コード例 #1
0
  /**
   * Validates that a signed entity has a valid message and signature. The signer's certificate is
   * validated to ensure authenticity of the message. Message tampering is also checked with the
   * message's digest and the signed digest in the message signature.
   *
   * @param signedEntity The entity containing the original signed part and the message signature.
   * @param signerCertificate The certificate used to sign the message.
   * @param anchors A collection of certificate anchors used to determine if the certificates used
   *     in the signature can be validated as trusted certificates.
   */
  public void checkSignature(
      SignedEntity signedEntity,
      X509Certificate signerCertificate,
      Collection<X509Certificate> anchors)
      throws SignatureValidationException {
    CMSSignedData signatureEnvelope = deserializeSignatureEnvelope(signedEntity);

    try {
      // there may be multiple signatures in the signed part... iterate through all the signing
      // certificates until one
      // is verified with the signerCertificate
      for (SignerInformation sigInfo :
          (Collection<SignerInformation>) signatureEnvelope.getSignerInfos().getSigners())
        if (sigInfo.verify(signerCertificate, CryptoExtensions.getJCEProviderName()))
          return; // verified... return

      // at this point the signerCertificate cannot be verified with one of the signing
      // certificates....
      throw new SignatureValidationException("Signature validation failure.");
    } catch (SignatureValidationException sve) {
      throw sve;
    } catch (Exception e) {
      throw new SignatureValidationException("Signature validation failure.", e);
    }
  }
コード例 #2
0
ファイル: Pomocnicza.java プロジェクト: pawelfree/b2btester
  private int verify(String signatureb64) {
    int verified = 0;
    try {
      CMSSignedData signature = new CMSSignedData(Base64.decode(signatureb64));

      // batch verification
      Store certs = signature.getCertificates();
      SignerInformationStore signers = signature.getSignerInfos();
      Collection c = signers.getSigners();
      Iterator it = c.iterator();

      while (it.hasNext()) {
        SignerInformation signer = (SignerInformation) it.next();
        Collection certCollection = certs.getMatches(signer.getSID());

        Iterator certIt = certCollection.iterator();
        X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
        System.out.println(verified);

        if (signer.verify(
            new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(new BouncyCastleProvider())
                .build(certHolder))) {
          verified++;
        }
      }
      System.out.println(verified);
    } catch (CMSException | StoreException | CertificateException | OperatorCreationException ex) {
      System.err.println("error : " + ex.getMessage());
    }
    return verified;
  }
コード例 #3
0
ファイル: TokenTest.java プロジェクト: rareddy/Resteasy
  @Test
  public void testCMD() throws Exception {
    Authentication auth =
        new SkeletonKeyClientBuilder()
            .username("wburke")
            .password("geheim")
            .authentication("Skeleton Key");
    ResteasyClient client = new ResteasyClient();
    WebTarget target = client.target(generateBaseUrl());
    String tiny = target.path("tokens").path("url").request().post(Entity.json(auth), String.class);
    System.out.println(tiny);
    System.out.println("tiny.size: " + tiny.length());
    Security.addProvider(new BouncyCastleProvider());

    KeyPair keyPair = KeyPairGenerator.getInstance("RSA", "BC").generateKeyPair();
    PrivateKey privateKey = keyPair.getPrivate();
    X509Certificate cert = KeyTools.generateTestCertificate(keyPair);

    byte[] signed = p7s(privateKey, cert, null, tiny.getBytes());

    CMSSignedData data = new CMSSignedData(signed);
    byte[] bytes = (byte[]) data.getSignedContent().getContent();
    System.out.println("BYTES: " + new String(bytes));
    System.out.println("size:" + signed.length);
    System.out.println("Base64.size: " + Base64.encodeBytes(signed).length());

    SignerInformation signer =
        (SignerInformation) data.getSignerInfos().getSigners().iterator().next();
    System.out.println("valid: " + signer.verify(cert, "BC"));
  }
コード例 #4
0
  private void verifyRSASignatures(CMSSignedData s, byte[] contentDigest) throws Exception {
    Store certStore = s.getCertificates();
    SignerInformationStore signers = s.getSignerInfos();

    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certStore.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder cert = (X509CertificateHolder) certIt.next();

      if (!signer.verify(
          new BcRSASignerInfoVerifierBuilder(
                  new DefaultCMSSignatureAlgorithmNameGenerator(),
                  new DefaultSignatureAlgorithmIdentifierFinder(),
                  new DefaultDigestAlgorithmIdentifierFinder(),
                  new BcDigestCalculatorProvider())
              .build(cert))) {
        fail("signature verification failed");
      }

