diff options
Diffstat (limited to 'pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl')
-rw-r--r-- | pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java | 122 |
1 files changed, 95 insertions, 27 deletions
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java index bb0f3268..9142bc68 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/verify/IntegrityVerifier.java @@ -2,9 +2,12 @@ package at.gv.egiz.pdfas.lib.impl.verify; import iaik.asn1.ObjectID; import iaik.asn1.structures.AlgorithmID; +import iaik.asn1.structures.Attribute; import iaik.cms.ContentInfo; import iaik.cms.SignedData; import iaik.cms.SignerInfo; +import iaik.smime.ess.SigningCertificate; +import iaik.smime.ess.SigningCertificateV2; import iaik.x509.X509Certificate; import java.io.ByteArrayInputStream; @@ -16,6 +19,7 @@ import java.util.List; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import at.gv.egiz.pdfas.common.exceptions.PDFASError; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException; import at.gv.egiz.pdfas.lib.api.Configuration; @@ -26,25 +30,25 @@ public class IntegrityVerifier implements IVerifier { private static final Logger logger = LoggerFactory .getLogger(IntegrityVerifier.class); - + public List<VerifyResult> verify(byte[] signature, byte[] signatureContent, Date verificationTime) throws PdfAsException { try { List<VerifyResult> result = new ArrayList<VerifyResult>(); - - SignedData signedData = new SignedData(signatureContent, new AlgorithmID[] { - AlgorithmID.sha256, AlgorithmID.sha1, AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO - }); - ContentInfo ci = new ContentInfo(new ByteArrayInputStream(signature - )); + + SignedData signedData = new SignedData(signatureContent, + new AlgorithmID[] { AlgorithmID.sha256, AlgorithmID.sha1, + AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO }); + ContentInfo ci = new ContentInfo( + new ByteArrayInputStream(signature)); if (!ci.getContentType().equals(ObjectID.cms_signedData)) { throw new PdfAsException("error.pdf.verify.01"); } - //SignedData signedData = (SignedData)ci.getContent(); - //signedData.setContent(contentData); + // SignedData signedData = (SignedData)ci.getContent(); + // signedData.setContent(contentData); signedData.decode(ci.getContentInputStream()); - + // get the signer infos SignerInfo[] signerInfos = signedData.getSignerInfos(); // verify the signatures @@ -53,33 +57,97 @@ public class IntegrityVerifier implements IVerifier { try { // verify the signature for SignerInfo at index i X509Certificate signer_cert = signedData.verify(i); - logger.info("Signature Algo: {}, Digest {}", - signedData.getSignerInfos()[i].getSignatureAlgorithm(), + + // Verify signing Certificate + Attribute signedCertificate = signerInfos[0] + .getSignedAttribute(ObjectID.signingCertificate); + + if (signedCertificate == null) { + signedCertificate = signerInfos[0] + .getSignedAttribute(ObjectID.signingCertificateV2); + if (signedCertificate == null) { + logger.error("Signature ERROR missing signed Signing Certificate: "); + + throw new SignatureException("Signature ERROR missing signed Signing Certificate"); + } else { + // Validate signingCertificate2 + try { + SigningCertificateV2 signingCert = (SigningCertificateV2) signedCertificate + .getAttributeValue(); + + if (signingCert + .isSignerCertificate(signer_cert)) { + // OK + logger.debug("Found and verified SigningCertificateV2"); + } else { + logger.error("Signature ERROR certificate missmatch: "); + + throw new SignatureException("Signature ERROR certificate missmatch"); + } + } catch (Throwable e) { + logger.error("Signature ERROR wrong encoding for ESSCertIDv2"); + + throw new SignatureException("Signature ERROR wrong encoding for ESSCertIDv2"); + } + } + } else { + // Validate signingCertificate + try { + SigningCertificate signingCert = (SigningCertificate) signedCertificate + .getAttributeValue(); + if (signingCert.isSignerCertificate(signer_cert)) { + // OK + logger.debug("Found and verified SigningCertificate"); + } else { + logger.error("Signature ERROR certificate missmatch"); + + throw new SignatureException("Signature ERROR certificate missmatch"); + } + } catch (Throwable e) { + logger.error("Signature ERROR wrong encoding for ESSCertIDv2"); + + throw new SignatureException("Signature ERROR wrong encoding for ESSCertIDv2", e); + } + } + + logger.info("Signature Algo: {}, Digest {}", signedData + .getSignerInfos()[i].getSignatureAlgorithm(), signedData.getSignerInfos()[i].getDigestAlgorithm()); // if the signature is OK the certificate of the // signer is returned logger.info("Signature OK from signer: " + signer_cert.getSubjectDN()); verifyResult.setSignerCertificate(signer_cert); - verifyResult.setValueCheckCode(new SignatureCheckImpl(0, "OK")); - verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked")); - verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked")); + verifyResult.setValueCheckCode(new SignatureCheckImpl(0, + "OK")); + verifyResult.setManifestCheckCode(new SignatureCheckImpl( + 99, "not checked")); + verifyResult.setCertificateCheck(new SignatureCheckImpl(99, + "not checked")); verifyResult.setVerificationDone(true); } catch (SignatureException ex) { // if the signature is not OK a SignatureException // is thrown - logger.info("Signature ERROR from signer: " - + signedData.getCertificate( - signerInfos[i].getSignerIdentifier()) - .getSubjectDN(), ex); - - verifyResult.setSignerCertificate( - signedData.getCertificate(signerInfos[i].getSignerIdentifier())); - verifyResult.setValueCheckCode(new SignatureCheckImpl(1, "failed to check signature")); - verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked")); - verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked")); + logger.info( + "Signature ERROR from signer: " + + signedData.getCertificate( + signerInfos[i] + .getSignerIdentifier()) + .getSubjectDN(), ex); + + verifyResult.setSignerCertificate(signedData + .getCertificate(signerInfos[i] + .getSignerIdentifier())); + verifyResult.setValueCheckCode(new SignatureCheckImpl(1, + "failed to check signature")); + verifyResult.setManifestCheckCode(new SignatureCheckImpl( + 99, "not checked")); + verifyResult.setCertificateCheck(new SignatureCheckImpl(99, + "not checked")); verifyResult.setVerificationDone(false); - verifyResult.setVerificationException(new PdfAsSignatureException("failed to check signature", ex)); + verifyResult + .setVerificationException(new PdfAsSignatureException( + "failed to check signature", ex)); } result.add(verifyResult); } @@ -91,7 +159,7 @@ public class IntegrityVerifier implements IVerifier { } public void setConfiguration(Configuration config) { - + } @Override |