
/*
 * Copyright (c) 2020. Sweden Connect
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package se.swedenconnect.sigval.pdf.verify.policy.impl;

import lombok.extern.slf4j.Slf4j;
import se.idsec.signservice.security.certificate.CertificateValidationResult;
import se.idsec.signservice.security.sign.SignatureValidationResult;
import se.swedenconnect.sigval.commons.data.PolicyValidationResult;
import se.swedenconnect.sigval.pdf.data.ExtendedPdfSigValResult;
import se.swedenconnect.sigval.pdf.pdfstruct.PDFSignatureContext;
import se.swedenconnect.sigval.pdf.verify.policy.PDFSignaturePolicyValidator;
import se.swedenconnect.sigval.svt.claims.PolicyValidationClaims;
import se.swedenconnect.sigval.svt.claims.ValidationConclusion;

import java.security.cert.X509Certificate;
import java.util.List;

/**
 * Abstract implementation of a PDF signature policy checker
 *
 * @author Martin Lindström ([email protected])
 * @author Stefan Santesson ([email protected])
 */
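@Slf4j
public abstract class AbstractBasicPDFSignaturePolicyChecks implements PDFSignaturePolicyValidator {

  /**
   * Validate the signature according to a defined policy.
   *
   * <p>
   * The basic checks run in a fixed order and the method returns on the first one that fails, so
   * {@link #performAdditionalValidityChecks(ExtendedPdfSigValResult, PDFSignatureContext)} is only reached when all of
   * them have passed:
   * </p>
   * <ol>
   * <li>Basic signature validation must have succeeded, otherwise the conclusion is
   * {@link ValidationConclusion#FAILED} with status {@code ERROR_INVALID_SIGNATURE} and the status message of the
   * signature validation result.</li>
   * <li>The signature context must not report non-safe updates after this signature, otherwise the conclusion is
   * {@link ValidationConclusion#FAILED} with status {@code ERROR_INVALID_SIGNATURE}.</li>
   * <li>A non-empty validated certificate path must be present, otherwise the conclusion is
   * {@link ValidationConclusion#INDETERMINATE} with status {@code ERROR_NOT_TRUSTED}.</li>
   * </ol>
   *
   * @param verifyResultSignature the verification result of the signature
   * @param signatureContext      pdf signature context data holding data about revisions of the signed document
   * @return {@link PolicyValidationResult} for this signature
   */
  @Override public PolicyValidationResult validatePolicy(ExtendedPdfSigValResult verifyResultSignature,
    PDFSignatureContext signatureContext) {

    // Every result produced here carries the policy identifier of the concrete implementation.
    PolicyValidationClaims.PolicyValidationClaimsBuilder builder = PolicyValidationClaims.builder();
    builder.pol(getValidationPolicy());

    // Check if signature validation failed
    if (!verifyResultSignature.isSuccess()) {
      // Signature validation has failed. No more checks needed
      log.debug("Basic signature validation failed");
      return new PolicyValidationResult(
        builder.res(ValidationConclusion.FAILED)
          .msg(verifyResultSignature.getStatusMessage())
          .build(),
        SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE
      );
    }

    // Check for unsafe alterations to the document after signing. A valid signature over an earlier
    // revision says nothing about content appended later, so this is treated as an invalid signature.
    if (signatureContext.isSignatureExtendedByNonSafeUpdates(verifyResultSignature.getPdfSignature())) {
      log.debug("Signed document has been altered since it was signed");
      return new PolicyValidationResult(
        builder.res(ValidationConclusion.FAILED)
          .msg("Document content was altered after signing")
          .build(),
        SignatureValidationResult.Status.ERROR_INVALID_SIGNATURE
      );
    }

    // A missing certificate validation result and an empty path are handled the same way: without a
    // validated path the signer cannot be trusted, so the conclusion is INDETERMINATE rather than a pass.
    CertificateValidationResult certificateValidationResult = verifyResultSignature.getCertificateValidationResult();
    List<X509Certificate> validatedCertificatePath = certificateValidationResult == null
      ? null
      : certificateValidationResult.getValidatedCertificatePath();
    if (validatedCertificatePath == null || validatedCertificatePath.isEmpty()) {
      log.debug("No valid certificate path was found");
      return new PolicyValidationResult(
        builder.res(ValidationConclusion.INDETERMINATE)
          .msg("No valid certificate path was found")
          .build(),
        SignatureValidationResult.Status.ERROR_NOT_TRUSTED
      );
    }

    // Basic checks passed; the final conclusion is decided by the concrete policy implementation.
    return performAdditionalValidityChecks(verifyResultSignature, signatureContext);
  }

  /**
   * This function is called after performing the basic validity checks in the extended abstract superclass. The basic
   * checks done when this function is called are:
   *
   * <ul>
   * <li>Verified that basic signature validation succeeded</li>
   * <li>Verified that no non-signature alterations was made to the document after this signature was created</li>
   * <li>Verified that certificate path validation resulted in a trusted path (a non-empty validated certificate path
   * is present)</li>
   * </ul>
   *
   * <p>
   * This function is responsible for processing any certificate validity results such as results of CRL or OCSP
   * checking
   * </p>
   *
   * @param verifyResultSignature signature validation results
   * @param signatureContext      signature context data
   * @return results after extended validation checks
   */
  protected abstract PolicyValidationResult performAdditionalValidityChecks(ExtendedPdfSigValResult verifyResultSignature,
    PDFSignatureContext signatureContext);

  /**
   * Returns the validation policy implemented by this policy validator
   *
   * @return validation policy identifier
   */
  protected abstract String getValidationPolicy();
}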



