mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11630 Commits
26 Branches
Tree: ff6984df00
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ff6984df00'
${ noResults }
poi/poi-ooxml/src/test/java/org/apache/poi/poifs/crypt/dsig/DummyKeystore.java

DummyKeystore.java 16KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353 
  1. /* ====================================================================

  2.    Licensed to the Apache Software Foundation (ASF) under one or more

  3.    contributor license agreements.  See the NOTICE file distributed with

  4.    this work for additional information regarding copyright ownership.

  5.    The ASF licenses this file to You under the Apache License, Version 2.0

  6.    (the "License"); you may not use this file except in compliance with

  7.    the License.  You may obtain a copy of the License at

  8. 

  9.        http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11.    Unless required by applicable law or agreed to in writing, software

  12.    distributed under the License is distributed on an "AS IS" BASIS,

  13.    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14.    See the License for the specific language governing permissions and

  15.    limitations under the License.

  16. ==================================================================== */

  17. 

  18. /* ====================================================================

  19.    This product contains an ASLv2 licensed version of the OOXML signer

  20.    package from the eID Applet project

  21.    http://code.google.com/p/eid-applet/source/browse/trunk/README.txt

  22.    Copyright (C) 2008-2014 FedICT.

  23.    ================================================================= */

  24. package org.apache.poi.poifs.crypt.dsig;

  25. 

  26. import java.io.BufferedReader;

  27. import java.io.ByteArrayInputStream;

  28. import java.io.File;

  29. import java.io.FileInputStream;

  30. import java.io.FileOutputStream;

  31. import java.io.IOException;

  32. import java.io.InputStream;

  33. import java.io.InputStreamReader;

  34. import java.math.BigInteger;

  35. import java.nio.charset.StandardCharsets;

  36. import java.security.GeneralSecurityException;

  37. import java.security.KeyPair;

  38. import java.security.KeyPairGenerator;

  39. import java.security.KeyStore;

  40. import java.security.KeyStoreException;

  41. import java.security.PrivateKey;

  42. import java.security.PublicKey;

  43. import java.security.cert.Certificate;

  44. import java.security.cert.CertificateEncodingException;

  45. import java.security.cert.CertificateException;

  46. import java.security.cert.X509CRL;

  47. import java.security.cert.X509Certificate;

  48. import java.security.interfaces.RSAPublicKey;

  49. import java.security.spec.RSAKeyGenParameterSpec;

  50. import java.util.Calendar;

  51. import java.util.Date;

  52. import java.util.List;

  53. import java.util.stream.Collectors;

  54. import java.util.stream.Stream;

  55. 

  56. import org.apache.poi.poifs.crypt.CryptoFunctions;

  57. import org.apache.poi.poifs.storage.RawDataUtil;

  58. import org.apache.poi.util.LocaleUtil;

  59. import org.apache.poi.util.RandomSingleton;

  60. import org.bouncycastle.asn1.DEROctetString;

  61. import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

  62. import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;

  63. import org.bouncycastle.asn1.x500.X500Name;

  64. import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;

  65. import org.bouncycastle.asn1.x509.BasicConstraints;

  66. import org.bouncycastle.asn1.x509.CRLNumber;

  67. import org.bouncycastle.asn1.x509.Extension;

  68. import org.bouncycastle.asn1.x509.Extensions;

  69. import org.bouncycastle.asn1.x509.KeyUsage;

  70. import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;

  71. import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;

  72. import org.bouncycastle.cert.X509CRLHolder;

  73. import org.bouncycastle.cert.X509CertificateHolder;

  74. import org.bouncycastle.cert.X509ExtensionUtils;

  75. import org.bouncycastle.cert.X509v2CRLBuilder;

  76. import org.bouncycastle.cert.X509v3CertificateBuilder;

  77. import org.bouncycastle.cert.jcajce.JcaX509CRLConverter;

  78. import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

  79. import org.bouncycastle.cert.ocsp.BasicOCSPResp;

  80. import org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;

  81. import org.bouncycastle.cert.ocsp.CertificateID;

