diff options
Diffstat (limited to 'pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib')
-rw-r--r-- | pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java | 7 | ||||
-rw-r--r-- | pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java | 250 |
2 files changed, 126 insertions, 131 deletions
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java index 22c6c9a1..1235e4e7 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/PdfAsImpl.java @@ -208,9 +208,10 @@ public class PdfAsImpl implements PdfAs, IConfigurationConstants, // Create signature try { - signer.signPDF(status.getPdfObject(), requestedSignature, signer - .buildSignaturInterface(status.getSignParamter() - .getPlainSigner(), parameter, requestedSignature)); + signer.signPDF(status.getPdfObject(), requestedSignature, + signer.buildSignaturInterface(status.getSignParamter().getPlainSigner(), + parameter, requestedSignature)); + } finally { if (parameter instanceof BKUHeaderHolder) { final BKUHeaderHolder holder = (BKUHeaderHolder) parameter; diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java index 6e584f32..6282d9c1 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/util/SignatureUtils.java @@ -1,144 +1,138 @@ package at.gv.egiz.pdfas.lib.util; -import iaik.asn1.CodingException; -import iaik.asn1.ObjectID; -import iaik.asn1.structures.Attribute; -import iaik.cms.CMSException; -import iaik.cms.SignedData; -import iaik.cms.SignerInfo; -import iaik.smime.ess.ESSCertID; -import iaik.smime.ess.ESSCertIDv2; -import iaik.smime.ess.SigningCertificate; -import iaik.smime.ess.SigningCertificateV2; -import iaik.x509.X509Certificate; - import java.io.ByteArrayInputStream; import java.io.IOException; -import java.security.NoSuchAlgorithmException; import java.security.SignatureException; -import java.security.cert.CertificateException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import at.gv.egiz.pdfas.common.exceptions.ErrorConstants; import at.gv.egiz.pdfas.common.exceptions.PDFASError; -import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException; -import at.gv.egiz.pdfas.common.utils.StreamUtils; import at.gv.egiz.pdfas.lib.api.verify.VerifyResult; import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl; +import iaik.asn1.ObjectID; +import iaik.asn1.structures.Attribute; +import iaik.cms.CMSException; +import iaik.cms.SignedData; +import iaik.cms.SignerInfo; +import iaik.smime.ess.SigningCertificate; +import iaik.smime.ess.SigningCertificateV2; +import iaik.x509.X509Certificate; public class SignatureUtils implements ErrorConstants { - - private static final Logger logger = LoggerFactory - .getLogger(SignatureUtils.class); - - public static VerifyResult verifySignature(byte[] signature, byte[] input) - throws PDFASError { - // List<VerifyResult> results = new ArrayList<VerifyResult>(); - try { - SignedData signedData = new SignedData(new ByteArrayInputStream( - signature)); - - signedData.setContent(input); - - // get the signer infos - SignerInfo[] signerInfos = signedData.getSignerInfos(); - if (signerInfos.length == 0) { - logger.warn("Invalid signature (no signer information)"); - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); - } - - if (signerInfos.length != 1) { - logger.warn("Invalid signature (multiple signer information)"); - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); - } - // verify the signatures - // for (int i = 0; i < signerInfos.length; i++) { - VerifyResultImpl verifyResult = new VerifyResultImpl(); - // results.add(verifyResult); - try { - logger.debug("Signature Algo: {}, Digest {}", - signedData.getSignerInfos()[0].getSignatureAlgorithm(), - signedData.getSignerInfos()[0].getDigestAlgorithm()); - // verify the signature for SignerInfo at index i - X509Certificate signer_cert = signedData.verify(0); - - // Must include Signing Certificate! - Attribute signedCertificate = signerInfos[0] - .getSignedAttribute(ObjectID.signingCertificate); - - if (signedCertificate == null) { - signedCertificate = signerInfos[0] - .getSignedAttribute(ObjectID.signingCertificateV2); - if (signedCertificate == null) { - logger.warn("Signature ERROR missing signed Signing Certificate: "); - - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); - } else { - // Validate signingCertificate2 - try { - SigningCertificateV2 signingCert = (SigningCertificateV2)signedCertificate.getAttributeValue(); - - if (signingCert.isSignerCertificate(signer_cert)) { - // OK - logger.debug("Found and verified SigningCertificateV2"); - } else { - logger.error("Signature ERROR certificate missmatch, misbehaving Signature Backend?"); - - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); - } - } catch (Throwable e) { - logger.error("Signature ERROR wrong encoding for ESSCertIDv2, misbehaving Signature Backend?"); - - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); - } - } - } else { - // Validate signingCertificate - try { - SigningCertificate signingCert = (SigningCertificate)signedCertificate.getAttributeValue(); - if (signingCert.isSignerCertificate(signer_cert)) { - // OK - logger.debug("Found and verified SigningCertificate"); - } else { - logger.warn("Signature ERROR certificate missmatch, misbehaving Signature Backend?"); - - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); - } - } catch (Throwable e) { - logger.error("Signature ERROR wrong encoding for ESSCertIDv2, misbehaving Signature Backend?"); - - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); - } - } - - // if the signature is OK the certificate of the - // signer is returned - logger.debug("Signature OK"); - verifyResult.setSignerCertificate(signer_cert); - - } catch (SignatureException ex) { - // if the signature is not OK a SignatureException - // is thrown - logger.warn( - "Signature ERROR from signer: " - + signedData.getCertificate( - signerInfos[0].getSignerIdentifier()) - .getSubjectDN(), ex); - - verifyResult.setSignerCertificate(signedData - .getCertificate(signerInfos[0].getSignerIdentifier())); - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, ex); - } - - return verifyResult; - // } - } catch (CMSException e) { - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); - } catch (IOException e) { - throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); - } - - } + private static final Logger logger = LoggerFactory.getLogger(SignatureUtils.class); + + public static VerifyResult verifySignature(byte[] signature, byte[] input) + throws PDFASError { + // List<VerifyResult> results = new ArrayList<VerifyResult>(); + try { + final SignedData signedData = new SignedData(new ByteArrayInputStream(signature)); + signedData.setContent(input); + + // get the signer infos + final SignerInfo[] signerInfos = signedData.getSignerInfos(); + if (signerInfos.length == 0) { + logger.warn("Invalid signature (no signer information)"); + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); + + } + + if (signerInfos.length != 1) { + logger.warn("Invalid signature (multiple signer information)"); + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); + + } + // verify the signatures + // for (int i = 0; i < signerInfos.length; i++) { + final VerifyResultImpl verifyResult = new VerifyResultImpl(); + // results.add(verifyResult); + try { + logger.debug("Signature Algo: {}, Digest {}", + signedData.getSignerInfos()[0].getSignatureAlgorithm(), + signedData.getSignerInfos()[0].getDigestAlgorithm()); + // verify the signature for SignerInfo at index i + final X509Certificate signer_cert = signedData.verify(0); + + // Must include Signing Certificate! + Attribute signedCertificate = signerInfos[0].getSignedAttribute(ObjectID.signingCertificate); + + if (signedCertificate == null) { + signedCertificate = signerInfos[0].getSignedAttribute(ObjectID.signingCertificateV2); + + if (signedCertificate == null) { + logger.warn("Signature ERROR missing signed Signing Certificate: "); + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); + + } else { + // Validate signingCertificate2 + try { + final SigningCertificateV2 signingCert = (SigningCertificateV2) signedCertificate.getAttributeValue(); + if (signingCert.isSignerCertificate(signer_cert)) { + // OK + logger.debug("Found and verified SigningCertificateV2"); + + } else { + logger.error("Signature ERROR certificate missmatch, misbehaving Signature Backend?"); + + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); + } + + } catch (final Throwable e) { + logger.error("Signature ERROR wrong encoding for ESSCertIDv2, misbehaving Signature Backend?"); + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); + + } + } + + } else { + // Validate signingCertificate + try { + final SigningCertificate signingCert = (SigningCertificate) signedCertificate.getAttributeValue(); + if (signingCert.isSignerCertificate(signer_cert)) { + // OK + logger.debug("Found and verified SigningCertificate"); + } else { + logger.warn("Signature ERROR certificate missmatch, misbehaving Signature Backend?"); + + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG); + } + } catch (final Throwable e) { + logger.error("Signature ERROR wrong encoding for ESSCertIDv2, misbehaving Signature Backend?"); + + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); + } + } + + // if the signature is OK the certificate of the + // signer is returned + logger.debug("Signature OK"); + verifyResult.setSignerCertificate(signer_cert); + + } catch (final SignatureException ex) { + // if the signature is not OK a SignatureException + // is thrown + logger.warn( + "Signature ERROR from signer: " + + signedData.getCertificate( + signerInfos[0].getSignerIdentifier()) + .getSubjectDN(), ex); + + verifyResult.setSignerCertificate(signedData + .getCertificate(signerInfos[0].getSignerIdentifier())); + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, ex); + + } + + return verifyResult; + // } + } catch (final CMSException e) { + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); + + } catch (final IOException e) { + throw new PDFASError(ERROR_SIG_INVALID_BKU_SIG, e); + + } + + } } |