Class FormSignature
- java.lang.Object
-
- org.faceless.pdf2.FormElement
-
- org.faceless.pdf2.FormSignature
-
- All Implemented Interfaces:
java.lang.Cloneable
public class FormSignature extends FormElement
This class represents a public key "Digital Signature" which can be used to sign a PDF document. Signatures from existing documents can be verified and new signatures can be added.
Signatures may be applied and verified using the full version of Acrobat, but not Acrobat Reader. Verifying or creating a Signature requires a "Handler", both in our library and Acrobat. Acrobat 4 and 5 had "self-signed" signatures, and a plugin from VeriSign was available, but Acrobat 6 and later are supplied with a handler supporting full key management. Signatures targeting this handler can be created using an
AcrobatSignatureHandlerFactory
.Since version 2.0, the framework is in place to allow custom signature handlers to be written. This means that with the right
SignatureHandler
, the library can be used to create or verify any type of digital signature. The library is distributed with theAcrobatSignatureHandlerFactory
, which we recommend using, as well as the olderHANDLER_VERISIGN
andHANDLER_SELFSIGN
factories. All of these handlers use the standardKeyStore
class supplied with Java, and do not necessarily need any third party libraries to work.A feature of PDF is that only a single
STATE_PENDING
signature can be applied to a PDF - ie. when saving a document, only a single signature may be applied. If multiple signatures must be applied then another signature may be added and the PDF saved again.So how do you use this class? The following examples show how to sign and verify documents using the supplied signature handlers.
Verifying existing signatures
To verify a document has been signed and not altered since signing, and to be sure of the signatory, three steps are required. These three steps apply to any type of digital signature, not just PKI (Public Key Infrastuction) signatures, but for these examples we'll focus on the PKI signatures only.
- You must verify that content of the document matches the signature
- You must verify that the signature covers the whole document
- You must verify that the key used to sign the document belongs to who it says it does
First, verifying that the signature matches the document content is done using the
verify()
method. This can be done like so:PDF pdf = new PDF(new PDFReader(new FileInputStream(args[0]))); Map elements = pdf.getForm().getElements(); for (Iterator i=elements.values().iterator(); i.hasNext();) { FormElement e = (FormElement)i.next(); if (e instanceof FormSignature && ((FormSignature)e).verify()) { System.out.println("Signature from "+sig.getName()+" matches PDF checksum"); } }
Second, you must verify that the signature covers the latest revision of the document - otherwise the document could have been altered after signing (see the
PDFReader
class documentation for more information about revisions). To verify the signature covers the latest revision, you need to compare the value ofPDF.getNumberOfRevisions()
with the value ofgetNumberOfRevisionsCovered()
. Something like this should do it:int pdfrevision = pdf.getNumberOfRevisions(); int sigrevision = signature.getNumberOfRevisionsCovered(); if (pdfrevision == sigrevision) { System.out.println("Whole document is covered"); }
At this point you know the signature covers the whole document, and that the document hasn't been changed since signing. You then need to confirm that the PDF really was signed by the name on the signature. The handlers supplied with this library are all based on PKCS#7, and contain a chain of X.509 certificates which should be verified. A full discussion of Public Key Infrastructure could fill a book in itself, so instead we'll show you how to get the certificates and how to verify them against a keystore.
Each Java distribution comes with a list of CA certificates which are used to verify signed JAR files, but if your signature is signed by one of those CA's we can also use it to verify the signature (if not, you can supply your own keystore with CA certificates - the principle is the same). The certificates are accessed via the
PKCS7SignatureHandler.getCertificates()
method, and theisValidCertificate
method used to perform some basic validation if you want to check the certificates yourself. Here we use theverifyCertificates
method to confirm the certificates are valid and signed by a CA:PDF pdf = new PDF(new PDFReader(new FileInputStream(args[0]))); KeyStore ca = FormSignature.loadDefaultKeyStore(); // Load CA certificates for (Iterator i=pdf.getForm().getElements().values().iterator(); i.hasNext();) { FormElement e = (FormElement)i.next(); if (e instanceof FormSignature) { FormSignature sig = (FormSignature)e; if (sig.getSignatureHandler() instanceof PKCS7SignatureHandler) { PKCS7SignatureHandler handler = (PKCS7SignatureHandler)sig.getSignatureHandler(); Calender when = sig.getSignDate(); X509Certificate[] certs = handler.getCertificates(); if (FormSignature.verifyCertificates(certs, ca, null, when) == null) { System.out.println("Certificates for "+sig.getName()+" verified"); } } else { System.out.println("Not a PKCS#7 public-key signature!"); } } }
Signing documents
A single signature can be applied to a PDF document by adding the signature to the PDF documents Form. Here's an example:
PDF pdf = new PDF(); pdf.newPage("A4"); KeyStore keystore = loadMyKeyStore(); // Somehow load a keystore String alias = "mykey"; char[] password = "secret".toCharArray(); SignatureHandlerFactory factory = new AcrobatSignatureHandlerFactory(); FormSignature sig = new FormSignature(keystore, alias, password, factory); pdf.getForm().addElement("Test Signature", sig);
This slightly oversimplified example demonstrates two things. One, that the private key and its associated certificates used to sign a document must be loaded from a
KeyStore
, and two, that you must specify the signature handler that will be used to verify the document in Acrobat.Since Acrobat 6.0, theoretically any PKCS#7 signature can be verified without an external plugin - simply use the
AcrobatSignatureHandlerFactory
factory. Prior to Acrobat 6, the situation is more complex - you must create a signature for a specific handler (typically usingHANDLER_SELFSIGN
orHANDLER_VERISIGN
).Finally to get you started, here is a complete example showing how to create a PDF that can be verified in Acrobat 6.0 or later. Rather than type all this out we suggest you take a look at the "Sign.java" example supplied with the package, which does all this and more.
