List of usage examples for org.bouncycastle.cert.ocsp BasicOCSPResp getProducedAt
public Date getProducedAt()
From source file:com.swisscom.ais.itext.PDF.java
License:Open Source License
/** * Add external revocation information to DSS Dictionary, to enable Long Term Validation (LTV) in Adobe Reader * /*from ww w . j a va2 s. c om*/ * @param ocspArr List of OCSP Responses as base64 encoded String * @param crlArr List of CRLs as base64 encoded String * @throws Exception */ public void addValidationInformation(ArrayList<String> ocspArr, ArrayList<String> crlArr) throws Exception { if (ocspArr == null && crlArr == null) return; PdfReader reader = new PdfReader(outputFilePath); // Check if source pdf is not protected by a certification if (reader.getCertificationLevel() == PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED) throw new Exception( "Could not apply revocation information (LTV) to the DSS Dictionary. Document contains a certification that does not allow any changes."); Collection<byte[]> ocspColl = new ArrayList<byte[]>(); Collection<byte[]> crlColl = new ArrayList<byte[]>(); // Decode each OCSP Response (String of base64 encoded form) and add it to the Collection (byte[]) if (ocspArr != null) { for (String ocspBase64 : ocspArr) { OCSPResp ocspResp = new OCSPResp(new ByteArrayInputStream(Base64.decode(ocspBase64))); BasicOCSPResp basicResp = (BasicOCSPResp) ocspResp.getResponseObject(); if (Soap._debugMode) { System.out.println("\nEmbedding OCSP Response..."); System.out.println("Status : " + ((ocspResp.getStatus() == 0) ? "GOOD" : "BAD")); System.out.println("Produced at : " + basicResp.getProducedAt()); System.out.println("This Update : " + basicResp.getResponses()[0].getThisUpdate()); System.out.println("Next Update : " + basicResp.getResponses()[0].getNextUpdate()); System.out.println("X509 Cert Issuer : " + basicResp.getCerts()[0].getIssuer()); System.out.println("X509 Cert Subject : " + basicResp.getCerts()[0].getSubject()); System.out.println( "Responder ID X500Name : " + basicResp.getResponderId().toASN1Object().getName()); System.out.println("Certificate ID : " + basicResp.getResponses()[0].getCertID().getSerialNumber().toString() + " (" + basicResp.getResponses()[0].getCertID().getSerialNumber().toString(16).toUpperCase() + ")"); } ocspColl.add(basicResp.getEncoded()); // Add Basic OCSP Response to Collection (ASN.1 encoded representation of this object) } } // Decode each CRL (String of base64 encoded form) and add it to the Collection (byte[]) if (crlArr != null) { for (String crlBase64 : crlArr) { X509CRL x509crl = (X509CRL) CertificateFactory.getInstance("X.509") .generateCRL(new ByteArrayInputStream(Base64.decode(crlBase64))); if (Soap._debugMode) { System.out.println("\nEmbedding CRL..."); System.out.println("IssuerDN : " + x509crl.getIssuerDN()); System.out.println("This Update : " + x509crl.getThisUpdate()); System.out.println("Next Update : " + x509crl.getNextUpdate()); System.out.println( "No. of Revoked Certificates : " + ((x509crl.getRevokedCertificates() == null) ? "0" : x509crl.getRevokedCertificates().size())); } crlColl.add(x509crl.getEncoded()); // Add CRL to Collection (ASN.1 DER-encoded form of this CRL) } } byteArrayOutputStream = new ByteArrayOutputStream(); PdfStamper stamper = new PdfStamper(reader, byteArrayOutputStream, '\0', true); LtvVerification validation = stamper.getLtvVerification(); // Add the CRL/OCSP validation information to the DSS Dictionary boolean addVerification = false; for (String sigName : stamper.getAcroFields().getSignatureNames()) { addVerification = validation.addVerification(sigName, // Signature Name ocspColl, // OCSP crlColl, // CRL null // certs ); } validation.merge(); // Merges the validation with any validation already in the document or creates a new one. stamper.close(); reader.close(); // Save to (same) file OutputStream outputStream = new FileOutputStream(outputFilePath); byteArrayOutputStream.writeTo(outputStream); if (Soap._debugMode) { if (addVerification) System.out.println("\nOK merging LTV validation information to " + outputFilePath); else System.out.println("\nFAILED merging LTV validation information to " + outputFilePath); } byteArrayOutputStream.close(); outputStream.close(); }
From source file:controller.CCInstance.java
License:Open Source License
public final ArrayList<SignatureValidation> validatePDF(final String file, final ValidationListener vl) throws IOException, DocumentException, GeneralSecurityException { this.validating = true; final PdfReader reader = new PdfReader(file); final AcroFields af = reader.getAcroFields(); final ArrayList names = af.getSignatureNames(); final ArrayList<SignatureValidation> validateList = new ArrayList<>(); X509Certificate x509c = null; Security.setProperty("ocsp.enable", "true"); System.setProperty("com.sun.security.enableCRLDP", "true"); boolean nextValid = true; for (Object o : names) { if (!validating) { return null; }/*from w ww . j a v a2 s .c o m*/ final String name = (String) o; final PdfPKCS7 pk = af.verifySignature(name, "BC"); final Certificate pkc[] = pk.getCertificates(); x509c = (X509Certificate) pkc[pkc.length - 1]; final Certificate[] aL = pkc;//getCompleteCertificateChain(x509c); if (null == aL || 0 == aL.length) { return null; } CertificateStatus ocspCertificateStatus = CertificateStatus.UNCHECKED; BasicOCSPResp ocspResp = pk.getOcsp(); if (null != ocspResp && pk.isRevocationValid()) { for (SingleResp singleResp : ocspResp.getResponses()) { if (null == singleResp.getCertStatus()) { ocspCertificateStatus = CertificateStatus.OK; } else if (singleResp.getCertStatus() instanceof RevokedStatus) { if (ocspResp.getProducedAt() .before(((RevokedStatus) singleResp.getCertStatus()).getRevocationTime())) { ocspCertificateStatus = CertificateStatus.OK; } else { ocspCertificateStatus = CertificateStatus.REVOKED; } } else if (singleResp.getCertStatus() instanceof UnknownStatus) { ocspCertificateStatus = CertificateStatus.UNKNOWN; } } } CertificateStatus crlCertificateStatus = CertificateStatus.UNCHECKED; Collection<CRL> crlResp = pk.getCRLs(); if (null != crlResp) { boolean revoked = false; for (CRL crl : crlResp) { if (crl.isRevoked(x509c)) { revoked = true; } } crlCertificateStatus = revoked ? CertificateStatus.REVOKED : CertificateStatus.OK; } if (ocspCertificateStatus.equals(CertificateStatus.UNCHECKED) && crlCertificateStatus.equals(CertificateStatus.UNCHECKED)) { if (pkc.length == 1) { Certificate[] completeChain = getCompleteTrustedCertificateChain(x509c); if (completeChain.length == 1) { ocspCertificateStatus = CertificateStatus.UNCHAINED; } else { ocspCertificateStatus = CertificateStatus.CHAINED_LOCALLY; } } } final TimeStampToken tst = pk.getTimeStampToken(); boolean validTimestamp = false; if (null != tst) { final boolean hasTimestamp = pk.verifyTimestampImprint(); validTimestamp = hasTimestamp && CertificateVerification.verifyTimestampCertificates(tst, ks, null); } PdfDictionary pdfDic = reader.getAcroFields().getSignatureDictionary(name); SignaturePermissions sp = new SignaturePermissions(pdfDic, null); boolean isValid; if (nextValid) { isValid = pk.verify(); } else { isValid = false; } List<AcroFields.FieldPosition> posList = af.getFieldPositions(name); final SignatureValidation signature = new SignatureValidation(file, name, pk, !pk.verify(), af.signatureCoversWholeDocument(name), af.getRevision(name), af.getTotalRevisions(), reader.getCertificationLevel(), ocspCertificateStatus, crlCertificateStatus, validTimestamp, posList, sp, isValid); validateList.add(signature); if (null != vl) { vl.onValidationComplete(signature); } if (!sp.isFillInAllowed()) { nextValid = false; } } return validateList; }
