示例#1
0
  private boolean isDSSDictionaryPresentInPreviousRevision(byte[] originalBytes) {
    ByteArrayInputStream bais = null;
    PDDocument doc = null;
    PdfDssDict dssDictionary = null;
    try {
      bais = new ByteArrayInputStream(originalBytes);
      doc = PDDocument.load(bais);
      List<PDSignature> pdSignatures = doc.getSignatureDictionaries();
      if (CollectionUtils.isNotEmpty(pdSignatures)) {
        PdfDict catalog = new PdfBoxDict(doc.getDocumentCatalog().getCOSDictionary(), doc);
        dssDictionary = PdfDssDict.extract(catalog);
      }
    } catch (Exception e) {
      logger.warn(
          "Cannot check in previous revisions if DSS dictionary already exist : " + e.getMessage(),
          e);
    } finally {
      IOUtils.closeQuietly(bais);
      IOUtils.closeQuietly(doc);
    }

    return dssDictionary != null;
  }
示例#2
0
  @Override
  protected void onDocumentSigned(byte[] byteArray) {
    try {
      InputStream inputStream = new ByteArrayInputStream(byteArray);

      PDDocument document = PDDocument.load(inputStream);
      List<PDSignature> signatures = document.getSignatureDictionaries();
      assertEquals(1, signatures.size());

      for (PDSignature pdSignature : signatures) {
        byte[] contents = pdSignature.getContents(byteArray);
        byte[] signedContent = pdSignature.getSignedContent(byteArray);

        logger.info("Byte range : " + Arrays.toString(pdSignature.getByteRange()));

        // IOUtils.write(contents, new FileOutputStream("sig.p7s"));

        ASN1InputStream asn1sInput = new ASN1InputStream(contents);
        ASN1Sequence asn1Seq = (ASN1Sequence) asn1sInput.readObject();

        logger.info("SEQ : " + asn1Seq.toString());

        ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1Seq.getObjectAt(0));
        assertEquals(PKCSObjectIdentifiers.signedData, oid);

        SignedData signedData =
            SignedData.getInstance(DERTaggedObject.getInstance(asn1Seq.getObjectAt(1)).getObject());

        ASN1Set digestAlgorithmSet = signedData.getDigestAlgorithms();
        ASN1ObjectIdentifier oidDigestAlgo =
            ASN1ObjectIdentifier.getInstance(
                ASN1Sequence.getInstance(digestAlgorithmSet.getObjectAt(0)).getObjectAt(0));
        DigestAlgorithm digestAlgorithm = DigestAlgorithm.forOID(oidDigestAlgo.getId());
        logger.info("DIGEST ALGO : " + digestAlgorithm);

        ContentInfo encapContentInfo = signedData.getEncapContentInfo();
        ASN1ObjectIdentifier contentTypeOID = encapContentInfo.getContentType();
        logger.info("ENCAPSULATED CONTENT INFO TYPE : " + contentTypeOID);
        assertEquals(PKCSObjectIdentifiers.data, contentTypeOID);

        ASN1Encodable content = encapContentInfo.getContent();
        logger.info("ENCAPSULATED CONTENT INFO CONTENT : " + content);
        assertNull(content);

        List<X509Certificate> certificates = extractCertificates(signedData);

        ASN1Set signerInfosAsn1 = signedData.getSignerInfos();
        logger.info("SIGNER INFO ASN1 : " + signerInfosAsn1.toString());
        SignerInfo signedInfo =
            SignerInfo.getInstance(ASN1Sequence.getInstance(signerInfosAsn1.getObjectAt(0)));

        ASN1Set authenticatedAttributeSet = signedInfo.getAuthenticatedAttributes();
        logger.info("AUTHENTICATED ATTR : " + authenticatedAttributeSet);

        List<ASN1ObjectIdentifier> attributeOids = new ArrayList<ASN1ObjectIdentifier>();
        for (int i = 0; i < authenticatedAttributeSet.size(); i++) {
          Attribute attribute = Attribute.getInstance(authenticatedAttributeSet.getObjectAt(i));
          attributeOids.add(attribute.getAttrType());
        }
        logger.info("List of OID for Auth Attrb : " + attributeOids);

        Attribute attributeDigest = Attribute.getInstance(authenticatedAttributeSet.getObjectAt(1));
        assertEquals(PKCSObjectIdentifiers.pkcs_9_at_messageDigest, attributeDigest.getAttrType());

        ASN1OctetString asn1ObjString =
            ASN1OctetString.getInstance(attributeDigest.getAttrValues().getObjectAt(0));
        String embeddedDigest = Base64.encode(asn1ObjString.getOctets());
        logger.info("MESSAGE DIGEST : " + embeddedDigest);

        byte[] digestSignedContent = DSSUtils.digest(digestAlgorithm, signedContent);
        String computedDigestSignedContentEncodeBase64 = Base64.encode(digestSignedContent);
        logger.info(
            "COMPUTED DIGEST SIGNED CONTENT BASE64 : " + computedDigestSignedContentEncodeBase64);
        assertEquals(embeddedDigest, computedDigestSignedContentEncodeBase64);

        SignerIdentifier sid = signedInfo.getSID();
        logger.info("SIGNER IDENTIFIER : " + sid.getId());

        IssuerAndSerialNumber issuerAndSerialNumber =
            IssuerAndSerialNumber.getInstance(signedInfo.getSID());
        ASN1Integer signerSerialNumber = issuerAndSerialNumber.getSerialNumber();
        logger.info(
            "ISSUER AND SN : " + issuerAndSerialNumber.getName() + " " + signerSerialNumber);

