com.itextpdf.text.pdf
Class PdfPKCS7

java.lang.Object
  extended by com.itextpdf.text.pdf.PdfPKCS7

public class PdfPKCS7
extends Object

This class does all the processing related to signing and verifying a PKCS#7 signature.

It's based in code found at org.bouncycastle.


Nested Class Summary
static class PdfPKCS7.X509Name
          a class that holds an X509 name
static class PdfPKCS7.X509NameTokenizer
          class for breaking up an X500 Name into it's component tokens, ala java.util.StringTokenizer.
 
Field Summary
private static HashMap<String,String> algorithmNames
           
private static HashMap<String,String> allowedDigests
           
private  BasicOCSPResp basicResp
           
private  Collection<Certificate> certs
           
private  Collection<CRL> crls
           
private  byte[] digest
           
private  String digestAlgorithm
           
private  Set<String> digestalgos
           
private  byte[] digestAttr
           
private  String digestEncryptionAlgorithm
           
private static HashMap<String,String> digestNames
           
private  byte[] externalDigest
           
private  byte[] externalRSAdata
           
private static String ID_ADBE_REVOCATION
           
private static String ID_CONTENT_TYPE
           
private static String ID_DSA
           
private static String ID_MESSAGE_DIGEST
           
private static String ID_PKCS7_DATA
           
private static String ID_PKCS7_SIGNED_DATA
           
private static String ID_RSA
           
private static String ID_SIGNING_TIME
           
private  String location
          Holds value of property location.
private  MessageDigest messageDigest
           
private  PrivateKey privKey
           
private  String provider
           
private  String reason
          Holds value of property reason.
private  byte[] RSAdata
           
private  Signature sig
           
private  byte[] sigAttr
           
private  X509Certificate signCert
           
private  Collection<Certificate> signCerts
           
private  Calendar signDate
          Holds value of property signDate.
private  int signerversion
           
private  String signName
          Holds value of property signName.
private  org.bouncycastle.tsp.TimeStampToken timeStampToken
           
private  boolean verified
           
private  boolean verifyResult
           
private  int version
           
 
Constructor Summary
PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
          Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
PdfPKCS7(byte[] contentsKey, String provider)
          Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata)
          Generates a signature.
 
Method Summary
private  ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken)
          Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).
private  void findCRL(ASN1Sequence seq)
           
private  void findOcsp(ASN1Sequence seq)
           
static String getAlgorithm(String oid)
          Gets the algorithm name for a certain id.
 byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
          When using authenticatedAttributes the authentication process is different.
private  DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
           
 Certificate[] getCertificates()
          Get all the X.509 certificates associated with this PKCS#7 object in no particular order.
 Collection<CRL> getCRLs()
          Get the X.509 certificate revocation lists associated with this PKCS#7 object
static String getDigest(String oid)
          Gets the digest name for a certain id
 String getDigestAlgorithm()
          Get the algorithm used to calculate the message digest
 byte[] getEncodedPKCS1()
          Gets the bytes for the PKCS#1 object.
 byte[] getEncodedPKCS7()
          Gets the bytes for the PKCS7SignedData object.
 byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime)
          Gets the bytes for the PKCS7SignedData object.
 byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp)
          Gets the bytes for the PKCS7SignedData object.
private static DERObject getExtensionValue(X509Certificate cert, String oid)
           
 String getHashAlgorithm()
          Returns the algorithm.
private static DERObject getIssuer(byte[] enc)
          Get the "issuer" from the TBSCertificate bytes that are passed in
static PdfPKCS7.X509Name getIssuerFields(X509Certificate cert)
          Get the issuer fields from an X509 Certificate
 String getLocation()
          Getter for property location.
 BasicOCSPResp getOcsp()
          Gets the OCSP basic response if there is one.
static String getOCSPURL(X509Certificate certificate)
          Retrieves the OCSP URL from the given certificate.
 String getReason()
          Getter for property reason.
 Certificate[] getSignCertificateChain()
          Get the X.509 sign certificate chain associated with this PKCS#7 object.
 Calendar getSignDate()
          Getter for property signDate.
 X509Certificate getSigningCertificate()
          Get the X.509 certificate actually used to sign the digest.
 int getSigningInfoVersion()
          Get the version of the PKCS#7 "SignerInfo" object.
 String getSignName()
          Getter for property sigName.
private static String getStringFromGeneralName(DERObject names)
           