  82. import org.bouncycastle.cert.ocsp.CertificateStatus;

  83. import org.bouncycastle.cert.ocsp.OCSPException;

  84. import org.bouncycastle.cert.ocsp.OCSPReq;

  85. import org.bouncycastle.cert.ocsp.OCSPReqBuilder;

  86. import org.bouncycastle.cert.ocsp.OCSPResp;

  87. import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

  88. import org.bouncycastle.cert.ocsp.Req;

  89. import org.bouncycastle.crypto.params.RSAKeyParameters;

  90. import org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory;

  91. import org.bouncycastle.openssl.PEMParser;

  92. import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

  93. import org.bouncycastle.operator.ContentSigner;

  94. import org.bouncycastle.operator.DigestCalculator;

  95. import org.bouncycastle.operator.OperatorCreationException;

  96. import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

  97. import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

  98. 

  99. public class DummyKeystore {

  100.     public static class KeyCertPair {

  101.         private final PrivateKey key;

  102.         private final List<X509Certificate> x509chain;

  103. 

  104.         public KeyCertPair(PrivateKey key, Certificate[] x509chain) {

  105.             this.key = key;

  106.             this.x509chain = Stream.of(x509chain).map(X509Certificate.class::cast).collect(Collectors.toList());

  107.         }

  108. 

  109.         public PrivateKey getKey() {

  110.             return key;

  111.         }

  112. 

  113.         public X509Certificate getX509() {

  114.             return x509chain.get(0);

  115.         }

  116. 

  117.         public List<X509Certificate> getX509Chain() {

  118.             return x509chain;

  119.         }

  120.     }

  121. 

  122.     private static final String DUMMY_ALIAS = "Test";

  123.     private static final String DUMMY_PASS = "test";

  124. 

  125.     private final KeyStore keystore;

  126. 

  127.     public DummyKeystore(String storePass) throws GeneralSecurityException, IOException {

  128.         this((File)null, storePass);

  129.     }

  130. 

  131.     public DummyKeystore(File storeFile, String storePass) throws GeneralSecurityException, IOException {

  132.         CryptoFunctions.registerBouncyCastle();

  133.         keystore = KeyStore.getInstance("PKCS12");

  134.         try (InputStream fis = storeFile != null && storeFile.exists() ? new FileInputStream(storeFile) : null) {

  135.             keystore.load(fis, storePass.toCharArray());

  136.         }

  137.     }

  138. 

  139.     public DummyKeystore(String pfxInput, String storePass) throws GeneralSecurityException, IOException {

  140.         CryptoFunctions.registerBouncyCastle();

  141.         keystore = KeyStore.getInstance("PKCS12");

  142.         try (InputStream fis = new ByteArrayInputStream(RawDataUtil.decompress(pfxInput))) {

  143.             keystore.load(fis, storePass.toCharArray());

  144.         }

  145.     }

  146. 

  147.     /**

  148.      * Create dummy key

  149.      * @return the alias of the dummy key

  150.      */

  151.     public KeyCertPair createDummyKey() throws GeneralSecurityException, IOException, OperatorCreationException {

  152.         return addEntry(DUMMY_ALIAS, DUMMY_PASS, 2048, 24);

  153.     }

  154. 

  155.     public KeyCertPair addEntryFromPEM(File pemFile, String keyPass) throws IOException, CertificateException, KeyStoreException {

  156.         PrivateKey key = null;

  157.         X509Certificate x509 = null;

  158. 

  159.         try (BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(pemFile), StandardCharsets.ISO_8859_1))) {

  160.             PEMParser parser = new PEMParser(br);

  161.             for (Object obj; (obj = parser.readObject()) != null; ) {

  162.                 if (obj instanceof PrivateKeyInfo) {

  163.                     key = new JcaPEMKeyConverter().setProvider("BC").getPrivateKey((PrivateKeyInfo)obj);

  164.                 } else if (obj instanceof X509CertificateHolder) {

  165.                     x509 = new JcaX509CertificateConverter().setProvider("BC").getCertificate((X509CertificateHolder)obj);

  166.                 }

  167.             }

  168.         }

  169. 

