IOException {

  103.         CryptoFunctions.registerBouncyCastle();

  104. 

  105.         /*** TODO : set cal to now ... only set to fixed date for debugging ... */ 

  106.         cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  107. //        cal.set(2014, 7, 6, 21, 42, 12);

  108. //        cal.clear(Calendar.MILLISECOND);

  109. 

  110.         // don't run this test when we are using older Xerces as it triggers an XML Parser backwards compatibility issue 

  111.         // in the xmlsec jar file

  112.         String additionalJar = System.getProperty("additionaljar");

  113.         //System.out.println("Having: " + additionalJar);

  114.         Assume.assumeTrue("Not running TestSignatureInfo because we are testing with additionaljar set to " + additionalJar, 

  115.                 additionalJar == null || additionalJar.trim().length() == 0);

  116.     }

  117.     

  118.     @Test

  119.     public void office2007prettyPrintedRels() throws Exception {

  120.         OPCPackage pkg = OPCPackage.open(testdata.getFile("office2007prettyPrintedRels.docx"), PackageAccess.READ);

  121.         try {

  122.             SignatureConfig sic = new SignatureConfig();

  123.             sic.setOpcPackage(pkg);

  124.             SignatureInfo si = new SignatureInfo();

  125.             si.setSignatureConfig(sic);

  126.             boolean isValid = si.verifySignature();

  127.             assertTrue(isValid);

  128.         } finally {

  129.             pkg.close();

  130.         }

  131.     }

  132.     

  133.     @Test

  134.     public void getSignerUnsigned() throws Exception {

  135.         String testFiles[] = { 

  136.             "hello-world-unsigned.docx",

  137.             "hello-world-unsigned.pptx",

  138.             "hello-world-unsigned.xlsx",

  139.             "hello-world-office-2010-technical-preview-unsigned.docx"

  140.         };

  141.         

  142.         for (String testFile : testFiles) {

  143.             OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);

  144.             SignatureConfig sic = new SignatureConfig();

  145.             sic.setOpcPackage(pkg);

  146.             SignatureInfo si = new SignatureInfo();

  147.             si.setSignatureConfig(sic);

  148.             List<X509Certificate> result = new ArrayList<X509Certificate>();

  149.             for (SignaturePart sp : si.getSignatureParts()) {

  150.                 if (sp.validate()) {

  151.                     result.add(sp.getSigner());

  152.                 }

  153.             }

  154.             pkg.revert();

  155.             pkg.close();

  156.             assertNotNull(result);

  157.             assertTrue(result.isEmpty());

  158.         }

  159.     }

  160.     

  161.     @Test

  162.     public void getSigner() throws Exception {

  163.         String testFiles[] = { 

  164.             "hyperlink-example-signed.docx",

  165.             "hello-world-signed.docx",

  166.             "hello-world-signed.pptx",

  167.             "hello-world-signed.xlsx",

  168.             "hello-world-office-2010-technical-preview.docx",

  169.             "ms-office-2010-signed.docx",

  170.             "ms-office-2010-signed.pptx",

  171.             "ms-office-2010-signed.xlsx",

  172.             "Office2010-SP1-XAdES-X-L.docx",

  173.             "signed.docx",

  174.         };

  175.         

  176.         for (String testFile : testFiles) {

  177.             OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);

  178.             try {

  179.                 SignatureConfig sic = new SignatureConfig();

  180.                 sic.setOpcPackage(pkg);

  181.                 SignatureInfo si = new SignatureInfo();

  182.                 si.setSignatureConfig(sic);

  183.                 List<X509Certificate> result = new ArrayList<X509Certificate>();

  184.                 for (SignaturePart sp : si.getSignatureParts()) {

  185.                     if (sp.validate()) {

  186.                         result.add(sp.getSigner());

  187.                     }

  188.                 }

  189.     

  190.                 assertNotNull(result);

  191.                 assertEquals("test-file: "+testFile, 1, result.size());

  192.                 X509Certificate signer = result.get(0);

  193.                 LOG.log(POILogger.DEBUG, "signer: " + signer.getSubjectX500Principal());

  194.     

  195.                 boolean b = si.verifySignature();

  196.                 assertTrue("test-file: "+testFile, b);

  197.                 pkg.revert();

  198.             } finally {

  199.                 pkg.close();

  200.             }

  201.         }

  202.     }

  203. 