private static DERObject getSubject(byte[] enc)
          Get the "subject" from the TBSCertificate bytes that are passed in
static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
          Get the subject fields from an X509 Certificate
 Calendar getTimeStampDate()
          Gets the timestamp date
 org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
          Gets the timestamp token if there is one.
 int getVersion()
          Get the version of the PKCS#7 object.
 boolean isRevocationValid()
          Checks if OCSP revocation refers to the document signing certificate.
static KeyStore loadCacertsKeyStore()
          Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
static KeyStore loadCacertsKeyStore(String provider)
          Loads the default root certificates at <java.home>/lib/security/cacerts.
 void setExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
          Sets the digest/signature to an external calculated value.
 void setLocation(String location)
          Setter for property location.
 void setReason(String reason)
          Setter for property reason.
 void setSignDate(Calendar signDate)
          Setter for property signDate.
 void setSignName(String signName)
          Setter for property sigName.
private  void signCertificateChain()
           
 void update(byte[] buf, int off, int len)
          Update the digest with the specified bytes.
 boolean verify()
          Verify the digest.
static String verifyCertificate(X509Certificate cert, Collection<CRL> crls, Calendar calendar)
          Verifies a single certificate.
static Object[] verifyCertificates(Certificate[] certs, KeyStore keystore, Collection<CRL> crls, Calendar calendar)
          Verifies a certificate chain against a KeyStore.
static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider)
          Verifies an OCSP response against a KeyStore.
static boolean verifyTimestampCertificates(org.bouncycastle.tsp.TimeStampToken ts, KeyStore keystore, String provider)
          Verifies a timestamp against a KeyStore.
 boolean verifyTimestampImprint()
          Checks if the timestamp refers to this document.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

sigAttr

private byte[] sigAttr

digestAttr

private byte[] digestAttr

version

private int version

signerversion

private int signerversion

digestalgos

private Set<String> digestalgos

certs

private Collection<Certificate> certs

crls

private Collection<CRL> crls

signCerts

private Collection<Certificate> signCerts

signCert

private X509Certificate signCert

digest

private byte[] digest

messageDigest

private MessageDigest messageDigest

digestAlgorithm

private String digestAlgorithm

digestEncryptionAlgorithm

private String digestEncryptionAlgorithm

sig

private Signature sig

privKey

private transient PrivateKey privKey

RSAdata

private byte[] RSAdata

verified

private boolean verified

verifyResult

private boolean verifyResult

externalDigest

private byte[] externalDigest

externalRSAdata

private byte[] externalRSAdata

provider

private String provider

ID_PKCS7_DATA

private static final String ID_PKCS7_DATA
See Also:
Constant Field Values

ID_PKCS7_SIGNED_DATA

private static final String ID_PKCS7_SIGNED_DATA
See Also:
Constant Field Values

ID_RSA

private static final String ID_RSA
See Also:
Constant Field Values

ID_DSA

private static final String ID_DSA
See Also:
Constant Field Values

ID_CONTENT_TYPE

private static final String ID_CONTENT_TYPE
See Also:
Constant Field Values

ID_MESSAGE_DIGEST

private static final String ID_MESSAGE_DIGEST
See Also:
Constant Field Values

ID_SIGNING_TIME

private static final String ID_SIGNING_TIME
See Also:
Constant Field Values

ID_ADBE_REVOCATION

private static final String ID_ADBE_REVOCATION
See Also:
Constant Field Values

reason

private String reason
Holds value of property reason.


location

private String location
Holds value of property location.


