use PAdESService for signing toBeSigned 1.3.0

Author: sarah897

src/main/java/de/governikus/datasign/cookbook/cades/SealDocumentExample.java

@@ -2,12 +2,14 @@
 
 import de.governikus.datasign.cookbook.AbstractExample;
 import de.governikus.datasign.cookbook.types.*;
+import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
 import de.governikus.datasign.cookbook.types.request.DocumentToBeSigned;
 import de.governikus.datasign.cookbook.types.request.SealDocumentTransactionRequest;
-import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
 import de.governikus.datasign.cookbook.types.response.AvailableSeals;
 import de.governikus.datasign.cookbook.types.response.DocumentSealTransaction;
 import de.governikus.datasign.cookbook.types.response.UploadedDocument;
+import de.governikus.datasign.cookbook.util.DSSFactory;
+import eu.europa.esig.dss.model.InMemoryDocument;
 
 import java.io.FileInputStream;
 import java.util.List;
@@ -69,6 +71,14 @@ public void runExample() throws Exception {
         var pkcs7SignatureBytes = retrieveBytes(GET(pkcs7Signatures.href().toString())
                 .header("Authorization", accessToken.toAuthorizationHeader()));
 
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(new InMemoryDocument(new FileInputStream("sample.docx")),
+                new InMemoryDocument(pkcs7SignatureBytes)).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
+        }
+
         writeToDisk(pkcs7SignatureBytes, "sample_sealed.docx.p7s");
         System.out.println("sample.pdf is now sealed and the signature is written to disk as sample_sealed.docx.p7s");
     }

src/main/java/de/governikus/datasign/cookbook/cades/SealToBeSignedExample.java

@@ -6,15 +6,17 @@
 import de.governikus.datasign.cookbook.types.SignatureLevel;
 import de.governikus.datasign.cookbook.types.SignatureNiveau;
 import de.governikus.datasign.cookbook.types.request.SealToBeSignedTransactionRequest;
-import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
 import de.governikus.datasign.cookbook.types.request.ToBeSigned;
 import de.governikus.datasign.cookbook.types.request.ToBeSignedSignatureParameter;
 import de.governikus.datasign.cookbook.types.response.AvailableSeals;
 import de.governikus.datasign.cookbook.types.response.Certificate;
 import de.governikus.datasign.cookbook.types.response.ToBeSignedSealTransaction;
 import de.governikus.datasign.cookbook.util.DSSFactory;
 import eu.europa.esig.dss.cades.CAdESSignatureParameters;
-import eu.europa.esig.dss.enumerations.*;
+import eu.europa.esig.dss.enumerations.DigestAlgorithm;
+import eu.europa.esig.dss.enumerations.EncryptionAlgorithm;
+import eu.europa.esig.dss.enumerations.SignatureAlgorithm;
+import eu.europa.esig.dss.enumerations.SignaturePackaging;
 import eu.europa.esig.dss.model.InMemoryDocument;
 import eu.europa.esig.dss.model.SignatureValue;
 import eu.europa.esig.dss.model.x509.CertificateToken;
@@ -95,10 +97,11 @@ public void runExample() throws Exception {
                 new SignatureValue(signatureAlgorithm(provider), signatureValueWithTimestamp.signatureValue()));
         var detachedSignature = DSSUtils.toCMSSignedData(signedDocument).getEncoded();
 
-        try {
-            DSSFactory.signedDocumentValidator(unsignedDocument, signedDocument).validateDocument();
-        } catch (Exception e) {
-            System.err.println("signatureValue is not coherent with document digest");
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(unsignedDocument, signedDocument).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
         }
 
         writeToDisk(detachedSignature, "sample_sealed.docx.p7s");

src/main/java/de/governikus/datasign/cookbook/cades/SignDocumentExample.java

@@ -2,10 +2,15 @@
 
 import de.governikus.datasign.cookbook.AbstractExample;
 import de.governikus.datasign.cookbook.types.*;
-import de.governikus.datasign.cookbook.types.request.*;
+import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
+import de.governikus.datasign.cookbook.types.request.DocumentToBeSigned;
+import de.governikus.datasign.cookbook.types.request.SignatureDocumentTransactionRequest;
+import de.governikus.datasign.cookbook.types.request.TanAuthorizeRequest;
 import de.governikus.datasign.cookbook.types.response.DocumentSignTransaction;
 import de.governikus.datasign.cookbook.types.response.UploadedDocument;
 import de.governikus.datasign.cookbook.types.response.UserState;
+import de.governikus.datasign.cookbook.util.DSSFactory;
+import eu.europa.esig.dss.model.InMemoryDocument;
 
 import java.io.FileInputStream;
 import java.net.URLEncoder;
@@ -108,11 +113,18 @@ public void runExample() throws Exception {
                 r.documentId().equals(uploadedDocument.documentId())).findFirst().orElseThrow();
 
