Package com.gitlab.pdftk_java.com.lowagie.text.pdf

Class PdfPKCS7

  • public class PdfPKCS7
extends java.lang.Object
    This class does all the processing related to signing and verifying a PKCS#7 signature.

    It's based in code found at org.bouncycastle.

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  PdfPKCS7.X500Name
      a class that holds an X509 name
      static class  PdfPKCS7.X509NameTokenizer
      class for breaking up an X500 Name into it's component tokens, ala java.util.StringTokenizer.

    • Constructor Summary

      Constructors 
      Constructor Description
      PdfPKCS7​(byte[] contentsKey, byte[] certsKey, java.lang.String provider)
      Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
      PdfPKCS7​(byte[] contentsKey, java.lang.String provider)
      Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
      PdfPKCS7​(java.security.PrivateKey privKey, java.security.cert.Certificate[] certChain, java.security.cert.CRL[] crlList, java.lang.String hashAlgorithm, java.lang.String provider, boolean hasRSAdata)
      Generates a signature.

    • Method Summary

      All Methods Static Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      byte[] getAuthenticatedAttributeBytes​(byte[] secondDigest, java.util.Calendar signingTime)
      When using authenticatedAttributes the authentication process is different.
      java.security.cert.Certificate[] getCertificates()
      Get the X.509 certificates associated with this PKCS#7 object
      java.util.Collection getCRLs()
      Get the X.509 certificate revocation lists associated with this PKCS#7 object
      java.lang.String getDigestAlgorithm()
      Get the algorithm used to calculate the message digest
      byte[] getEncodedPKCS1()
      Gets the bytes for the PKCS#1 object.
      byte[] getEncodedPKCS7()
      Gets the bytes for the PKCS7SignedData object.
      byte[] getEncodedPKCS7​(byte[] secondDigest, java.util.Calendar signingTime)
      Gets the bytes for the PKCS7SignedData object.
      java.lang.String getHashAlgorithm()
      Returns the algorithm.
      private static org.bouncycastle.asn1.ASN1Primitive getIssuer​(byte[] enc)
      Get the "issuer" from the TBSCertificate bytes that are passed in
      static PdfPKCS7.X500Name getIssuerFields​(java.security.cert.X509Certificate cert)
      Get the issuer fields from an X509 Certificate
      java.lang.String getLocation()
      Getter for property location.
      java.lang.String getReason()
      Getter for property reason.
      java.util.Calendar getSignDate()
      Getter for property signDate.
      java.security.cert.X509Certificate getSigningCertificate()
      Get the X.509 certificate actually used to sign the digest.
      int getSigningInfoVersion()
      Get the version of the PKCS#7 "SignerInfo" object.
      java.lang.String getSignName()
      Getter for property sigName.
      private static org.bouncycastle.asn1.ASN1Primitive getSubject​(byte[] enc)
      Get the "subject" from the TBSCertificate bytes that are passed in
      static PdfPKCS7.X500Name getSubjectFields​(java.security.cert.X509Certificate cert)
      Get the subject fields from an X509 Certificate
      int getVersion()
      Get the version of the PKCS#7 object.
      static java.security.KeyStore loadCacertsKeyStore()
      Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
      static java.security.KeyStore loadCacertsKeyStore​(java.lang.String provider)
      Loads the default root certificates at <java.home>/lib/security/cacerts.
      void setExternalDigest​(byte[] digest, byte[] RSAdata, java.lang.String digestEncryptionAlgorithm)
      Sets the digest/signature to an external calculated value.
      void setLocation​(java.lang.String location)
      Setter for property location.
      void setReason​(java.lang.String reason)
      Setter for property reason.
      void setSignDate​(java.util.Calendar signDate)
      Setter for property signDate.
      void setSignName​(java.lang.String signName)
      Setter for property sigName.
      void update​(byte[] buf, int off, int len)
      Update the digest with the specified bytes.
      boolean verify()
      Verify the digest.
      static java.lang.String verifyCertificate​(java.security.cert.X509Certificate cert, java.util.Collection crls, java.util.Calendar calendar)
      Verifies a single certificate.
      static java.lang.Object[] verifyCertificates​(java.security.cert.Certificate[] certs, java.security.KeyStore keystore, java.util.Collection crls, java.util.Calendar calendar)
      Verifies a certificate chain against a KeyStore.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • sigAttr

