List of usage examples for org.bouncycastle.tsp TimeStampToken getSID
public SignerId getSID()
From source file:net.sf.jsignpdf.verify.VerifierLogic.java
License:Mozilla Public License
public Exception validateTimeStampToken(TimeStampToken token) { if (token == null) { return null; }//from www . ja v a 2 s. co m try { SignerId signer = token.getSID(); X509Certificate certificate = null; X500Principal sign_cert_issuer = signer.getIssuer(); BigInteger sign_cert_serial = signer.getSerialNumber(); CertStore store = token.getCertificatesAndCRLs("Collection", "BC"); // Iterate CertStore to find a signing certificate Collection<? extends Certificate> certs = store.getCertificates(null); Iterator<? extends Certificate> iter = certs.iterator(); while (iter.hasNext()) { X509Certificate cert = (X509Certificate) iter.next(); if (cert.getIssuerX500Principal().equals(sign_cert_issuer) && cert.getSerialNumber().equals(sign_cert_serial)) { certificate = cert; break; } } if (certificate == null) { throw new TSPException("Missing signing certificate for TSA."); } // check TS token's certificate against keystore if (certs.size() == 1) { boolean verifyTimestampCertificates = PdfPKCS7.verifyTimestampCertificates(token, kall, null); if (!verifyTimestampCertificates) { throw new Exception("Timestamp certificate can't be verified."); } } else { int certSize = certs.size(); Certificate[] array = certs.toArray(new Certificate[certSize]); Certificate[] certArray = new Certificate[certSize]; // reverse order for (int i = 0; i < certSize; i++) { certArray[i] = array[certSize - 1 - i]; } // token.validate(SignerInformationVerifier) will check if certificate has been valid at the time the timestamp was created Object[] verifyCertificates = PdfPKCS7.verifyCertificates(certArray, kall, null, null); if (verifyCertificates != null) { throw new Exception("Timestamp certificate can't be verified."); } } SignerInformationVerifier verifier = new JcaSimpleSignerInfoVerifierBuilder().build(certificate); token.validate(verifier); } catch (Exception e) { return e; } return null; }
From source file:org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService.java
License:Apache License
@SuppressWarnings("unchecked") public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception { // digest the message MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo()); byte[] digest = messageDigest.digest(data); // generate the TSP request BigInteger nonce = new BigInteger(128, new SecureRandom()); TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator(); requestGenerator.setCertReq(true);/* ww w .j av a 2s . c o m*/ String requestPolicy = signatureConfig.getTspRequestPolicy(); if (requestPolicy != null) { requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy)); } ASN1ObjectIdentifier digestAlgoOid = mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo()); TimeStampRequest request = requestGenerator.generate(digestAlgoOid, digest, nonce); byte[] encodedRequest = request.getEncoded(); // create the HTTP POST request Proxy proxy = Proxy.NO_PROXY; if (signatureConfig.getProxyUrl() != null) { URL proxyUrl = new URL(signatureConfig.getProxyUrl()); String host = proxyUrl.getHost(); int port = proxyUrl.getPort(); proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, (port == -1 ? 80 : port))); } HttpURLConnection huc = (HttpURLConnection) new URL(signatureConfig.getTspUrl()).openConnection(proxy); if (signatureConfig.getTspUser() != null) { String userPassword = signatureConfig.getTspUser() + ":" + signatureConfig.getTspPass(); String encoding = DatatypeConverter .printBase64Binary(userPassword.getBytes(Charset.forName("iso-8859-1"))); huc.setRequestProperty("Authorization", "Basic " + encoding); } huc.setRequestMethod("POST"); huc.setConnectTimeout(20000); huc.setReadTimeout(20000); huc.setDoOutput(true); // also sets method to POST. huc.setRequestProperty("User-Agent", signatureConfig.getUserAgent()); huc.setRequestProperty("Content-Type", signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query"); // "; charset=ISO-8859-1"); OutputStream hucOut = huc.getOutputStream(); hucOut.write(encodedRequest); // invoke TSP service huc.connect(); int statusCode = huc.getResponseCode(); if (statusCode != 200) { LOG.log(POILogger.ERROR, "Error contacting TSP server ", signatureConfig.getTspUrl()); throw new IOException("Error contacting TSP server " + signatureConfig.getTspUrl()); } // HTTP input validation String contentType = huc.getHeaderField("Content-Type"); if (null == contentType) { throw new RuntimeException("missing Content-Type header"); } ByteArrayOutputStream bos = new ByteArrayOutputStream(); IOUtils.copy(huc.getInputStream(), bos); LOG.log(POILogger.DEBUG, "response content: ", bos.toString()); if (!contentType.startsWith(signatureConfig.isTspOldProtocol() ? "application/timestamp-response" : "application/timestamp-reply")) { throw new RuntimeException("invalid Content-Type: " + contentType); } if (bos.size() == 0) { throw new RuntimeException("Content-Length is zero"); } // TSP response parsing and validation TimeStampResponse timeStampResponse = new TimeStampResponse(bos.toByteArray()); timeStampResponse.validate(request); if (0 != timeStampResponse.getStatus()) { LOG.log(POILogger.DEBUG, "status: " + timeStampResponse.getStatus()); LOG.log(POILogger.DEBUG, "status string: " + timeStampResponse.getStatusString()); PKIFailureInfo failInfo = timeStampResponse.getFailInfo(); if (null != failInfo) { LOG.log(POILogger.DEBUG, "fail info int value: " + failInfo.intValue()); if (/*PKIFailureInfo.unacceptedPolicy*/(1 << 8) == failInfo.intValue()) { LOG.log(POILogger.DEBUG, "unaccepted policy"); } } throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus()); } TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken(); SignerId signerId = timeStampToken.getSID(); BigInteger signerCertSerialNumber = signerId.getSerialNumber(); X500Name signerCertIssuer = signerId.getIssuer(); LOG.log(POILogger.DEBUG, "signer cert serial number: " + signerCertSerialNumber); LOG.log(POILogger.DEBUG, "signer cert issuer: " + signerCertIssuer); // TSP signer certificates retrieval Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null); X509CertificateHolder signerCert = null; Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<X500Name, X509CertificateHolder>(); for (X509CertificateHolder certificate : certificates) { if (signerCertIssuer.equals(certificate.getIssuer()) && signerCertSerialNumber.equals(certificate.getSerialNumber())) { signerCert = certificate; } certificateMap.put(certificate.getSubject(), certificate); } // TSP signer cert path building if (signerCert == null) { throw new RuntimeException("TSP response token has no signer certificate"); } List<X509Certificate> tspCertificateChain = new ArrayList<X509Certificate>(); JcaX509CertificateConverter x509converter = new JcaX509CertificateConverter(); x509converter.setProvider("BC"); X509CertificateHolder certificate = signerCert; do { LOG.log(POILogger.DEBUG, "adding to certificate chain: " + certificate.getSubject()); tspCertificateChain.add(x509converter.getCertificate(certificate)); if (certificate.getSubject().equals(certificate.getIssuer())) { break; } certificate = certificateMap.get(certificate.getIssuer()); } while (null != certificate); // verify TSP signer signature X509CertificateHolder holder = new X509CertificateHolder(tspCertificateChain.get(0).getEncoded()); DefaultCMSSignatureAlgorithmNameGenerator nameGen = new DefaultCMSSignatureAlgorithmNameGenerator(); DefaultSignatureAlgorithmIdentifierFinder sigAlgoFinder = new DefaultSignatureAlgorithmIdentifierFinder(); DefaultDigestAlgorithmIdentifierFinder hashAlgoFinder = new DefaultDigestAlgorithmIdentifierFinder(); BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider(); BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator); SignerInformationVerifier verifier = verifierBuilder.build(holder); timeStampToken.validate(verifier); // verify TSP signer certificate if (signatureConfig.getTspValidator() != null) { signatureConfig.getTspValidator().validate(tspCertificateChain, revocationData); } LOG.log(POILogger.DEBUG, "time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime()); byte[] timestamp = timeStampToken.getEncoded(); return timestamp; }
From source file:org.linagora.linshare.core.service.impl.TimeStampingServiceImpl.java
License:Open Source License
