public class PdfPKCS7 extends Object
Constructor and Description |
---|
PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
Use this constructor if you want to verify a signature using the sub-filter adbe.x509.rsa_sha1.
|
PdfPKCS7(byte[] contentsKey, PdfName filterSubtype, String provider)
Use this constructor if you want to verify a signature.
|
PdfPKCS7(PrivateKey privKey, Certificate[] certChain, String hashAlgorithm, String provider, IExternalDigest interfaceDigest, boolean hasRSAdata)
Assembles all the elements needed to create a signature, except for the data.
|
Modifier and Type | Method and Description |
---|---|
byte[] |
getAuthenticatedAttributeBytes(byte[] secondDigest, byte[] ocsp, Collection
Deprecated.
This method overload is deprecated. Please use
getAuthenticatedAttributeBytes(byte[], PdfSigner.CryptoStandard, Collection, Collection)
|
byte[] |
getAuthenticatedAttributeBytes(byte[] secondDigest, PdfSigner.CryptoStandard sigtype, Collection
When using authenticatedAttributes the authentication process is different.
|
Certificate[] |
getCertificates()
Get all the X.509 certificates associated with this PKCS#7 object in no particular order.
|
Collection<CRL> |
getCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 object
|
String |
getDigestAlgorithm()
Get the algorithm used to calculate the message digest, e.g.
|
String |
getDigestAlgorithmOid()
Getter for the ID of the digest algorithm, e.g.
|
String |
getDigestEncryptionAlgorithmOid()
Getter for the digest encryption algorithm
|
byte[] |
getEncodedPKCS1()
Gets the bytes for the PKCS#1 object.
|
byte[] |
getEncodedPKCS7()
Gets the bytes for the PKCS7SignedData object.
|
byte[] |
getEncodedPKCS7(byte[] secondDigest)
Gets the bytes for the PKCS7SignedData object.
|
byte[] |
getEncodedPKCS7(byte[] secondDigest, ITSAClient tsaClient, byte[] ocsp, Collection
Deprecated.
This overload is deprecated, use
getEncodedPKCS7(byte[], PdfSigner.CryptoStandard, ITSAClient, Collection, Collection) instead.
|
byte[] |
getEncodedPKCS7(byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ITSAClient tsaClient, Collection
Gets the bytes for the PKCS7SignedData object.
|
String |
getEncryptionAlgorithm()
Returns the encryption algorithm
|
PdfName |
getFilterSubtype()
Returns the filter subtype.
|
String |
getHashAlgorithm()
Returns the name of the digest algorithm, e.g.
|
String |
getLocation()
Getter for property location.
|
org.bouncycastle.cert.ocsp.BasicOCSPResp |
getOcsp()
Gets the OCSP basic response if there is one.
|
String |
getReason()
Getter for property reason.
|
Certificate[] |
getSignCertificateChain()
Get the X.509 sign certificate chain associated with this PKCS#7 object.
|
Calendar |
getSignDate()
Getter for property signDate.
|
X509Certificate |
getSigningCertificate()
Get the X.509 certificate actually used to sign the digest.
|
int |
getSigningInfoVersion()
Get the version of the PKCS#7 "SignerInfo" object.
|
String |
getSignName()
Getter for property sigName.
|
Calendar |
getTimeStampDate()
Gets the timestamp date.
|
org.bouncycastle.tsp.TimeStampToken |
getTimeStampToken()
Gets the timestamp token if there is one.
|
int |
getVersion()
Get the version of the PKCS#7 object.
|
boolean |
isRevocationValid()
Checks if OCSP revocation refers to the document signing certificate.
|
boolean |
isTsp()
Check if it's a PAdES-LTV time stamp.
|
void |
setExternalDigest(byte[] digest, byte[] rsaData, String digestEncryptionAlgorithm)
Sets the digest/signature to an external calculated value.
|
void |
setLocation(String location)
Setter for property location.
|
void |
setReason(String reason)
Setter for property reason.
|
void |
setSignaturePolicy(org.bouncycastle.asn1.esf.SignaturePolicyIdentifier signaturePolicy) |
void |
setSignaturePolicy(SignaturePolicyInfo signaturePolicy) |
void |
setSignDate(Calendar signDate)
Setter for property signDate.
|
void |
setSignName(String signName)
Setter for property sigName.
|
void |
update(byte[] buf, int off, int len)
Update the digest with the specified bytes.
|
boolean |
verify()
Deprecated.
