Examples of org.apache.poi.poifs.crypt.dsig.SignatureInfo

• org.apache.poi.poifs.crypt.dsig.SignatureInfo
  ing the keystore - pkcs12 is used here, but of course jks & co are also valid // the keystore needs to contain a private key and it's certificate having a // 'digitalSignature' key usage char password[] = "test".toCharArray(); File file = new File("test.pfx"); KeyStore keystore = KeyStore.getInstance("PKCS12"); FileInputStream fis = new FileInputStream(file); keystore.load(fis, password); fis.close(); // extracting private key and certificate String alias = "xyz"; // alias of the keystore entry Key key = keystore.getKey(alias, password); X509Certificate x509 = (X509Certificate)keystore.getCertificate(alias); // filling the SignatureConfig entries (minimum fields, more options are available ...) SignatureConfig signatureConfig = new SignatureConfig(); signatureConfig.setKey(keyPair.getPrivate()); signatureConfig.setSigningCertificateChain(Collections.singletonList(x509)); OPCPackage pkg = OPCPackage.open(..., PackageAccess.READ_WRITE); signatureConfig.setOpcPackage(pkg); // adding the signature document to the package SignatureInfo si = new SignatureInfo(); si.setSignatureConfig(signatureConfig); si.confirmSignature(); // optionally verify the generated signature boolean b = si.verifySignature(); assert (b); // write the changes back to disc pkg.close();

  Implementation notes:

  Although there's a XML signature implementation in the Oracle JDKs 6 and higher, compatibility with IBM JDKs is also in focus (... but maybe not thoroughly tested ...). Therefore we are using the Apache Santuario libs (xmlsec) instead of the built-in classes, as the compatibility seems to be provided there.

  To use SignatureInfo and its sibling classes, you'll need to have the following libs in the classpath:

  • BouncyCastle bcpkix and bcprov (tested against 1.51)
  • Apache Santuario "xmlsec" (tested against 2.0.1)
  • and slf4j-api (tested against 1.7.7)

        for (String testFile : testFiles) {
            OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
            SignatureConfig sic = new SignatureConfig();
            sic.setOpcPackage(pkg);
            SignatureInfo si = new SignatureInfo();
            si.setSignatureConfig(sic);
            List<X509Certificate> result = new ArrayList<X509Certificate>();
            for (SignaturePart sp : si.getSignatureParts()) {
                if (sp.validate()) {
                    result.add(sp.getSigner());
                }
            }
            pkg.revert();

        for (String testFile : testFiles) {
            OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
            try {
                SignatureConfig sic = new SignatureConfig();
                sic.setOpcPackage(pkg);
                SignatureInfo si = new SignatureInfo();
                si.setSignatureConfig(sic);
                List<X509Certificate> result = new ArrayList<X509Certificate>();
                for (SignaturePart sp : si.getSignatureParts()) {
                    if (sp.validate()) {
                        result.add(sp.getSigner());
                    }
                }

                assertNotNull(result);
                assertEquals("test-file: "+testFile, 1, result.size());
                X509Certificate signer = result.get(0);
                LOG.log(POILogger.DEBUG, "signer: " + signer.getSubjectX500Principal());

                boolean b = si.verifySignature();
                assertTrue("test-file: "+testFile, b);
                pkg.revert();
            } finally {
                pkg.close();
            }

        String testFile = "hello-world-signed-twice.docx";
        OPCPackage pkg = OPCPackage.open(testdata.getFile(testFile), PackageAccess.READ);
        try {
            SignatureConfig sic = new SignatureConfig();
            sic.setOpcPackage(pkg);
            SignatureInfo si = new SignatureInfo();
            si.setSignatureConfig(sic);
            List<X509Certificate> result = new ArrayList<X509Certificate>();
            for (SignaturePart sp : si.getSignatureParts()) {
                if (sp.validate()) {
                    result.add(sp.getSigner());
                }
            }

            assertNotNull(result);
            assertEquals("test-file: "+testFile, 2, result.size());
            X509Certificate signer1 = result.get(0);
            X509Certificate signer2 = result.get(1);
            LOG.log(POILogger.DEBUG, "signer 1: " + signer1.getSubjectX500Principal());
            LOG.log(POILogger.DEBUG, "signer 2: " + signer2.getSubjectX500Principal());

            boolean b = si.verifySignature();
            assertTrue("test-file: "+testFile, b);
            pkg.revert();
        } finally {
            pkg.close();
        }

