aboutsummaryrefslogtreecommitdiff
path: root/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java
diff options
context:
space:
mode:
Diffstat (limited to 'pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java')
-rw-r--r--pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java122
1 files changed, 95 insertions, 27 deletions
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java
index bb0f3268..9142bc68 100644
--- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java
+++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java
@@ -2,9 +2,12 @@ package at.gv.egiz.pdfas.lib.impl.verify;
import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
+import iaik.asn1.structures.Attribute;
import iaik.cms.ContentInfo;
import iaik.cms.SignedData;
import iaik.cms.SignerInfo;
+import iaik.smime.ess.SigningCertificate;
+import iaik.smime.ess.SigningCertificateV2;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
@@ -16,6 +19,7 @@ import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import at.gv.egiz.pdfas.common.exceptions.PDFASError;
import at.gv.egiz.pdfas.common.exceptions.PdfAsException;
import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException;
import at.gv.egiz.pdfas.lib.api.Configuration;
@@ -26,25 +30,25 @@ public class IntegrityVerifier implements IVerifier {
private static final Logger logger = LoggerFactory
.getLogger(IntegrityVerifier.class);
-
+
public List<VerifyResult> verify(byte[] signature, byte[] signatureContent,
Date verificationTime) throws PdfAsException {
try {
List<VerifyResult> result = new ArrayList<VerifyResult>();
-
- SignedData signedData = new SignedData(signatureContent, new AlgorithmID[] {
- AlgorithmID.sha256, AlgorithmID.sha1, AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO
- });
- ContentInfo ci = new ContentInfo(new ByteArrayInputStream(signature
- ));
+
+ SignedData signedData = new SignedData(signatureContent,
+ new AlgorithmID[] { AlgorithmID.sha256, AlgorithmID.sha1,
+ AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO });
+ ContentInfo ci = new ContentInfo(
+ new ByteArrayInputStream(signature));
if (!ci.getContentType().equals(ObjectID.cms_signedData)) {
throw new PdfAsException("error.pdf.verify.01");
}
- //SignedData signedData = (SignedData)ci.getContent();
- //signedData.setContent(contentData);
+ // SignedData signedData = (SignedData)ci.getContent();
+ // signedData.setContent(contentData);
signedData.decode(ci.getContentInputStream());
-
+
// get the signer infos
SignerInfo[] signerInfos = signedData.getSignerInfos();
// verify the signatures
@@ -53,33 +57,97 @@ public class IntegrityVerifier implements IVerifier {
try {
// verify the signature for SignerInfo at index i
X509Certificate signer_cert = signedData.verify(i);
- logger.info("Signature Algo: {}, Digest {}",
- signedData.getSignerInfos()[i].getSignatureAlgorithm(),
+
+ // Verify signing Certificate
+ Attribute signedCertificate = signerInfos[0]
+ .getSignedAttribute(ObjectID.signingCertificate);
+
+ if (signedCertificate == null) {
+ signedCertificate = signerInfos[0]
+ .getSignedAttribute(ObjectID.signingCertificateV2);
+ if (signedCertificate == null) {
+ logger.error("Signature ERROR missing signed Signing Certificate: ");
+
+ throw new SignatureException("Signature ERROR missing signed Signing Certificate");
+ } else {
+ // Validate signingCertificate2
+ try {
+ SigningCertificateV2 signingCert = (SigningCertificateV2) signedCertificate
+ .getAttributeValue();
+
+ if (signingCert
+ .isSignerCertificate(signer_cert)) {
+ // OK
+ logger.debug("Found and verified SigningCertificateV2");
+ } else {
+ logger.error("Signature ERROR certificate missmatch: ");
+
+ throw new SignatureException("Signature ERROR certificate missmatch");
+ }
+ } catch (Throwable e) {
+ logger.error("Signature ERROR wrong encoding for ESSCertIDv2");
+
+ throw new SignatureException("Signature ERROR wrong encoding for ESSCertIDv2");
+ }
+ }
+ } else {
+ // Validate signingCertificate
+ try {
+ SigningCertificate signingCert = (SigningCertificate) signedCertificate
+ .getAttributeValue();
+ if (signingCert.isSignerCertificate(signer_cert)) {
+ // OK
+ logger.debug("Found and verified SigningCertificate");
+ } else {
+ logger.error("Signature ERROR certificate missmatch");
+
+ throw new SignatureException("Signature ERROR certificate missmatch");
+ }
+ } catch (Throwable e) {
+ logger.error("Signature ERROR wrong encoding for ESSCertIDv2");
+
+ throw new SignatureException("Signature ERROR wrong encoding for ESSCertIDv2", e);
+ }
+ }
+
+ logger.info("Signature Algo: {}, Digest {}", signedData
+ .getSignerInfos()[i].getSignatureAlgorithm(),
signedData.getSignerInfos()[i].getDigestAlgorithm());
// if the signature is OK the certificate of the
// signer is returned
logger.info("Signature OK from signer: "
+ signer_cert.getSubjectDN());
verifyResult.setSignerCertificate(signer_cert);
- verifyResult.setValueCheckCode(new SignatureCheckImpl(0, "OK"));
- verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked"));
+ verifyResult.setValueCheckCode(new SignatureCheckImpl(0,
+ "OK"));
+ verifyResult.setManifestCheckCode(new SignatureCheckImpl(
+ 99, "not checked"));
+ verifyResult.setCertificateCheck(new SignatureCheckImpl(99,
+ "not checked"));
verifyResult.setVerificationDone(true);
} catch (SignatureException ex) {
// if the signature is not OK a SignatureException
// is thrown
- logger.info("Signature ERROR from signer: "
- + signedData.getCertificate(
- signerInfos[i].getSignerIdentifier())
- .getSubjectDN(), ex);
-
- verifyResult.setSignerCertificate(
- signedData.getCertificate(signerInfos[i].getSignerIdentifier()));
- verifyResult.setValueCheckCode(new SignatureCheckImpl(1, "failed to check signature"));
- verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked"));
- verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked"));
+ logger.info(
+ "Signature ERROR from signer: "
+ + signedData.getCertificate(
+ signerInfos[i]
+ .getSignerIdentifier())
+ .getSubjectDN(), ex);
+
+ verifyResult.setSignerCertificate(signedData
+ .getCertificate(signerInfos[i]
+ .getSignerIdentifier()));
+ verifyResult.setValueCheckCode(new SignatureCheckImpl(1,
+ "failed to check signature"));
+ verifyResult.setManifestCheckCode(new SignatureCheckImpl(
+ 99, "not checked"));
+ verifyResult.setCertificateCheck(new SignatureCheckImpl(99,
+ "not checked"));
verifyResult.setVerificationDone(false);
- verifyResult.setVerificationException(new PdfAsSignatureException("failed to check signature", ex));
+ verifyResult
+ .setVerificationException(new PdfAsSignatureException(
+ "failed to check signature", ex));
}
result.add(verifyResult);
}
@@ -91,7 +159,7 @@ public class IntegrityVerifier implements IVerifier {
}
public void setConfiguration(Configuration config) {
-
+
}
@Override
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-20 15:02:51 +0000