Class PdfPKCS7

java.lang.Object
com.aowagie.text.pdf.PdfPKCS7
public final class PdfPKCS7 extends Object
This class does all the processing related to signing and verifying a PKCS#7 signature.

It's based in code found at org.bouncycastle.

  • Field Details

  • Constructor Details

    • PdfPKCS7

      PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
      Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
      Parameters:
      contentsKey - the /Contents key
      certsKey - the /Cert key
      provider - the provider or null for the default provider

    • PdfPKCS7

      PdfPKCS7(byte[] contentsKey, String provider)
      Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
      Parameters:
      contentsKey - the /Contents key
      provider - the provider or null for the default provider

    • PdfPKCS7

      PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException
      Generates a signature.
      Parameters:
      privKey - the private key
      certChain - the certificate chain
      crlList - the certificate revocation list
      hashAlgorithm - the hash algorithm
      provider - the provider or null for the default provider
      hasRSAdata - true if the sub-filter is adbe.pkcs7.sha1
      Throws:
      InvalidKeyException - on error
      NoSuchProviderException - on error
      NoSuchAlgorithmException - on error

  • Method Details

    • getPkcs1

      public byte[] getPkcs1()
      Obtiene el PKCS#1 de la firma PKCS#7 del PDF.
      Returns:
      PKCS#1 de la firma PKCS#7 del PDF.

    • getDigest

      private static String getDigest(String oid)
      Gets the digest name for a certain id
      Parameters:
      oid - an id (for instance "1.2.840.113549.2.5")
      Returns:
      a digest name (for instance "MD5")
      Since:
      2.1.6

    • getAlgorithm

      private static String getAlgorithm(String oid)
      Gets the algorithm name for a certain id.
      Parameters:
      oid - an id (for instance "1.2.840.113549.1.1.1")
      Returns:
      an algorithm name (for instance "RSA")
      Since:
      2.1.6

    • getTimeStampToken

      public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
      Gets the timestamp token if there is one.
      Returns:
      the timestamp token or null
      Since:
      2.1.6

    • getTimeStampDate

      public Calendar getTimeStampDate()
      Gets the timestamp date
      Returns:
      a date
      Since:
      2.1.6

    • getOcsp

      public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
      Gets the OCSP basic response if there is one.
      Returns:
      the OCSP basic response or null
      Since:
      2.1.6

    • findOcsp

      private void findOcsp(org.bouncycastle.asn1.ASN1Sequence seq) throws IOException
      Throws:
      IOException

    • update

      void update(byte[] buf, int off, int len) throws SignatureException
      Update the digest with the specified bytes. This method is used both for signing and verifying
      Parameters:
      buf - the data buffer
      off - the offset in the data buffer
      len - the data length
      Throws:
      SignatureException - on error

    • getCertificates

      public Certificate[] getCertificates()
      Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.
      Returns:
      the X.509 certificates associated with this PKCS#7 object

    • getSignCertificateChain

      public Certificate[] getSignCertificateChain()
      Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.
      Returns:
      the X.509 certificates associated with this PKCS#7 object
      Since:
      2.1.6

    • signCertificateChain

      private void signCertificateChain()

    • getCRLs

      public Collection<CRL> getCRLs()
      Get the X.509 certificate revocation lists associated with this PKCS#7 object
      Returns:
      the X.509 certificate revocation lists associated with this PKCS#7 object

    • getSigningCertificate

      public X509Certificate getSigningCertificate()
      Get the X.509 certificate actually used to sign the digest.
      Returns:
      the X.509 certificate actually used to sign the digest

    • getVersion

      public int getVersion()
      Get the version of the PKCS#7 object. Always 1
      Returns:
      the version of the PKCS#7 object. Always 1

    • getSigningInfoVersion

      public int getSigningInfoVersion()
      Get the version of the PKCS#7 "SignerInfo" object. Always 1
      Returns:
      the version of the PKCS#7 "SignerInfo" object. Always 1

    • getDigestAlgorithm

      public String getDigestAlgorithm()
      Get the algorithm used to calculate the message digest
      Returns:
      the algorithm used to calculate the message digest or null if it couldn't identify the encryption algorithm.