         // GET /documents/{documentId}/signatures/{signatureId}
-        var documentRevisionBytes = retrieveBytes(GET(result.href().toString())
+        var pkcs7SignatureBytes = retrieveBytes(GET(result.href().toString())
                 .header("Authorization", accessToken.toAuthorizationHeader()));
 
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(new InMemoryDocument(new FileInputStream("sample.docx")),
+                new InMemoryDocument(pkcs7SignatureBytes)).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
+        }
 
-        writeToDisk(documentRevisionBytes, "sample_signed.pdf.p7s");
+        writeToDisk(pkcs7SignatureBytes, "sample_signed.pdf.p7s");
         System.out.println("sample.pdf is now signed and the signature is written to disk as sample_signed.pdf.p7s");
     }
 

src/main/java/de/governikus/datasign/cookbook/cades/SignToBeSignedExample.java

@@ -5,7 +5,10 @@
 import de.governikus.datasign.cookbook.types.Provider;
 import de.governikus.datasign.cookbook.types.SignatureLevel;
 import de.governikus.datasign.cookbook.types.SignatureNiveau;
-import de.governikus.datasign.cookbook.types.request.*;
+import de.governikus.datasign.cookbook.types.request.SignatureToBeSignedTransactionRequest;
+import de.governikus.datasign.cookbook.types.request.TanAuthorizeRequest;
+import de.governikus.datasign.cookbook.types.request.ToBeSigned;
+import de.governikus.datasign.cookbook.types.request.ToBeSignedSignatureParameter;
 import de.governikus.datasign.cookbook.types.response.Certificate;
 import de.governikus.datasign.cookbook.types.response.ToBeSignedSignTransaction;
 import de.governikus.datasign.cookbook.types.response.UserState;
@@ -137,10 +140,11 @@ public void runExample() throws Exception {
                 new SignatureValue(signatureAlgorithm(provider), signatureValueWithTimestamp.signatureValue()));
         var detachedSignature = DSSUtils.toCMSSignedData(signedDocument).getEncoded();
 
-        try {
-            DSSFactory.signedDocumentValidator(unsignedDocument, signedDocument).validateDocument();
-        } catch (Exception e) {
-            System.err.println("signatureValue is not coherent with document digest");
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(unsignedDocument, signedDocument).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
         }
 
         writeToDisk(detachedSignature, "sample_signed.docx.p7s");

src/main/java/de/governikus/datasign/cookbook/pades/SealDocumentExample.java

@@ -2,8 +2,15 @@
 
 import de.governikus.datasign.cookbook.AbstractExample;
 import de.governikus.datasign.cookbook.types.*;
-import de.governikus.datasign.cookbook.types.request.*;
-import de.governikus.datasign.cookbook.types.response.*;
+import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
+import de.governikus.datasign.cookbook.types.request.DocumentToBeSigned;
+import de.governikus.datasign.cookbook.types.request.SealDocumentTransactionRequest;
+import de.governikus.datasign.cookbook.types.request.VisualParameter;
+import de.governikus.datasign.cookbook.types.response.AvailableSeals;
+import de.governikus.datasign.cookbook.types.response.DocumentSealTransaction;
+import de.governikus.datasign.cookbook.types.response.UploadedDocument;
+import de.governikus.datasign.cookbook.util.DSSFactory;
+import eu.europa.esig.dss.model.InMemoryDocument;
 
 import java.io.FileInputStream;
 import java.util.List;
@@ -67,8 +74,15 @@ public void runExample() throws Exception {
 
         // GET /documents/{documentId}/revisions/{revisionId}
         var documentRevisionBytes = retrieveBytes(GET(documentRevision.href().toString())
-                .header("Authorization", accessToken.toAuthorizationHeader())
-                .header("Accept", "application/octet-stream"));
+                .header("Authorization", accessToken.toAuthorizationHeader()));
+
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(new InMemoryDocument(new FileInputStream("sample.pdf")),
+                new InMemoryDocument(documentRevisionBytes)).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
+        }
 
         writeToDisk(documentRevisionBytes, "sample_sealed.pdf");
         System.out.println("sample.pdf is now sealed and written to disk as sample_sealed.pdf");