-
Create a self-signed key using the "keytool" program supplied with the JDK.
The following command will create a 1024-bit RSA key plus certificate in
the file "mykeystore". You'll be prompted for a password.
keytool -genkey -alias mykey -keyalg RSA -sigalg MD5withRSA \ -keystore mykeystore.jks -dname 'C=UK, O=YourOrganization, CN=YourName'
-
The following code can be used to create a blank PDF which is digitally signed with this key.
import java.security.KeyStore; import java.io.*; import org.faceless.pdf2.*; public static void TestSign { static final String KEYFILE = "mykeystore.jks"; // Keystore filename static final String KEYALIAS = "mykey"; // Alias for private key static final char[] PASSWORD = "secret".toCharArray(); // Password public static void main(String[] args) throws Exception { PDF pdf = new PDF(); PDFPage page = pdf.newPage("A4"); KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream(KEYFILE), PASSWORD); SignatureHandlerFactory factory = new AcrobatSignatureHandlerFactory(); FormSignature sig = new FormSignature(keystore, KEYALIAS, PASSWORD, factory); pdf.getForm().addElement("Test Signature", sig); pdf.render(new FileOutputStream("Signed.pdf")); } }
-
Run the program - it creates "Signed.pdf" which can be verified in Acrobat 6.0 or greater.
java TestSign
More information on digital signatures is available in the userguide.
- Since:
- 1.1.13
- See Also:
AcrobatSignatureHandlerFactory
,PKCS7SignatureHandler
-
-
Field Summary
Fields Modifier and Type Field Description static int
CERTIFICATION_ALLOWCOMMENTS
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that allows only commenting and form fill-in actions on the Document.static int
CERTIFICATION_ALLOWFORMS
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that allows only form fill-in actions on the Document.static int
CERTIFICATION_NOCHANGES
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that disallows any changes to the Document.static int
CERTIFICATION_UNCERTIFIED
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will not be a certifying signature.static SignatureHandlerFactory
HANDLER_ACROBATSIX
A type of handler representing the general purpose PKI signature plugin supplied with Acrobat 6.0 and later.static SignatureHandlerFactory
HANDLER_SELFSIGN
Deprecated.There is no need to use this handler.static SignatureHandlerFactory
HANDLER_VERISIGN
Deprecated.There is no need to use this handler.static int
STATE_BLANK
This value is returned from thegetState()
method if the signature field has not been completed yet.static int
STATE_PENDING
This value is returned from thegetState()
method if the signature is "new" - it has been added to the document and is waiting for the document to be completed before it is applied.static int
STATE_SIGNED
This value is returned from thegetState()
method if the signature is "old" - the PDF document that was read in was already signed with this signature.
-
Constructor Summary
Constructors Constructor Description FormSignature()
Create a newblank
digital signature field.FormSignature(java.security.KeyStore keystore, java.lang.String alias, char[] password, SignatureHandlerFactory factory)
Create a newpending
digital signature to sign a PDF document.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description WidgetAnnotation
addAnnotation(PDFPage page, float x1, float y1, float x2, float y2)
Add an annotation for this Signature to the specified page at the specified location.WidgetAnnotation
addAnnotation(PDFPage page, float x1, float y1, float x2, float y2, PDFCanvas appearance)
Add an annotation for this Signature to the specified page at the specified location, with the specified appearance.void
cancelVerify()
If a verification is currently running, cancel it.protected java.lang.Object
clone()
long[]
getByteRangeCovered()
Return the bytes of the PDF file covered by this signature.int
getCertificationType()
Return the type of "Certification" this signature attests to.java.lang.String
getContactInfo()
Return the contact information field for this signature if that information is available, ornull
otherwise.java.lang.String
getFilter()
Return the name of the digital signature handler used to sign the document.static java.lang.String
getIssuerField(java.security.cert.X509Certificate cert, java.lang.String field)
Return the specified X.500 field from the specified X.509 certificates Issuer.java.lang.String
getLocation()
Return the location where this document was signed if if that information is available, ornull
otherwise.java.lang.String
getName()
Get the name of the person or entity that signed this PDF if that information is available, ornull
otherwise.int
getNumberOfRevisionsCovered()
Return the number of document revisions covered by this signature.java.lang.String
getReason()
Return the reason this signature was applied to the PDF if that information is available, ornull
otherwise.java.net.URI
getRequiredCertificateFallbackURI()
Return the URI to be used if the "issuers" and "subjects" Certificate restrictions are not met, as set bysetRequiredCertificateFallbackURI(java.net.URI)
