Package com.lowagie.text.pdf
Class PdfPKCS7
java.lang.Object
com.lowagie.text.pdf.PdfPKCS7
This class does all the processing related to signing and verifying a PKCS#7 signature.
It's based in code found at org.bouncycastle.
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic class
a class that holds an X509 namestatic class
class for breaking up an X500 Name into it's component tokens, ala java.util.StringTokenizer. -
Field Summary
FieldsModifier and TypeFieldDescriptionprivate org.bouncycastle.cert.ocsp.BasicOCSPResp
private final List
<Certificate> private byte[]
private String
private byte[]
private String
private byte[]
private byte[]
private static final String
private static final String
private static final String
private static final String
private static final String
private static final String
private static final String
private static final String
private static final String
private String
Holds value of property location.private MessageDigest
private PrivateKey
private final String
private String
Holds value of property reason.private byte[]
private Signature
private byte[]
private X509Certificate
private List
<Certificate> private Calendar
Holds value of property signDate.private int
private String
Holds value of property signName.private org.bouncycastle.tsp.TimeStampToken
private boolean
private boolean
private int
-
Constructor Summary
ConstructorsConstructorDescriptionVerifies a signature using the sub-filter adbe.x509.rsa_sha1.Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.PdfPKCS7
(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata) Generates a signature. -
Method Summary
Modifier and TypeMethodDescriptionprivate org.bouncycastle.asn1.ASN1EncodableVector
buildUnauthenticatedAttributes
(byte[] timeStampToken) Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).private void
findOcsp
(org.bouncycastle.asn1.ASN1Sequence seq) static String
getAlgorithm
(String oid) Gets the algorithm name for a certain id.byte[]
getAuthenticatedAttributeBytes
(byte[] secondDigest, Calendar signingTime, byte[] ocsp) When using authenticatedAttributes the authentication process is different.private org.bouncycastle.asn1.DERSet
getAuthenticatedAttributeSet
(byte[] secondDigest, Calendar signingTime, byte[] ocsp) Get all the X.509 certificates associated with this PKCS#7 object in no particular order.getCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 objectstatic String
Gets the digest name for a certain idGet the algorithm used to calculate the message digeststatic String
getDigestOid
(String digestName) Gets the oid for given digest name.byte[]
Gets the bytes for the PKCS#1 object.byte[]
Gets the bytes for the PKCS7SignedData object.byte[]
getEncodedPKCS7
(byte[] secondDigest, Calendar signingTime) Gets the bytes for the PKCS7SignedData object.byte[]
getEncodedPKCS7
(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp) Gets the bytes for the PKCS7SignedData object.private static org.bouncycastle.asn1.ASN1Primitive
getExtensionValue
(X509Certificate cert, String oid) Returns the algorithm.private static org.bouncycastle.asn1.ASN1Primitive
getIssuer
(byte[] enc) Get the "issuer" from the TBSCertificate bytes that are passed instatic PdfPKCS7.X509Name
Get the issuer fields from an X509 CertificateGetter for property location.org.bouncycastle.cert.ocsp.BasicOCSPResp
getOcsp()
Gets the OCSP basic response if there is one.static String
getOCSPURL
(X509Certificate certificate) Retrieves the OCSP URL from the given certificate.private static String
getOidForAlgorithmAndHash
(String signingAlgorithm, String hashAlgorithm) Determines an OID by signing and hash algorithm.Getter for property reason.Get the X.509 sign certificate chain associated with this PKCS#7 object.Getter for property signDate.Get the X.509 certificate actually used to sign the digest.int
Get the version of the PKCS#7 "SignerInfo" object.Getter for property sigName.private static String
getStandardJavaName
(String algName) private static String
getStringFromGeneralName
(org.bouncycastle.asn1.ASN1Primitive names) private static org.bouncycastle.asn1.ASN1Primitive
getSubject
(byte[] enc) Get the "subject" from the TBSCertificate bytes that are passed instatic PdfPKCS7.X509Name
Get the subject fields from an X509 CertificateGets the timestamp dateorg.bouncycastle.tsp.TimeStampToken
Gets the timestamp token if there is one.int
Get the version of the PKCS#7 object.boolean
Checks if OCSP revocation refers to the document signing certificate.static KeyStore
Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.static KeyStore
loadCacertsKeyStore
(String provider) Loads the default root certificates at <java.home>/lib/security/cacerts.void
setExternalDigest
(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm) Sets the digest/signature to an external calculated value.void
setLocation
(String location) Setter for property location.void
Setter for property reason.void
setSignDate
(Calendar signDate) Setter for property signDate.void
setSignName
(String signName) Setter for property sigName.private void
void
update
(byte[] buf, int off, int len) Update the digest with the specified bytes.boolean
verify()
Verify the digest.static String
verifyCertificate
(X509Certificate cert, Collection crls, Calendar calendar) Verifies a single certificate.static Object[]
verifyCertificates
(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar) Verifies a certificate chain against a KeyStore.boolean
Checks if the timestamp refers to this document.
