// A null selector matches every entry, so this collects all certificates shipped inside the
// time-stamp token. They come from whoever produced the token: treat them as candidates for
// path building only, not as trusted, until a chain to a configured trust anchor has been
// validated.
Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null);
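/**
 * Processes a signer store and walks the signer's certificate chain, adding the data found to
 * {@code certInfo}. Only the first signer is handled; further signers in the signed data are
 * ignored.
 *
 * <p>Both the signer list and the certificate store are read from the signature container, so
 * either may be empty or inconsistent in a malformed or hostile file. Those cases are reported
 * as {@link IOException} instead of surfacing as an unchecked {@code NoSuchElementException}.
 *
 * @param certificatesStore To get the certificate information from. Certificates will be saved
 * in certificatesMap.
 * @param signedData data from which to get the SignerInformation
 * @param certInfo where to add certificate information
 * @return Signer Information of the processed certificatesStore for further usage.
 * @throws IOException on data-processing error, including signed data without a signer or a
 * signer whose certificate is not present in the store
 * @throws CertificateProccessingException on a specific error with a certificate
 */
private SignerInformation processSignerStore(Store<X509CertificateHolder> certificatesStore,
        CMSSignedData signedData, CertSignatureInformation certInfo)
        throws IOException, CertificateProccessingException
{
    Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
    if (signers.isEmpty())
    {
        throw new IOException("No signer found in the signed data");
    }
    SignerInformation signerInformation = signers.iterator().next();

    // Look up the embedded certificate that the signer id refers to.
    @SuppressWarnings("unchecked")
    Collection<X509CertificateHolder> matches = certificatesStore
            .getMatches((Selector<X509CertificateHolder>) signerInformation.getSID());
    if (matches.isEmpty())
    {
        throw new IOException("Signer certificate not found in the certificate store");
    }
    X509Certificate certificate = getCertFromHolder(matches.iterator().next());

    // A null selector returns every certificate of the store; they are registered before the
    // chain walk so that issuers can be looked up among them.
    Collection<X509CertificateHolder> allCerts = certificatesStore.getMatches(null);
    addAllCerts(allCerts);

    // The depth limit bounds the walk.
    traverseChain(certificate, certInfo, MAX_CERTIFICATE_CHAIN_DEPTH);
    return signerInformation;
}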
/**
 * Verifies the certificate chain of {@code certFromSignedData}, handing every other certificate
 * of the store to the verifier as additional material.
 *
 * <p>The additional certificates originate from the store passed in; in the callers visible on
 * this page that store is filled from the signature itself, so they are untrusted input for
 * path building. Which trust anchors are accepted, and what the {@code true} flag means, is
 * decided inside {@code CertificateVerifier} and is not visible here.
 *
 * @param certificatesStore store holding the candidate certificates
 * @param certFromSignedData the certificate whose chain is verified
 * @param signDate date passed on to the verifier
 * @throws CertificateVerificationException if the verifier rejects the chain
 * @throws CertificateException if a certificate holder cannot be converted
 */
private void verifyCertificateChain(Store<X509CertificateHolder> certificatesStore,
        X509Certificate certFromSignedData, Date signDate)
        throws CertificateVerificationException, CertificateException
{
    // Verify certificate chain (new since 10/2018)
    // Please post bad PDF files that succeed and
    // good PDF files that fail in
    // https://issues.apache.org/jira/browse/PDFBOX-3017
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    Set<X509Certificate> candidates = new HashSet<>();
    for (X509CertificateHolder holder : certificatesStore.getMatches(null))
    {
        X509Certificate candidate = converter.getCertificate(holder);
        if (candidate.equals(certFromSignedData))
        {
            // the certificate under test is not offered as its own chain material
            continue;
        }
        candidates.add(candidate);
    }
    CertificateVerifier.verifyCertificate(certFromSignedData, candidates, true, signDate);
}
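/**
 * Validates a time-stamp token against the signer certificate embedded in the token.
 *
 * <p>The certificate used for validation is taken from the token itself. A successful call
 * therefore shows that the token is consistent with that certificate; it does not show that the
 * certificate chains to a trusted time-stamping authority. That has to be established
 * separately.
 *
 * @param timeStampToken the token to validate
 * @throws TSPException if the token fails validation
 * @throws CertificateException if the token does not contain the certificate of its signer, or
 * the certificate cannot be converted
 * @throws OperatorCreationException if the signature verifier cannot be built
 * @throws IOException declared by the original signature
 */
private void validateTimestampToken(TimeStampToken timeStampToken)
        throws TSPException, CertificateException, OperatorCreationException, IOException
{
    // https://stackoverflow.com/questions/42114742/
    Collection<X509CertificateHolder> tstMatches =
            timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
    if (tstMatches.isEmpty())
    {
        // A token may omit its certificates; report that instead of failing with
        // NoSuchElementException on next().
        throw new CertificateException(
                "Time-stamp token does not contain the certificate of its signer");
    }
    X509CertificateHolder holder = tstMatches.iterator().next();
    X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
    SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder()
            .setProvider(SecurityProvider.getProvider()).build(tstCert);
    timeStampToken.validate(siv);
    System.out.println("TimeStampToken validated");
}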
/**
 * Parses the CMS signed data held in {@code data} and returns metadata for the certificates of
 * its signers.
 *
 * <p>For every signer, the embedded certificates matching the signer id are collected. No
 * signature or chain verification happens in this method, so the result describes what the
 * container claims about its signers and should not be read as proof of who signed.
 *
 * @return metadata of the signer certificates found
 * @throws CertificateException if the data is not valid CMS signed data or a certificate cannot
 * be converted
 */
@SuppressWarnings("unchecked")
public List<CertificateMeta> parse() throws CertificateException {
    final CMSSignedData signedData;
    try {
        signedData = new CMSSignedData(data);
    } catch (CMSException e) {
        throw new CertificateException(e);
    }

    Store<X509CertificateHolder> embedded = signedData.getCertificates();
    Collection<SignerInformation> allSigners = signedData.getSignerInfos().getSigners();

    List<X509Certificate> found = new ArrayList<>();
    for (SignerInformation current : allSigners) {
        // the signer id is a raw selector, hence the unchecked conversion on the method
        Collection<X509CertificateHolder> forSigner = embedded.getMatches(current.getSID());
        for (X509CertificateHolder candidate : forSigner) {
            X509Certificate converted =
                    new JcaX509CertificateConverter().setProvider(provider).getCertificate(candidate);
            found.add(converted);
        }
    }
    return CertificateMetas.from(found);
}
// Signer certificate of the CMS signature: the embedded certificate matching the signer id.
// next() is called without an emptiness check, so a signature whose store lacks the signer
// certificate fails here with NoSuchElementException.
@SuppressWarnings("unchecked")
Collection<X509CertificateHolder> matches = certificatesStore.getMatches((Selector<X509CertificateHolder>) signerInformation.getSID());
X509CertificateHolder certificateHolder = matches.iterator().next();
X509Certificate certFromSignedData = new JcaX509CertificateConverter().getCertificate(certificateHolder);

// NOTE(review): the time-stamp certificate is the first entry returned for a null selector,
// i.e. whichever certificate the token's store yields first, not the one identified by
// timeStampToken.getSID(). If the token carries several certificates this may not be the
// certificate that signed the token. Confirm, or select by the token's signer id.
X509CertificateHolder tstCertHolder = (X509CertificateHolder) timeStampToken.getCertificates().getMatches(null).iterator().next();
X509Certificate certFromTimeStamp = new JcaX509CertificateConverter().getCertificate(tstCertHolder);

// Pool the certificates of the signature and of the time-stamp token as chain material.
// Both sets come from the document being checked and are untrusted on their own.
certificateHolderSet.addAll(certificatesStore.getMatches(null));
certificateHolderSet.addAll(timeStampToken.getCertificates().getMatches(null));

// The statement below continues beyond this excerpt.
verifyCertificateChain(new CollectionStore<>(certificateHolderSet), certFromTimeStamp,
/**
 * Returns every certificate holder contained in the given store.
 *
 * <p>The store is passed as a raw type, so the element type of the result is asserted rather
 * than checked; a store holding other objects would only fail later, when an element is used.
 *
 * @param store the store to read
 * @return all entries of the store
 */
@SuppressWarnings("unchecked")
private static Collection<X509CertificateHolder> getCertificates(Store store) {
    // a null selector selects all entries
    Collection<X509CertificateHolder> everything = store.getMatches(null);
    return everything;
}
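/**
 * Get the first certificate matching the provided selector.
 *
 * <p>A {@code null} result covers both "no certificate matches" and "the lookup failed"; callers
 * that base a trust decision on the result should treat {@code null} as "not found" and never
 * as "accepted".
 *
 * @param selector the selector.
 * @return a certificate holder, or {@code null} if nothing matches or the lookup throws an
 * exception.
 */
public X509CertificateHolder getCertificate(Selector selector)
{
    try {
        return (X509CertificateHolder) this.store.getMatches(selector).iterator().next();
    } catch (Exception e) {
        // Covers an empty result (NoSuchElementException), a non-certificate entry
        // (ClassCastException) and store failures. JVM errors such as OutOfMemoryError are
        // deliberately no longer swallowed and reported as "no certificate".
        return null;
    }
}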
/**
 * Returns all certificates embedded in the given CMS token, to be used as extra certificates.
 *
 * <p>The certificates are whatever the token carries; nothing here validates them.
 *
 * @param token the CMS signed data to read the certificates from
 * @return every certificate of the token's certificate store
 */
@Override
protected Collection<X509CertificateHolder> getExtraCertificates(CMSSignedData token) {
    // a null selector selects all entries of the store
    Collection<X509CertificateHolder> embedded = token.getCertificates().getMatches(null);
    return embedded;
}
TimeStampToken tok = response.getTimeStampToken();
// Certificates shipped inside the time-stamp token.
Store certs = tok.getCertificates();
// Raw-typed copy of every certificate in the store (a null selector matches all entries).
ArrayList<X509CertificateHolder> listCert = new ArrayList(certs.getMatches(null));
// NOTE(review): get(0) takes whichever certificate the store returns first and fails with
// IndexOutOfBoundsException when the token carries none. If the token holds more than one
// certificate, the first is not necessarily the one that signed the token. Confirm that
// this is the intended certificate before relying on its expiry date.
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(listCert.get(0));
// The expiry is read from a certificate that has not been validated in this snippet.
expiration = cert.getNotAfter();
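/**
 * Returns the certificates of the store that match the given subject.
 *
 * <p>Matching uses a selector built from the subject's X.500 name; entries that are not
 * {@code X509CertificateHolder} instances are skipped. A {@code null} result covers both "no
 * match" and "lookup failed", so callers must not read it as anything other than "not found".
 *
 * @param subject the subject to look up
 * @return the matching certificates, or {@code null} if there is none or the lookup throws an
 * exception
 */
@Override
public Collection<CertifiedPublicKey> getCertificate(PrincipalIndentifier subject)
{
    AttributeCertificateHolder selector = new AttributeCertificateHolder(BcUtils.getX500Name(subject));

    try {
        Collection<?> matches = this.store.getMatches(selector);
        Collection<CertifiedPublicKey> result = new ArrayList<CertifiedPublicKey>(matches.size());
        for (Object holder : matches) {
            if (holder instanceof X509CertificateHolder) {
                result.add(BcUtils.convertCertificate(this.factory, (X509CertificateHolder) holder));
            }
        }
        return (!result.isEmpty()) ? result : null;
    } catch (Exception e) {
        // Store and conversion failures are still reported as "not found". JVM errors such as
        // OutOfMemoryError are deliberately no longer swallowed.
        return null;
    }
}
} // closes the enclosing class, whose header is outside this snippet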
// Certificates embedded in the CMS structure itself. They are supplied with the message and
// carry no trust of their own.
Store store = signedData.getCertificates();
SignerInformationStore signers = signedData.getSignerInfos();
Collection c = signers.getSigners();
Iterator it = c.iterator();
while (it.hasNext())
{
    SignerInformation signer = (SignerInformation)it.next();
    // Select the embedded certificate whose identifier matches this signer.
    Collection certCollection = store.getMatches(signer.getSID());
    Iterator certIt = certCollection.iterator();
    // next() is called without hasNext(): a signer without a matching embedded certificate
    // ends the loop with NoSuchElementException.
    X509CertificateHolder certHolder = (X509CertificateHolder)certIt.next();
    X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certHolder);
    // verify() shows that the signature was produced with the key of the embedded
    // certificate. Nothing in this snippet builds a path to a trust anchor or checks
    // revocation, so a self-issued certificate passes just as well.
    if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)))
    {
        // NOTE(review): ret is set as soon as one signer verifies and is not reset in this
        // snippet, so a failing signer next to a passing one still leaves ret == true.
        // Confirm this is intended.
        ret = true;
    }
}
/**
 * Collects the certificates embedded in {@code cmsSignedData} as certificate tokens, without
 * duplicates and in the order the store returns them.
 *
 * <p>Every embedded certificate is passed through {@code addCertificate}; nothing in this
 * method validates the certificates.
 *
 * @return the distinct certificate tokens of the embedded certificates
 * @throws org.bouncycastle.util.StoreException
 * @throws eu.europa.ec.markt.dss.exception.DSSException
 */
@SuppressWarnings("unchecked")
private ArrayList<CertificateToken> extractIdSignedDataCertificates() throws StoreException, DSSException {

    final ArrayList<CertificateToken> distinctTokens = new ArrayList<CertificateToken>();
    // a null selector returns every certificate of the CMS certificate store
    final Collection<X509CertificateHolder> embeddedHolders =
            (Collection<X509CertificateHolder>) cmsSignedData.getCertificates().getMatches(null);
    for (final X509CertificateHolder embeddedHolder : embeddedHolders) {

        final X509Certificate converted = DSSUtils.getCertificate(embeddedHolder);
        final CertificateToken token = addCertificate(converted);
        if (distinctTokens.contains(token)) {
            // already collected, keep the first occurrence only
            continue;
        }
        distinctTokens.add(token);
    }
    return distinctTokens;
}
} // closes the enclosing class, whose header is outside this snippet
CMSSignedData s = new CMSSignedData(inputStream);
Store certStore = s.getCertificates(); // This is where you access embedded certificates
SignerInformationStore signers = s.getSignerInfos();
Collection c = signers.getSigners();
Iterator it = c.iterator();
while (it.hasNext())
{
    SignerInformation signer = (SignerInformation)it.next();
    // Select the embedded certificate whose identifier matches this signer.
    Collection certCollection = certStore.getMatches(signer.getSID());
    Iterator certIt = certCollection.iterator();
    // next() is called without hasNext(): a signer without a matching embedded certificate
    // ends the loop with NoSuchElementException.
    X509CertificateHolder cert = (X509CertificateHolder)certIt.next();
    // verify() shows that the signature was produced with the key of the embedded
    // certificate. The certificate comes from the same message as the signature; this snippet
    // neither builds a path to a trust anchor nor checks revocation, so the count below says
    // "signature is self-consistent", not "signer is trusted".
    if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert)))
    {
        verified++;
    }
}
/**
 * Checks the signature of a time-stamp token with the public key of the signer certificate
 * embedded in the token.
 *
 * <p>Only the signature is checked, and only against a key taken from the token itself. Bouncy
 * Castle documents {@code isSignatureValid} as a much weaker check than
 * {@code TimeStampToken.validate}; certificate validity, key usage and the chain to a trusted
 * time-stamping authority are not covered here.
 *
 * @param timeStampToken the token to check
 * @return {@code true} if the signature matches the embedded signer key
 * @throws MalformedDocumentException wrapping any failure, including a token without a matching
 * certificate
 */
private boolean isSignatureValid(TimeStampToken timeStampToken) {
    try {
        // the embedded certificate the token's signer id points to
        X509CertificateHolder signerHolder = (X509CertificateHolder) timeStampToken.getCertificates()
                .getMatches(timeStampToken.getSID()).iterator().next();

        // re-decode through the JCA factory to get at the public key
        Certificate decoded = CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(signerHolder.getEncoded()));

        SignerInformationVerifier verifier = new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .build(decoded.getPublicKey());
        return timeStampToken.isSignatureValid(verifier);
    } catch (Exception e) {
        throw new MalformedDocumentException(e);
    }
}
/**
 * Adds the OCSP responses stored in the CMS "other revocation info" under
 * {@code id_pkix_ocsp_basic} to the given list.
 *
 * <p>NOTE(review): each entry is cast to {@code DERSequence} without a type check. The entries
 * come from the CMS structure being processed, so a differently encoded entry would end the
 * loop with {@code ClassCastException}. Confirm that callers tolerate that.
 *
 * @param basicOCSPResps the list the responses are added to
 */
private void addBasicOcspRespFrom_id_pkix_ocsp_basic(final List<BasicOCSPResp> basicOCSPResps) {

    final Store revocationStore = cmsSignedData.getOtherRevocationInfo(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
    // a null selector returns every entry of the store
    for (final Object entry : revocationStore.getMatches(null)) {

        final DERSequence encoded = (DERSequence) entry;
        final BasicOCSPResp decoded = DSSASN1Utils.getBasicOcspResp(encoded);
        addBasicOcspResp(basicOCSPResps, decoded);
    }
}
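/**
 * Validates a time-stamp token with the signer certificate found inside the token.
 *
 * <p>Because the certificate is read from the token under test, success means the token and
 * its embedded certificate agree with each other. Whether that certificate belongs to a trusted
 * time-stamping authority is a separate question that this method does not answer.
 *
 * @param timeStampToken the token to validate
 * @throws IOException declared by the original signature
 * @throws CertificateException if the token carries no certificate for its signer id, or the
 * certificate cannot be converted
 * @throws TSPException if the token fails validation
 * @throws OperatorCreationException if the signature verifier cannot be built
 */
private void validateTimestampToken(TimeStampToken timeStampToken)
        throws IOException, CertificateException, TSPException, OperatorCreationException
{
    // https://stackoverflow.com/questions/42114742/
    Collection<X509CertificateHolder> tstMatches =
            timeStampToken.getCertificates().getMatches(timeStampToken.getSID());
    if (tstMatches.isEmpty())
    {
        // Without this check a token that omits its certificates fails with an unchecked
        // NoSuchElementException from next().
        throw new CertificateException(
                "No certificate matching the signer id found in the time-stamp token");
    }
    X509CertificateHolder holder = tstMatches.iterator().next();
    X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
    SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder()
            .setProvider(SecurityProvider.getProvider()).build(tstCert);
    timeStampToken.validate(siv);
    System.out.println("TimeStampToken validated");
}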
/**
 * Checks the signature of a time-stamp token with the public key of the signer certificate
 * embedded in the token.
 *
 * <p>The key comes from the token itself and only the signature is checked. No chain to a
 * trusted time-stamping authority is built here, so a {@code true} result is not a trust
 * decision on its own.
 *
 * @param token the token to check
 * @return {@code true} if the signature matches the embedded signer key
 * @throws DigiDoc4JException wrapping any failure, including a token without a matching
 * certificate
 */
private boolean isSignatureValid(TimeStampToken token) {
    try {
        // the embedded certificate the token's signer id points to
        Object firstMatch = token.getCertificates().getMatches(token.getSID()).iterator().next();
        X509CertificateHolder holder = (X509CertificateHolder) firstMatch;

        JcaSimpleSignerInfoVerifierBuilder builder =
                new JcaSimpleSignerInfoVerifierBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME);
        SignerInformationVerifier verifier =
                builder.build(DSSUtils.loadCertificate(holder.getEncoded()).getCertificate().getPublicKey());
        return token.isSignatureValid(verifier);
    } catch (Exception e) {
        throw new DigiDoc4JException(e);
    }
}
/**
 * Rebuilds the signed data with new unsigned attributes on its signer and, optionally, extra
 * certificates added to the embedded certificate set.
 *
 * <p>Only the first signer of {@code sigData} is carried over. The unsigned attributes and the
 * certificate set are outside the signed content, so changing them does not alter what the
 * signature covers; the added certificates are unauthenticated material for whoever verifies
 * the result.
 *
 * @param sigData the signed data to modify
 * @param unsignedAttributes the unsigned attributes to set on the signer
 * @param extraCertificates certificates to add to the embedded ones, may be {@code null}
 * @return the regenerated signed data
 * @throws IOException declared by the original signature
 * @throws CMSException if the signed data cannot be generated
 */
protected CMSSignedData modifySignedData(CMSSignedData sigData, AttributeTable unsignedAttributes,
        Collection<X509CertificateHolder> extraCertificates) throws IOException, CMSException {
    SignerInformation originalSigner = sigData.getSignerInfos().getSigners().iterator().next();
    SignerInformation updatedSigner =
            SignerInformation.replaceUnsignedAttributes(originalSigner, unsignedAttributes);

    // start from every certificate already embedded (a null selector matches all entries)
    Collection<X509CertificateHolder> merged = new ArrayList<>(sigData.getCertificates().getMatches(null));
    if (extraCertificates != null) {
        merged.addAll(extraCertificates);
    }
    Store<X509CertificateHolder> mergedStore = new CollectionStore<>(merged);

    AuthenticodeSignedDataGenerator generator = new AuthenticodeSignedDataGenerator();
    generator.addCertificates(mergedStore);
    generator.addSigners(new SignerInformationStore(updatedSigner));

    // content type and content are taken over unchanged from the original signed data
    ASN1ObjectIdentifier contentType = new ASN1ObjectIdentifier(sigData.getSignedContentTypeOID());
    ASN1Encodable content = ASN1Sequence.getInstance(sigData.getSignedContent().getContent());

    return generator.generate(contentType, content);
}
/**
 * Adds the OCSP responses stored in the CMS "other revocation info" under
 * {@code id_ri_ocsp_response} to the given list.
 *
 * <p>An entry with exactly four elements is decoded directly as a basic OCSP response; any
 * other entry is decoded as a full OCSP response from which the basic response is extracted.
 *
 * <p>NOTE(review): each entry is cast to {@code DERSequence} without a type check. The entries
 * come from the CMS structure being processed, so a differently encoded entry would end the
 * loop with {@code ClassCastException}. Confirm that callers tolerate that.
 *
 * @param basicOCSPResps the list the responses are added to
 */
private void addBasicOcspRespFrom_id_ri_ocsp_response(final List<BasicOCSPResp> basicOCSPResps) {

    final Store revocationStore = cmsSignedData.getOtherRevocationInfo(CMSObjectIdentifiers.id_ri_ocsp_response);
    // a null selector returns every entry of the store
    for (final Object entry : revocationStore.getMatches(null)) {

        final DERSequence encoded = (DERSequence) entry;
        final BasicOCSPResp decoded;
        if (encoded.size() != 4) {
            // full OCSPResp wrapper: unwrap it to get the basic response
            final OCSPResp wrapper = DSSASN1Utils.getOcspResp(encoded);
            decoded = DSSASN1Utils.getBasicOCSPResp(wrapper);
        } else {
            // four elements: handled as a basic response
            decoded = DSSASN1Utils.getBasicOcspResp(encoded);
        }
        addBasicOcspResp(basicOCSPResps, decoded);
    }
}