Package com.aowagie.text.pdf

Class PdfPKCS7

  • public final class PdfPKCS7
extends java.lang.Object
    This class does all the processing related to signing and verifying a PKCS#7 signature.

    It's based in code found at org.bouncycastle.

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  PdfPKCS7.X509Name
      a class that holds an X509 name

    • Constructor Summary

      Constructors 
      Constructor Description
      PdfPKCS7​(byte[] contentsKey, byte[] certsKey, java.lang.String provider)
      Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
      PdfPKCS7​(byte[] contentsKey, java.lang.String provider)
      Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
      PdfPKCS7​(java.security.PrivateKey privKey, java.security.cert.Certificate[] certChain, java.security.cert.CRL[] crlList, java.lang.String hashAlgorithm, java.lang.String provider, boolean hasRSAdata)
      Generates a signature.

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      private static org.bouncycastle.asn1.ASN1EncodableVector buildUnauthenticatedAttributes​(byte[] timeStampToken)
      Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).
      private void findOcsp​(org.bouncycastle.asn1.ASN1Sequence seq)  
      private static java.lang.String getAlgorithm​(java.lang.String oid)
      Gets the algorithm name for a certain id.
      private org.bouncycastle.asn1.DERSet getAuthenticatedAttributeSet​(byte[] secondDigest, java.util.Calendar signingTime, byte[] ocsp)  
      java.security.cert.Certificate[] getCertificates()
      Get all the X.509 certificates associated with this PKCS#7 object in no particular order.
      java.util.Collection<java.security.cert.CRL> getCRLs()
      Get the X.509 certificate revocation lists associated with this PKCS#7 object
      private static java.lang.String getDigest​(java.lang.String oid)
      Gets the digest name for a certain id
      java.lang.String getDigestAlgorithm()
      Get the algorithm used to calculate the message digest
      private static java.lang.String getDigestAlgorithmName​(java.lang.String pseudoName)
      Obtiene el nombre de un algoritmo de huella digital a partir de una de las variantes de este.
      byte[] getEncodedPKCS1()
      Gets the bytes for the PKCS#1 object.
      byte[] getEncodedPKCS7()
      Gets the bytes for the PKCS7SignedData object.
      private byte[] getEncodedPKCS7​(byte[] secondDigest, java.util.Calendar signingTime, TSAClient tsaClient, byte[] ocsp)
      Gets the bytes for the PKCS7SignedData object.
      java.lang.String getHashAlgorithm()
      Returns the algorithm.
      private static org.bouncycastle.asn1.ASN1Primitive getIssuer​(byte[] enc)
      Get the "issuer" from the TBSCertificate bytes that are passed in
      java.lang.String getLocation()
      Getter for property location.
      org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
      Gets the OCSP basic response if there is one.
      byte[] getPkcs1()
      Obtiene el PKCS#1 de la firma PKCS#7 del PDF.
      java.lang.String getReason()
      Getter for property reason.
      java.security.cert.Certificate[] getSignCertificateChain()
      Get the X.509 sign certificate chain associated with this PKCS#7 object.
      java.util.Calendar getSignDate()
      Getter for property signDate.
      java.security.cert.X509Certificate getSigningCertificate()
      Get the X.509 certificate actually used to sign the digest.
      int getSigningInfoVersion()
      Get the version of the PKCS#7 "SignerInfo" object.
      java.lang.String getSignName()
      Getter for property sigName.
      java.lang.String getStrictHashAlgorithm()
      Returns the algorithm de hash declarado.
      private static org.bouncycastle.asn1.ASN1Primitive getSubject​(byte[] enc)
      Get the "subject" from the TBSCertificate bytes that are passed in
      static PdfPKCS7.X509Name getSubjectFields​(java.security.cert.X509Certificate cert)
      Get the subject fields from an X509 Certificate
      java.util.Calendar getTimeStampDate()
      Gets the timestamp date
      org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
      Gets the timestamp token if there is one.
      int getVersion()
      Get the version of the PKCS#7 object.
      boolean isRevocationValid()
      Checks if OCSP revocation refers to the document signing certificate.
      void setExternalDigest​(byte[] digest, byte[] RSAdata, java.lang.String digestEncryptionAlgorithm)
      Sets the digest/signature to an external calculated value.
      void setLocation​(java.lang.String location)
      Setter for property location.
      void setReason​(java.lang.String reason)
      Setter for property reason.
      void setSignDate​(java.util.Calendar signDate)
      Setter for property signDate.
      void setSignName​(java.lang.String signName)
      Setter for property sigName.
      private void signCertificateChain()  
      (package private) void update​(byte[] buf, int off, int len)
      Update the digest with the specified bytes.
      boolean verify()
      Verify the digest.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • sigAttr

