

AE-2325: Create KeyEntityTSPSource with self-signed certificate
solita-juhohaa committed Nov 26, 2024
1 parent 5d33ebc commit f5826d0
Showing 2 changed files with 147 additions and 59 deletions.
132 changes: 73 additions & 59 deletions etp-core/etp-backend/deps.edn
Expand Up @@ -2,52 +2,54 @@
"src/main/sql"
"src/main/resources"]
:mvn/repos {"shibboleth" {:url "https://build.shibboleth.net/maven/releases/"}}
:deps {org.clojure/clojure {:mvn/version "1.12.0"}
ch.qos.logback/logback-classic {:mvn/version "1.5.12"}
org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"}
flathead/flathead {:mvn/version "0.0.6"}
integrant/integrant {:mvn/version "0.13.1"}
hikari-cp/hikari-cp {:mvn/version "3.1.0"}
org.postgresql/postgresql {:mvn/version "42.7.4"}
org.clojure/java.jdbc {:mvn/version "0.7.12"}
org.clojure/data.csv {:mvn/version "1.1.0"}
http-kit/http-kit {:mvn/version "2.8.0"}
ring/ring-core {:mvn/version "1.13.0"}
javax.servlet/servlet-api {:mvn/version "2.5"}
org.clojure/tools.logging {:mvn/version "1.3.0"}
prismatic/schema {:mvn/version "1.4.1"}
metosin/reitit-ring {:mvn/version "0.7.2"}
metosin/reitit-swagger {:mvn/version "0.7.2"}
metosin/reitit-swagger-ui {:mvn/version "0.7.2"}
metosin/ring-swagger-ui {:mvn/version "5.17.14"}
metosin/reitit-middleware {:mvn/version "0.7.2"}
metosin/reitit-dev {:mvn/version "0.7.2"}
metosin/reitit-schema {:mvn/version "0.7.2"}
fi.metosin/reitit-openapi {:mvn/version "0.7.2"}
metosin/muuntaja {:mvn/version "0.6.10"}
metosin/jsonista {:mvn/version "0.3.12"}
metosin/schema-tools {:mvn/version "0.13.1"}
webjure/jeesql {:mvn/version "0.4.7"}
clj-http/clj-http {:mvn/version "3.13.0"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
buddy/buddy-sign {:mvn/version "3.6.1-359"}
buddy/buddy-hashers {:mvn/version "2.0.167"}
:deps {org.clojure/clojure {:mvn/version "1.12.0"}
ch.qos.logback/logback-classic {:mvn/version "1.5.12"}
org.slf4j/log4j-over-slf4j {:mvn/version "2.0.16"}
flathead/flathead {:mvn/version "0.0.6"}
integrant/integrant {:mvn/version "0.13.1"}
hikari-cp/hikari-cp {:mvn/version "3.1.0"}
org.postgresql/postgresql {:mvn/version "42.7.4"}
org.clojure/java.jdbc {:mvn/version "0.7.12"}
org.clojure/data.csv {:mvn/version "1.1.0"}
http-kit/http-kit {:mvn/version "2.8.0"}
ring/ring-core {:mvn/version "1.13.0"}
javax.servlet/servlet-api {:mvn/version "2.5"}
org.clojure/tools.logging {:mvn/version "1.3.0"}
prismatic/schema {:mvn/version "1.4.1"}
metosin/reitit-ring {:mvn/version "0.7.2"}
metosin/reitit-swagger {:mvn/version "0.7.2"}
metosin/reitit-swagger-ui {:mvn/version "0.7.2"}
metosin/ring-swagger-ui {:mvn/version "5.17.14"}
metosin/reitit-middleware {:mvn/version "0.7.2"}
metosin/reitit-dev {:mvn/version "0.7.2"}
metosin/reitit-schema {:mvn/version "0.7.2"}
fi.metosin/reitit-openapi {:mvn/version "0.7.2"}
metosin/muuntaja {:mvn/version "0.6.10"}
metosin/jsonista {:mvn/version "0.3.12"}
metosin/schema-tools {:mvn/version "0.13.1"}
webjure/jeesql {:mvn/version "0.4.7"}
clj-http/clj-http {:mvn/version "3.13.0"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
buddy/buddy-sign {:mvn/version "3.6.1-359"}
buddy/buddy-hashers {:mvn/version "2.0.167"}

org.apache.poi/poi {:mvn/version "5.3.0"}
org.apache.poi/poi-ooxml {:mvn/version "5.3.0"}
org.apache.poi/poi {:mvn/version "5.3.0"}
org.apache.poi/poi-ooxml {:mvn/version "5.3.0"}

org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"}
io.github.solita/puumerkki {:mvn/version "0.12.0"}
org.clojure/core.match {:mvn/version "1.1.0"}
com.cognitect.aws/api {:mvn/version "0.8.692"}
com.cognitect.aws/endpoints {:mvn/version "1.1.12.772"}
com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"}
com.cognitect.aws/kms {:mvn/version "869.2.1687.0"}
de.ubercode.clostache/clostache {:mvn/version "1.4.0"}
commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"}
org.bouncycastle/bcprov-jdk18on {:mvn/version "1.79"}
org.bouncycastle/bcmail-jdk18on {:mvn/version "1.79"}
org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"}
io.github.solita/puumerkki {:mvn/version "0.12.0"}
org.clojure/core.match {:mvn/version "1.1.0"}
com.cognitect.aws/api {:mvn/version "0.8.692"}
com.cognitect.aws/endpoints {:mvn/version "1.1.12.772"}
com.cognitect.aws/s3 {:mvn/version "869.2.1687.0"}
com.cognitect.aws/kms {:mvn/version "869.2.1687.0"}
de.ubercode.clostache/clostache {:mvn/version "1.4.0"}
commonmark-hiccup/commonmark-hiccup {:mvn/version "0.3.0"}

com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}

;; Contains vulnerable version of batik-* libraries, exclude those
;; and add direct dependency to newer versions
Expand All @@ -56,27 +58,39 @@
:exclusions [org.apache.xmlgraphics/batik-transcoder
org.apache.xmlgraphics/batik-codec
org.apache.xmlgraphics/batik-ext]}
org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-codec {:mvn/version "1.18"}
org.apache.xmlgraphics/batik-ext {:mvn/version "1.18"}

;; Non-alpha version does not support xml namespaces
org.clojure/data.xml {:mvn/version "0.2.0-alpha9"}
camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"}
com.jcraft/jsch {:mvn/version "0.1.55"}
com.sun.mail/javax.mail {:mvn/version "1.6.2"}
org.clojure/data.xml {:mvn/version "0.2.0-alpha9"}
camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.3"}
com.jcraft/jsch {:mvn/version "0.1.55"}
com.sun.mail/javax.mail {:mvn/version "1.6.2"}

org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"}
org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"}
com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"}
org.apache.axis/axis {:mvn/version "1.4"}
commons-io/commons-io {:mvn/version "2.17.0"}
org.apache.wss4j/wss4j-ws-security-dom {:mvn/version "3.0.3"}
org.apache.wss4j/wss4j-ws-security-common {:mvn/version "3.0.3"}
com.sun.xml.messaging.saaj/saaj-impl {:mvn/version "3.0.4"}
org.apache.axis/axis {:mvn/version "1.4"}
commons-io/commons-io {:mvn/version "2.17.0"}
;; commons-discovery is needed by some other library dynamically at runtime
;; related to suomi.fi-viestit implementation
commons-discovery/commons-discovery {:mvn/version "0.5"}
com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
kovacnica/clojure.network.ip {:mvn/version "0.1.5"
:exclusions [org.clojure/clojurescript]}}
commons-discovery/commons-discovery {:mvn/version "0.5"}
com.sun.xml.ws/webservices-rt {:mvn/version "2.0.1"}
kovacnica/clojure.network.ip {:mvn/version "0.1.5"
:exclusions [org.clojure/clojurescript]}

eu.europa.ec.joinup.sd-dss/dss-enumerations {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-model {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-service {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-pades {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-utils-apache-commons {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-utils {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-validation {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-spi {:mvn/version "6.1"}
eu.europa.ec.joinup.sd-dss/dss-pades-pdfbox {:mvn/version "6.1"}

}
:aliases {:dev {:extra-paths ["src/test/clj"
"src/test/resources"
"src/dev/clj"]
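Review bot: The nine `eu.europa.ec.joinup.sd-dss/dss-*` 6.1 artifacts are added next to the existing `org.apache.pdfbox/pdfbox {:mvn/version "2.0.32"}` pin, and `dss-pades-pdfbox` in recent DSS releases is built against PDFBox 3.x, so it is worth confirming that 6.1 actually works against 2.0.32 — a mismatch here surfaces only as a runtime linkage error in the signing path, not at dependency resolution. The same applies to `bcprov-jdk18on`/`bcmail-jdk18on` 1.79 if those lines are the added side (the rendered page does not make clear which side they are on): DSS declares its own BouncyCastle version, and pinning a different one makes the effective provider version depend on resolution order. A short comment above the DSS group, e.g. `;; DSS 6.1 - keep the pdfbox and bouncycastle pins above aligned with what this release expects`, would record the constraint for the next upgrade.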
@@ -0,0 +1,74 @@
(ns solita.etp.service.signing.dss-augmentation
(:import (eu.europa.esig.dss.alert LogOnStatusAlert)
(eu.europa.esig.dss.enumerations SignatureLevel)
(eu.europa.esig.dss.model FileDocument)
(eu.europa.esig.dss.pades PAdESSignatureParameters)
(eu.europa.esig.dss.pades.signature PAdESService)
(eu.europa.esig.dss.service.ocsp OnlineOCSPSource)
(eu.europa.esig.dss.spi.validation CommonCertificateVerifier)
(eu.europa.esig.dss.spi.x509.tsp KeyEntityTSPSource)
(java.io File)
(java.security KeyPair KeyPairGenerator KeyStore PrivateKey SecureRandom Security)
(java.security.cert X509Certificate)
(java.util ArrayList Date List)
(org.bouncycastle.asn1.x500 X500Name)
(org.bouncycastle.cert X509v3CertificateBuilder)
(org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509v3CertificateBuilder)
(org.bouncycastle.jce.provider BouncyCastleProvider)
(org.bouncycastle.operator ContentSigner)
(org.bouncycastle.operator.jcajce JcaContentSignerBuilder)))

(def tsp-key-and-cert
(let [_ (Security/addProvider (BouncyCastleProvider.)) ;; TODO: Should this be done elsewhere?
^KeyPairGenerator keyPairGenerator (doto (KeyPairGenerator/getInstance "RSA")
(.initialize 2048))
^KeyPair keyPair (-> keyPairGenerator .generateKeyPair)

subjectDN "CN=Self-Signed, O=Example, C=FI"
issuerDN subjectDN
serialNumber (BigInteger. 64 (SecureRandom.))
^Date notBefore (Date.)
^Date notAfter (Date. ^long (+ (System/currentTimeMillis) (* 365 24 60 60 1000)))

^X509v3CertificateBuilder certBuilder (JcaX509v3CertificateBuilder.
(X500Name. issuerDN)
serialNumber
notBefore
notAfter
(X500Name. subjectDN)
(-> keyPair .getPublic))

^ContentSigner signer (-> (JcaContentSignerBuilder. "SHA256withRSA") (.build (-> keyPair .getPrivate)))
^X509Certificate certificate (-> (doto (JcaX509CertificateConverter.) (.setProvider "BC")) (.getCertificate (-> certBuilder (.build signer))))]
{:private-key (-> keyPair .getPrivate)
:public-key (-> keyPair .getPublic)
:certificate certificate}))

(defn create-longer-validation-document [pdf-file]
(let [parameters (PAdESSignatureParameters.)
_ (-> parameters (.setSignatureLevel SignatureLevel/PAdES_BASELINE_T))

certificate-verifier (doto (CommonCertificateVerifier.)
(.setOcspSource (OnlineOCSPSource.))
(.setAlertOnInvalidTimestamp (LogOnStatusAlert.)))

#_(-> certificate-verifier (.setTrustedCertSources ""))
key-store-file (File. "/tmp/test-key-store")
key-store-pw (char-array "kissa")
^KeyStore key-store (doto (KeyStore/getInstance "PKCS12")
(.load nil key-store-pw))
;;key-entity-tsp-source (KeyEntityTSPSource. key-store "self-signed-tsa" key-store-pw)
key-entity-tsp-source (KeyEntityTSPSource. ^PrivateKey (:private-key tsp-key-and-cert)
^X509Certificate (:certificate tsp-key-and-cert)
^List (doto (ArrayList.) (.add (:certificate tsp-key-and-cert))))
_ (-> key-entity-tsp-source (.setTsaPolicy "1.2.3.4"))

pades-service (doto (PAdESService. certificate-verifier)
(.setTspSource key-entity-tsp-source))

;;hopefully-document-with-ocsp (-> pades-service (.extendDocument pdf-file parameters))
]))

;;TODO: Continue "Certificate must have an ExtendedKeyUsage extension."
(def pdf-file (FileDocument. "src/test/resources/energiatodistukset/signed-with-ocsp-information.pdf"))
;;(create-longer-validation-document pdf-file)
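Review bot: `create-longer-validation-document` never produces a document — the `let` body is empty and the `extendDocument` call is commented out, so the function returns nil and `parameters`, `pades-service` and `pdf-file` are never used, while the `key-store-file`/`key-store-pw`/`key-store` bindings are dead code (their only consumer is the commented-out constructor) carrying a hard-coded password and a predictable `/tmp` path and should be dropped rather than left in. The self-signed certificate built in `tsp-key-and-cert` carries no extensions, which is what the trailing TODO is hitting: an RFC 3161 TSA certificate needs a critical ExtendedKeyUsage of id-kp-timeStamping, e.g. `(.addExtension certBuilder Extension/extendedKeyUsage true (ExtendedKeyUsage. KeyPurposeId/id_kp_timeStamping))` before `.build`, with `(org.bouncycastle.asn1.x509 ExtendedKeyUsage Extension KeyPurposeId)` added to the imports. Because the key pair and certificate are generated inside a `def`, they are regenerated on every namespace load together with the global `Security/addProvider` call, so a timestamp produced by one JVM cannot be validated by another; if this is meant only for tests, a comment saying so and moving key generation (and the top-level `pdf-file` def that points at a test resource) into a function or test fixture would make that explicit. The placeholder TSA policy OID `"1.2.3.4"` should likewise be marked as a test value in a comment or replaced before this code is used outside tests.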
