iText 7 7.1.9 API
This class does all the processing related to signing and verifying a PKCS#7 signature. More...
Public Member Functions

| | PdfPKCS7 (ICipherParameters privKey, X509Certificate[] certChain, String hashAlgorithm, bool hasRSAdata) | Assembles all the elements needed to create a signature, except for the data. |
| | PdfPKCS7 (byte[] contentsKey, byte[] certsKey) | Use this constructor if you want to verify a signature using the sub-filter adbe.x509.rsa_sha1. |
| | PdfPKCS7 (byte[] contentsKey, PdfName filterSubtype) | Use this constructor if you want to verify a signature. |
| virtual void | SetSignaturePolicy (SignaturePolicyInfo signaturePolicy) | |
| virtual void | SetSignaturePolicy (SignaturePolicyIdentifier signaturePolicy) | |
| virtual String | GetSignName () | Getter for property sigName. |
| virtual void | SetSignName (String signName) | Setter for property sigName. |
| virtual String | GetReason () | Getter for property reason. |
| virtual void | SetReason (String reason) | Setter for property reason. |
| virtual String | GetLocation () | Getter for property location. |
| virtual void | SetLocation (String location) | Setter for property location. |
| virtual DateTime | GetSignDate () | Getter for property signDate. |
| virtual void | SetSignDate (DateTime signDate) | Setter for property signDate. |
| virtual int | GetVersion () | Get the version of the PKCS#7 object. |
| virtual int | GetSigningInfoVersion () | Get the version of the PKCS#7 "SignerInfo" object. |
| virtual String | GetDigestAlgorithmOid () | Getter for the ID of the digest algorithm, e.g. "2.16.840.1.101.3.4.2.1" (SHA-256). |
| virtual String | GetHashAlgorithm () | Returns the name of the digest algorithm, e.g. "SHA256". |
| virtual String | GetDigestEncryptionAlgorithmOid () | Getter for the OID of the digest encryption (signature) algorithm. |
| virtual String | GetDigestAlgorithm () | Get the algorithm used to calculate the message digest, e.g. "SHA1withRSA". |
| virtual void | SetExternalDigest (byte[] digest, byte[] rsaData, String digestEncryptionAlgorithm) | Sets the digest/signature to an externally calculated value. |
| virtual void | Update (byte[] buf, int off, int len) | Update the digest with the specified bytes. |
| virtual byte[] | GetEncodedPKCS1 () | Gets the bytes for the PKCS#1 object. |
| virtual byte[] | GetEncodedPKCS7 () | Gets the bytes for the PKCS7SignedData object. |
| virtual byte[] | GetEncodedPKCS7 (byte[] secondDigest) | Gets the bytes for the PKCS7SignedData object. |
| virtual byte[] | GetEncodedPKCS7 (byte[] secondDigest, ITSAClient tsaClient, byte[] ocsp, ICollection< byte[]> crlBytes, PdfSigner.CryptoStandard sigtype) | Gets the bytes for the PKCS7SignedData object. |
| virtual byte[] | GetEncodedPKCS7 (byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ITSAClient tsaClient, ICollection< byte[]> ocsp, ICollection< byte[]> crlBytes) | Gets the bytes for the PKCS7SignedData object. |
| virtual byte[] | GetAuthenticatedAttributeBytes (byte[] secondDigest, byte[] ocsp, ICollection< byte[]> crlBytes, PdfSigner.CryptoStandard sigtype) | When using authenticatedAttributes the authentication process is different. |
| virtual byte[] | GetAuthenticatedAttributeBytes (byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ICollection< byte[]> ocsp, ICollection< byte[]> crlBytes) | When using authenticatedAttributes the authentication process is different. |
| virtual bool | Verify () | Verify the digest. |
| virtual bool | VerifySignatureIntegrityAndAuthenticity () | Verifies that signature integrity is intact (that is, the signed data was not modified) by checking that the embedded data digest matches the calculated one. |
| virtual bool | VerifyTimestampImprint () | Checks if the timestamp refers to this document. |
| virtual X509Certificate[] | GetCertificates () | Get all the X.509 certificates associated with this PKCS#7 object, in no particular order. |
| virtual X509Certificate[] | GetSignCertificateChain () | Get the X.509 sign certificate chain associated with this PKCS#7 object. |
| virtual X509Certificate | GetSigningCertificate () | Get the X.509 certificate actually used to sign the digest. |
| virtual ICollection< X509Crl > | GetCRLs () | Get the X.509 certificate revocation lists associated with this PKCS#7 object. |
| virtual BasicOcspResp | GetOcsp () | Gets the OCSP basic response if there is one. |
| virtual bool | IsRevocationValid () | Checks if the OCSP revocation response refers to the document signing certificate. |
| virtual bool | IsTsp () | Check if it's a PAdES-LTV time stamp. |
| virtual TimeStampToken | GetTimeStampToken () | Gets the timestamp token if there is one. |
| virtual DateTime | GetTimeStampDate () | Gets the timestamp date. |
| virtual PdfName | GetFilterSubtype () | Returns the filter subtype. |
| virtual String | GetEncryptionAlgorithm () | Returns the encryption algorithm. |

This class does all the processing related to signing and verifying a PKCS#7 signature.

PdfPKCS7 (ICipherParameters privKey, X509Certificate[] certChain, String hashAlgorithm, bool hasRSAdata)
Assembles all the elements needed to create a signature, except for the data.
| privKey | the private key, or null when the signature value is supplied later through SetExternalDigest |
| certChain | the certificate chain |
| hashAlgorithm | the hash algorithm |
| hasRSAdata | true if the sub-filter is adbe.pkcs7.sha1 |

PdfPKCS7 (byte[] contentsKey, byte[] certsKey)
Use this constructor if you want to verify a signature using the sub-filter adbe.x509.rsa_sha1.
| contentsKey | the /Contents key |
| certsKey | the /Cert key |

PdfPKCS7 (byte[] contentsKey, PdfName filterSubtype)
Use this constructor if you want to verify a signature. Constructing the object only parses the signature; nothing is verified until the signed byte range has been fed in through Update and Verify or VerifySignatureIntegrityAndAuthenticity has been called.
| contentsKey | the /Contents key |
| filterSubtype | the filter subtype |

virtual byte[] GetAuthenticatedAttributeBytes (byte[] secondDigest, byte[] ocsp, ICollection< byte[]> crlBytes, PdfSigner.CryptoStandard sigtype)
When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute set, and the signature is computed over the DER-encoded authenticatedAttributes rather than over the document digest itself. This method provides that encoding. The digest, revocation data and sigtype passed here must be exactly the same values that are later passed to GetEncodedPKCS7; otherwise the attribute set that was signed differs from the one that is embedded and the signature will not verify.
A simple example (C#, against the signatures on this page; `key`, `chain` and `rangeStream`, a stream over the byte range being signed, are assumed to exist):
    PdfPKCS7 pk7 = new PdfPKCS7(key, chain, "SHA256", false); // SHA-1, used in older examples, is obsolete for new signatures
    IDigest messageDigest = DigestAlgorithms.GetMessageDigest("SHA256");
    byte[] buf = new byte[8192];
    int n;
    while ((n = rangeStream.Read(buf, 0, buf.Length)) > 0) {
        messageDigest.BlockUpdate(buf, 0, n);
    }
    byte[] hash = new byte[messageDigest.GetDigestSize()];
    messageDigest.DoFinal(hash, 0);
    // encode the signed attributes (they carry 'hash') and feed them to the internal signer
    byte[] sh = pk7.GetAuthenticatedAttributeBytes(hash, null, null, PdfSigner.CryptoStandard.CMS);
    pk7.Update(sh, 0, sh.Length);
    // same digest, same (absent) revocation data and same sigtype as above
    byte[] sg = pk7.GetEncodedPKCS7(hash, null, null, null, PdfSigner.CryptoStandard.CMS);
| secondDigest | the content digest |
| ocsp | DER-encoded OCSP response for a certificate in the signature certificate chain, or null if OCSP revocation data is not to be added. |
| crlBytes | collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added. |
| sigtype | specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES |

virtual byte[] GetAuthenticatedAttributeBytes (byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ICollection< byte[]> ocsp, ICollection< byte[]> crlBytes)
Same behaviour as the overload above, but accepting a collection of OCSP responses (one per certificate in the chain) instead of a single response. The same rule applies: the values passed here must match those passed to the corresponding GetEncodedPKCS7 overload. With this overload the two calls of the example above read:
    byte[] sh = pk7.GetAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CMS, null, null);
    pk7.Update(sh, 0, sh.Length);
    byte[] sg = pk7.GetEncodedPKCS7(hash, PdfSigner.CryptoStandard.CMS, null, null, null);
| secondDigest | the content digest |
| sigtype | specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES |
| ocsp | collection of DER-encoded OCSP responses for certificates in the signature certificate chain, or null if OCSP revocation data is not to be added. |
| crlBytes | collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added. |

virtual X509Certificate[] GetCertificates ()
Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.

virtual ICollection< X509Crl > GetCRLs ()
Get the X.509 certificate revocation lists associated with this PKCS#7 object.

virtual String GetDigestAlgorithm ()
Get the algorithm used to calculate the message digest, e.g. "SHA1withRSA".

virtual String GetDigestAlgorithmOid ()
Getter for the ID of the digest algorithm, e.g. "2.16.840.1.101.3.4.2.1" (SHA-256).

virtual String GetDigestEncryptionAlgorithmOid ()
Getter for the OID of the digest encryption (signature) algorithm.

virtual byte[] GetEncodedPKCS1 ()
Gets the bytes for the PKCS#1 object.

virtual byte[] GetEncodedPKCS7 ()
Gets the bytes for the PKCS7SignedData object.

virtual byte[] GetEncodedPKCS7 (byte[] secondDigest)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set; if secondDigest is null, no authenticated attributes are used.
| secondDigest | the digest in the authenticatedAttributes |

virtual byte[] GetEncodedPKCS7 (byte[] secondDigest, ITSAClient tsaClient, byte[] ocsp, ICollection< byte[]> crlBytes, PdfSigner.CryptoStandard sigtype)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, and/or a time-stamp-authority client may be provided. When a client is given, a hash of the signature value is sent to the TSA and the returned token is embedded as an unsigned attribute, so the timestamp attests to the signature rather than to the document bytes directly.
| secondDigest | the digest in the authenticatedAttributes |
| tsaClient | null or an optional time stamp authority client |
| ocsp | DER-encoded OCSP response for the first certificate in the signature certificate chain, or null if OCSP revocation data is not to be added. |
| crlBytes | collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added. |
| sigtype | specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES |

virtual byte[] GetEncodedPKCS7 (byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ITSAClient tsaClient, ICollection< byte[]> ocsp, ICollection< byte[]> crlBytes)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, and/or a time-stamp-authority client may be provided. This overload accepts OCSP responses for several certificates of the chain. The digest, sigtype, OCSP and CRL values must be identical to those that were passed to GetAuthenticatedAttributeBytes when the signature was computed.
| secondDigest | the digest in the authenticatedAttributes |
| sigtype | specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES |
| tsaClient | null or an optional time stamp authority client |
| ocsp | collection of DER-encoded OCSP responses for certificates in the signature certificate chain, or null if OCSP revocation data is not to be added. |
| crlBytes | collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added. |

virtual String GetEncryptionAlgorithm ()
Returns the encryption algorithm.

virtual PdfName GetFilterSubtype ()
Returns the filter subtype.

virtual String GetHashAlgorithm ()
Returns the name of the digest algorithm, e.g. "SHA256".

virtual String GetLocation ()
Getter for property location.

virtual BasicOcspResp GetOcsp ()
Gets the OCSP basic response if there is one.

virtual String GetReason ()
Getter for property reason.

virtual X509Certificate[] GetSignCertificateChain ()
Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.

virtual DateTime GetSignDate ()
Getter for property signDate. For a parsed signature this is the signing time asserted by the signer itself and is not independently verifiable; when a timestamp token is present, GetTimeStampDate gives a time vouched for by a third party.

virtual X509Certificate GetSigningCertificate ()
Get the X.509 certificate actually used to sign the digest.

virtual int GetSigningInfoVersion ()
Get the version of the PKCS#7 "SignerInfo" object.

virtual String GetSignName ()
Getter for property sigName.

virtual DateTime GetTimeStampDate ()
Gets the timestamp date.

virtual TimeStampToken GetTimeStampToken ()
Gets the timestamp token if there is one.

virtual int GetVersion ()
Get the version of the PKCS#7 object.

virtual bool IsRevocationValid ()
Checks if the OCSP revocation response refers to the document signing certificate.

virtual bool IsTsp ()
Check if it's a PAdES-LTV time stamp.

virtual void SetExternalDigest (byte[] digest, byte[] rsaData, String digestEncryptionAlgorithm)
Sets the digest/signature to an externally calculated value. Use this when the private key is held outside the process (HSM, smart card, remote signing service) and the object was constructed with a null private key: encode the authenticated attributes with GetAuthenticatedAttributeBytes, have the external signer sign exactly those bytes, pass the result here, then call GetEncodedPKCS7 with the same digest and revocation data.
| digest | the digest. This is the actual signature value |
| rsaData | the extra data that goes into the data tag in PKCS#7; null for detached signatures |
| digestEncryptionAlgorithm | the encryption algorithm. It must be null if the digest is also null; if the digest is not null it may be "RSA" or "DSA" |
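Worked example of that flow, written for this page (it is not iText's own code and was not part of the original documentation). Besides the PdfPKCS7 members documented here it assumes DigestAlgorithms.GetMessageDigest and DigestAlgorithms.Digest and PdfName.Adbe_pkcs7_detached from iText, SignerUtilities from BouncyCastle, and a certificate chain and private key supplied by the caller (for instance loaded from a PKCS#12 file). The external signer is modelled as a Func<byte[], byte[]> so that an HSM or remote service can be substituted for the local software signer shown.

```csharp
using System;
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

// Added example, not iText's own code: the external-signature flow that
// PdfPKCS7 supports through SetExternalDigest. The CMS structure is built
// here; the raw signature value comes from a caller-supplied signer.
public static class ExternalSigningExample
{
    // 'signer' stands for whatever holds the key (HSM, smart card, remote
    // service). It receives the DER-encoded signed attributes and must return
    // a raw PKCS#1 signature over exactly those bytes.
    public static byte[] BuildDetachedCms(byte[] signedBytes, X509Certificate[] chain,
                                          Func<byte[], byte[]> signer,
                                          string hashAlgorithm, string encryptionAlgorithm)
    {
        // Null private key: PdfPKCS7 only assembles the SignedData, it never signs.
        PdfPKCS7 sgn = new PdfPKCS7((ICipherParameters)null, chain, hashAlgorithm, false);

        // Digest of the bytes covered by /ByteRange (assumed helper from iText.Signatures).
        byte[] hash = DigestAlgorithms.Digest(new MemoryStream(signedBytes),
                                              DigestAlgorithms.GetMessageDigest(hashAlgorithm));

        // What actually gets signed: the signed attributes (which embed 'hash'),
        // not the document digest itself.
        byte[] attributes = sgn.GetAuthenticatedAttributeBytes(
            hash, PdfSigner.CryptoStandard.CMS, null, null);
        byte[] signatureValue = signer(attributes);

        // rsaData is null: nothing is encapsulated in a detached signature.
        sgn.SetExternalDigest(signatureValue, null, encryptionAlgorithm);

        // Same hash, same sigtype, same (absent) revocation data as above, or the
        // embedded attribute set will not be the one that was signed.
        return sgn.GetEncodedPKCS7(hash, PdfSigner.CryptoStandard.CMS, null, null, null);
    }

    // Round trip: parse the produced CMS the way a verifier would and check it
    // against the bytes it is supposed to cover. Any change to 'signedBytes'
    // makes this return false.
    public static bool VerifyDetachedCms(byte[] cms, byte[] signedBytes)
    {
        PdfPKCS7 pk7 = new PdfPKCS7(cms, PdfName.Adbe_pkcs7_detached);
        pk7.Update(signedBytes, 0, signedBytes.Length);
        return pk7.VerifySignatureIntegrityAndAuthenticity();
    }

    // A local software signer, used only so the example is self-contained.
    // In production this is the call into the HSM or signing service.
    public static Func<byte[], byte[]> RsaSha256Signer(AsymmetricKeyParameter privateKey)
    {
        return data =>
        {
            ISigner s = SignerUtilities.GetSigner("SHA256withRSA");
            s.Init(true, privateKey);
            s.BlockUpdate(data, 0, data.Length);
            return s.GenerateSignature();
        };
    }

    // Usage with a caller-provided 'chain' and 'privateKey' (assumed loaded elsewhere):
    //   byte[] cms = BuildDetachedCms(data, chain, RsaSha256Signer(privateKey), "SHA256", "RSA");
    //   bool ok = VerifyDetachedCms(cms, data);          // true
    //   data[0] ^= 0x01;
    //   bool tampered = VerifyDetachedCms(cms, data);    // false
}
```

The hash algorithm given to the constructor and the one used by the signer must agree ("SHA256" with "SHA256withRSA" here); the encryption algorithm string passed to SetExternalDigest only tells PdfPKCS7 which signature algorithm OID to write, it does not influence the external signer.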
|

virtual void SetLocation (String location)
Setter for property location.
| location | New value of property location. |

virtual void SetReason (String reason)
Setter for property reason.
| reason | New value of property reason. |

virtual void SetSignDate (DateTime signDate)
Setter for property signDate.
| signDate | New value of property signDate. |

virtual void SetSignName (String signName)
Setter for property sigName.
| signName | New value of property sigName. |

virtual void Update (byte[] buf, int off, int len)
Update the digest with the specified bytes. This method is used both for signing and verifying: when signing with authenticated attributes it is fed the DER-encoded attribute bytes returned by GetAuthenticatedAttributeBytes; when verifying it is fed the bytes of the document covered by /ByteRange.
| buf | the data buffer |
| off | the offset in the data buffer |
| len | the data length |

virtual bool Verify ()
Verify the digest.
Returns true if the signature checks out, false otherwise.

virtual bool VerifySignatureIntegrityAndAuthenticity ()
Verifies that signature integrity is intact (in other words, that the signed data was not modified) by checking that the embedded data digest corresponds to the calculated one. Also ensures that the signature is genuine and was created by the owner of the private key that corresponds to the declared public certificate.
Even though the signature may be authentic and the integrity of the signed data intact, one must also always check that the signed data is not merely a part of the PDF but the complete file: a signature over an earlier revision still verifies after incremental updates have appended new content. To check that a given signature covers the current iText.Kernel.Pdf.PdfDocument, use the SignatureUtil.SignatureCoversWholeDocument(System.String) method. This method also says nothing about whether the signing certificate should be trusted (chain to a trusted anchor, validity period, revocation status) or about when the signature was made; those are separate checks.
Returns true if the signature checks out, false otherwise.
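The full set of checks the paragraph above calls for, as an added example that is not iText's own code: cryptographic verification, whole-document coverage, timestamp imprint and certificate trust, reported per signature. It assumes SignatureUtil.ReadSignatureData, SignatureUtil.GetRevision, SignatureUtil.GetTotalRevisions and CertificateVerification.VerifyCertificates from iText.Signatures with the signatures used below, and a list of trusted CA certificates loaded by the caller.

```csharp
using System;
using System.Collections.Generic;
using iText.Kernel.Pdf;
using iText.Signatures;
using Org.BouncyCastle.X509;

// Added example, not iText's own code: audit every signature in a PDF.
// A signature is only meaningful when all four checks below hold.
public static class SignedPdfAudit
{
    public sealed class Result
    {
        public string Name;
        public int Revision, TotalRevisions;
        public bool Intact, CoversWholeDocument, TimestampOk, ChainTrusted;
        public string Signer;
        public DateTime Date;
        public IList<string> Problems = new List<string>();
    }

    // 'trustAnchors': the CA certificates this verifier trusts (assumed to be
    // loaded by the caller). The PDF at 'path' is opened read-only.
    public static IList<Result> Audit(string path, List<X509Certificate> trustAnchors)
    {
        var results = new List<Result>();
        using (PdfDocument doc = new PdfDocument(new PdfReader(path)))
        {
            SignatureUtil util = new SignatureUtil(doc);
            foreach (string name in util.GetSignatureNames())
            {
                var r = new Result { Name = name };
                r.Revision = util.GetRevision(name);
                r.TotalRevisions = util.GetTotalRevisions();

                // Parses /Contents into a PdfPKCS7 and feeds it the /ByteRange bytes
                // (assumed SignatureUtil method).
                PdfPKCS7 pk7 = util.ReadSignatureData(name);

                // 1. Integrity and authenticity of the signed byte range.
                r.Intact = pk7.VerifySignatureIntegrityAndAuthenticity();
                if (!r.Intact) r.Problems.Add("digest or signature mismatch");

                // 2. Does the signed range cover the whole file? A valid signature on
                //    revision 1 of 3 says nothing about what was appended afterwards.
                r.CoversWholeDocument = util.SignatureCoversWholeDocument(name);
                if (!r.CoversWholeDocument)
                    r.Problems.Add("later revisions are not covered by this signature");

                // 3. Prefer the TSA time over the signer-asserted signing time.
                if (pk7.GetTimeStampToken() != null)
                {
                    r.TimestampOk = pk7.VerifyTimestampImprint();
                    r.Date = pk7.GetTimeStampDate();
                    if (!r.TimestampOk) r.Problems.Add("timestamp does not match the signature value");
                }
                else
                {
                    r.Date = pk7.GetSignDate();   // self-asserted by the signer, not evidence
                }

                // 4. Trust in the certificate: chain to an anchor, validity at 'Date',
                //    embedded CRLs. VerifySignatureIntegrityAndAuthenticity does none of this.
                X509Certificate[] chain = pk7.GetSignCertificateChain();
                r.Signer = chain[0].SubjectDN.ToString();
                IList<VerificationException> errors =
                    CertificateVerification.VerifyCertificates(chain, trustAnchors, pk7.GetCRLs(), r.Date);
                r.ChainTrusted = errors == null || errors.Count == 0;
                if (errors != null)
                    foreach (VerificationException e in errors) r.Problems.Add(e.Message);

                results.Add(r);
            }
        }
        return results;
    }

    // Accept a document only if every signature passes every check.
    public static bool AllValid(IList<Result> results)
    {
        if (results.Count == 0) return false;
        foreach (Result r in results)
            if (!(r.Intact && r.CoversWholeDocument && r.ChainTrusted
                  && (r.TimestampOk || r.Problems.Count == 0)))
                return false;
        return true;
    }
}
```

A document with two signatures typically has the first one reporting CoversWholeDocument = false, because the second signature was appended as an incremental update; that is expected, and the decision then rests on whether the last signature covers the whole file and what the uncovered revisions changed, which SignatureUtil exposes through the revision number rather than through this class.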

virtual bool VerifyTimestampImprint ()
Checks if the timestamp refers to this document, that is, whether the message imprint in the embedded timestamp token matches a digest of the signature value it is supposed to cover. Returns false when there is no timestamp token or the imprint does not match.