/** * Finalize signature to desired level * * @param sdoc SignedDoc object * @param sig Signature object * @param sigVal signature value * @param profile profile. Use null for default (e.g. profile in signed doc) * @return finalized signature */ public static Signature finalizeSignature( SignedDoc sdoc, Signature sig, byte[] sigVal, String profile) throws DigiDocException { String prf = profile; if (prf == null) prf = sdoc.getProfile(); if (m_logger.isDebugEnabled()) m_logger.debug( "Finalize sig: " + sig.getId() + " profile: " + prf + " sdoc: " + sdoc.getFormat() + "/" + sdoc.getVersion()); // xades-bes finalizeXadesBES(sig, sigVal); if (prf != null) { // T if (prf.equals(SignedDoc.BDOC_PROFILE_T) || prf.equals(SignedDoc.BDOC_PROFILE_CL) || prf.equals(SignedDoc.BDOC_PROFILE_TS)) finalizeXadesT(sdoc, sig); // C-L if (prf.equals(SignedDoc.BDOC_PROFILE_CL) || prf.equals(SignedDoc.BDOC_PROFILE_TM) || prf.equals(SignedDoc.BDOC_PROFILE_TS)) finalizeXadesC(sdoc, sig); // TM if (prf.equals(SignedDoc.BDOC_PROFILE_TM)) finalizeXadesXL_TM(sdoc, sig); // TS if (prf.equals(SignedDoc.BDOC_PROFILE_TS)) finalizeXadesXL_TS(sdoc, sig); } return sig; }
/** * Adds a new uncomplete signature to signed doc * * @param sdoc SignedDoc object * @param profile new signature profile. Use NULL for default * @param cert signers certificate * @param claimedRoles signers claimed roles * @param adr signers address * @param sId new signature id, Use NULL for default value * @param sSigMethod signature method uri - ddoc: SignedDoc.RSA_SHA1_SIGNATURE_METHOD, bdoc: * depends on card type. Use null for default value * @param sDigType digest type (all other hashes but SignedInfo). Use null for default type * @return new Signature object */ public static Signature prepareXadesBES( SignedDoc sdoc, String profile, X509Certificate cert, String[] claimedRoles, SignatureProductionPlace adr, String sId, String sSigMethod, String sDigType) throws DigiDocException { if (m_logger.isDebugEnabled()) m_logger.debug( "Prepare signature in sdoc: " + sdoc.getFormat() + "/" + sdoc.getVersion() + "/" + sdoc.getProfile() + " profile: " + profile + " signer: " + ((cert != null) ? SignedDoc.getCommonName(cert.getSubjectDN().getName()) : "unknown") + " id " + sId); boolean bWeakSig = false; for (int i = 0; i < sdoc.countSignatures(); i++) { Signature sig = sdoc.getSignature(i); if (sig.getAltDigestMatch()) bWeakSig = true; } if (bWeakSig) { m_logger.error( "One or more signatures has wrong DataFile hash even if alternative hash matches!"); throw new DigiDocException( DigiDocException.ERR_VERIFY, "One or more signatures has wrong DataFile hash even if alternative hash matches!", null); } // count roles if (claimedRoles != null && claimedRoles.length > 1) { m_logger.error("Currently supports no more than 1 ClaimedRole"); throw new DigiDocException( DigiDocException.ERR_UNSUPPORTED, "Currently supports no more than 1 ClaimedRole", null); } // cannot proceed if cert has not been read if (cert == null) { m_logger.error("Signers certificate missing during signature preparation!"); throw new DigiDocException( DigiDocException.ERR_SIGNERS_CERT, "Signers certificate missing during signature preparation!", null); } boolean bCheckNonRepu = ConfigManager.instance().getBooleanProperty("KEY_USAGE_CHECK", true); if (bCheckNonRepu && !ConfigManager.isSignatureKey(cert)) { if (m_logger.isDebugEnabled()) m_logger.debug("Signers cert does not have non-repudiation bit set!"); throw new DigiDocException( DigiDocException.ERR_SIGNERS_CERT_NONREPUD, "Signers cert does not have non-repudiation bit set!", null); } Signature sig = new Signature(sdoc); sig.setId(sId != null ? sId : sdoc.getNewSignatureId()); if (profile != null) { // use new profile for this signature sig.setProfile(profile); if (sdoc.getProfile() == null || sdoc.getProfile().equals(SignedDoc.BDOC_PROFILE_BES)) sdoc.setProfile(profile); // change also container to new profile } else // use default profile sig.setProfile(sdoc.getProfile()); // create SignedInfo block SignedInfo si = new SignedInfo( sig, ((sSigMethod != null) ? sSigMethod : SignedDoc.RSA_SHA1_SIGNATURE_METHOD), SignedDoc.CANONICALIZATION_METHOD_20010315); if (sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && sdoc.getVersion().equals(SignedDoc.BDOC_VERSION_2_1)) { si.setCanonicalizationMethod(SignedDoc.CANONICALIZATION_METHOD_1_1); sdoc.setDefaultNsPref(SignedDoc.FORMAT_BDOC); } if (m_logger.isDebugEnabled()) m_logger.debug( "Signer: " + cert.getSubjectDN().getName() + " EC key: " + isEcPubKey(cert) + " pre-2011: " + isPre2011IdCard(cert) + " digi-id: " + isDigiIdCard(cert) + " 2011: " + is2011Card(cert)); if (sSigMethod == null) { // default values if (sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) { if (isPre2011IdCard(cert)) { if (m_logger.isDebugEnabled()) m_logger.debug("Generating