      if (contentDigest != null) {
        if (!Arrays.areEqual(contentDigest, signer.getContentDigest())) {
          fail("digest verification failed");
        }
      }
    }
  }
コード例 #5
0
 /**
  * Verify the email is signed by the given certificate.
  *
  * @param signedData
  * @param mailMsg
  * @return
  * @throws CMSException
  * @throws OperatorCreationException
  * @throws CertificateException
  */
 @SuppressWarnings({"rawtypes"})
 protected boolean isValid(CMSSignedData signedData, MailMessage mailMsg)
     throws OperatorCreationException, CMSException, CertificateException {
   boolean verify = false;
   SignerInformationStore signerStore = signedData.getSignerInfos();
   Iterator<SignerInformation> it = signerStore.getSigners().iterator();
   while (it.hasNext()) {
     SignerInformation signer = it.next();
     org.bouncycastle.util.Store store = signedData.getCertificates();
     @SuppressWarnings("unchecked")
     Collection certCollection = store.getMatches(signer.getSID());
     Iterator certIt = certCollection.iterator();
     X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();
     X509Certificate certificate =
         new JcaX509CertificateConverter().setProvider(PROVIDER_NAME).getCertificate(certHolder);
     verify =
         signer.verify(
             new JcaSimpleSignerInfoVerifierBuilder()
                 .setProvider(PROVIDER_NAME)
                 .build(certificate));
     mailMsg.setHasSignature(true);
     mailMsg.setSignaturePassed(verify);
     mailMsg.setNameOfPrincipal(certificate.getSubjectDN().getName());
   }
   return verify;
 }
コード例 #6
0
 public void appendSignatureTimeStamp(byte[] timeStampTokenBytes) {
   try {
     AttributeTable at = firstSignerInfo.getUnsignedAttributes();
     firstSignerInfo =
         SignerInformation.replaceUnsignedAttributes(
             firstSignerInfo, appendTimestampAttribute(timeStampTokenBytes, at));
     Collection<SignerInformation> signers = new ArrayList<SignerInformation>(1);
     signers.add(firstSignerInfo);
     SignerInformationStore sis = new SignerInformationStore(signers);
     cmsSignedData = CMSSignedData.replaceSigners(cmsSignedData, sis);
   } catch (Exception e) {
     ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
   }
 }
コード例 #7
0
 // controlla che nel firmatario sia presente l'attributo ESSCertIDv2 e che esso sia valido
 // in questo caso la busta crittografica è espressa correttamente nel formato CADES-BES secondo
 // la  DELIBERAZIONE ministeriale del N . 45 DEL 21 MAGGIO 2009
 private boolean isLegallySigned(SignerInformation signer, X509CertificateHolder cert)
     throws FirmapiuException, NoSuchAlgorithmException, IOException {
   AttributeTable signAttr = signer.getSignedAttributes();
   if (signAttr == null) throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
   Attribute attr = signAttr.get(PKCSObjectIdentifiers.id_aa_signingCertificateV2);
   if (attr == null) throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
   ASN1Sequence sequence = ASN1Sequence.getInstance(attr.getAttrValues().getObjectAt(0));
   SigningCertificateV2 scv2 = SigningCertificateV2.getInstance(sequence);
   ESSCertIDv2[] essCert = scv2.getCerts();
   if (essCert == null || essCert.length < 1)
     throw new FirmapiuException(VERIFY_SIGNER_SIGNINGATTRIBUTE_NOTFOUND);
   // controlla l'hash del certificato se si restituisce true se no restituisce no
   // aggiungere hash del certificato di sottoscrizione
   String digestAlgorithm = "SHA-256";
   MessageDigest sha = null;
   sha = MessageDigest.getInstance(digestAlgorithm);
   byte[] digestedCert = sha.digest(cert.getEncoded());
   byte[] essCertHash = essCert[0].getCertHash();
   // affinché la firma sia valida digestCert e essCertHash devono essere uguali
   if (digestedCert.length != essCertHash.length) return false;
   else {
     for (int i = 0; i < digestedCert.length; i++)
       if (digestedCert[i] != essCertHash[i]) {
         return false;
       }
     return true;
   } // fine if
 } // fine metodo
コード例 #8
0
  // recupera il signing time di un firmatario
  private static Date getSigningTime(SignerInformation signer) throws FirmapiuException {
    AttributeTable signedAttr = signer.getSignedAttributes();
    Attribute signingTimeAttr = signedAttr.get(CMSAttributes.signingTime);
    if (signingTimeAttr != null) {
      Enumeration<?> en = signingTimeAttr.getAttrValues().getObjects();

      Date signingTime = null;

      Object obj = en.nextElement();
      try {
        if (obj instanceof ASN1UTCTime) {
          ASN1UTCTime asn1Time = (ASN1UTCTime) obj;
          signingTime = asn1Time.getDate();
        } else if (obj instanceof DERUTCTime) {
          DERUTCTime derTime = (DERUTCTime) obj;
          signingTime = derTime.getDate();
        }
        return signingTime;
      } catch (ParseException e) {
        // TODO eccezioni ammodo
        throw new FirmapiuException();
      }

    } else {
      // non ha trovato il signing time come attributo
      // TODO eccezioni ammodo
      throw new FirmapiuException();
    }
  } // fine metodo
コード例 #9
0
  /**
   * Return a signer information object with passed in SignerInformationStore representing counter
   * signatures attached as an unsigned attribute.
   *
   * @param signerInformation the signerInfo to be used as the basis.
   * @param counterSigners signer info objects carrying counter signature.
   * @return a copy of the original SignerInformationObject with the changed attributes.
   */
  public static SignerInformation addCounterSigners(
      SignerInformation signerInformation, SignerInformationStore counterSigners) {
    // TODO Perform checks from RFC 3852 11.4

    SignerInfo sInfo = signerInformation.info;
    AttributeTable unsignedAttr = signerInformation.getUnsignedAttributes();
    ASN1EncodableVector v;

    if (unsignedAttr != null) {
      v = unsignedAttr.toASN1EncodableVector();
    } else {
      v = new ASN1EncodableVector();
    }