, ornull
if none were specified.java.security.cert.X509Certificate[]
getRequiredCertificateIssuers()
Return the list of required Issuer certificates as set bysetRequiredCertificateIssuers(java.security.cert.X509Certificate[])
, ornull
if none were specified.java.security.cert.X509Certificate[]
getRequiredCertificateSubjects()
Return the list of required Issuer certificates as set bysetRequiredCertificateSubjects(java.security.cert.X509Certificate[])
, ornull
if none were specified.java.lang.String[]
getRequiredDigestAlgorithms()
Return the list of allowable digest algorithms that can be used to sign this signature, ornull
if this is not specified.java.lang.String[]
getRequiredReasons()
Set the list of reasons that must be chosen from when signing, as set bysetRequiredReasons(java.lang.String[])
java.net.URI
getRequiredTimestampServer()
Get the URI of the TimeStamp server that must be used when signing as set bysetRequiredTimestampServer(java.net.URI)
, ornull
if none is specifiedSignatureHandler
getSignatureHandler()
Return theSignatureHandler
that is used with this Signature, ornull
if the signature has not been signed yet (ie. the state is stillSTATE_BLANK
).SignaturePolicy
getSignaturePolicy()
Return theSignaturePolicy
that was previously set bysetSignaturePolicy(org.faceless.pdf2.SignaturePolicy)
java.util.Calendar
getSignDate()
Return the time the signature was applied to the document.int
getState()
Returns the current state of the signature.static java.lang.String
getSubjectField(java.security.cert.X509Certificate cert, java.lang.String field)
Return the specified X.500 field from the specified X.509 certificates Subject.java.lang.String
getValue()
As signatures do not have a "value" as such, this method always returns null.static boolean
isValidCertificate(java.security.cert.X509Certificate cert, java.security.cert.CRL crl, java.util.Date signdate)
Return true if the specified X.509 Certificate is valid for the specified date, has not been revoked and has no unknown critical extensions.boolean
isVerifying()
Return true if theverify()
method is currently running in another thread.static java.security.KeyStore
loadAKFKeyStore(java.io.InputStream in)
Load an X.509 certificate from an "Adobe Key File" keystore, the type exported from the Adobe Self-Sign signature handler in Acrobat 4.0.static java.security.KeyStore
loadDefaultKeyStore()
Return the default Java keystore to validate keys against.static java.security.KeyStore
loadFDFKeyStore(java.io.InputStream in)
Load an X.509 certificate from an "Adobe Self-Sign Key" keystore, the type exported from the Adobe Self-Sign signature handler in Acrobat 5.0.static java.security.KeyStore
loadPKCS7KeyStore(java.io.InputStream in)
Load a list of one or more X.509 certificates from a PKCS#7 file.static java.security.KeyStore
loadTrustedKeyStore()
Return a KeyStore containing various trusted roots that are widely approved by national or multi-national bodies.void
putLiteral(java.lang.String key, java.lang.String tokens)
Put a literal token sequnce.void
rebuild()
Cause the annotation list to be rebuilt.static void
registerHandlerForVerification(SignatureHandlerFactory factory)
This method must be called to register a newSignatureHandlerFactory
that can be used when verifying signatures, although it's not necessary for handlers that are only used for signing.void
setCertificationType(int certificationtype, java.lang.String attestation)
Causes this signatures be "Certifying" signature when it's signed - also known as an "Author" signature..void
setContactInfo(java.lang.String info)
Set the contact information field for this signature.void
setLocation(java.lang.String location)
Set the location where the signer is signing the PDF document - e.g.void
setName(java.lang.String name)
Set the name of the person or entity who is applying this signature.void
setReason(java.lang.String reason)
Set the reason why the the document is being signed - e.g.void
setRequiredCertificateFallbackURI(java.net.URI uri)
Set the URI the user is directed to if the conditions set bysetRequiredCertificateIssuers(java.security.cert.X509Certificate[])
andsetRequiredCertificateSubjects(java.security.cert.X509Certificate[])
are not met.void
setRequiredCertificateIssuers(java.security.cert.X509Certificate[] certs)
Set restrictions on which X.509 Certificates can be used when this (blank) signature is eventually signed.void
setRequiredCertificateSubjects(java.security.cert.X509Certificate[] certs)
Set restrictions on which X.509 Certificates can be used when this (blank) signature is eventually signed.void
setRequiredDigestAlgorithms(java.lang.String[] algorithms)
Set the list of allowable digest algorithms that can be used to sign this signature, ornull
to remove any existing restrictions.void
setRequiredReasons(java.lang.String[] validreasons)
Set the list of Reasons from which the user must choose when this (blank) signature is eventually signed.void
setRequiredTimestampServer(java.net.URI uri)
Set the URI of the TimeStamp server that must be used when this (blank) signature is eventually signed.void
