Package com.lowagie.text.pdf

Class PdfPKCS7

  • public class PdfPKCS7
extends Object
    This class does all the processing related to signing and verifying a PKCS#7 signature.

    It's based in code found at org.bouncycastle.

    • Constructor Detail

      • PdfPKCS7

        public PdfPKCS7​(byte[] contentsKey,
                byte[] certsKey,
                String provider)
        Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
        Parameters:
        contentsKey - the /Contents key
        certsKey - the /Cert key
        provider - the provider or null for the default provider

      • PdfPKCS7

        public PdfPKCS7​(byte[] contentsKey,
                String provider)
        Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
        Parameters:
        contentsKey - the /Contents key
        provider - the provider or null for the default provider

    • Method Detail

      • getDigest

        public static String getDigest​(String oid)
        Gets the digest name for a certain id
        Parameters:
        oid - an id (for instance "1.2.840.113549.2.5")
        Returns:
        a digest name (for instance "MD5")
        Since:
        2.1.6

      • getAlgorithm

        public static String getAlgorithm​(String oid)
        Gets the algorithm name for a certain id.
        Parameters:
        oid - an id (for instance "1.2.840.113549.1.1.1")
        Returns:
        an algorithm name (for instance "RSA")
        Since:
        2.1.6

      • getDigestOid

        public static String getDigestOid​(String digestName)
        Gets the oid for given digest name.
        Parameters:
        digestName - digest name (for instance "SHA-256")
        Returns:
        a digest OID (for instance "2.16.840.1.101.3.4.2.1") or null if the oid for provided name is not found

      • getTimeStampToken

        public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
        Gets the timestamp token if there is one.
        Returns:
        the timestamp token or null
        Since:
        2.1.6

      • getTimeStampDate

        public Calendar getTimeStampDate()
        Gets the timestamp date
        Returns:
        a date
        Since:
        2.1.6

      • getOcsp

        public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
        Gets the OCSP basic response if there is one.
        Returns:
        the OCSP basic response or null
        Since:
        2.1.6

      • update

        public void update​(byte[] buf,
                   int off,
                   int len)
            throws SignatureException
        Update the digest with the specified bytes. This method is used both for signing and verifying
        Parameters:
        buf - the data buffer
        off - the offset in the data buffer
        len - the data length
        Throws:
        SignatureException - on error

      • verifyTimestampImprint

        public boolean verifyTimestampImprint()
                               throws NoSuchAlgorithmException
        Checks if the timestamp refers to this document.
        Returns:
        true if it checks false otherwise
        Throws:
        NoSuchAlgorithmException - on error
        Since:
        2.1.6

      • getCertificates

        public Certificate[] getCertificates()
        Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.
        Returns:
        the X.509 certificates associated with this PKCS#7 object

      • getSignCertificateChain

        public Certificate[] getSignCertificateChain()
        Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.
        Returns:
        the X.509 certificates associated with this PKCS#7 object
        Since:
        2.1.6

      • getCRLs

        public Collection getCRLs()
        Get the X.509 certificate revocation lists associated with this PKCS#7 object
        Returns:
        the X.509 certificate revocation lists associated with this PKCS#7 object

      • getSigningCertificate

        public X509Certificate getSigningCertificate()
        Get the X.509 certificate actually used to sign the digest.
        Returns:
        the X.509 certificate actually used to sign the digest

      • getVersion

        public int getVersion()
        Get the version of the PKCS#7 object. Always 1
        Returns:
        the version of the PKCS#7 object. Always 1

      • getSigningInfoVersion

        public int getSigningInfoVersion()
        Get the version of the PKCS#7 "SignerInfo" object. Always 1
        Returns:
        the version of the PKCS#7 "SignerInfo" object. Always 1

      • getDigestAlgorithm

        public String getDigestAlgorithm()
        Get the algorithm used to calculate the message digest
        Returns:
        the algorithm used to calculate the message digest

      • getHashAlgorithm

        public String getHashAlgorithm()
        Returns the algorithm.
        Returns:
        the digest algorithm

      • loadCacertsKeyStore

        public static KeyStore loadCacertsKeyStore()
        Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
        Returns:
        a KeyStore

      • loadCacertsKeyStore

        public static KeyStore loadCacertsKeyStore​(String provider)
        Loads the default root certificates at <java.home>/lib/security/cacerts.
        Parameters:
        provider - the provider or null for the default provider
        Returns:
        a KeyStore

      • verifyCertificate

        public static String verifyCertificate​(X509Certificate cert,
                                       Collection crls,
                                       Calendar calendar)
        Verifies a single certificate.
        Parameters:
        cert - the certificate to verify
        crls - the certificate revocation list or null
        calendar - the date or null for the current date
        Returns:
        a String with the error description or null if no error