This method will be removed in future versions. Please use
verifySignatureIntegrityAndAuthenticity() instead.
|
boolean |
verifySignatureIntegrityAndAuthenticity()
Verifies that signature integrity is intact (or in other words that signed data wasn't modified) by checking that embedded data digest corresponds to the calculated one.
|
boolean |
verifyTimestampImprint()
Checks if the timestamp refers to this document.
|
public PdfPKCS7(PrivateKey privKey, Certificate[] certChain, String hashAlgorithm, String provider, IExternalDigest interfaceDigest, boolean hasRSAdata) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException
privKey
- the private key
certChain
- the certificate chain
interfaceDigest
- the interface digest
hashAlgorithm
- the hash algorithm
provider
- the provider or null
for the default provider
hasRSAdata
- true
if the sub-filter is adbe.pkcs7.sha1
InvalidKeyException
- on error
NoSuchProviderException
- on error
NoSuchAlgorithmException
- on error
public PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
contentsKey
- the /Contents key
certsKey
- the /Cert key
provider
- the provider or null
for the default provider
public void setSignaturePolicy(SignaturePolicyInfo signaturePolicy)
public void setSignaturePolicy(org.bouncycastle.asn1.esf.SignaturePolicyIdentifier signaturePolicy)
public String getSignName()
public void setSignName(String signName)
signName
- New value of property sigName.
public String getReason()
public void setReason(String reason)
reason
- New value of property reason.
public String getLocation()
public void setLocation(String location)
location
- New value of property location.
public Calendar getSignDate()
public void setSignDate(Calendar signDate)
signDate
- New value of property signDate.
public int getVersion()
public int getSigningInfoVersion()
public String getDigestAlgorithmOid()
public String getHashAlgorithm()
public String getDigestEncryptionAlgorithmOid()
public String getDigestAlgorithm()
public void setExternalDigest(byte[] digest, byte[] rsaData, String digestEncryptionAlgorithm)
digest
- the digest. This is the actual signature
rsaData
- the extra data that goes into the data tag in PKCS#7
digestEncryptionAlgorithm
- the encryption algorithm. It may must be null
if the digest
is also null
. If the digest
is not null
then it may be "RSA" or "DSA"
public void update(byte[] buf, int off, int len) throws SignatureException
buf
- the data buffer
off
- the offset in the data buffer
len
- the data length
SignatureException
- on error
public byte[] getEncodedPKCS1()
public byte[] getEncodedPKCS7()
public byte[] getEncodedPKCS7(byte[] secondDigest)
null
, none will be used.
secondDigest
- the digest in the authenticatedAttributes
@Deprecated public byte[] getEncodedPKCS7(byte[] secondDigest, ITSAClient tsaClient, byte[] ocsp, CollectioncrlBytes, PdfSigner.CryptoStandard sigtype)
getEncodedPKCS7(byte[], PdfSigner.CryptoStandard, ITSAClient, Collection, Collection)
instead.
secondDigest
- the digest in the authenticatedAttributes
tsaClient
- TSAClient - null or an optional time stamp authority client
ocsp
- DER-encoded OCSP response for the first certificate in the signature certificates chain, or null if OCSP revocation data is not to be added.
crlBytes
- collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added.
sigtype
- specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES
public byte[] getEncodedPKCS7(byte[] secondDigest, PdfSigner.CryptoStandard sigtype, ITSAClient tsaClient, Collectionocsp, Collection crlBytes)
secondDigest
- the digest in the authenticatedAttributes
sigtype
- specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES
tsaClient
- TSAClient - null or an optional time stamp authority client
ocsp
- collection of DER-encoded OCSP responses for the certificate in the signature certificates chain, or null if OCSP revocation data is not to be added.
crlBytes
- collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added.
