Beispiel #1
0
  private int verify(String signatureb64) {
    int verified = 0;
    try {
      CMSSignedData signature = new CMSSignedData(Base64.decode(signatureb64));

      // batch verification
      Store certs = signature.getCertificates();
      SignerInformationStore signers = signature.getSignerInfos();
      Collection c = signers.getSigners();
      Iterator it = c.iterator();

      while (it.hasNext()) {
        SignerInformation signer = (SignerInformation) it.next();
        Collection certCollection = certs.getMatches(signer.getSID());

        Iterator certIt = certCollection.iterator();
        X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
        System.out.println(verified);

        if (signer.verify(
            new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(new BouncyCastleProvider())
                .build(certHolder))) {
          verified++;
        }
      }
      System.out.println(verified);
    } catch (CMSException | StoreException | CertificateException | OperatorCreationException ex) {
      System.err.println("error : " + ex.getMessage());
    }
    return verified;
  }
Beispiel #2
0
  private void verifyRSASignatures(CMSSignedData s, byte[] contentDigest) throws Exception {
    Store certStore = s.getCertificates();
    SignerInformationStore signers = s.getSignerInfos();

    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certStore.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder cert = (X509CertificateHolder) certIt.next();

      if (!signer.verify(
          new BcRSASignerInfoVerifierBuilder(
                  new DefaultCMSSignatureAlgorithmNameGenerator(),
                  new DefaultSignatureAlgorithmIdentifierFinder(),
                  new DefaultDigestAlgorithmIdentifierFinder(),
                  new BcDigestCalculatorProvider())
              .build(cert))) {
        fail("signature verification failed");
      }

      if (contentDigest != null) {
        if (!Arrays.areEqual(contentDigest, signer.getContentDigest())) {
          fail("digest verification failed");
        }
      }
    }
  }
 /**
  * Verify the email is signed by the given certificate.
  *
  * @param signedData
  * @param mailMsg
  * @return
  * @throws CMSException
  * @throws OperatorCreationException
  * @throws CertificateException
  */
 @SuppressWarnings({"rawtypes"})
 protected boolean isValid(CMSSignedData signedData, MailMessage mailMsg)
     throws OperatorCreationException, CMSException, CertificateException {
   boolean verify = false;
   SignerInformationStore signerStore = signedData.getSignerInfos();
   Iterator<SignerInformation> it = signerStore.getSigners().iterator();
   while (it.hasNext()) {
     SignerInformation signer = it.next();
     org.bouncycastle.util.Store store = signedData.getCertificates();
     @SuppressWarnings("unchecked")
     Collection certCollection = store.getMatches(signer.getSID());
     Iterator certIt = certCollection.iterator();
     X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
     X509Certificate certificate =
         new JcaX509CertificateConverter().setProvider(PROVIDER_NAME).getCertificate(certHolder);
     verify =
         signer.verify(
             new JcaSimpleSignerInfoVerifierBuilder()
                 .setProvider(PROVIDER_NAME)
                 .build(certificate));
     mailMsg.setHasSignature(true);
     mailMsg.setSignaturePassed(verify);
     mailMsg.setNameOfPrincipal(certificate.getSubjectDN().getName());
   }
   return verify;
 }
  public static boolean isValidSignature(CMSSignedData signedData, X509Certificate rootCert)
      throws Exception {

    boolean[] bArr = new boolean[2];
    bArr[0] = true;
    CertStore certsAndCRLs = signedData.getCertificatesAndCRLs("Collection", "BC");
    SignerInformationStore signers = signedData.getSignerInfos();
    Iterator it = signers.getSigners().iterator();

    if (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      SignerId signerConstraints = signer.getSID();
      signerConstraints.setKeyUsage(bArr);
      PKIXCertPathBuilderResult result = buildPath(rootCert, signer.getSID(), certsAndCRLs);
      return signer.verify(result.getPublicKey(), "BC");
    }

    return false;
  }
 public Certificate getSignerCertificate() {
   try {
     Collection certificateCollection =
         cmsSignedData.getCertificates().getMatches(firstSignerInfo.getSID());
     Iterator iterator = certificateCollection.iterator();
     X509CertificateHolder certHolder = (X509CertificateHolder) iterator.next();
     return CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
         .generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
   } catch (Exception e) {
     log.error(Channel.TECH, "Could not extract signer certificate from CMS signature : %1$s", e);
   }
   return null;
 }
  private void verifySigners(Store certs, SignerInformationStore signers) throws Exception {
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certs.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();

      assertEquals(
          true,
          signer.verify(
              new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder)));
    }
  }
Beispiel #7
0
  /** verify the signature (assuming the cert is contained in the message) */
  private static void verify(SMIMESigned s) throws Exception {
    //
    // extract the information to verify the signatures.
    //