public SignerId getSignerID(TimeStampResponse response) { TimeStampToken tsToken = response.getTimeStampToken(); return tsToken.getSID(); }
From source file:org.signserver.client.cli.defaultimpl.TimeStampCommand.java
License:Open Source License
private void tsaPrintReply() throws Exception { final byte[] bytes = readFiletoBuffer(inrepstring); TimeStampResponse response = null;// www. ja v a 2s .co m out.println("Time-stamp response {"); try { response = new TimeStampResponse(bytes); out.println(" Status: " + response.getStatus()); out.println(" Status message: " + response.getStatusString()); } catch (TSPException ex) { out.println(" Not a response"); } if (response != null) { PKIFailureInfo failureInfo = response.getFailInfo(); if (failureInfo != null) { out.print(" Failure info: "); out.println(failureInfo.intValue()); } } final TimeStampToken token; if (response == null) { token = new TimeStampToken(new CMSSignedData(bytes)); } else { token = response.getTimeStampToken(); } if (token != null) { out.println(" Time-stamp token:"); TimeStampTokenInfo info = token.getTimeStampInfo(); if (info != null) { out.println(" Info:"); out.print(" " + "Accuracy: "); out.println(info.getAccuracy() != null ? info.getAccuracy() : "(null)"); out.print(" " + "Gen Time: "); out.println(info.getGenTime()); out.print(" " + "Gen Time Accuracy: "); out.println(info.getGenTimeAccuracy()); out.print(" " + "Message imprint digest: "); out.println(new String(Hex.encode(info.getMessageImprintDigest()))); out.print(" " + "Message imprint algorithm: "); out.println(info.getMessageImprintAlgOID()); out.print(" " + "Nonce: "); out.println(info.getNonce() != null ? info.getNonce().toString(16) : "(null)"); out.print(" " + "Serial Number: "); out.println(info.getSerialNumber() != null ? info.getSerialNumber().toString(16) : "(null)"); out.print(" " + "TSA: "); out.println(info.getTsa() != null ? info.getTsa() : "(null)"); out.print(" " + "Policy: "); out.println(info.getPolicy()); } out.println(" Signer ID: "); out.println(" Serial Number: " + token.getSID().getSerialNumber().toString(16)); out.println(" Issuer: " + token.getSID().getIssuer()); out.println(" Signer certificate: "); Store certs = token.getCertificates(); Selector signerSelector = new AttributeCertificateHolder(token.getSID().getIssuer(), token.getSID().getSerialNumber()); Collection certCollection = certs.getMatches(signerSelector); for (Object o : certCollection) { if (o instanceof X509CertificateHolder) { X509CertificateHolder cert = (X509CertificateHolder) o; out.println(" Certificate: "); out.println(" Serial Number: " + cert.getSerialNumber().toString(16)); out.println(" Subject: " + cert.getSubject()); out.println(" Issuer: " + cert.getIssuer()); } else { out.println("Not an X.509 certificate: " + o); } } out.println(" Other certificates: "); certCollection = certs.getMatches(new InvertedSelector(signerSelector)); for (Object o : certCollection) { if (o instanceof X509CertificateHolder) { X509CertificateHolder cert = (X509CertificateHolder) o; out.println(" Certificate: "); out.println(" Serial Number: " + cert.getSerialNumber().toString(16)); out.println(" Subject: " + cert.getSubject()); out.println(" Issuer: " + cert.getIssuer()); } else { out.println("Not an X.509 certificate: " + o); } } } out.println("}"); }
From source file:test.integ.be.fedict.trust.TSATest.java
License:Open Source License
private void testTimestampServerTrust(String tsaLocation) throws Exception { // setup/*from w ww . j a v a 2 s . c om*/ TimeStampRequestGenerator requestGen = new TimeStampRequestGenerator(); requestGen.setCertReq(true); TimeStampRequest request = requestGen.generate(TSPAlgorithms.SHA1, new byte[20], BigInteger.valueOf(100)); byte[] requestData = request.getEncoded(); DefaultHttpClient httpClient = new DefaultHttpClient(); // HttpHost proxy = new HttpHost("proxy.yourict.net", 8080); // httpClient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, // proxy); HttpPost postMethod = new HttpPost(tsaLocation); ContentType contentType = ContentType.create("application/timestamp-query"); HttpEntity requestEntity = new ByteArrayEntity(requestData, contentType); postMethod.addHeader("User-Agent", "jTrust TSP