From af90012c848711a4c9010dbcf71694dbfbca0e86 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 10 Jul 2014 12:09:05 +0200 Subject: Integrity verification of Signature after Signature creation to ensure correct signed Document --- .../at/gv/egiz/sl/util/ISignatureConnector.java | 3 +- .../egiz/sl/util/ISignatureConnectorSLWrapper.java | 68 +++++----------------- .../main/java/at/gv/egiz/sl/util/MOAConnector.java | 19 +++++- 3 files changed, 33 insertions(+), 57 deletions(-) (limited to 'pdf-as-lib/src/main/java/at/gv/egiz/sl/util') diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnector.java b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnector.java index fdb95f49..24a1b84d 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnector.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnector.java @@ -26,8 +26,9 @@ package at.gv.egiz.sl.util; import iaik.x509.X509Certificate; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.lib.api.sign.SignParameter; +import at.gv.egiz.pdfas.lib.impl.status.RequestedSignature; public interface ISignatureConnector { public X509Certificate getCertificate(SignParameter parameter) throws PdfAsException; - public byte[] sign(byte[] input, int[] byteRange, SignParameter parameter) throws PdfAsException; + public byte[] sign(byte[] input, int[] byteRange, SignParameter parameter, RequestedSignature requestedSignature) throws PdfAsException; } diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnectorSLWrapper.java b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnectorSLWrapper.java index b564c215..077f2f9b 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnectorSLWrapper.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/ISignatureConnectorSLWrapper.java 
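Review bot: The new `requestedSignature` parameter on `ISignatureConnector.sign` is undocumented, so nothing tells an implementer that the connector is now expected to verify the returned CMS signature and compare its signer certificate with the requested one. Both implementations in this commit do the check themselves, which means any other connector can accept the argument and skip it. I would add Javadoc on `sign` stating that contract, for example `/** Implementations must verify the returned signature over input and reject it when the signer certificate differs from requestedSignature.getCertificate(). */`. Doing the comparison once in the caller would enforce it for every connector, but the caller is not part of this diff.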
@@ -23,24 +23,23 @@ ******************************************************************************/ package at.gv.egiz.sl.util; -import iaik.cms.CMSException; -import iaik.cms.SignedData; -import iaik.cms.SignerInfo; import iaik.x509.X509Certificate; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.security.SignatureException; import java.security.cert.CertificateException; import java.util.Iterator; +import java.util.List; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException; +import at.gv.egiz.pdfas.common.utils.StreamUtils; import at.gv.egiz.pdfas.lib.api.sign.SignParameter; -import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl; +import at.gv.egiz.pdfas.lib.api.verify.VerifyResult; +import at.gv.egiz.pdfas.lib.impl.SignResultImpl; +import at.gv.egiz.pdfas.lib.impl.status.RequestedSignature; +import at.gv.egiz.pdfas.lib.util.SignatureUtils; import at.gv.egiz.sl.schema.CreateCMSSignatureResponseType; import at.gv.egiz.sl.schema.InfoboxAssocArrayPairType; import at.gv.egiz.sl.schema.InfoboxReadRequestType; 
@@ -84,59 +83,20 @@ public class ISignatureConnectorSLWrapper implements ISignatureConnector { return certificate; } - public byte[] sign(byte[] input, int[] byteRange, SignParameter parameter) throws PdfAsException { + public byte[] sign(byte[] input, int[] byteRange, + SignParameter parameter, RequestedSignature requestedSignature) throws PdfAsException { RequestPackage pack = connector.createCMSRequest( input, byteRange, parameter); CreateCMSSignatureResponseType response = connector .sendCMSRequest(pack, parameter); - try { - SignedData signedData = new SignedData(new ByteArrayInputStream( - response.getCMSSignature())); - - signedData.setContent(input); - - // get the signer infos - SignerInfo[] signerInfos = signedData.getSignerInfos(); - if (signerInfos.length == 0) { - throw new PdfAsSignatureException("Invalid Signature (no signer info created!)", null); - } - // verify the signatures - for (int i = 0; i < signerInfos.length; i++) { - VerifyResultImpl verifyResult = new VerifyResultImpl(); - try { - logger.info("Signature Algo: {}, Digest {}", signedData - .getSignerInfos()[i].getSignatureAlgorithm(), - signedData.getSignerInfos()[i].getDigestAlgorithm()); - // verify the signature for SignerInfo at index i - X509Certificate signer_cert = signedData.verify(i); - // if the signature is OK the certificate of the - // signer is returned - logger.info("Signature OK from signer: " - + signer_cert.getSubjectDN()); - verifyResult.setSignerCertificate(signer_cert); + + VerifyResult verifyResult = SignatureUtils.verifySignature(response.getCMSSignature(), input); - } catch (SignatureException ex) { - // if the signature is not OK a SignatureException - // is thrown - logger.error( - "Signature ERROR from signer: " - + signedData.getCertificate( - signerInfos[i] - .getSignerIdentifier()) - .getSubjectDN(), ex); - - verifyResult.setSignerCertificate(signedData - .getCertificate(signerInfos[i] - .getSignerIdentifier())); - throw new 
PdfAsSignatureException("error.pdf.sig.08", ex); - } - } - } catch (CMSException e) { - throw new PdfAsSignatureException("error.pdf.sig.08", e); - } catch (IOException e) { - throw new PdfAsSignatureException("error.pdf.sig.08", e); + if(!StreamUtils.dataCompare(requestedSignature.getCertificate().getFingerprintSHA(), + verifyResult.getSignerCertificate().getFingerprintSHA())) { + throw new PdfAsSignatureException("Certificates missmatch!"); } - + return response.getCMSSignature(); } diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/MOAConnector.java b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/MOAConnector.java index 73de30cf..1059dba1 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/MOAConnector.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/MOAConnector.java @@ -55,10 +55,15 @@ import org.xml.sax.SAXException; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; import at.gv.egiz.pdfas.common.exceptions.PdfAsMOAException; +import at.gv.egiz.pdfas.common.exceptions.PdfAsSignatureException; import at.gv.egiz.pdfas.common.exceptions.PdfAsWrappedIOException; import at.gv.egiz.pdfas.common.settings.ISettings; +import at.gv.egiz.pdfas.common.utils.StreamUtils; import at.gv.egiz.pdfas.lib.api.Configuration; import at.gv.egiz.pdfas.lib.api.sign.SignParameter; +import at.gv.egiz.pdfas.lib.api.verify.VerifyResult; +import at.gv.egiz.pdfas.lib.impl.status.RequestedSignature; +import at.gv.egiz.pdfas.lib.util.SignatureUtils; public class MOAConnector implements ISignatureConnector { @@ -135,7 +140,8 @@ public class MOAConnector implements ISignatureConnector { return builder.build(); } - public byte[] sign(byte[] input, int[] byteRange, SignParameter parameter) throws PdfAsException { + public byte[] sign(byte[] input, int[] byteRange, SignParameter parameter + , RequestedSignature requestedSignature) throws PdfAsException { CloseableHttpClient client = null; try { client = buildHttpClient(); 
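Review bot: In `ISignatureConnectorSLWrapper.sign` the fingerprint comparison dereferences `requestedSignature.getCertificate()` and `verifyResult.getSignerCertificate()` without a null check, so a missing certificate on either side ends in a NullPointerException instead of a signature error; the same lines appear in `MOAConnector.sign` in the last hunk. The removed code explicitly rejected a response with no SignerInfo, and whether `SignatureUtils.verifySignature` still does so, or which signer it reports when the CMS holds several, is not visible here. A guard such as `if (verifyResult == null || verifyResult.getSignerCertificate() == null) throw new PdfAsSignatureException("error.pdf.sig.08");` before the comparison keeps the failure closed. `getFingerprintSHA()` looks like a SHA-1 fingerprint; comparing the encoded certificates, or a SHA-256 fingerprint, would not depend on SHA-1 collision resistance. The message `"Certificates missmatch!"` is also a literal where the rest of the method used keys like `error.pdf.sig.08`.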
@@ -220,7 +226,16 @@ public class MOAConnector implements ISignatureConnector { if (cmsSignature != null) { try { - return base64.decode(cmsSignature); + byte[] cmsSignatureData = base64.decode(cmsSignature); + + VerifyResult verifyResult = SignatureUtils.verifySignature(cmsSignatureData, input); + + if(!StreamUtils.dataCompare(requestedSignature.getCertificate().getFingerprintSHA(), + verifyResult.getSignerCertificate().getFingerprintSHA())) { + throw new PdfAsSignatureException("Certificates missmatch!"); + } + + return cmsSignatureData; } catch(Exception e) { throw new PdfAsException("error.pdf.io.07", e); } -- cgit v1.2.3
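Review bot: The `PdfAsSignatureException` thrown for a certificate mismatch is raised inside the `try` whose `catch(Exception e)` rewraps everything as `PdfAsException("error.pdf.io.07", e)`, so a signature that fails the integrity check surfaces to the caller as an I/O error. A failure thrown by `SignatureUtils.verifySignature` takes the same path. Adding `} catch (PdfAsException e) { throw e;` ahead of the generic catch would keep the signature error type and key intact, assuming `PdfAsSignatureException` extends `PdfAsException` as the `throws` clause of the other connector suggests. The enclosing `sign` method starts and ends outside this hunk.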