  204.     @Test

  205.     public void getMultiSigners() throws Exception {

  206.         String testFile = "hello-world-signed-twice.docx";

  207.         OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);

  208.         try {

  209.             SignatureConfig sic = new SignatureConfig();

  210.             sic.setOpcPackage(pkg);

  211.             SignatureInfo si = new SignatureInfo();

  212.             si.setSignatureConfig(sic);

  213.             List<X509Certificate> result = new ArrayList<X509Certificate>();

  214.             for (SignaturePart sp : si.getSignatureParts()) {

  215.                 if (sp.validate()) {

  216.                     result.add(sp.getSigner());

  217.                 }

  218.             }

  219.     

  220.             assertNotNull(result);

  221.             assertEquals("test-file: "+testFile, 2, result.size());

  222.             X509Certificate signer1 = result.get(0);

  223.             X509Certificate signer2 = result.get(1);

  224.             LOG.log(POILogger.DEBUG, "signer 1: " + signer1.getSubjectX500Principal());

  225.             LOG.log(POILogger.DEBUG, "signer 2: " + signer2.getSubjectX500Principal());

  226.     

  227.             boolean b = si.verifySignature();

  228.             assertTrue("test-file: "+testFile, b);

  229.             pkg.revert();

  230.         } finally {

  231.             pkg.close();

  232.         }

  233.     }

  234.     

  235.     @Test

  236.     public void testSignSpreadsheet() throws Exception {

  237.         String testFile = "hello-world-unsigned.xlsx";

  238.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  239.         sign(pkg, "Test", "CN=Test", 1);

  240.         pkg.close();

  241.     }

  242. 

  243.     @Test

  244.     public void testManipulation() throws Exception {

  245.         // sign & validate

  246.         String testFile = "hello-world-unsigned.xlsx";

  247.         @SuppressWarnings("resource")

  248.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  249.         sign(pkg, "Test", "CN=Test", 1);

  250.         

  251.         // manipulate

  252.         XSSFWorkbook wb = new XSSFWorkbook(pkg);

  253.         wb.setSheetName(0, "manipulated");

  254.         // ... I don't know, why commit is protected ...

  255.         POITestCase.callMethod(XSSFWorkbook.class, wb, Void.class, "commit", new Class[0], new Object[0]);

  256. 

  257.         // todo: test a manipulation on a package part, which is not signed

  258.         // ... maybe in combination with #56164 

  259.         

  260.         // validate

  261.         SignatureConfig sic = new SignatureConfig();

  262.         sic.setOpcPackage(pkg);

  263.         SignatureInfo si = new SignatureInfo();

  264.         si.setSignatureConfig(sic);

  265.         boolean b = si.verifySignature();

  266.         assertFalse("signature should be broken", b);

  267.         

  268.         wb.close();

  269.     }

  270.     

  271.     @Test

  272.     public void testSignSpreadsheetWithSignatureInfo() throws Exception {

  273.         initKeyPair("Test", "CN=Test");

  274.         String testFile = "hello-world-unsigned.xlsx";

  275.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  276.         SignatureConfig sic = new SignatureConfig();

  277.         sic.setOpcPackage(pkg);

  278.         sic.setKey(keyPair.getPrivate());

  279.         sic.setSigningCertificateChain(Collections.singletonList(x509));

  280.         SignatureInfo si = new SignatureInfo();

  281.         si.setSignatureConfig(sic);

  282.         // hash > sha1 doesn't work in excel viewer ...

  283.         si.confirmSignature();

  284.         List<X509Certificate> result = new ArrayList<X509Certificate>();

  285.         for (SignaturePart sp : si.getSignatureParts()) {

  286.             if (sp.validate()) {

  287.                 result.add(sp.getSigner());

  288.             }

  289.         }

  290.         assertEquals(1, result.size());

  291.         pkg.close();

  292.     }

  293. 

  294.     @Test

  295.     public void testSignEnvelopingDocument() throws Exception {

  296.         String testFile = "hello-world-unsigned.xlsx";

  297.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  298. 

  299.         initKeyPair("Test", "CN=Test");

  300.         final X509CRL crl = PkiTestUtils.generateCrl(x509, keyPair.getPrivate());

  301.         