Client"); postMethod.setEntity(requestEntity); // operate long t0 = System.currentTimeMillis(); HttpResponse httpResponse = httpClient.execute(postMethod); StatusLine statusLine = httpResponse.getStatusLine(); int statusCode = statusLine.getStatusCode(); long t1 = System.currentTimeMillis(); LOG.debug("dt TSP: " + (t1 - t0) + " ms"); if (statusCode != HttpURLConnection.HTTP_OK) { LOG.error("Error contacting TSP server " + TSA_LOCATION); throw new Exception("Error contacting TSP server " + TSA_LOCATION); } HttpEntity httpEntity = httpResponse.getEntity(); TimeStampResponse tspResponse = new TimeStampResponse(httpEntity.getContent()); postMethod.releaseConnection(); TimeStampToken timeStampToken = tspResponse.getTimeStampToken(); SignerId signerId = timeStampToken.getSID(); Store certificatesStore = timeStampToken.getCertificates(); Collection<X509CertificateHolder> signerCollection = certificatesStore.getMatches(signerId); Iterator<X509CertificateHolder> signerCollectionIterator = signerCollection.iterator(); X509CertificateHolder signerCertificateHolder = signerCollectionIterator.next(); // TODO: check time-stamp token signature List<X509Certificate> certificateChain = getCertificateChain(signerCertificateHolder, certificatesStore); for (X509Certificate cert : certificateChain) { LOG.debug("certificate subject: " + cert.getSubjectX500Principal()); LOG.debug("certificate issuer: " + cert.getIssuerX500Principal()); } CertificateRepository certificateRepository = BelgianTrustValidatorFactory.createTSACertificateRepository(); TrustValidator trustValidator = new TrustValidator(certificateRepository); // NetworkConfig networkConfig = new NetworkConfig("proxy.yourict.net", // 8080); TrustValidatorDecorator trustValidatorDecorator = new TrustValidatorDecorator(null); trustValidatorDecorator.addDefaultTrustLinkerConfig(trustValidator); trustValidator.isTrusted(certificateChain); }
From source file:xades4j.providers.impl.DefaultTimeStampVerificationProvider.java
License:Open Source License
@Override public Date verifyToken(byte[] timeStampToken, byte[] tsDigestInput) throws TimeStampTokenVerificationException { TimeStampToken tsToken; try {//from w w w .j a v a 2s . c om ASN1InputStream asn1is = new ASN1InputStream(timeStampToken); ContentInfo tsContentInfo = ContentInfo.getInstance(asn1is.readObject()); asn1is.close(); tsToken = new TimeStampToken(tsContentInfo); } catch (IOException ex) { throw new TimeStampTokenStructureException("Error parsing encoded token", ex); } catch (TSPException ex) { throw new TimeStampTokenStructureException("Invalid token", ex); } X509Certificate tsaCert = null; try { /* Validate the TSA certificate */ LinkedList<X509Certificate> certs = new LinkedList<X509Certificate>(); for (Object certHolder : tsToken.getCertificates().getMatches(new AllCertificatesSelector())) { certs.add(this.x509CertificateConverter.getCertificate((X509CertificateHolder) certHolder)); } ValidationData vData = this.certificateValidationProvider.validate( x509CertSelectorConverter.getCertSelector(tsToken.getSID()), tsToken.getTimeStampInfo().getGenTime(), certs); tsaCert = vData.getCerts().get(0); } catch (CertificateException ex) { throw new TimeStampTokenVerificationException(ex.getMessage(), ex); } catch (XAdES4jException ex) { throw new TimeStampTokenTSACertException("cannot validate TSA certificate", ex); } try { tsToken.validate(this.signerInfoVerifierBuilder.build(tsaCert)); } catch (TSPValidationException ex) { throw new TimeStampTokenSignatureException("Invalid token signature or certificate", ex); } catch (Exception ex) { throw new TimeStampTokenVerificationException("Error when verifying the token signature", ex); } org.bouncycastle.tsp.TimeStampTokenInfo tsTokenInfo = tsToken.getTimeStampInfo(); try { String digestAlgUri = uriForDigest(tsTokenInfo.getMessageImprintAlgOID()); MessageDigest md = messageDigestProvider.getEngine(digestAlgUri); if (!Arrays.equals(md.digest(tsDigestInput), tsTokenInfo.getMessageImprintDigest())) { throw new TimeStampTokenDigestException(); } } catch (UnsupportedAlgorithmException ex) { throw new TimeStampTokenVerificationException("The token's digest algorithm is not supported", ex); } return tsTokenInfo.getGenTime(); }