Для проверки ЭЦП необходимо сначала получить её из XML-файла (XMLDSig) или из отдельного файла подписи (CMS). В обоих случаях сертификат подписанта, извлечённый из самой подписи, ещё не является доверенным — его нужно проверить по цепочке до корневого сертификата и по CRL (см. ниже).
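// --- CMS (PKCS#7) detached signature: locate each signer and its certificate ---
// signaturePath holds the Base64-encoded CMS SignedData; the signed content
// itself lives in documentPath (detached signature), so it is supplied
// explicitly on the second construction.
CMSSignedData cmsSignedData = new CMSSignedData(Base64.decode(readFile(signaturePath)));
CMSProcessableByteArray signedContent = new CMSProcessableByteArray(readFile(documentPath).getBytes("UTF-8"));
cmsSignedData = new CMSSignedData(signedContent, cmsSignedData.getEncoded());
SignerInformationStore signerInformationStore = cmsSignedData.getSignerInfos();
// Certificates carried inside the CMS blob are supplied by whoever produced the
// file: they only identify the signer and must still be chain-validated against
// the trusted roots (see the PKIX section below) before a verification counts.
CertStore clientCerts = cmsSignedData.getCertificatesAndCRLs("Collection", mProviderName);
// Start pessimistic: a SignedData with no SignerInfo, or a signer without a
// matching certificate, must not verify. The original initialised this to
// true, which passes whenever the loop body never runs.
boolean overAllResult = signerInformationStore.size() > 0;
// The signer list lives on the SignerInformationStore; the original called
// getSigners() on the CMSProcessableByteArray, which has no such method.
Iterator it = signerInformationStore.getSigners().iterator();
while (it.hasNext()) {
    SignerInformation signer = (SignerInformation) it.next();
    X509CertSelector signerConstraints = signer.getSID();
    Collection certCollection = clientCerts.getCertificates(signerConstraints);
    if (certCollection.isEmpty()) {
        // No certificate for this SignerInfo: nothing to verify against.
        overAllResult = false;
        continue;
    }
    Iterator certIt = certCollection.iterator();
    int indexOfSigner = 0;
    while (certIt.hasNext()) {
        indexOfSigner++;
        X509Certificate cert = (X509Certificate) certIt.next();
        // TODO(review): the elided code is expected to call signer.verify(...)
        // with cert's public key and AND the outcome into overAllResult, so a
        // single failing signer makes the whole result false — confirm.
        /* other code */
    }
}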
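// --- XML (XMLDSig) signature: parse the document and locate the ds:Signature ---
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
// Harden the parser against XXE / entity expansion: the XML comes from outside
// and is parsed before any signature is checked. setFeature throws
// ParserConfigurationException when a feature is unsupported, so an unhardened
// parser is reported instead of silently used.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
Document doc = documentBuilder.parse(new ByteArrayInputStream(xmlString.getBytes("UTF-8")));
// With a namespace-aware parser the element must be looked up by namespace,
// not by the literal "ds:" prefix, which the producer is free to change.
// Searching from the Document (rather than its first child, which may be a
// comment or PI) also finds a Signature that is itself the root element.
NodeList list = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
int length = list.getLength();
// Declared outside the loop so the chain validation that follows can use the
// last signature/certificate examined.
Element sigElement = null;
XMLSignature signature = null;
X509Certificate cert = null;
if (length == 0) {
    // No signature at all is a verification failure, not a pass.
    System.out.print(VERIFICATION_FAILED);
}
// assumes org.apache.xml.security.Init.init() has already been called — TODO confirm
for (int i = 0; i < length; i++) {
    // The original fetched list.item(length - 1) on every iteration, i.e. it
    // re-examined the last Signature `length` times and never looked at the
    // others. Every Signature element is visited here; if only the last one is
    // meant to be checked, drop the loop and take item(length - 1) once.
    sigElement = (Element) list.item(i);
    signature = new XMLSignature(sigElement, "");
    KeyInfo ki = signature.getKeyInfo();
    // KeyInfo is optional in XMLDSig; a Signature without an embedded
    // certificate cannot be verified by this flow.
    if (ki == null || (cert = ki.getX509Certificate()) == null) {
        System.out.print(VERIFICATION_FAILED);
        continue;
    }
    // NOTE(review): checkSignatureValue only proves SignedInfo was signed by
    // cert's key. The elided code must also confirm that the Reference URIs
    // cover the element(s) the application relies on (signature wrapping).
    /* other code */
}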
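// --- Chain-validate the signer certificate, then check the signature value ---
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<X509Certificate> certList = new ArrayList<X509Certificate>();
// Only the leaf is placed on the path. PKIX validation needs every intermediate
// between the leaf and a trust anchor; if the PKI uses intermediates they must
// be appended here (e.g. from KeyInfo or the CMS certificate store) or
// validate() fails with "unable to find valid certification path".
certList.add(cert);
CertPath cp = cf.generateCertPath(certList);
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
// Trust anchors are the self-signed roots shipped with the application, never
// anything found inside the signed document.
PKIXParameters params = new PKIXParameters(getTrustedCertsFromResources(rootCAList));
// Revocation checking is ON by default for PKIXParameters, so the CRLs must be
// reachable through a CertStore; a missing or stale CRL makes validate() throw
// (fail closed) instead of skipping the check. One store holding all CRLs is
// equivalent to the original one-store-per-CRL loop.
List<X509CRL> crlList = getCrlFromFile(mCrlFiles);
params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crlList)));
// validate() throws CertPathValidatorException on any failure (untrusted
// issuer, expired, revoked), so reaching the next line means the chain is
// trusted. Validity is checked against the current time; to verify a signature
// after the certificate has expired, set params.setDate() to the signing time.
PKIXCertPathValidatorResult validationResult = (PKIXCertPathValidatorResult) certPathValidator.validate(cp, params);
// Only now is cert's public key trusted; verify the signature value with it.
result = signature.checkSignatureValue(cert);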
Порядок проверки сертификата подписанта (соответствует коду выше):
1. Получить CertificateFactory (CertificateFactory.getInstance("X.509")).
2. Сформировать список сертификатов (List<X509Certificate>) с сертификатом подписанта, извлечённым из подписи.
3. Создать CertPath у CertificateFactory, используя метод generateCertPath со списком из п. 2.
4. Получить CertPathValidator (алгоритм "PKIX").
5. Создать PKIXParameters на основе корневых сертификатов (корневые — самоподписанные); проверка отзыва по CRL в PKIXParameters включена по умолчанию.
6. Добавить CertStore с CRL-файлами к PKIXParameters из п. 5.
7. Вызвать у CertPathValidator из п. 4 метод validate с CertPath из п. 3 и PKIXParameters из п. 5; при любой ошибке цепочки он бросает CertPathValidatorException, и только после успешной проверки можно проверять значение подписи ключом этого сертификата.