      • verifyCertificates

        public static Object[] verifyCertificates​(Certificate[] certs,
                                          KeyStore keystore,
                                          Collection crls,
                                          Calendar calendar)
        Verifies a certificate chain against a KeyStore.
        Parameters:
        certs - the certificate chain
        keystore - the KeyStore
        crls - the certificate revocation list or null
        calendar - the date or null for the current date
        Returns:
        null if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

      • getOCSPURL

        public static String getOCSPURL​(X509Certificate certificate)
        Retrieves the OCSP URL from the given certificate.
        Parameters:
        certificate - the certificate
        Returns:
        the URL or null
        Since:
        2.1.6

      • isRevocationValid

        public boolean isRevocationValid()
        Checks if OCSP revocation refers to the document signing certificate.
        Returns:
        true if it checks false otherwise
        Since:
        2.1.6

      • getIssuerFields

        public static PdfPKCS7.X509Name getIssuerFields​(X509Certificate cert)
        Get the issuer fields from an X509 Certificate
        Parameters:
        cert - an X509Certificate
        Returns:
        an X509Name

      • getSubjectFields

        public static PdfPKCS7.X509Name getSubjectFields​(X509Certificate cert)
        Get the subject fields from an X509 Certificate
        Parameters:
        cert - an X509Certificate
        Returns:
        an X509Name

      • getEncodedPKCS1

        public byte[] getEncodedPKCS1()
        Gets the bytes for the PKCS#1 object.
        Returns:
        a byte array

      • setExternalDigest

        public void setExternalDigest​(byte[] digest,
                              byte[] RSAdata,
                              String digestEncryptionAlgorithm)
        Sets the digest/signature to an external calculated value.
        Parameters:
        digest - the digest. This is the actual signature
        RSAdata - the extra data that goes into the data tag in PKCS#7
        digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7()
        Gets the bytes for the PKCS7SignedData object.
        Returns:
        the bytes for the PKCS7SignedData object

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7​(byte[] secondDigest,
                              Calendar signingTime)
        Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.
        Parameters:
        secondDigest - the digest in the authenticatedAttributes
        signingTime - the signing time in the authenticatedAttributes
        Returns:
        the bytes for the PKCS7SignedData object

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7​(byte[] secondDigest,
                              Calendar signingTime,
                              TSAClient tsaClient,
                              byte[] ocsp)
        Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.
        Parameters:
        secondDigest - the digest in the authenticatedAttributes
        signingTime - the signing time in the authenticatedAttributes
        tsaClient - TSAClient - null or an optional time stamp authority client
        ocsp - a byte array
        Returns:
        byte[] the bytes for the PKCS7SignedData object
        Since:
        2.1.6

      • getAuthenticatedAttributeBytes

        public byte[] getAuthenticatedAttributeBytes​(byte[] secondDigest,
                                             Calendar signingTime,
                                             byte[] ocsp)
        When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in getEncodedPKCS7(byte[], Calendar). A simple example: 
         Calendar cal = Calendar.getInstance();
 PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
 MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
 byte buf[] = new byte[8192];
 int n;
 InputStream inp = sap.getRangeStream();
 while ((n = inp.read(buf)) > 0) {
   messageDigest.update(buf, 0, n);
 }
 byte hash[] = messageDigest.digest();
 byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);
 pk7.update(sh, 0, sh.length);
 byte sg[] = pk7.getEncodedPKCS7(hash, cal);
        Parameters:
        secondDigest - the content digest
        signingTime - the signing time
        ocsp - a byte array
        Returns:
        the byte array representation of the authenticatedAttributes ready to be signed

      • getReason

        public String getReason()
        Getter for property reason.
        Returns:
        Value of property reason.

      • setReason

        public void setReason​(String reason)
        Setter for property reason.
        Parameters:
        reason - New value of property reason.

      • getLocation

        public String getLocation()
        Getter for property location.
        Returns:
        Value of property location.

      • setLocation

        public void setLocation​(String location)
        Setter for property location.
        Parameters:
        location - New value of property location.

      • getSignDate

        public Calendar getSignDate()
        Getter for property signDate.
        Returns:
        Value of property signDate.

      • setSignDate

        public void setSignDate​(Calendar signDate)
        Setter for property signDate.
        Parameters:
        signDate - New value of property signDate.

      • getSignName

        public String getSignName()
        Getter for property sigName.
        Returns:
        Value of property sigName.

      • setSignName

        public void setSignName​(String signName)
        Setter for property sigName.
        Parameters:
        signName - New value of property sigName.