    • getHashAlgorithm

      public String getHashAlgorithm()
      Returns the algorithm.
      Returns:
      the digest algorithm

    • getStrictHashAlgorithm

      public String getStrictHashAlgorithm()
      Returns the algorithm de hash declarado.
      Returns:
      the digest algorithm or null is there isn't a valid hash algorithm.

    • isRevocationValid

      public boolean isRevocationValid()
      Checks if OCSP revocation refers to the document signing certificate.
      Returns:
      true if it checks false otherwise
      Since:
      2.1.6

    • getIssuer

      private static org.bouncycastle.asn1.ASN1Primitive getIssuer(byte[] enc)
      Get the "issuer" from the TBSCertificate bytes that are passed in
      Parameters:
      enc - a TBSCertificate in a byte array
      Returns:
      a DERObject

    • getSubject

      private static org.bouncycastle.asn1.ASN1Primitive getSubject(byte[] enc)
      Get the "subject" from the TBSCertificate bytes that are passed in
      Parameters:
      enc - A TBSCertificate in a byte array
      Returns:
      a DERObject

    • getSubjectFields

      public static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
      Get the subject fields from an X509 Certificate
      Parameters:
      cert - an X509Certificate
      Returns:
      an X509Name

    • getEncodedPKCS1

      public byte[] getEncodedPKCS1()
      Gets the bytes for the PKCS#1 object.
      Returns:
      a byte array

    • setExternalDigest

      public void setExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
      Sets the digest/signature to an external calculated value.
      Parameters:
      digest - the digest. This is the actual signature
      RSAdata - the extra data that goes into the data tag in PKCS#7
      digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

    • getEncodedPKCS7

      public byte[] getEncodedPKCS7()
      Gets the bytes for the PKCS7SignedData object.
      Returns:
      the bytes for the PKCS7SignedData object

    • getEncodedPKCS7

      private byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp)
      Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.
      Parameters:
      secondDigest - the digest in the authenticatedAttributes
      signingTime - the signing time in the authenticatedAttributes
      tsaClient - TSAClient - null or an optional time stamp authority client
      Returns:
      byte[] the bytes for the PKCS7SignedData object
      Since:
      2.1.6

    • buildUnauthenticatedAttributes

      private static org.bouncycastle.asn1.ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken) throws IOException
      Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface).
      Parameters:
      timeStampToken - byte[] - time stamp token, DER encoded signedData
      Returns:
      ASN1EncodableVector
      Throws:
      IOException

    • getAuthenticatedAttributeSet

      private org.bouncycastle.asn1.DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime, byte[] ocsp)

    • getReason

      public String getReason()
      Getter for property reason.
      Returns:
      Value of property reason.

    • setReason

      public void setReason(String reason)
      Setter for property reason.
      Parameters:
      reason - New value of property reason.

    • getLocation

      public String getLocation()
      Getter for property location.
      Returns:
      Value of property location.

    • setLocation

      public void setLocation(String location)
      Setter for property location.
      Parameters:
      location - New value of property location.

    • getSignDate

      public Calendar getSignDate()
      Getter for property signDate.
      Returns:
      Value of property signDate.

    • setSignDate

      public void setSignDate(Calendar signDate)
      Setter for property signDate.
      Parameters:
      signDate - New value of property signDate.

    • getSignName

      public String getSignName()
      Getter for property sigName.
      Returns:
      Value of property sigName.

    • setSignName

      public void setSignName(String signName)
      Setter for property sigName.
      Parameters:
      signName - New value of property sigName.

    • getDigestAlgorithmName

      private static String getDigestAlgorithmName(String pseudoName)
      Obtiene el nombre de un algoritmo de huella digital a partir de una de las variantes de este.
      Parameters:
      pseudoName - Nombre o variante del nombre del algoritmo de huella digital
      Returns:
      Nombre del algoritmo de huella digital

    • verify

      public boolean verify() throws SignatureException
      Verify the digest.
      Returns:
      true if the signature checks out, false otherwise.
      Throws:
      SignatureException - on error