Java tutorial
/* * DSS - Digital Signature Services * * Copyright (C) 2013 European Commission, Directorate-General Internal Market and Services (DG MARKT), B-1049 Bruxelles/Brussel * * Developed by: 2013 ARHS Developments S.A. (rue Nicolas Bov 2B, L-1253 Luxembourg) http://www.arhs-developments.com * * This file is part of the "DSS - Digital Signature Services" project. * * "DSS - Digital Signature Services" is free software: you can redistribute it and/or modify it under the terms of * the GNU Lesser General Public License as published by the Free Software Foundation, either version 2.1 of the * License, or (at your option) any later version. * * DSS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License along with * "DSS - Digital Signature Services". If not, see <http://www.gnu.org/licenses/>. */ package eu.europa.ec.markt.dss.validation102853.cades; import java.security.cert.CRLException; import java.security.cert.X509CRL; import java.util.ArrayList; import java.util.Collection; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Set; import org.bouncycastle.asn1.cms.Attribute; import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.asn1.esf.RevocationValues; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.CertificateList; import org.bouncycastle.cert.X509CRLHolder; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.jce.provider.X509CRLObject; import org.bouncycastle.util.Store; import eu.europa.ec.markt.dss.DSSUtils; import eu.europa.ec.markt.dss.exception.DSSException; import eu.europa.ec.markt.dss.validation102853.crl.OfflineCRLSource; /** * CRLSource that retrieves information from a CAdES signature. * * @version $Revision$ - $Date$ */ public class CAdESCRLSource extends OfflineCRLSource { private final CMSSignedData cmsSignedData; private final SignerInformation signerInformation; /** * The default constructor for CAdESCRLSource. * * @param signerInformation */ public CAdESCRLSource(final CMSSignedData cmsSignedData, final SignerInformation signerInformation) { this.cmsSignedData = cmsSignedData; this.signerInformation = signerInformation; extract(); } private void extract() { x509CRLList = new ArrayList<X509CRL>(); // Adds CRLs contained in SignedData final Store crLs = cmsSignedData.getCRLs(); final Collection<X509CRLHolder> collection = (Collection<X509CRLHolder>) crLs.getMatches(null); for (final X509CRLHolder x509CRLHolder : collection) { final X509CRL x509CRL = DSSUtils.toX509CRL(x509CRLHolder); addCRLToken(x509CRL); } // Adds CRLs in -XL ... inside SignerInfo attribute if present if (signerInformation != null) { final AttributeTable attributes = signerInformation.getUnsignedAttributes(); if (attributes != null) { /* ETSI TS 101 733 V2.2.1 (2013-04) page 43 6.3.4 revocation-values Attribute Definition This attribute is used to contain the revocation information required for the following forms of extended electronic signature: CAdES-X Long, ES X-Long Type 1, and CAdES-X Long Type 2, see clause B.1.1 for an illustration of this form of electronic signature. The revocation-values attribute is an unsigned attribute. Only a single instance of this attribute shall occur with an electronic signature. It holds the values of CRLs and OCSP referenced in the complete-revocation-references attribute. RevocationValues ::= SEQUENCE { crlVals [0] SEQUENCE OF CertificateList OPTIONAL, ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL, otherRevVals [2] OtherRevVals OPTIONAL} */ final Attribute attribute = attributes.get(PKCSObjectIdentifiers.id_aa_ets_revocationValues); if (attribute != null) { final ASN1Set attrValues = attribute.getAttrValues(); final ASN1Encodable attValue = attrValues.getObjectAt(0); final RevocationValues revValues = RevocationValues.getInstance(attValue); for (final CertificateList revValue : revValues.getCrlVals()) { addCRLToken(revValue); } } } /* TODO (pades): Read revocation data from from unsigned attribute 1.2.840.113583.1.1.8 In the PKCS #7 object of a digital signature in a PDF file, identifies a signed attribute that "can include all the revocation information that is necessary to carry out revocation checks for the signer's certificate and its issuer certificates." Defined as adbe-revocationInfoArchival { adbe(1.2.840.113583) acrobat(1) security(1) 8 } in "PDF Reference, fifth edition: Adobe Portable Document Format, Version 1.6" Adobe Systems Incorporated, 2004. http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf page 698 RevocationInfoArchival ::= SEQUENCE { crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL } OtherRevInfo ::= SEQUENCE { Type OBJECT IDENTIFIER Value OCTET STRING } */ // TODO: (Bob: 2013 Dec 03) --> NICOLAS: Is there any other container within the CAdES signature with revocation data? (ie: timestamp) } } private void addCRLToken(final X509CRL x509CRL) { if (!x509CRLList.contains(x509CRL)) { x509CRLList.add(x509CRL); } } private void addCRLToken(final CertificateList certificateList) { final X509CRLObject x509CRLObject = getX509CRLObject(certificateList); if (!x509CRLList.contains(x509CRLObject)) { x509CRLList.add(x509CRLObject); } } private static X509CRLObject getX509CRLObject(final CertificateList certificateList) throws DSSException { try { return new X509CRLObject(certificateList); } catch (CRLException e) { throw new DSSException(e); } } }