Modifier and Type | Class and Description |
---|---|
static class |
PdfPKCS7.X509Name
a class that holds an X509 name
|
static class |
PdfPKCS7.X509NameTokenizer
class for breaking up an X500 Name into it's component tokens, ala
java.util.StringTokenizer.
|
Modifier and Type | Field and Description |
---|---|
private static HashMap<String,String> |
algorithmNames |
private static HashMap<String,String> |
allowedDigests |
private BasicOCSPResp |
basicResp |
private Collection<Certificate> |
certs |
private Collection<CRL> |
crls |
private byte[] |
digest |
private String |
digestAlgorithm |
private Set<String> |
digestalgos |
private byte[] |
digestAttr |
private String |
digestEncryptionAlgorithm |
private static HashMap<String,String> |
digestNames |
private byte[] |
externalDigest |
private byte[] |
externalRSAdata |
private static String |
ID_ADBE_REVOCATION |
private static String |
ID_CONTENT_TYPE |
private static String |
ID_DSA |
private static String |
ID_MESSAGE_DIGEST |
private static String |
ID_PKCS7_DATA |
private static String |
ID_PKCS7_SIGNED_DATA |
private static String |
ID_RSA |
private static String |
ID_SIGNING_TIME |
private String |
location
Holds value of property location.
|
private MessageDigest |
messageDigest |
private PrivateKey |
privKey |
private String |
provider |
private String |
reason
Holds value of property reason.
|
private byte[] |
RSAdata |
private Signature |
sig |
private byte[] |
sigAttr |
private X509Certificate |
signCert |
private Collection<Certificate> |
signCerts |
private Calendar |
signDate
Holds value of property signDate.
|
private int |
signerversion |
private String |
signName
Holds value of property signName.
|
private TimeStampToken |
timeStampToken |
private boolean |
verified |
private boolean |
verifyResult |
private int |
version |
Constructor and Description |
---|
PdfPKCS7(byte[] contentsKey,
byte[] certsKey,
String provider)
Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
|
PdfPKCS7(byte[] contentsKey,
String provider)
Verifies a signature using the sub-filter adbe.pkcs7.detached or
adbe.pkcs7.sha1.
|
PdfPKCS7(PrivateKey privKey,
Certificate[] certChain,
CRL[] crlList,
String hashAlgorithm,
String provider,
boolean hasRSAdata)
Generates a signature.
|
Modifier and Type | Method and Description |
---|---|
private ASN1EncodableVector |
buildUnauthenticatedAttributes(byte[] timeStampToken)
Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007
to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).
|
private void |
findCRL(ASN1Sequence seq) |
private void |
findOcsp(ASN1Sequence seq) |
static String |
getAlgorithm(String oid)
Gets the algorithm name for a certain id.
|
byte[] |
getAuthenticatedAttributeBytes(byte[] secondDigest,
Calendar signingTime,
byte[] ocsp)
When using authenticatedAttributes the authentication process is different.
|
private DERSet |
getAuthenticatedAttributeSet(byte[] secondDigest,
Calendar signingTime,
byte[] ocsp) |
Certificate[] |
getCertificates()
Get all the X.509 certificates associated with this PKCS#7 object in no particular order.
|
Collection<CRL> |
getCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 object
|
static String |
getDigest(String oid)
Gets the digest name for a certain id
|
String |
getDigestAlgorithm()
Get the algorithm used to calculate the message digest
|
byte[] |
getEncodedPKCS1()
Gets the bytes for the PKCS#1 object.
|
byte[] |
getEncodedPKCS7()
Gets the bytes for the PKCS7SignedData object.
|
byte[] |
getEncodedPKCS7(byte[] secondDigest,
Calendar signingTime)
Gets the bytes for the PKCS7SignedData object.
|
byte[] |
getEncodedPKCS7(byte[] secondDigest,
Calendar signingTime,
TSAClient tsaClient,
byte[] ocsp)
Gets the bytes for the PKCS7SignedData object.
|
private static DERObject |
getExtensionValue(X509Certificate cert,
String oid) |
String |
getHashAlgorithm()
Returns the algorithm.
|
private static DERObject |
getIssuer(byte[] enc)
Get the "issuer" from the TBSCertificate bytes that are passed in
|
static PdfPKCS7.X509Name |
getIssuerFields(X509Certificate cert)
Get the issuer fields from an X509 Certificate
|
String |
getLocation()
Getter for property location.
|
BasicOCSPResp |
getOcsp()
Gets the OCSP basic response if there is one.
|
static String |
getOCSPURL(X509Certificate certificate)
Retrieves the OCSP URL from the given certificate.
|
String |
getReason()
Getter for property reason.
|
Certificate[] |
getSignCertificateChain()
Get the X.509 sign certificate chain associated with this PKCS#7 object.
