Class PdfPKCS7

java.lang.Object
com.lowagie.text.pdf.PdfPKCS7

public class PdfPKCS7 extends Object
This class does all the processing related to signing and verifying a PKCS#7 signature.

It's based in code found at org.bouncycastle.

  • Field Details

    • ID_PKCS7_DATA

      private static final String ID_PKCS7_DATA
      See Also:
    • ID_PKCS7_SIGNED_DATA

      private static final String ID_PKCS7_SIGNED_DATA
      See Also:
    • ID_RSA

      private static final String ID_RSA
      See Also:
    • ID_DSA

      private static final String ID_DSA
      See Also:
    • ID_ECDSA

      private static final String ID_ECDSA
      See Also:
    • ID_CONTENT_TYPE

      private static final String ID_CONTENT_TYPE
      See Also:
    • ID_MESSAGE_DIGEST

      private static final String ID_MESSAGE_DIGEST
      See Also:
    • ID_SIGNING_TIME

      private static final String ID_SIGNING_TIME
      See Also:
    • ID_ADBE_REVOCATION

      private static final String ID_ADBE_REVOCATION
      See Also:
    • digestNames

      private static final Map<String,String> digestNames
    • algorithmNames

      private static final Map<String,String> algorithmNames
    • allowedDigests

      private static final Map<String,String> allowedDigests
    • rsaOids

      private static final HashMap<String,String> rsaOids
    • dsaOids

      private static final HashMap<String,String> dsaOids
    • ecdsaOids

      private static final HashMap<String,String> ecdsaOids
    • certs

      private final List<Certificate> certs
    • crls

      private final List<CRL> crls
    • provider

      private final String provider
    • sigAttr

      private byte[] sigAttr
    • digestAttr

      private byte[] digestAttr
    • version

      private int version
    • signerversion

      private int signerversion
    • digestalgos

      private Set<String> digestalgos
    • signCerts

      private List<Certificate> signCerts
    • signCert

      private X509Certificate signCert
    • digest

      private byte[] digest
    • messageDigest

      private MessageDigest messageDigest
    • digestAlgorithm

      private String digestAlgorithm
    • digestEncryptionAlgorithm

      private String digestEncryptionAlgorithm
    • sig

      private Signature sig
    • privKey

      private transient PrivateKey privKey
    • RSAdata

      private byte[] RSAdata
    • verified

      private boolean verified
    • verifyResult

      private boolean verifyResult
    • externalDigest

      private byte[] externalDigest
    • externalRSAdata

      private byte[] externalRSAdata
    • reason

      private String reason
      Holds value of property reason.
    • location

      private String location
      Holds value of property location.
    • signDate

      private Calendar signDate
      Holds value of property signDate.
    • signName

      private String signName
      Holds value of property signName.
    • timeStampToken

      private org.bouncycastle.tsp.TimeStampToken timeStampToken
    • basicResp

      private org.bouncycastle.cert.ocsp.BasicOCSPResp basicResp
  • Constructor Details

    • PdfPKCS7

      public PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
      Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
      Parameters:
      contentsKey - the /Contents key
      certsKey - the /Cert key
      provider - the provider or null for the default provider
    • PdfPKCS7

      public PdfPKCS7(byte[] contentsKey, String provider)
      Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
      Parameters:
      contentsKey - the /Contents key
      provider - the provider or null for the default provider
    • PdfPKCS7

      public PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException
      Generates a signature.
      Parameters:
      privKey - the private key
      certChain - the certificate chain
      crlList - the certificate revocation list
      hashAlgorithm - the hash algorithm
      provider - the provider or null for the default provider
      hasRSAdata - true if the sub-filter is adbe.pkcs7.sha1
      Throws:
      InvalidKeyException - on error
      NoSuchProviderException - on error
      NoSuchAlgorithmException - on error
  • Method Details

    • getOidForAlgorithmAndHash

      private static String getOidForAlgorithmAndHash(String signingAlgorithm, String hashAlgorithm)
      Determines an OID by signing and hash algorithm. If nothing is found null will be returned.
      Parameters:
      signingAlgorithm - - currently RSA, DSA and ECDSA are supported.
      hashAlgorithm - like SHA1, SHA2 or SHA3
    • getDigest

      public static String getDigest(String oid)
      Gets the digest name for a certain id
      Parameters:
      oid - an id (for instance "1.2.840.113549.2.5")
      Returns:
      a digest name (for instance "MD5")
      Since:
      2.1.6
    • getAlgorithm

