From 0bfafff409078ef49b2d4a0d71405e8f5b0eb078 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 10 Jul 2014 12:58:25 +0200 Subject: Implemented Verification level (Full incl. Certificate Path, and Integrity Only) --- .../at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java | 194 ++------------------- .../sigs/pkcs7detached/PKCS7DetachedVerifier.java | 75 ++------ 2 files changed, 27 insertions(+), 242 deletions(-) (limited to 'signature-standards') diff --git a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java index 2df2368e..d1e185ab 100644 --- a/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java +++ b/signature-standards/sigs-pades/src/main/java/at/gv/egiz/pdfas/sigs/pades/PAdESVerifier.java @@ -23,41 +23,21 @@ ******************************************************************************/ package at.gv.egiz.pdfas.sigs.pades; -import iaik.x509.X509Certificate; - import java.util.ArrayList; -import java.util.Calendar; import java.util.Date; import java.util.List; -import javax.activation.DataHandler; -import javax.xml.bind.JAXBElement; - -import org.apache.axis2.databinding.types.Token; import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import at.gv.egiz.dsig.X509DataType; -import at.gv.egiz.dsig.util.DsigMarschaller; -import at.gv.egiz.moa.ByteArrayDataSource; -import at.gv.egiz.moa.SignatureVerificationServiceStub; -import at.gv.egiz.moa.SignatureVerificationServiceStub.CMSContentBaseType; -import at.gv.egiz.moa.SignatureVerificationServiceStub.CMSDataObjectOptionalMetaType; -import at.gv.egiz.moa.SignatureVerificationServiceStub.KeyInfoTypeChoice; -import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureRequest; -import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureResponse; -import at.gv.egiz.moa.SignatureVerificationServiceStub.VerifyCMSSignatureResponseTypeSequence; -import at.gv.egiz.moa.SignatureVerificationServiceStub.X509DataTypeSequence; import at.gv.egiz.pdfas.common.exceptions.PdfAsException; -import at.gv.egiz.pdfas.common.messages.CodesResolver; import at.gv.egiz.pdfas.common.utils.PDFUtils; -import at.gv.egiz.pdfas.common.utils.StreamUtils; import at.gv.egiz.pdfas.lib.api.Configuration; import at.gv.egiz.pdfas.lib.api.verify.VerifyResult; import at.gv.egiz.pdfas.lib.impl.verify.FilterEntry; +import at.gv.egiz.pdfas.lib.impl.verify.IVerifier; import at.gv.egiz.pdfas.lib.impl.verify.IVerifyFilter; -import at.gv.egiz.pdfas.lib.impl.verify.SignatureCheckImpl; import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl; public class PAdESVerifier implements IVerifyFilter { @@ -76,169 +56,19 @@ public class PAdESVerifier implements IVerifyFilter { @SuppressWarnings("rawtypes") public List verify(byte[] contentData, - byte[] signatureContent, Date verificationTime, int[] byteRange) + byte[] signatureContent, Date verificationTime, int[] byteRange, IVerifier verifier) throws PdfAsException { - - List resultList = new ArrayList(); - try { - logger.info("verification with MOA @ " + this.moaEndpoint); - - SignatureVerificationServiceStub service = new SignatureVerificationServiceStub( - this.moaEndpoint); - VerifyCMSSignatureRequest verifyCMSSignatureRequest = new VerifyCMSSignatureRequest(); - Token token = new Token(); - token.setValue(this.moaTrustProfile); - verifyCMSSignatureRequest.setTrustProfileID(token); - - byte[] data = contentData; - byte[] signature = signatureContent; - - CMSDataObjectOptionalMetaType cmsDataObjectOptionalMetaType = new CMSDataObjectOptionalMetaType(); - CMSContentBaseType cmsDataContent = new CMSContentBaseType(); - cmsDataContent.setBase64Content(new DataHandler( - new ByteArrayDataSource(data, "application/pdf"))); - DataHandler cmsSignature = new DataHandler(new ByteArrayDataSource( - signature, "application/pdf")); - cmsDataObjectOptionalMetaType.setContent(cmsDataContent); - verifyCMSSignatureRequest.setCMSSignature(cmsSignature); - verifyCMSSignatureRequest - .setDataObject(cmsDataObjectOptionalMetaType); - if (verificationTime != null) { - Calendar cal = Calendar.getInstance(); - cal.setTime(verificationTime); - verifyCMSSignatureRequest.setDateTime(cal); - } - // cmsDataObjectOptionalMetaType. - VerifyCMSSignatureResponse response = service - .verifyCMSSignature(verifyCMSSignatureRequest); - - logger.debug("Got Verify Response from MOA"); - - VerifyCMSSignatureResponseTypeSequence[] verifySequence = response - .getVerifyCMSSignatureResponse() - .getVerifyCMSSignatureResponseTypeSequence(); - for (int i = 0; i < verifySequence.length; i++) { - VerifyResultImpl result = new VerifyResultImpl(); - logger.debug(" ---------------------- "); - logger.debug("Signature: " + i); - - SignatureCheckImpl certificateCheck; - - verifySequence[i].getSignerInfo().getKeyInfoTypeChoice()[0] - .getExtraElement(); - if (verifySequence[i].getCertificateCheck() != null) { - certificateCheck = new SignatureCheckImpl(verifySequence[i] - .getCertificateCheck().getCode().intValue(), - verifySequence[i].getCertificateCheck() - .isInfoSpecified() ? verifySequence[i] - .getCertificateCheck().getInfo().toString() - : ""); - } else { - certificateCheck = new SignatureCheckImpl( - 1, - ""); - } - - if(certificateCheck.getMessage() == null || certificateCheck.getMessage().trim().length() == 0) { - String resourceString = "verify.cert." + certificateCheck.getCode(); - String message = CodesResolver.resolveMessage(resourceString); - certificateCheck.setMessage(message); - } - - logger.debug("Certificate Check: " + certificateCheck.getCode() + " [" + certificateCheck.getMessage() + "]"); - - SignatureCheckImpl signatureCheck = new SignatureCheckImpl( - verifySequence[i].getSignatureCheck().getCode() - .intValue(), - verifySequence[i].getSignatureCheck().isInfoSpecified() ? verifySequence[i] - .getSignatureCheck().getInfo().toString() - : ""); - - if(signatureCheck.getMessage() == null || signatureCheck.getMessage().trim().length() == 0) { - String resourceString = "verify.value." + signatureCheck.getCode(); - String message = CodesResolver.resolveMessage(resourceString); - signatureCheck.setMessage(message); - } - - logger.debug("Signature Check: " + signatureCheck.getCode() + " [" + signatureCheck.getMessage() + "]"); - - result.setCertificateCheck(certificateCheck); - result.setValueCheckCode(signatureCheck); - result.setVerificationDone(true); - - KeyInfoTypeChoice[] keyInfo = verifySequence[i].getSignerInfo() - .getKeyInfoTypeChoice(); - KeyInfoTypeChoice choice = keyInfo[0]; - result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange)); - - // extract certificate - if (choice.isX509DataSpecified()) { - byte[] certData = null; - X509DataTypeSequence[] x509Sequence = choice.getX509Data() - .getX509DataTypeSequence(); - for (int k = 0; k < x509Sequence.length; k++) { - X509DataTypeSequence x509Data = x509Sequence[k]; - if (x509Data.getX509DataTypeChoice_type0() - .isX509CertificateSpecified()) { - DataHandler handler = x509Data - .getX509DataTypeChoice_type0() - .getX509Certificate(); - certData = StreamUtils - .inputStreamToByteArray(handler - .getInputStream()); - } else if (x509Data.getX509DataTypeChoice_type0() - .isExtraElementSpecified()) { - if (x509Data - .getX509DataTypeChoice_type0() - .getExtraElement() - .getLocalName() - .equals(SignatureVerificationServiceStub.QualifiedCertificate.MY_QNAME - .getLocalPart())) { - result.setQualifiedCertificate(true); - } - } - } - X509Certificate certificate = new X509Certificate(certData); - result.setSignerCertificate(certificate); - } else if (choice.isExtraElementSpecified()) { - String xmldisg = choice.getExtraElement().toString(); - JAXBElement jaxbElement = (JAXBElement) DsigMarschaller - .unmarshalFromString(xmldisg); - if (jaxbElement.getValue() instanceof X509DataType) { - X509DataType x509Data = (X509DataType) jaxbElement - .getValue(); - List dsigElements = x509Data - .getX509IssuerSerialOrX509SKIOrX509SubjectName(); - for (int j = 0; j < dsigElements.size(); j++) { - Object jaxElement = dsigElements.get(j); - if (jaxElement instanceof JAXBElement) { - JAXBElement jaxbElementMember = (JAXBElement) jaxElement; - if (jaxbElementMember - .getName() - .equals(DsigMarschaller.X509DataTypeX509Certificate_QNAME)) { - if (jaxbElementMember.getValue() instanceof byte[]) { - byte[] certData = (byte[]) jaxbElementMember - .getValue(); - X509Certificate certificate = new X509Certificate( - certData); - result.setSignerCertificate(certificate); - break; - } - } - } - } - } - } - - resultList.add(result); - - logger.debug(" ---------------------- "); - } - } catch (Throwable e) { - logger.error("Verification failed", e); - throw new PdfAsException("error.pdf.verify.02", e); + + byte[] data = contentData; + byte[] signature = signatureContent; + + List verifieResults = verifier.verify(signature, data, verificationTime); + for(int i =0; i < verifieResults.size();i++) { + VerifyResultImpl result = (VerifyResultImpl)verifieResults.get(i); + result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange)); } - return resultList; + + return verifieResults; } public List getFiters() { diff --git a/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java b/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java index bef034b1..fb7fa5ab 100644 --- a/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java +++ b/signature-standards/sigs-pkcs7detached/src/main/java/at/gv/egiz/pdfas/sigs/pkcs7detached/PKCS7DetachedVerifier.java @@ -46,6 +46,7 @@ import at.gv.egiz.pdfas.common.utils.PDFUtils; import at.gv.egiz.pdfas.lib.api.Configuration; import at.gv.egiz.pdfas.lib.api.verify.VerifyResult; import at.gv.egiz.pdfas.lib.impl.verify.FilterEntry; +import at.gv.egiz.pdfas.lib.impl.verify.IVerifier; import at.gv.egiz.pdfas.lib.impl.verify.IVerifyFilter; import at.gv.egiz.pdfas.lib.impl.verify.SignatureCheckImpl; import at.gv.egiz.pdfas.lib.impl.verify.VerifyResultImpl; @@ -57,68 +58,22 @@ public class PKCS7DetachedVerifier implements IVerifyFilter { public PKCS7DetachedVerifier() { } - public List verify(byte[] contentData, byte[] signatureContent, Date verificationTime, int[] byteRange) + public List verify(byte[] contentData, byte[] signatureContent, + Date verificationTime, int[] byteRange, IVerifier verifier) throws PdfAsException { - try { - List result = new ArrayList(); - - SignedData signedData = new SignedData(contentData, new AlgorithmID[] { - AlgorithmID.sha256, AlgorithmID.sha1, AlgorithmID.ripeMd160, AlgorithmID.ripeMd160_ISO - }); - ContentInfo ci = new ContentInfo(new ByteArrayInputStream( - signatureContent)); - if (!ci.getContentType().equals(ObjectID.cms_signedData)) { - throw new PdfAsException("error.pdf.verify.01"); - } - //SignedData signedData = (SignedData)ci.getContent(); - //signedData.setContent(contentData); - - signedData.decode(ci.getContentInputStream()); - - // get the signer infos - SignerInfo[] signerInfos = signedData.getSignerInfos(); - // verify the signatures - for (int i = 0; i < signerInfos.length; i++) { - VerifyResultImpl verifyResult = new VerifyResultImpl(); - verifyResult.setSignatureData(PDFUtils.blackOutSignature(contentData, byteRange)); - try { - // verify the signature for SignerInfo at index i - X509Certificate signer_cert = signedData.verify(i); - logger.info("Signature Algo: {}, Digest {}", - signedData.getSignerInfos()[i].getSignatureAlgorithm(), - signedData.getSignerInfos()[i].getDigestAlgorithm()); - // if the signature is OK the certificate of the - // signer is returned - logger.info("Signature OK from signer: " - + signer_cert.getSubjectDN()); - verifyResult.setSignerCertificate(signer_cert); - verifyResult.setValueCheckCode(new SignatureCheckImpl(0, "OK")); - verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked")); - verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked")); - verifyResult.setVerificationDone(true); - } catch (SignatureException ex) { - // if the signature is not OK a SignatureException - // is thrown - logger.info("Signature ERROR from signer: " - + signedData.getCertificate( - signerInfos[i].getSignerIdentifier()) - .getSubjectDN(), ex); - - verifyResult.setSignerCertificate( - signedData.getCertificate(signerInfos[i].getSignerIdentifier())); - verifyResult.setValueCheckCode(new SignatureCheckImpl(1, "failed to check signature")); - verifyResult.setManifestCheckCode(new SignatureCheckImpl(99, "not checked")); - verifyResult.setCertificateCheck(new SignatureCheckImpl(99, "not checked")); - verifyResult.setVerificationDone(false); - verifyResult.setVerificationException(new PdfAsSignatureException("failed to check signature", ex)); - } - result.add(verifyResult); - } - - return result; - } catch (Throwable e) { - throw new PdfAsException("error.pdf.verify.02", e); + + byte[] data = contentData; + byte[] signature = signatureContent; + + List verifieResults = verifier.verify(signature, data, verificationTime); + for(int i =0; i < verifieResults.size();i++) { + VerifyResultImpl result = (VerifyResultImpl)verifieResults.get(i); + result.setSignatureData(PDFUtils.blackOutSignature(data, byteRange)); } + + return verifieResults; + + } public List getFiters() { -- cgit v1.2.3