setSignaturePolicy(SignaturePolicy policy)
Set theSignaturePolicy
that should be used when validating this Signature.void
sign(java.security.KeyStore keystore, java.lang.String alias, char[] password, SignatureHandlerFactory factory)
Sign aSTATE_BLANK
digital signature.java.lang.String
toString()
boolean
verify()
Verify a signature by ensuring that the PDF document hasn't been altered since it was signed.static java.security.cert.X509Certificate
verifyCertificates(java.security.cert.X509Certificate[] certs, java.security.KeyStore keystore, java.security.cert.CRL crl, java.util.Calendar signdate)
Verify a list of X.509 certificates against a list of trusted certificates.-
Methods inherited from class org.faceless.pdf2.FormElement
addPropertyChangeListener, duplicate, flatten, getAction, getAnnotation, getAnnotations, getDescription, getForm, isReadOnly, isRequired, isSubmitted, removePropertyChangeListener, setAction, setDescription, setReadOnly, setRequired, setSubmitted
-
-
-
-
Field Detail
-
CERTIFICATION_UNCERTIFIED
public static final int CERTIFICATION_UNCERTIFIED
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will not be a certifying signature. This is the default.- Since:
- 2.7.4
- See Also:
- Constant Field Values
-
CERTIFICATION_NOCHANGES
public static final int CERTIFICATION_NOCHANGES
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that disallows any changes to the Document. No legal attestation is required in this case, as the document cannot be changed.- Since:
- 2.7.4
- See Also:
- Constant Field Values
-
CERTIFICATION_ALLOWFORMS
public static final int CERTIFICATION_ALLOWFORMS
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that allows only form fill-in actions on the Document. Specifically, existing form fields can be modified, but the position of those fields cannot be changed, and no fields can be added or deleted (this includes adding new signatures, although pre-existing blank signature fields can be signed). Other annotations cannot be changed. A legal attestation is recommended if this type of certification is used.- Since:
- 2.7.4
- See Also:
- Constant Field Values
-
CERTIFICATION_ALLOWCOMMENTS
public static final int CERTIFICATION_ALLOWCOMMENTS
A value that can be passed in tosetCertificationType(int, java.lang.String)
and returned fromgetCertificationType()
to indicate that the signature will be a certifying signature that allows only commenting and form fill-in actions on the Document. Specifically, existing form fields can have their values modified and the position of their annotations can be changed. New signature fields can be added, but other types of field cannot and no fields can be deleted. Other types of annotation can be added or deleted. A legal attestation is recommended if this type of certification is used.- Since:
- 2.7.4
- See Also:
- Constant Field Values
-
HANDLER_SELFSIGN
@Deprecated public static final SignatureHandlerFactory HANDLER_SELFSIGN
Deprecated.There is no need to use this handler. Use anAcrobatSignatureHandlerFactory
instead.A type of handler representing the Adobe "self-sign" signature handler supplied with Acrobat 4.x and 5.x. Keys must use the RSA algorithm and may be any length (we've tested 512, 1024 and 2048-bit keys). Certificates must use the MD5/RSA signature algorithm. Obviously the certificate associated with the key must be self-signed, and Acrobat also insists that the country code, if specified, must be exactly 2 letters long.
Self-sign signatures are limited in that only certificates in the viewing users "Personal Address Book" are considered to be trusted - a Certifying Authority is not used. Certificates may be added to the address book if they're not already there, and provided they are confirmed (by manually checking the serial number with the issuer), this handler does most of what is required of a PKI system.
Documents signed with this handler can be verifed in Acrobat 4, 5 and 6 out of the box. Note that unless you're specifically targeting Acrobat 5.0 or earlier you should use
HANDLER_ACROBATSIX
instead.- Since:
- 2.0 (prior to 2.0 this constant existed, but was an integer)
-
HANDLER_VERISIGN
@Deprecated public static final SignatureHandlerFactory HANDLER_VERISIGN
Deprecated.There is no need to use this handler. Use anAcrobatSignatureHandlerFactory
instead.A type of handler representing the VeriSign "Document Signer" digital signature handler available for Acrobat 4.x and 5.x. Keys must use the RSA algorithm and may be any length, but must be signed by a VeriSign CA key or they will be considered invalid by the VeriSign plugin. VeriSign also distribute an "Administrator Tool" which allows you to set your own list of trusted certificates, although we haven't tested this functionality.
The plugin itself is available from the VeriSign website as a free download. Details on how to use and install the plugin are also available from this site.
The VeriSign test certificate we worked with was MD5/RSA, and we expect that all keys that work with this plugin must use this algorithm.