        BigInteger serial = issuerAndSerialNumber.getSerialNumber().getValue();
        X509Certificate signerCertificate = null;
        for (X509Certificate x509Certificate : certificates) {
          if (serial.equals(x509Certificate.getSerialNumber())) {
            signerCertificate = x509Certificate;
          }
        }
        assertNotNull(signerCertificate);

        String algorithm = signerCertificate.getPublicKey().getAlgorithm();
        EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.forName(algorithm);

        ASN1OctetString encryptedInfoOctedString = signedInfo.getEncryptedDigest();
        String signatureValue = Hex.toHexString(encryptedInfoOctedString.getOctets());

        logger.info("SIGNATURE VALUE : " + signatureValue);

        Cipher cipher = Cipher.getInstance(encryptionAlgorithm.getName());
        cipher.init(Cipher.DECRYPT_MODE, signerCertificate);
        byte[] decrypted = cipher.doFinal(encryptedInfoOctedString.getOctets());

        ASN1InputStream inputDecrypted = new ASN1InputStream(decrypted);

        ASN1Sequence seqDecrypt = (ASN1Sequence) inputDecrypted.readObject();
        logger.info("DECRYPTED : " + seqDecrypt);

        DigestInfo digestInfo = new DigestInfo(seqDecrypt);
        assertEquals(oidDigestAlgo, digestInfo.getAlgorithmId().getAlgorithm());

        String decryptedDigestEncodeBase64 = Base64.encode(digestInfo.getDigest());
        logger.info("DECRYPTED BASE64 : " + decryptedDigestEncodeBase64);

        byte[] encoded = authenticatedAttributeSet.getEncoded();
        byte[] digest = DSSUtils.digest(digestAlgorithm, encoded);
        String computedDigestFromSignatureEncodeBase64 = Base64.encode(digest);
        logger.info(
            "COMPUTED DIGEST FROM SIGNATURE BASE64 : " + computedDigestFromSignatureEncodeBase64);

        assertEquals(decryptedDigestEncodeBase64, computedDigestFromSignatureEncodeBase64);

        IOUtils.closeQuietly(inputDecrypted);
        IOUtils.closeQuietly(asn1sInput);
      }

      IOUtils.closeQuietly(inputStream);
      document.close();
    } catch (Exception e) {
      logger.error(e.getMessage(), e);
      fail(e.getMessage());
    }
  }
示例#3
0
  private List<PdfSignatureOrDocTimestampInfo> getSignatures(
      CertificatePool validationCertPool, byte[] originalBytes) {
    List<PdfSignatureOrDocTimestampInfo> signatures =
        new ArrayList<PdfSignatureOrDocTimestampInfo>();
    ByteArrayInputStream bais = null;
    PDDocument doc = null;
    try {

      bais = new ByteArrayInputStream(originalBytes);
      doc = PDDocument.load(bais);

      List<PDSignature> pdSignatures = doc.getSignatureDictionaries();
      if (CollectionUtils.isNotEmpty(pdSignatures)) {
        logger.debug("{} signature(s) found", pdSignatures.size());

        PdfDict catalog = new PdfBoxDict(doc.getDocumentCatalog().getCOSDictionary(), doc);
        PdfDssDict dssDictionary = PdfDssDict.extract(catalog);

        for (PDSignature signature : pdSignatures) {
          String subFilter = signature.getSubFilter();
          byte[] cms = signature.getContents(originalBytes);

          if (StringUtils.isEmpty(subFilter) || ArrayUtils.isEmpty(cms)) {
            logger.warn("Wrong signature with empty subfilter or cms.");
            continue;
          }

          byte[] signedContent = signature.getSignedContent(originalBytes);
          int[] byteRange = signature.getByteRange();

          PdfSignatureOrDocTimestampInfo signatureInfo = null;
          if (PdfBoxDocTimeStampService.SUB_FILTER_ETSI_RFC3161.getName().equals(subFilter)) {
            boolean isArchiveTimestamp = false;

            // LT or LTA
            if (dssDictionary != null) {
              // check is DSS dictionary already exist
              if (isDSSDictionaryPresentInPreviousRevision(
                  getOriginalBytes(byteRange, signedContent))) {
                isArchiveTimestamp = true;
              }
            }

            signatureInfo =
                new PdfBoxDocTimestampInfo(
                    validationCertPool,
                    signature,
                    dssDictionary,
                    cms,
                    signedContent,
                    isArchiveTimestamp);
          } else {
            signatureInfo =
                new PdfBoxSignatureInfo(
                    validationCertPool, signature, dssDictionary, cms, signedContent);
          }

          if (signatureInfo != null) {
            signatures.add(signatureInfo);
          }
        }
        Collections.sort(signatures, new PdfSignatureOrDocTimestampInfoComparator());
        linkSignatures(signatures);

        for (PdfSignatureOrDocTimestampInfo sig : signatures) {
          logger.debug(
              "Signature "
                  + sig.uniqueId()
                  + " found with byteRange "
                  + Arrays.toString(sig.getSignatureByteRange())
                  + " ("
                  + sig.getSubFilter()
                  + ")");
        }
      }

    } catch (Exception e) {
      logger.warn("Cannot analyze signatures : " + e.getMessage(), e);
    } finally {
      IOUtils.closeQuietly(bais);
      IOUtils.closeQuietly(doc);
    }

    return signatures;
  }