  302.         // setup

  303.         SignatureConfig signatureConfig = new SignatureConfig();

  304.         signatureConfig.setOpcPackage(pkg);

  305.         signatureConfig.setKey(keyPair.getPrivate());

  306. 

  307.         /*

  308.          * We need at least 2 certificates for the XAdES-C complete certificate

  309.          * refs construction.

  310.          */

  311.         List<X509Certificate> certificateChain = new ArrayList<X509Certificate>();

  312.         certificateChain.add(x509);

  313.         certificateChain.add(x509);

  314.         signatureConfig.setSigningCertificateChain(certificateChain);

  315.         

  316.         signatureConfig.addSignatureFacet(new EnvelopedSignatureFacet());

  317.         signatureConfig.addSignatureFacet(new KeyInfoSignatureFacet());

  318.         signatureConfig.addSignatureFacet(new XAdESSignatureFacet());

  319.         signatureConfig.addSignatureFacet(new XAdESXLSignatureFacet());

  320.         

  321.         // check for internet, no error means it works

  322.         boolean mockTsp = (getAccessError("http://timestamp.comodoca.com/rfc3161", true, 10000) != null);

  323.         

  324.         // http://timestamping.edelweb.fr/service/tsp

  325.         // http://tsa.belgium.be/connect

  326.         // http://timestamp.comodoca.com/authenticode

  327.         // http://timestamp.comodoca.com/rfc3161

  328.         // http://services.globaltrustfinder.com/adss/tsa

  329.         signatureConfig.setTspUrl("http://timestamp.comodoca.com/rfc3161");

  330.         signatureConfig.setTspRequestPolicy(null); // comodoca request fails, if default policy is set ...

  331.         signatureConfig.setTspOldProtocol(false);

  332.         

  333.         //set proxy info if any

  334.         String proxy = System.getProperty("http_proxy");

  335.         if (proxy != null && proxy.trim().length() > 0) {

  336.             signatureConfig.setProxyUrl(proxy);

  337.         }

  338. 

  339.         if (mockTsp) {

  340.             TimeStampService tspService = new TimeStampService(){

  341.                 @Override

  342.                 public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception {

  343.                     revocationData.addCRL(crl);

  344.                     return "time-stamp-token".getBytes(LocaleUtil.CHARSET_1252);                

  345.                 }

  346.                 @Override

  347.                 public void setSignatureConfig(SignatureConfig config) {

  348.                     // empty on purpose

  349.                 }

  350.             };

  351.             signatureConfig.setTspService(tspService);

  352.         } else {

  353.             TimeStampServiceValidator tspValidator = new TimeStampServiceValidator() {

  354.                 @Override

  355.                 public void validate(List<X509Certificate> validateChain,

  356.                 RevocationData revocationData) throws Exception {

  357.                     for (X509Certificate certificate : validateChain) {

  358.                         LOG.log(POILogger.DEBUG, "certificate: " + certificate.getSubjectX500Principal());

  359.                         LOG.log(POILogger.DEBUG, "validity: " + certificate.getNotBefore() + " - " + certificate.getNotAfter());

  360.                     }

  361.                 }

  362.             };

  363.             signatureConfig.setTspValidator(tspValidator);

  364.             signatureConfig.setTspOldProtocol(signatureConfig.getTspUrl().contains("edelweb"));

  365.         }

  366.         

  367.         final RevocationData revocationData = new RevocationData();

  368.         revocationData.addCRL(crl);

  369.         OCSPResp ocspResp = PkiTestUtils.createOcspResp(x509, false,

  370.                 x509, x509, keyPair.getPrivate(), "SHA1withRSA", cal.getTimeInMillis());

  371.         revocationData.addOCSP(ocspResp.getEncoded());

  372. 

  373.         RevocationDataService revocationDataService = new RevocationDataService(){

  374.             @Override

  375.             public RevocationData getRevocationData(List<X509Certificate> revocationChain) {

  376.                 return revocationData;

  377.             }

  378.         };

  379.         signatureConfig.setRevocationDataService(revocationDataService);

  380. 

  381.         // operate

  382.         SignatureInfo si = new SignatureInfo();

  383.         si.setSignatureConfig(signatureConfig);

  384.         try {

  385.             si.confirmSignature();

  386.         } catch (RuntimeException e) {

  387.             pkg.close();

  388.             // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...