    //
    // certificates and crls passed in the signature
    //
    Store certs = s.getCertificates();

    //
    // SignerInfo blocks which contain the signatures
    //
    SignerInformationStore signers = s.getSignerInfos();

    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    //
    // check each signer
    //
    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certs.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509Certificate cert =
          new JcaX509CertificateConverter()
              .setProvider(BC)
              .getCertificate((X509CertificateHolder) certIt.next());

      //
      // verify that the sig is correct and that it was generated
      // when the certificate was current
      //
      if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(cert))) {
        System.out.println("signature verified");
      } else {
        System.out.println("signature failed!");
      }
    }
  }
Beispiel #8
0
  public boolean verifyEstrai(String pathBase, File pathFilesSignedd) {

    boolean esito = false;

    byte[] buffer = new byte[(int) pathFilesSignedd.length()];
    DataInputStream in;
    try {
      in = new DataInputStream(new FileInputStream(pathFilesSignedd));

      in.readFully(buffer);
      in.close();

      Security.addProvider(new BouncyCastleProvider());
      CMSSignedData signature = new CMSSignedData(buffer);
      SignerInformation signer =
          (SignerInformation) signature.getSignerInfos().getSigners().iterator().next();
      CertStore cs = signature.getCertificatesAndCRLs("Collection", "BC");

      Iterator iter = cs.getCertificates(signer.getSID()).iterator();
      X509Certificate certificate = (X509Certificate) iter.next();
      CMSProcessable sc = signature.getSignedContent();
      byte[] data = (byte[]) sc.getContent();

      // Verifie la signature
      // System.out.println(signer.verify(certificate, "BC"));
      esito = signer.verify(certificate.getPublicKey(), "BC");
      System.out.println("Verifica FILE: " + esito);

      String fatturapaName =
          pathFilesSignedd.getName().substring(0, pathFilesSignedd.getName().length() - 4).trim();
      System.out.println(" test:" + fatturapaName);
      FileOutputStream envfos = new FileOutputStream(new File(pathBase, fatturapaName));
      envfos.write(data);
      envfos.close();
    } catch (Exception e) {
      // TODO Auto-generated catch block
      e.printStackTrace();
    }

    return esito;
  }
  public void testDoubleNlCanonical() throws Exception {
    MimeMessage message = loadMessage("3nnn_smime.eml");

    SMIMESigned s = new SMIMESigned((MimeMultipart) message.getContent());

    Collection c = s.getSignerInfos().getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = s.getCertificates().getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();

      // in this case the sig is invalid, but it's the lack of an exception from the content digest
      // we're looking for
      Assert.assertFalse(
          signer.verify(
              new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder)));
    }
  }
  // controlla che il certificato del firmatario sia affidabile controllando la sua catena di
  // certificati
  // valida il certificato X509 del firmatario usando il built-in PKIX support messo a disposizione
  // da java
  // caricando il keystore contenente i certificati degli enti certificatori autorizzati dallo stato
  // italiano
  private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer)
      throws FirmapiuException {
    // genera la lista di certificati da controllare  per generare la catena dei certificati del
    // firmatario
    // TODO quali certificati carica esattamente?
    Collection<?> certCollection = certStore.getMatches(signer.getSID());
    Iterator<?> certIt = certCollection.iterator();
    X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
    List<X509Certificate> chain = new LinkedList<X509Certificate>();
    JcaX509CertificateConverter certConverter =
        new JcaX509CertificateConverter().setProvider(this.bcProvName);
    try {
      X509Certificate x509cert = certConverter.getCertificate(cert);
      chain.add(x509cert);
      while (certIt.hasNext()) {
        x509cert = certConverter.getCertificate((X509CertificateHolder) certIt.next());
        chain.add(x509cert);
      }
    } catch (CertificateException e) {
      new FirmapiuException(CERT_DEFAULT_ERROR, e);
    }