From source file:eu.europa.ec.markt.dss.signature.xades.XAdESLevelC.java
License:Open Source License
/** * @param completeRevocationRefsDom//from w ww .ja va2 s.co m * @param processedRevocationTokens * @throws eu.europa.ec.markt.dss.exception.DSSException */ private void incorporateOCSPRefs(final Element completeRevocationRefsDom, final Set<RevocationToken> processedRevocationTokens) throws DSSException { if (processedRevocationTokens.isEmpty()) { return; } // ...<xades:CRLRefs/> // ...<xades:OCSPRefs> // ......<xades:OCSPRef> // .........<xades:OCSPIdentifier> // ............<xades:ResponderID> // ...............<xades:ByName>C=AA,O=DSS,CN=OCSP A</xades:ByName> // ............</xades:ResponderID> // ............<xades:ProducedAt>2013-11-25T12:33:34.000+01:00</xades:ProducedAt> // .........</xades:OCSPIdentifier> // .........<xades:DigestAlgAndValue> // ............<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> // ............<ds:DigestValue>O1uHdchN+zFzbGrBg2FP3/idD0k=</ds:DigestValue> final Element ocspRefsDom = DSSXMLUtils.addElement(documentDom, completeRevocationRefsDom, XAdESNamespaces.XAdES, "xades:OCSPRefs"); for (RevocationToken revocationToken : processedRevocationTokens) { if (revocationToken instanceof OCSPToken) { BasicOCSPResp basicOcspResp = ((OCSPToken) revocationToken).getBasicOCSPResp(); final Element ocspRefDom = DSSXMLUtils.addElement(documentDom, ocspRefsDom, XAdESNamespaces.XAdES, "xades:OCSPRef"); final Element ocspIdentifierDom = DSSXMLUtils.addElement(documentDom, ocspRefDom, XAdESNamespaces.XAdES, "xades:OCSPIdentifier"); final Element responderIDDom = DSSXMLUtils.addElement(documentDom, ocspIdentifierDom, XAdESNamespaces.XAdES, "xades:ResponderID"); final RespID responderId = basicOcspResp.getResponderId(); final ResponderID responderIdAsASN1Object = responderId.toASN1Object(); final DERTaggedObject derTaggedObject = (DERTaggedObject) responderIdAsASN1Object.toASN1Primitive(); if (2 == derTaggedObject.getTagNo()) { final ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject(); final byte[] keyHashOctetStringBytes = keyHashOctetString.getOctets(); final String base65EncodedKeyHashOctetStringBytes = DSSUtils .base64Encode(keyHashOctetStringBytes); DSSXMLUtils.addTextElement(documentDom, responderIDDom, XAdESNamespaces.XAdES, "xades:ByKey", base65EncodedKeyHashOctetStringBytes); } else { final ASN1Primitive derObject = derTaggedObject.getObject(); final X500Name name = X500Name.getInstance(derObject); DSSXMLUtils.addTextElement(documentDom, responderIDDom, XAdESNamespaces.XAdES, "xades:ByName", name.toString()); } final Date producedAt = basicOcspResp.getProducedAt(); final XMLGregorianCalendar xmlGregorianCalendar = DSSXMLUtils .createXMLGregorianCalendar(producedAt); final String producedAtXmlEncoded = xmlGregorianCalendar.toXMLFormat(); DSSXMLUtils.addTextElement(documentDom, ocspIdentifierDom, XAdESNamespaces.XAdES, "xades:ProducedAt", producedAtXmlEncoded); final Element digestAlgAndValueDom = DSSXMLUtils.addElement(documentDom, ocspRefDom, XAdESNamespaces.XAdES, "xades:DigestAlgAndValue"); // TODO: to be added as field to eu.europa.ec.markt.dss.parameter.SignatureParameters. DigestAlgorithm digestAlgorithm = DigestAlgorithm.SHA1; incorporateDigestMethod(digestAlgAndValueDom, digestAlgorithm); final InMemoryDocument inMemoryDocument = new InMemoryDocument(revocationToken.getEncoded()); incorporateDigestValue(digestAlgAndValueDom, digestAlgorithm, inMemoryDocument); } } }
