more flexible signer verification through Iterable-Interface

git-svn-id: https://svn.apache.org/repos/asf/poi/branches/xml_signature@1627434 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Andreas Beeker 2014-09-24 22:54:21 +00:00
parent ff38e12652
commit 123784df81
2 changed files with 164 additions and 129 deletions

View File

@ -44,8 +44,10 @@ import java.security.cert.X509Certificate;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.NoSuchElementException;
import javax.crypto.Cipher; import javax.crypto.Cipher;
import javax.xml.crypto.MarshalException; import javax.xml.crypto.MarshalException;
@ -142,6 +144,58 @@ public class SignatureInfo implements SignatureConfigurable {
public static final byte[] RIPEMD256_DIGEST_INFO_PREFIX = new byte[] public static final byte[] RIPEMD256_DIGEST_INFO_PREFIX = new byte[]
{ 0x30, 0x2b, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x03, 0x04, 0x20 }; { 0x30, 0x2b, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x24, 0x03, 0x02, 0x03, 0x04, 0x20 };
private static final POILogger LOG = POILogFactory.getLogger(SignatureInfo.class);
private static boolean isInitialized = false;
private SignatureConfig signatureConfig;
public class SignaturePart {
private final PackagePart signaturePart;
private X509Certificate signer;
private SignaturePart(PackagePart signaturePart) {
this.signaturePart = signaturePart;
}
public PackagePart getPackagePart() {
return signaturePart;
}
public X509Certificate getSigner() {
return signer;
}
public SignatureDocument getSignatureDocument() throws IOException, XmlException {
// TODO: check for XXE
return SignatureDocument.Factory.parse(signaturePart.getInputStream());
}
public boolean validate() {
KeyInfoKeySelector keySelector = new KeyInfoKeySelector();
try {
Document doc = DocumentHelper.readDocument(signaturePart.getInputStream());
registerIds(doc);
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc);
domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE);
domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer());
XMLSignatureFactory xmlSignatureFactory = getSignatureFactory();
XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext);
boolean valid = xmlSignature.validate(domValidateContext);
if (valid) {
signer = keySelector.getCertificate();
}
return valid;
} catch (Exception e) {
LOG.log(POILogger.ERROR, "error in marshalling and validating the signature", e);
return false;
}
}
}
protected static class SignCreationListener implements EventListener, SignatureConfigurable { protected static class SignCreationListener implements EventListener, SignatureConfigurable {
ThreadLocal<EventTarget> target = new ThreadLocal<EventTarget>(); ThreadLocal<EventTarget> target = new ThreadLocal<EventTarget>();
@ -168,11 +222,10 @@ public class SignatureInfo implements SignatureConfigurable {
} }
private static final POILogger LOG = POILogFactory.getLogger(SignatureInfo.class); public SignatureInfo() {
private static boolean isInitialized = false; initXmlProvider();
}
private SignatureConfig signatureConfig;
public SignatureConfig getSignatureConfig() { public SignatureConfig getSignatureConfig() {
return signatureConfig; return signatureConfig;
} }
@ -182,10 +235,12 @@ public class SignatureInfo implements SignatureConfigurable {
} }
public boolean verifySignature() { public boolean verifySignature() {
initXmlProvider();
// http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html // http://www.oracle.com/technetwork/articles/javase/dig-signature-api-140772.html
List<X509Certificate> signers = new ArrayList<X509Certificate>(); for (SignaturePart sp : getSignatureParts()){
return getSignersAndValidate(signers, true); // only validate first part
return sp.validate();
}
return false;
} }
public void confirmSignature() public void confirmSignature()