Documents signed with this handler can be verifed in Acrobat 4, 5 with the VeriSign plugin, and Acrobat 6 out of the box. Note that unless you're specifically targeting Acrobat 5.0 or earlier you should use
HANDLER_ACROBATSIX
instead.- Since:
- 2.0 (prior to 2.0 this constant existed, but was an integer)
-
HANDLER_ACROBATSIX
public static final SignatureHandlerFactory HANDLER_ACROBATSIX
A type of handler representing the general purpose PKI signature plugin supplied with Acrobat 6.0 and later. This handler (which has the Filter name "Adobe.PPKLite") is an instanceof of
AcrobatSignatureHandlerFactory
, and while it can be used, for maximum flexiblity we recommend creating your own instance of that class and setting whichever options you required.Documents signed with this handler can only be verifed in Acrobat 6 or later. Unless you're specifically targetting Acrobat 5.0 or earlier, we recommend always using this handler instead of
HANDLER_SELFSIGN
orHANDLER_VERISIGN
.- Since:
- 2.0
-
STATE_SIGNED
public static final int STATE_SIGNED
This value is returned from thegetState()
method if the signature is "old" - the PDF document that was read in was already signed with this signature. The signature may be validated, but will not be exported again if the document is resaved.- See Also:
STATE_PENDING
,STATE_BLANK
,getState()
, Constant Field Values
-
STATE_PENDING
public static final int STATE_PENDING
This value is returned from thegetState()
method if the signature is "new" - it has been added to the document and is waiting for the document to be completed before it is applied. Only one "pending" signature may currently be applied to each document.- See Also:
STATE_SIGNED
,STATE_BLANK
,getState()
, Constant Field Values
-
STATE_BLANK
public static final int STATE_BLANK
This value is returned from thegetState()
method if the signature field has not been completed yet. A document may contain more than one blank signature fields.- See Also:
STATE_SIGNED
,STATE_PENDING
, Constant Field Values
-
-
Constructor Detail
-
FormSignature
public FormSignature()
Create a newblank
digital signature field. The field may have a signature applied to it at a later date, either by this library or by Acrobat- Since:
- 2.0
-
FormSignature
public FormSignature(java.security.KeyStore keystore, java.lang.String alias, char[] password, SignatureHandlerFactory factory) throws java.security.GeneralSecurityException, java.lang.IllegalArgumentException
Create a newpending
digital signature to sign a PDF document. The private key and the certificates used to sign the PDF are contained in the specified keystore. This constructor is identical to calling:FormSignature sig = new FormSignature(); sig.sign(keystore, alias, password, factory);
- Parameters:
keystore
- the KeyStore containing the private key and a list of certificates to sign the document withalias
- the alias or "friendly-name" which the private key is stored under in the keystorepassword
- the password to unlock the private keyfactory
- the digital signature handler that will be used to verify the signature. Probably one ofHANDLER_SELFSIGN
orHANDLER_VERISIGN
- Throws:
java.security.GeneralSecurityException
- if the keystore, private key, password or certificates are invalid in any wayjava.lang.IllegalArgumentException
- if the arguments are technically correct but will result in an invalid signature for any reason.- Since:
- 2.0 (prior to 2.0 the last parameter was an integer)
-
-
Method Detail
-
registerHandlerForVerification
public static void registerHandlerForVerification(SignatureHandlerFactory factory)
This method must be called to register a new
SignatureHandlerFactory
that can be used when verifying signatures, although it's not necessary for handlers that are only used for signing.When a signature is verified, the appropriate handler is chosen from the list of registered handlers by matching the "Filter" and "SubFilter" fields in the handler to those in the signature. By default, the
HANDLER_VERISIGN
,HANDLER_SELFSIGN
andHANDLER_ACROBATSIX
factories are the only three that are registered.- Since:
- 2.0
-
addAnnotation
public WidgetAnnotation addAnnotation(PDFPage page, float x1, float y1, float x2, float y2)
Add an annotation for this Signature to the specified page at the specified location. Unlike other form elements, it is not necessary for a signature to have an annotation - those that don't are called "invisible" signatures in Acrobat. The annotation will take on the appearance defined by the
SignatureHandler.getLayerAppearance()
method.Note that Acrobat 9 and later will only support one annotation per signature.
- Parameters:
page
- the page to place the annotation onx1
- the left-most X co-ordinate of the annotationy1
- the top-most Y co-ordinate of the annotationx2
- the right-most X co-ordinate of the annotationy2
- the bottom-most Y co-ordinate of the annotation- Returns:
- a new WidgetAnnotation at the specified location
- Since:
- 2.0
-
addAnnotation
public WidgetAnnotation addAnnotation(PDFPage page, float x1, float y1, float x2, float y2, PDFCanvas appearance)
Add an annotation for this Signature to the specified page at the specified location, with the specified appearance. Unlike other form elements, it is not necessary for a signature to have an annotation - those that don't are called "invisible" signatures in Acrobat.
Note that Acrobat 9 and later will only support one annotation per signature.