  170.         if (key == null || x509 == null) {

  171.             throw new IOException("Please add private key and certificate in the PEM file.");

  172.         }

  173. 

  174.         String alias = x509.getSubjectX500Principal().getName();

  175.         keystore.setKeyEntry(alias, key, keyPass.toCharArray(), new Certificate[]{x509});

  176. 

  177.         return new KeyCertPair(key, new Certificate[]{x509});

  178.     }

  179. 

  180. 

  181.     /**

  182.      * Add an entry with password, keySize and expiry values. Ignore if alias is already in keystore

  183.      * @param keySize multiple of 1024, e.g. 1024, 2048

  184.      */

  185.     public KeyCertPair addEntry(String keyAlias, String keyPass, int keySize, int expiryInMonths) throws GeneralSecurityException, IOException, OperatorCreationException {

  186.         if (!keystore.isKeyEntry(keyAlias)) {

  187.             KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");

  188.             keyPairGenerator.initialize(new RSAKeyGenParameterSpec(keySize, RSAKeyGenParameterSpec.F4), RandomSingleton.getInstance());

  189.             KeyPair pair = keyPairGenerator.generateKeyPair();

  190. 

  191.             Date notBefore = new Date();

  192.             Calendar cal = LocaleUtil.getLocaleCalendar(LocaleUtil.TIMEZONE_UTC);

  193.             cal.add(Calendar.MONTH, expiryInMonths);

  194.             Date notAfter = cal.getTime();

  195.             KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature);

  196. 

  197.             X509Certificate x509 = generateCertificate(pair.getPublic(), notBefore, notAfter, pair.getPrivate(), keyUsage);

  198.             keystore.setKeyEntry(keyAlias, pair.getPrivate(), keyPass.toCharArray(), new Certificate[]{x509});

  199.             return new KeyCertPair(pair.getPrivate(), new X509Certificate[]{x509});

  200.         } else {

  201.             return new KeyCertPair(getKey(keyAlias, keyPass), keystore.getCertificateChain(keyAlias));

  202.         }

  203.     }

  204. 

  205.     public KeyCertPair getKeyPair(String keyAlias, String keyPass) throws GeneralSecurityException {

  206.         return new KeyCertPair(getKey(keyAlias, keyPass), keystore.getCertificateChain(keyAlias));

  207.     }

  208. 

  209.     public PrivateKey getKey(String keyAlias, String keyPass) throws GeneralSecurityException {

  210.         return (PrivateKey)keystore.getKey(keyAlias, keyPass.toCharArray());

  211.     }

  212. 

  213.     public X509Certificate getFirstX509(String alias) throws KeyStoreException {

  214.         return (X509Certificate)keystore.getCertificate(alias);

  215.     }

  216. 

  217.     public void save(File storeFile, String storePass) throws IOException, GeneralSecurityException {

  218.         try (FileOutputStream fos = new FileOutputStream(storeFile)) {

  219.             keystore.store(fos, storePass.toCharArray());

  220.         }

  221.     }

  222. 

  223.     public X509CRL generateCrl(KeyCertPair certPair)

  224.         throws GeneralSecurityException, IOException, OperatorCreationException {

  225. 

  226.         PrivateKey issuerPrivateKey = certPair.getKey();

  227.         X509Certificate issuer = certPair.getX509();

  228. 

  229.         X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded());

  230.         X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date());

  231.         crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000));

  232.         JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC");

  233. 

  234.         CRLNumber crlNumber = new CRLNumber(new BigInteger("1234"));

  235. 

  236.         crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber);

  237.         X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey));

  238.         return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl);

  239.     }

  240. 

  241. 

  242. 

  243.     private static X509Certificate generateCertificate(PublicKey subjectPublicKey,

  244.         Date notBefore, Date notAfter,

  245.         PrivateKey issuerPrivateKey,

  246.         KeyUsage keyUsage)

  247.         throws IOException, OperatorCreationException, CertificateException {

  248.         final String signatureAlgorithm = "SHA1withRSA";

  249.         final String subjectDn = "CN=Test";

  250.         X500Name issuerName = new X500Name(subjectDn);

  251. 