    // carica i certificati presenti nel token crittografico passato come parametro
    KeyStore anchors = this.token.loadKeyStore(null);
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(chain.get(0));
    PKIXBuilderParameters params;
    CertPathBuilder builder;
    try {
      params = new PKIXBuilderParameters(anchors, target);
      // disabilita il controllo delle CRL
      params.setRevocationEnabled(false);
      // se il certificato è scaduto cerca di generare lo stesso la catena dei certificati
      try {
        X509Certificate x509cert = certConverter.getCertificate(cert);
        // long before=x509cert.getNotBefore().getTime();
        long after = x509cert.getNotAfter().getTime();
        after -= 10;
        params.setDate(new Date(after));
      } catch (CertificateException e) {
        throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
      }
      CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
      params.addCertStore(CertStore.getInstance("Collection", intermediates));
      params.setSigProvider(this.bcProvName);
      builder = CertPathBuilder.getInstance("PKIX", this.bcProvName);
    } catch (KeyStoreException | InvalidAlgorithmParameterException e) {
      throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
      throw new FirmapiuException(DEFAULT_ERROR, e);
    }
    /*
     * If build() returns successfully, the certificate is valid. More details
     * about the valid path can be obtained through the PKIXBuilderResult.
     * If no valid path can be found, a CertPathBuilderException is thrown.
     */
    try {
      return (PKIXCertPathBuilderResult) builder.build(params);
    } catch (CertPathBuilderException e) {
      throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new FirmapiuException(DEFAULT_ERROR, e);
    }
  } // fine metodo
  /**
   * Verifica la correttezza della firma elettronica <b>di uno dei firmatari</b> della busta
   * crittografica controllando i campi di verifica richiesti come parametro
   *
   * @param signer il firmatario di cui bisogna verificare la firma
   * @param fields Una Set contenente i nomi dei campi che si vogliono verificare in fase di
   *     operazione di verifica sul singolo firmatario
   * @return Una Map contenete il record dell'operazione di verifica sul firmatario con i campi
   *     richiesti dal parametro fields
   * @see it.libersoft.firmapiu.consts.FirmapiuRecordConstants
   */
  Map<String, Object> verifySigner(SignerInformation signer, Set<String> fields) {
    // genera la map contenente le informazioni di verifica per il singolo firmatario
    Map<String, Object> record = new TreeMap<String, Object>();
    // FIXME informazione replicata nei metodi di Cades-Bes Verifier che già offrono la possbilità
    // di ottenere la SignerInformation
    // inserisce la signerinfo
    if (fields.contains(SIGNERINFO)) record.put(SIGNERINFO, signer);

    Collection<?> certCollection = certStore.getMatches(signer.getSID());
    Iterator<?> certIt = certCollection.iterator();
    X509CertificateHolder cert = (X509CertificateHolder) certIt.next();

    // inserisce il certificato del firmatario
    if (fields.contains(SIGNERCERT)) {
      try {
        X509Certificate x509cert = new JcaX509CertificateConverter().getCertificate(cert);
        record.put(SIGNERCERT, x509cert);
      } catch (CertificateException e) {
        record.put(SIGNERCERT, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      }
    }

    // inserisce la verifica della firma del firmatatio
    if (fields.contains(OKSIGNED)) {
      try {
        Boolean result =
            signer.verify(
                new JcaSimpleSignerInfoVerifierBuilder().setProvider(this.bcProvName).build(cert));
        record.put(OKSIGNED, result);
      } catch (OperatorCreationException e) {
        record.put(OKSIGNED, new FirmapiuException(VERIFY_SIGNER_DEFAULT_ERROR, e));
      } catch (CertificateException e) {
        record.put(OKSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      } catch (CMSException e) {
        record.put(OKSIGNED, new FirmapiuException(VERIFY_SIGNER_DEFAULT_ERROR, e));
      } // fine try-catch
    }

    // inserisce la verifica del controllo legale della firma di un firmatario
    if (fields.contains(LEGALLYSIGNED)) {
      try {
        record.put(LEGALLYSIGNED, new Boolean(isLegallySigned(signer, cert)));
      } catch (NoSuchAlgorithmException e) {
        record.put(LEGALLYSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      } catch (FirmapiuException e) {
        record.put(LEGALLYSIGNED, e);
      } catch (IOException e) {
        record.put(LEGALLYSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      }
    }

    // inserisce la verifica del controllo dell'affidabilità del certificato del firmatario
    PKIXCertPathBuilderResult signerCerthPathResult = null;
    if (fields.contains(TRUSTEDSIGNER)) {
      try {
        signerCerthPathResult = isTrustedSigner(signer);
        // se è arrivato a questo ramo di codice vuol dire che il certificato è affidbile
        record.put(TRUSTEDSIGNER, new Boolean(true));
      } catch (FirmapiuException e) {
        record.put(TRUSTEDSIGNER, e);
      }
    }