From source file:eu.europa.ec.markt.dss.validation102853.ocsp.OCSPRef.java
License:Open Source License
/** * @param ocspResp/* ww w.ja va 2 s .c o m*/ * @return */ public boolean match(BasicOCSPResp ocspResp) { try { MessageDigest digest = DSSUtils.getMessageDigest(digestAlgorithm); if (matchOnlyBasicOCSPResponse) { digest.update(ocspResp.getEncoded()); } else { digest.update(DSSRevocationUtils.fromBasicToResp(ocspResp).getEncoded()); } byte[] computedValue = digest.digest(); if (LOG.isInfoEnabled()) LOG.info("Compare " + DSSUtils.encodeHexString(digestValue) + " to computed value " + DSSUtils.encodeHexString(computedValue) + " of " + "BasicOCSPResp produced at " + ocspResp.getProducedAt()); return Arrays.equals(digestValue, computedValue); } catch (NoSuchAlgorithmException ex) { throw new RuntimeException("Maybe BouncyCastle provider is not installed ?", ex); } catch (IOException ex) { throw new RuntimeException(ex); } }
From source file:eu.europa.ec.markt.dss.validation102853.OCSPCertificateVerifier.java
License:Open Source License
@Override public RevocationToken check(final CertificateToken toCheckToken) { if (ocspSource == null) { LOG.warn("OCSPSource null"); toCheckToken.extraInfo().infoOCSPSourceIsNull(); return null; }/* w w w . j a v a2 s .c o m*/ try { final X509Certificate issuerCert = toCheckToken.getIssuerToken().getCertificate(); final X509Certificate toCheckCert = toCheckToken.getCertificate(); final BasicOCSPResp basicOCSPResp = ocspSource.getOCSPResponse(toCheckCert, issuerCert); if (basicOCSPResp == null) { String uri = ""; if (ocspSource instanceof OnlineOCSPSource) { uri = ((OnlineOCSPSource) ocspSource).getAccessLocation(toCheckCert); toCheckToken.extraInfo().infoNoOCSPResponse(uri); } if (LOG.isInfoEnabled()) { LOG.info("OCSP response not found for " + toCheckToken.getDSSIdAsString() + " [" + uri + "]"); } return null; } final BigInteger serialNumber = toCheckCert.getSerialNumber(); final X509CertificateHolder x509CertificateHolder = new X509CertificateHolder( DSSUtils.getEncoded(issuerCert)); final DigestCalculator digestCalculator = DSSUtils.getSHA1DigestCalculator(); final CertificateID certificateId = new CertificateID(digestCalculator, x509CertificateHolder, serialNumber); final SingleResp[] singleResps = basicOCSPResp.getResponses(); for (final SingleResp singleResp : singleResps) { if (!DSSRevocationUtils.matches(certificateId, singleResp)) { continue; } if (LOG.isDebugEnabled()) { LOG.debug("OCSP thisUpdate: " + singleResp.getThisUpdate()); LOG.debug("OCSP nextUpdate: " + singleResp.getNextUpdate()); } final OCSPToken ocspToken = new OCSPToken(basicOCSPResp, validationCertPool); if (ocspSource instanceof OnlineOCSPSource) { ocspToken.setSourceURI(((OnlineOCSPSource) ocspSource).getAccessLocation(toCheckCert)); } ocspToken.setIssuingTime(basicOCSPResp.getProducedAt()); toCheckToken.setRevocationToken(ocspToken); final Object certStatus = singleResp.getCertStatus(); if (certStatus == null) { if (LOG.isInfoEnabled()) { LOG.info("OCSP OK for: " + toCheckToken.getDSSIdAsString()); if (LOG.isTraceEnabled()) { LOG.trace("CertificateToken:\n{}", toCheckToken.toString()); } } ocspToken.setStatus(true); } else { if (LOG.isInfoEnabled()) { LOG.info("OCSP certificate status: " + certStatus.getClass().getName()); } if (certStatus instanceof RevokedStatus) { if (LOG.isInfoEnabled()) { LOG.info("OCSP status revoked"); } final RevokedStatus revokedStatus = (RevokedStatus) certStatus; ocspToken.setStatus(false); ocspToken.setRevocationDate(revokedStatus.getRevocationTime()); final int reasonId = revokedStatus.getRevocationReason(); final CRLReason crlReason = CRLReason.lookup(reasonId); ocspToken.setReason(crlReason.toString()); } else if (certStatus instanceof UnknownStatus) { if (LOG.isInfoEnabled()) { LOG.info("OCSP status unknown"); } ocspToken.setReason("OCSP status: unknown"); } } return ocspToken; } } catch (DSSException e) { LOG.error("OCSP DSS Exception: " + e.getMessage(), e); toCheckToken.extraInfo().infoOCSPException(e); return null; } catch (OCSPException e) { LOG.error("OCSP Exception: " + e.getMessage()); toCheckToken.extraInfo().infoOCSPException(e); throw new DSSException(e); } catch (IOException e) { throw new DSSException(e); } if (LOG.isInfoEnabled()) { LOG.debug("No matching OCSP response entry"); } toCheckToken.extraInfo().infoNoOCSPResponse(null); return null; }
From source file:eu.europa.ec.markt.dss.validation102853.OCSPToken.java
License:Open Source License
/** * The default constructor for OCSPToken. * * @param basicOCSPResp The basic OCSP response. * @param certificatePool The certificate pool used to validate/hold the certificate used to sign this OCSP response. *///from ww w .ja v a2 s .com public OCSPToken(final BasicOCSPResp basicOCSPResp, final CertificatePool certificatePool) { if (basicOCSPResp == null) { throw new DSSNullException(BasicOCSPResp.class); } if (certificatePool == null) { throw new DSSNullException(CertificatePool.class); } this.basicOCSPResp = basicOCSPResp; final ASN1ObjectIdentifier signatureAlgOID = basicOCSPResp.getSignatureAlgOID(); final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.forOID(signatureAlgOID.getId()); this.algorithmUsedToSignToken = signatureAlgorithm; this.extraInfo = new TokenValidationExtraInfo(); try { for (final X509CertificateHolder x509CertificateHolder : basicOCSPResp.getCerts()) { final byte[] encoded = x509CertificateHolder.getEncoded(); final X509Certificate x509Certificate = DSSUtils.loadCertificate(encoded); final CertificateToken certToken = certificatePool.getInstance(x509Certificate, CertificateSourceType.OCSP_RESPONSE); if (isSignedBy(certToken)) { break; } } } catch (IOException e) { throw new DSSException(e); } if (LOG.isInfoEnabled()) { LOG.info("OCSP token, produced at '" + DSSUtils.formatInternal(basicOCSPResp.getProducedAt()) + "' added."); } }
From source file:eu.europa.esig.dss.validation.OCSPRef.java
License:Open Source License
/** * @param ocspResp//from www. ja v a2 s . co m * @return */ public boolean match(final BasicOCSPResp ocspResp) { if (digestAlgorithm == null) { // -444 return false; } try { MessageDigest digest = DSSUtils.getMessageDigest(digestAlgorithm); if (matchOnlyBasicOCSPResponse) { digest.update(ocspResp.getEncoded()); } else { digest.update(DSSRevocationUtils.fromBasicToResp(ocspResp).getEncoded()); } byte[] computedValue = digest.digest(); if (LOG.isInfoEnabled()) { LOG.info("Compare " + Hex.encodeHexString(digestValue) + " to computed value " + Hex.encodeHexString(computedValue) + " of " + "BasicOCSPResp produced at " + ocspResp.getProducedAt()); } return Arrays.equals(digestValue, computedValue); } catch (IOException e) { throw new DSSException(e); } }
From source file:eu.europa.esig.dss.x509.OCSPToken.java
License:Open Source License
/** * The default constructor for OCSPToken. * * @param basicOCSPResp The basic OCSP response. * @param singleResp/* w ww. j av a2 s .c o m*/ */ public OCSPToken(final BasicOCSPResp basicOCSPResp, final SingleResp singleResp) { if (basicOCSPResp == null) { throw new NullPointerException(); } if (singleResp == null) { throw new NullPointerException(); } this.basicOCSPResp = basicOCSPResp; this.singleResp = singleResp; this.issuingTime = basicOCSPResp.getProducedAt(); setStatus(singleResp.getCertStatus()); final ASN1ObjectIdentifier signatureAlgOID = basicOCSPResp.getSignatureAlgOID(); final SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.forOID(signatureAlgOID.getId()); this.signatureAlgorithm = signatureAlgorithm; this.extraInfo = new TokenValidationExtraInfo(); if (logger.isTraceEnabled()) { logger.trace("OCSP token, produced at '" + DSSUtils.formatInternal(issuingTime) + "' created."); } }