signDate

private Calendar signDate
Holds value of property signDate.


signName

private String signName
Holds value of property signName.


timeStampToken

private org.bouncycastle.tsp.TimeStampToken timeStampToken

digestNames

private static final HashMap<String,String> digestNames

algorithmNames

private static final HashMap<String,String> algorithmNames

allowedDigests

private static final HashMap<String,String> allowedDigests

basicResp

private BasicOCSPResp basicResp
Constructor Detail

PdfPKCS7

public PdfPKCS7(byte[] contentsKey,
                byte[] certsKey,
                String provider)
Verifies a signature using the sub-filter adbe.x509.rsa_sha1.

Parameters:
contentsKey - the /Contents key
certsKey - the /Cert key
provider - the provider or null for the default provider

PdfPKCS7

public PdfPKCS7(byte[] contentsKey,
                String provider)
Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.

Parameters:
contentsKey - the /Contents key
provider - the provider or null for the default provider

PdfPKCS7

public PdfPKCS7(PrivateKey privKey,
                Certificate[] certChain,
                CRL[] crlList,
                String hashAlgorithm,
                String provider,
                boolean hasRSAdata)
         throws InvalidKeyException,
                NoSuchProviderException,
                NoSuchAlgorithmException
Generates a signature.

Parameters:
privKey - the private key
certChain - the certificate chain
crlList - the certificate revocation list
hashAlgorithm - the hash algorithm
provider - the provider or null for the default provider
hasRSAdata - true if the sub-filter is adbe.pkcs7.sha1
Throws:
InvalidKeyException - on error
NoSuchProviderException - on error
NoSuchAlgorithmException - on error
Method Detail

getDigest

public static String getDigest(String oid)
Gets the digest name for a certain id

Parameters:
oid - an id (for instance "1.2.840.113549.2.5")
Returns:
a digest name (for instance "MD5")
Since:
2.1.6

getAlgorithm

public static String getAlgorithm(String oid)
Gets the algorithm name for a certain id.

Parameters:
oid - an id (for instance "1.2.840.113549.1.1.1")
Returns:
an algorithm name (for instance "RSA")
Since:
2.1.6

getTimeStampToken

public org.bouncycastle.tsp.TimeStampToken getTimeStampToken()
Gets the timestamp token if there is one.

Returns:
the timestamp token or null
Since:
2.1.6

getTimeStampDate

public Calendar getTimeStampDate()
Gets the timestamp date

Returns:
a date
Since:
2.1.6

getOcsp

public BasicOCSPResp getOcsp()
Gets the OCSP basic response if there is one.

Returns:
the OCSP basic response or null
Since:
2.1.6

findCRL

private void findCRL(ASN1Sequence seq)
              throws IOException,
                     CertificateException,
                     CRLException
Throws:
IOException
CertificateException
CRLException

findOcsp

private void findOcsp(ASN1Sequence seq)
               throws IOException
Throws:
IOException

update

public void update(byte[] buf,
                   int off,
                   int len)
            throws SignatureException
Update the digest with the specified bytes. This method is used both for signing and verifying

Parameters:
buf - the data buffer
off - the offset in the data buffer
len - the data length
Throws:
SignatureException - on error

verify

public boolean verify()
               throws SignatureException
Verify the digest.

Returns:
true if the signature checks out, false otherwise
Throws:
SignatureException - on error

verifyTimestampImprint

public boolean verifyTimestampImprint()
                               throws NoSuchAlgorithmException
Checks if the timestamp refers to this document.

Returns:
true if it checks false otherwise
Throws:
NoSuchAlgorithmException - on error
Since:
2.1.6

getCertificates

public Certificate[] getCertificates()
Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.

Returns:
the X.509 certificates associated with this PKCS#7 object

getSignCertificateChain

public Certificate[] getSignCertificateChain()
Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first.

