com.lowagie.text.pdf

Class PdfPKCS7

public class PdfPKCS7 extends Object

This class does all the processing related to signing and verifying a PKCS#7 signature.

It's based in code found at org.bouncycastle.

Nested Class Summary
static classPdfPKCS7.X509Name
a class that holds an X509 name
static classPdfPKCS7.X509NameTokenizer
class for breaking up an X500 Name into it's component tokens, ala java.util.StringTokenizer.
Field Summary
Collectioncerts
Collectioncrls
byte[]digest
StringdigestAlgorithm
byte[]digestAttr
Setdigestalgos
StringdigestEncryptionAlgorithm
byte[]externalDigest
byte[]externalRSAdata
static StringID_ADBE_REVOCATION
static StringID_CONTENT_TYPE
static StringID_DSA
static StringID_MD2
static StringID_MD2RSA
static StringID_MD5
static StringID_MD5RSA
static StringID_MESSAGE_DIGEST
static StringID_PKCS7_DATA
static StringID_PKCS7_SIGNED_DATA
static StringID_RSA
static StringID_SHA1
static StringID_SHA1RSA
static StringID_SIGNING_TIME
Stringlocation
Holds value of property location.
MessageDigestmessageDigest
PrivateKeyprivKey
Stringreason
Holds value of property reason.
byte[]RSAdata
Signaturesig
byte[]sigAttr
X509CertificatesignCert
CalendarsignDate
Holds value of property signDate.
intsignerversion
StringsignName
Holds value of property signName.
booleanverified
booleanverifyResult
intversion
Constructor Summary
PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
Verifies a signature using the sub-filter adbe.x509.rsa_sha1.
PdfPKCS7(byte[] contentsKey, String provider)
Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.
PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata)
Generates a signature.
Method Summary
byte[]getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime)
When using authenticatedAttributes the authentication process is different.
Certificate[]getCertificates()
Get the X.509 certificates associated with this PKCS#7 object
CollectiongetCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 object
StringgetDigestAlgorithm()
Get the algorithm used to calculate the message digest
byte[]getEncodedPKCS1()
Gets the bytes for the PKCS#1 object.
byte[]getEncodedPKCS7()
Gets the bytes for the PKCS7SignedData object.
byte[]getEncodedPKCS7(byte[] secondDigest, Calendar signingTime)
Gets the bytes for the PKCS7SignedData object.
StringgetHashAlgorithm()
Returns the algorithm.
static DERObjectgetIssuer(byte[] enc)
Get the "issuer" from the TBSCertificate bytes that are passed in
static PdfPKCS7.X509NamegetIssuerFields(X509Certificate cert)
Get the issuer fields from an X509 Certificate
StringgetLocation()
Getter for property location.
StringgetReason()
Getter for property reason.
CalendargetSignDate()
Getter for property signDate.
X509CertificategetSigningCertificate()
Get the X.509 certificate actually used to sign the digest.
intgetSigningInfoVersion()
Get the version of the PKCS#7 "SignerInfo" object.
StringgetSignName()
Getter for property sigName.
static DERObjectgetSubject(byte[] enc)
Get the "subject" from the TBSCertificate bytes that are passed in
static PdfPKCS7.X509NamegetSubjectFields(X509Certificate cert)
Get the subject fields from an X509 Certificate
intgetVersion()
Get the version of the PKCS#7 object.
static KeyStoreloadCacertsKeyStore()
Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.
static KeyStoreloadCacertsKeyStore(String provider)
Loads the default root certificates at <java.home>/lib/security/cacerts.
voidsetExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
Sets the digest/signature to an external calculated value.
voidsetLocation(String location)
Setter for property location.
voidsetReason(String reason)
Setter for property reason.
voidsetSignDate(Calendar signDate)
Setter for property signDate.
voidsetSignName(String signName)
Setter for property sigName.
voidupdate(byte[] buf, int off, int len)
Update the digest with the specified bytes.
booleanverify()
Verify the digest.
static StringverifyCertificate(X509Certificate cert, Collection crls, Calendar calendar)
Verifies a single certificate.
static Object[]verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar)
Verifies a certificate chain against a KeyStore.

