Class PdfPkcs7

Namespace
iTextSharp.text.pdf
Assembly
iTextSharp.LGPLv2.Core.dll

This class does all the processing related to signing and verifying a PKCS#7 signature. It's based on code found in org.bouncycastle.

public class PdfPkcs7
Inheritance
PdfPkcs7
Constructors

PdfPkcs7(ICipherParameters, X509Certificate[], object[], string, bool)

Generates a signature. @throws SecurityException on error @throws InvalidKeyException on error @throws NoSuchProviderException on error @throws NoSuchAlgorithmException on error

public PdfPkcs7(ICipherParameters privKey, X509Certificate[] certChain, object[] crlList, string hashAlgorithm, bool hasRsAdata)

Parameters

privKey ICipherParameters

the private key

certChain X509Certificate[]

the certificate chain

crlList object[]

the certificate revocation list

hashAlgorithm string

the hash algorithm

hasRsAdata bool

true if the sub-filter is adbe.pkcs7.sha1

PdfPkcs7(byte[])

Verifies a signature using the sub-filter adbe.pkcs7.detached or adbe.pkcs7.sha1. @throws SecurityException on error @throws CRLException on error @throws InvalidKeyException on error @throws CertificateException on error @throws NoSuchProviderException on error @throws NoSuchAlgorithmException on error

public PdfPkcs7(byte[] contentsKey)

Parameters

contentsKey byte[]

the /Contents key

PdfPkcs7(byte[], byte[])

Verifies a signature using the sub-filter adbe.x509.rsa_sha1.

public PdfPkcs7(byte[] contentsKey, byte[] certsKey)

Parameters

contentsKey byte[]

the /Contents key

certsKey byte[]

the /Cert key

Properties

Certificates

Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included.

public X509Certificate[] Certificates { get; }

Property Value

X509Certificate[]

the X.509 certificates associated with this PKCS#7 object

CrLs

Get the X.509 certificate revocation lists associated with this PKCS#7 object

public List<object> CrLs { get; }

Property Value

List<object>

the X.509 certificate revocation lists associated with this PKCS#7 object

Location

Holds value of property location.

public string Location { get; set; }

Property Value

string

Ocsp

Gets the OCSP basic response if there is one. @since 2.1.6

public BasicOcspResp Ocsp { get; }

Property Value

BasicOcspResp

the OCSP basic response or null

Reason

Holds value of property reason.

public string Reason { get; set; }

Property Value

string

SignCertificateChain

Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first. @since 2.1.6

public X509Certificate[] SignCertificateChain { get; }

Property Value

X509Certificate[]

the X.509 certificates associated with this PKCS#7 object

SignDate

Holds value of property signDate.

public DateTime SignDate { get; set; }

Property Value

DateTime

SignName

Holds value of property signName.

public string SignName { get; set; }

Property Value

string

SigningCertificate

Get the X.509 certificate actually used to sign the digest.

public X509Certificate SigningCertificate { get; }

Property Value

X509Certificate

the X.509 certificate actually used to sign the digest

SigningInfoVersion

Get the version of the PKCS#7 "SignerInfo" object. Always 1

public int SigningInfoVersion { get; }

Property Value

int

the version of the PKCS#7 "SignerInfo" object. Always 1

TimeStampDate

Gets the timestamp date @since 2.1.6

public DateTime TimeStampDate { get; }

Property Value

DateTime

the timestamp date

TimeStampToken

Gets the timestamp token if there is one. @since 2.1.6

public TimeStampToken TimeStampToken { get; }

Property Value

TimeStampToken

the timestamp token or null

Version

Get the version of the PKCS#7 object. Always 1

public int Version { get; }

Property Value

int

the version of the PKCS#7 object. Always 1

Methods

GetAlgorithm(string)

Gets the algorithm name for a certain id. @since 2.1.6

public static string GetAlgorithm(string oid)

Parameters

oid string

an id (for instance "1.2.840.113549.1.1.1")

Returns

string

an algorithm name (for instance "RSA")

GetAuthenticatedAttributeBytes(byte[], DateTime, byte[])

When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute, and the signing is done over the DER-encoded authenticatedAttributes. This method provides that encoding; the parameters must be exactly the same as those later passed to GetEncodedPkcs7(byte[], DateTime). A simple example:

```csharp
DateTime signingTime = DateTime.Now;
PdfPkcs7 pk7 = new PdfPkcs7(key, chain, null, "SHA1", false);

// Digest the signed byte ranges of the document (the .NET counterpart of MessageDigest)
byte[] hash;
using (Stream inp = sap.GetRangeStream())
using (SHA1 sha1 = SHA1.Create())
{
    hash = sha1.ComputeHash(inp);
}

// The signature covers the authenticated attributes, which wrap the document digest
byte[] sh = PdfPkcs7.GetAuthenticatedAttributeBytes(hash, signingTime, null);
pk7.Update(sh, 0, sh.Length);

// Same hash and signingTime as above, or the verifier's recomputed attributes will not match
byte[] sg = pk7.GetEncodedPkcs7(hash, signingTime);
```

public static byte[] GetAuthenticatedAttributeBytes(byte[] secondDigest, DateTime signingTime, byte[] ocsp)

Parameters

secondDigest byte[]

the content digest

signingTime DateTime

the signing time

ocsp byte[]

Returns

byte[]

the byte array representation of the authenticatedAttributes ready to be signed

GetDigest(string)

Gets the digest name for a certain id @since 2.1.6

public static string GetDigest(string oid)

Parameters

oid string

an id (for instance "1.2.840.113549.2.5")

Returns

string

a digest name (for instance "MD5")

GetDigestAlgorithm()

Get the algorithm used to calculate the message digest

public string GetDigestAlgorithm()

Returns

string

the algorithm used to calculate the message digest

GetEncodedPkcs1()

Gets the bytes for the PKCS#1 object.

public byte[] GetEncodedPkcs1()

Returns

byte[]

a byte array

GetEncodedPkcs7()

Gets the bytes for the PKCS7SignedData object.

public byte[] GetEncodedPkcs7()

Returns

byte[]

the bytes for the PKCS7SignedData object

GetEncodedPkcs7(byte[], DateTime)

Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used.

public byte[] GetEncodedPkcs7(byte[] secondDigest, DateTime signingTime)

Parameters

secondDigest byte[]

the digest in the authenticatedAttributes

signingTime DateTime

the signing time in the authenticatedAttributes

Returns

byte[]

the bytes for the PKCS7SignedData object

GetEncodedPkcs7(byte[], DateTime, ITsaClient, byte[])

Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, OR a time-stamp-authority client may be provided. @since 2.1.6

public byte[] GetEncodedPkcs7(byte[] secondDigest, DateTime signingTime, ITsaClient tsaClient, byte[] ocsp)

Parameters

secondDigest byte[]

the digest in the authenticatedAttributes

signingTime DateTime

the signing time in the authenticatedAttributes

tsaClient ITsaClient

null or an optional time stamp authority client

ocsp byte[]

Returns

byte[]

the bytes for the PKCS7SignedData object

GetHashAlgorithm()

Returns the hash algorithm name.

public string GetHashAlgorithm()

Returns

string

the digest algorithm

GetIssuerFields(X509Certificate)

Get the issuer fields from an X509 Certificate

public static PdfPkcs7.X509Name GetIssuerFields(X509Certificate cert)

Parameters

cert X509Certificate

an X509Certificate

Returns

PdfPkcs7.X509Name

an X509Name

GetOcspurl(X509Certificate)

Retrieves the OCSP URL from the given certificate. @throws CertificateParsingException on error @since 2.1.6

public static string GetOcspurl(X509Certificate certificate)

Parameters

certificate X509Certificate

the certificate

Returns

string

the URL or null

GetSubjectFields(X509Certificate)

Get the subject fields from an X509 Certificate

public static PdfPkcs7.X509Name GetSubjectFields(X509Certificate cert)

Parameters

cert X509Certificate

an X509Certificate

Returns

PdfPkcs7.X509Name

an X509Name

IsRevocationValid()

Checks if OCSP revocation refers to the document signing certificate. @since 2.1.6

public bool IsRevocationValid()

Returns

bool

true if it checks, false otherwise

SetExternalDigest(byte[], byte[], string)

Sets the digest/signature to an externally calculated value.

public void SetExternalDigest(byte[] digest, byte[] rsAdata, string digestEncryptionAlgorithm)

Parameters

digest byte[]

the digest. This is the actual signature

rsAdata byte[]

the extra data that goes into the data tag in PKCS#7

digestEncryptionAlgorithm string

the encryption algorithm. It must be null if the digest is also null. If the digest is not null then it may be "RSA" or "DSA"
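SetExternalDigest exists so that the signing key never has to be handed to PdfPkcs7: the document digest and the authenticated attributes are built here, the raw signature is produced elsewhere (a smart card, token or HSM), and only the result is fed back. The following is an added example and not code from iTextSharp.LGPLv2.Core or its documentation. It assumes that `sap` is a PdfSignatureAppearance whose GetRangeStream() yields the bytes to sign, that `signRaw` is a caller-supplied delegate returning a SHA-256-with-RSA PKCS#1 v1.5 signature over the bytes it is given, that the constructor accepts a null private key when the signature is later supplied through SetExternalDigest, and that the library accepts "SHA-256" as a hashAlgorithm name.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using iTextSharp.text.pdf;
using Org.BouncyCastle.X509;

// Added example, not part of the library or its documentation.
public static class ExternalSigner
{
    // Builds the PKCS7SignedData bytes for a detached signature whose RSA operation
    // is performed outside this process.
    public static byte[] BuildSignedData(PdfSignatureAppearance sap, X509Certificate[] chain,
                                         Func<byte[], byte[]> signRaw)
    {
        DateTime signingTime = DateTime.Now;

        // Assumption: no private key is given to PdfPkcs7 (null); the signature is
        // supplied afterwards via SetExternalDigest. "SHA-256" is assumed to be accepted.
        PdfPkcs7 pk7 = new PdfPkcs7(null, chain, null, "SHA-256", false);

        // Digest the signed byte ranges of the document.
        byte[] hash;
        using (Stream inp = sap.GetRangeStream())
        using (SHA256 sha256 = SHA256.Create())
        {
            hash = sha256.ComputeHash(inp);
        }

        // The signature is made over the DER-encoded authenticatedAttributes, which wrap
        // the document digest. The same (hash, signingTime) pair must be passed to
        // GetEncodedPkcs7 below, otherwise a verifier's recomputed attributes differ.
        byte[] attributes = PdfPkcs7.GetAuthenticatedAttributeBytes(hash, signingTime, null);

        // The external signer hashes `attributes` with SHA-256 and RSA-signs the result;
        // the key material stays on the token/HSM.
        byte[] signature = signRaw(attributes);

        // Hand the externally produced signature to the PKCS#7 builder. rsAdata is null
        // because the sub-filter is adbe.pkcs7.detached; the last argument names the key type.
        pk7.SetExternalDigest(signature, null, "RSA");

        return pk7.GetEncodedPkcs7(hash, signingTime);
    }
}
```

The value returned is what goes into the signature dictionary's /Contents entry. Because the signature covers the attributes rather than the raw document bytes, any change to `hash` or `signingTime` between the GetAuthenticatedAttributeBytes call and the GetEncodedPkcs7 call produces a PKCS#7 object that fails verification.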

Update(byte[], int, int)

Update the digest with the specified bytes. This method is used both for signing and verifying @throws SignatureException on error

public void Update(byte[] buf, int off, int len)

Parameters

buf byte[]

the data buffer

off int

the offset in the data buffer

len int

the data length

Verify()

Verify the digest. @throws SignatureException on error

public bool Verify()

Returns

bool

true if the signature checks out, false otherwise

VerifyCertificate(X509Certificate, object[], DateTime)

Verifies a single certificate.

public static string VerifyCertificate(X509Certificate cert, object[] crls, DateTime calendar)

Parameters

cert X509Certificate

the certificate to verify

crls object[]

the certificate revocation list or null

calendar DateTime

the date or null for the current date

Returns

string

a String with the error description, or null if no error

VerifyCertificates(X509Certificate[], IList<X509Certificate>, object[], DateTime)

Verifies a certificate chain against a KeyStore.

public static object[] VerifyCertificates(X509Certificate[] certs, IList<X509Certificate> keystore, object[] crls, DateTime calendar)

Parameters

certs X509Certificate[]

the certificate chain

keystore IList<X509Certificate>

the KeyStore

crls object[]

the certificate revocation list or null

calendar DateTime

the date or null for the current date

Returns

object[]

null if the certificate chain could be validated, or an Object[]{cert, error} where cert is the failed certificate and error is the error message

VerifyOcspCertificates(BasicOcspResp, IList<X509Certificate>)

Verifies an OCSP response against a KeyStore.

public static bool VerifyOcspCertificates(BasicOcspResp ocsp, IList<X509Certificate> keystore)

Parameters

ocsp BasicOcspResp

the OCSP response

keystore IList<X509Certificate>

the KeyStore

Returns

bool

true if a certificate was found

VerifyTimestampCertificates(TimeStampToken, IList<X509Certificate>)

Verifies a timestamp against a KeyStore. @since 2.1.6

public static bool VerifyTimestampCertificates(TimeStampToken ts, IList<X509Certificate> keystore)

Parameters

ts TimeStampToken

the timestamp

keystore IList<X509Certificate>

the KeyStore

Returns

bool

true if a certificate was found

VerifyTimestampImprint()

Checks if the timestamp refers to this document. @throws java.security.NoSuchAlgorithmException on error @since 2.1.6

public bool VerifyTimestampImprint()

Returns

bool

true if it checks, false otherwise
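The verification members on this page (the byte[] constructor, Update, Verify, GetDigestAlgorithm, VerifyCertificates, IsRevocationValid, VerifyTimestampImprint and VerifyTimestampCertificates) are meant to be used together: Verify only proves that the signature matches the digest, and says nothing about whether the signer is trusted, revoked, or using a digest that is still safe. The following is an added example and not code from iTextSharp.LGPLv2.Core or its documentation. It assumes the caller has already extracted the raw /Contents bytes of the signature dictionary (`contents`), opened a stream over the signed byte ranges (`signedRanges`), and holds a list of trusted root certificates (`trustedRoots`); the set of rejected digest names is an assumed local policy, not a library setting.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using iTextSharp.text.pdf;
using Org.BouncyCastle.X509;

// Added example, not part of the library or its documentation.
public static class SignatureCheck
{
    // Assumed policy: digest names reported by GetDigestAlgorithm that a verifier
    // should no longer accept.
    private static readonly HashSet<string> WeakDigests =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "MD2", "MD5", "SHA1", "SHA-1" };

    // Returns true only when every check passes; `report` explains the first failure
    // or summarises the accepted signature.
    public static bool VerifyDetached(byte[] contents, Stream signedRanges,
                                      IList<X509Certificate> trustedRoots, out string report)
    {
        // Verifying constructor for adbe.pkcs7.detached / adbe.pkcs7.sha1.
        PdfPkcs7 pk7 = new PdfPkcs7(contents);

        // 1. Feed the signed byte ranges into the digest (same Update as on the signing side).
        byte[] buf = new byte[8192];
        int n;
        while ((n = signedRanges.Read(buf, 0, buf.Length)) > 0)
        {
            pk7.Update(buf, 0, n);
        }

        // 2. Cryptographic check: does the signature match the digest?
        if (!pk7.Verify())
        {
            report = "signature does not match the signed byte ranges";
            return false;
        }

        // 3. Refuse digests that are no longer collision resistant.
        string digestAlg = pk7.GetDigestAlgorithm();
        if (WeakDigests.Contains(digestAlg))
        {
            report = "weak digest algorithm: " + digestAlg;
            return false;
        }

        // 4. Chain check at the signing date: signing certificate first, up to a trusted root.
        object[] crls = pk7.CrLs == null ? null : pk7.CrLs.ToArray();
        object[] failure = PdfPkcs7.VerifyCertificates(pk7.SignCertificateChain, trustedRoots, crls, pk7.SignDate);
        if (failure != null)
        {
            X509Certificate bad = (X509Certificate)failure[0];
            report = "chain failed at " + bad.SubjectDN + ": " + failure[1];
            return false;
        }

        // 5. Embedded OCSP response: only meaningful if it refers to the signing certificate.
        if (pk7.Ocsp != null && !pk7.IsRevocationValid())
        {
            report = "embedded OCSP response does not cover the signing certificate";
            return false;
        }

        // 6. Embedded timestamp: its imprint must be over this signature and its TSA must be trusted.
        if (pk7.TimeStampToken != null)
        {
            if (!pk7.VerifyTimestampImprint())
            {
                report = "timestamp imprint does not match this signature";
                return false;
            }
            if (!PdfPkcs7.VerifyTimestampCertificates(pk7.TimeStampToken, trustedRoots))
            {
                report = "timestamp authority certificate is not trusted";
                return false;
            }
        }

        report = "signed by " + pk7.SigningCertificate.SubjectDN + " on " + pk7.SignDate.ToString("u");
        return true;
    }
}
```

The order matters: the chain is validated at pk7.SignDate, which is the signer's own claim unless a trusted timestamp backs it, so step 6 is what turns that date into evidence. A signature that passes step 2 but fails any later step should be reported as untrusted rather than as "invalid", since the bytes were not altered; the problem is who signed them or how.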