        private byte[] sigAttr

      • digestAttr

        private byte[] digestAttr

      • version

        private int version

      • signerversion

        private int signerversion

      • digestalgos

        private java.util.Set digestalgos

      • certs

        private java.util.Collection certs

      • crls

        private java.util.Collection crls

      • signCert

        private java.security.cert.X509Certificate signCert

      • digest

        private byte[] digest

      • messageDigest

        private java.security.MessageDigest messageDigest

      • digestAlgorithm

        private java.lang.String digestAlgorithm

      • digestEncryptionAlgorithm

        private java.lang.String digestEncryptionAlgorithm

      • sig

        private java.security.Signature sig

      • privKey

        private transient java.security.PrivateKey privKey

      • RSAdata

        private byte[] RSAdata

      • verified

        private boolean verified

      • verifyResult

        private boolean verifyResult

      • externalDigest

        private byte[] externalDigest

      • externalRSAdata

        private byte[] externalRSAdata

      • ID_PKCS7_SIGNED_DATA

        private static final java.lang.String ID_PKCS7_SIGNED_DATA
        See Also:
        Constant Field Values

      • ID_MESSAGE_DIGEST

        private static final java.lang.String ID_MESSAGE_DIGEST
        See Also:
        Constant Field Values

      • reason

        private java.lang.String reason
        Holds value of property reason.

      • location

        private java.lang.String location
        Holds value of property location.

      • signDate

        private java.util.Calendar signDate
        Holds value of property signDate.

      • signName

        private java.lang.String signName
        Holds value of property signName.

    • Constructor Detail

      • PdfPKCS7

        public PdfPKCS7​(byte[] contentsKey,
                byte[] certsKey,
                java.lang.String provider)
         throws java.lang.SecurityException,
                java.security.cert.CRLException,
                java.security.InvalidKeyException,
                java.security.cert.CertificateException,
                java.security.NoSuchProviderException,
                java.security.NoSuchAlgorithmException,
                java.io.IOException
        Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
        Parameters:
        contentsKey - the /Contents key
        certsKey - the /Cert key
        provider - the provider or null for the default provider
        Throws:
        java.lang.SecurityException - on error
        java.security.cert.CRLException - on error
        java.security.InvalidKeyException - on error
        java.security.cert.CertificateException - on error
        java.security.NoSuchProviderException - on error
        java.security.NoSuchAlgorithmException - on error
        java.io.IOException - on error

      • PdfPKCS7

        public PdfPKCS7​(byte[] contentsKey,
                java.lang.String provider)
         throws java.lang.SecurityException,
                java.security.cert.CRLException,
                java.security.InvalidKeyException,
                java.security.cert.CertificateException,
                java.security.NoSuchProviderException,
                java.security.NoSuchAlgorithmException
        Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
        Parameters:
        contentsKey - the /Contents key
        provider - the provider or null for the default provider
        Throws:
        java.lang.SecurityException - on error
        java.security.cert.CRLException - on error
        java.security.InvalidKeyException - on error
        java.security.cert.CertificateException - on error
        java.security.NoSuchProviderException - on error
        java.security.NoSuchAlgorithmException - on error

