aboutsummaryrefslogtreecommitdiff
path: root/signature-standards
diff options
context:
space:
mode:
authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2014-07-10 12:58:25 +0200
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2014-07-10 12:58:25 +0200
commit0bfafff409078ef49b2d4a0d71405e8f5b0eb078 (patch)
tree6b0eb440acbca7407ec77a23fca1ad653c2d9a81 /signature-standards
parentaf90012c848711a4c9010dbcf71694dbfbca0e86 (diff)
downloadpdf-as-4-0bfafff409078ef49b2d4a0d71405e8f5b0eb078.tar.gz
pdf-as-4-0bfafff409078ef49b2d4a0d71405e8f5b0eb078.tar.bz2
pdf-as-4-0bfafff409078ef49b2d4a0d71405e8f5b0eb078.zip
Implemented Verification level (Full incl. Certificate Path, and Integrity Only)
Diffstat (limited to 'signature-standards')
-rw-r--r--signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java194
-rw-r--r--signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java75
2 files changed, 27 insertions, 242 deletions
diff --git a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java
index 2df2368e..d1e185ab 100644
--- a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java
+++ b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java
@@ -23,41 +23,21 @@
******************************************************************************/
package at.gv.egiz.pdfas.sigs.pades;
-import iaik.x509.X509Certificate;
-
import java.util.ArrayList;
-import java.util.Calendar;
import java.util.Date;
import java.util.List;
-import javax.activation.DataHandler;
-import javax.xml.bind.JAXBElement;
-
-import org.apache.axis2.databinding.types.Token;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import at.gv.egiz.dsig.X509DataType;
-import at.gv.egiz.dsig.util.DsigMarschaller;
-import at.gv.egiz.moa.ByteArrayDataSource;
-import at.gv.egiz.moa.SignatureVerificationServiceStub;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.CMSContentBaseType;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.CMSDataObjectOptionalMetaType;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.KeyInfoTypeChoice;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureRequest;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureResponse;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureResponseTypeSequence;
-import at.gv.egiz.moa.SignatureVerificationServiceStub.X509DataTypeSequence;
import at.gv.egiz.pdfas.common.exceptions.PdfAsException;
-import at.gv.egiz.pdfas.common.messages.CodesResolver;
import at.gv.egiz.pdfas.common.utils.PDFUtils;
-import at.gv.egiz.pdfas.common.utils.StreamUtils;
import at.gv.egiz.pdfas.lib.api.Configuration;
import at.gv.egiz.pdfas.lib.api.verify.VerifyResult;
import at.gv.egiz.pdfas.lib.impl.verify.FilterEntry;
+import at.gv.egiz.pdfas.lib.impl.verify.IVerifier;
import at.gv.egiz.pdfas.lib.impl.verify.IVerifyFilter;
-import at.gv.egiz.pdfas.lib.impl.verify.SignatureCheckImpl;
import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl;
public class PAdESVerifier implements IVerifyFilter {
@@ -76,169 +56,19 @@ public class PAdESVerifier implements IVerifyFilter {
@SuppressWarnings("rawtypes")
public List<VerifyResult> verify(byte[] contentData,
- byte[] signatureContent, Date verificationTime, int[] byteRange)
+ byte[] signatureContent, Date verificationTime, int[] byteRange, IVerifier verifier)
throws PdfAsException {
-
- List<VerifyResult> resultList = new ArrayList<VerifyResult>();
- try {
- logger.info("verification with MOA @ " + this.moaEndpoint);
-
- SignatureVerificationServiceStub service = new SignatureVerificationServiceStub(
- this.moaEndpoint);
- VerifyCMSSignatureRequest verifyCMSSignatureRequest = new VerifyCMSSignatureRequest();
- Token token = new Token();
- token.setValue(this.moaTrustProfile);
- verifyCMSSignatureRequest.setTrustProfileID(token);
-
- byte[] data = contentData;
- byte[] signature = signatureContent;
-
- CMSDataObjectOptionalMetaType cmsDataObjectOptionalMetaType = new CMSDataObjectOptionalMetaType();
- CMSContentBaseType cmsDataContent = new CMSContentBaseType();
- cmsDataContent.setBase64Content(new DataHandler(
- new ByteArrayDataSource(data, "application/pdf")));
- DataHandler cmsSignature = new DataHandler(new ByteArrayDataSource(
- signature, "application/pdf"));
- cmsDataObjectOptionalMetaType.setContent(cmsDataContent);
- verifyCMSSignatureRequest.setCMSSignature(cmsSignature);
- verifyCMSSignatureRequest
- .setDataObject(cmsDataObjectOptionalMetaType);
- if (verificationTime != null) {
- Calendar cal = Calendar.getInstance();
- cal.setTime(verificationTime);
- verifyCMSSignatureRequest.setDateTime(cal);
- }
- // cmsDataObjectOptionalMetaType.