- Parameters:
page
- the page to place the annotation onx1
- the left-most X co-ordinate of the annotationy1
- the top-most Y co-ordinate of the annotationx2
- the right-most X co-ordinate of the annotationy2
- the bottom-most Y co-ordinate of the annotationappearance
- the PDFCanvas to use as the primary appearance of the signature.- Returns:
- a new WidgetAnnotation at the specified location
- Since:
- 2.23.5
-
sign
public void sign(java.security.KeyStore keystore, java.lang.String alias, char[] password, SignatureHandlerFactory factory) throws java.security.GeneralSecurityException, java.lang.IllegalArgumentException
Sign aSTATE_BLANK
digital signature. The private key and the certificates used to sign the PDF are contained in the specified keystore.- Parameters:
keystore
- the KeyStore containing the private key and a list of certificates to sign the document withalias
- the alias or "friendly-name" which the private key is stored under in the keystorepassword
- the password to unlock the private keyfactory
- the digital signature handler that will be used to verify the signature. Probably one ofHANDLER_SELFSIGN
orHANDLER_VERISIGN
- Throws:
java.security.GeneralSecurityException
- if the keystore, private key, password or certificates are invalid in any wayjava.lang.IllegalArgumentException
- if the arguments are technically correct but will result in an invalid signature for any reason.- Since:
- 2.0
-
getState
public int getState()
Returns the current state of the signature. The state is eitherSTATE_SIGNED
for existing signatures,STATE_PENDING
for new signatures that have been added, orSTATE_BLANK
for empty signature fields
-
setName
public void setName(java.lang.String name)
Set the name of the person or entity who is applying this signature. Setting this field is recommended but not necessary - for PKCS#7 signatures, it defaults to the Common Name (CN) of the signing certificate.- Parameters:
name
- the name of the entity signing the PDF, ornull
to clear the current name- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
getName
public java.lang.String getName()
Get the name of the person or entity that signed this PDF if that information is available, ornull
otherwise.- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
setReason
public void setReason(java.lang.String reason)
Set the reason why the the document is being signed - e.g. "Approved for distribution". This field is optional.- Parameters:
reason
- the reason the entity is signing the document, ornull
to clear the current reason- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
getReason
public java.lang.String getReason()
Return the reason this signature was applied to the PDF if that information is available, ornull
otherwise.- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
setLocation
public void setLocation(java.lang.String location)
Set the location where the signer is signing the PDF document - e.g. "Head Office". This field is optional.- Parameters:
location
- the location where the entity is signing the document, ornull
to clear the current location- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
getLocation
public java.lang.String getLocation()
Return the location where this document was signed if if that information is available, ornull
otherwise.- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
-
setContactInfo
public void setContactInfo(java.lang.String info)
Set the contact information field for this signature. This information would typically be provided by the signer to enable a recipient to contact the signer to verify the signature. This field is optional.- Parameters:
info
- the contact information for this signature, ornull
to clear the current value- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
- Since:
- 2.7.1
-
getContactInfo
public java.lang.String getContactInfo()
Return the contact information field for this signature if that information is available, ornull
otherwise.- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
- Since:
- 2.7.1
-
getSignDate
public java.util.Calendar getSignDate()
Return the time the signature was applied to the document. If the signature has been timestamped, this will be the date from the timestamp, otherwise it will be the date from the signature dictionary.- Returns:
- the time the document was signed.
- Throws:
java.lang.IllegalStateException
- if this signature isn'tSTATE_SIGNED
-
getFilter
public java.lang.String getFilter()
Return the name of the digital signature handler used to sign the document. This is the value of the "Filter" field from the signature handler being used. Values could well be one of "Adobe.PPKLite", "VeriSign.PPKVS", "Entrust.PPKEF", "CICI.SignIt", "Gemtools.GemSign" or "Silanis.ApproveIt". This method is identical to callinggetSignatureHandler().getFilter()
- Throws:
java.lang.IllegalStateException
- if this signature isSTATE_BLANK
- Since:
- 2.0 (was renamed from "getType" in 1.2.x release)
-
getSignatureHandler
public SignatureHandler getSignatureHandler()
Return theSignatureHandler
that is used with this Signature, ornull
if the signature has not been signed yet (ie. the state is stillSTATE_BLANK
).- Since:
- 2.0
-
setSignaturePolicy
public void setSignaturePolicy(SignaturePolicy policy)
Set the
SignaturePolicy
that should be used when validating this Signature. The Signature Policy describes the set of conditions that must for the signature to remain valid when the PDF is modified after signing. Setting the policy in the signature changes nothing permanent - it just changes the policy that will be used the next timeverify()
is called.By default the policy is
SignaturePolicy.getDefault()
, and unless you have a good reason we suggest leaving that unchanged. However if you're trying to reproduce a validation that was made several years ago (ie. at the time of signing), an alternative policy can be used.- Since:
- 2.28
- See Also:
SignaturePolicy
-
getSignaturePolicy
public SignaturePolicy getSignaturePolicy()
Return theSignaturePolicy
that was previously set bysetSignaturePolicy(org.faceless.pdf2.SignaturePolicy)
- Returns:
- the Signature Policy
- Since:
- 2.28
-
isVerifying
public boolean isVerifying()
Return true if theverify()
method is currently running in another thread.verify()
is not synchronized (as of 2.28) but can only be run in one thread at a time.- Since:
- 2.28
- See Also:
verify()
,cancelVerify()
-
cancelVerify
public void cancelVerify()
If a verification is currently running, cancel it. Theverify()
method will throw aRuntimeException
with a cause that is anInterruptedException
. If verify is not running this method has no effect.- Since:
- 2.28
- See Also:
verify()
,isVerifying()
-
verify
public boolean verify() throws java.security.GeneralSecurityException
Verify a signature by ensuring that the PDF document hasn't been altered since it was signed. Only signatures with a state of
STATE_SIGNED
may be verified.Calling this method on a Certified signature causes additional checks to be run to confirm subsequent changes to the signature haven't invalidated the signature - if the signature checksum is valid but a subsequent modification to the file was disallowed, this method will return false.
