xades4j.verification.SigningCertificateVerifier Maven / Gradle / Ivy

Show more of this group Show more artifacts with this name
Show all versions of xades4j Show documentation

The XAdES4j library is an high-level, configurable and extensible Java implementation of XML Advanced Electronic Signatures (XAdES 1.3.2 and 1.4.1). It enables producing, verifying and extending signatures in the main XAdES forms: XAdES-BES, XAdES-EPES, XAdES-T and XAdES-C. Also, extended forms are supported through the enrichment of an existing signature.

There is a newer version: 2.2.2

Show newest version

/*
 * XAdES4j - A Java library for generation and verification of XAdES signatures.
 * Copyright (C) 2010 Luis Goncalves.
 *
 * XAdES4j is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Lesser General Public License as published by the Free
 * Software Foundation; either version 3 of the License, or any later version.
 *
 * XAdES4j is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Lesser General Public License along
 * with XAdES4j. If not, see .
 */
package xades4j.verification;

import com.google.inject.Inject;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import javax.security.auth.x500.X500Principal;
import xades4j.properties.QualifyingProperty;
import xades4j.properties.SigningCertificateProperty;
import xades4j.properties.data.CertRef;
import xades4j.providers.MessageDigestEngineProvider;
import xades4j.properties.data.SigningCertificateData;
import xades4j.verification.QualifyingPropertyVerificationContext.CertificationChainData;

/**
 * XAdES section G.2.2.5
 * @author Luís
 */
class SigningCertificateVerifier implements QualifyingPropertyVerifier
{
    private final MessageDigestEngineProvider messageDigestProvider;

    @Inject
    public SigningCertificateVerifier(
            MessageDigestEngineProvider messageDigestProvider)
    {
        this.messageDigestProvider = messageDigestProvider;
    }

    @Override
    public QualifyingProperty verify(
            SigningCertificateData propData,
            QualifyingPropertyVerificationContext ctx) throws SigningCertificateVerificationException
    {
        Collection certRefs = propData.getCertRefs();
        CertificationChainData certChainData = ctx.getCertChainData();

        Iterator certPathIter = certChainData.getCertificateChain().iterator();

        /* Check the signing certificate */

        // "If the verifier does not find any reference matching the signing certificate,
        // the validation of this property should be taken as failed."
        X509Certificate signingCert = certPathIter.next();
        CertRef signingCertRef = CertRefUtils.findCertRef(signingCert, certRefs);
        if (null == signingCertRef)
            throw new SigningCertificateReferenceNotFoundException(signingCert);

        // "If the ds:KeyInfo contains the ds:X509IssuerSerial element, check that
        // the issuer and the serial number indicated in both, that one and IssuerSerial
        // from SigningCertificate, are the same."
        X500Principal keyInfoIssuer = certChainData.getValidationCertIssuer();
        if (keyInfoIssuer != null &&
                (!new X500Principal(signingCertRef.issuerDN).equals(keyInfoIssuer) ||
                !signingCertRef.serialNumber.equals(certChainData.getValidationCertSerialNumber())))
            throw new SigningCertificateIssuerSerialMismatchException(
                    signingCertRef.issuerDN,
                    signingCertRef.serialNumber,
                    keyInfoIssuer.getName(),
                    certChainData.getValidationCertSerialNumber());

        try
        {
            CertRefUtils.checkCertRef(signingCertRef, signingCert, messageDigestProvider);
        } catch (CertRefUtils.InvalidCertRefException ex)
        {
            throw new SigningCertificateReferenceException(signingCert, signingCertRef, ex);
        }

        /* Check the other certificates in the certification path */

        int nMatchedRefs = 1;

        while (certPathIter.hasNext())
        {
            X509Certificate cert = certPathIter.next();
            CertRef certRef = CertRefUtils.findCertRef(cert, certRefs);
            // "Should one or more certificates in the certification path not be
            // referenced by this property, the verifier should assume that the
            // verification is successful (...)"
            if (null == certRef)
                continue;
            nMatchedRefs++;
            try
            {
                CertRefUtils.checkCertRef(certRef, cert, messageDigestProvider);
            } catch (CertRefUtils.InvalidCertRefException ex)
            {
                throw new SigningCertificateReferenceException(cert, certRef, ex);
            }
        }

        // "Should this property contain one or more references to certificates
        // other than those present in the certification path, the verifier should
        // assume that a failure has occurred during the verification."
        if (nMatchedRefs < certRefs.size())
            throw new SigningCertificateCertsNotInCertPathException();

        return new SigningCertificateProperty(certChainData.getCertificateChain());
    }
}