Generated by JDiff
This file contains all the changes in documentation in the package com.itextpdf.signatures as differences. Deletions are shown [-like this-], and additions are shown {+like this+}.
If no deletions or additions are shown in an entry, the HTML tags will be what has changed. The new HTML tags are shown in the differences. If no documentation existed, and then some was added in a later version, this change is noted in the appropriate class pages of differences, but the change is not shown on this page. Only changes in existing text are shown here. Similarly, documentation which was inherited from another class or interface is not shown here.
Note that an HTML error in the new documentation may cause the display of other documentation changes to be presented incorrectly. For instance, failure to close a tag will cause all subsequent paragraphs to be displayed differently.

Class CertificateInfo.X500Name, String getField(String)
Gets the first entry from the field array retrieved from the values Map.
@param name the field name
@return the (first) field value

Class CertificateInfo.X500Name, List getFieldArray(String)
Gets a field array from the values Map.
@param name the field name
@return List

Class CertificateInfo, IASN1Primitive getIssuer(byte[])
Get the "issuer" from the TBSCertificate bytes that are passed in.
@param enc a TBSCertificate in a byte array
@return an [-ASN1Primitive-] {+IASN1Primitive+}

Class CertificateInfo, X500Name getIssuerFields(X509Certificate)
Get the issuer fields from an X509 Certificate.
@param cert an X509Certificate
@return an X500Name

Class CertificateInfo, IASN1Primitive getSubject(byte[])
Get the "subject" from the TBSCertificate bytes that are passed in.
@param enc a TBSCertificate in a byte array
@return an [-ASN1Primitive-] {+IASN1Primitive+}

Class CertificateInfo, X500Name getSubjectFields(X509Certificate)
Get the subject fields from an X509 Certificate.
@param cert an X509Certificate
@return an X500Name

Class CertificateUtil, CRL getCRL(String)
Gets the CRL object using a CRL URL.
@param url the URL where the CRL is located
@return CRL object
@throws IOException thrown when the URL couldn't be opened properly.
@throws CertificateException thrown if there's no X509 implementation in the provider.
@throws CRLException thrown when encountering errors when parsing the CRL.

Class CertificateUtil, CRL getCRL(X509Certificate)
Gets a CRL from an X509 certificate.
@param certificate the X509Certificate to extract the CRL from
@return CRL or null if there's no CRL available
@throws IOException thrown when the URL couldn't be opened properly.
@throws CertificateException thrown if there's no X509 implementation in the provider.
@throws CRLException thrown when encountering errors when parsing the CRL.

Class CertificateUtil, String getCRLURL(X509Certificate)
Gets the URL of the Certificate Revocation List for a Certificate.
@param certificate the Certificate
@return the String where you can check if the certificate was revoked

Class CertificateUtil, String getOCSPURL(X509Certificate)
Retrieves the OCSP URL from the given certificate.
@param certificate the certificate
@return the URL or null

Class CertificateUtil, String getTSAURL(X509Certificate)
Gets the URL of the TSA if it's available on the certificate.
@param certificate a certificate
@return a TSA URL

Class CertificateVerification, List verifyCertificates(Certificate[], KeyStore)
Verifies a certificate chain against a KeyStore for the current date.
@param certs the certificate chain
@param keystore the KeyStore
@return null if the certificate chain could be validated, or an Object[]{cert,error} where cert is the failed certificate and error is the error message
@throws CertificateEncodingException if an encoding error occurs in Certificate.

Class CertificateVerification, List verifyCertificates(Certificate[], KeyStore, Calendar)
Verifies a certificate chain against a KeyStore.
@param certs the certificate chain
@param keystore the KeyStore
@param calendar the date, shall not be null
@return null if the certificate chain could be validated, or an Object[]{cert,error} where cert is the failed certificate and error is the error message
@throws CertificateEncodingException if an encoding error occurs in Certificate.

Class CertificateVerification, List verifyCertificates(Certificate[], KeyStore, Collection)
Verifies a certificate chain against a KeyStore for the current date.
@param certs the certificate chain
@param keystore the KeyStore
@param crls the certificate revocation list or null
@return empty list if the certificate chain could be validated, or an Object[]{cert,error} where cert is the failed certificate and error is the error message
@throws CertificateEncodingException if an encoding error occurs in Certificate.

Class CertificateVerification, List verifyCertificates(Certificate[], KeyStore, Collection, Calendar)
Verifies a certificate chain against a KeyStore.
@param certs the certificate chain
@param keystore the KeyStore
@param crls the certificate revocation list or null
@param calendar the date, shall not be null
@return empty list if the certificate chain could be validated, or an Object[]{cert,error} where cert is the failed certificate and error is the error message
@throws CertificateEncodingException if an encoding error occurs in Certificate.

Class CrlClientOnline, Collection getEncoded(X509Certificate, String)
Fetches the CRL bytes from a URL. If no URL is passed as parameter, the URL will be obtained from the certificate. If you want to load a CRL from a local file, subclass this method and pass a URL with the path to the local file to this method. Another option is to use the CrlClientOffline class.
@throws CertificateEncodingException if an encoding error occurs in X509Certificate.
@see ICrlClient#getEncoded(java.security.cert.X509Certificate, java.lang.String)

Class ICrlClient, Collection getEncoded(X509Certificate, String)
Gets an encoded byte array.
@param checkCert The certificate which a CRL URL can be obtained from.
@param url A CRL URL if you don't want to obtain it from the certificate.
@return A collection of byte arrays, each representing a CRL. It may return null or an empty collection.
@throws CertificateEncodingException if an encoding error occurs in X509Certificate.

Class ITSAInfoBouncyCastle, void inspectTimeStampTokenInfo(ITimeStampTokenInfo)
When a timestamp is created using TSAClientBouncyCastle, this method is triggered, passing an object that contains info about the timestamp and the time stamping authority.
@param info a [-TimeStampTokenInfo-] {+ITimeStampTokenInfo+} object

Class LtvVerification, constructor LtvVerification(PdfDocument, String)
The verification constructor. This class should only be created with PdfStamper.getLtvVerification(), otherwise the information will not be added to the PDF.
@param document The PdfDocument to apply the validation to.
@param securityProviderCode Security provider to use

Class LtvVerification, boolean addVerification(String, Collection, Collection, Collection)
Adds verification to the signature.
@param signatureName name of the signature
@param ocsps collection of DER-encoded BasicOCSPResponses
@param crls collection of DER-encoded CRLs
@param certs collection of DER-encoded certificates
@return boolean
@throws IOException signals that an I/O exception has occurred
@throws GeneralSecurityException when requested cryptographic algorithm or security provider is not available

Class LtvVerification, boolean addVerification(String, IOcspClient, ICrlClient, CertificateOption, Level, CertificateInclusion)
Add verification for a particular signature.
@param signatureName the signature to validate (it may be a timestamp)
@param ocsp the interface to get the OCSP
@param crl the interface to get the CRL
@param certOption options as to how many certificates to include
@param level the validation options to include
@param certInclude certificate inclusion options
@return true if a validation was generated, false otherwise
@throws GeneralSecurityException when requested cryptographic algorithm or security provider is not available
@throws IOException signals that an I/O exception has occurred

Class LtvVerification, String convertToHex(byte[])
Converts an array of bytes to a String of hexadecimal values.
@param bytes a byte array
@return the same bytes expressed as hexadecimal values

Class LtvVerifier, constructor LtvVerifier(PdfDocument)
Creates a VerificationData object for a PdfReader.
@param document The document we want to verify.
@throws GeneralSecurityException if some problem with signature or security occurred

Class LtvVerifier, PdfPKCS7 coversWholeDocument()
Checks if the signature covers the whole document and throws an exception if the document was altered.
@return a PdfPKCS7 object
@throws GeneralSecurityException if some problems with signature or security occurred

Class LtvVerifier, List getCRLsFromDSS()
Gets a list of X509CRL objects from a Document Security Store.
@return a list of CRLs
@throws GeneralSecurityException when requested cryptographic algorithm or security provider is not available

Class LtvVerifier, List getOCSPResponsesFromDSS()
Gets OCSP responses from the Document Security Store.
@return a list of [-BasicOCSPResp-] {+IBasicOCSPResp+} objects
@throws GeneralSecurityException if OCSP response failed

Class LtvVerifier, void setCertificateOption(CertificateOption)
Sets the certificate option.
@param option Either CertificateOption.SIGNING_CERTIFICATE (default) or CertificateOption.WHOLE_CHAIN

Class LtvVerifier, void setVerifier(CertificateVerifier)
Sets an extra verifier.
@param verifier the verifier to set

Class LtvVerifier, void switchToPreviousRevision()
Switches to the previous revision.
@throws IOException signals that an I/O exception has occurred
@throws GeneralSecurityException if some problems with signature or security occurred

Class LtvVerifier, List verify(List)
Verifies all the document-level timestamps and all the signatures in the document.
@param result a list of VerificationOK objects
@return a list of all VerificationOK objects after verification
@throws IOException signals that an I/O exception has occurred
@throws GeneralSecurityException if some problems with signature or security occurred

Class LtvVerifier, List verify(X509Certificate, X509Certificate, Date)
Verifies certificates against a list of CRLs and OCSP responses.
@param signCert the signing certificate
@param issuerCert the issuer's certificate
@return a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.
@throws GeneralSecurityException if some problems with signature or security occurred
@see com.itextpdf.signatures.RootStoreVerifier#verify(java.security.cert.X509Certificate, java.security.cert.X509Certificate, java.util.Date)

Class LtvVerifier, void verifyChain(Certificate[])
Checks the certificates in a certificate chain: are they valid on a specific date, and do they chain up correctly?
@param chain the certificate chain
@throws GeneralSecurityException when requested cryptographic algorithm or security provider is not available, if the certificate is invalid on a specific date, and if the certificates chained up incorrectly

Class LtvVerifier, List verifySignature()
Verifies a document level timestamp.
@return a list of VerificationOK objects
@throws GeneralSecurityException if some problems with signature or security occurred
@throws IOException signals that an I/O exception has occurred

Class OCSPVerifier, constructor OCSPVerifier(CertificateVerifier, List)
Creates an OCSPVerifier instance.
@param verifier the next verifier in the chain
@param ocsps a list of IBasicOCSPResp OCSP [-responses-] {+response wrappers+}

Class OCSPVerifier, IBasicOCSPResp getOcspResponse(X509Certificate, X509Certificate)
Gets an OCSP response online and returns it if the status is GOOD (without further checking!).
@param signCert the signing certificate
@param issuerCert the issuer certificate
@return IBasicOCSPResp an OCSP response wrapper

Class OCSPVerifier, boolean isSignatureValid(IBasicOCSPResp, Certificate)
Checks if an OCSP response is genuine.
@param ocspResp {+IBasicOCSPResp+} the OCSP response {+wrapper+}
@param responderCert the responder certificate
@return true if the OCSP response verifies against the responder certificate

Class OCSPVerifier, void isValidResponse(IBasicOCSPResp, X509Certificate, Date)
Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and the response's certificates, it may verify using a trusted anchor or cert.
@param ocspResp IBasicOCSPResp the OCSP response {+wrapper+}
@param issuerCert the issuer certificate. This certificate is considered trusted and valid by this method.
@param signDate sign date
@throws GeneralSecurityException if OCSP response verification cannot be done or failed

Class OCSPVerifier, boolean verify(IBasicOCSPResp, X509Certificate, X509Certificate, Date)
Verifies a certificate against a single OCSP response.
@param ocspResp IBasicOCSPResp the OCSP response {+wrapper+}
@param signCert the certificate that needs to be checked
@param issuerCert the certificate of the CA (the certificate that issued signCert). This certificate is considered trusted and valid by this method.
@param signDate sign date
@return true in case of a successful check, otherwise false.
@throws GeneralSecurityException if OCSP response verification cannot be done or failed

Class OCSPVerifier, List ocsps
The list of IBasicOCSPResp OCSP [-responses-] {+response wrappers+}.

Class OcspClientBouncyCastle, IBasicOCSPResp getBasicOCSPResp(X509Certificate, X509Certificate, String)
Gets OCSP response. If OCSPVerifier was set, the response will be checked.
@param checkCert the certificate to check
@param rootCert the parent certificate
@param url to get the verification
@return IBasicOCSPResp an OCSP response wrapper

Class PdfPKCS7
This class does all the processing related to signing and verifying a PKCS#7 / CMS signature.

Class PdfPKCS7, constructor PdfPKCS7(PrivateKey, Certificate[], String, String, IExternalDigest, boolean)
Assembles all the elements needed to create a signature, except for the data.
@param privKey the private key
@param certChain the certificate chain
@param interfaceDigest the interface digest
@param hashAlgorithm the hash algorithm
@param provider the provider or null for the default provider
@param [-hasRSAdata-] {+hasEncapContent+} true if the sub-filter is adbe.pkcs7.sha1
@throws InvalidKeyException on error
@throws NoSuchProviderException on error
@throws NoSuchAlgorithmException on error

Class PdfPKCS7, byte[] getAuthenticatedAttributeBytes(byte[], CryptoStandard, Collection, Collection)
When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER-encoded authenticatedAttributes. This method provides that encoding, and the parameters must be exactly the same as in getEncodedPKCS7(byte[]).
Note: do not pass in the full DER-encoded OCSPResponse object obtained from the responder, only the DER-encoded [-BasicOCSPResponse-] {+IBasicOCSPResponse+} value contained in the response data.
A simple example (the calls below use the argument lists listed on this page; key and chain are the signer's PrivateKey and Certificate[], and sap is the object that exposes the byte range of the PDF being signed, all assumed to be in scope):

    // hashAlgorithm comes before provider in the constructor. "SHA1" is kept from the
    // original sample; it is a legacy digest and new signatures should use SHA-256 or stronger.
    PdfPKCS7 pk7 = new PdfPKCS7(key, chain, "SHA1", null, null, false);
    MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
    byte[] buf = new byte[8192];
    int n;
    InputStream inp = sap.getRangeStream();
    while ((n = inp.read(buf)) > 0) {
        messageDigest.update(buf, 0, n);
    }
    byte[] hash = messageDigest.digest();
    // The digest goes into the messageDigest attribute; sigtype, OCSP and CRL
    // arguments must be the same ones passed to getEncodedPKCS7 afterwards.
    byte[] sh = pk7.getAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CMS, null, null);
    pk7.update(sh, 0, sh.length);
    byte[] sg = pk7.getEncodedPKCS7(hash, PdfSigner.CryptoStandard.CMS, null, null, null);

@param secondDigest the content digest
@param sigtype specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES
@param ocsp collection of DER-encoded BasicOCSPResponses for the certificates in the signature certificate chain, or null if OCSP revocation data is not to be added.
@param crlBytes collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added.
@return the byte array representation of the authenticatedAttributes ready to be signed
@see RFC 6960 # 4.2.1
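The mechanism this entry describes, as an added illustration that is neither iText's code nor part of the original page: the content digest is placed in a CMS messageDigest attribute, the attributes are DER-encoded as a SET, and that SET encoding (not the bare digest) is what the private key signs; inside the SignerInfo the same bytes are stored under an implicit [0] tag, which is why a verifier must re-tag them before checking the signature. All function names and the sample content are mine; the OIDs are the standard PKCS#7/PKCS#9 values.

```python
import hashlib

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # PKCS#9 contentType
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"  # PKCS#9 messageDigest
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"      # PKCS#7 id-data

def der(tag, body):
    """One DER TLV; long-form length when contents exceed 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def signed_attributes(content_digest, econtent_type=OID_PKCS7_DATA):
    """SignedAttributes ::= SET OF Attribute, DER-sorted: contentType and messageDigest.
    This SET-tagged (0x31) encoding, carrying the byte-range digest, is what gets signed."""
    attrs = [
        der(0x30, der_oid(OID_CONTENT_TYPE) + der(0x31, der_oid(econtent_type))),
        der(0x30, der_oid(OID_MESSAGE_DIGEST) + der(0x31, der(0x04, content_digest))),
    ]
    return der(0x31, b"".join(sorted(attrs)))

def signed_attributes_for(content, algo="sha256"):
    return signed_attributes(hashlib.new(algo, content).digest())  # signer side: hash the byte range

def signer_info_field(signed_attrs):
    """Same bytes as stored in SignerInfo: [0] IMPLICIT (0xA0) replaces the SET
    tag, so a verifier must restore 0x31 before checking the signature."""
    return b"\xa0" + signed_attrs[1:]

def _tlvs(buf):
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def message_digest_in(signed_attrs):
    """Verifier side: the digest carried in the messageDigest attribute, or None."""
    key = der_oid(OID_MESSAGE_DIGEST)
    (_, set_body), = _tlvs(signed_attrs)
    for _, attr in _tlvs(set_body):
        if attr.startswith(key):
            (_, values), = _tlvs(attr[len(key):])
            (_, digest), = _tlvs(values)
            return bytes(digest)
    return None

def digest_matches(signed_attrs, content, algo="sha256"):
    """Integrity check: the recomputed content digest must equal the embedded one."""
    return message_digest_in(signed_attrs) == hashlib.new(algo, content).digest()
```

digest_matches is the attribute-level half of what verifySignatureIntegrityAndAuthenticity does; the other half, checking the signature value over signed_attributes, needs the signer's public key.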

Class PdfPKCS7, byte[] getEncodedPKCS7(byte[])
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.
@param secondDigest the digest in the authenticatedAttributes
@return the bytes for the PKCS7SignedData object

Class PdfPKCS7, byte[] getEncodedPKCS7(byte[], CryptoStandard, ITSAClient, Collection, Collection)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, and/or a time-stamp-authority client may be provided.
@param secondDigest the digest in the authenticatedAttributes
@param sigtype specifies the PKCS7 standard flavor to which the created PKCS7SignedData object will adhere: either basic CMS or CAdES
@param tsaClient TSAClient - null or an optional time stamp authority client
@param ocsp collection of DER-encoded BasicOCSPResponses for the certificates in the signature certificate chain, or null if OCSP revocation data is not to be added.
@param crlBytes collection of DER-encoded CRLs for certificates from the signature certificate chain, or null if CRL revocation data is not to be added.
@return byte[] the bytes for the PKCS7SignedData object
@see RFC 6960 # 4.2.1

Class PdfPKCS7, Calendar getTimeStampDate()
Gets the timestamp date.
In case the signed document doesn't contain a timestamp, TimestampConstants.UNDEFINED_TIMESTAMP_DATE will be returned.
@return the timestamp date

Class PdfPKCS7, void update(byte[], int, int)
Update the digest with the specified bytes. This method is used both for signing and verifying.
@param buf the data buffer
@param off the offset in the data buffer
@param len the data length
@throws SignatureException on error

Class PdfPKCS7, boolean verifySignatureIntegrityAndAuthenticity()
Verifies that signature integrity is intact (or in other words that the signed data wasn't modified) by checking that the embedded data digest corresponds to the calculated one. Also ensures that the signature is genuine and was created by the owner of the private key that corresponds to the declared public certificate.
Even though the signature can be authentic and the integrity of the signed data can be intact, one shall also always check that the signed data is not only a part of the PDF contents but is actually the complete PDF file. In order to check that the given signature covers the current com.itextpdf.kernel.pdf.PdfDocument, please use the SignatureUtil.signatureCoversWholeDocument(String) method.
@return true if the signature checks out, false otherwise
@throws java.security.GeneralSecurityException if this signature object is not initialized properly, the passed-in signature is improperly encoded or of the wrong type, if this signature algorithm is unable to process the input data provided, if the public key is invalid or if the security provider or signature algorithm are not recognized, etc.

Class PdfPKCS7, boolean verifyTimestampImprint()
Checks if the timestamp refers to this document.
@return true if it checks out, false otherwise
@throws GeneralSecurityException on error

Class PdfSigner, Collection processCrl(Certificate, Collection)
Processes a CRL list.
@param cert a Certificate if one of the CrlList implementations needs to retrieve the CRL URL from it.
@param crlList a list of CrlClient implementations
@return a collection of CRL bytes that can be embedded in a PDF
@throws CertificateEncodingException if an encoding error occurs in Certificate.

Class SignaturePolicyInfo
Class that encapsulates the signature policy information.
Sample:

    SignaturePolicyInfo spi = new SignaturePolicyInfo("2.16.724.1.3.1.1.2.1.9",
        "G7roucf600+f03r/o0bAOQ6WAs0=", "SHA-1", "https://sede.060.gob.es/politica_de_firma_anexo_1.pdf");

Class SignaturePolicyInfo, constructor SignaturePolicyInfo(String, String, String, String)
Constructs a new SignaturePolicyInfo instance.
@param policyIdentifier the id of the signature policy
@param policyHashBase64 the Base64 representation of the hash of the signature policy
@param policyDigestAlgorithm the digest algorithm of the signature policy
@param policyUri the URI of the full policy description

Class SignaturePolicyInfo, constructor SignaturePolicyInfo(String, byte[], String, String)
Constructs a new SignaturePolicyInfo instance.
@param policyIdentifier the id of the signature policy
@param policyHash the hash of the signature policy
@param policyDigestAlgorithm the digest algorithm of the signature policy
@param policyUri the URI of the full policy description

Class TSAClientBouncyCastle, byte[] getTimeStampToken(byte[])
Get RFC 3161 timeStampToken. Method may return null indicating that the timestamp should be skipped.
@param imprint data imprint to be time-stamped
@return encoded, TSA signed data of the timeStampToken
@throws IOException if an I/O error occurs
@throws [-TSPException-] {+AbstractTSPException+} if the TSA response is malformed

Class VerificationException, constructor VerificationException(Certificate, String)
Creates a VerificationException.
@param cert is a failed certificate
@param message is the reason of failure
@throws CertificateEncodingException if an encoding error occurs in Certificate.