Note that this only ensures the document matches the checksum included in the signature object. To completely confirm the document is unaltered the signature object must be confirmed to belong to who it says it does. For the supplied handlers, this is done by checking the X.509 certificates returned by
PKCS7SignatureHandler.getCertificates()
, either manually or by calling theverifyCertificates
method.Verification is synchronized internally, so before calling this method we suggest checking if a verify is already running with
isVerifying()
. Verification can be cancelled by callingcancelVerify()
. Both these methods are new in 2.28- Returns:
true
if the document is unaltered,false
if the document has been altered since signing- Throws:
java.lang.IllegalStateException
- if the signature you're verifying isn'tSTATE_SIGNED
, or if this method is running in another Thread.java.security.GeneralSecurityException
- if the specified signing algorithm is unknown, or the certificate or key are invalidjava.lang.RuntimeException
- wrapping anInterruptedException
if thecancelVerify()
method was called while verifying.- See Also:
isVerifying()
,cancelVerify()
-
getNumberOfRevisionsCovered
public int getNumberOfRevisionsCovered()
Return the number of document revisions covered by this signature. A PDF document can be revised a number of times - for example, filling out a form in Acrobat and saving the document creates a new revision. Every revision of the document must be covered by a signature in order to be sure of the documents contents. See thePDFReader
class for more information on document revisions, and the class documentation for this class for examples of how to validate a signature using this method.- Returns:
- the number of revisions covered by this signature (always greater than or equal to one since version 2.7 of this library) or zero if the signature doesn't cover any (in which case it should be discounted)
- Throws:
java.lang.IllegalArgumentException
- if the signature is not signed yet (ie. does not have a state ofSTATE_SIGNED
)- Since:
- 1.2.1
-
getByteRangeCovered
public long[] getByteRangeCovered()
Return the bytes of the PDF file covered by this signature. The returned array is theoretically any multiple of four, long, but in practice should always be four bytes, with the first byte "0", the second byte the start of the signature block - 1, the third byte the end of the signature block + 1 and the last byte the length of the revision coverered by this signature (for a file with a single revision, this will be the length of the file).
These requirements are verified as part of the
getNumberOfRevisionsCovered()
method, which is the method you should call if you're trying to verify the file. It's anticipated that ths method will be more useful for those trying to insert a signature into the PDF after it's been created, asynchronously:long[] range = signature.getByteRangeCovered(); long offset = range[1] + 1; long len = range[2] - range[1]; // insert signature bytes between off and off+len
- Since:
- 2.24.4
-
verifyCertificates
public static java.security.cert.X509Certificate verifyCertificates(java.security.cert.X509Certificate[] certs, java.security.KeyStore keystore, java.security.cert.CRL crl, java.util.Calendar signdate) throws java.security.GeneralSecurityException
Verify a list of X.509 certificates against a list of trusted certificates.The X.509 certificate(s) used to sign the document are verified and compared against the certificates in the keystore, which are assumed to be trusted. An optional Certificate Revocation List may be specified with a list of compromised certificates.
The method returns the first certificate specified in the PDF that cannot be verified. If every certificate in the chain is verified and the final certificate is signed by a certificate in the specified keystore, the entire chain is considered valid and this method returns
null
.The specified keystore may be the result of
loadDefaultKeyStore()
, or a user specified keystore. The CRL may be (and usually is)null
.Note that self-signed certificates (as created by the Adobe Self-Sign handler) will generally fail, as they cannot be verified against a trusted root certificate. The only exception to this is if you're verifying against a keystore returned from
loadAKFKeyStore(java.io.InputStream)
orloadFDFKeyStore(java.io.InputStream)
, containing a certificate that was exported from Acrobat.Also note that unless you personally trust every entity (represented by a certificate) in the chain to issue certificates responsibly, verifying the chain integrity is worthless.
We are happy to provide source code to this method - ask if you need it.