      • PdfPKCS7

        public PdfPKCS7​(java.security.PrivateKey privKey,
                java.security.cert.Certificate[] certChain,
                java.security.cert.CRL[] crlList,
                java.lang.String hashAlgorithm,
                java.lang.String provider,
                boolean hasRSAdata)
         throws java.lang.SecurityException,
                java.security.InvalidKeyException,
                java.security.NoSuchProviderException,
                java.security.NoSuchAlgorithmException
        Generates a signature.
        Parameters:
        privKey - the private key
        certChain - the certificate chain
        crlList - the certificate revocation list
        hashAlgorithm - the hash algorithm
        provider - the provider or null for the default provider
        hasRSAdata - true if the sub-filter is adbe.pkcs7.sha1
        Throws:
        java.lang.SecurityException - on error
        java.security.InvalidKeyException - on error
        java.security.NoSuchProviderException - on error
        java.security.NoSuchAlgorithmException - on error

    • Method Detail

      • update

        public void update​(byte[] buf,
                   int off,
                   int len)
            throws java.security.SignatureException
        Update the digest with the specified bytes. This method is used both for signing and verifying
        Parameters:
        buf - the data buffer
        off - the offset in the data buffer
        len - the data length
        Throws:
        java.security.SignatureException - on error

      • verify

        public boolean verify()
               throws java.security.SignatureException
        Verify the digest.
        Returns:
        true if the signature checks out, false otherwise
        Throws:
        java.security.SignatureException - on error

      • getCertificates

        public java.security.cert.Certificate[] getCertificates()
        Get the X.509 certificates associated with this PKCS#7 object
        Returns:
        the X.509 certificates associated with this PKCS#7 object

      • getCRLs

        public java.util.Collection getCRLs()
        Get the X.509 certificate revocation lists associated with this PKCS#7 object
        Returns:
        the X.509 certificate revocation lists associated with this PKCS#7 object

      • getSigningCertificate

        public java.security.cert.X509Certificate getSigningCertificate()
        Get the X.509 certificate actually used to sign the digest.
        Returns:
        the X.509 certificate actually used to sign the digest

      • getVersion

        public int getVersion()
        Get the version of the PKCS#7 object. Always 1
        Returns:
        the version of the PKCS#7 object. Always 1

      • getSigningInfoVersion

        public int getSigningInfoVersion()
        Get the version of the PKCS#7 "SignerInfo" object. Always 1
        Returns:
        the version of the PKCS#7 "SignerInfo" object. Always 1

      • getDigestAlgorithm

        public java.lang.String getDigestAlgorithm()
        Get the algorithm used to calculate the message digest
        Returns:
        the algorithm used to calculate the message digest

      • getHashAlgorithm

        public java.lang.String getHashAlgorithm()
        Returns the algorithm.
        Returns:
        the digest algorithm

      • loadCacertsKeyStore

        public static java.security.KeyStore loadCacertsKeyStore()
        Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
        Returns:
        a KeyStore

      • loadCacertsKeyStore

        public static java.security.KeyStore loadCacertsKeyStore​(java.lang.String provider)
        Loads the default root certificates at <java.home>/lib/security/cacerts.
        Parameters:
        provider - the provider or null for the default provider
        Returns:
        a KeyStore

      • verifyCertificate

        public static java.lang.String verifyCertificate​(java.security.cert.X509Certificate cert,
                                                 java.util.Collection crls,
                                                 java.util.Calendar calendar)
        Verifies a single certificate.
        Parameters:
        cert - the certificate to verify
        crls - the certificate revocation list or null
        calendar - the date or null for the current date
        Returns:
        a String with the error description or null if no error

      • verifyCertificates

        public static java.lang.Object[] verifyCertificates​(java.security.cert.Certificate[] certs,
                                                    java.security.KeyStore keystore,
                                                    java.util.Collection crls,
                                                    java.util.Calendar calendar)
        Verifies a certificate chain against a KeyStore.
        Parameters:
        certs - the certificate chain
        keystore - the KeyStore
        crls - the certificate revocation list or null
        calendar - the date or null for the current date
        Returns:
        null if the certificate chain could be validade or a Object[]{cert,error} where cert is the failed certificate and error is the error message