        private byte[] sigAttr

      • digestAttr

        private byte[] digestAttr

      • version

        private int version

      • signerversion

        private int signerversion

      • digestalgos

        private java.util.Set<java.lang.String> digestalgos

      • certs

        private java.util.Collection<java.security.cert.Certificate> certs

      • crls

        private java.util.Collection<java.security.cert.CRL> crls

      • signCerts

        private java.util.Collection<java.security.cert.Certificate> signCerts

      • signCert

        private java.security.cert.X509Certificate signCert

      • digest

        private byte[] digest

      • messageDigest

        private java.security.MessageDigest messageDigest

      • digestAlgorithm

        private java.lang.String digestAlgorithm

      • digestEncryptionAlgorithm

        private java.lang.String digestEncryptionAlgorithm

      • sig

        private java.security.Signature sig

      • RSAdata

        private byte[] RSAdata

      • verified

        private boolean verified

      • verifyResult

        private boolean verifyResult

      • externalDigest

        private byte[] externalDigest

      • externalRSAdata

        private byte[] externalRSAdata

      • provider

        private java.lang.String provider

      • ID_PKCS7_SIGNED_DATA

        private static final java.lang.String ID_PKCS7_SIGNED_DATA
        See Also:
        Constant Field Values

      • ID_MESSAGE_DIGEST

        private static final java.lang.String ID_MESSAGE_DIGEST
        See Also:
        Constant Field Values

      • ID_ADBE_REVOCATION

        private static final java.lang.String ID_ADBE_REVOCATION
        See Also:
        Constant Field Values

      • reason

        private java.lang.String reason
        Holds value of property reason.

      • location

        private java.lang.String location
        Holds value of property location.

      • signDate

        private java.util.Calendar signDate
        Holds value of property signDate.

      • signName

        private java.lang.String signName
        Holds value of property signName.

      • timeStampToken

        private org.bouncycastle.tsp.TimeStampToken timeStampToken

      • STRICT_DIGEST_NAMES

        private static final java.util.HashMap<java.lang.String,​java.lang.String> STRICT_DIGEST_NAMES

      • DIGEST_NAMES

        private static final java.util.HashMap<java.lang.String,​java.lang.String> DIGEST_NAMES

      • ALGORITHM_NAMES

        private static final java.util.HashMap<java.lang.String,​java.lang.String> ALGORITHM_NAMES

      • ALLOWED_DIGESTS

        private static final java.util.HashMap<java.lang.String,​java.lang.String> ALLOWED_DIGESTS

      • basicResp

        private org.bouncycastle.cert.ocsp.BasicOCSPResp basicResp

      • OID_ECDSA_SHA224

        private static final java.lang.String OID_ECDSA_SHA224
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA256

        private static final java.lang.String OID_ECDSA_SHA256
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA384

        private static final java.lang.String OID_ECDSA_SHA384
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA512

        private static final java.lang.String OID_ECDSA_SHA512
        See Also:
        Constant Field Values

      • OID_RSA_SHA3_224

        private static final java.lang.String OID_RSA_SHA3_224
        See Also:
        Constant Field Values

      • OID_RSA_SHA3_256

        private static final java.lang.String OID_RSA_SHA3_256
        See Also:
        Constant Field Values

      • OID_RSA_SHA3_384

        private static final java.lang.String OID_RSA_SHA3_384
        See Also:
        Constant Field Values

      • OID_RSA_SHA3_512

        private static final java.lang.String OID_RSA_SHA3_512
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA3_224

        private static final java.lang.String OID_ECDSA_SHA3_224
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA3_256

        private static final java.lang.String OID_ECDSA_SHA3_256
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA3_384

        private static final java.lang.String OID_ECDSA_SHA3_384
        See Also:
        Constant Field Values

      • OID_ECDSA_SHA3_512

        private static final java.lang.String OID_ECDSA_SHA3_512
        See Also:
        Constant Field Values

      • OIDS

        private static final java.util.Dictionary<java.lang.String,​java.lang.String> OIDS

    • Constructor Detail

      • PdfPKCS7

        PdfPKCS7​(byte[] contentsKey,
         byte[] certsKey,
         java.lang.String provider)
        Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
        Parameters:
        contentsKey - the /Contents key
        certsKey - the /Cert key
        provider - the provider or null for the default provider

