Package com.itextpdf.signatures
Class LtvVerification
java.lang.Object
com.itextpdf.signatures.LtvVerification
Add verification according to PAdES-LTV (part 4).

Nested Class Summary

  static enum  LtvVerification.CertificateInclusion
      Certificate inclusion in the DSS and VRI dictionaries in the CERT and CERTS keys.
  static enum  LtvVerification.CertificateOption
      Options for how many certificates to include.
  static enum  LtvVerification.Level
      What type of verification to include.
  static enum  LtvVerification.RevocationDataNecessity
      Option to determine whether revocation information is required for the signing certificate.
  private static class  LtvVerification.ValidationData

Field Summary

  private static final IBouncyCastleFactory  BOUNCY_CASTLE_FACTORY
  private final PdfDocument  document
  private IIssuingCertificateRetriever  issuingCertificateRetriever
  private static final org.slf4j.Logger  LOGGER
  private LtvVerification.RevocationDataNecessity  revocationDataNecessity
  private String  securityProviderCode
  private final SignatureUtil  sgnUtil
  private boolean  used
  private final Map<PdfName, LtvVerification.ValidationData>  validated

Constructor Summary

  LtvVerification(PdfDocument document)
      The verification constructor.
  LtvVerification(PdfDocument document, String securityProviderCode)
      The verification constructor.

Method Summary

  private void  addRevocationDataForCertificate(X509Certificate signingCert, Certificate[] certificateChain, X509Certificate cert, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts)
  private void  addRevocationDataForChain(X509Certificate signingCert, Certificate[] certChain, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts)
  private void  addRevocationDataForOcspCert(byte[] ocspEnc, X509Certificate signingCert, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts)
  boolean  addVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, LtvVerification.CertificateOption certOption, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude)
      Add verification for a particular signature.
  boolean  addVerification(String signatureName, Collection<byte[]> ocsps, Collection<byte[]> crls, Collection<byte[]> certs)
      Adds verification to the signature.
  private static byte[]  buildOCSPResponse(byte[] basicOcspResponse)
  static String  convertToHex(byte[] bytes)
      Converts an array of bytes to a String of hexadecimal values.
  private void  createDss()
  private static void  deleteOldReferences(PdfArray all, PdfArray toDelete)
  (package private) X509Certificate  getParent(X509Certificate cert, Certificate[] certs)
      Get the issuing certificate for a child certificate.
  private PdfName  getSignatureHashKey(String signatureName)
  private static byte[]  hashBytesSha1(byte[] b)
  private static List<X509Certificate>  iterableToList(Iterable<X509Certificate> iterable)
  void  merge()
      Merges the validation with any validation already in the document or creates a new one.
  private void  outputDss(PdfDictionary dss, PdfDictionary vrim, PdfArray ocsps, PdfArray crls, PdfArray certs)
  private Certificate[]  retrieveMissingCertificates(Certificate[] certChain)
  LtvVerification  setIssuingCertificateRetriever(IIssuingCertificateRetriever issuingCertificateRetriever)
      Sets the IIssuingCertificateRetriever instance needed to get CRL issuer certificates (using the AIA extension).
  LtvVerification  setRevocationDataNecessity(LtvVerification.RevocationDataNecessity revocationDataNecessity)
      Sets the LtvVerification.RevocationDataNecessity option to specify the necessity of revocation data.
  private void  updateDss()

Field Details

  BOUNCY_CASTLE_FACTORY
      private static final IBouncyCastleFactory BOUNCY_CASTLE_FACTORY

  LOGGER
      private static final org.slf4j.Logger LOGGER

  document
      private final PdfDocument document

  sgnUtil
      private final SignatureUtil sgnUtil

  validated
      private final Map<PdfName, LtvVerification.ValidationData> validated

  used
      private boolean used

  securityProviderCode
      private String securityProviderCode

  revocationDataNecessity
      private LtvVerification.RevocationDataNecessity revocationDataNecessity

  issuingCertificateRetriever
      private IIssuingCertificateRetriever issuingCertificateRetriever

Constructor Details

  LtvVerification

      public LtvVerification(PdfDocument document)

      The verification constructor. The collected validation data is only written to the document when merge() is called. The document must be opened for stamping in append mode, so that the DSS is added as an incremental update; otherwise the bytes covered by the existing signatures change and those signatures become invalid.

      Parameters:
        document - the PdfDocument to apply the validation to.

  LtvVerification

      public LtvVerification(PdfDocument document, String securityProviderCode)

      The verification constructor. The collected validation data is only written to the document when merge() is called. The document must be opened for stamping in append mode, so that the DSS is added as an incremental update; otherwise the bytes covered by the existing signatures change and those signatures become invalid.

      Parameters:
        document - the PdfDocument to apply the validation to.
        securityProviderCode - the security provider to use

Method Details

  setRevocationDataNecessity

      public LtvVerification setRevocationDataNecessity(LtvVerification.RevocationDataNecessity revocationDataNecessity)

      Sets the LtvVerification.RevocationDataNecessity option to specify the necessity of revocation data. Default value is LtvVerification.RevocationDataNecessity.OPTIONAL. With the default, a signing certificate for which no OCSP response or CRL can be obtained is left without revocation data and the resulting DSS silently fails to make the signature long-term validatable; with the required option, missing revocation data for the signing certificate is reported as an error instead.

      Parameters:
        revocationDataNecessity - the LtvVerification.RevocationDataNecessity value to set
      Returns:
        this LtvVerification instance.

  setIssuingCertificateRetriever

      public LtvVerification setIssuingCertificateRetriever(IIssuingCertificateRetriever issuingCertificateRetriever)

      Sets the IIssuingCertificateRetriever instance needed to get CRL issuer certificates (using the AIA extension). Default value is DefaultIssuingCertificateRetriever.

      Parameters:
        issuingCertificateRetriever - the IIssuingCertificateRetriever instance to set
      Returns:
        this LtvVerification instance.

  addVerification

      public boolean addVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, LtvVerification.CertificateOption certOption, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude) throws IOException, GeneralSecurityException

      Add verification for a particular signature. Revocation data is fetched through the supplied clients for the signing certificate or for the certificates selected by certOption, and the certificates themselves are embedded according to certInclude.

      Parameters:
        signatureName - the signature to validate (it may be a timestamp)
        ocsp - the interface to get the OCSP responses
        crl - the interface to get the CRLs
        certOption - options as to how many certificates to include
        level - the validation options to include
        certInclude - certificate inclusion options
      Returns:
        true if a validation was generated, false otherwise (no OCSP response and no CRL could be collected, so merge() will write nothing for this signature)
      Throws:
        GeneralSecurityException - when the requested cryptographic algorithm or security provider is not available
        IOException - signals that an I/O exception has occurred

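The following is an added example of driving this overload end to end; it is not code from iText's own documentation. It assumes the iText 7/8 API surface of this package (PdfDocument, StampingProperties, SignatureUtil, OcspClientBouncyCastle, CrlClientOnline) and BouncyCastle on the classpath; the file paths are hypothetical. The two points a practitioner must get right are both here: the document is opened in append mode so the DSS lands in an incremental update, and a false return from addVerification is treated as a failure rather than silently merged.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.List;

import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.kernel.pdf.PdfWriter;
import com.itextpdf.kernel.pdf.StampingProperties;
import com.itextpdf.signatures.CrlClientOnline;
import com.itextpdf.signatures.ICrlClient;
import com.itextpdf.signatures.IOcspClient;
import com.itextpdf.signatures.LtvVerification;
import com.itextpdf.signatures.OcspClientBouncyCastle;
import com.itextpdf.signatures.SignatureUtil;

/**
 * Adds PAdES-LTV validation data (DSS and VRI dictionaries) to every signature
 * in an already signed PDF. Added example; not part of the iText documentation.
 */
public class LtvEnricher {

    /**
     * @param src  path of the signed input PDF (hypothetical; assumed to carry at least one signature)
     * @param dest path of the output PDF (hypothetical)
     * @return the names of the signatures for which validation data was generated
     */
    public static List<String> addLtv(String src, String dest)
            throws IOException, GeneralSecurityException {
        // Append mode is mandatory: the DSS must go into an incremental update. Rewriting the
        // file in place would alter the byte ranges the existing signatures cover and break them.
        try (PdfDocument pdfDoc = new PdfDocument(
                new PdfReader(src),
                new PdfWriter(dest),
                new StampingProperties().useAppendMode())) {

            // Network clients. A null OCSPVerifier means responses are fetched but not checked
            // at collection time; the validating application checks them later.
            IOcspClient ocsp = new OcspClientBouncyCastle(null);
            ICrlClient crl = new CrlClientOnline();

            LtvVerification ltv = new LtvVerification(pdfDoc)
                    // Non-default setting: refuse to produce a hollow DSS when no revocation
                    // data can be found for the signing certificate itself.
                    .setRevocationDataNecessity(
                            LtvVerification.RevocationDataNecessity.REQUIRED_FOR_SIGNING_CERTIFICATE);

            List<String> enriched = new ArrayList<>();
            for (String name : new SignatureUtil(pdfDoc).getSignatureNames()) {
                boolean added = ltv.addVerification(
                        name, ocsp, crl,
                        LtvVerification.CertificateOption.WHOLE_CHAIN,  // every certificate in the chain
                        LtvVerification.Level.OCSP_CRL,                 // collect both OCSP responses and CRLs
                        LtvVerification.CertificateInclusion.YES);      // embed the certificates too
                if (!added) {
                    // false means no OCSP response and no CRL was collected; nothing would be
                    // written for this signature, so fail loudly instead of shipping a half-LTV file.
                    throw new IllegalStateException("No revocation data collected for signature " + name);
                }
                enriched.add(name);
            }
            // Writes the collected data into DSS/VRI, merging with any DSS already present.
            ltv.merge();
            return enriched;
        }
    }
}
```

The OCSP responses and CRLs embedded this way are whatever the responders returned; nothing in this class checks that they are signed by the expected responder or that they are current. Run a full signature validation on the output file before treating it as long-term validatable.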
  addVerification

      public boolean addVerification(String signatureName, Collection<byte[]> ocsps, Collection<byte[]> crls, Collection<byte[]> certs) throws IOException, GeneralSecurityException

      Adds verification to the signature from revocation data and certificates supplied by the caller. Nothing is fetched or checked: the supplied encodings are embedded as given, so stale or mismatched data produces a document that appears LTV-enabled but fails validation.

      Parameters:
        signatureName - name of the signature
        ocsps - collection of DER-encoded BasicOCSPResponses (not the outer OCSPResponse structure an HTTP responder returns)
        crls - collection of DER-encoded CRLs
        certs - collection of DER-encoded certificates
      Returns:
        true if the supplied validation data was recorded for the signature
      Throws:
        IOException - signals that an I/O exception has occurred
        GeneralSecurityException - when the requested cryptographic algorithm or security provider is not available

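An added example for the collection-based overload (not from iText's documentation): it embeds revocation data collected earlier, say on a host without network access. The one thing that goes wrong in practice is the OCSP encoding: the parameter wants a bare BasicOCSPResponse, while an HTTP OCSP responder returns the outer OCSPResponse structure from RFC 6960 section 4.2.1. The helper below tells the two apart by their first ASN.1 element and unwraps the outer form. It assumes BouncyCastle (which this package already depends on) and hypothetical file paths.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;

import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.kernel.pdf.PdfWriter;
import com.itextpdf.kernel.pdf.StampingProperties;
import com.itextpdf.signatures.LtvVerification;

/**
 * Embeds previously collected revocation data through the collection-based
 * addVerification overload. Added example; not part of the iText documentation.
 */
public class OfflineLtv {

    /**
     * Returns the DER-encoded BasicOCSPResponse that addVerification expects.
     * Accepts either a bare BasicOCSPResponse or the full OCSPResponse wrapper
     * returned over HTTP and unwraps the latter.
     */
    static byte[] toBasicOcspResponse(byte[] der) throws IOException {
        ASN1Sequence seq = ASN1Sequence.getInstance(der);
        if (!(seq.getObjectAt(0) instanceof ASN1Enumerated)) {
            // First element is the ResponseData SEQUENCE: already a BasicOCSPResponse.
            // Re-encode so that only well-formed DER is embedded.
            return BasicOCSPResponse.getInstance(seq).getEncoded();
        }
        // First element is the responseStatus ENUMERATED: full OCSPResponse wrapper.
        OCSPResp full = new OCSPResp(OCSPResponse.getInstance(seq));
        if (full.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new IOException("OCSP response status " + full.getStatus() + " carries no revocation data");
        }
        try {
            Object inner = full.getResponseObject();
            if (!(inner instanceof BasicOCSPResp)) {
                throw new IOException("OCSP response is not a BasicOCSPResponse");
            }
            return ((BasicOCSPResp) inner).getEncoded();
        } catch (OCSPException e) {
            throw new IOException("Malformed OCSP response", e);
        }
    }

    private static Collection<byte[]> readAll(List<Path> files) throws IOException {
        Collection<byte[]> out = new ArrayList<>();
        for (Path p : files) {
            out.add(Files.readAllBytes(p));  // must be DER, not PEM: nothing here converts encodings
        }
        return out;
    }

    /**
     * @param ocspFiles OCSP responses in either form (hypothetical paths)
     * @param crlFiles  DER-encoded CRLs
     * @param certFiles DER-encoded certificates: the chain plus OCSP responder and CRL issuer certificates
     * @return what addVerification returned for the signature
     */
    public static boolean addOfflineLtv(String src, String dest, String signatureName,
                                        List<Path> ocspFiles, List<Path> crlFiles, List<Path> certFiles)
            throws IOException, GeneralSecurityException {
        Collection<byte[]> ocsps = new ArrayList<>();
        for (Path p : ocspFiles) {
            ocsps.add(toBasicOcspResponse(Files.readAllBytes(p)));
        }
        Collection<byte[]> crls = readAll(crlFiles);
        Collection<byte[]> certs = readAll(certFiles);

        // Append mode again: the DSS must be an incremental update or the signature breaks.
        try (PdfDocument pdfDoc = new PdfDocument(
                new PdfReader(src), new PdfWriter(dest), new StampingProperties().useAppendMode())) {
            LtvVerification ltv = new LtvVerification(pdfDoc);
            boolean added = ltv.addVerification(signatureName, ocsps, crls, certs);
            ltv.merge();
            return added;
        }
    }
}
```

Because this overload trusts its input, validate the responses and CRLs against the signing chain before calling it; an OCSP response for the wrong certificate or one whose nextUpdate has passed is embedded just as readily as a good one.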
  merge

      public void merge()

      Merges the validation with any validation already in the document or creates a new one.

  convertToHex

      static String convertToHex(byte[] bytes)

      Converts an array of bytes to a String of hexadecimal values.

      Parameters:
        bytes - a byte array
      Returns:
        the same bytes expressed as hexadecimal values

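After merge() the useful check is whether the DSS actually references each signature. ISO 32000-2 keys the VRI dictionary by the upper-case hex SHA-1 of the signature's Contents string, which is what getSignatureHashKey, hashBytesSha1 and convertToHex compute together. The added example below (not iText's own code) recomputes that key for every ordinary signature in a file and reports whether a matching VRI entry exists and how many OCSP responses, CRLs and certificates it carries. Document timestamps (SubFilter ETSI.RFC3161) are keyed from a different input and are reported as not checked. It assumes the iText 7/8 kernel and signatures API and a hypothetical file path.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

import com.itextpdf.kernel.pdf.PdfArray;
import com.itextpdf.kernel.pdf.PdfDictionary;
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfName;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.signatures.PdfSignature;
import com.itextpdf.signatures.SignatureUtil;

/**
 * Checks that each signature has a VRI entry under the key ISO 32000-2 prescribes and
 * reports how much validation data it references. Added example; not iText code.
 */
public class DssInspector {

    /** Findings for one signature. */
    public static final class VriStatus {
        public final String signatureName;
        public final String vriKey;      // null when the key was not computed (document timestamps)
        public final boolean hasVri;
        public final int ocsps, crls, certs;

        VriStatus(String signatureName, String vriKey, boolean hasVri, int ocsps, int crls, int certs) {
            this.signatureName = signatureName;
            this.vriKey = vriKey;
            this.hasVri = hasVri;
            this.ocsps = ocsps;
            this.crls = crls;
            this.certs = certs;
        }
    }

    /** Upper-case hex, the form convertToHex produces and the VRI key requires. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /** SHA-1 over the raw bytes of the signature's /Contents string (padding included). */
    static String vriKey(PdfSignature sig) throws NoSuchAlgorithmException {
        byte[] contents = sig.getContents().getValueBytes();
        return toHex(MessageDigest.getInstance("SHA-1").digest(contents));
    }

    private static int arraySize(PdfDictionary dict, PdfName key) {
        if (dict == null) {
            return 0;
        }
        PdfArray a = dict.getAsArray(key);
        return a == null ? 0 : a.size();
    }

    public static List<VriStatus> inspect(String path) throws IOException, NoSuchAlgorithmException {
        List<VriStatus> report = new ArrayList<>();
        try (PdfDocument pdfDoc = new PdfDocument(new PdfReader(path))) {
            PdfDictionary dss = pdfDoc.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
            PdfDictionary vrim = dss == null ? null : dss.getAsDictionary(PdfName.VRI);
            SignatureUtil util = new SignatureUtil(pdfDoc);
            for (String name : util.getSignatureNames()) {
                PdfSignature sig = util.getSignature(name);
                if (PdfName.ETSI_RFC3161.equals(sig.getSubFilter())) {
                    // Document timestamps are keyed from a different digest input; report, do not guess.
                    report.add(new VriStatus(name, null, false, 0, 0, 0));
                    continue;
                }
                String key = vriKey(sig);
                PdfDictionary vri = vrim == null ? null : vrim.getAsDictionary(new PdfName(key));
                // VRI entries use the singular keys /OCSP, /CRL and /Cert; the DSS itself uses /OCSPs, /CRLs, /Certs.
                report.add(new VriStatus(name, key, vri != null,
                        arraySize(vri, PdfName.OCSP), arraySize(vri, PdfName.CRL), arraySize(vri, PdfName.Cert)));
            }
        }
        return report;
    }
}
```

A signature whose VriStatus has hasVri false, or ocsps and crls both zero, is not long-term validatable even if the file contains a DSS; that is the case the OPTIONAL default of setRevocationDataNecessity lets through.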
  getParent

      X509Certificate getParent(X509Certificate cert, Certificate[] certs)

      Get the issuing certificate for a child certificate.

      Parameters:
        cert - the certificate for which we search the parent
        certs - an array with certificates that contains the parent
      Returns:
        the parent certificate

  addRevocationDataForChain

      private void addRevocationDataForChain(X509Certificate signingCert, Certificate[] certChain, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts) throws CertificateException, IOException, CRLException

  addRevocationDataForCertificate

      private void addRevocationDataForCertificate(X509Certificate signingCert, Certificate[] certificateChain, X509Certificate cert, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts) throws IOException, CertificateException, CRLException

  addRevocationDataForOcspCert

      private void addRevocationDataForOcspCert(byte[] ocspEnc, X509Certificate signingCert, IOcspClient ocsp, ICrlClient crl, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude, LtvVerification.CertificateOption certOption, LtvVerification.ValidationData validationData, Set<X509Certificate> processedCerts) throws CertificateException, IOException, CRLException

  iterableToList

      private static List<X509Certificate> iterableToList(Iterable<X509Certificate> iterable)

  buildOCSPResponse

      private static byte[] buildOCSPResponse(byte[] basicOcspResponse) throws IOException

      Throws:
        IOException

  getSignatureHashKey

      private PdfName getSignatureHashKey(String signatureName) throws NoSuchAlgorithmException

      Throws:
        NoSuchAlgorithmException

  hashBytesSha1

      private static byte[] hashBytesSha1(byte[] b) throws NoSuchAlgorithmException

      Throws:
        NoSuchAlgorithmException

  updateDss

      private void updateDss()

  deleteOldReferences

      private static void deleteOldReferences(PdfArray all, PdfArray toDelete)

  createDss

      private void createDss()

  outputDss

      private void outputDss(PdfDictionary dss, PdfDictionary vrim, PdfArray ocsps, PdfArray crls, PdfArray certs)

  retrieveMissingCertificates

      private Certificate[] retrieveMissingCertificates(Certificate[] certChain)