  389.             if(e.getCause() == null) {

  390.                 throw e;

  391.             }

  392.             if(!(e.getCause() instanceof ConnectException)) {

  393.                 throw e;

  394.             }

  395.             assertTrue("Only allowing ConnectException with 'timed out' as message here, but had: " + e, e.getCause().getMessage().contains("timed out"));

  396.         }

  397.         

  398.         // verify

  399.         Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();

  400.         assertTrue(spIter.hasNext());

  401.         SignaturePart sp = spIter.next();

  402.         boolean valid = sp.validate();

  403.         assertTrue(valid);

  404.         

  405.         SignatureDocument sigDoc = sp.getSignatureDocument();

  406.         String declareNS = 

  407.             "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; "

  408.           + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";

  409.         

  410.         String digestValXQuery = declareNS +

  411.             "$this/ds:Signature/ds:SignedInfo/ds:Reference";

  412.         for (ReferenceType rt : (ReferenceType[])sigDoc.selectPath(digestValXQuery)) {

  413.             assertNotNull(rt.getDigestValue());

  414.             assertEquals(signatureConfig.getDigestMethodUri(), rt.getDigestMethod().getAlgorithm());

  415.         }

  416. 

  417.         String certDigestXQuery = declareNS +

  418.             "$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";

  419.         XmlObject xoList[] = sigDoc.selectPath(certDigestXQuery);

  420.         assertEquals(xoList.length, 1);

  421.         DigestAlgAndValueType certDigest = (DigestAlgAndValueType)xoList[0];

  422.         assertNotNull(certDigest.getDigestValue());

  423. 

  424.         String qualPropXQuery = declareNS +

  425.             "$this/ds:Signature/ds:Object/xades:QualifyingProperties";

  426.         xoList = sigDoc.selectPath(qualPropXQuery);

  427.         assertEquals(xoList.length, 1);

  428.         QualifyingPropertiesType qualProp = (QualifyingPropertiesType)xoList[0];

  429.         boolean qualPropXsdOk = qualProp.validate();

  430.         assertTrue(qualPropXsdOk);

  431. 

  432.         pkg.close();

  433.     }

  434. 

  435.     public static String getAccessError(String destinationUrl, boolean fireRequest, int timeout) {

  436.         URL url;

  437.         try {

  438.             url = new URL(destinationUrl);

  439.         } catch (MalformedURLException e) {

  440.             throw new IllegalArgumentException("Invalid destination URL", e);

  441.         }

  442. 

  443.         HttpURLConnection conn = null;

  444.         try {

  445.             conn = (HttpURLConnection) url.openConnection();

  446. 

  447.             // set specified timeout if non-zero

  448.             if(timeout != 0) {

  449.                 conn.setConnectTimeout(timeout);

  450.                 conn.setReadTimeout(timeout);

  451.             }

  452. 

  453.             conn.setDoOutput(false);

  454.             conn.setDoInput(true);

  455. 

  456.             /* if connecting is not possible this will throw a connection refused exception */

  457.             conn.connect();

  458. 

  459.             if (fireRequest) {

  460.                 InputStream is = null;

  461.                 try {

  462.                     is = conn.getInputStream();

  463.                 } finally {

  464.                     IOUtils.closeQuietly(is);

  465.                 }

  466. 

  467.             }

  468.             /* if connecting is possible we return true here */

  469.             return null;

  470. 

  471.         } catch (IOException e) {

  472.             /* exception is thrown -> server not available */

  473.             return e.getClass().getName() + ": " + e.getMessage();

  474.         } finally {

  475.             if (conn != null) {

  476.                 conn.disconnect();

  477.             }

  478.         }

  479.     }

  480.     

  481.     @Test

  482.     public void testCertChain() throws Exception {

  483.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  484.         String password = "test";

  485.         InputStream is = testdata.openResourceAsStream("chaintest.pfx");

  486.         keystore.load(is, password.toCharArray());

  487.         is.close();

  488. 

  489.         Key key = keystore.getKey("poitest", password.toCharArray());

  490.         Certificate chainList[] = keystore.getCertificateChain("poitest");

  491.         List<X509Certificate> certChain = new ArrayList<X509Certificate>();

  492.         for (Certificate c : chainList) {

  493.             certChain.add((X509Certificate)c);

  494.         }

  495.         x509 = certChain.get(0);

  496.         keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  497.         