  252.         RSAPublicKey rsaPubKey = (RSAPublicKey)subjectPublicKey;

  253.         RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent());

  254. 

  255.         SubjectPublicKeyInfo subjectPublicKeyInfo =

  256.             SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec);

  257. 

  258.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  259.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  260. 

  261.         X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(

  262.             issuerName

  263.             , new BigInteger(128, RandomSingleton.getInstance())

  264.             , notBefore

  265.             , notAfter

  266.             , new X500Name(subjectDn)

  267.             , subjectPublicKeyInfo

  268.         );

  269. 

  270.         X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc);

  271.         SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo);

  272.         AuthorityKeyIdentifier autKeyId = exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo);

  273. 

  274.         certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId);

  275.         certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId);

  276. 

  277.         BasicConstraints bc = new BasicConstraints(0);

  278.         certificateGenerator.addExtension(Extension.basicConstraints, false, bc);

  279. 

  280.         if (null != keyUsage) {

  281.             certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage);

  282.         }

  283. 

  284.         JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);

  285.         signerBuilder.setProvider("BC");

  286. 

  287.         X509CertificateHolder certHolder =

  288.             certificateGenerator.build(signerBuilder.build(issuerPrivateKey));

  289. 

  290.         return new JcaX509CertificateConverter().getCertificate(certHolder);

  291.     }

  292. 

  293.     public OCSPResp createOcspResp(KeyCertPair certPair, long nonceTimeinMillis)

  294.     throws OperatorCreationException, OCSPException, CertificateEncodingException, IOException {

  295.         X509Certificate certificate = certPair.getX509();

  296.         X509Certificate issuerCertificate = certPair.getX509();

  297.         X509Certificate ocspResponderCertificate = certPair.getX509();

  298.         PrivateKey ocspResponderPrivateKey = certPair.getKey();

  299. 

  300. 

  301.         DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder()

  302.             .setProvider("BC").build().get(CertificateID.HASH_SHA1);

  303.         X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded());

  304.         CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber());

  305. 

  306.         // request

  307.         //create a nonce to avoid replay attack

  308.         BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis);

  309.         DEROctetString nonceDer = new DEROctetString(nonce.toByteArray());

  310.         Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer);

  311.         Extensions exts = new Extensions(ext);

  312. 

  313.         OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder();

  314.         ocspReqBuilder.addRequest(certId);

  315.         ocspReqBuilder.setRequestExtensions(exts);

  316.         OCSPReq ocspReq = ocspReqBuilder.build();

  317. 

  318. 

  319.         SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo

  320.             (CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded());

  321. 

  322.         BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc);

  323.         basicOCSPRespBuilder.setResponseExtensions(exts);

  324. 

  325.         // request processing

  326.         Req[] requestList = ocspReq.getRequestList();

  327.         for (Req ocspRequest : requestList) {

  328.             CertificateID certificateID = ocspRequest.getCertID();

  329.             CertificateStatus certificateStatus = CertificateStatus.GOOD;

  330.             basicOCSPRespBuilder.addResponse(certificateID, certificateStatus);

  331.         }

  332. 

  333.         // basic response generation

  334.         X509CertificateHolder[] chain = null;

  335.         if (!ocspResponderCertificate.equals(issuerCertificate)) {

  336.             // TODO: HorribleProxy can't convert array input params yet

  337.             chain = new X509CertificateHolder[] {

  338.                 new X509CertificateHolder(ocspResponderCertificate.getEncoded()),

  339.                 issuerHolder

  340.             };

  341.         }

  342. 

  343.         ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA")

  344.             .setProvider("BC").build(ocspResponderPrivateKey);

  345.         BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis));

  346. 

  347. 

  348.         OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder();

  349. 

  350.         return ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp);

  351.     }

  352. 

  353. }