- VerifyCMSSignatureResponse response = service
- .verifyCMSSignature(verifyCMSSignatureRequest);
-
- logger.debug("Got Verify Response from MOA");
-
- VerifyCMSSignatureResponseTypeSequence[] verifySequence = response
- .getVerifyCMSSignatureResponse()
- .getVerifyCMSSignatureResponseTypeSequence();
- for (int i = 0; i < verifySequence.length; i++) {
- VerifyResultImpl result = new VerifyResultImpl();
- logger.debug(" ---------------------- ");
- logger.debug("Signature: " + i);
-
- SignatureCheckImpl certificateCheck;
-
- verifySequence[i].getSignerInfo().getKeyInfoTypeChoice()[0]
- .getExtraElement();
- if (verifySequence[i].getCertificateCheck() != null) {
- certificateCheck = new SignatureCheckImpl(verifySequence[i]
- .getCertificateCheck().getCode().intValue(),
- verifySequence[i].getCertificateCheck()
- .isInfoSpecified() ? verifySequence[i]
- .getCertificateCheck().getInfo().toString()
- : "");
- } else {
- certificateCheck = new SignatureCheckImpl(
- 1,
- "");
- }
-
- if(certificateCheck.getMessage() == null || certificateCheck.getMessage().trim().length() == 0) {
- String resourceString = "verify.cert." + certificateCheck.getCode();
- String message = CodesResolver.resolveMessage(resourceString);
- certificateCheck.setMessage(message);
- }
-
- logger.debug("Certificate Check: " + certificateCheck.getCode() + " [" + certificateCheck.getMessage() + "]");
-
- SignatureCheckImpl signatureCheck = new SignatureCheckImpl(
- verifySequence[i].getSignatureCheck().getCode()
- .intValue(),
- verifySequence[i].getSignatureCheck().isInfoSpecified() ? verifySequence[i]
- .getSignatureCheck().getInfo().toString()
- : "");
-
- if(signatureCheck.getMessage() == null || signatureCheck.getMessage().trim().length() == 0) {
- String resourceString = "verify.value." + signatureCheck.getCode();
- String message = CodesResolver.resolveMessage(resourceString);
- signatureCheck.setMessage(message);
- }
-
- logger.debug("Signature Check: " + signatureCheck.getCode() + " [" + signatureCheck.getMessage() + "]");
-
- result.setCertificateCheck(certificateCheck);
- result.setValueCheckCode(signatureCheck);
- result.setVerificationDone(true);
-
- KeyInfoTypeChoice[] keyInfo = verifySequence[i].getSignerInfo()
- .getKeyInfoTypeChoice();
- KeyInfoTypeChoice choice = keyInfo[0];
- result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange));
-
- // extract certificate
- if (choice.isX509DataSpecified()) {
- byte[] certData = null;
- X509DataTypeSequence[] x509Sequence = choice.getX509Data()
- .getX509DataTypeSequence();
- for (int k = 0; k < x509Sequence.length; k++) {
- X509DataTypeSequence x509Data = x509Sequence[k];
- if (x509Data.getX509DataTypeChoice_type0()
- .isX509CertificateSpecified()) {
- DataHandler handler = x509Data
- .getX509DataTypeChoice_type0()
- .getX509Certificate();
- certData = StreamUtils
- .inputStreamToByteArray(handler
- .getInputStream());
- } else if (x509Data.getX509DataTypeChoice_type0()
- .isExtraElementSpecified()) {
- if (x509Data
- .getX509DataTypeChoice_type0()
- .getExtraElement()
- .getLocalName()
- .equals(SignatureVerificationServiceStub.QualifiedCertificate.MY_QNAME
- .getLocalPart())) {
- result.setQualifiedCertificate(true);
- }
- }
- }
- X509Certificate certificate = new X509Certificate(certData);
- result.setSignerCertificate(certificate);
- } else if (choice.isExtraElementSpecified()) {
- String xmldisg = choice.getExtraElement().toString();
- JAXBElement jaxbElement = (JAXBElement) DsigMarschaller
- .unmarshalFromString(xmldisg);
- if (jaxbElement.getValue() instanceof X509DataType) {
- X509DataType x509Data = (X509DataType) jaxbElement
- .getValue();
- List<Object> dsigElements = x509Data
- .getX509IssuerSerialOrX509SKIOrX509SubjectName();
- for (int j = 0; j < dsigElements.size(); j++) {
- Object jaxElement = dsigElements.get(j);
- if (jaxElement instanceof JAXBElement) {
- JAXBElement jaxbElementMember = (JAXBElement) jaxElement;
- if (jaxbElementMember
- .getName()
- .equals(DsigMarschaller.X509DataTypeX509Certificate_QNAME)) {
- if (jaxbElementMember.getValue() instanceof byte[]) {
- byte[] certData = (byte[]) jaxbElementMember
- .getValue();
- X509Certificate certificate = new X509Certificate(
- certData);
- result.setSignerCertificate(certificate);
- break;
- }
- }
- }
- }
- }
- }
-
- resultList.add(result);
-
- logger.debug(" ---------------------- ");
- }
- } catch (Throwable e) {
