aboutsummaryrefslogtreecommitdiff
path: root/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util
diff options
context:
space:
mode:
authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2014-11-24 15:45:18 +0100
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2014-11-24 15:45:18 +0100
commit7b402478784fe7237ade7c32d07f034fd7083bb7 (patch)
tree28244a16c2699a8e06d86aae90707bb5c846a3f7 /pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util
parent2ff0b5d7489909561b2122284bd7e60fee8c5baf (diff)
downloadpdf-as-4-7b402478784fe7237ade7c32d07f034fd7083bb7.tar.gz
pdf-as-4-7b402478784fe7237ade7c32d07f034fd7083bb7.tar.bz2
pdf-as-4-7b402478784fe7237ade7c32d07f034fd7083bb7.zip
verification changes
Diffstat (limited to 'pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util')
-rw-r--r--pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java136
1 files changed, 97 insertions, 39 deletions
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java
index 14dbdd16..ef5df8b1 100644
--- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java
+++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java
@@ -1,19 +1,30 @@
package at.gv.egiz.pdfas.lib.util;
+import iaik.asn1.CodingException;
+import iaik.asn1.ObjectID;
+import iaik.asn1.structures.Attribute;
import iaik.cms.CMSException;
import iaik.cms.SignedData;
import iaik.cms.SignerInfo;
+import iaik.smime.ess.ESSCertID;
+import iaik.smime.ess.ESSCertIDv2;
+import iaik.smime.ess.SigningCertificate;
+import iaik.smime.ess.SigningCertificateV2;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
+import java.security.cert.CertificateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import at.gv.egiz.pdfas.common.exceptions.ErrorConstants;
import at.gv.egiz.pdfas.common.exceptions.PDFASError;
+import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException;
+import at.gv.egiz.pdfas.common.utils.StreamUtils;
import at.gv.egiz.pdfas.lib.api.verify.VerifyResult;
import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl;
@@ -21,66 +32,113 @@ public class SignatureUtils implements ErrorConstants {
private static final Logger logger = LoggerFactory
.getLogger(SignatureUtils.class);
-
- public static VerifyResult verifySignature(byte[] signature, byte[] input) throws PDFASError {
- //List<VerifyResult> results = new ArrayList<VerifyResult>();
+
+ public static VerifyResult verifySignature(byte[] signature, byte[] input)
+ throws PDFASError {
+ // List<VerifyResult> results = new ArrayList<VerifyResult>();
try {
SignedData signedData = new SignedData(new ByteArrayInputStream(
signature));
signedData.setContent(input);
-
+
// get the signer infos
SignerInfo[] signerInfos = signedData.getSignerInfos();
if (signerInfos.length == 0) {
logger.error("Invalid signature (no signer information)");
throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG);
}
-
+
if (signerInfos.length != 1) {
logger.error("Invalid signature (multiple signer information)");
throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG);
}
// verify the signatures
- //for (int i = 0; i < signerInfos.length; i++) {
- VerifyResultImpl verifyResult = new VerifyResultImpl();
- //results.add(verifyResult);
- try {
- logger.debug("Signature Algo: {}, Digest {}", signedData
- .getSignerInfos()[0].getSignatureAlgorithm(),
- signedData.getSignerInfos()[0].getDigestAlgorithm());
- // verify the signature for SignerInfo at index i
- X509Certificate signer_cert = signedData.verify(0);
- // if the signature is OK the certificate of the
- // signer is returned
- logger.debug("Signature OK from signer: "
- + signer_cert.getSubjectDN());
- verifyResult.setSignerCertificate(signer_cert);
-
- } catch (SignatureException ex) {
- // if the signature is not OK a SignatureException
- // is thrown
- logger.error(
- "Signature ERROR from signer: "
- + signedData.getCertificate(
- signerInfos[0]
- .getSignerIdentifier())
- .getSubjectDN(), ex);
-
- verifyResult.setSignerCertificate(signedData
- .getCertificate(signerInfos[0]
- .getSignerIdentifier()));
- throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, ex);
+ // for (int i = 0; i < signerInfos.length; i++) {
+ VerifyResultImpl verifyResult = new VerifyResultImpl();
+ // results.add(verifyResult);
+ try {
+ logger.debug("Signature Algo: {}, Digest {}",
+ signedData.getSignerInfos()[0].getSignatureAlgorithm(),
+ signedData.getSignerInfos()[0].getDigestAlgorithm());
+ // verify the signature for SignerInfo at index i
+ X509Certificate signer_cert = signedData.verify(0);
+
+ // Must include Signing Certificate!
+ Attribute signedCertificate = signerInfos[0]
+ .getSignedAttribute(ObjectID.signingCertificate);
+
+ if (signedCertificate == null) {
+ signedCertificate = signerInfos[0]
+ .getSignedAttribute(ObjectID.signingCertificateV2);
+ if (signedCertificate == null) {
+ logger.error("Signature ERROR missing signed Signing Certificate: ");
+
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG);
+ } else {
+ // Validate signingCertificate2
+ try {
+ SigningCertificateV2 signingCert = (SigningCertificateV2)signedCertificate.getAttributeValue();
+
+ if (signingCert.isSignerCertificate(signer_cert)) {
+ // OK
+ logger.debug("Found and verified SigningCertificateV2");
+ } else {
+ logger.error("Signature ERROR certificate missmatch: ");
+
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG);
+ }
+ } catch (Throwable e) {
+ logger.error("Signature ERROR wrong encoding for ESSCertIDv2:");
+
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e);
+ }
+ }
+ } else {
+ // Validate signingCertificate
+ try {
+ SigningCertificate signingCert = (SigningCertificate)signedCertificate.getAttributeValue();
+ if (signingCert.isSignerCertificate(signer_cert)) {
+ // OK
+ logger.debug("Found and verified SigningCertificate");
+ } else {
+ logger.error("Signature ERROR certificate missmatch");
+
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG);
+ }
+ } catch (Throwable e) {
+ logger.error("Signature ERROR wrong encoding for ESSCertIDv2");
+
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e);
+ }
}
-
- return verifyResult;
- //}
+
+ // if the signature is OK the certificate of the
+ // signer is returned
+ logger.debug("Signature OK");
+ verifyResult.setSignerCertificate(signer_cert);
+
+ } catch (SignatureException ex) {
+ // if the signature is not OK a SignatureException
+ // is thrown
+ logger.error(
+ "Signature ERROR from signer: "
+ + signedData.getCertificate(
+ signerInfos[0].getSignerIdentifier())
+ .getSubjectDN(), ex);
+
+ verifyResult.setSignerCertificate(signedData
+ .getCertificate(signerInfos[0].getSignerIdentifier()));
+ throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, ex);
+ }
+
+ return verifyResult;
+ // }
} catch (CMSException e) {
throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e);
} catch (IOException e) {
throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e);
}
-
-
+
}
}