src/main/java/de/governikus/datasign/cookbook/pades/SealToBeSignedExample.java

@@ -5,7 +5,6 @@
 import de.governikus.datasign.cookbook.types.Provider;
 import de.governikus.datasign.cookbook.types.SignatureLevel;
 import de.governikus.datasign.cookbook.types.SignatureNiveau;
-import de.governikus.datasign.cookbook.types.request.DocumentSignatureParameter;
 import de.governikus.datasign.cookbook.types.request.SealToBeSignedTransactionRequest;
 import de.governikus.datasign.cookbook.types.request.ToBeSigned;
 import de.governikus.datasign.cookbook.types.request.ToBeSignedSignatureParameter;
@@ -24,7 +23,6 @@
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
-import java.util.Scanner;
 import java.util.UUID;
 
 import static de.governikus.datasign.cookbook.util.AccessTokenUtil.retrieveAccessToken;
@@ -69,12 +67,8 @@ public void runExample() throws Exception {
         // calculate the DTBS from the unsigned document
         var unsignedDocument = new InMemoryDocument(new FileInputStream("sample.pdf"));
 
-        var padesWithExternalCMSService = DSSFactory.padesWithExternalCMSService();
         var signatureParameter = signatureParameter(provider, certificate.certificate());
-        var documentDigest = padesWithExternalCMSService.getMessageDigest(unsignedDocument, signatureParameter);
-
-        var externalCMSService = DSSFactory.externalCMSService();
-        var dtbs = externalCMSService.getDataToSign(documentDigest, signatureParameter);
+        var dtbs = DSSFactory.pAdESService().getDataToSign(unsignedDocument, signatureParameter);
 
         // POST /seal/to-be-signed/transactions
         var toBeSignedId = UUID.randomUUID();
@@ -92,15 +86,17 @@ public void runExample() throws Exception {
                 .filter(v -> v.id().equals(toBeSignedId)).findFirst().orElseThrow();
 
         // use the signature value to incorporate a signature into the unsigned document
-        var cmsSignedData = DSSFactory.externalCMSService(signatureValueWithTimestamp.timestamp())
-                .signMessageDigest(documentDigest, signatureParameter, new SignatureValue(signatureParameter.getSignatureAlgorithm(), signatureValueWithTimestamp.signatureValue()));
+        var signatureValue = new SignatureValue(signatureParameter.getSignatureAlgorithm(), signatureValueWithTimestamp.signatureValue());
+        var signedDocument = DSSFactory.pAdESService(signatureValueWithTimestamp.timestamp())
+                .signDocument(unsignedDocument, signatureParameter, signatureValue);
 
-        if (!padesWithExternalCMSService.isValidCMSSignedData(documentDigest, cmsSignedData)) {
+        if (!DSSFactory.pAdESService().isValidSignatureValue(dtbs, signatureValue, new CertificateToken(toX509Certificate(certificate.certificate())))) {
             System.err.println("signatureValue is not coherent with document digest");
             return;
         }
 
-        var signedDocument = padesWithExternalCMSService.signDocument(unsignedDocument, signatureParameter, cmsSignedData);
+        // extend signature to LT-Level
+        signedDocument = DSSFactory.pAdESExtensionService().incorporateValidationData(signedDocument, null, true);
 
         writeToDisk(signedDocument, "sample_sealed.pdf");
         System.out.println("sample.pdf is now sealed and written to disk as sample_sealed.pdf");
@@ -120,9 +116,4 @@ private static PAdESSignatureParameters signatureParameter(Provider provider, by
         return pAdESSignatureParameters;
     }
 
-    private String prompt(String toDisplay) {
-        System.out.println(toDisplay);
-        return new Scanner(System.in).nextLine().trim();
-    }
-
 }

src/main/java/de/governikus/datasign/cookbook/pades/SignDocumentExample.java

@@ -3,7 +3,11 @@
 import de.governikus.datasign.cookbook.AbstractExample;
 import de.governikus.datasign.cookbook.types.*;
 import de.governikus.datasign.cookbook.types.request.*;
-import de.governikus.datasign.cookbook.types.response.*;
+import de.governikus.datasign.cookbook.types.response.DocumentSignTransaction;
+import de.governikus.datasign.cookbook.types.response.UploadedDocument;
+import de.governikus.datasign.cookbook.types.response.UserState;
+import de.governikus.datasign.cookbook.util.DSSFactory;
+import eu.europa.esig.dss.model.InMemoryDocument;
 
 import java.io.FileInputStream;
 import java.net.URLEncoder;
@@ -110,9 +114,15 @@ public void runExample() throws Exception {
 