    ASN1EncodableVector sigs = new ASN1EncodableVector();

    for (Iterator it = counterSigners.getSigners().iterator(); it.hasNext(); ) {
      sigs.add(((SignerInformation) it.next()).toSignerInfo());
    }

    v.add(new Attribute(CMSAttributes.counterSignature, new DERSet(sigs)));

    return new SignerInformation(
        new SignerInfo(
            sInfo.getSID(),
            sInfo.getDigestAlgorithm(),
            sInfo.getAuthenticatedAttributes(),
            sInfo.getDigestEncryptionAlgorithm(),
            sInfo.getEncryptedDigest(),
            new DERSet(v)),
        signerInformation.contentType,
        signerInformation.content,
        null,
        new DefaultSignatureAlgorithmIdentifierFinder());
  }
コード例 #10
0
  private void verifySigners(Store certs, SignerInformationStore signers) throws Exception {
    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certs.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();

      assertEquals(
          true,
          signer.verify(
              new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder)));
    }
  }
コード例 #11
0
 public TimestampToken getContentTimestamp() {
   try {
     return SignedAttributesHelper.getContentTimestamp(firstSignerInfo.getSignedAttributes());
   } catch (Exception e) {
     ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
   }
   return null;
 }
コード例 #12
0
 // OCSP responses found as signed ID_ADBE_REVOCATION attribute
 public Set<OCSPResponse> getSignedOCSPResponses() {
   try {
     AttributeTable table = firstSignerInfo.getSignedAttributes();
     return SignedAttributesHelper.getSignedOCSPResponses(table);
   } catch (Exception e) {
     ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
   }
   return null;
 }
コード例 #13
0
 // CRLS found as signed ID_ADBE_REVOCATION attribute
 public Collection<CRL> getSignedCRLs() {
   try {
     AttributeTable table = firstSignerInfo.getSignedAttributes();
     return SignedAttributesHelper.getSignedCRLs(table);
   } catch (Exception e) {
     ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
   }
   return null;
 }
コード例 #14
0
ファイル: PESignerTest.java プロジェクト: ebourg/jsign
  /**
   * Tests that it is possible to specify a signature algorithm who's name is not simply a
   * concatenation of a digest algorithm and the key algorithm.
   *
   * <p>This test also sets the signature provider as a provider supporting the RSASSA-PSS
   * algorithms might not be installed.
   *
   * @throws Exception
   */
  public void testWithSignatureAlgorithmSHA256withRSAandMGF1() throws Exception {
    File sourceFile = new File("target/test-classes/wineyes.exe");
    File targetFile = new File("target/test-classes/wineyes-signed.exe");

    FileUtils.copyFile(sourceFile, targetFile);

    PEFile peFile = null;
    try {
      peFile = new PEFile(targetFile);

      PESigner signer =
          new PESigner(getKeyStore(), ALIAS, PRIVATE_KEY_PASSWORD)
              .withTimestamping(false)
              .withDigestAlgorithm(DigestAlgorithm.SHA1)
              .withSignatureAlgorithm("SHA256withRSAandMGF1", new BouncyCastleProvider());

      signer.sign(peFile);

      peFile = new PEFile(targetFile);
      List<CMSSignedData> signatures = peFile.getSignatures();
      assertNotNull(signatures);
      assertEquals(1, signatures.size());

      CMSSignedData signedData = signatures.get(0);
      assertNotNull(signedData);

      // Check the signature algorithm
      final SignerInformation si =
          (SignerInformation) signedData.getSignerInfos().getSigners().iterator().next();
      assertEquals(
          "Digest algorithm",
          NISTObjectIdentifiers.id_sha256,
          si.getDigestAlgorithmID().getAlgorithm());
      assertEquals(
          "Encryption algorithm",
          PKCSObjectIdentifiers.id_RSASSA_PSS.getId(),
          si.getEncryptionAlgOID());
    } finally {
      if (peFile != null) {
        peFile.close();
      }
    }
  }
コード例 #15
0
  public static boolean isValidSignature(CMSSignedData signedData, X509Certificate rootCert)
      throws Exception {

    boolean[] bArr = new boolean[2];
    bArr[0] = true;
    CertStore certsAndCRLs = signedData.getCertificatesAndCRLs("Collection", "BC");
    SignerInformationStore signers = signedData.getSignerInfos();
    Iterator it = signers.getSigners().iterator();

    if (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      SignerId signerConstraints = signer.getSID();
      signerConstraints.setKeyUsage(bArr);
      PKIXCertPathBuilderResult result = buildPath(rootCert, signer.getSID(), certsAndCRLs);
      return signer.verify(result.getPublicKey(), "BC");
    }

    return false;
  }
コード例 #16
0
ファイル: ReadSignedMail.java プロジェクト: XShandow/bc-java
  /** verify the signature (assuming the cert is contained in the message) */
  private static void verify(SMIMESigned s) throws Exception {
    //
    // extract the information to verify the signatures.
    //

    //
    // certificates and crls passed in the signature
    //
    Store certs = s.getCertificates();

    //
    // SignerInfo blocks which contain the signatures
    //
    SignerInformationStore signers = s.getSignerInfos();

    Collection c = signers.getSigners();
    Iterator it = c.iterator();

    //
    // check each signer
    //
    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = certs.getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509Certificate cert =
          new JcaX509CertificateConverter()
              .setProvider(BC)
              .getCertificate((X509CertificateHolder) certIt.next());