        // ... maybe in combination with #56164

        // validate
        SignatureConfig sic = new SignatureConfig();
        sic.setOpcPackage(pkg);
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(sic);
        boolean b = si.verifySignature();
        assertFalse("signature should be broken", b);

        wb.close();
    }

        OPCPackage pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
        SignatureConfig sic = new SignatureConfig();
        sic.setOpcPackage(pkg);
        sic.setKey(keyPair.getPrivate());
        sic.setSigningCertificateChain(Collections.singletonList(x509));
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(sic);
        // hash > sha1 doesn't work in excel viewer ...
        si.confirmSignature();
        List<X509Certificate> result = new ArrayList<X509Certificate>();
        for (SignaturePart sp : si.getSignatureParts()) {
            if (sp.validate()) {
                result.add(sp.getSigner());
            }
        }
        assertEquals(1, result.size());

            }
        };
        signatureConfig.setRevocationDataService(revocationDataService);

        // operate
        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);
        try {
            si.confirmSignature();
        } catch (RuntimeException e) {
            // only allow a ConnectException because of timeout, we see this in Jenkins from time to time...
            assertNotNull("Only allowing ConnectException here, but had: " + e, e.getCause());
            assertTrue("Only allowing ConnectException here, but had: " + e, e.getCause() instanceof ConnectException);
            assertTrue("Only allowing ConnectException here, but had: " + e, e.getCause().getMessage().contains("timed out"));
        }

        // verify
        Iterator<SignaturePart> spIter = si.getSignatureParts().iterator();
        assertTrue(spIter.hasNext());
        SignaturePart sp = spIter.next();
        boolean valid = sp.validate();
        assertTrue(valid);

        cal.set(2007, 7, 1);
        signatureConfig.setExecutionTime(cal.getTime());
        signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
        signatureConfig.setOpcPackage(pkg);

        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);

        si.confirmSignature();

        for (SignaturePart sp : si.getSignatureParts()){
            assertTrue("Could not validate", sp.validate());
            X509Certificate signer = sp.getSigner();
            assertNotNull("signer undefined?!", signer);
            List<X509Certificate> certChainRes = sp.getCertChain();
            assertEquals(3, certChainRes.size());

            try {
                signatureConfig.setDigestAlgo(ha);
                pkg = OPCPackage.open(copy(testdata.getFile(testFile)), PackageAccess.READ_WRITE);
                signatureConfig.setOpcPackage(pkg);

                SignatureInfo si = new SignatureInfo();
                si.setSignatureConfig(signatureConfig);

                si.confirmSignature();
                boolean b = si.verifySignature();
                assertTrue("Signature not correctly calculated for " + ha, b);
//            } catch (EncryptedDocumentException e) {
//                // see http://apache-poi.1045710.n5.nabble.com/org-apache-poi-poifs-crypt-TestSignatureInfo-failing-on-trunk-on-Java-6-tp5717032.html
//                Throwable cause = e.getCause();
//                if (cause instanceof ArrayIndexOutOfBoundsException) {

        signatureConfig.setSigningCertificateChain(Collections.singletonList(x509));
        signatureConfig.setExecutionTime(cal.getTime());
        signatureConfig.setDigestAlgo(HashAlgorithm.sha1);
        signatureConfig.setOpcPackage(pkgCopy);

        SignatureInfo si = new SignatureInfo();
        si.setSignatureConfig(signatureConfig);

        Document document = DocumentHelper.createDocument();

        // operate
        DigestInfo digestInfo = si.preSign(document, null);

        // verify
        assertNotNull(digestInfo);
        LOG.log(POILogger.DEBUG, "digest algo: " + digestInfo.hashAlgo);
        LOG.log(POILogger.DEBUG, "digest description: " + digestInfo.description);
        assertEquals("Office OpenXML Document", digestInfo.description);
        assertNotNull(digestInfo.hashAlgo);
        assertNotNull(digestInfo.digestValue);

        // setup: key material, signature value
        byte[] signatureValue = si.signDigest(digestInfo.digestValue);

        // operate: postSign
        si.postSign(document, signatureValue);

        // verify: signature
        si.getSignatureConfig().setOpcPackage(pkgCopy);
        List<X509Certificate> result = new ArrayList<X509Certificate>();
        for (SignaturePart sp : si.getSignatureParts()) {
            if (sp.validate()) {
                result.add(sp.getSigner());
            }
        }
        assertEquals(signerCount, result.size());