Returns:
the X.509 certificates associated with this PKCS#7 object
Since:
2.1.6

signCertificateChain

private void signCertificateChain()

getCRLs

public Collection<CRL> getCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 object

Returns:
the X.509 certificate revocation lists associated with this PKCS#7 object

getSigningCertificate

public X509Certificate getSigningCertificate()
Get the X.509 certificate actually used to sign the digest.

Returns:
the X.509 certificate actually used to sign the digest

getVersion

public int getVersion()
Get the version of the PKCS#7 object. Always 1

Returns:
the version of the PKCS#7 object. Always 1

getSigningInfoVersion

public int getSigningInfoVersion()
Get the version of the PKCS#7 "SignerInfo" object. Always 1

Returns:
the version of the PKCS#7 "SignerInfo" object. Always 1

getDigestAlgorithm

public String getDigestAlgorithm()
Get the algorithm used to calculate the message digest

Returns:
the algorithm used to calculate the message digest

getHashAlgorithm

public String getHashAlgorithm()
Returns the algorithm.

Returns:
the digest algorithm

loadCacertsKeyStore

public static KeyStore loadCacertsKeyStore()
Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.

Returns:
a KeyStore

loadCacertsKeyStore

public static KeyStore loadCacertsKeyStore(String provider)
Loads the default root certificates at <java.home>/lib/security/cacerts.

Parameters:
provider - the provider or null for the default provider
Returns:
a KeyStore

verifyCertificate

public static String verifyCertificate(X509Certificate cert,
                                       Collection<CRL> crls,
                                       Calendar calendar)
Verifies a single certificate.

Parameters:
cert - the certificate to verify
crls - the certificate revocation list or null
calendar - the date or null for the current date
Returns:
a String with the error description or null if no error

verifyCertificates

public static Object[] verifyCertificates(Certificate[] certs,
                                          KeyStore keystore,
                                          Collection<CRL> crls,
                                          Calendar calendar)
Verifies a certificate chain against a KeyStore.

Parameters:
certs - the certificate chain
keystore - the KeyStore
crls - the certificate revocation list or null
calendar - the date or null for the current date
Returns:
null if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

verifyOcspCertificates

public static boolean verifyOcspCertificates(BasicOCSPResp ocsp,
                                             KeyStore keystore,
                                             String provider)
Verifies an OCSP response against a KeyStore.

Parameters:
ocsp - the OCSP response
keystore - the KeyStore
provider - the provider or null to use the BouncyCastle provider
Returns:
true is a certificate was found
Since:
2.1.6

verifyTimestampCertificates

public static boolean verifyTimestampCertificates(org.bouncycastle.tsp.TimeStampToken ts,
                                                  KeyStore keystore,
                                                  String provider)
Verifies a timestamp against a KeyStore.

Parameters:
ts - the timestamp
keystore - the KeyStore
provider - the provider or null to use the BouncyCastle provider
Returns:
true is a certificate was found
Since:
2.1.6

getOCSPURL

public static String getOCSPURL(X509Certificate certificate)
                         throws CertificateParsingException
Retrieves the OCSP URL from the given certificate.

Parameters:
certificate - the certificate
Returns:
the URL or null
Throws:
CertificateParsingException - on error
Since:
2.1.6

isRevocationValid

public boolean isRevocationValid()
Checks if OCSP revocation refers to the document signing certificate.

Returns:
true if it checks false otherwise
Since:
2.1.6

getExtensionValue

private static DERObject getExtensionValue(X509Certificate cert,
                                           String oid)
                                    throws IOException
Throws:
IOException

getStringFromGeneralName

private static String getStringFromGeneralName(DERObject names)
                                        throws IOException
Throws:
IOException

getIssuer

private static DERObject getIssuer(byte[] enc)
Get the "issuer" from the TBSCertificate bytes that are passed in

Parameters:
enc - a TBSCertificate in a byte array
Returns:
a DERObject

getSubject

private static DERObject getSubject(byte[] enc)
Get the "subject" from the TBSCertificate bytes that are passed in

Parameters:
enc - A TBSCertificate in a byte array
Returns:
a DERObject

getIssuerFields

public static PdfPKCS7.X509Name getIssuerFields(X509Certificate cert)
Get the issuer fields from an X509 Certificate

Parameters:
cert - an X509Certificate
Returns:
an X509Name

getSubjectFields

public static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
Get the subject fields from an X509 Certificate

Parameters:
cert - an X509Certificate
Returns:
an X509Name

getEncodedPKCS1

public byte[] getEncodedPKCS1()
Gets the bytes for the PKCS#1 object.