@ -218,77 +273,50 @@ public class SignatureInfo implements SignatureConfigurable {
} }
} }
public List<X509Certificate> getSigners() { public Iterable<SignaturePart> getSignatureParts() {
initXmlProvider(); return new Iterable<SignaturePart>() {
List<X509Certificate> signers = new ArrayList<X509Certificate>(); public Iterator<SignaturePart> iterator() {
getSignersAndValidate(signers, false); return new Iterator<SignaturePart>() {
return signers; OPCPackage pkg = signatureConfig.getOpcPackage();
} Iterator<PackageRelationship> sigOrigRels =
pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN).iterator();
protected boolean getSignersAndValidate(List<X509Certificate> signers, boolean onlyFirst) { Iterator<PackageRelationship> sigRels = null;
signatureConfig.init(true); PackagePart sigPart = null;
boolean allValid = true; public boolean hasNext() {
List<PackagePart> signatureParts = getSignatureParts(onlyFirst); while (sigRels == null || !sigRels.hasNext()) {
if (signatureParts.isEmpty()) { if (!sigOrigRels.hasNext()) return false;
LOG.log(POILogger.DEBUG, "no signature resources"); sigPart = pkg.getPart(sigOrigRels.next());
allValid = false; LOG.log(POILogger.DEBUG, "Digital Signature Origin part", sigPart);
} try {
sigRels = sigPart.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE).iterator();
for (PackagePart signaturePart : signatureParts) { } catch (InvalidFormatException e) {
KeyInfoKeySelector keySelector = new KeyInfoKeySelector(); LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
}
try { }
Document doc = DocumentHelper.readDocument(signaturePart.getInputStream()); return true;
registerIds(doc); }
DOMValidateContext domValidateContext = new DOMValidateContext(keySelector, doc); public SignaturePart next() {
domValidateContext.setProperty("org.jcp.xml.dsig.validateManifests", Boolean.TRUE); PackagePart sigRelPart = null;
domValidateContext.setURIDereferencer(signatureConfig.getUriDereferencer()); do {
try {
XMLSignatureFactory xmlSignatureFactory = getSignatureFactory(); if (!hasNext()) throw new NoSuchElementException();
XMLSignature xmlSignature = xmlSignatureFactory.unmarshalXMLSignature(domValidateContext); sigRelPart = sigPart.getRelatedPart(sigRels.next());
boolean validity = xmlSignature.validate(domValidateContext); LOG.log(POILogger.DEBUG, "XML Signature part", sigRelPart);
allValid &= validity; } catch (InvalidFormatException e) {
if (!validity) continue; LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
// TODO: check what has been signed. }
} catch (Exception e) { } while (sigPart == null);
LOG.log(POILogger.ERROR, "error in marshalling and validating the signature", e); return new SignaturePart(sigRelPart);
continue; }
public void remove() {
throw new UnsupportedOperationException();
}
};
} }
};
X509Certificate signer = keySelector.getCertificate();
signers.add(signer);
}
return allValid;
}
protected List<PackagePart> getSignatureParts(boolean onlyFirst) {
List<PackagePart> packageParts = new ArrayList<PackagePart>();
OPCPackage pkg = signatureConfig.getOpcPackage();
PackageRelationshipCollection sigOrigRels = pkg.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE_ORIGIN);
for (PackageRelationship rel : sigOrigRels) {
PackagePart sigPart = pkg.getPart(rel);
LOG.log(POILogger.DEBUG, "Digital Signature Origin part", sigPart);
try {
PackageRelationshipCollection sigRels = sigPart.getRelationshipsByType(PackageRelationshipTypes.DIGITAL_SIGNATURE);
for (PackageRelationship sigRel : sigRels) {
PackagePart sigRelPart = sigPart.getRelatedPart(sigRel);
LOG.log(POILogger.DEBUG, "XML Signature part", sigRelPart);
packageParts.add(sigRelPart);
if (onlyFirst) break;
}
} catch (InvalidFormatException e) {
LOG.log(POILogger.WARN, "Reference to signature is invalid.", e);
}