      public static String getAlgorithm(String oid)
      Gets the algorithm name for a certain id.
      Parameters:
      oid - an id (for instance "1.2.840.113549.1.1.1")
      Returns:
      an algorithm name (for instance "RSA")
      Since:
      2.1.6
    • getDigestOid

      public static String getDigestOid(String digestName)
      Gets the oid for given digest name.
      Parameters:
      digestName - digest name (for instance "SHA-256")
      Returns:
      a digest OID (for instance "2.16.840.1.101.3.4.2.1") or null if the oid for provided name is not found
    • loadCacertsKeyStore

      public static KeyStore loadCacertsKeyStore()
      Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
      Returns:
      a KeyStore
    • loadCacertsKeyStore

      public static KeyStore loadCacertsKeyStore(String provider)
      Loads the default root certificates at <java.home>/lib/security/cacerts.
      Parameters:
      provider - the provider or null for the default provider
      Returns:
      a KeyStore
    • verifyCertificate

      public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar)
      Verifies a single certificate.
      Parameters:
      cert - the certificate to verify
      crls - the certificate revocation list or null
      calendar - the date or null for the current date
      Returns:
      a String with the error description or null if no error
    • verifyCertificates

      public static Object[] verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar)
      Verifies a certificate chain against a KeyStore.
      Parameters:
      certs - the certificate chain
      keystore - the KeyStore
      crls - the certificate revocation list or null
      calendar - the date or null for the current date
      Returns:
      null if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message
    • getOCSPURL

      public static String getOCSPURL(X509Certificate certificate)
      Retrieves the OCSP URL from the given certificate.
      Parameters:
      certificate - the certificate
      Returns:
      the URL or null
      Since:
      2.1.6
    • getExtensionValue

      private static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Certificate cert, String oid) throws IOException
      Throws:
      IOException
    • getStringFromGeneralName

      private static String getStringFromGeneralName(org.bouncycastle.asn1.ASN1Primitive names)
    • getIssuer

      private static org.bouncycastle.asn1.ASN1Primitive getIssuer(byte[] enc)
      Get the "issuer" from the TBSCertificate bytes that are passed in
      Parameters:
      enc - a TBSCertificate in a byte array
      Returns:
      a ASN1Primitive
    • getSubject

      private static org.bouncycastle.asn1.ASN1Primitive getSubject(byte[] enc)
      Get the "subject" from the TBSCertificate bytes that are passed in
      Parameters:
      enc - A TBSCertificate in a byte array
      Returns:
      a ASN1Primitive
    • getIssuerFields

      public static PdfPKCS7.X509Name getIssuerFields(X509Certificate cert)
      Get the issuer fields from an X509 Certificate
      Parameters:
      cert - an X509Certificate
      Returns:
      an X509Name
    • getSubjectFields

      public static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
      Get the subject fields from an X509 Certificate
      Parameters:
      cert - an X509Certificate
      Returns:
      an X509Name
    • getStandardJavaName

      private static String getStandardJavaName(String algName)
    • getTimeStampToken

      public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
      Gets the timestamp token if there is one.
      Returns:
      the timestamp token or null
      Since:
      2.1.6
    • getTimeStampDate

      public Calendar getTimeStampDate()
      Gets the timestamp date
      Returns:
      a date
      Since:
      2.1.6
    • getOcsp

      public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
      Gets the OCSP basic response if there is one.
      Returns:
      the OCSP basic response or null
      Since:
      2.1.6
    • findOcsp

      private void findOcsp(org.bouncycastle.asn1.ASN1Sequence seq) throws IOException
      Throws:
      IOException
    • update

      public void update(byte[] buf, int off, int len) throws SignatureException
      Update the digest with the specified bytes. This method is used both for signing and verifying
      Parameters:
      buf - the data buffer
      off - the offset in the data buffer
      len - the data length
      Throws:
      SignatureException - on error
    • verify

      public boolean verify() throws SignatureException
      Verify the digest.
      Returns:
      true if the signature checks out, false otherwise
      Throws:
      SignatureException - on error
    • verifyTimestampImprint

      public boolean verifyTimestampImprint() throws NoSuchAlgorithmException
      Checks if the timestamp refers to this document.
      Returns:
      true if it checks false otherwise
      Throws:
      NoSuchAlgorithmException - on error
      Since:
      2.1.6
    • getCertificates

      public Certificate[] getCertificates()
      Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.
      Returns:
      the X.509 certificates associated with this PKCS#7 object
    • getSignCertificateChain

      public Certificate[] getSignCertificateChain()
      Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.
      Returns:
      the X.509 certificates associated with this PKCS#7 object
      Since:
      2.1.6
    • signCertificateChain