      //
      // verify that the sig is correct and that it was generated
      // when the certificate was current
      //
      if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(BC).build(cert))) {
        System.out.println("signature verified");
      } else {
        System.out.println("signature failed!");
      }
    }
  }
コード例 #17
0
ファイル: ExstractorP7M.java プロジェクト: flaviooo/TestCert
  public boolean verifyEstrai(String pathBase, File pathFilesSignedd) {

    boolean esito = false;

    byte[] buffer = new byte[(int) pathFilesSignedd.length()];
    DataInputStream in;
    try {
      in = new DataInputStream(new FileInputStream(pathFilesSignedd));

      in.readFully(buffer);
      in.close();

      Security.addProvider(new BouncyCastleProvider());
      CMSSignedData signature = new CMSSignedData(buffer);
      SignerInformation signer =
          (SignerInformation) signature.getSignerInfos().getSigners().iterator().next();
      CertStore cs = signature.getCertificatesAndCRLs("Collection", "BC");

      Iterator iter = cs.getCertificates(signer.getSID()).iterator();
      X509Certificate certificate = (X509Certificate) iter.next();
      CMSProcessable sc = signature.getSignedContent();
      byte[] data = (byte[]) sc.getContent();

      // Verifie la signature
      // System.out.println(signer.verify(certificate, "BC"));
      esito = signer.verify(certificate.getPublicKey(), "BC");
      System.out.println("Verifica FILE: " + esito);

      String fatturapaName =
          pathFilesSignedd.getName().substring(0, pathFilesSignedd.getName().length() - 4).trim();
      System.out.println(" test:" + fatturapaName);
      FileOutputStream envfos = new FileOutputStream(new File(pathBase, fatturapaName));
      envfos.write(data);
      envfos.close();
    } catch (Exception e) {
      // TODO Auto-generated catch block
      e.printStackTrace();
    }

    return esito;
  }
コード例 #18
0
 public List<TimestampToken> getSignatureTimestamps() {
   if (signatureTimeStamps == null) {
     try {
       signatureTimeStamps =
           UnsignedAttributesHelper.getSignatureTimestamps(
               firstSignerInfo.getUnsignedAttributes());
     } catch (Exception e) {
       ExceptionHandlerTyped.<SPISignatureException>handle(SPISignatureException.class, e);
     }
   }
   return signatureTimeStamps;
 }
コード例 #19
0
 public Certificate getSignerCertificate() {
   try {
     Collection certificateCollection =
         cmsSignedData.getCertificates().getMatches(firstSignerInfo.getSID());
     Iterator iterator = certificateCollection.iterator();
     X509CertificateHolder certHolder = (X509CertificateHolder) iterator.next();
     return CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
         .generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
   } catch (Exception e) {
     log.error(Channel.TECH, "Could not extract signer certificate from CMS signature : %1$s", e);
   }
   return null;
 }
コード例 #20
0
  public void testDoubleNlCanonical() throws Exception {
    MimeMessage message = loadMessage("3nnn_smime.eml");

    SMIMESigned s = new SMIMESigned((MimeMultipart) message.getContent());

    Collection c = s.getSignerInfos().getSigners();
    Iterator it = c.iterator();

    while (it.hasNext()) {
      SignerInformation signer = (SignerInformation) it.next();
      Collection certCollection = s.getCertificates().getMatches(signer.getSID());

      Iterator certIt = certCollection.iterator();
      X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next();

      // in this case the sig is invalid, but it's the lack of an exception from the content digest
      // we're looking for
      Assert.assertFalse(
          signer.verify(
              new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(certHolder)));
    }
  }
コード例 #21
0
ファイル: DSSASN1Utils.java プロジェクト: Ovrful/sd-dss-1
  /**
   * @param signerInformation {@code SignerInformation}
   * @return {@code DERTaggedObject} representing the signed attributes
   * @throws DSSException in case of a decoding problem
   */
  public static DERTaggedObject getSignedAttributes(final SignerInformation signerInformation)
      throws DSSException {

    try {
      final byte[] encodedSignedAttributes = signerInformation.getEncodedSignedAttributes();
      if (encodedSignedAttributes == null) {
        return null;
      }
      final ASN1Set asn1Set = DSSASN1Utils.toASN1Primitive(encodedSignedAttributes);
      return new DERTaggedObject(false, 0, asn1Set);
    } catch (IOException e) {
      throw new DSSException(e);
    }
  }
  private Date findTimestamp(CMSSignedData cmsSignedData) {
    Iterator iterator = cmsSignedData.getSignerInfos().getSigners().iterator();

    while (iterator.hasNext()) {

      SignerInformation signerInformation = (SignerInformation) iterator.next();
      AttributeTable signedAttrTable = signerInformation.getSignedAttributes();
      if (signedAttrTable == null) {
        continue;
      }

      ASN1EncodableVector v = signedAttrTable.getAll(CMSAttributes.signingTime);
      switch (v.size()) {
        case 0:
          continue;
        case 1:
          Attribute t = (Attribute) v.get(0);
          ASN1Set attrValues = t.getAttrValues();
          if (attrValues.size() != 1) {
            continue;
          }

          // found it
          try {
            return ((ASN1UTCTime) attrValues.getObjectAt(0).getDERObject()).getDate();
          } catch (ParseException e) {
            e.printStackTrace();
          }
          continue;
        default:
          continue;
      }
    }