      • PdfPKCS7

        PdfPKCS7​(byte[] contentsKey,
         java.lang.String provider)
        Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
        Parameters:
        contentsKey - the /Contents key
        provider - the provider or null for the default provider

      • PdfPKCS7

        PdfPKCS7​(java.security.PrivateKey privKey,
         java.security.cert.Certificate[] certChain,
         java.security.cert.CRL[] crlList,
         java.lang.String hashAlgorithm,
         java.lang.String provider,
         boolean hasRSAdata)
  throws java.security.InvalidKeyException,
         java.security.NoSuchProviderException,
         java.security.NoSuchAlgorithmException
        Generates a signature.
        Parameters:
        privKey - the private key
        certChain - the certificate chain
        crlList - the certificate revocation list
        hashAlgorithm - the hash algorithm
        provider - the provider or null for the default provider
        hasRSAdata - true if the sub-filter is adbe.pkcs7.sha1
        Throws:
        java.security.InvalidKeyException - on error
        java.security.NoSuchProviderException - on error
        java.security.NoSuchAlgorithmException - on error

    • Method Detail

      • getPkcs1

        public byte[] getPkcs1()
        Obtiene el PKCS#1 de la firma PKCS#7 del PDF.
        Returns:
        PKCS#1 de la firma PKCS#7 del PDF.

      • getDigest

        private static java.lang.String getDigest​(java.lang.String oid)
        Gets the digest name for a certain id
        Parameters:
        oid - an id (for instance "1.2.840.113549.2.5")
        Returns:
        a digest name (for instance "MD5")
        Since:
        2.1.6

      • getAlgorithm

        private static java.lang.String getAlgorithm​(java.lang.String oid)
        Gets the algorithm name for a certain id.
        Parameters:
        oid - an id (for instance "1.2.840.113549.1.1.1")
        Returns:
        an algorithm name (for instance "RSA")
        Since:
        2.1.6

      • getTimeStampToken

        public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
        Gets the timestamp token if there is one.
        Returns:
        the timestamp token or null
        Since:
        2.1.6

      • getTimeStampDate

        public java.util.Calendar getTimeStampDate()
        Gets the timestamp date
        Returns:
        a date
        Since:
        2.1.6

      • getOcsp

        public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
        Gets the OCSP basic response if there is one.
        Returns:
        the OCSP basic response or null
        Since:
        2.1.6

      • findOcsp

        private void findOcsp​(org.bouncycastle.asn1.ASN1Sequence seq)
               throws java.io.IOException
        Throws:
        java.io.IOException

      • update

        void update​(byte[] buf,
            int off,
            int len)
     throws java.security.SignatureException
        Update the digest with the specified bytes. This method is used both for signing and verifying
        Parameters:
        buf - the data buffer
        off - the offset in the data buffer
        len - the data length
        Throws:
        java.security.SignatureException - on error

      • getCertificates

        public java.security.cert.Certificate[] getCertificates()
        Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.
        Returns:
        the X.509 certificates associated with this PKCS#7 object

      • getSignCertificateChain

        public java.security.cert.Certificate[] getSignCertificateChain()
        Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.
        Returns:
        the X.509 certificates associated with this PKCS#7 object
        Since:
        2.1.6

      • signCertificateChain

        private void signCertificateChain()

      • getCRLs

        public java.util.Collection<java.security.cert.CRL> getCRLs()
        Get the X.509 certificate revocation lists associated with this PKCS#7 object
        Returns:
        the X.509 certificate revocation lists associated with this PKCS#7 object

      • getSigningCertificate

        public java.security.cert.X509Certificate getSigningCertificate()
        Get the X.509 certificate actually used to sign the digest.
        Returns:
        the X.509 certificate actually used to sign the digest

      • getVersion

        public int getVersion()
        Get the version of the PKCS#7 object. Always 1
        Returns:
        the version of the PKCS#7 object. Always 1

      • getSigningInfoVersion

        public int getSigningInfoVersion()
        Get the version of the PKCS#7 "SignerInfo" object. Always 1
        Returns:
        the version of the PKCS#7 "SignerInfo" object. Always 1

      • getDigestAlgorithm

        public java.lang.String getDigestAlgorithm()
        Get the algorithm used to calculate the message digest
        Returns:
        the algorithm used to calculate the message digest or null if it couldn't identify the encryption algorithm.

      • getHashAlgorithm

        public java.lang.String getHashAlgorithm()
        Returns the algorithm.
        Returns:
        the digest algorithm

      • getStrictHashAlgorithm

        public java.lang.String getStrictHashAlgorithm()
        Returns the algorithm de hash declarado.
        Returns:
        the digest algorithm or null is there isn't a valid hash algorithm.