      • getIssuer

        private static org.bouncycastle.asn1.ASN1Primitive getIssuer​(byte[] enc)
        Get the "issuer" from the TBSCertificate bytes that are passed in
        Parameters:
        enc - a TBSCertificate in a byte array
        Returns:
        a ASN1Primitive

      • getSubject

        private static org.bouncycastle.asn1.ASN1Primitive getSubject​(byte[] enc)
        Get the "subject" from the TBSCertificate bytes that are passed in
        Parameters:
        enc - A TBSCertificate in a byte array
        Returns:
        a ASN1Primitive

      • getIssuerFields

        public static PdfPKCS7.X500Name getIssuerFields​(java.security.cert.X509Certificate cert)
        Get the issuer fields from an X509 Certificate
        Parameters:
        cert - an X509Certificate
        Returns:
        an X500Name

      • getSubjectFields

        public static PdfPKCS7.X500Name getSubjectFields​(java.security.cert.X509Certificate cert)
        Get the subject fields from an X509 Certificate
        Parameters:
        cert - an X509Certificate
        Returns:
        an X500Name

      • getEncodedPKCS1

        public byte[] getEncodedPKCS1()
        Gets the bytes for the PKCS#1 object.
        Returns:
        a byte array

      • setExternalDigest

        public void setExternalDigest​(byte[] digest,
                              byte[] RSAdata,
                              java.lang.String digestEncryptionAlgorithm)
        Sets the digest/signature to an external calculated value.
        Parameters:
        digest - the digest. This is the actual signature
        RSAdata - the extra data that goes into the data tag in PKCS#7
        digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7()
        Gets the bytes for the PKCS7SignedData object.
        Returns:
        the bytes for the PKCS7SignedData object

      • getEncodedPKCS7

        public byte[] getEncodedPKCS7​(byte[] secondDigest,
                              java.util.Calendar signingTime)
        Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.
        Parameters:
        secondDigest - the digest in the authenticatedAttributes
        signingTime - the signing time in the authenticatedAttributes
        Returns:
        the bytes for the PKCS7SignedData object

      • getAuthenticatedAttributeBytes

        public byte[] getAuthenticatedAttributeBytes​(byte[] secondDigest,
                                             java.util.Calendar signingTime)
        When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in getEncodedPKCS7(byte[],Calendar).

        A simple example: 

         Calendar cal = Calendar.getInstance();
 PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
 MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
 byte buf[] = new byte[8192];
 int n;
 InputStream inp = sap.getRangeStream();
 while ((n = inp.read(buf)) > 0) {
    messageDigest.update(buf, 0, n);
 }
 byte hash[] = messageDigest.digest();
 byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);
 pk7.update(sh, 0, sh.length);
 byte sg[] = pk7.getEncodedPKCS7(hash, cal);
        Parameters:
        secondDigest - the content digest
        signingTime - the signing time
        Returns:
        the byte array representation of the authenticatedAttributes ready to be signed

      • getReason

        public java.lang.String getReason()
        Getter for property reason.
        Returns:
        Value of property reason.

      • setReason

        public void setReason​(java.lang.String reason)
        Setter for property reason.
        Parameters:
        reason - New value of property reason.

      • getLocation

        public java.lang.String getLocation()
        Getter for property location.
        Returns:
        Value of property location.

      • setLocation

        public void setLocation​(java.lang.String location)
        Setter for property location.
        Parameters:
        location - New value of property location.

      • getSignDate

        public java.util.Calendar getSignDate()
        Getter for property signDate.
        Returns:
        Value of property signDate.

      • setSignDate

        public void setSignDate​(java.util.Calendar signDate)
        Setter for property signDate.
        Parameters:
        signDate - New value of property signDate.

      • getSignName

        public java.lang.String getSignName()
        Getter for property sigName.
        Returns:
        Value of property sigName.

      • setSignName

        public void setSignName​(java.lang.String signName)
        Setter for property sigName.
        Parameters:
        signName - New value of property sigName.