         // GET /documents/{documentId}/revisions/{revisionId}
         var documentRevisionBytes = retrieveBytes(GET(documentRevision.href().toString())
-                .header("Authorization", accessToken.toAuthorizationHeader())
-                .header("Accept", "application/octet-stream"));
-
+                .header("Authorization", accessToken.toAuthorizationHeader()));
+
+        // check if the signature is valid
+        var report = DSSFactory.signedDocumentValidator(new InMemoryDocument(new FileInputStream("sample.pdf")),
+                new InMemoryDocument(documentRevisionBytes)).validateDocument().getSimpleReport();
+        var indication = report.getIndication(report.getFirstSignatureId()).name();
+        if (indication.equals("FAILED") || indication.equals("TOTAL_FAILED") || indication.equals("NO_SIGNATURE_FOUND")) {
+            System.err.println("signature is not valid");
+        }
 
         writeToDisk(documentRevisionBytes, "sample_signed.pdf");
         System.out.println("sample.pdf is now signed and written to disk as sample_signed.pdf");

src/main/java/de/governikus/datasign/cookbook/pades/SignToBeSignedExample.java

@@ -5,7 +5,10 @@
 import de.governikus.datasign.cookbook.types.Provider;
 import de.governikus.datasign.cookbook.types.SignatureLevel;
 import de.governikus.datasign.cookbook.types.SignatureNiveau;
-import de.governikus.datasign.cookbook.types.request.*;
+import de.governikus.datasign.cookbook.types.request.SignatureToBeSignedTransactionRequest;
+import de.governikus.datasign.cookbook.types.request.TanAuthorizeRequest;
+import de.governikus.datasign.cookbook.types.request.ToBeSigned;
+import de.governikus.datasign.cookbook.types.request.ToBeSignedSignatureParameter;
 import de.governikus.datasign.cookbook.types.response.Certificate;
 import de.governikus.datasign.cookbook.types.response.ToBeSignedSignTransaction;
 import de.governikus.datasign.cookbook.types.response.UserState;
@@ -69,12 +72,8 @@ public void runExample() throws Exception {
         // calculate the DTBS from the unsigned document
         var unsignedDocument = new InMemoryDocument(new FileInputStream("sample.pdf"));
 
-        var padesWithExternalCMSService = DSSFactory.padesWithExternalCMSService();
         var signatureParameter = signatureParameter(provider, certificate.certificate());
-        var documentDigest = padesWithExternalCMSService.getMessageDigest(unsignedDocument, signatureParameter);
-
-        var externalCMSService = DSSFactory.externalCMSService();
-        var dtbs = externalCMSService.getDataToSign(documentDigest, signatureParameter);
+        var dtbs = DSSFactory.pAdESService().getDataToSign(unsignedDocument, signatureParameter);
 
         // POST /sign/to-be-signed/transactions
         var toBeSignedId = UUID.randomUUID();
@@ -130,15 +129,19 @@ public void runExample() throws Exception {
                 .filter(v -> v.id().equals(toBeSignedId)).findFirst().orElseThrow();
 
         // use the signature value to incorporate a signature into the unsigned document
-        var cmsSignedData = DSSFactory.externalCMSService(signatureValueWithTimestamp.timestamp())
-                .signMessageDigest(documentDigest, signatureParameter, new SignatureValue(signatureParameter.getSignatureAlgorithm(), signatureValueWithTimestamp.signatureValue()));
+        var signatureValue = new SignatureValue(signatureParameter.getSignatureAlgorithm(), signatureValueWithTimestamp.signatureValue());
+        var signedDocument = DSSFactory.pAdESService(signatureValueWithTimestamp.timestamp())
+                .signDocument(unsignedDocument, signatureParameter, signatureValue);
 
-        if (!padesWithExternalCMSService.isValidCMSSignedData(documentDigest, cmsSignedData)) {
+        if (!DSSFactory.pAdESService().isValidSignatureValue(dtbs, signatureValue, new CertificateToken(toX509Certificate(certificate.certificate())))) {
             System.err.println("signatureValue is not coherent with document digest");
             return;
         }
 
-        var signedDocument = padesWithExternalCMSService.signDocument(unsignedDocument, signatureParameter, cmsSignedData);
+        // extend signature to LT-Level
+        signedDocument = DSSFactory.pAdESExtensionService().incorporateValidationData(signedDocument, null, true);
+
+        DSSFactory.signedDocumentValidator(unsignedDocument, signedDocument).validateDocument();
 
         writeToDisk(signedDocument, "sample_signed.pdf");
         System.out.println("sample.pdf is now signed and written to disk as sample_signed.pdf");