    // inserisce la "trust anchor" del certificato del firmatario, ossia il certificato della CA che
    // lo ha emesso
    if (fields.contains(TRUSTANCHOR)) {
      try {
        if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
        X509Certificate trustanchor = signerCerthPathResult.getTrustAnchor().getTrustedCert();
        record.put(TRUSTANCHOR, trustanchor);
      } catch (FirmapiuException e) {
        record.put(TRUSTANCHOR, e);
      }
    }

    // inserisce la catena di certificazione
    if (fields.contains(CERTCHAIN)) {
      try {
        if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
        List<? extends Certificate> certchain =
            signerCerthPathResult.getCertPath().getCertificates();
        record.put(CERTCHAIN, certchain);
      } catch (FirmapiuException e) {
        record.put(CERTCHAIN, e);
      }
    }

    // verifica che il certificato relativo il firmatario non sia stato revocato
    // e che era valido al momento in cui i dati sono stati firmati
    Object certStatus = null;
    Date rvkdCertTime = null;
    if (fields.contains(SIGNERCERTSTATUS) || fields.contains(SIGNERCERTREVOKED)) {
      // controllo lo status del certificato utente con OSCP. Se il controllo fallisce o lo status
      // del certificato è "UNKNOWN"
      // esegue il controllo con le CRL
      X509Certificate userCertificate = null;
      try {
        userCertificate = new JcaX509CertificateConverter().getCertificate(cert);
      } catch (CertificateException e1) {
        if (fields.contains(SIGNERCERTSTATUS)) record.put(SIGNERCERTSTATUS, e1);
        if (fields.contains(SIGNERCERTREVOKED)) record.put(SIGNERCERTREVOKED, e1);
      }
      // se non è in grado di determinare lo user certificate di cui controllare lo status non deve
      // proseguire oltre
      if (userCertificate != null) {
        try {
          if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
          // TODO nota: non è detto che il trustanchor sia anche l'issuercertificate. Bisogna fare
          // un controllo mogliore
          X509Certificate issuerCertificate =
              signerCerthPathResult.getTrustAnchor().getTrustedCert();
          certStatus = getCertificateStatus(userCertificate, issuerCertificate);
          // se certstatus è null il certificato è considerato valido
          if (certStatus == null) {
            if (fields.contains(SIGNERCERTSTATUS)) record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
            if (fields.contains(SIGNERCERTREVOKED))
              record.put(SIGNERCERTREVOKED, new Boolean(false));
          } else {
            // se certStatus è una risposta ocsp
            if (certStatus instanceof CertificateStatus) {
              CertificateStatus c1 = (CertificateStatus) certStatus;
              if (c1 == CertificateStatus.GOOD) {
                if (fields.contains(SIGNERCERTSTATUS))
                  record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
                if (fields.contains(SIGNERCERTREVOKED))
                  record.put(SIGNERCERTREVOKED, new Boolean(false));
              } else
              // certificato revocato
              if (c1 instanceof RevokedStatus) {
                rvkdCertTime = ((RevokedStatus) c1).getRevocationTime();
                if (fields.contains(SIGNERCERTSTATUS))
                  record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
                if (fields.contains(SIGNERCERTREVOKED)) {
                  // controlla se il certificato era già revocato al signing time
                  try {
                    if (isRevokedAtSigningTime(signer, rvkdCertTime))
                      record.put(SIGNERCERTREVOKED, new Boolean(true));
                    else record.put(SIGNERCERTREVOKED, new Boolean(false));
                  } catch (FirmapiuException e) {
                    record.put(SIGNERCERTREVOKED, e);
                  }
                } // fine if (fields.contains(SIGNERCERTREVOKED)
              } // fine if (c1 instanceof RevokedStatus)
            }
            // se il certStatus è una risposta CRL vuol dire che il certificato è revocato,
            // altrimenti avrebbe restituito null
            else if (certStatus instanceof X509CRLEntry) {
              rvkdCertTime = ((X509CRLEntry) certStatus).getRevocationDate();
              if (fields.contains(SIGNERCERTSTATUS))
                record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
              if (fields.contains(SIGNERCERTREVOKED)) {
                // controlla se il certificato era già revocato al signing time
                try {
                  if (isRevokedAtSigningTime(signer, rvkdCertTime))
                    record.put(SIGNERCERTREVOKED, new Boolean(true));
                  else record.put(SIGNERCERTREVOKED, new Boolean(false));
                } catch (FirmapiuException e) {
                  record.put(SIGNERCERTREVOKED, e);
                }
              } // fine if (fields.contains(SIGNERCERTREVOKED))
            } // fine else if (certStatus instanceof X509CRLEntry)
          } // fine else
        } catch (FirmapiuException e) {
          record.put(SIGNERCERTSTATUS, e);
        }
      } // fine if (userCertificate!=null)
    } // fine if(fields.contains(SIGNERCERTSTATUS) | fields.contains(SIGNERCERTREVOKED))