rsa-sha224 signature for pre-2011 card"); si.setSignatureMethod(SignedDoc.RSA_SHA224_SIGNATURE_METHOD); } else { String dType = ConfigManager.instance().getStringProperty("DIGIDOC_DIGEST_TYPE", "SHA-256"); String sSigMeth = ConfigManager.digType2SigMeth(dType, isEcPubKey(cert)); if (m_logger.isDebugEnabled()) m_logger.debug("Generating digest: " + dType + " and signature: " + sSigMeth); if (sSigMeth != null) si.setSignatureMethod(sSigMeth); else throw new DigiDocException( DigiDocException.ERR_DIGEST_ALGORITHM, "Invalid digest type: " + dType, null); } } } if (sdoc.getFormat().equals(SignedDoc.FORMAT_XADES) || sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) si.setId(sig.getId() + "-SignedInfo"); // SignedDataObjectProperties SignedDataObjectProperties sdop = new SignedDataObjectProperties(); // add DataFile references for (int i = 0; i < sdoc.countDataFiles(); i++) { DataFile df = sdoc.getDataFile(i); if (sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) { if (!df.isDigestsCalculated()) { try { InputStream is = null; if (df.getDfCacheFile() != null) is = df.getBodyAsStream(); if (is == null) is = sdoc.findDataFileAsStream(df.getFileName()); if (is == null) is = new java.io.FileInputStream(df.getFileName()); df.calcHashes(is); } catch (java.io.FileNotFoundException ex) { throw new DigiDocException( DigiDocException.ERR_READ_FILE, "Cannot read file: " + df.getFileName(), null); } } } else { if (!df.isDigestsCalculated()) df.calculateFileSizeAndDigest(null); } if (m_logger.isDebugEnabled()) m_logger.debug("Add ref for df: " + df.getId()); Reference ref = new Reference(si, df, sDigType); if (sdoc.getFormat().equals(SignedDoc.FORMAT_XADES) || sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) ref.setId(sig.getId() + "-ref-" + i); si.addReference(ref); if (sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && sdoc.getVersion().equals(SignedDoc.BDOC_VERSION_2_1)) { DataObjectFormat dof = new DataObjectFormat("#" + ref.getId()); dof.setMimeType(df.getMimeType()); sdop.addDataObjectFormat(dof); } } // manifest.xml reference - bdoc 2.1-s ei allkirjasta manifest.xml-i // create key info KeyInfo ki = new KeyInfo(cert); if (sdoc.getFormat().equals(SignedDoc.FORMAT_XADES) || sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) ki.setId(sig.getId() + "-KeyInfo"); sig.setKeyInfo(ki); ki.setSignature(sig); registerCert(cert, CertValue.CERTVAL_TYPE_SIGNER, null, sig); if (m_logger.isDebugEnabled()) m_logger.debug("Signer cert: " + cert.getSubjectDN().getName()); boolean bUseLocal = ConfigManager.instance().getBooleanProperty("DIGIDOC_USE_LOCAL_TSL", false); if (sdoc.getFormat().equals(SignedDoc.FORMAT_XADES) || sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) { TrustServiceFactory tslFac = ConfigManager.instance().getTslFactory(); // first lookup in TSL-s X509Certificate ca = tslFac.findCaForCert(cert, bUseLocal, null); if (ca != null) { String caId = sig.getId() + "-" + ConvertUtils.getCommonName(ca.getSubjectDN().getName()); registerCert(ca, CertValue.CERTVAL_TYPE_CA, caId, sig); } // TODO: maybe copy local CA certs to signature until the first ca that is in TSL? } // create signed properties SignedProperties sp = new SignedProperties(sig, cert, claimedRoles, adr); sig.setSignedProperties(sp); // bdoc 2.0 nonce policy if (sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC) && sdoc.getVersion().equals(SignedDoc.BDOC_VERSION_2_1) && (sig.getProfile().equals(SignedDoc.BDOC_PROFILE_TM) || sig.getProfile().equals(SignedDoc.BDOC_PROFILE_BES) || sig.getProfile().equals(SignedDoc.BDOC_PROFILE_CL) || sig.getProfile().equals(SignedDoc.BDOC_PROFILE_TMA))) { sp.setSignedDataObjectProperties(sdop); Identifier id1 = new Identifier(Identifier.OIDAsURN); id1.setUri(BDOC_210_OID); ObjectIdentifier oid1 = new ObjectIdentifier(id1); SignaturePolicyId spi1 = new SignaturePolicyId(oid1); spi1.setDigestAlgorithm(BDOC_210_DIGEST_METHOD); spi1.setDigestValue(ConvertUtils.hex2bin(BDOC_210_DIGEST_HEX)); // System.out.println("Spec hash: " + BDOC_210_DIGEST_HEX + " b64: " + // Base64Util.encode(ConvertUtils.hex2bin(BDOC_210_DIGEST_HEX))); spi1.addSigPolicyQualifier(new SpUri(BDOC_210_SPURI)); SignaturePolicyIdentifier spid1 = new SignaturePolicyIdentifier(spi1); sp.setSignaturePolicyIdentifier(spid1); } else { SignaturePolicyIdentifier spid1 = new SignaturePolicyIdentifier(null); sp.setSignaturePolicyIdentifier(spid1); } Reference ref = new Reference(si, sp, sDigType); if (sdoc.getFormat().equals(SignedDoc.FORMAT_XADES) || sdoc.getFormat().equals(SignedDoc.FORMAT_BDOC)) ref.setId(sig.getId() + "-ref-sp"); ref.setType(SignedDoc.SIGNEDPROPERTIES_TYPE); si.addReference(ref); sig.setSignedInfo(si); sdoc.addSignature(sig); if (m_logger.isDebugEnabled()) m_logger.debug("Prepared signature: " + sig.getId() + "/" + sig.getProfile()); return sig; }