if (onlyFirst && !packageParts.isEmpty()) break;
}
return packageParts;
} }
public static XMLSignatureFactory getSignatureFactory() { public static XMLSignatureFactory getSignatureFactory() {

View File

@ -45,19 +45,16 @@ import java.util.ArrayList;
import java.util.Calendar; import java.util.Calendar;
import java.util.Collections; import java.util.Collections;
import java.util.Date; import java.util.Date;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.TimeZone; import java.util.TimeZone;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.apache.poi.POIDataSamples; import org.apache.poi.POIDataSamples;
import org.apache.poi.openxml4j.opc.OPCPackage; import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess; import org.apache.poi.openxml4j.opc.PackageAccess;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig; import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo; import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo.SignaturePart;
import org.apache.poi.poifs.crypt.dsig.facets.EnvelopedSignatureFacet; import org.apache.poi.poifs.crypt.dsig.facets.EnvelopedSignatureFacet;
import org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet; import org.apache.poi.poifs.crypt.dsig.facets.KeyInfoSignatureFacet;
import org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet; import org.apache.poi.poifs.crypt.dsig.facets.XAdESSignatureFacet;
@ -78,6 +75,7 @@ import org.etsi.uri.x01903.v13.DigestAlgAndValueType;
import org.etsi.uri.x01903.v13.QualifyingPropertiesType; import org.etsi.uri.x01903.v13.QualifyingPropertiesType;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.w3.x2000.x09.xmldsig.ReferenceType;
import org.w3.x2000.x09.xmldsig.SignatureDocument; import org.w3.x2000.x09.xmldsig.SignatureDocument;
import org.w3c.dom.Document; import org.w3c.dom.Document;
@ -122,7 +120,12 @@ public class TestSignatureInfo {
sic.setOpcPackage(pkg); sic.setOpcPackage(pkg);
SignatureInfo si = new SignatureInfo(); SignatureInfo si = new SignatureInfo();
si.setSignatureConfig(sic); si.setSignatureConfig(sic);
List<X509Certificate> result = si.getSigners(); List<X509Certificate> result = new ArrayList<X509Certificate>();
for (SignaturePart sp : si.getSignatureParts()) {
if (sp.validate()) {
result.add(sp.getSigner());
}
}
pkg.revert(); pkg.revert();
pkg.close(); pkg.close();
assertNotNull(result); assertNotNull(result);
@ -151,7 +154,12 @@ public class TestSignatureInfo {
sic.setOpcPackage(pkg); sic.setOpcPackage(pkg);
SignatureInfo si = new SignatureInfo(); SignatureInfo si = new SignatureInfo();
si.setSignatureConfig(sic); si.setSignatureConfig(sic);
List<X509Certificate> result = si.getSigners(); List<X509Certificate> result = new ArrayList<X509Certificate>();
for (SignaturePart sp : si.getSignatureParts()) {
if (sp.validate()) {
result.add(sp.getSigner());
}
}
assertNotNull(result); assertNotNull(result);
assertEquals("test-file: "+testFile, 1, result.size()); assertEquals("test-file: "+testFile, 1, result.size());
@ -172,7 +180,12 @@ public class TestSignatureInfo {
sic.setOpcPackage(pkg); sic.setOpcPackage(pkg);
SignatureInfo si = new SignatureInfo(); SignatureInfo si = new SignatureInfo();
si.setSignatureConfig(sic); si.setSignatureConfig(sic);
List<X509Certificate> result = si.getSigners(); List<X509Certificate> result = new ArrayList<X509Certificate>();
for (SignaturePart sp : si.getSignatureParts()) {
if (sp.validate()) {
result.add(sp.getSigner());
}
}
assertNotNull(result); assertNotNull(result);
assertEquals("test-file: "+testFile, 2, result.size()); assertEquals("test-file: "+testFile, 2, result.size());
@ -207,12 +220,16 @@ public class TestSignatureInfo {
si.setSignatureConfig(sic); si.setSignatureConfig(sic);
// hash > sha1 doesn't work in excel viewer ... // hash > sha1 doesn't work in excel viewer ...
