Java tutorial
/* * DSS - Digital Signature Services * * Copyright (C) 2013 European Commission, Directorate-General Internal Market and Services (DG MARKT), B-1049 Bruxelles/Brussel * * Developed by: 2013 ARHS Developments S.A. (rue Nicolas Bov 2B, L-1253 Luxembourg) http://www.arhs-developments.com * * This file is part of the "DSS - Digital Signature Services" project. * * "DSS - Digital Signature Services" is free software: you can redistribute it and/or modify it under the terms of * the GNU Lesser General Public License as published by the Free Software Foundation, either version 2.1 of the * License, or (at your option) any later version. * * DSS is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License along with * "DSS - Digital Signature Services". If not, see <http://www.gnu.org/licenses/>. */ package eu.europa.ec.markt.dss.signature.cades; import java.io.IOException; import java.io.InputStream; import java.util.ArrayList; import java.util.Collection; import java.util.List; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1Object; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.cms.Attribute; import org.bouncycastle.asn1.cms.AttributeTable; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.SignerInformationStore; import org.bouncycastle.tsp.TimeStampToken; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import eu.europa.ec.markt.dss.DSSASN1Utils; import eu.europa.ec.markt.dss.DSSUtils; import eu.europa.ec.markt.dss.DigestAlgorithm; import eu.europa.ec.markt.dss.exception.DSSConfigurationException; import eu.europa.ec.markt.dss.exception.DSSException; import eu.europa.ec.markt.dss.exception.DSSNullReturnedException; import eu.europa.ec.markt.dss.parameter.SignatureParameters; import eu.europa.ec.markt.dss.signature.DSSDocument; import eu.europa.ec.markt.dss.signature.SignatureExtension; import eu.europa.ec.markt.dss.validation102853.bean.SignatureCryptographicVerification; import eu.europa.ec.markt.dss.validation102853.cades.CAdESSignature; import eu.europa.ec.markt.dss.validation102853.tsp.TSPSource; /** * Base class for extending a CAdESSignature. * * @version $Revision$ - $Date$ */ abstract class CAdESSignatureExtension implements SignatureExtension { private static final Logger LOG = LoggerFactory.getLogger(CAdESSignatureExtension.class); protected final TSPSource signatureTsa; /** * true if only the last signature must be extended */ private final boolean onlyLastCMSSignature; /** * @param signatureTsa * @param onlyLastCMSSignature true if only the last signature must be extended, otherwise all signatures are extended */ public CAdESSignatureExtension(final TSPSource signatureTsa, final boolean onlyLastCMSSignature) { this.signatureTsa = signatureTsa; this.onlyLastCMSSignature = onlyLastCMSSignature; if (signatureTsa == null) { throw new DSSConfigurationException(DSSConfigurationException.MSG.CONFIGURE_TSP_SERVER); } } /** * @return the TSA used for the signature-time-stamp attribute */ public TSPSource getSignatureTsa() { return signatureTsa; } /** * @param signatureToExtend to be extended * @param parameters of the extension * @return a new extended document * @throws eu.europa.ec.markt.dss.exception.DSSException */ public CMSSignedDocument extendSignatures(final DSSDocument signatureToExtend, final SignatureParameters parameters) throws DSSException { LOG.info("EXTEND SIGNATURES."); try { final InputStream inputStream = signatureToExtend.openStream(); final CMSSignedData cmsSignedData = new CMSSignedData(inputStream); DSSUtils.closeQuietly(inputStream); final CMSSignedData extendCMSSignedData = extendCMSSignatures(cmsSignedData, parameters); final CMSSignedDocument cmsSignedDocument = new CMSSignedDocument(extendCMSSignedData); return cmsSignedDocument; } catch (CMSException e) { throw new DSSException("Cannot parse CMS data", e); } } public CMSSignedData extendCMSSignatures(CMSSignedData cmsSignedData, SignatureParameters parameters) { CMSSignedData extendCMSSignedData; if (onlyLastCMSSignature) { extendCMSSignedData = extendLastCMSSignature(cmsSignedData, parameters); } else { extendCMSSignedData = extendAllCMSSignatures(cmsSignedData, parameters); } return extendCMSSignedData; } /** * Loops on each signerInformation of the cmsSignedData and extends the signature * * @param cmsSignedData * @return */ private CMSSignedData extendAllCMSSignatures(CMSSignedData cmsSignedData, SignatureParameters parameters) { LOG.info("EXTEND ALL CMS SIGNATURES."); Collection<SignerInformation> signerInformationCollection = cmsSignedData.getSignerInfos().getSigners(); for (SignerInformation signerInformation : signerInformationCollection) { cmsSignedData = preExtendCMSSignedData(cmsSignedData, parameters); } signerInformationCollection = cmsSignedData.getSignerInfos().getSigners(); final List<SignerInformation> newSignerInformationList = new ArrayList<SignerInformation>(); for (SignerInformation signerInformation : signerInformationCollection) { final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation); cadesSignature.setDetachedContents(parameters.getDetachedContent()); assertSignatureValid(cadesSignature, parameters); final SignerInformation newSignerInformation = extendCMSSignature(cmsSignedData, signerInformation, parameters); newSignerInformationList.add(newSignerInformation); } final SignerInformationStore newSignerStore = new SignerInformationStore(newSignerInformationList); cmsSignedData = CMSSignedData.replaceSigners(cmsSignedData, newSignerStore); signerInformationCollection = cmsSignedData.getSignerInfos().getSigners(); for (SignerInformation signerInformation : signerInformationCollection) { cmsSignedData = postExtendCMSSignedData(cmsSignedData, signerInformation, parameters); } return cmsSignedData; } /** * Take the last signerInformation of the cmsSignedData and extends the signature * * @param cmsSignedData * @return */ private CMSSignedData extendLastCMSSignature(CMSSignedData cmsSignedData, SignatureParameters parameters) { LOG.info("EXTEND LAST CMS SIGNATURES."); cmsSignedData = preExtendCMSSignedData(cmsSignedData, parameters); Collection<SignerInformation> signerInformationCollection = cmsSignedData.getSignerInfos().getSigners(); SignerInformation lastSignerInformation = getFirstSigner(cmsSignedData); final List<SignerInformation> newSignerInformationList = new ArrayList<SignerInformation>(); for (SignerInformation signerInformation : signerInformationCollection) { if (lastSignerInformation == signerInformation) { final CAdESSignature cadesSignature = new CAdESSignature(cmsSignedData, signerInformation); cadesSignature.setDetachedContents(parameters.getDetachedContent()); assertSignatureValid(cadesSignature, parameters); final SignerInformation newSignerInformation = extendCMSSignature(cmsSignedData, signerInformation, parameters); newSignerInformationList.add(newSignerInformation); } else { newSignerInformationList.add(signerInformation); } } final SignerInformationStore newSignerStore = new SignerInformationStore(newSignerInformationList); cmsSignedData = CMSSignedData.replaceSigners(cmsSignedData, newSignerStore); lastSignerInformation = getFirstSigner(cmsSignedData); cmsSignedData = postExtendCMSSignedData(cmsSignedData, lastSignerInformation, parameters); return cmsSignedData; } private SignerInformation getFirstSigner(CMSSignedData cmsSignedData) { final Collection<SignerInformation> signers = cmsSignedData.getSignerInfos().getSigners(); SignerInformation lastSignerInformation; lastSignerInformation = null; for (SignerInformation signerInformation : signers) { lastSignerInformation = signerInformation; break; } return lastSignerInformation; } private void assertSignatureValid(final CAdESSignature cadesSignature, final SignatureParameters parameters) { // TODO: (Bob: 2014 Jan 22) To be changed to enum check and not string! if (!parameters.getSignatureLevel().toString().toLowerCase().startsWith("pades")) { final SignatureCryptographicVerification signatureCryptographicVerification = cadesSignature .checkSignatureIntegrity(); if (!signatureCryptographicVerification.isSignatureIntact()) { final String