

Almost works but certificate needs some extensions
solita-juhohaa committed Nov 26, 2024
1 parent 61f8bb7 commit 6562ec0
Showing 6 changed files with 289 additions and 113 deletions.
1 change: 1 addition & 0 deletions etp-core/docker/ocsp-test-pki/easyrsa
34 changes: 17 additions & 17 deletions etp-core/docker/ocsp-test-pki/logs/ocsp-int.log
Expand Up @@ -11,33 +11,33 @@ OCSP Response Data:
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = ocsp_responder
Produced At: Nov 18 11:09:59 2024 GMT
Produced At: Nov 20 12:06:30 2024 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: D400C058FC5CF4203C162D8714B1F9B7C6015085
Issuer Key Hash: 349950A5B055D478A28DD8B99D71B82708DC389D
Serial Number: 2A9CA93992A09BDC571978753A01868B
Cert Status: good
This Update: Nov 18 11:09:59 2024 GMT
This Update: Nov 20 12:06:30 2024 GMT

Signature Algorithm: sha256WithRSAEncryption
Signature Value:
4f:61:cd:33:70:0e:ec:b6:58:d7:de:1f:94:00:36:aa:d3:4c:
40:e0:83:e4:c0:1c:7c:fe:ec:86:8d:da:c3:5a:ba:71:44:12:
ec:8e:86:97:32:f0:94:39:37:f0:c9:ff:de:58:db:1a:c6:4b:
77:84:c3:59:fc:51:e6:38:42:07:e6:82:ea:a1:08:4e:ef:46:
48:97:6a:ee:52:07:06:96:75:f8:9f:29:4e:0d:29:be:94:69:
59:f0:f9:15:7d:50:87:36:7e:41:01:8e:20:73:88:2b:aa:d5:
0f:b2:4d:cd:9b:9a:34:2a:c6:cd:d9:c4:e2:03:f4:7f:e2:78:
4b:bc:1e:63:c4:82:c2:63:5b:90:99:9c:cf:d3:78:0f:de:9f:
17:49:93:fd:c0:9b:ad:87:e1:56:b8:e9:38:9a:0d:58:81:49:
e9:05:ef:84:e7:f3:46:cb:8f:70:da:8a:69:00:3d:40:44:3c:
ac:76:e2:c9:dc:32:e1:18:77:5e:79:84:50:6c:2e:62:c7:58:
95:4b:cd:2c:b3:5b:f3:3f:a6:95:20:83:20:56:26:dd:23:eb:
5a:11:3d:33:27:14:36:4e:ae:3c:00:a4:13:00:ca:93:f5:18:
7c:fe:6e:d8:b3:3d:9d:e7:d1:c2:42:9a:c7:f0:96:81:24:55:
93:cf:51:b4
c3:fa:ca:14:99:17:57:23:b8:43:93:42:78:67:7a:c0:81:ef:
d5:81:5a:06:72:84:3c:f4:15:a5:f8:7b:71:b7:bb:c8:b0:ab:
80:cb:86:d5:59:f1:c8:ff:77:38:40:e6:c6:cb:10:0c:30:37:
43:a9:e5:b8:1d:46:ca:0d:cc:44:cd:76:6c:7e:cc:15:38:06:
c8:2e:dc:2d:98:ed:41:f8:b4:b8:4d:c5:66:ff:47:d9:ab:e4:
60:34:56:9a:ca:6c:98:1f:23:b2:3a:7a:ee:cf:3d:13:0c:5f:
03:02:d7:f6:91:4b:96:eb:d7:a4:10:64:7e:3f:3e:e2:b0:32:
05:90:fd:ca:37:2f:ec:a8:e2:1f:fd:c2:1c:08:f0:b1:c3:8c:
ee:12:bc:58:39:59:96:b0:2b:de:16:c9:31:b0:9a:a9:53:36:
6a:a8:58:b3:24:45:00:3b:d6:9e:f9:af:a1:f8:8f:8d:98:2c:
f0:49:45:8e:ff:eb:0f:04:c4:47:54:83:c6:3e:80:e3:20:d8:
a5:c4:70:90:d1:ff:ef:35:f4:fb:a2:a9:76:13:80:3c:b1:70:
7e:a2:55:f0:9d:a2:7d:6a:95:55:4c:58:39:ba:20:34:86:e1:
b1:84:18:48:84:d3:44:65:8f:72:2c:f4:b5:22:c1:fc:21:94:
77:81:08:40
Certificate:
Data:
Version: 3 (0x2)
134 changes: 73 additions & 61 deletions etp-core/etp-backend/deps.edn
Expand Up @@ -2,54 +2,54 @@
"src/main/sql"
"src/main/resources"]
:mvn/repos {"shibboleth" {:url "https://build.shibboleth.net/maven/releases/"}}
:deps {org.clojure/clojure {:mvn/version "1.12.0"}
ch.qos.logback/logback-classic {:mvn/version "1.5.12"}
org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"}
flathead/flathead {:mvn/version "0.0.6"}
integrant/integrant {:mvn/version "0.13.1"}
hikari-cp/hikari-cp {:mvn/version "3.1.0"}
org.postgresql/postgresql {:mvn/version "42.7.4"}
org.clojure/java.jdbc {:mvn/version "0.7.12"}
org.clojure/data.csv {:mvn/version "1.1.0"}
http-kit/http-kit {:mvn/version "2.8.0"}
ring/ring-core {:mvn/version "1.13.0"}
javax.servlet/servlet-api {:mvn/version "2.5"}
org.clojure/tools.logging {:mvn/version "1.3.0"}
prismatic/schema {:mvn/version "1.4.1"}
metosin/reitit-ring {:mvn/version "0.7.2"}
metosin/reitit-swagger {:mvn/version "0.7.2"}
metosin/reitit-swagger-ui {:mvn/version "0.7.2"}
metosin/ring-swagger-ui {:mvn/version "5.17.14"}
metosin/reitit-middleware {:mvn/version "0.7.2"}
metosin/reitit-dev {:mvn/version "0.7.2"}
metosin/reitit-schema {:mvn/version "0.7.2"}
fi.metosin/reitit-openapi {:mvn/version "0.7.2"}
metosin/muuntaja {:mvn/version "0.6.10"}
metosin/jsonista {:mvn/version "0.3.12"}
metosin/schema-tools {:mvn/version "0.13.1"}
webjure/jeesql {:mvn/version "0.4.7"}
clj-http/clj-http {:mvn/version "3.13.0"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
buddy/buddy-sign {:mvn/version "3.6.1-359"}
buddy/buddy-hashers {:mvn/version "2.0.167"}
:deps {org.clojure/clojure {:mvn/version "1.12.0"}
ch.qos.logback/logback-classic {:mvn/version "1.5.12"}
org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"}
flathead/flathead {:mvn/version "0.0.6"}
integrant/integrant {:mvn/version "0.13.1"}
hikari-cp/hikari-cp {:mvn/version "3.1.0"}
org.postgresql/postgresql {:mvn/version "42.7.4"}
org.clojure/java.jdbc {:mvn/version "0.7.12"}
org.clojure/data.csv {:mvn/version "1.1.0"}
http-kit/http-kit {:mvn/version "2.8.0"}
ring/ring-core {:mvn/version "1.13.0"}
javax.servlet/servlet-api {:mvn/version "2.5"}
org.clojure/tools.logging {:mvn/version "1.3.0"}
prismatic/schema {:mvn/version "1.4.1"}
metosin/reitit-ring {:mvn/version "0.7.2"}
metosin/reitit-swagger {:mvn/version "0.7.2"}
metosin/reitit-swagger-ui {:mvn/version "0.7.2"}
metosin/ring-swagger-ui {:mvn/version "5.17.14"}
metosin/reitit-middleware {:mvn/version "0.7.2"}
metosin/reitit-dev {:mvn/version "0.7.2"}
metosin/reitit-schema {:mvn/version "0.7.2"}
fi.metosin/reitit-openapi {:mvn/version "0.7.2"}
metosin/muuntaja {:mvn/version "0.6.10"}
metosin/jsonista {:mvn/version "0.3.12"}
metosin/schema-tools {:mvn/version "0.13.1"}
webjure/jeesql {:mvn/version "0.4.7"}
clj-http/clj-http {:mvn/version "3.13.0"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
buddy/buddy-sign {:mvn/version "3.6.1-359"}
buddy/buddy-hashers {:mvn/version "2.0.167"}

org.apache.poi/poi {:mvn/version "5.3.0"}
org.apache.poi/poi-ooxml {:mvn/version "5.3.0"}
org.apache.poi/poi {:mvn/version "5.3.0"}
org.apache.poi/poi-ooxml {:mvn/version "5.3.0"}

org.bouncycastle/bcprov-jdk18on {:mvn/version "1.79"}
org.bouncycastle/bcmail-jdk18on {:mvn/version "1.79"}
org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"}
io.github.solita/puumerkki {:mvn/version "0.12.0"}
org.clojure/core.match {:mvn/version "1.1.0"}
com.cognitect.aws/api {:mvn/version "0.8.692"}
com.cognitect.aws/endpoints {:mvn/version "1.1.12.772"}
com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"}
com.cognitect.aws/kms {:mvn/version "869.2.1687.0"}
de.ubercode.clostache/clostache {:mvn/version "1.4.0"}
commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"}
org.bouncycastle/bcprov-jdk18on {:mvn/version "1.79"}
org.bouncycastle/bcmail-jdk18on {:mvn/version "1.79"}
org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"}
io.github.solita/puumerkki {:mvn/version "0.12.0"}
org.clojure/core.match {:mvn/version "1.1.0"}
com.cognitect.aws/api {:mvn/version "0.8.692"}
com.cognitect.aws/endpoints {:mvn/version "1.1.12.772"}
com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"}
com.cognitect.aws/kms {:mvn/version "869.2.1687.0"}
de.ubercode.clostache/clostache {:mvn/version "1.4.0"}
commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"}

com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}

;; Contains vulnerable version of batik-* libraries, exclude those
;; and add direct dependency to newer versions
Expand All @@ -58,27 +58,39 @@
:exclusions [org.apache.xmlgraphics/batik-transcoder
org.apache.xmlgraphics/batik-codec
org.apache.xmlgraphics/batik-ext]}
org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"}

;; Non-alpha version does not support xml namespaces
org.clojure/data.xml {:mvn/version "0.2.0-alpha9"}
camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"}
com.jcraft/jsch {:mvn/version "0.1.55"}
com.sun.mail/javax.mail {:mvn/version "1.6.2"}
org.clojure/data.xml {:mvn/version "0.2.0-alpha9"}
camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"}
com.jcraft/jsch {:mvn/version "0.1.55"}
com.sun.mail/javax.mail {:mvn/version "1.6.2"}

org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"}
org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"}
com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"}
org.apache.axis/axis {:mvn/version "1.4"}
commons-io/commons-io {:mvn/version "2.17.0"}
org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"}
org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"}
com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"}
org.apache.axis/axis {:mvn/version "1.4"}
commons-io/commons-io {:mvn/version "2.17.0"}
;; commons-discovery is needed by some other library dynamically at runtime
;; related to suomi.fi-viestit implementation
commons-discovery/commons-discovery {:mvn/version "0.5"}
com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
kovacnica/clojure.network.ip {:mvn/version "0.1.5"
:exclusions [org.clojure/clojurescript]}}
commons-discovery/commons-discovery {:mvn/version "0.5"}
com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
kovacnica/clojure.network.ip {:mvn/version "0.1.5"
:exclusions [org.clojure/clojurescript]}

eu.europa.ec.joinup.sd-dss/dss-enumerations {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-model {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-service {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-pades {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-utils-apache-commons {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-utils {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-validation {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-spi {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-pades-pdfbox {:mvn/version "6.1"}

}
:aliases {:dev {:extra-paths ["src/test/clj"
"src/test/resources"
"src/dev/clj"]
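Review bot: The nine `eu.europa.ec.joinup.sd-dss/dss-*` coordinates added at the end of `:deps` carry no comment saying what they are for, while the neighbouring batik and commons-discovery entries both explain their presence; a line such as `;; DSS (Digital Signature Services) for PAdES timestamp/LT augmentation, used by solita.etp.service.signing.dss-augmentation` above the group would keep the file consistent. `dss-pades-pdfbox` brings its own PDFBox dependency and this file already pins `org.apache.pdfbox/pdfbox` at `2.0.32`, so the resolved tree (`clj -Stree`) is worth checking for a conflict — which version wins cannot be told from the diff. `dss-service` appears to supply the `OnlineOCSPSource`/`OnlineCRLSource`/`OnlineTSPSource` classes imported by the new namespace, i.e. outbound network calls at runtime, which is worth stating where the dependency is introduced. The first hunk of this file only re-indents existing entries and raises nothing.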
@@ -0,0 +1,98 @@
(ns solita.etp.service.signing.dss-augmentation
(:import (eu.europa.esig.dss.alert LogOnStatusAlert)
(eu.europa.esig.dss.enumerations SignatureLevel)
(eu.europa.esig.dss.model FileDocument)
(eu.europa.esig.dss.pades PAdESSignatureParameters)
(eu.europa.esig.dss.pades.signature PAdESService)
(eu.europa.esig.dss.service.crl OnlineCRLSource)
(eu.europa.esig.dss.service.tsp OnlineTSPSource)
(eu.europa.esig.dss.spi.x509.aia DefaultAIASource)
(eu.europa.esig.dss.service.ocsp OnlineOCSPSource)
(eu.europa.esig.dss.spi.validation CommonCertificateVerifier)
(eu.europa.esig.dss.spi.x509.tsp KeyEntityTSPSource)
(eu.europa.esig.dss.utils.apache.impl ApacheCommonsUtils)
(java.io File)
(java.nio.file Files OpenOption)
(java.security KeyPair KeyPairGenerator KeyStore PrivateKey SecureRandom Security)
(java.security.cert X509Certificate)
(java.util ArrayList Date List)
(org.bouncycastle.asn1.x500 X500Name)
(org.bouncycastle.cert X509v3CertificateBuilder)
(org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509v3CertificateBuilder)
(org.bouncycastle.jce.provider BouncyCastleProvider)
(org.bouncycastle.operator ContentSigner)
(org.bouncycastle.operator.jcajce JcaContentSignerBuilder)))



(def key-and-cert
(let [_ (Security/addProvider (BouncyCastleProvider.))
^KeyPairGenerator keyPairGenerator (KeyPairGenerator/getInstance "RSA")
_ (-> keyPairGenerator (.initialize 2048))
^KeyPair keyPair (-> keyPairGenerator .generateKeyPair)

subjectDN "CN=Self-Signed, O=Example, C=FI"
issuerDN subjectDN
serialNumber (BigInteger. 64 (SecureRandom.))
^Date notBefore (Date.)
^Date notAfter (Date. ^long (+ (System/currentTimeMillis) (* 365 24 60 60 1000)))

^X509v3CertificateBuilder certBuilder (JcaX509v3CertificateBuilder.
(X500Name. issuerDN)
serialNumber
notBefore
notAfter
(X500Name. subjectDN)
(-> keyPair .getPublic))

^ContentSigner signer (-> (JcaContentSignerBuilder. "SHA256withRSA") (.build (-> keyPair .getPrivate)))
^X509Certificate certificate (-> (JcaX509CertificateConverter.) (.setProvider "BC") (.getCertificate (-> certBuilder (.build signer))))]
{:private-key (-> keyPair .getPrivate)
:public-key (-> keyPair .getPublic)
:certificate certificate}))


(def pdf-file (FileDocument. "src/test/resources/energiatodistukset/signed-with-ocsp-information.pdf"))

(defn create-longer-validation-document [pdf-file]
(let [parameters (PAdESSignatureParameters.)
_ (-> parameters (.setSignatureLevel SignatureLevel/PAdES_BASELINE_T))

certificate-verifier (doto (CommonCertificateVerifier.)
(.setOcspSource (OnlineOCSPSource.))
(.setAlertOnInvalidTimestamp (LogOnStatusAlert.)))

#_(-> certificate-verifier (.setTrustedCertSources ""))
key-store-file (File. "/tmp/test-key-store")
key-store-pw (char-array "kissa")
^KeyStore key-store (doto (KeyStore/getInstance "PKCS12")
(.load nil key-store-pw))
;;key-entity-tsp-source (KeyEntityTSPSource. key-store "self-signed-tsa" key-store-pw)
key-entity-tsp-source (KeyEntityTSPSource. ^PrivateKey (:private-key key-and-cert)
^X509Certificate (:certificate key-and-cert)
^List (doto (ArrayList.) (.add (:certificate key-and-cert))))
_ (-> key-entity-tsp-source (.setTsaPolicy "1.2.3.4"))

pades-service (doto (PAdESService. certificate-verifier)
(.setTspSource key-entity-tsp-source))

;;hopefully-lt-level-document (-> pades-service (.extendDocument pdf-file parameters))
]))

(create-longer-validation-document pdf-file)

#_(defn hmm2 [document]
(let [cv (CommonCertificateVerifier.)
(-> cv (.setAIASource (DefaultAIASource.)))
(-> cv (.setOcspSource (OnlineOCSPSource.)))
(-> cv (.setCrlSource (OnlineCRLSource.)))

root-cert ()

#_(-> certificate-verifier (.setTrustedCertSources ""))

pades-service (PAdESService. certificate-verifier)
;;_ (-> padesService ())

hopefully-lt-level-document (-> pades-service (.extendDocument pdf-file parameters))
]))
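Review bot: The self-signed certificate built in `key-and-cert` is created without any X.509 v3 extensions, so it cannot serve as an RFC 3161 TSA certificate for `KeyEntityTSPSource` — a timestamping certificate needs the ExtendedKeyUsage extension with id-kp-timeStamping, which is presumably the "needs some extensions" of the commit title; before `(.build signer)` add `(.addExtension certBuilder Extension/extendedKeyUsage true (ExtendedKeyUsage. KeyPurposeId/id_kp_timeStamping))` and import `org.bouncycastle.asn1.x509 Extension ExtendedKeyUsage KeyPurposeId`. `create-longer-validation-document` has an empty `let` body because the `extendDocument` call is commented out, so it always returns nil, and the top-level `(create-longer-validation-document pdf-file)` together with the `key-and-cert` def means that merely loading the namespace registers the BouncyCastle provider, generates a 2048-bit RSA key pair and constructs a `PAdESService` backed by an `OnlineOCSPSource`; that work belongs in a test or a `-main`, not at namespace load, and `pdf-file` hard-codes a `src/test/resources` path inside a service namespace. `key-store-file`, `key-store` and the literal password `"kissa"` are bound but never used and can be removed. Note also that `CommonCertificateVerifier` is given no trusted certificate source (the `setTrustedCertSources` call is commented out) and `LogOnStatusAlert` turns an invalid timestamp into a log line instead of a failure — fine for this experiment, but neither setting should reach the production signing path.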
