mirrors
/
poi
огледало от https://github.com/apache/poi.git
Наблюдаван 1
Харесван 0
Разклонения 0
Код Задачи 0 Версии 100 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12612 Ревизии
24 Клонове
ИН на ревизия: 99634d6af6
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от '99634d6af6'
${ noResults }
poi/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLSignatureFacet.java

XAdESXLSignatureFacet.java 19KB
Директен файл Blame История

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */

  24. 

  25. package org.apache.poi.poifs.crypt.dsig.facets;

  26. 

  27. import static java.util.Optional.ofNullable;

  28. import static org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS;

  29. import static org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet.insertXChild;

  30. 

  31. import java.io.IOException;

  32. import java.math.BigInteger;

  33. import java.security.cert.CRLException;

  34. import java.security.cert.CertificateEncodingException;

  35. import java.security.cert.CertificateException;

  36. import java.security.cert.CertificateFactory;

  37. import java.security.cert.X509CRL;

  38. import java.security.cert.X509Certificate;

  39. import java.util.Arrays;

  40. import java.util.Calendar;

  41. import java.util.List;

  42. import java.util.Locale;

  43. import java.util.TimeZone;

  44. 

  45. import javax.xml.crypto.MarshalException;

  46. 

  47. import org.apache.commons.io.input.UnsynchronizedByteArrayInputStream;

  48. import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream;

  49. import org.apache.logging.log4j.LogManager;

  50. import org.apache.logging.log4j.Logger;

  51. import org.apache.poi.poifs.crypt.dsig.SignatureConfig;

  52. import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

  53. import org.apache.poi.poifs.crypt.dsig.services.RevocationData;

  54. import org.apache.poi.poifs.crypt.dsig.services.RevocationDataService;

  55. import org.apache.xml.security.c14n.Canonicalizer;

  56. import org.apache.xmlbeans.XmlException;

  57. import org.bouncycastle.asn1.ASN1InputStream;

  58. import org.bouncycastle.asn1.ASN1Integer;

  59. import org.bouncycastle.asn1.ASN1OctetString;

  60. import org.bouncycastle.asn1.DERTaggedObject;

  61. import org.bouncycastle.asn1.ocsp.ResponderID;

  62. import org.bouncycastle.asn1.x500.X500Name;

  63. import org.bouncycastle.asn1.x509.Extension;

  64. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  65. import org.bouncycastle.cert.ocsp.OCSPResp;

  66. import org.bouncycastle.cert.ocsp.RespID;

  67. import org.etsi.uri.x01903.v13.*;

  68. import org.etsi.uri.x01903.v14.TimeStampValidationDataDocument;

  69. import org.etsi.uri.x01903.v14.ValidationDataType;

  70. import org.w3.x2000.x09.xmldsig.CanonicalizationMethodType;

  71. import org.w3c.dom.Document;

  72. import org.w3c.dom.Element;

  73. import org.w3c.dom.Node;

  74. import org.w3c.dom.NodeList;

  75. 

  76. /**

  77.  * XAdES-X-L v1.4.1 signature facet. This signature facet implementation will

  78.  * upgrade a given XAdES-BES/EPES signature to XAdES-X-L.

  79.  * If no revocation data service is set, only a XAdES-T signature is created.

  80.  *

  81.  * We don't inherit from XAdESSignatureFacet as we also want to be able to use

  82.  * this facet out of the context of a signature creation. This signature facet

  83.  * assumes that the signature is already XAdES-BES/EPES compliant.

  84.  *

  85.  * @see XAdESSignatureFacet

  86.  */

  87. public class XAdESXLSignatureFacet implements SignatureFacet {

  88. 

  89.     private static final Logger LOG = LogManager.getLogger(XAdESXLSignatureFacet.class);

  90. 

  91.     private final CertificateFactory certificateFactory;

  92. 