-
Field Details
-
ID_PKCS7_DATA
- See Also:
-
ID_PKCS7_SIGNED_DATA
- See Also:
-
ID_RSA
- See Also:
-
ID_DSA
- See Also:
-
ID_ECDSA
- See Also:
-
ID_CONTENT_TYPE
- See Also:
-
ID_MESSAGE_DIGEST
- See Also:
-
ID_SIGNING_TIME
- See Also:
-
ID_ADBE_REVOCATION
- See Also:
-
digestNames
-
algorithmNames
-
allowedDigests
-
rsaOids
-
dsaOids
-
ecdsaOids
-
certs
-
crls
-
provider
-
sigAttr
private byte[] sigAttr -
digestAttr
private byte[] digestAttr -
version
private int version -
signerversion
private int signerversion -
digestalgos
-
signCerts
-
signCert
-
digest
private byte[] digest -
messageDigest
-
digestAlgorithm
-
digestEncryptionAlgorithm
-
sig
-
privKey
-
RSAdata
private byte[] RSAdata -
verified
private boolean verified -
verifyResult
private boolean verifyResult -
externalDigest
private byte[] externalDigest -
externalRSAdata
private byte[] externalRSAdata -
reason
Holds value of property reason. -
location
Holds value of property location. -
signDate
Holds value of property signDate. -
signName
Holds value of property signName. -
timeStampToken
private org.bouncycastle.tsp.TimeStampToken timeStampToken -
basicResp
private org.bouncycastle.cert.ocsp.BasicOCSPResp basicResp
-
-
Constructor Details
-
PdfPKCS7
Verifies a signature using the sub-filter adbe.x509.rsa_sha1.- Parameters:
contentsKey
- the /Contents keycertsKey
- the /Cert keyprovider
- the provider ornull
for the default provider
-
PdfPKCS7
Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.- Parameters:
contentsKey
- the /Contents keyprovider
- the provider ornull
for the default provider
-
PdfPKCS7
public PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException Generates a signature.- Parameters:
privKey
- the private keycertChain
- the certificate chaincrlList
- the certificate revocation listhashAlgorithm
- the hash algorithmprovider
- the provider ornull
for the default providerhasRSAdata
-true
if the sub-filter is adbe.pkcs7.sha1- Throws:
InvalidKeyException
- on errorNoSuchProviderException
- on errorNoSuchAlgorithmException
- on error
-
-
Method Details
-
getOidForAlgorithmAndHash
Determines an OID by signing and hash algorithm. If nothing is found null will be returned.- Parameters:
signingAlgorithm
- - currently RSA, DSA and ECDSA are supported.hashAlgorithm
- like SHA1, SHA2 or SHA3
-
getDigest
Gets the digest name for a certain id- Parameters:
oid
- an id (for instance "1.2.840.113549.2.5")- Returns:
- a digest name (for instance "MD5")
- Since:
- 2.1.6
-
getAlgorithm
Gets the algorithm name for a certain id.- Parameters:
oid
- an id (for instance "1.2.840.113549.1.1.1")- Returns:
- an algorithm name (for instance "RSA")
- Since:
- 2.1.6
-
getDigestOid
Gets the oid for given digest name.- Parameters:
digestName
- digest name (for instance "SHA-256")- Returns:
- a digest OID (for instance "2.16.840.1.101.3.4.2.1") or
null
if the oid for provided name is not found
-
loadCacertsKeyStore
Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.- Returns:
- a
KeyStore
-
loadCacertsKeyStore
Loads the default root certificates at <java.home>/lib/security/cacerts.- Parameters:
provider
- the provider ornull
for the default provider- Returns:
- a
KeyStore
-
verifyCertificate
Verifies a single certificate.- Parameters:
cert
- the certificate to verifycrls
- the certificate revocation list ornull
calendar
- the date ornull
for the current date- Returns:
- a
String
with the error description ornull
if no error
-
verifyCertificates
public static Object[] verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar) Verifies a certificate chain against a KeyStore.- Parameters:
certs