@Deprecated public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, byte[] ocsp, CollectioncrlBytes, PdfSigner.CryptoStandard sigtype)
getAuthenticatedAttributeBytes(byte[], PdfSigner.CryptoStandard, Collection, Collection)
getEncodedPKCS7(byte[])
.
A simple example:
Calendar cal = Calendar.getInstance(); PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false); MessageDigest messageDigest = MessageDigest.getInstance("SHA1"); byte[] buf = new byte[8192]; int n; InputStream inp = sap.getRangeStream(); while ((n = inp.read(buf)) > 0) { messageDigest.update(buf, 0, n); } byte[] hash = messageDigest.digest(); byte[] sh = pk7.getAuthenticatedAttributeBytes(hash, cal); pk7.update(sh, 0, sh.length); byte[] sg = pk7.getEncodedPKCS7(hash, cal);
secondDigest
- the content digest
ocsp
- collection of DER-encoded OCSP responses for the certificate in the signature certificates chain, or null if OCSP revocation data is not to be added.
crlBytes
- collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added.
sigtype
- specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES
public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, PdfSigner.CryptoStandard sigtype, Collectionocsp, Collection crlBytes)
getEncodedPKCS7(byte[])
.
A simple example:
Calendar cal = Calendar.getInstance(); PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false); MessageDigest messageDigest = MessageDigest.getInstance("SHA1"); byte[] buf = new byte[8192]; int n; InputStream inp = sap.getRangeStream(); while ((n = inp.read(buf)) > 0) { messageDigest.update(buf, 0, n); } byte[] hash = messageDigest.digest(); byte[] sh = pk7.getAuthenticatedAttributeBytes(hash, cal); pk7.update(sh, 0, sh.length); byte[] sg = pk7.getEncodedPKCS7(hash, cal);
secondDigest
- the content digest
sigtype
- specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES
ocsp
- collection of DER-encoded OCSP responses for the certificate in the signature certificates chain, or null if OCSP revocation data is not to be added.
crlBytes
- collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added.
@Deprecated public boolean verify() throws GeneralSecurityException
verifySignatureIntegrityAndAuthenticity()
instead.
true
if the signature checks out, false
otherwise
GeneralSecurityException
- if this signature object is not initialized properly, the passed-in signature is improperly encoded or of the wrong type, if this signature algorithm is unable to process the input data provided, if the public key is invalid or if security provider or signature algorithm are not recognized, etc.
public boolean verifySignatureIntegrityAndAuthenticity() throws GeneralSecurityException
Even though signature can be authentic and signed data integrity can be intact, one shall also always check that signed data is not only a part of PDF contents but is actually a complete PDF file. In order to check that given signature covers the current PdfDocument
please use SignatureUtil.signatureCoversWholeDocument(String)
method.
true
if the signature checks out, false
otherwise
GeneralSecurityException
- if this signature object is not initialized properly, the passed-in signature is improperly encoded or of the wrong type, if this signature algorithm is unable to process the input data provided, if the public key is invalid or if security provider or signature algorithm are not recognized, etc.
public boolean verifyTimestampImprint() throws GeneralSecurityException
GeneralSecurityException
- on error
public Certificate[] getCertificates()
public Certificate[] getSignCertificateChain()
public X509Certificate getSigningCertificate()
public Collection<CRL> getCRLs()
public org.bouncycastle.cert.ocsp.BasicOCSPResp getOcsp()
public boolean isRevocationValid()
public boolean isTsp()
public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
public Calendar getTimeStampDate()
TimestampConstants.UNDEFINED_TIMESTAMP_DATE
will be returned.
public PdfName getFilterSubtype()
public String getEncryptionAlgorithm()
Copyright © 1998–2020 iText Group NV. All rights reserved.