  93.     public XAdESXLSignatureFacet() {

  94.         try {

  95.             this.certificateFactory = CertificateFactory.getInstance("X.509");

  96.         } catch (CertificateException e) {

  97.             throw new IllegalStateException("X509 JCA error: " + e.getMessage(), e);

  98.         }

  99.     }

  100. 

  101.     @Override

  102.     public void postSign(SignatureInfo signatureInfo, Document document) throws MarshalException {

  103.         LOG.atDebug().log("XAdES-X-L post sign phase");

  104. 

  105.         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();

  106. 

  107.         // check for XAdES-BES

  108.         NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties");

  109.         QualifyingPropertiesType qualProps = getQualProps(qualNl);

  110. 

  111.         // create basic XML container structure

  112.         UnsignedPropertiesType unsignedProps =

  113.             ofNullable(qualProps.getUnsignedProperties()).orElseGet(qualProps::addNewUnsignedProperties);

  114.         UnsignedSignaturePropertiesType unsignedSigProps =

  115.             ofNullable(unsignedProps.getUnsignedSignatureProperties()).orElseGet(unsignedProps::addNewUnsignedSignatureProperties);

  116. 

  117.         final NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue");

  118.         if (nlSigVal.getLength() != 1) {

  119.             throw new IllegalArgumentException("SignatureValue is not set.");

  120.         }

  121.         final Element sigVal = (Element)nlSigVal.item(0);

  122. 

  123. 

  124.         // Without revocation data service we cannot construct the XAdES-C extension.

  125.         RevocationDataService revDataSvc = signatureConfig.getRevocationDataService();

  126.         if (revDataSvc != null) {

  127.             // XAdES-X-L

  128.             addCertificateValues(unsignedSigProps, signatureConfig);

  129.         }

  130. 

  131.         LOG.atDebug().log("creating XAdES-T time-stamp");

  132. 

  133.         // xadesv141::TimeStampValidationData

  134.         XAdESTimeStampType signatureTimeStamp;

  135.         try {

  136.             final RevocationData tsaRevocationDataXadesT = new RevocationData();

  137.             signatureTimeStamp = createXAdESTimeStamp(signatureInfo, tsaRevocationDataXadesT, sigVal);

  138.             unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp);

  139. 

  140.             if (tsaRevocationDataXadesT.hasRevocationDataEntries()) {

  141.                 TimeStampValidationDataDocument validationData = createValidationData(tsaRevocationDataXadesT);

  142.                 insertXChild(unsignedSigProps, validationData);

  143.             }

  144.         } catch (CertificateEncodingException e) {

  145.             throw new MarshalException("unable to create XAdES signature", e);

  146.         }

  147. 

  148. 

  149.         if (revDataSvc != null) {

  150.             // XAdES-C: complete certificate refs

  151.             CompleteCertificateRefsType completeCertificateRefs = completeCertificateRefs(unsignedSigProps, signatureConfig);

  152. 

  153.             // XAdES-C: complete revocation refs

  154.             RevocationData revocationData = revDataSvc.getRevocationData(signatureConfig.getSigningCertificateChain());

  155.             CompleteRevocationRefsType completeRevocationRefs = unsignedSigProps.addNewCompleteRevocationRefs();

  156.             addRevocationCRL(completeRevocationRefs, signatureConfig, revocationData);

  157.             addRevocationOCSP(completeRevocationRefs, signatureConfig, revocationData);

  158. 

  159.             RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues();

  160.             createRevocationValues(revocationValues, revocationData);

  161. 

  162.             // XAdES-X Type 1 timestamp

  163.             LOG.atDebug().log("creating XAdES-X time-stamp");

  164.             revocationData = new RevocationData();

  165.             XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp(signatureInfo, revocationData,

  166.                     sigVal, signatureTimeStamp.getDomNode(), completeCertificateRefs.getDomNode(), completeRevocationRefs.getDomNode());

  167. 

  168.             // marshal XAdES-X

  169.             unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1);

  170.         }

  171. 

  172. 

  173. 

  174. 