- the certificate chainkeystore
- theKeyStore
crls
- the certificate revocation list ornull
calendar
- the date ornull
for the current date- Returns:
null
if the certificate chain could be validated or aObject[]{cert,error}
wherecert
is the failed certificate anderror
is the error message
-
getOCSPURL
Retrieves the OCSP URL from the given certificate.- Parameters:
certificate
- the certificate- Returns:
- the URL or null
- Since:
- 2.1.6
-
getExtensionValue
private static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Certificate cert, String oid) throws IOException - Throws:
IOException
-
getStringFromGeneralName
-
getIssuer
private static org.bouncycastle.asn1.ASN1Primitive getIssuer(byte[] enc) Get the "issuer" from the TBSCertificate bytes that are passed in- Parameters:
enc
- a TBSCertificate in a byte array- Returns:
- a ASN1Primitive
-
getSubject
private static org.bouncycastle.asn1.ASN1Primitive getSubject(byte[] enc) Get the "subject" from the TBSCertificate bytes that are passed in- Parameters:
enc
- A TBSCertificate in a byte array- Returns:
- a ASN1Primitive
-
getIssuerFields
Get the issuer fields from an X509 Certificate- Parameters:
cert
- an X509Certificate- Returns:
- an X509Name
-
getSubjectFields
Get the subject fields from an X509 Certificate- Parameters:
cert
- an X509Certificate- Returns:
- an X509Name
-
getStandardJavaName
-
getTimeStampToken
public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()Gets the timestamp token if there is one.- Returns:
- the timestamp token or null
- Since:
- 2.1.6
-
getTimeStampDate
Gets the timestamp date- Returns:
- a date
- Since:
- 2.1.6
-
getOcsp
public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()Gets the OCSP basic response if there is one.- Returns:
- the OCSP basic response or null
- Since:
- 2.1.6
-
findOcsp
- Throws:
IOException
-
update
Update the digest with the specified bytes. This method is used both for signing and verifying- Parameters:
buf
- the data bufferoff
- the offset in the data bufferlen
- the data length- Throws:
SignatureException
- on error
-
verify
Verify the digest.- Returns:
true
if the signature checks out,false
otherwise- Throws:
SignatureException
- on error
-
verifyTimestampImprint
Checks if the timestamp refers to this document.- Returns:
- true if it checks false otherwise
- Throws:
NoSuchAlgorithmException
- on error- Since:
- 2.1.6
-
getCertificates
Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.- Returns:
- the X.509 certificates associated with this PKCS#7 object
-
getSignCertificateChain
Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.- Returns:
- the X.509 certificates associated with this PKCS#7 object
- Since:
- 2.1.6
-
signCertificateChain
private void signCertificateChain() -
getCRLs
Get the X.509 certificate revocation lists associated with this PKCS#7 object- Returns:
- the X.509 certificate revocation lists associated with this PKCS#7 object
-
getSigningCertificate
Get the X.509 certificate actually used to sign the digest.- Returns:
- the X.509 certificate actually used to sign the digest
-
getVersion
public int getVersion()Get the version of the PKCS#7 object. Always 1- Returns:
- the version of the PKCS#7 object. Always 1
-
getSigningInfoVersion
public int getSigningInfoVersion()Get the version of the PKCS#7 "SignerInfo" object. Always 1- Returns:
- the version of the PKCS#7 "SignerInfo" object. Always 1
-
getDigestAlgorithm
Get the algorithm used to calculate the message digest- Returns:
- the algorithm used to calculate the message digest
-
getHashAlgorithm
Returns the algorithm.- Returns:
- the digest algorithm