si.confirmSignature(); si.confirmSignature();
List<X509Certificate> signer = si.getSigners(); List<X509Certificate> result = new ArrayList<X509Certificate>();
assertEquals(1, signer.size()); for (SignaturePart sp : si.getSignatureParts()) {
if (sp.validate()) {
result.add(sp.getSigner());
}
}
assertEquals(1, result.size());
pkg.close(); pkg.close();
} }
@SuppressWarnings("unused")
@Test @Test
public void testSignEnvelopingDocument() throws Exception { public void testSignEnvelopingDocument() throws Exception {
String testFile = "hello-world-unsigned.xlsx"; String testFile = "hello-world-unsigned.xlsx";
@ -283,60 +300,45 @@ public class TestSignatureInfo {
}; };
signatureConfig.setRevocationDataService(revocationDataService); signatureConfig.setRevocationDataService(revocationDataService);
// operate
SignatureInfo si = new SignatureInfo(); SignatureInfo si = new SignatureInfo();
si.setSignatureConfig(signatureConfig); si.setSignatureConfig(signatureConfig);
si.confirmSignature();
Document document = DocumentHelper.createDocument();
// operate
DigestInfo digestInfo = si.preSign(document, null);
// verify // verify
assertNotNull(digestInfo); Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
assertEquals(HashAlgorithm.sha1, digestInfo.hashAlgo); assertTrue(spIter.hasNext());
assertNotNull(digestInfo.digestValue); SignaturePart sp = spIter.next();
boolean valid = sp.validate();
assertTrue(valid);
SignatureDocument sigDoc = SignatureDocument.Factory.parse(document); SignatureDocument sigDoc = sp.getSignatureDocument();
String certDigestXQuery = String declareNS =
"declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; " "declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; "
+ "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; " + "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; ";
+ "$this/ds:Signature/ds:Object/xades:QualifyingProperties/xades:SignedProperties/xades:SignedSignatureProperties/xades:SigningCertificate/xades:Cert/xades:CertDigest";
String digestValXQuery = declareNS +
"$this/ds:Signature/ds:SignedInfo/ds:Reference";
for (ReferenceType rt : (ReferenceType[])sigDoc.selectPath(digestValXQuery)) {
assertNotNull(rt.getDigestValue());
assertEquals(HashAlgorithm.sha1.xmlSignUri, rt.getDigestMethod().getAlgorithm());
}
String certDigestXQuery = declareNS +
"$this//xades:SigningCertificate/xades:Cert/xades:CertDigest";
XmlObject xoList[] = sigDoc.selectPath(certDigestXQuery); XmlObject xoList[] = sigDoc.selectPath(certDigestXQuery);
assertEquals(xoList.length, 1); assertEquals(xoList.length, 1);
DigestAlgAndValueType certDigest = (DigestAlgAndValueType)xoList[0]; DigestAlgAndValueType certDigest = (DigestAlgAndValueType)xoList[0];
assertNotNull(certDigest.getDigestValue()); assertNotNull(certDigest.getDigestValue());
// Sign the received XML signature digest value. String qualPropXQuery = declareNS +
byte[] signatureValue = si.signDigest(digestInfo.digestValue); "$this/ds:Signature/ds:Object/xades:QualifyingProperties";
// Operate: postSign
si.postSign(document, signatureValue);
DOMValidateContext domValidateContext = new DOMValidateContext(
KeySelector.singletonKeySelector(keyPair.getPublic()),
document);
XMLSignatureFactory xmlSignatureFactory = SignatureInfo.getSignatureFactory();
XMLSignature xmlSignature = xmlSignatureFactory
.unmarshalXMLSignature(domValidateContext);
boolean validity = xmlSignature.validate(domValidateContext);
assertTrue(validity);
sigDoc = SignatureDocument.Factory.parse(document);
xoList = sigDoc.selectPath(certDigestXQuery);
assertEquals(xoList.length, 1);
certDigest = (DigestAlgAndValueType)xoList[0];
assertNotNull(certDigest.getDigestValue());
String qualPropXQuery =
"declare namespace xades='http://uri.etsi.org/01903/v1.3.2#'; "
+ "declare namespace ds='http://www.w3.org/2000/09/xmldsig#'; "
+ "$this/ds:Signature/ds:Object/xades:QualifyingProperties";
xoList = sigDoc.selectPath(qualPropXQuery); xoList = sigDoc.selectPath(qualPropXQuery);
assertEquals(xoList.length, 1); assertEquals(xoList.length, 1);
QualifyingPropertiesType qualProp = (QualifyingPropertiesType)xoList[0]; QualifyingPropertiesType qualProp = (QualifyingPropertiesType)xoList[0];
boolean qualPropXsdOk = qualProp.validate(); boolean qualPropXsdOk = qualProp.validate();
assertTrue(qualPropXsdOk); assertTrue(qualPropXsdOk);
pkg.close(); pkg.close();
} }
@ -374,8 +376,13 @@ public class TestSignatureInfo {
// verify: signature // verify: signature
si.getSignatureConfig().setOpcPackage(pkgCopy); si.getSignatureConfig().setOpcPackage(pkgCopy);
List<X509Certificate> signers = si.getSigners(); List<X509Certificate> result = new ArrayList<X509Certificate>();
assertEquals(signerCount, signers.size()); for (SignaturePart sp : si.getSignatureParts()) {
if (sp.validate()) {
result.add(sp.getSigner());
}
}
assertEquals(signerCount, result.size());
return pkgCopy; return pkgCopy;
} }