  175.         // marshal XAdES-X-L

  176.         Element n = (Element)document.importNode(qualProps.getDomNode(), true);

  177.         NodeList nl = n.getElementsByTagName("TimeStampValidationData");

  178.         for (int i=0; i<nl.getLength(); i++) {

  179.             ((Element)nl.item(i)).setAttributeNS(XML_NS, "xmlns", "http://uri.etsi.org/01903/v1.4.1#");

  180.         }

  181.         Node qualNL0 = qualNl.item(0);

  182.         qualNL0.getParentNode().replaceChild(n, qualNL0);

  183.     }

  184. 

  185.     private QualifyingPropertiesType getQualProps(NodeList qualNl) throws MarshalException {

  186.         // check for XAdES-BES

  187.         if (qualNl.getLength() != 1) {

  188.             throw new MarshalException("no XAdES-BES extension present");

  189.         }

  190. 

  191.         try {

  192.             Node first = qualNl.item(0);

  193.             QualifyingPropertiesDocument qualDoc = QualifyingPropertiesDocument.Factory.parse(first, DEFAULT_XML_OPTIONS);

  194.             return qualDoc.getQualifyingProperties();

  195.         } catch (XmlException e) {

  196.             throw new MarshalException(e);

  197.         }

  198.     }

  199. 

  200.     private CompleteCertificateRefsType completeCertificateRefs(UnsignedSignaturePropertiesType unsignedSigProps, SignatureConfig signatureConfig) {

  201.         CompleteCertificateRefsType completeCertificateRefs = unsignedSigProps.addNewCompleteCertificateRefs();

  202. 

  203.         CertIDListType certIdList = completeCertificateRefs.addNewCertRefs();

  204.         /*

  205.          * We skip the signing certificate itself according to section

  206.          * 4.4.3.2 of the XAdES 1.4.1 specification.

  207.          */

  208.         List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain();

  209.         certChain.stream().skip(1).forEachOrdered(cert ->

  210.             XAdESSignatureFacet.setCertID(certIdList.addNewCert(), signatureConfig, false, cert)

  211.         );

  212. 

  213.         return completeCertificateRefs;

  214.     }

  215. 

  216.     private void addRevocationCRL(CompleteRevocationRefsType completeRevocationRefs, SignatureConfig signatureConfig, RevocationData revocationData) {

  217.         if (revocationData.hasCRLs()) {

  218.             CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs();

  219.             completeRevocationRefs.setCRLRefs(crlRefs);

  220. 

  221.             for (byte[] encodedCrl : revocationData.getCRLs()) {

  222.                 CRLRefType crlRef = crlRefs.addNewCRLRef();

  223.                 X509CRL crl;

  224.                 try {

  225.                     crl = (X509CRL) this.certificateFactory

  226.                         .generateCRL(UnsynchronizedByteArrayInputStream.builder().setByteArray(encodedCrl).get());

  227.                 } catch (CRLException e) {

  228.                     throw new IllegalStateException("CRL parse error: " + e.getMessage(), e);

  229.                 } catch (IOException e) {

  230.                     // not possible with ByteArray but still declared in the API

  231.                     throw new IllegalStateException(e);

  232.                 }

  233. 

  234.                 CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier();

  235.                 String issuerName = crl.getIssuerX500Principal().getName().replace(",", ", ");

  236.                 crlIdentifier.setIssuer(issuerName);

  237.                 Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);

  238.                 cal.setTime(crl.getThisUpdate());

  239.                 crlIdentifier.setIssueTime(cal);

  240.                 crlIdentifier.setNumber(getCrlNumber(crl));

  241. 

  242.                 DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue();

  243.                 XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo());

  244.             }

  245.         }

  246.     }

  247. 

  248.     private void addRevocationOCSP(CompleteRevocationRefsType completeRevocationRefs, SignatureConfig signatureConfig, RevocationData revocationData) {

  249.         if (revocationData.hasOCSPs()) {

  250.             OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs();

  251.             for (byte[] ocsp : revocationData.getOCSPs()) {

  252.                 try {

  253.                     OCSPRefType ocspRef = ocspRefs.addNewOCSPRef();

  254. 