-
isRevocationValid
public boolean isRevocationValid()Checks if OCSP revocation refers to the document signing certificate.- Returns:
- true if it checks false otherwise
- Since:
- 2.1.6
-
getEncodedPKCS1
public byte[] getEncodedPKCS1()Gets the bytes for the PKCS#1 object.- Returns:
- a byte array
-
setExternalDigest
Sets the digest/signature to an external calculated value.- Parameters:
digest
- the digest. This is the actual signatureRSAdata
- the extra data that goes into the data tag in PKCS#7digestEncryptionAlgorithm
- the encryption algorithm. It may must benull
if thedigest
is alsonull
. If thedigest
is notnull
then it may be "RSA" or "DSA"
-
getEncodedPKCS7
public byte[] getEncodedPKCS7()Gets the bytes for the PKCS7SignedData object.- Returns:
- the bytes for the PKCS7SignedData object
-
getEncodedPKCS7
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters isnull
, none will be used.- Parameters:
secondDigest
- the digest in the authenticatedAttributessigningTime
- the signing time in the authenticatedAttributes- Returns:
- the bytes for the PKCS7SignedData object
-
getEncodedPKCS7
public byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp) Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.- Parameters:
secondDigest
- the digest in the authenticatedAttributessigningTime
- the signing time in the authenticatedAttributestsaClient
- TSAClient - null or an optional time stamp authority clientocsp
- a byte array- Returns:
- byte[] the bytes for the PKCS7SignedData object
- Since:
- 2.1.6
-
buildUnauthenticatedAttributes
private org.bouncycastle.asn1.ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken) throws IOException Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface).- Parameters:
timeStampToken
- byte[] - time stamp token, DER encoded signedData- Returns:
- ASN1EncodableVector
- Throws:
IOException
-
getAuthenticatedAttributeBytes
public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime, byte[] ocsp) When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as ingetEncodedPKCS7(byte[], Calendar)
. A simple example:Calendar cal = Calendar.getInstance(); PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false); MessageDigest messageDigest = MessageDigest.getInstance("SHA1"); byte buf[] = new byte[8192]; int n; InputStream inp = sap.getRangeStream(); while ((n = inp.read(buf)) > 0) { messageDigest.update(buf, 0, n); } byte hash[] = messageDigest.digest(); byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal); pk7.update(sh, 0, sh.length); byte sg[] = pk7.getEncodedPKCS7(hash, cal);
- Parameters:
secondDigest
- the content digestsigningTime
- the signing timeocsp
- a byte array- Returns:
- the byte array representation of the authenticatedAttributes ready to be signed
-
getAuthenticatedAttributeSet
private org.bouncycastle.asn1.DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime, byte[] ocsp) -
getReason
Getter for property reason.- Returns:
- Value of property reason.
-
setReason
Setter for property reason.- Parameters:
reason
- New value of property reason.
-
getLocation
Getter for property location.- Returns:
- Value of property location.
-
setLocation
Setter for property location.- Parameters:
location
- New value of property location.
-
getSignDate
Getter for property signDate.- Returns:
- Value of property signDate.
-
setSignDate
Setter for property signDate.- Parameters:
signDate
- New value of property signDate.
-
getSignName
Getter for property sigName.- Returns:
- Value of property sigName.
-
setSignName
Setter for property sigName.- Parameters:
signName
- New value of property sigName.
-