|
Calendar |
getSignDate()
Getter for property signDate.
|
X509Certificate |
getSigningCertificate()
Get the X.509 certificate actually used to sign the digest.
|
int |
getSigningInfoVersion()
Get the version of the PKCS#7 "SignerInfo" object.
|
String |
getSignName()
Getter for property sigName.
|
private static String |
getStringFromGeneralName(DERObject names) |
private static DERObject |
getSubject(byte[] enc)
Get the "subject" from the TBSCertificate bytes that are passed in
|
static PdfPKCS7.X509Name |
getSubjectFields(X509Certificate cert)
Get the subject fields from an X509 Certificate
|
Calendar |
getTimeStampDate()
Gets the timestamp date
|
TimeStampToken |
getTimeStampToken()
Gets the timestamp token if there is one.
|
int |
getVersion()
Get the version of the PKCS#7 object.
|
boolean |
isRevocationValid()
Checks if OCSP revocation refers to the document signing certificate.
|
static KeyStore |
loadCacertsKeyStore()
Loads the default root certificates at <java.home>/lib/security/cacerts
with the default provider.
|
static KeyStore |
loadCacertsKeyStore(String provider)
Loads the default root certificates at <java.home>/lib/security/cacerts.
|
void |
setExternalDigest(byte[] digest,
byte[] RSAdata,
String digestEncryptionAlgorithm)
Sets the digest/signature to an external calculated value.
|
void |
setLocation(String location)
Setter for property location.
|
void |
setReason(String reason)
Setter for property reason.
|
void |
setSignDate(Calendar signDate)
Setter for property signDate.
|
void |
setSignName(String signName)
Setter for property sigName.
|
private void |
signCertificateChain() |
void |
update(byte[] buf,
int off,
int len)
Update the digest with the specified bytes.
|
boolean |
verify()
Verify the digest.
|
static String |
verifyCertificate(X509Certificate cert,
Collection<CRL> crls,
Calendar calendar)
Verifies a single certificate.
|
static Object[] |
verifyCertificates(Certificate[] certs,
KeyStore keystore,
Collection<CRL> crls,
Calendar calendar)
Verifies a certificate chain against a KeyStore.
|
static boolean |
verifyOcspCertificates(BasicOCSPResp ocsp,
KeyStore keystore,
String provider)
Verifies an OCSP response against a KeyStore.
|
static boolean |
verifyTimestampCertificates(TimeStampToken ts,
KeyStore keystore,
String provider)
Verifies a timestamp against a KeyStore.
|
boolean |
verifyTimestampImprint()
Checks if the timestamp refers to this document.
|
private byte[] sigAttr
private byte[] digestAttr
private int version
private int signerversion
private Set<String> digestalgos
private Collection<Certificate> certs
private Collection<CRL> crls
private Collection<Certificate> signCerts
private X509Certificate signCert
private byte[] digest
private MessageDigest messageDigest
private String digestAlgorithm
private String digestEncryptionAlgorithm
private transient PrivateKey privKey
private byte[] RSAdata
private boolean verified
private boolean verifyResult
private byte[] externalDigest
private byte[] externalRSAdata
private static final String ID_PKCS7_DATA
private static final String ID_PKCS7_SIGNED_DATA
private static final String ID_RSA
private static final String ID_DSA
private static final String ID_CONTENT_TYPE
private static final String ID_MESSAGE_DIGEST
private static final String ID_SIGNING_TIME
private static final String ID_ADBE_REVOCATION
private TimeStampToken timeStampToken
private static final HashMap<String,String> digestNames
private static final HashMap<String,String> algorithmNames
private static final HashMap<String,String> allowedDigests
private BasicOCSPResp basicResp
public PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
contentsKey
- the /Contents keycertsKey
- the /Cert keyprovider
- the provider or null
for the default providerpublic PdfPKCS7(byte[] contentsKey, String provider)
contentsKey
- the /Contents keyprovider
- the provider or null
for the default providerpublic PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata) throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException
privKey
- the private keycertChain
- the certificate chaincrlList
- the certificate revocation listhashAlgorithm
- the hash algorithmprovider
- the provider or null
for the default providerhasRSAdata
- true
if the sub-filter is adbe.pkcs7.sha1InvalidKeyException
- on errorNoSuchProviderException
- on errorNoSuchAlgorithmException
- on errorpublic static String getDigest(String oid)
oid
- an id (for instance "1.2.840.113549.2.5")public static String getAlgorithm(String oid)
oid
- an id (for instance "1.2.840.113549.1.1.1")public TimeStampToken getTimeStampToken()
public Calendar getTimeStampDate()
public BasicOCSPResp getOcsp()
private void findCRL(ASN1Sequence seq) throws IOException, CertificateException, CRLException
private void findOcsp(ASN1Sequence seq) throws IOException
IOException
public void update(byte[] buf, int off, int len) throws SignatureException
buf
- the data bufferoff
- the offset in the data bufferlen
- the data lengthSignatureException