  498.         String testFile = "hello-world-unsigned.xlsx";

  499.         OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  500. 

  501.         SignatureConfig signatureConfig = new SignatureConfig();

  502.         signatureConfig.setKey(keyPair.getPrivate());

  503.         signatureConfig.setSigningCertificateChain(certChain);

  504.         Calendar oldCal = LocaleUtil.getLocaleCalendar(2007, 7, 1);

  505.         signatureConfig.setExecutionTime(oldCal.getTime());

  506.         signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  507.         signatureConfig.setOpcPackage(pkg);

  508.         

  509.         SignatureInfo si = new SignatureInfo();

  510.         si.setSignatureConfig(signatureConfig);

  511. 

  512.         si.confirmSignature();

  513.         

  514.         for (SignaturePart sp : si.getSignatureParts()){

  515.             assertTrue("Could not validate", sp.validate());

  516.             X509Certificate signer = sp.getSigner();

  517.             assertNotNull("signer undefined?!", signer);

  518.             List<X509Certificate> certChainRes = sp.getCertChain();

  519.             assertEquals(3, certChainRes.size());

  520.         }

  521.         

  522.         pkg.close();

  523.     }

  524. 

  525.     @Test

  526.     public void testNonSha1() throws Exception {

  527.         String testFile = "hello-world-unsigned.xlsx";

  528.         initKeyPair("Test", "CN=Test");

  529. 

  530.         SignatureConfig signatureConfig = new SignatureConfig();

  531.         signatureConfig.setKey(keyPair.getPrivate());

  532.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  533. 

  534.         HashAlgorithm testAlgo[] = { HashAlgorithm.sha224, HashAlgorithm.sha256

  535.             , HashAlgorithm.sha384, HashAlgorithm.sha512, HashAlgorithm.ripemd160 }; 

  536.         

  537.         for (HashAlgorithm ha : testAlgo) {

  538.             OPCPackage pkg = null;

  539.             try {

  540.                 signatureConfig.setDigestAlgo(ha);

  541.                 pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);

  542.                 signatureConfig.setOpcPackage(pkg);

  543.                 

  544.                 SignatureInfo si = new SignatureInfo();

  545.                 si.setSignatureConfig(signatureConfig);

  546.         

  547.                 si.confirmSignature();

  548.                 boolean b = si.verifySignature();

  549.                 assertTrue("Signature not correctly calculated for " + ha, b);

  550.             } finally {

  551.                 if (pkg != null) pkg.close();

  552.             }

  553.         }

  554.     }

  555. 

  556.     @Test

  557.     public void bug58630() throws Exception {

  558.         // test deletion of sheet 0 and signing

  559.         File tpl = copy(testdata.getFile("bug58630.xlsx"));

  560.         SXSSFWorkbook wb1 = new SXSSFWorkbook((XSSFWorkbook)WorkbookFactory.create(tpl), 10);

  561.         wb1.setCompressTempFiles(true);

  562.         wb1.removeSheetAt(0);

  563.         ByteArrayOutputStream os = new ByteArrayOutputStream();

  564.         wb1.write(os);

  565.         wb1.close();

  566.         OPCPackage pkg = OPCPackage.open(new ByteArrayInputStream(os.toByteArray()));

  567.         

  568.         initKeyPair("Test", "CN=Test");

  569.         SignatureConfig signatureConfig = new SignatureConfig();

  570.         signatureConfig.setKey(keyPair.getPrivate());

  571.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  572.         signatureConfig.setOpcPackage(pkg);

  573.         

  574.         SignatureInfo si = new SignatureInfo();

  575.         si.setSignatureConfig(signatureConfig);

  576.         si.confirmSignature();

  577.         assertTrue("invalid signature", si.verifySignature());

  578.         

  579.         pkg.close();

  580.     }

  581.     

  582.     

  583.     private void sign(OPCPackage pkgCopy, String alias, String signerDn, int signerCount) throws Exception {

  584.         initKeyPair(alias, signerDn);

  585. 

  586.         SignatureConfig signatureConfig = new SignatureConfig();

  587.         signatureConfig.setKey(keyPair.getPrivate());

  588.         signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));

  589.         signatureConfig.setExecutionTime(cal.getTime());

  590.         signatureConfig.setDigestAlgo(HashAlgorithm.sha1);

  591.         signatureConfig.setOpcPackage(pkgCopy);

  592.         