    // no timestamp found
    return null;
  }
コード例 #23
0
ファイル: CmsVerif.java プロジェクト: kdkanishka/keytool-iui
  public boolean doJob() {
    String strMethod = "doJob()";

    try {
      // _validateCmsSignature();
      CMSSignedData cms = _getSignPkcs7();

      SignerInformationStore sis = cms.getSignerInfos();
      Collection colSignerInfo = sis.getSigners();
      Iterator itrSignerInfo = colSignerInfo.iterator();
      SignerInformation sin = (SignerInformation) itrSignerInfo.next();

      // r�cup�ration du certificat du signataire
      CertStore cse = cms.getCertificatesAndCRLs("Collection", CmsVerif._STR_KST_PROVIDER_BC);
      Iterator itrCert = cse.getCertificates(sin.getSID()).iterator();
      X509Certificate crt = (X509Certificate) itrCert.next();

      // Verifie la signature
      boolean blnCoreValidity = sin.verify(crt, CmsVerif._STR_KST_PROVIDER_BC);

      if (blnCoreValidity) {
        MySystem.s_printOutTrace(this, strMethod, "blnCoreValidity=true");

        String strBody = "CMS Detached signature is OK!";

        strBody += "\n\n" + ". CMS signature file location:";
        strBody += "\n  " + super._strPathAbsFileSig_;

        strBody += "\n\n" + ". Data file location:";
        strBody += "\n  " + super._strPathAbsFileData_;

        OPAbstract.s_showDialogInfo(super._frmOwner_, strBody);

        // SignerInfo sio = sin.toSignerInfo();

        SignerId sid = sin.getSID();

        if (sid != null) {
          System.out.println("sid.getSerialNumber()=" + sid.getSerialNumber());
          System.out.println("sid.getIssuerAsString()=" + sid.getIssuerAsString());
          System.out.println("sid.getSubjectAsString()=" + sid.getSubjectAsString());
        }

        /*System.out.println("sin.getDigestAlgOID()=" + sin.getDigestAlgOID());
        System.out.println("sin.getEncryptionAlgOID()=" + sin.getEncryptionAlgOID());
        System.out.println("sin.toString()=" + sin.toString());
        System.out.println("sin.getVersion()=" + sin.getVersion());*/
      } else {
        MySystem.s_printOutWarning(this, strMethod, "blnCoreValidity=true");

        String strBody = "CMS Detached signature is WRONG!";

        strBody += "\n\n" + ". CMS signature file location:";
        strBody += "\n  " + super._strPathAbsFileSig_;

        strBody += "\n\n" + ". Data file location:";
        strBody += "\n  " + super._strPathAbsFileData_;

        OPAbstract.s_showDialogWarning(super._frmOwner_, strBody);
      }

    } catch (Exception exc) {
      exc.printStackTrace();
      MySystem.s_printOutError(this, strMethod, "exc caught");

      String strBody = "Failed to verify CMS detached signature.";

      strBody += "\n\n" + "Possible reason: wrong data file";

      strBody += "\n\n" + "got exception.";
      strBody += "\n" + exc.getMessage();
      strBody += "\n\n" + "More: see your session.log";

      OPAbstract.s_showDialogError(super._frmOwner_, strBody);

      return false;
    }

    // TODO
    return true;
  }
コード例 #24
0
 public SignerLocation getSignerLocationAttribute() {
   return SignedAttributesHelper.getSignerLocationAttribute(firstSignerInfo.getSignedAttributes());
 }
コード例 #25
0
 public SignerAttribute getSignerAttributesAttribute() {
   return SignedAttributesHelper.getSignerAttributesAttribute(
       firstSignerInfo.getSignedAttributes());
 }
コード例 #26
0
  // controlla che il certificato del firmatario sia affidabile controllando la sua catena di
  // certificati
  // valida il certificato X509 del firmatario usando il built-in PKIX support messo a disposizione
  // da java
  // caricando il keystore contenente i certificati degli enti certificatori autorizzati dallo stato
  // italiano
  private PKIXCertPathBuilderResult isTrustedSigner(SignerInformation signer)
      throws FirmapiuException {
    // genera la lista di certificati da controllare  per generare la catena dei certificati del
    // firmatario
    // TODO quali certificati carica esattamente?
    Collection<?> certCollection = certStore.getMatches(signer.getSID());
    Iterator<?> certIt = certCollection.iterator();
    X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
    List<X509Certificate> chain = new LinkedList<X509Certificate>();
    JcaX509CertificateConverter certConverter =
        new JcaX509CertificateConverter().setProvider(this.bcProvName);
    try {
      X509Certificate x509cert = certConverter.getCertificate(cert);
      chain.add(x509cert);
      while (certIt.hasNext()) {
        x509cert = certConverter.getCertificate((X509CertificateHolder) certIt.next());
        chain.add(x509cert);
      }
    } catch (CertificateException e) {
      new FirmapiuException(CERT_DEFAULT_ERROR, e);
    }