    // ritorna il record generato al chiamante
    return record;

    // OCSPVerify ocspVerifier=null;
    //		if(fields.contains(SIGNERCERTSTATUS)){
    //			//controllo lo status del certificato utente con OSCP. Se il controllo fallisce o lo status
    // del certificato è "UNKNOWN"
    //			//esegue il controllo con le CRL
    //			X509Certificate userCertificate=null;
    //			try {
    //				userCertificate = new JcaX509CertificateConverter().getCertificate(cert);
    //			} catch (CertificateException e1) {
    //				record.put(SIGNERCERTSTATUS, e1);
    //			}
    //			//se non è in grado di determinare lo user certificate di cui controllare lo status non
    // deve proseguire oltre
    //			if (userCertificate!=null) {
    //				try {
    //					if (signerCerthPathResult == null)
    //						signerCerthPathResult = isTrustedSigner(signer);
    //					//TODO nota: non è detto che il trustanchor sia anche l'issuercertificate. Bisogna fare
    // un controllo mogliore
    //					X509Certificate issuerCertificate = signerCerthPathResult
    //							.getTrustAnchor().getTrustedCert();
    //					ocspVerifier = new OCSPVerify(issuerCertificate,
    //							userCertificate, this.bcProvName);
    //					CertificateStatus certStatus = ocspVerifier
    //							.getStatusCertificate();
    //					// certificato valido
    //					if (certStatus == CertificateStatus.GOOD) {
    //						record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //					} else
    //					// certificato revocato
    //					if (certStatus instanceof RevokedStatus) {
    //						record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //					} else
    //					// stato del certificato sconosciuto
    //					if (certStatus instanceof UnknownStatus) {
    //						//			System.out.println("certificato sconosciuto!");
    //						//			System.err.println("OCSPVerify.getStatusResponse() "
    //						//					+ "UnknowStatus");
    //						//return CertStatus.UNKNOWN;
    //						//se lo stato del certificato è sconosciuto controlla anche le crl
    //						CRLVerify crlVerifier = new CRLVerify(userCertificate);
    //						try {
    //							//TODO bisognerebbe controllare la firma delle risposte ricevute
    //							if (crlVerifier.verifyCertificateCRLs())
    //								record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //							else
    //								record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //						} catch (FirmapiuException e) {
    //							record.put(SIGNERCERTSTATUS, e);
    //						}
    //					}//fine if (certStatus instanceof UnknownStatus)
    //				} catch (FirmapiuException e) {
    //					//se il controllo tramite ocsp è fallito a causa di un errore, controlla anche le CRL
    //					CRLVerify crlVerifier = new CRLVerify(userCertificate);
    //					try {
    //						//TODO bisognerebbe controllare la firma delle risposte ricevute
    //						if (crlVerifier.verifyCertificateCRLs())
    //							record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //						else
    //							record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //					} catch (FirmapiuException e1) {
    //						//TODO quale eccezione restituire? quella di OCSP o Quella di CRL?
    //						record.put(SIGNERCERTSTATUS, e1);
    //					}
    //				}//fine try-catch
    //			}//fine if (userCertificate!=null)
    //		}//fine if(fields.contains(SIGNERCERTSTATUS))
  }
Beispiel #12
0
  public boolean doJob() {
    String strMethod = "doJob()";

    try {
      // _validateCmsSignature();
      CMSSignedData cms = _getSignPkcs7();

      SignerInformationStore sis = cms.getSignerInfos();
      Collection colSignerInfo = sis.getSigners();
      Iterator itrSignerInfo = colSignerInfo.iterator();
      SignerInformation sin = (SignerInformation) itrSignerInfo.next();