Field Detail

certs

private Collection certs

crls

private Collection crls

digest

private byte[] digest

digestAlgorithm

private String digestAlgorithm

digestAttr

private byte[] digestAttr

digestalgos

private Set digestalgos

digestEncryptionAlgorithm

private String digestEncryptionAlgorithm

externalDigest

private byte[] externalDigest

externalRSAdata

private byte[] externalRSAdata

ID_ADBE_REVOCATION

private static final String ID_ADBE_REVOCATION

ID_CONTENT_TYPE

private static final String ID_CONTENT_TYPE

ID_DSA

private static final String ID_DSA

ID_MD2

private static final String ID_MD2

ID_MD2RSA

private static final String ID_MD2RSA

ID_MD5

private static final String ID_MD5

ID_MD5RSA

private static final String ID_MD5RSA

ID_MESSAGE_DIGEST

private static final String ID_MESSAGE_DIGEST

ID_PKCS7_DATA

private static final String ID_PKCS7_DATA

ID_PKCS7_SIGNED_DATA

private static final String ID_PKCS7_SIGNED_DATA

ID_RSA

private static final String ID_RSA

ID_SHA1

private static final String ID_SHA1

ID_SHA1RSA

private static final String ID_SHA1RSA

ID_SIGNING_TIME

private static final String ID_SIGNING_TIME

location

private String location
Holds value of property location.

messageDigest

private MessageDigest messageDigest

privKey

private transient PrivateKey privKey

reason

private String reason
Holds value of property reason.

RSAdata

private byte[] RSAdata

sig

private Signature sig

sigAttr

private byte[] sigAttr

signCert

private X509Certificate signCert

signDate

private Calendar signDate
Holds value of property signDate.

signerversion

private int signerversion

signName

private String signName
Holds value of property signName.

verified

private boolean verified

verifyResult

private boolean verifyResult

version

private int version

Constructor Detail

PdfPKCS7

public PdfPKCS7(byte[] contentsKey, byte[] certsKey, String provider)
Verifies a signature using the sub-filter adbe.x509.rsa_sha1.

Parameters: contentsKey the /Contents key certsKey the /Cert key provider the provider or null for the default provider

Throws: SecurityException on error InvalidKeyException on error CertificateException on error NoSuchProviderException on error NoSuchAlgorithmException on error IOException on error

PdfPKCS7

public PdfPKCS7(byte[] contentsKey, String provider)
Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1.

Parameters: contentsKey the /Contents key provider the provider or null for the default provider

Throws: SecurityException on error CRLException on error InvalidKeyException on error CertificateException on error NoSuchProviderException on error NoSuchAlgorithmException on error

PdfPKCS7

public PdfPKCS7(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm, String provider, boolean hasRSAdata)
Generates a signature.

Parameters: privKey the private key certChain the certificate chain crlList the certificate revocation list hashAlgorithm the hash algorithm provider the provider or null for the default provider hasRSAdata true if the sub-filter is adbe.pkcs7.sha1

Throws: SecurityException on error InvalidKeyException on error NoSuchProviderException on error NoSuchAlgorithmException on error

Method Detail

getAuthenticatedAttributeBytes

public byte[] getAuthenticatedAttributeBytes(byte[] secondDigest, Calendar signingTime)
When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in (byte[],Calendar).

A simple example:

 Calendar cal = Calendar.getInstance();
 PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
 MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
 byte buf[] = new byte[8192];
 int n;
 InputStream inp = sap.getRangeStream();
 while ((n = inp.read(buf)) > 0) {
    messageDigest.update(buf, 0, n);
 }
 byte hash[] = messageDigest.digest();
 byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);
 pk7.update(sh, 0, sh.length);
 byte sg[] = pk7.getEncodedPKCS7(hash, cal);
 

Parameters: secondDigest the content digest signingTime the signing time

Returns: the byte array representation of the authenticatedAttributes ready to be signed

getCertificates

public Certificate[] getCertificates()
Get the X.509 certificates associated with this PKCS#7 object

Returns: the X.509 certificates associated with this PKCS#7 object

getCRLs

public Collection getCRLs()
Get the X.509 certificate revocation lists associated with this PKCS#7 object

Returns: the X.509 certificate revocation lists associated with this PKCS#7 object

getDigestAlgorithm

public String getDigestAlgorithm()
Get the algorithm used to calculate the message digest

Returns: the algorithm used to calculate the message digest

getEncodedPKCS1

public byte[] getEncodedPKCS1()
Gets the bytes for the PKCS#1 object.

Returns: a byte array

getEncodedPKCS7

public byte[] getEncodedPKCS7()
Gets the bytes for the PKCS7SignedData object.