Returns:
a byte array

setExternalDigest

public void setExternalDigest(byte[] digest,
                              byte[] RSAdata,
                              String digestEncryptionAlgorithm)
Sets the digest/signature to an external calculated value.

Parameters:
digest - the digest. This is the actual signature
RSAdata - the extra data that goes into the data tag in PKCS#7
digestEncryptionAlgorithm - the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

getEncodedPKCS7

public byte[] getEncodedPKCS7()
Gets the bytes for the PKCS7SignedData object.

Returns:
the bytes for the PKCS7SignedData object

getEncodedPKCS7

public byte[] getEncodedPKCS7(byte[] secondDigest,
                              Calendar signingTime)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.

Parameters:
secondDigest - the digest in the authenticatedAttributes
signingTime - the signing time in the authenticatedAttributes
Returns:
the bytes for the PKCS7SignedData object

getEncodedPKCS7

public byte[] getEncodedPKCS7(byte[] secondDigest,
                              Calendar signingTime,
                              TSAClient tsaClient,
                              byte[] ocsp)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided.

Parameters:
secondDigest - the digest in the authenticatedAttributes
signingTime - the signing time in the authenticatedAttributes
tsaClient - TSAClient - null or an optional time stamp authority client
Returns:
byte[] the bytes for the PKCS7SignedData object
Since:
2.1.6

buildUnauthenticatedAttributes

private ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken)
                                                    throws IOException
Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface).

Parameters:
timeStampToken - byte[] - time stamp token, DER encoded signedData
Returns:
ASN1EncodableVector
Throws:
IOException

getAuthenticatedAttributeBytes

public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest,
                                             Calendar signingTime,
                                             byte[] ocsp)
When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in getEncodedPKCS7(byte[],Calendar).

A simple example:

 Calendar cal = Calendar.getInstance();
 PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
 MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
 byte buf[] = new byte[8192];
 int n;
 InputStream inp = sap.getRangeStream();
 while ((n = inp.read(buf)) > 0) {
    messageDigest.update(buf, 0, n);
 }
 byte hash[] = messageDigest.digest();
 byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);
 pk7.update(sh, 0, sh.length);
 byte sg[] = pk7.getEncodedPKCS7(hash, cal);
 

Parameters:
secondDigest - the content digest
signingTime - the signing time
Returns:
the byte array representation of the authenticatedAttributes ready to be signed

getAuthenticatedAttributeSet

private DERSet getAuthenticatedAttributeSet(byte[] secondDigest,
                                            Calendar signingTime,
                                            byte[] ocsp)

getReason

public String getReason()
Getter for property reason.

Returns:
Value of property reason.

setReason

public void setReason(String reason)
Setter for property reason.

Parameters:
reason - New value of property reason.

getLocation

public String getLocation()
Getter for property location.

Returns:
Value of property location.

setLocation

public void setLocation(String location)
Setter for property location.

Parameters:
location - New value of property location.

getSignDate

public Calendar getSignDate()
Getter for property signDate.

Returns:
Value of property signDate.

setSignDate

public void setSignDate(Calendar signDate)
Setter for property signDate.

Parameters:
signDate - New value of property signDate.

getSignName

public String getSignName()
Getter for property sigName.

Returns:
Value of property sigName.

setSignName

public void setSignName(String signName)
Setter for property sigName.

Parameters:
signName - New value of property sigName.

Hosted by Hostbasket