      // r�cup�ration du certificat du signataire
      CertStore cse = cms.getCertificatesAndCRLs("Collection", CmsVerif._STR_KST_PROVIDER_BC);
      Iterator itrCert = cse.getCertificates(sin.getSID()).iterator();
      X509Certificate crt = (X509Certificate) itrCert.next();

      // Verifie la signature
      boolean blnCoreValidity = sin.verify(crt, CmsVerif._STR_KST_PROVIDER_BC);

      if (blnCoreValidity) {
        MySystem.s_printOutTrace(this, strMethod, "blnCoreValidity=true");

        String strBody = "CMS Detached signature is OK!";

        strBody += "\n\n" + ". CMS signature file location:";
        strBody += "\n  " + super._strPathAbsFileSig_;

        strBody += "\n\n" + ". Data file location:";
        strBody += "\n  " + super._strPathAbsFileData_;

        OPAbstract.s_showDialogInfo(super._frmOwner_, strBody);

        // SignerInfo sio = sin.toSignerInfo();

        SignerId sid = sin.getSID();

        if (sid != null) {
          System.out.println("sid.getSerialNumber()=" + sid.getSerialNumber());
          System.out.println("sid.getIssuerAsString()=" + sid.getIssuerAsString());
          System.out.println("sid.getSubjectAsString()=" + sid.getSubjectAsString());
        }

        /*System.out.println("sin.getDigestAlgOID()=" + sin.getDigestAlgOID());
        System.out.println("sin.getEncryptionAlgOID()=" + sin.getEncryptionAlgOID());
        System.out.println("sin.toString()=" + sin.toString());
        System.out.println("sin.getVersion()=" + sin.getVersion());*/
      } else {
        MySystem.s_printOutWarning(this, strMethod, "blnCoreValidity=true");

        String strBody = "CMS Detached signature is WRONG!";

        strBody += "\n\n" + ". CMS signature file location:";
        strBody += "\n  " + super._strPathAbsFileSig_;

        strBody += "\n\n" + ". Data file location:";
        strBody += "\n  " + super._strPathAbsFileData_;

        OPAbstract.s_showDialogWarning(super._frmOwner_, strBody);
      }

    } catch (Exception exc) {
      exc.printStackTrace();
      MySystem.s_printOutError(this, strMethod, "exc caught");

      String strBody = "Failed to verify CMS detached signature.";

      strBody += "\n\n" + "Possible reason: wrong data file";

      strBody += "\n\n" + "got exception.";
      strBody += "\n" + exc.getMessage();
      strBody += "\n\n" + "More: see your session.log";

      OPAbstract.s_showDialogError(super._frmOwner_, strBody);

      return false;
    }

    // TODO
    return true;
  }
  @Test
  public void testCMSSignature() throws Exception {
    // setup
    byte[] toBeSigned = "hello world".getBytes();
    String signatureDescription = "Test CMS Signature";
    CMSTestSignatureService signatureService =
        new CMSTestSignatureService(toBeSigned, signatureDescription);

    KeyPair keyPair = PkiTestUtils.generateKeyPair();
    DateTime notBefore = new DateTime();
    DateTime notAfter = notBefore.plusYears(1);
    X509Certificate certificate =
        PkiTestUtils.generateCertificate(
            keyPair.getPublic(),
            "CN=Test",
            notBefore,
            notAfter,
            null,
            keyPair.getPrivate(),
            true,
            0,
            null,
            null,
            new KeyUsage(KeyUsage.nonRepudiation));
    List<X509Certificate> signingCertificateChain = new LinkedList<X509Certificate>();
    signingCertificateChain.add(certificate);

    // operate
    DigestInfo digestInfo =
        signatureService.preSign(null, signingCertificateChain, null, null, null);

    // verify
    assertNotNull(digestInfo);
    byte[] digestValue = digestInfo.digestValue;
    LOG.debug("digest value: " + Hex.encodeHexString(digestValue));
    assertNotNull(digestValue);
    assertEquals(signatureDescription, digestInfo.description);
    assertEquals("SHA1", digestInfo.digestAlgo);

    Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPrivate());
    byte[] digestInfoValue = ArrayUtils.addAll(PkiTestUtils.SHA1_DIGEST_INFO_PREFIX, digestValue);
    byte[] signatureValue = cipher.doFinal(digestInfoValue);
    LOG.debug("signature value: " + Hex.encodeHexString(signatureValue));

    // operate
    signatureService.postSign(signatureValue, signingCertificateChain);

