aboutsummaryrefslogtreecommitdiff
path: root/signature-standards/sigs-pcks7detached/src/main/java/at
diff options
context:
space:
mode:
Diffstat (limited to 'signature-standards/sigs-pcks7detached/src/main/java/at')
-rw-r--r--signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedSigner.java146
-rw-r--r--signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java28
2 files changed, 142 insertions, 32 deletions
diff --git a/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedSigner.java b/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedSigner.java
index 25b42f5f..4c4b3621 100644
--- a/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedSigner.java
+++ b/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedSigner.java
@@ -1,40 +1,54 @@
package at.gv.egiz.pdfas.sigs.pkcs7detached;
+import iaik.asn1.ASN1Object;
+import iaik.asn1.ObjectID;
import iaik.asn1.structures.AlgorithmID;
-import iaik.cms.SignedDataStream;
+import iaik.asn1.structures.Attribute;
+import iaik.asn1.structures.ChoiceOfTime;
+import iaik.cms.ContentInfo;
+import iaik.cms.IssuerAndSerialNumber;
+import iaik.cms.SignedData;
import iaik.cms.SignerInfo;
-import iaik.cms.SubjectKeyID;
+import iaik.cms.Utils;
import iaik.security.ecc.provider.ECCProvider;
import iaik.security.provider.IAIK;
import iaik.x509.X509Certificate;
-import iaik.x509.X509ExtensionException;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.OutputStream;
import java.security.KeyStore;
+import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
+import java.util.Date;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessable;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
-import at.gv.egiz.pdfas.common.exceptions.PDFIOException;
import at.gv.egiz.pdfas.common.exceptions.PdfAsException;
import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException;
+import at.gv.egiz.pdfas.common.utils.StringUtils;
import at.gv.egiz.pdfas.lib.api.sign.IPlainSigner;
public class PKCS7DetachedSigner implements IPlainSigner {
+ private static final Logger logger = LoggerFactory
+ .getLogger(PKCS7DetachedSigner.class);
+
PrivateKey privKey;
X509Certificate cert;
public PKCS7DetachedSigner(String file, String alias, String kspassword,
String keypassword, String type) throws PdfAsException {
try {
- IAIK.getInstance();
+ IAIK.addAsProvider();
ECCProvider.addAsProvider();
KeyStore ks = KeyStore.getInstance(type);
ks.load(new FileInputStream(file), kspassword.toCharArray());
@@ -49,40 +63,114 @@ public class PKCS7DetachedSigner implements IPlainSigner {
return cert;
}
+ class CMSProcessableInputStream implements CMSProcessable {
+
+ InputStream in;
+
+ public CMSProcessableInputStream(InputStream is) {
+ in = is;
+ }
+
+ public Object getContent() {
+ return null;
+ }
+
+ public void write(OutputStream out) throws IOException, CMSException {
+ // read the content only one time
+ byte[] buffer = new byte[8 * 1024];
+ int read;
+ while ((read = in.read(buffer)) != -1) {
+ out.write(buffer, 0, read);
+ }
+ in.close();
+ }
+ }
+
+ private static BouncyCastleProvider provider = new BouncyCastleProvider();
+
+ /*
+ * public byte[] sign(byte[] input, int[] byteRange) throws PdfAsException {
+ * CMSProcessableInputStream content = new CMSProcessableInputStream(new
+ * ByteArrayInputStream(input)); CMSSignedDataGenerator gen = new
+ * CMSSignedDataGenerator(); // CertificateChain List<X509Certificate>
+ * certList = Arrays.asList(cert);
+ *
+ * CertStore certStore = null; try { certStore =
+ * CertStore.getInstance("Collection", new
+ * CollectionCertStoreParameters(certList), provider);
+ * gen.addSigner(privKey, (X509Certificate)certList.get(0),
+ * CMSSignedGenerator.DIGEST_SHA256); gen.addCertificatesAndCRLs(certStore);
+ * CMSSignedData signedData = gen.generate(content, false, provider); return
+ * signedData.getEncoded(); } catch (Exception e) { // should be handled
+ * e.printStackTrace(); } throw new
+ * RuntimeException("Problem while preparing signature"); }
+ */
+
public byte[] sign(byte[] input, int[] byteRange) throws PdfAsException {
try {
- SignedDataStream signed_data_stream = new SignedDataStream(
- new ByteArrayInputStream(input), SignedDataStream.EXPLICIT);
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- signed_data_stream.addCertificates(new Certificate[] { cert });
-
- SubjectKeyID subjectKeyId = new SubjectKeyID(cert);
- SignerInfo signer1 = new SignerInfo(subjectKeyId,
- AlgorithmID.sha256, privKey);
- signed_data_stream.addSignerInfo(signer1);
- InputStream data_is = signed_data_stream.getInputStream();
- if (signed_data_stream.getMode() == SignedDataStream.EXPLICIT) {
- byte[] buf = new byte[1024];
- int r;
- while ((r = data_is.read(buf)) > 0) {
- // do something useful
- }
+ // SignedDataStream signed_data_stream = new SignedDataStream(
+ // new ByteArrayInputStream(input), SignedDataStream.EXPLICIT);
+ // ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ // signed_data_stream.addCertificates(new Certificate[] { cert });
+ //
+ // SubjectKeyID subjectKeyId = new SubjectKeyID(cert);
+ // SignerInfo signer1 = new SignerInfo(subjectKeyId,
+ // AlgorithmID.sha256, privKey);
+ // signed_data_stream.addSignerInfo(signer1);
+ // InputStream data_is = signed_data_stream.getInputStream();
+ // if (signed_data_stream.getMode() == SignedDataStream.EXPLICIT) {
+ // byte[] buf = new byte[1024];
+ // int r;
+ // while ((r = data_is.read(buf)) > 0) {
+ // // do something useful
+ // }
+ // }
+ // SubjectKeyID subjectKeyId = new SubjectKeyID(cert);
+ try {
+ MessageDigest md = MessageDigest.getInstance("SHA256", "IAIK");
+ md.update(input);
+ byte[] sha256 = md.digest();
+ logger.info("Message digest: " + StringUtils.bytesToHexString(sha256));
+ } catch (Exception e) {
+ e.printStackTrace();
}
- signed_data_stream.writeTo(baos);
- return baos.toByteArray();
+ IssuerAndSerialNumber issuer = new IssuerAndSerialNumber(cert);
+ SignerInfo signer1 = new SignerInfo(issuer, AlgorithmID.sha256,
+ privKey);
+
+ SignedData si = new SignedData(input, SignedData.EXPLICIT);
+ si.addCertificates(new Certificate[] { cert });
+ Attribute signingTime = new Attribute(ObjectID.signingTime,
+ new ASN1Object[] { new ChoiceOfTime(new Date())
+ .toASN1Object() });
+ // Attribute signingCert = new
+ // Attribute(ObjectID.signingCertificateV2,
+ // new ASN1Object[] { cert.toASN1Object() });
+
+ Attribute[] attributes = new Attribute[] { signingTime };
+ signer1.setSignedAttributes(attributes);
+ si.addSignerInfo(signer1);
+ InputStream dataIs = si.getInputStream();
+ byte[] buf = new byte[1024];
+ int r;
+ while ((r = dataIs.read(buf)) > 0)
+ ; // skip data
+ ContentInfo ci = new ContentInfo(si);
+
+ return ci.getEncoded();
} catch (NoSuchAlgorithmException e) {
throw new PdfAsSignatureException("", e);
- } catch (X509ExtensionException e) {
+ } catch (iaik.cms.CMSException e) {
+ throw new PdfAsSignatureException("", e);
+ } catch (IOException e) {
throw new PdfAsSignatureException("", e);
- } catch (IOException e) {
- throw new PDFIOException("", e);
}
}
public String getPDFSubFilter() {
return PDSignature.SUBFILTER_ADBE_PKCS7_DETACHED.getName();
}
-
+
public String getPDFFilter() {
return PDSignature.FILTER_ADOBE_PPKLITE.getName();
}
diff --git a/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java b/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
index 7e974f3f..e8f0661b 100644
--- a/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
+++ b/signature-standards/sigs-pcks7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java
@@ -1,10 +1,14 @@
package at.gv.egiz.pdfas.sigs.pkcs7detached;
+import iaik.asn1.ObjectID;
+import iaik.asn1.structures.AlgorithmID;
+import iaik.cms.ContentInfo;
import iaik.cms.SignedData;
import iaik.cms.SignerInfo;
import iaik.x509.X509Certificate;
import java.io.ByteArrayInputStream;
+import java.io.FileOutputStream;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.List;
@@ -24,21 +28,38 @@ public class PKCS7DetachedVerifier implements IVerifyFilter {
private static final Logger logger = LoggerFactory.getLogger(PKCS7DetachedVerifier.class);
+ public PKCS7DetachedVerifier() {
+ }
+
public List<VerifyResult> verify(byte[] contentData, byte[] signatureContent)
throws PdfAsException {
try {
List<VerifyResult> result = new ArrayList<VerifyResult>();
- SignedData signedData = new SignedData(new ByteArrayInputStream(
+
+ SignedData signedData = new SignedData(contentData, new AlgorithmID[] {
+ AlgorithmID.sha256
+ });
+
+ FileOutputStream fos = new FileOutputStream("/tmp/verify.bin");
+ fos.write(signatureContent);
+ fos.close();
+
+ ContentInfo ci = new ContentInfo(new ByteArrayInputStream(
signatureContent));
- signedData.setContent(contentData);
+ if (!ci.getContentType().equals(ObjectID.cms_signedData)) {
+ throw new PdfAsException("No Signed DATA");
+ }
+ //SignedData signedData = (SignedData)ci.getContent();
+ //signedData.setContent(contentData);
+ signedData.decode(ci.getContentInputStream());
+
// get the signer infos
SignerInfo[] signerInfos = signedData.getSignerInfos();
// verify the signatures
for (int i = 0; i < signerInfos.length; i++) {
VerifyResultImpl verifyResult = new VerifyResultImpl();
try {
-
// verify the signature for SignerInfo at index i
X509Certificate signer_cert = signedData.verify(i);
// if the signature is OK the certificate of the
@@ -69,6 +90,7 @@ public class PKCS7DetachedVerifier implements IVerifyFilter {
public List<FilterEntry> getFiters() {
List<FilterEntry> result = new ArrayList<FilterEntry>();
result.add(new FilterEntry(PDSignature.FILTER_ADOBE_PPKLITE, PDSignature.SUBFILTER_ADBE_PKCS7_DETACHED));
+ result.add(new FilterEntry(PDSignature.FILTER_ADOBE_PPKLITE, PDSignature.SUBFILTER_ETSI_CADES_DETACHED));
return result;
}