errorMessage = signatureCryptographicVerification.getErrorMessage(); throw new DSSException("Cryptographic signature verification has failed" + (errorMessage.isEmpty() ? "." : (" / " + errorMessage))); } } } /** * Extends the signer * * @param signedData * @param signerInformation * @param parameters * @return * @throws java.io.IOException */ abstract protected SignerInformation extendCMSSignature(CMSSignedData signedData, SignerInformation signerInformation, SignatureParameters parameters) throws DSSException; /** * Extends the root Signed Data. Nothing to do by default. * * @param cmsSignedData * @param parameters * @return */ protected CMSSignedData preExtendCMSSignedData(CMSSignedData cmsSignedData, SignatureParameters parameters) { return cmsSignedData; } /** * Extends the root Signed Data. Nothing to do by default. * * @param cmsSignedData * @param signerInformation * @param parameters * @return */ protected CMSSignedData postExtendCMSSignedData(CMSSignedData cmsSignedData, SignerInformation signerInformation, SignatureParameters parameters) { return cmsSignedData; } protected ASN1Object getTimeStampAttributeValue(TSPSource tspSource, byte[] message, SignatureParameters parameters) { final DigestAlgorithm timestampDigestAlgorithm = parameters.getSignatureTimestampParameters() .getDigestAlgorithm(); ASN1Object signatureTimeStampValue = getTimeStampAttributeValue(tspSource, message, timestampDigestAlgorithm); return signatureTimeStampValue; } public static ASN1Object getTimeStampAttributeValue(final TSPSource tspSource, final byte[] messageToTimestamp, final DigestAlgorithm timestampDigestAlgorithm, final Attribute... attributesForTimestampToken) { try { if (LOG.isDebugEnabled()) { LOG.debug("Message to timestamp is: " + DSSUtils.encodeHexString(messageToTimestamp)); } byte[] timestampDigest = DSSUtils.digest(timestampDigestAlgorithm, messageToTimestamp); if (LOG.isDebugEnabled()) { LOG.debug("Digested ({}) message to timestamp is {}", new Object[] { timestampDigestAlgorithm, DSSUtils.encodeHexString(timestampDigest) }); } final TimeStampToken timeStampToken = tspSource.getTimeStampResponse(timestampDigestAlgorithm, timestampDigest); if (timeStampToken == null) { throw new DSSNullReturnedException(TimeStampToken.class); } if (LOG.isDebugEnabled()) { final byte[] messageImprintDigest = timeStampToken.getTimeStampInfo().getMessageImprintDigest(); LOG.debug("Digested ({}) message in timestamp is {}", new Object[] { timestampDigestAlgorithm, DSSUtils.encodeHexString(messageImprintDigest) }); } CMSSignedData cmsSignedDataTimeStampToken = new CMSSignedData(timeStampToken.getEncoded()); // TODO (27/08/2014): attributesForTimestampToken cannot be null: to be modified if (attributesForTimestampToken != null) { // timeStampToken contains one and only one signer final SignerInformation signerInformation = (SignerInformation) cmsSignedDataTimeStampToken .getSignerInfos().getSigners().iterator().next(); AttributeTable unsignedAttributes = CAdESSignature.getUnsignedAttributes(signerInformation); for (final Attribute attributeToAdd : attributesForTimestampToken) { final ASN1ObjectIdentifier attrType = attributeToAdd.getAttrType(); final ASN1Encodable objectAt = attributeToAdd.getAttrValues().getObjectAt(0); unsignedAttributes = unsignedAttributes.add(attrType, objectAt); } final SignerInformation newSignerInformation = SignerInformation .replaceUnsignedAttributes(signerInformation, unsignedAttributes); final List<SignerInformation> signerInformationList = new ArrayList<SignerInformation>(); signerInformationList.add(newSignerInformation); final SignerInformationStore newSignerStore = new SignerInformationStore(signerInformationList); cmsSignedDataTimeStampToken = CMSSignedData.replaceSigners(cmsSignedDataTimeStampToken, newSignerStore); } final byte[] newTimeStampTokenBytes = cmsSignedDataTimeStampToken.getEncoded(); return DSSASN1Utils.toASN1Primitive(newTimeStampTokenBytes); } catch (IOException e) { throw new DSSException(e); } catch (CMSException e) { throw new DSSException(e); } } }