    // carica i certificati presenti nel token crittografico passato come parametro
    KeyStore anchors = this.token.loadKeyStore(null);
    X509CertSelector target = new X509CertSelector();
    target.setCertificate(chain.get(0));
    PKIXBuilderParameters params;
    CertPathBuilder builder;
    try {
      params = new PKIXBuilderParameters(anchors, target);
      // disabilita il controllo delle CRL
      params.setRevocationEnabled(false);
      // se il certificato è scaduto cerca di generare lo stesso la catena dei certificati
      try {
        X509Certificate x509cert = certConverter.getCertificate(cert);
        // long before=x509cert.getNotBefore().getTime();
        long after = x509cert.getNotAfter().getTime();
        after -= 10;
        params.setDate(new Date(after));
      } catch (CertificateException e) {
        throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
      }
      CertStoreParameters intermediates = new CollectionCertStoreParameters(chain);
      params.addCertStore(CertStore.getInstance("Collection", intermediates));
      params.setSigProvider(this.bcProvName);
      builder = CertPathBuilder.getInstance("PKIX", this.bcProvName);
    } catch (KeyStoreException | InvalidAlgorithmParameterException e) {
      throw new FirmapiuException(CERT_KEYSTORE_DEFAULT_ERROR, e);
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
      throw new FirmapiuException(DEFAULT_ERROR, e);
    }
    /*
     * If build() returns successfully, the certificate is valid. More details
     * about the valid path can be obtained through the PKIXBuilderResult.
     * If no valid path can be found, a CertPathBuilderException is thrown.
     */
    try {
      return (PKIXCertPathBuilderResult) builder.build(params);
    } catch (CertPathBuilderException e) {
      throw new FirmapiuException(VERIFY_SIGNER_CERTPATH_ERROR, e);
    } catch (InvalidAlgorithmParameterException e) {
      throw new FirmapiuException(DEFAULT_ERROR, e);
    }
  } // fine metodo
コード例 #27
0
 public SignerInformationStore getCounterSignatures() {
   return firstSignerInfo.getCounterSignatures();
 }
コード例 #28
0
  /**
   * Verifica la correttezza della firma elettronica <b>di uno dei firmatari</b> della busta
   * crittografica controllando i campi di verifica richiesti come parametro
   *
   * @param signer il firmatario di cui bisogna verificare la firma
   * @param fields Una Set contenente i nomi dei campi che si vogliono verificare in fase di
   *     operazione di verifica sul singolo firmatario
   * @return Una Map contenete il record dell'operazione di verifica sul firmatario con i campi
   *     richiesti dal parametro fields
   * @see it.libersoft.firmapiu.consts.FirmapiuRecordConstants
   */
  Map<String, Object> verifySigner(SignerInformation signer, Set<String> fields) {
    // genera la map contenente le informazioni di verifica per il singolo firmatario
    Map<String, Object> record = new TreeMap<String, Object>();
    // FIXME informazione replicata nei metodi di Cades-Bes Verifier che già offrono la possbilità
    // di ottenere la SignerInformation
    // inserisce la signerinfo
    if (fields.contains(SIGNERINFO)) record.put(SIGNERINFO, signer);

    Collection<?> certCollection = certStore.getMatches(signer.getSID());
    Iterator<?> certIt = certCollection.iterator();
    X509CertificateHolder cert = (X509CertificateHolder) certIt.next();

    // inserisce il certificato del firmatario
    if (fields.contains(SIGNERCERT)) {
      try {
        X509Certificate x509cert = new JcaX509CertificateConverter().getCertificate(cert);
        record.put(SIGNERCERT, x509cert);
      } catch (CertificateException e) {
        record.put(SIGNERCERT, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      }
    }

    // inserisce la verifica della firma del firmatatio
    if (fields.contains(OKSIGNED)) {
      try {
        Boolean result =
            signer.verify(
                new JcaSimpleSignerInfoVerifierBuilder().setProvider(this.bcProvName).build(cert));
        record.put(OKSIGNED, result);
      } catch (OperatorCreationException e) {
        record.put(OKSIGNED, new FirmapiuException(VERIFY_SIGNER_DEFAULT_ERROR, e));
      } catch (CertificateException e) {
        record.put(OKSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      } catch (CMSException e) {
        record.put(OKSIGNED, new FirmapiuException(VERIFY_SIGNER_DEFAULT_ERROR, e));
      } // fine try-catch
    }

    // inserisce la verifica del controllo legale della firma di un firmatario
    if (fields.contains(LEGALLYSIGNED)) {
      try {
        record.put(LEGALLYSIGNED, new Boolean(isLegallySigned(signer, cert)));
      } catch (NoSuchAlgorithmException e) {
        record.put(LEGALLYSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      } catch (FirmapiuException e) {
        record.put(LEGALLYSIGNED, e);
      } catch (IOException e) {
        record.put(LEGALLYSIGNED, new FirmapiuException(CERT_DEFAULT_ERROR, e));
      }
    }

    // inserisce la verifica del controllo dell'affidabilità del certificato del firmatario
    PKIXCertPathBuilderResult signerCerthPathResult = null;
    if (fields.contains(TRUSTEDSIGNER)) {
      try {
        signerCerthPathResult = isTrustedSigner(signer);
        // se è arrivato a questo ramo di codice vuol dire che il certificato è affidbile
        record.put(TRUSTEDSIGNER, new Boolean(true));
      } catch (FirmapiuException e) {
        record.put(TRUSTEDSIGNER, e);
      }
    }

    // inserisce la "trust anchor" del certificato del firmatario, ossia il certificato della CA che
    // lo ha emesso
    if (fields.contains(TRUSTANCHOR)) {
      try {
        if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
        X509Certificate trustanchor = signerCerthPathResult.getTrustAnchor().getTrustedCert();
        record.put(TRUSTANCHOR, trustanchor);
      } catch (FirmapiuException e) {
        record.put(TRUSTANCHOR, e);
      }
    }