From source file:eu.europa.esig.dss.xades.signature.XAdESLevelC.java
License:Open Source License
/** * @param completeRevocationRefsDom//from w w w . j a v a 2 s. c om * @param processedRevocationTokens * @throws eu.europa.esig.dss.DSSException */ private void incorporateOCSPRefs(final Element completeRevocationRefsDom, final Set<RevocationToken> processedRevocationTokens) throws DSSException { if (processedRevocationTokens.isEmpty()) { return; } boolean containsOCSPToken = false; for (RevocationToken revocationToken : processedRevocationTokens) { containsOCSPToken = revocationToken instanceof OCSPToken; if (containsOCSPToken) { break; } } if (!containsOCSPToken) { return; } // ...<xades:CRLRefs/> // ...<xades:OCSPRefs> // ......<xades:OCSPRef> // .........<xades:OCSPIdentifier> // ............<xades:ResponderID> // ...............<xades:ByName>C=AA,O=DSS,CN=OCSP A</xades:ByName> // ............</xades:ResponderID> // ............<xades:ProducedAt>2013-11-25T12:33:34.000+01:00</xades:ProducedAt> // .........</xades:OCSPIdentifier> // .........<xades:DigestAlgAndValue> // ............<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> // ............<ds:DigestValue>O1uHdchN+zFzbGrBg2FP3/idD0k=</ds:DigestValue> final Element ocspRefsDom = DSSXMLUtils.addElement(documentDom, completeRevocationRefsDom, XAdESNamespaces.XAdES, "xades:OCSPRefs"); for (RevocationToken revocationToken : processedRevocationTokens) { if (revocationToken instanceof OCSPToken) { BasicOCSPResp basicOcspResp = ((OCSPToken) revocationToken).getBasicOCSPResp(); final Element ocspRefDom = DSSXMLUtils.addElement(documentDom, ocspRefsDom, XAdESNamespaces.XAdES, "xades:OCSPRef"); final Element ocspIdentifierDom = DSSXMLUtils.addElement(documentDom, ocspRefDom, XAdESNamespaces.XAdES, "xades:OCSPIdentifier"); final Element responderIDDom = DSSXMLUtils.addElement(documentDom, ocspIdentifierDom, XAdESNamespaces.XAdES, "xades:ResponderID"); final RespID responderId = basicOcspResp.getResponderId(); final ResponderID responderIdAsASN1Object = responderId.toASN1Primitive(); final DERTaggedObject derTaggedObject = (DERTaggedObject) responderIdAsASN1Object.toASN1Primitive(); if (2 == derTaggedObject.getTagNo()) { final ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject(); final byte[] keyHashOctetStringBytes = keyHashOctetString.getOctets(); final String base65EncodedKeyHashOctetStringBytes = Base64 .encodeBase64String(keyHashOctetStringBytes); DSSXMLUtils.addTextElement(documentDom, responderIDDom, XAdESNamespaces.XAdES, "xades:ByKey", base65EncodedKeyHashOctetStringBytes); } else { final ASN1Primitive derObject = derTaggedObject.getObject(); final X500Name name = X500Name.getInstance(derObject); DSSXMLUtils.addTextElement(documentDom, responderIDDom, XAdESNamespaces.XAdES, "xades:ByName", name.toString()); } final Date producedAt = basicOcspResp.getProducedAt(); final XMLGregorianCalendar xmlGregorianCalendar = DSSXMLUtils .createXMLGregorianCalendar(producedAt); final String producedAtXmlEncoded = xmlGregorianCalendar.toXMLFormat(); DSSXMLUtils.addTextElement(documentDom, ocspIdentifierDom, XAdESNamespaces.XAdES, "xades:ProducedAt", producedAtXmlEncoded); final Element digestAlgAndValueDom = DSSXMLUtils.addElement(documentDom, ocspRefDom, XAdESNamespaces.XAdES, "xades:DigestAlgAndValue"); // TODO: to be added as field to eu.europa.esig.dss.AbstractSignatureParameters. DigestAlgorithm digestAlgorithm = DigestAlgorithm.SHA1; incorporateDigestMethod(digestAlgAndValueDom, digestAlgorithm); final InMemoryDocument inMemoryDocument = new InMemoryDocument(revocationToken.getEncoded()); incorporateDigestValue(digestAlgAndValueDom, digestAlgorithm, inMemoryDocument); } } }