      private void signCertificateChain()
    • getCRLs

      public Collection getCRLs()
      Get the X.509 certificate revocation lists associated with this PKCS#7 object
      Returns:
      the X.509 certificate revocation lists associated with this PKCS#7 object
    • getSigningCertificate

      public X509Certificate getSigningCertificate()
      Get the X.509 certificate actually used to sign the digest.
      Returns:
      the X.509 certificate actually used to sign the digest
    • getVersion

      public int getVersion()
      Get the version of the PKCS#7 object. Always 1
      Returns:
      the version of the PKCS#7 object. Always 1
    • getSigningInfoVersion

      public int getSigningInfoVersion()
      Get the version of the PKCS#7 "SignerInfo" object. Always 1
      Returns:
      the version of the PKCS#7 "SignerInfo" object. Always 1
    • getDigestAlgorithm

      public String getDigestAlgorithm()
      Get the algorithm used to calculate the message digest
      Returns:
      the algorithm used to calculate the message digest
    • getHashAlgorithm

      public String getHashAlgorithm()
      Returns the algorithm.
      Returns:
      the digest algorithm
    • isRevocationValid

      public boolean isRevocationValid()
      Checks if OCSP revocation refers to the document signing certificate.
      Returns:
      true if it checks false otherwise
      Since:
      2.1.6
    • getEncodedPKCS1

      public byte[] getEncodedPKCS1()
      Gets the bytes for the PKCS#1 object.
      Returns:
      a byte array
    • setExternalDigest

      public void setExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
      Sets the digest/signature to an external calculated value.
      Parameters:
      digest - the digest. This is the actual signature
      RSAdata - the extra data that goes into the data tag in PKCS#7
      digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"
    • getEncodedPKCS7

      public byte[] getEncodedPKCS7()
      Gets the bytes for the PKCS7SignedData object.
      Returns:
      the bytes for the PKCS7SignedData object
    • getEncodedPKCS7

      public byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime)
      Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.
      Parameters:
      secondDigest - the digest in the authenticatedAttributes
      signingTime - the signing time in the authenticatedAttributes
      Returns:
      the bytes for the PKCS7SignedData object
    • getEncodedPKCS7

      public byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp)
      Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.
      Parameters:
      secondDigest - the digest in the authenticatedAttributes
      signingTime - the signing time in the authenticatedAttributes
      tsaClient - TSAClient - null or an optional time stamp authority client
      ocsp - a byte array
      Returns:
      byte[] the bytes for the PKCS7SignedData object
      Since:
      2.1.6
    • buildUnauthenticatedAttributes

      private org.bouncycastle.asn1.ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken) throws IOException
      Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface).
      Parameters:
      timeStampToken - byte[] - time stamp token, DER encoded signedData
      Returns:
      ASN1EncodableVector
      Throws:
      IOException
    • getAuthenticatedAttributeBytes

      public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
      When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in getEncodedPKCS7(byte[], Calendar). A simple example:
       Calendar cal = Calendar.getInstance();
       PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
       MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
       byte buf[] = new byte[8192];
       int n;
       InputStream inp = sap.getRangeStream();
       while ((n = inp.read(buf)) > 0) {
         messageDigest.update(buf, 0, n);
       }
       byte hash[] = messageDigest.digest();
       byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);
       pk7.update(sh, 0, sh.length);
       byte sg[] = pk7.getEncodedPKCS7(hash, cal);
       
      Parameters:
      secondDigest - the content digest
      signingTime - the signing time
      ocsp - a byte array
      Returns:
      the byte array representation of the authenticatedAttributes ready to be signed
    • getAuthenticatedAttributeSet

      private org.bouncycastle.asn1.DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
    • getReason

      public String getReason()
      Getter for property reason.
      Returns:
      Value of property reason.
    • setReason

      public void setReason(String reason)
      Setter for property reason.
      Parameters:
      reason - New value of property reason.
    • getLocation

      public String getLocation()
      Getter for property location.
      Returns:
      Value of property location.
    • setLocation

      public void setLocation(String location)
      Setter for property location.
      Parameters:
      location - New value of property location.
    • getSignDate

      public Calendar getSignDate()
      Getter for property signDate.
      Returns:
      Value of property signDate.
    • setSignDate

      public void setSignDate(Calendar signDate)
      Setter for property signDate.
      Parameters:
      signDate - New value of property signDate.
    • getSignName

      public String getSignName()
      Getter for property sigName.
      Returns:
      Value of property sigName.
    • setSignName

      public void setSignName(String signName)
      Setter for property sigName.
      Parameters:
      signName - New value of property sigName.