- on errorpublic boolean verify() throws SignatureException
true
if the signature checks out, false
otherwiseSignatureException
- on errorpublic boolean verifyTimestampImprint() throws NoSuchAlgorithmException
NoSuchAlgorithmException
- on errorpublic Certificate[] getCertificates()
public Certificate[] getSignCertificateChain()
private void signCertificateChain()
public Collection<CRL> getCRLs()
public X509Certificate getSigningCertificate()
public int getVersion()
public int getSigningInfoVersion()
public String getDigestAlgorithm()
public String getHashAlgorithm()
public static KeyStore loadCacertsKeyStore()
KeyStore
public static KeyStore loadCacertsKeyStore(String provider)
provider
- the provider or null
for the default providerKeyStore
public static String verifyCertificate(X509Certificate cert, Collection<CRL> crls, Calendar calendar)
cert
- the certificate to verifycrls
- the certificate revocation list or null
calendar
- the date or null
for the current dateString
with the error description or null
if no errorpublic static Object[] verifyCertificates(Certificate[] certs, KeyStore keystore, Collection<CRL> crls, Calendar calendar)
certs
- the certificate chainkeystore
- the KeyStore
crls
- the certificate revocation list or null
calendar
- the date or null
for the current datenull
if the certificate chain could be validated or a
Object[]{cert,error}
where cert
is the
failed certificate and error
is the error messagepublic static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider)
ocsp
- the OCSP responsekeystore
- the KeyStore
provider
- the provider or null
to use the BouncyCastle providertrue
is a certificate was foundpublic static boolean verifyTimestampCertificates(TimeStampToken ts, KeyStore keystore, String provider)
ts
- the timestampkeystore
- the KeyStore
provider
- the provider or null
to use the BouncyCastle providertrue
is a certificate was foundpublic static String getOCSPURL(X509Certificate certificate) throws CertificateParsingException
certificate
- the certificateCertificateParsingException
- on errorpublic boolean isRevocationValid()
private static DERObject getExtensionValue(X509Certificate cert, String oid) throws IOException
IOException
private static String getStringFromGeneralName(DERObject names) throws IOException
IOException
private static DERObject getIssuer(byte[] enc)
enc
- a TBSCertificate in a byte arrayprivate static DERObject getSubject(byte[] enc)
enc
- A TBSCertificate in a byte arraypublic static PdfPKCS7.X509Name getIssuerFields(X509Certificate cert)
cert
- an X509Certificatepublic static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
cert
- an X509Certificatepublic byte[] getEncodedPKCS1()
public void setExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
digest
- the digest. This is the actual signatureRSAdata
- the extra data that goes into the data tag in PKCS#7digestEncryptionAlgorithm
- the encryption algorithm. It may must be null
if the digest
is also null
. If the digest
is not null
then it may be "RSA" or "DSA"public byte[] getEncodedPKCS7()
public byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime)
null
, none will be used.secondDigest
- the digest in the authenticatedAttributessigningTime
- the signing time in the authenticatedAttributespublic byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime, TSAClient tsaClient, byte[] ocsp)
secondDigest
- the digest in the authenticatedAttributessigningTime
- the signing time in the authenticatedAttributestsaClient
- TSAClient - null or an optional time stamp authority clientprivate ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken) throws IOException
timeStampToken
- byte[] - time stamp token, DER encoded signedDataIOException
public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
getEncodedPKCS7(byte[],Calendar)
.
A simple example:
Calendar cal = Calendar.getInstance(); PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false); MessageDigest messageDigest = MessageDigest.getInstance("SHA1"); byte buf[] = new byte[8192]; int n; InputStream inp = sap.getRangeStream(); while ((n = inp.read(buf)) > 0) { messageDigest.update(buf, 0, n); } byte hash[] = messageDigest.digest(); byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal); pk7.update(sh, 0, sh.length); byte sg[] = pk7.getEncodedPKCS7(hash, cal);
secondDigest
- the content digestsigningTime
- the signing timeprivate DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime, byte[] ocsp)
public void setReason(String reason)
reason
- New value of property reason.public String getLocation()
public void setLocation(String location)
location
- New value of property location.public Calendar getSignDate()
public void setSignDate(Calendar signDate)
signDate
- New value of property signDate.public String getSignName()
public void setSignName(String signName)
signName
- New value of property sigName.WebARTS Library Licensed Under the GNU - General Public License. Other Libraries licensed under their respective Open Source Licenses