- logger.error("Verification failed", e);
- throw new PdfAsException("error.pdf.verify.02", e);
+
+ byte[] data = contentData;
+ byte[] signature = signatureContent;
+
+ List<VerifyResult> verifieResults = verifier.verify(signature, data, verificationTime);
+ for(int i =0; i < verifieResults.size();i++) {
+ VerifyResultImpl result = (VerifyResultImpl)verifieResults.get(i);
+ result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange));
}
- return resultList;
+
+ return verifieResults;
}
public List<FilterEntry> getFiters() {
diff --git a/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java b/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
index bef034b1..fb7fa5ab 100644
--- a/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
+++ b/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
@@ -46,6 +46,7 @@ import at.gv.egiz.pdfas.common.utils.PDFUtils;
import at.gv.egiz.pdfas.lib.api.Configuration;
import at.gv.egiz.pdfas.lib.api.verify.VerifyResult;
import at.gv.egiz.pdfas.lib.impl.verify.FilterEntry;
+import at.gv.egiz.pdfas.lib.impl.verify.IVerifier;
import at.gv.egiz.pdfas.lib.impl.verify.IVerifyFilter;
import at.gv.egiz.pdfas.lib.impl.verify.SignatureCheckImpl;
import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl;
@@ -57,68 +58,22 @@ public class PKCS7DetachedVerifier implements IVerifyFilter {
public PKCS7DetachedVerifier() {
}
- public List<VerifyResult> verify(byte[] contentData, byte[] signatureContent, Date verificationTime, int[] byteRange)
+ public List<VerifyResult> verify(byte[] contentData, byte[] signatureContent,
+ Date verificationTime, int[] byteRange, IVerifier verifier)
throws PdfAsException {
- try {
- List<VerifyResult> result = new ArrayList<VerifyResult>();
-
- SignedData signedData = new SignedData(contentData, new AlgorithmID[] {
- AlgorithmID.sha256, AlgorithmID.sha1, AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO
- });
- ContentInfo ci = new ContentInfo(new ByteArrayInputStream(
- signatureContent));
- if (!ci.getContentType().equals(ObjectID.cms_signedData)) {
- throw new PdfAsException("error.pdf.verify.01");
- }
- //SignedData signedData = (SignedData)ci.getContent();
- //signedData.setContent(contentData);
-
- signedData.decode(ci.getContentInputStream());
-
- // get the signer infos
- SignerInfo[] signerInfos = signedData.getSignerInfos();
- // verify the signatures
- for (int i = 0; i < signerInfos.length; i++) {
- VerifyResultImpl verifyResult = new VerifyResultImpl();
- verifyResult.setSignatureData(PDFUtils.blackOutSignature(contentData, byteRange));
- try {
- // verify the signature for SignerInfo at index i
- X509Certificate signer_cert = signedData.verify(i);
- logger.info("Signature Algo: {}, Digest {}",
- signedData.getSignerInfos()[i].getSignatureAlgorithm(),
- signedData.getSignerInfos()[i].getDigestAlgorithm());
- // if the signature is OK the certificate of the
- // signer is returned
- logger.info("Signature OK from signer: "
- + signer_cert.getSubjectDN());
- verifyResult.setSignerCertificate(signer_cert);
- verifyResult.setValueCheckCode(new SignatureCheckImpl(0, "OK"));
- verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setVerificationDone(true);
- } catch (SignatureException ex) {
- // if the signature is not OK a SignatureException
- // is thrown
- logger.info("Signature ERROR from signer: "
- + signedData.getCertificate(
- signerInfos[i].getSignerIdentifier())
- .getSubjectDN(), ex);
-
- verifyResult.setSignerCertificate(
- signedData.getCertificate(signerInfos[i].getSignerIdentifier()));
- verifyResult.setValueCheckCode(new SignatureCheckImpl(1, "failed to check signature"));
- verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setVerificationDone(false);
- verifyResult.setVerificationException(new PdfAsSignatureException("failed to check signature", ex));
- }
- result.add(verifyResult);
- }
-
- return result;
- } catch (Throwable e) {
- throw new PdfAsException("error.pdf.verify.02", e);
+
+ byte[] data = contentData;
+ byte[] signature = signatureContent;
+
+ List<VerifyResult> verifieResults = verifier.verify(signature, data, verificationTime);
+ for(int i =0; i < verifieResults.size();i++) {
+ VerifyResultImpl result = (VerifyResultImpl)verifieResults.get(i);
+ result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange));
}
+
+ return verifieResults;
+
+
}
public List<FilterEntry> getFiters() {