      • isRevocationValid

        public boolean isRevocationValid()
        Checks if OCSP revocation refers to the document signing certificate.
        Returns:
        true if it checks false otherwise
        Since:
        2.1.6

      • getIssuer

        private static org.bouncycastle.asn1.ASN1Primitive getIssuer​(byte[] enc)
        Get the "issuer" from the TBSCertificate bytes that are passed in
        Parameters:
        enc - a TBSCertificate in a byte array
        Returns:
        a DERObject

      • getSubject

        private static org.bouncycastle.asn1.ASN1Primitive getSubject​(byte[] enc)
        Get the "subject" from the TBSCertificate bytes that are passed in
        Parameters:
        enc - A TBSCertificate in a byte array
        Returns:
        a DERObject

      • getSubjectFields

        public static PdfPKCS7.X509Name getSubjectFields​(java.security.cert.X509Certificate cert)
        Get the subject fields from an X509 Certificate
        Parameters:
        cert - an X509Certificate
        Returns:
        an X509Name

      • getEncodedPKCS1

        public byte[] getEncodedPKCS1()
        Gets the bytes for the PKCS#1 object.
        Returns:
        a byte array

      • setExternalDigest

        public void setExternalDigest​(byte[] digest,
                              byte[] RSAdata,
                              java.lang.String digestEncryptionAlgorithm)
        Sets the digest/signature to an external calculated value.
        Parameters:
        digest - the digest. This is the actual signature
        RSAdata - the extra data that goes into the data tag in PKCS#7
        digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7()
        Gets the bytes for the PKCS7SignedData object.
        Returns:
        the bytes for the PKCS7SignedData object

      • getEncodedPKCS7

        private byte[] getEncodedPKCS7​(byte[] secondDigest,
                               java.util.Calendar signingTime,
                               TSAClient tsaClient,
                               byte[] ocsp)
        Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.
        Parameters:
        secondDigest - the digest in the authenticatedAttributes
        signingTime - the signing time in the authenticatedAttributes
        tsaClient - TSAClient - null or an optional time stamp authority client
        Returns:
        byte[] the bytes for the PKCS7SignedData object
        Since:
        2.1.6

      • buildUnauthenticatedAttributes

        private static org.bouncycastle.asn1.ASN1EncodableVector buildUnauthenticatedAttributes​(byte[] timeStampToken)
                                                                                 throws java.io.IOException
        Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface).
        Parameters:
        timeStampToken - byte[] - time stamp token, DER encoded signedData
        Returns:
        ASN1EncodableVector
        Throws:
        java.io.IOException

      • getAuthenticatedAttributeSet

        private org.bouncycastle.asn1.DERSet getAuthenticatedAttributeSet​(byte[] secondDigest,
                                                                  java.util.Calendar signingTime,
                                                                  byte[] ocsp)

      • getReason

        public java.lang.String getReason()
        Getter for property reason.
        Returns:
        Value of property reason.

      • setReason

        public void setReason​(java.lang.String reason)
        Setter for property reason.
        Parameters:
        reason - New value of property reason.

      • getLocation

        public java.lang.String getLocation()
        Getter for property location.
        Returns:
        Value of property location.

      • setLocation

        public void setLocation​(java.lang.String location)
        Setter for property location.
        Parameters:
        location - New value of property location.

      • getSignDate

        public java.util.Calendar getSignDate()
        Getter for property signDate.
        Returns:
        Value of property signDate.

      • setSignDate

        public void setSignDate​(java.util.Calendar signDate)
        Setter for property signDate.
        Parameters:
        signDate - New value of property signDate.

      • getSignName

        public java.lang.String getSignName()
        Getter for property sigName.
        Returns:
        Value of property sigName.

      • setSignName

        public void setSignName​(java.lang.String signName)
        Setter for property sigName.
        Parameters:
        signName - New value of property sigName.

      • getDigestAlgorithmName

        private static java.lang.String getDigestAlgorithmName​(java.lang.String pseudoName)
        Obtiene el nombre de un algoritmo de huella digital a partir de una de las variantes de este.
        Parameters:
        pseudoName - Nombre o variante del nombre del algoritmo de huella digital
        Returns:
        Nombre del algoritmo de huella digital

      • verify

        public boolean verify()
               throws java.security.SignatureException
        Verify the digest.
        Returns:
        true if the signature checks out, false otherwise.
        Throws:
        java.security.SignatureException - on error