    // verify
    byte[] cmsSignature = signatureService.getCMSSignature();
    CMSSignedData signedData = new CMSSignedData(cmsSignature);
    SignerInformationStore signers = signedData.getSignerInfos();
    Iterator<SignerInformation> iter = signers.getSigners().iterator();
    while (iter.hasNext()) {
      SignerInformation signer = iter.next();
      SignerId signerId = signer.getSID();
      assertTrue(signerId.match(certificate));
      assertTrue(signer.verify(keyPair.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    byte[] data = (byte[]) signedData.getSignedContent().getContent();
    assertArrayEquals(toBeSigned, data);
  }
Beispiel #14
0
  private byte[] getFingerprint() {

    byte[] fingerprint = null;
    byte[] serial = null;

    CertStore certs = null;
    CMSSignedData CNIPA_CMS = null;
    try {

      CNIPA_CMS = getCNIPA_CMS();

    } catch (FileNotFoundException ex) {
      System.out.println("Errore nella lettura del file delle RootCA: " + ex);
    } catch (CMSException e) {
      System.out.println("Errore nel CMS delle RootCA: " + e);
    }

    Provider p = new org.bouncycastle.jce.provider.BouncyCastleProvider();
    if (Security.getProvider(p.getName()) == null) Security.addProvider(p);

    try {
      certs = CNIPA_CMS.getCertificatesAndCRLs("Collection", "BC");
    } catch (CMSException ex2) {
      System.out.println("Errore nel CMS delle RootCA");
    } catch (NoSuchProviderException ex2) {
      System.out.println("Non esiste il provider del servizio");
    } catch (NoSuchAlgorithmException ex2) {
      System.out.println("Errore nell'algoritmo");
    }

    if (certs == null) System.out.println("No certs for CNIPA signature!");
    else {
      SignerInformationStore signers = CNIPA_CMS.getSignerInfos();
      Collection c = signers.getSigners();
      if (c.size() != 1) {
        System.out.println("There is not exactly one signer!");
      } else {

        Iterator it = c.iterator();

        if (it.hasNext()) {
          SignerInformation signer = (SignerInformation) it.next();
          Collection certCollection = null;
          try {
            certCollection = certs.getCertificates(signer.getSID());

            if (certCollection.size() == 1) {
              X509Certificate cnipaSignerCert = (X509Certificate) certCollection.toArray()[0];
              fingerprint = getCertFingerprint(cnipaSignerCert);
              serial = cnipaSignerCert.getSerialNumber().toByteArray();
            } else System.out.println("There is not exactly one certificate for this signer!");

          } catch (CertStoreException ex1) {
            System.out.println("Errore nel CertStore");
          }
        }
      }
    }

    if (JOptionPane.YES_OPTION
        == JOptionPane.showConfirmDialog(
            null,
            conf.getAcceptCAmsg()
                + "Seriale: "
                + ((serial == null)
                    ? "impossibile calcolare il numero seriale"
                    : formatAsGUString(serial, 1))
                + "\n"
                + "Impronta SHA1: "
                + ((fingerprint == null)
                    ? "impossibile calcolare l'impronta"
                    : formatAsGUString(fingerprint, 2))
                + "\n",
            "Impronta Certificato Presidente CNIPA",
            JOptionPane.YES_NO_OPTION)) return fingerprint;

    return null;
  }
Beispiel #15
0
  public CertificationAuthorities getRoots(AbstractTask task)
      throws GeneralSecurityException, IOException {

    CertificationAuthorities roots = null;
    boolean rootsOk = false;
    String error = null;

    try {

      CertificationAuthorities CNIPARoot = new CertificationAuthorities();
      try {
        CNIPARoot.addCertificateAuthority(CNIPARoot.getBytesFromPath(this.CNIPACACertFilePath));
      } catch (GeneralSecurityException e) {
        log(task, "Errore nell'inizializzazione della CA CNIPA: " + e);
      }

      X509Certificate cert = null;
      CertStore certs = null;

      CMSSignedData CNIPA_CMS = null;
      try {

        CNIPA_CMS = getCNIPA_CMS();

      } catch (FileNotFoundException ex) {
        log(task, "Errore nell'acquisizione del file: " + ex);
      }