  255.                     DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue();

  256.                     XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo());

  257. 

  258.                     OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier();

  259. 

  260.                     OCSPResp ocspResp = new OCSPResp(ocsp);

  261. 

  262.                     BasicOCSPResp basicOcspResp = (BasicOCSPResp)ocspResp.getResponseObject();

  263. 

  264.                     Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("Z"), Locale.ROOT);

  265.                     cal.setTime(basicOcspResp.getProducedAt());

  266.                     ocspIdentifier.setProducedAt(cal);

  267. 

  268.                     ResponderIDType responderId = ocspIdentifier.addNewResponderID();

  269. 

  270.                     RespID respId = basicOcspResp.getResponderId();

  271.                     ResponderID ocspResponderId = respId.toASN1Primitive();

  272.                     DERTaggedObject derTaggedObject = (DERTaggedObject)ocspResponderId.toASN1Primitive();

  273.                     if (2 == derTaggedObject.getTagNo()) {

  274.                         ASN1OctetString keyHashOctetString = (ASN1OctetString)derTaggedObject.getBaseObject();

  275.                         byte[] key = keyHashOctetString.getOctets();

  276.                         responderId.setByKey(key);

  277.                     } else {

  278.                         X500Name name = X500Name.getInstance(derTaggedObject.getBaseObject());

  279.                         String nameStr = name.toString();

  280.                         responderId.setByName(nameStr);

  281.                     }

  282.                 } catch (Exception e) {

  283.                     throw new IllegalStateException("OCSP decoding error: " + e.getMessage(), e);

  284.                 }

  285.             }

  286.         }

  287.     }

  288. 

  289.     private void addCertificateValues(UnsignedSignaturePropertiesType unsignedSigProps, SignatureConfig signatureConfig) {

  290.         List<X509Certificate> chain = signatureConfig.getSigningCertificateChain();

  291.         if (chain.size() < 2) {

  292.             return;

  293.         }

  294.         CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues();

  295.         try {

  296.             for (X509Certificate certificate : chain.subList(1, chain.size())) {

  297.                 certificateValues.addNewEncapsulatedX509Certificate().setByteArrayValue(certificate.getEncoded());

  298.             }

  299.         } catch (CertificateEncodingException e) {

  300.             throw new IllegalStateException("certificate encoding error: " + e.getMessage(), e);

  301.         }

  302.     }

  303. 

  304.     private static byte[] getC14nValue(List<Node> nodeList, String c14nAlgoId) {

  305.         try (UnsynchronizedByteArrayOutputStream c14nValue = UnsynchronizedByteArrayOutputStream.builder().get()) {

  306.             for (Node node : nodeList) {

  307.                 /*

  308.                  * Re-initialize the c14n else the namespaces will get cached

  309.                  * and will be missing from the c14n resulting nodes.

  310.                  */

  311.                 Canonicalizer c14n = Canonicalizer.getInstance(c14nAlgoId);

  312.                 c14n.canonicalizeSubtree(node, c14nValue);

  313.             }

  314.             return c14nValue.toByteArray();

  315.         } catch (RuntimeException e) {

  316.             throw e;

  317.         } catch (Exception e) {

  318.             throw new IllegalStateException("c14n error: " + e.getMessage(), e);

  319.         }

  320.     }

  321. 

  322.     private BigInteger getCrlNumber(X509CRL crl) {

  323.         byte[] crlNumberExtensionValue = crl.getExtensionValue(Extension.cRLNumber.getId());

  324.         if (null == crlNumberExtensionValue) {

  325.             return null;

  326.         }

  327. 

  328.         try (ASN1InputStream asn1IS1 = new ASN1InputStream(crlNumberExtensionValue)) {

  329.             ASN1OctetString octetString = (ASN1OctetString)asn1IS1.readObject();

  330.             byte[] octets = octetString.getOctets();

  331.             try (ASN1InputStream asn1IS2 = new ASN1InputStream(octets)) {

  332.                 ASN1Integer integer = (ASN1Integer) asn1IS2.readObject();

  333.                 return integer.getPositiveValue();

  334.             }

  335.         } catch (IOException e) {

  336.             throw new IllegalStateException("I/O error: " + e.getMessage(), e);

  337.         }

  338.     }

  339. 