    // inserisce la catena di certificazione
    if (fields.contains(CERTCHAIN)) {
      try {
        if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
        List<? extends Certificate> certchain =
            signerCerthPathResult.getCertPath().getCertificates();
        record.put(CERTCHAIN, certchain);
      } catch (FirmapiuException e) {
        record.put(CERTCHAIN, e);
      }
    }

    // verifica che il certificato relativo il firmatario non sia stato revocato
    // e che era valido al momento in cui i dati sono stati firmati
    Object certStatus = null;
    Date rvkdCertTime = null;
    if (fields.contains(SIGNERCERTSTATUS) || fields.contains(SIGNERCERTREVOKED)) {
      // controllo lo status del certificato utente con OSCP. Se il controllo fallisce o lo status
      // del certificato è "UNKNOWN"
      // esegue il controllo con le CRL
      X509Certificate userCertificate = null;
      try {
        userCertificate = new JcaX509CertificateConverter().getCertificate(cert);
      } catch (CertificateException e1) {
        if (fields.contains(SIGNERCERTSTATUS)) record.put(SIGNERCERTSTATUS, e1);
        if (fields.contains(SIGNERCERTREVOKED)) record.put(SIGNERCERTREVOKED, e1);
      }
      // se non è in grado di determinare lo user certificate di cui controllare lo status non deve
      // proseguire oltre
      if (userCertificate != null) {
        try {
          if (signerCerthPathResult == null) signerCerthPathResult = isTrustedSigner(signer);
          // TODO nota: non è detto che il trustanchor sia anche l'issuercertificate. Bisogna fare
          // un controllo mogliore
          X509Certificate issuerCertificate =
              signerCerthPathResult.getTrustAnchor().getTrustedCert();
          certStatus = getCertificateStatus(userCertificate, issuerCertificate);
          // se certstatus è null il certificato è considerato valido
          if (certStatus == null) {
            if (fields.contains(SIGNERCERTSTATUS)) record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
            if (fields.contains(SIGNERCERTREVOKED))
              record.put(SIGNERCERTREVOKED, new Boolean(false));
          } else {
            // se certStatus è una risposta ocsp
            if (certStatus instanceof CertificateStatus) {
              CertificateStatus c1 = (CertificateStatus) certStatus;
              if (c1 == CertificateStatus.GOOD) {
                if (fields.contains(SIGNERCERTSTATUS))
                  record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
                if (fields.contains(SIGNERCERTREVOKED))
                  record.put(SIGNERCERTREVOKED, new Boolean(false));
              } else
              // certificato revocato
              if (c1 instanceof RevokedStatus) {
                rvkdCertTime = ((RevokedStatus) c1).getRevocationTime();
                if (fields.contains(SIGNERCERTSTATUS))
                  record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
                if (fields.contains(SIGNERCERTREVOKED)) {
                  // controlla se il certificato era già revocato al signing time
                  try {
                    if (isRevokedAtSigningTime(signer, rvkdCertTime))
                      record.put(SIGNERCERTREVOKED, new Boolean(true));
                    else record.put(SIGNERCERTREVOKED, new Boolean(false));
                  } catch (FirmapiuException e) {
                    record.put(SIGNERCERTREVOKED, e);
                  }
                } // fine if (fields.contains(SIGNERCERTREVOKED)
              } // fine if (c1 instanceof RevokedStatus)
            }
            // se il certStatus è una risposta CRL vuol dire che il certificato è revocato,
            // altrimenti avrebbe restituito null
            else if (certStatus instanceof X509CRLEntry) {
              rvkdCertTime = ((X509CRLEntry) certStatus).getRevocationDate();
              if (fields.contains(SIGNERCERTSTATUS))
                record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
              if (fields.contains(SIGNERCERTREVOKED)) {
                // controlla se il certificato era già revocato al signing time
                try {
                  if (isRevokedAtSigningTime(signer, rvkdCertTime))
                    record.put(SIGNERCERTREVOKED, new Boolean(true));
                  else record.put(SIGNERCERTREVOKED, new Boolean(false));
                } catch (FirmapiuException e) {
                  record.put(SIGNERCERTREVOKED, e);
                }
              } // fine if (fields.contains(SIGNERCERTREVOKED))
            } // fine else if (certStatus instanceof X509CRLEntry)
          } // fine else
        } catch (FirmapiuException e) {
          record.put(SIGNERCERTSTATUS, e);
        }
      } // fine if (userCertificate!=null)
    } // fine if(fields.contains(SIGNERCERTSTATUS) | fields.contains(SIGNERCERTREVOKED))

    // ritorna il record generato al chiamante
    return record;