      Provider p = new org.bouncycastle.jce.provider.BouncyCastleProvider();
      if (Security.getProvider(p.getName()) == null) Security.addProvider(p);

      try {
        certs = CNIPA_CMS.getCertificatesAndCRLs("Collection", "BC");
      } catch (CMSException ex2) {
        log(task, "Errore nel CMS delle RootCA");
      } catch (NoSuchProviderException ex2) {
        log(task, "Non esiste il provider del servizio");
      } catch (NoSuchAlgorithmException ex2) {
        log(task, "Errore nell'algoritmo");
      }

      if (certs != null) {
        SignerInformationStore signers = CNIPA_CMS.getSignerInfos();
        Collection c = signers.getSigners();

        System.out.println(c.size() + " signers found.");

        Iterator it = c.iterator();

        // ciclo tra tutti i firmatari
        int i = 0;
        while (it.hasNext()) {
          SignerInformation signer = (SignerInformation) it.next();
          Collection certCollection = null;
          try {
            certCollection = certs.getCertificates(signer.getSID());
          } catch (CertStoreException ex1) {
            log(task, "Errore nel CertStore");
          }

          if (certCollection.size() == 1) {

            // task.setStatus(++current,
            // "Verifica delle CA firmate dal CNIPA...");

            byte[] signerFingerprint =
                getCertFingerprint((X509Certificate) certCollection.toArray()[0]);

            System.out.println("Signer fingerprint: " + formatAsGUString(signerFingerprint, 2));

            if (Arrays.equals(signerFingerprint, this.userApprovedFingerprint)) {

              VerifyResult vr =
                  new VerifyResult(
                      (X509Certificate) certCollection.toArray()[0],
                      CNIPA_CMS,
                      CNIPARoot,
                      signer,
                      false);
              rootsOk = vr.getPassed();
              error = vr.getCRLerror();
            } else log(task, "Signer certs has wrong fingerprint!");
          } else log(task, "There is not exactly one certificate for this signer!");

          i++;
        }
      }
    } catch (IOException e) {
      e.printStackTrace();
    } catch (CMSException e) {
      e.printStackTrace();
    }

    if (rootsOk) {

      roots = new CertificationAuthorities(getCmsInputStream(this.CAFilePath), true);

    } else {

      log(task, "Verifica del file CNIPA delle root CA fallita!");
    }

    return roots;
  }
Beispiel #16
0
  /*
   * test compressing and uncompressing of a multipart-signed message.
   */
  public void testCompressedSHA1WithRSA() throws Exception {
    List certList = new ArrayList();

    certList.add(origCert);
    certList.add(signCert);

    Store certs = new JcaCertStore(certList);

    ASN1EncodableVector signedAttrs = new ASN1EncodableVector();
    SMIMECapabilityVector caps = new SMIMECapabilityVector();

    caps.addCapability(SMIMECapability.dES_EDE3_CBC);
    caps.addCapability(SMIMECapability.rC2_CBC, 128);
    caps.addCapability(SMIMECapability.dES_CBC);

    signedAttrs.add(new SMIMECapabilitiesAttribute(caps));

    SMIMESignedGenerator gen = new SMIMESignedGenerator();

    gen.addSignerInfoGenerator(
        new JcaSimpleSignerInfoGeneratorBuilder()
            .setProvider("BC")
            .setSignedAttributeGenerator(new AttributeTable(signedAttrs))
            .build("SHA1withRSA", origKP.getPrivate(), origCert));

    gen.addCertificates(certs);

    MimeMultipart smp = gen.generate(msg);

    MimeMessage bp2 = new MimeMessage((Session) null);

    bp2.setContent(smp);

    bp2.saveChanges();

    SMIMECompressedGenerator cgen = new SMIMECompressedGenerator();

    MimeBodyPart cbp = cgen.generate(bp2, new ZlibCompressor());

    SMIMECompressed cm = new SMIMECompressed(cbp);

    MimeMultipart mm =
        (MimeMultipart)
            SMIMEUtil.toMimeBodyPart(cm.getContent(new ZlibExpanderProvider())).getContent();

    SMIMESigned s = new SMIMESigned(mm);

    ByteArrayOutputStream _baos = new ByteArrayOutputStream();
    msg.writeTo(_baos);
    _baos.close();
    byte[] _msgBytes = _baos.toByteArray();
    _baos = new ByteArrayOutputStream();
    s.getContent().writeTo(_baos);
    _baos.close();
    byte[] _resBytes = _baos.toByteArray();

    assertEquals(true, Arrays.areEqual(_msgBytes, _resBytes));

    certs = s.getCertificates();

    SignerInformationStore signers = s.getSignerInfos();
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certs.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder cert = (X509CertificateHolder) certIt.next();

      assertEquals(
          true,
          signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)));
    }
  }