  593.         SignatureInfo si = new SignatureInfo();

  594.         si.setSignatureConfig(signatureConfig);

  595. 

  596.         Document document = DocumentHelper.createDocument();

  597. 

  598.         // operate

  599.         DigestInfo digestInfo = si.preSign(document, null);

  600. 

  601.         // verify

  602.         assertNotNull(digestInfo);

  603.         LOG.log(POILogger.DEBUG, "digest algo: " + digestInfo.hashAlgo);

  604.         LOG.log(POILogger.DEBUG, "digest description: " + digestInfo.description);

  605.         assertEquals("Office OpenXML Document", digestInfo.description);

  606.         assertNotNull(digestInfo.hashAlgo);

  607.         assertNotNull(digestInfo.digestValue);

  608. 

  609.         // setup: key material, signature value

  610.         byte[] signatureValue = si.signDigest(digestInfo.digestValue);

  611.         

  612.         // operate: postSign

  613.         si.postSign(document, signatureValue);

  614. 

  615.         // verify: signature

  616.         si.getSignatureConfig().setOpcPackage(pkgCopy);

  617.         List<X509Certificate> result = new ArrayList<X509Certificate>();

  618.         for (SignaturePart sp : si.getSignatureParts()) {

  619.             if (sp.validate()) {

  620.                 result.add(sp.getSigner());

  621.             }

  622.         }

  623.         assertEquals(signerCount, result.size());

  624.     }

  625. 

  626.     private void initKeyPair(String alias, String subjectDN) throws Exception {

  627.         final char password[] = "test".toCharArray();

  628.         File file = new File("build/test.pfx");

  629. 

  630.         KeyStore keystore = KeyStore.getInstance("PKCS12");

  631. 

  632.         if (file.exists()) {

  633.             FileInputStream fis = new FileInputStream(file);

  634.             keystore.load(fis, password);

  635.             fis.close();

  636.         } else {

  637.             keystore.load(null, password);

  638.         }

  639. 

  640.         if (keystore.isKeyEntry(alias)) {

  641.             Key key = keystore.getKey(alias, password);

  642.             x509 = (X509Certificate)keystore.getCertificate(alias);

  643.             keyPair = new KeyPair(x509.getPublicKey(), (PrivateKey)key);

  644.         } else {

  645.             keyPair = PkiTestUtils.generateKeyPair();

  646.             Date notBefore = cal.getTime();

  647.             Calendar cal2 = (Calendar)cal.clone();

  648.             cal2.add(Calendar.YEAR, 1);

  649.             Date notAfter = cal2.getTime();

  650.             KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);

  651.             

  652.             x509 = PkiTestUtils.generateCertificate(keyPair.getPublic(), subjectDN

  653.                 , notBefore, notAfter, null, keyPair.getPrivate(), true, 0, null, null, keyUsage);

  654. 

  655.             keystore.setKeyEntry(alias, keyPair.getPrivate(), password, new Certificate[]{x509});

  656.             FileOutputStream fos = new FileOutputStream(file);

  657.             keystore.store(fos, password);

  658.             fos.close();

  659.         }

  660.     }

  661. 

  662.     private static File copy(File input) throws IOException {

  663.         String extension = input.getName().replaceAll(".*?(\\.[^.]+)?$", "$1");

  664.         if (extension == null || "".equals(extension)) {

  665.             extension = ".zip";

  666.         }

  667. 

  668.         // ensure that we create the "build" directory as it might not be existing

  669.         // in the Sonar Maven runs where we are at a different source directory

  670.         File buildDir = new File("build");

  671.         if(!buildDir.exists()) {

  672.             assertTrue("Failed to create " + buildDir.getAbsolutePath(), 

  673.                     buildDir.mkdirs());

  674.         }

  675.         File tmpFile = new File(buildDir, "sigtest"+extension);

  676. 

  677.         OutputStream fos = new FileOutputStream(tmpFile);

  678.         try {

  679.             InputStream fis = new FileInputStream(input);

  680.             try {

  681.                 IOUtils.copy(fis, fos);

  682.             } finally {

  683.                 fis.close();

  684.             }

  685.         } finally {

  686.             fos.close();

  687.         }

  688. 

  689.         return tmpFile;

  690.     }

  691. 

  692. }