  340.     private XAdESTimeStampType createXAdESTimeStamp(

  341.             SignatureInfo signatureInfo,

  342.             RevocationData revocationData,

  343.             Node... nodes) {

  344.         SignatureConfig signatureConfig = signatureInfo.getSignatureConfig();

  345.         byte[] c14nSignatureValueElement = getC14nValue(Arrays.asList(nodes), signatureConfig.getXadesCanonicalizationMethod());

  346. 

  347.         // create the time-stamp

  348.         byte[] timeStampToken;

  349.         try {

  350.             timeStampToken = signatureConfig.getTspService().timeStamp(signatureInfo, c14nSignatureValueElement, revocationData);

  351.         } catch (Exception e) {

  352.             throw new IllegalStateException("error while creating a time-stamp: "

  353.                 + e.getMessage(), e);

  354.         }

  355. 

  356.         // create a XAdES time-stamp container

  357.         XAdESTimeStampType xadesTimeStamp = XAdESTimeStampType.Factory.newInstance();

  358.         CanonicalizationMethodType c14nMethod = xadesTimeStamp.addNewCanonicalizationMethod();

  359.         c14nMethod.setAlgorithm(signatureConfig.getXadesCanonicalizationMethod());

  360. 

  361.         // embed the time-stamp

  362.         EncapsulatedPKIDataType encapsulatedTimeStamp = xadesTimeStamp.addNewEncapsulatedTimeStamp();

  363.         encapsulatedTimeStamp.setByteArrayValue(timeStampToken);

  364. 

  365.         return xadesTimeStamp;

  366.     }

  367. 

  368.     private TimeStampValidationDataDocument createValidationData(RevocationData revocationData)

  369.     throws CertificateEncodingException {

  370.         TimeStampValidationDataDocument doc = TimeStampValidationDataDocument.Factory.newInstance();

  371.         ValidationDataType validationData = doc.addNewTimeStampValidationData();

  372.         List<X509Certificate> tspChain = revocationData.getX509chain();

  373. 

  374.         if (tspChain.size() > 1) {

  375.             CertificateValuesType cvals = validationData.addNewCertificateValues();

  376.             for (X509Certificate x509 : tspChain.subList(1, tspChain.size())) {

  377.                 byte[] encoded = x509.getEncoded();

  378.                 cvals.addNewEncapsulatedX509Certificate().setByteArrayValue(encoded);

  379.             }

  380.         }

  381.         RevocationValuesType revocationValues = validationData.addNewRevocationValues();

  382.         createRevocationValues(revocationValues, revocationData);

  383.         return doc;

  384.     }

  385. 

  386.     private void createRevocationValues(

  387.             RevocationValuesType revocationValues, RevocationData revocationData) {

  388.         if (revocationData.hasCRLs()) {

  389.             CRLValuesType crlValues = revocationValues.addNewCRLValues();

  390.             for (byte[] crl : revocationData.getCRLs()) {

  391.                 EncapsulatedPKIDataType encapsulatedCrlValue = crlValues.addNewEncapsulatedCRLValue();

  392.                 encapsulatedCrlValue.setByteArrayValue(crl);

  393.             }

  394.         }

  395.         if (revocationData.hasOCSPs()) {

  396.             OCSPValuesType ocspValues = revocationValues.addNewOCSPValues();

  397.             for (byte[] ocsp : revocationData.getOCSPs()) {

  398.                 EncapsulatedPKIDataType encapsulatedOcspValue = ocspValues.addNewEncapsulatedOCSPValue();

  399.                 encapsulatedOcspValue.setByteArrayValue(ocsp);

  400.             }

  401.         }

  402.     }

  403. }