From source file:org.apache.poi.poifs.crypt.dsig.facets.XAdESXLSignatureFacet.java
License:Apache License
@Override public void postSign(Document document) throws MarshalException { LOG.log(POILogger.DEBUG, "XAdES-X-L post sign phase"); QualifyingPropertiesDocument qualDoc = null; QualifyingPropertiesType qualProps = null; // check for XAdES-BES NodeList qualNl = document.getElementsByTagNameNS(XADES_132_NS, "QualifyingProperties"); if (qualNl.getLength() == 1) { try {// w w w . j a v a 2 s . co m qualDoc = QualifyingPropertiesDocument.Factory.parse(qualNl.item(0)); } catch (XmlException e) { throw new MarshalException(e); } qualProps = qualDoc.getQualifyingProperties(); } else { throw new MarshalException("no XAdES-BES extension present"); } // create basic XML container structure UnsignedPropertiesType unsignedProps = qualProps.getUnsignedProperties(); if (unsignedProps == null) { unsignedProps = qualProps.addNewUnsignedProperties(); } UnsignedSignaturePropertiesType unsignedSigProps = unsignedProps.getUnsignedSignatureProperties(); if (unsignedSigProps == null) { unsignedSigProps = unsignedProps.addNewUnsignedSignatureProperties(); } // create the XAdES-T time-stamp NodeList nlSigVal = document.getElementsByTagNameNS(XML_DIGSIG_NS, "SignatureValue"); if (nlSigVal.getLength() != 1) { throw new IllegalArgumentException("SignatureValue is not set."); } RevocationData tsaRevocationDataXadesT = new RevocationData(); LOG.log(POILogger.DEBUG, "creating XAdES-T time-stamp"); XAdESTimeStampType signatureTimeStamp = createXAdESTimeStamp(Collections.singletonList(nlSigVal.item(0)), tsaRevocationDataXadesT); // marshal the XAdES-T extension unsignedSigProps.addNewSignatureTimeStamp().set(signatureTimeStamp); // xadesv141::TimeStampValidationData if (tsaRevocationDataXadesT.hasRevocationDataEntries()) { ValidationDataType validationData = createValidationData(tsaRevocationDataXadesT); insertXChild(unsignedSigProps, validationData); } if (signatureConfig.getRevocationDataService() == null) { /* * Without revocation data service we cannot construct the XAdES-C * extension. */ return; } // XAdES-C: complete certificate refs CompleteCertificateRefsType completeCertificateRefs = unsignedSigProps.addNewCompleteCertificateRefs(); CertIDListType certIdList = completeCertificateRefs.addNewCertRefs(); /* * We skip the signing certificate itself according to section * 4.4.3.2 of the XAdES 1.4.1 specification. */ List<X509Certificate> certChain = signatureConfig.getSigningCertificateChain(); int chainSize = certChain.size(); if (chainSize > 1) { for (X509Certificate cert : certChain.subList(1, chainSize)) { CertIDType certId = certIdList.addNewCert(); XAdESSignatureFacet.setCertID(certId, signatureConfig, false, cert); } } // XAdES-C: complete revocation refs CompleteRevocationRefsType completeRevocationRefs = unsignedSigProps.addNewCompleteRevocationRefs(); RevocationData revocationData = signatureConfig.getRevocationDataService().getRevocationData(certChain); if (revocationData.hasCRLs()) { CRLRefsType crlRefs = completeRevocationRefs.addNewCRLRefs(); completeRevocationRefs.setCRLRefs(crlRefs); for (byte[] encodedCrl : revocationData.getCRLs()) { CRLRefType crlRef = crlRefs.addNewCRLRef(); X509CRL crl; try { crl = (X509CRL) this.certificateFactory.generateCRL(new ByteArrayInputStream(encodedCrl)); } catch (CRLException e) { throw new RuntimeException("CRL parse error: " + e.getMessage(), e); } CRLIdentifierType crlIdentifier = crlRef.addNewCRLIdentifier(); String issuerName = crl.getIssuerDN().getName().replace(",", ", "); crlIdentifier.setIssuer(issuerName); Calendar cal = Calendar.getInstance(); cal.setTime(crl.getThisUpdate()); crlIdentifier.setIssueTime(cal); crlIdentifier.setNumber(getCrlNumber(crl)); DigestAlgAndValueType digestAlgAndValue = crlRef.addNewDigestAlgAndValue(); XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, encodedCrl, signatureConfig.getDigestAlgo()); } } if (revocationData.hasOCSPs()) { OCSPRefsType ocspRefs = completeRevocationRefs.addNewOCSPRefs(); for (byte[] ocsp : revocationData.getOCSPs()) { try { OCSPRefType ocspRef = ocspRefs.addNewOCSPRef(); DigestAlgAndValueType digestAlgAndValue = ocspRef.addNewDigestAlgAndValue(); XAdESSignatureFacet.setDigestAlgAndValue(digestAlgAndValue, ocsp, signatureConfig.getDigestAlgo()); OCSPIdentifierType ocspIdentifier = ocspRef.addNewOCSPIdentifier(); OCSPResp ocspResp = new OCSPResp(ocsp); BasicOCSPResp basicOcspResp = (BasicOCSPResp) ocspResp.getResponseObject(); Calendar cal = Calendar.getInstance(); cal.setTime(basicOcspResp.getProducedAt()); ocspIdentifier.setProducedAt(cal); ResponderIDType responderId = ocspIdentifier.addNewResponderID(); RespID respId = basicOcspResp.getResponderId(); ResponderID ocspResponderId = respId.toASN1Object(); DERTaggedObject derTaggedObject = (DERTaggedObject) ocspResponderId.toASN1Primitive(); if (2 == derTaggedObject.getTagNo()) { ASN1OctetString keyHashOctetString = (ASN1OctetString) derTaggedObject.getObject(); byte key[] = keyHashOctetString.getOctets(); responderId.setByKey(key); } else { X500Name name = X500Name.getInstance(derTaggedObject.getObject()); String nameStr = name.toString(); responderId.setByName(nameStr); } } catch (Exception e) { throw new RuntimeException("OCSP decoding error: " + e.getMessage(), e); } } } // marshal XAdES-C // XAdES-X Type 1 timestamp List<Node> timeStampNodesXadesX1 = new ArrayList<Node>(); timeStampNodesXadesX1.add(nlSigVal.item(0)); timeStampNodesXadesX1.add(signatureTimeStamp.getDomNode()); timeStampNodesXadesX1.add(completeCertificateRefs.getDomNode()); timeStampNodesXadesX1.add(completeRevocationRefs.getDomNode()); RevocationData tsaRevocationDataXadesX1 = new RevocationData(); LOG.log(POILogger.DEBUG, "creating XAdES-X time-stamp"); XAdESTimeStampType timeStampXadesX1 = createXAdESTimeStamp(timeStampNodesXadesX1, tsaRevocationDataXadesX1); if (tsaRevocationDataXadesX1.hasRevocationDataEntries()) { ValidationDataType timeStampXadesX1ValidationData = createValidationData(tsaRevocationDataXadesX1); insertXChild(unsignedSigProps, timeStampXadesX1ValidationData); } // marshal XAdES-X unsignedSigProps.addNewSigAndRefsTimeStamp().set(timeStampXadesX1); // XAdES-X-L CertificateValuesType certificateValues = unsignedSigProps.addNewCertificateValues(); for (X509Certificate certificate : certChain) { EncapsulatedPKIDataType encapsulatedPKIDataType = certificateValues.addNewEncapsulatedX509Certificate(); try { encapsulatedPKIDataType.setByteArrayValue(certificate.getEncoded()); } catch (CertificateEncodingException e) { throw new RuntimeException("certificate encoding error: " + e.getMessage(), e); } } RevocationValuesType revocationValues = unsignedSigProps.addNewRevocationValues(); createRevocationValues(revocationValues, revocationData); // marshal XAdES-X-L Node n = document.importNode(qualProps.getDomNode(), true); qualNl.item(0).getParentNode().replaceChild(n, qualNl.item(0)); }