Returns: the bytes for the PKCS7SignedData object

getEncodedPKCS7

public byte[] getEncodedPKCS7(byte[] secondDigest, Calendar signingTime)
Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.

Parameters: secondDigest the digest in the authenticatedAttributes signingTime the signing time in the authenticatedAttributes

Returns: the bytes for the PKCS7SignedData object

getHashAlgorithm

public String getHashAlgorithm()
Returns the algorithm.

Returns: the digest algorithm

getIssuer

private static DERObject getIssuer(byte[] enc)
Get the "issuer" from the TBSCertificate bytes that are passed in

Parameters: enc a TBSCertificate in a byte array

Returns: a DERObject

getIssuerFields

public static PdfPKCS7.X509Name getIssuerFields(X509Certificate cert)
Get the issuer fields from an X509 Certificate

Parameters: cert an X509Certificate

Returns: an X509Name

getLocation

public String getLocation()
Getter for property location.

Returns: Value of property location.

getReason

public String getReason()
Getter for property reason.

Returns: Value of property reason.

getSignDate

public Calendar getSignDate()
Getter for property signDate.

Returns: Value of property signDate.

getSigningCertificate

public X509Certificate getSigningCertificate()
Get the X.509 certificate actually used to sign the digest.

Returns: the X.509 certificate actually used to sign the digest

getSigningInfoVersion

public int getSigningInfoVersion()
Get the version of the PKCS#7 "SignerInfo" object. Always 1

Returns: the version of the PKCS#7 "SignerInfo" object. Always 1

getSignName

public String getSignName()
Getter for property sigName.

Returns: Value of property sigName.

getSubject

private static DERObject getSubject(byte[] enc)
Get the "subject" from the TBSCertificate bytes that are passed in

Parameters: enc A TBSCertificate in a byte array

Returns: a DERObject

getSubjectFields

public static PdfPKCS7.X509Name getSubjectFields(X509Certificate cert)
Get the subject fields from an X509 Certificate

Parameters: cert an X509Certificate

Returns: an X509Name

getVersion

public int getVersion()
Get the version of the PKCS#7 object. Always 1

Returns: the version of the PKCS#7 object. Always 1

loadCacertsKeyStore

public static KeyStore loadCacertsKeyStore()
Loads the default root certificates at <java.home>/lib/security/cacerts with the default provider.

Returns: a KeyStore

loadCacertsKeyStore

public static KeyStore loadCacertsKeyStore(String provider)
Loads the default root certificates at <java.home>/lib/security/cacerts.

Parameters: provider the provider or null for the default provider

Returns: a KeyStore

setExternalDigest

public void setExternalDigest(byte[] digest, byte[] RSAdata, String digestEncryptionAlgorithm)
Sets the digest/signature to an external calculated value.

Parameters: digest the digest. This is the actual signature RSAdata the extra data that goes into the data tag in PKCS#7 digestEncryptionAlgorithm the encryption algorithm. It may must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"

setLocation

public void setLocation(String location)
Setter for property location.

Parameters: location New value of property location.

setReason

public void setReason(String reason)
Setter for property reason.

Parameters: reason New value of property reason.

setSignDate

public void setSignDate(Calendar signDate)
Setter for property signDate.

Parameters: signDate New value of property signDate.

setSignName

public void setSignName(String signName)
Setter for property sigName.

Parameters: signName New value of property sigName.

update

public void update(byte[] buf, int off, int len)
Update the digest with the specified bytes. This method is used both for signing and verifying

Parameters: buf the data buffer off the offset in the data buffer len the data length

Throws: SignatureException on error

verify

public boolean verify()
Verify the digest.

Returns: true if the signature checks out, false otherwise

Throws: SignatureException on error

verifyCertificate

public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar)
Verifies a single certificate.

Parameters: cert the certificate to verify crls the certificate revocation list or null calendar the date or null for the current date

Returns: a String with the error description or null if no error

verifyCertificates

public static Object[] verifyCertificates(Certificate[] certs, KeyStore keystore, Collection crls, Calendar calendar)
Verifies a certificate chain against a KeyStore.

Parameters: certs the certificate chain keystore the KeyStore crls the certificate revocation list or null calendar the date or null for the current date

Returns: null if the certificate chain could be validade or a Object[]{cert,error} where cert is the failed certificate and error is the error message