    // OCSPVerify ocspVerifier=null;
    //		if(fields.contains(SIGNERCERTSTATUS)){
    //			//controllo lo status del certificato utente con OSCP. Se il controllo fallisce o lo status
    // del certificato è "UNKNOWN"
    //			//esegue il controllo con le CRL
    //			X509Certificate userCertificate=null;
    //			try {
    //				userCertificate = new JcaX509CertificateConverter().getCertificate(cert);
    //			} catch (CertificateException e1) {
    //				record.put(SIGNERCERTSTATUS, e1);
    //			}
    //			//se non è in grado di determinare lo user certificate di cui controllare lo status non
    // deve proseguire oltre
    //			if (userCertificate!=null) {
    //				try {
    //					if (signerCerthPathResult == null)
    //						signerCerthPathResult = isTrustedSigner(signer);
    //					//TODO nota: non è detto che il trustanchor sia anche l'issuercertificate. Bisogna fare
    // un controllo mogliore
    //					X509Certificate issuerCertificate = signerCerthPathResult
    //							.getTrustAnchor().getTrustedCert();
    //					ocspVerifier = new OCSPVerify(issuerCertificate,
    //							userCertificate, this.bcProvName);
    //					CertificateStatus certStatus = ocspVerifier
    //							.getStatusCertificate();
    //					// certificato valido
    //					if (certStatus == CertificateStatus.GOOD) {
    //						record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //					} else
    //					// certificato revocato
    //					if (certStatus instanceof RevokedStatus) {
    //						record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //					} else
    //					// stato del certificato sconosciuto
    //					if (certStatus instanceof UnknownStatus) {
    //						//			System.out.println("certificato sconosciuto!");
    //						//			System.err.println("OCSPVerify.getStatusResponse() "
    //						//					+ "UnknowStatus");
    //						//return CertStatus.UNKNOWN;
    //						//se lo stato del certificato è sconosciuto controlla anche le crl
    //						CRLVerify crlVerifier = new CRLVerify(userCertificate);
    //						try {
    //							//TODO bisognerebbe controllare la firma delle risposte ricevute
    //							if (crlVerifier.verifyCertificateCRLs())
    //								record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //							else
    //								record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //						} catch (FirmapiuException e) {
    //							record.put(SIGNERCERTSTATUS, e);
    //						}
    //					}//fine if (certStatus instanceof UnknownStatus)
    //				} catch (FirmapiuException e) {
    //					//se il controllo tramite ocsp è fallito a causa di un errore, controlla anche le CRL
    //					CRLVerify crlVerifier = new CRLVerify(userCertificate);
    //					try {
    //						//TODO bisognerebbe controllare la firma delle risposte ricevute
    //						if (crlVerifier.verifyCertificateCRLs())
    //							record.put(SIGNERCERTSTATUS, CertStatus.GOOD);
    //						else
    //							record.put(SIGNERCERTSTATUS, CertStatus.REVOKED);
    //					} catch (FirmapiuException e1) {
    //						//TODO quale eccezione restituire? quella di OCSP o Quella di CRL?
    //						record.put(SIGNERCERTSTATUS, e1);
    //					}
    //				}//fine try-catch
    //			}//fine if (userCertificate!=null)
    //		}//fine if(fields.contains(SIGNERCERTSTATUS))
  }
コード例 #29
0
 public byte[] getEncodedSignedAttrs() throws IOException {
   return firstSignerInfo.getEncodedSignedAttributes();
 }
コード例 #30
0
  @Test
  public void testCMSSignature() throws Exception {
    // setup
    byte[] toBeSigned = "hello world".getBytes();
    String signatureDescription = "Test CMS Signature";
    CMSTestSignatureService signatureService =
        new CMSTestSignatureService(toBeSigned, signatureDescription);

    KeyPair keyPair = PkiTestUtils.generateKeyPair();
    DateTime notBefore = new DateTime();
    DateTime notAfter = notBefore.plusYears(1);
    X509Certificate certificate =
        PkiTestUtils.generateCertificate(
            keyPair.getPublic(),
            "CN=Test",
            notBefore,
            notAfter,
            null,
            keyPair.getPrivate(),
            true,
            0,
            null,
            null,
            new KeyUsage(KeyUsage.nonRepudiation));
    List<X509Certificate> signingCertificateChain = new LinkedList<X509Certificate>();
    signingCertificateChain.add(certificate);

    // operate
    DigestInfo digestInfo =
        signatureService.preSign(null, signingCertificateChain, null, null, null);

    // verify
    assertNotNull(digestInfo);
    byte[] digestValue = digestInfo.digestValue;
    LOG.debug("digest value: " + Hex.encodeHexString(digestValue));
    assertNotNull(digestValue);
    assertEquals(signatureDescription, digestInfo.description);
    assertEquals("SHA1", digestInfo.digestAlgo);

    Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    cipher.init(Cipher.ENCRYPT_MODE, keyPair.getPrivate());
    byte[] digestInfoValue = ArrayUtils.addAll(PkiTestUtils.SHA1_DIGEST_INFO_PREFIX, digestValue);
    byte[] signatureValue = cipher.doFinal(digestInfoValue);
    LOG.debug("signature value: " + Hex.encodeHexString(signatureValue));

    // operate
    signatureService.postSign(signatureValue, signingCertificateChain);

    // verify
    byte[] cmsSignature = signatureService.getCMSSignature();
    CMSSignedData signedData = new CMSSignedData(cmsSignature);
    SignerInformationStore signers = signedData.getSignerInfos();
    Iterator<SignerInformation> iter = signers.getSigners().iterator();
    while (iter.hasNext()) {
      SignerInformation signer = iter.next();
      SignerId signerId = signer.getSID();
      assertTrue(signerId.match(certificate));
      assertTrue(signer.verify(keyPair.getPublic(), BouncyCastleProvider.PROVIDER_NAME));
    }
    byte[] data = (byte[]) signedData.getSignedContent().getContent();
    assertArrayEquals(toBeSigned, data);
  }