- Parameters:
certs
- theX509Certificate
list to verify. Usually this is the return result fromPKCS7SignatureHandler.getCertificates()
keystore
- theKeyStore
containing one or more trusted certificates to verify the certificate chain against.crl
- the Certificate Revocation List to check the certificates against. May benull
.signdate
- the date the documents was signed. Usually the output ofgetSignDate()
- Returns:
- the first certificate in the chain that couldn't be
verified, or
null
if all were verified against a certificate from the keystore. - Throws:
java.security.GeneralSecurityException
- if the KeyStore or any of the certificates are invalid.- Since:
- 2.0
- See Also:
PKCS7SignatureHandler.getCertificates()
,loadAKFKeyStore(java.io.InputStream)
,loadFDFKeyStore(java.io.InputStream)
,loadPKCS7KeyStore(java.io.InputStream)
,loadDefaultKeyStore()
-
isValidCertificate
public static boolean isValidCertificate(java.security.cert.X509Certificate cert, java.security.cert.CRL crl, java.util.Date signdate)
Return true if the specified X.509 Certificate is valid for the specified date, has not been revoked and has no unknown critical extensions. The code looks like:try { cert.checkValidity(signdate); return !cert.hasUnsupportedCriticalExtensions() && (crl==null || !crl.isRevoked(cert)); } catch (Exception e) { return false; }
- Parameters:
cert
- the X.509 certificate to verifycrl
- the Certificate Revokation List to search - may benull
signdate
- the date the certificate was used for signing
-
loadDefaultKeyStore
public static java.security.KeyStore loadDefaultKeyStore() throws java.security.GeneralSecurityException
Return the default Java keystore to validate keys against. This is the same keystore used to verify signed JAR files, and is distributed with most versions of Java. It includes the public certificates for several certifying authorities - in our version (Sun JDK1.3.1), VeriSign and Thawte.- Throws:
java.security.GeneralSecurityException
- if the default keystore cannot be loaded - an unlikely situation
-
loadTrustedKeyStore
public static java.security.KeyStore loadTrustedKeyStore() throws java.security.GeneralSecurityException
Return a KeyStore containing various trusted roots that are widely approved by national or multi-national bodies. Currently this contains the various root certificates granted the ability to sign qualified or unqualified signatures, timestamps and OCSP responses under the eiDAS regulations. More may be added at some point.
This list will be kept up to date by BFO, but is not relied upon internally for any cryptographic process. It is referenced when we are trying to build a certificate chain when signing - if the chain stops at one of these certificates, no warning about a truncated certificate chain is printed.
- Throws:
java.security.GeneralSecurityException
- Since:
- 2.23.6
-
loadAKFKeyStore
public static java.security.KeyStore loadAKFKeyStore(java.io.InputStream in) throws java.io.IOException, java.security.GeneralSecurityException
Load an X.509 certificate from an "Adobe Key File" keystore, the type exported from the Adobe Self-Sign signature handler in Acrobat 4.0. The file (which typically has a
.akf
suffix) contains a self-signed X.509 certificate, which can be used to verify (but not sign) documents created with the Adobe Self-Sign signature handler.The returned KeyStore has a single X.509 certificate, and can be passed to the
verifyCertificates
method to fully validate a document signed with the "self-sign" signature handler, acting as the Java equivalent of the "Personal Address Book" in Acrobat 4 terminology.Acrobat 5.0 keystores are saved in a different format - the filename is usually "
CertExchangeName.fdf
", where Name is the name of the user. These keystores can be loaded via theloadFDFKeyStore(java.io.InputStream)
method.Please note the InputStream is not closed by this method.
- Throws:
java.io.IOException
- if the keystore cannot be parsed or loaded properlyjava.security.GeneralSecurityException
- if the keystore's contents are cryptographically wrong- See Also:
HANDLER_SELFSIGN
,verifyCertificates(java.security.cert.X509Certificate[], java.security.KeyStore, java.security.cert.CRL, java.util.Calendar)
,loadFDFKeyStore(java.io.InputStream)
-
loadFDFKeyStore
public static java.security.KeyStore loadFDFKeyStore(java.io.InputStream in) throws java.io.IOException, java.security.GeneralSecurityException
Load an X.509 certificate from an "Adobe Self-Sign Key" keystore, the type exported from the Adobe Self-Sign signature handler in Acrobat 5.0. The file (which is exported with a
.fdf
suffix) contains a self-signed X.509 certificate, which can be used to verify (but not sign) documents created with the Adobe Self-Sign signature handler.The returned KeyStore has a single X.509 certificate, and can be passed to the
verifyCertificates
method to fully validate a document signed with the "self-sign" signature handler, acting as the Java equivalent of the "Trusted Certificates" in Acrobat 5 terminology.Acrobat 4.0 keystores are saved in a different format - the filename has a suffix of "
.akf
". These keystores can be loaded via theloadAKFKeyStore(java.io.InputStream)
method. Acrobat 5.0 can also save keys in a PKCS#7 format, which can be loaded using theloadPKCS7KeyStore(java.io.InputStream)
method.Please note the InputStream is not closed by this method.
- Throws:
java.io.IOException
- if the keystore cannot be parsed or loaded properlyjava.security.GeneralSecurityException
- if the keystore's contents are cryptographically wrong- Since:
- 1.2.1
- See Also:
HANDLER_SELFSIGN
,verifyCertificates(java.security.cert.X509Certificate[], java.security.KeyStore, java.security.cert.CRL, java.util.Calendar)
,loadAKFKeyStore(java.io.InputStream)
-
loadPKCS7KeyStore
public static java.security.KeyStore loadPKCS7KeyStore(java.io.InputStream in) throws java.io.IOException, java.security.GeneralSecurityException
Load a list of one or more X.509 certificates from a PKCS#7 file.
The returned KeyStore contains X.509 certificates and can be passed to the
verifyCertificates
method to verify (but not sign) the certificates used to sign a PDF document.Note that we provide this method for convenience only. If you're working heavily with PKCS format files, we recommend obtaining a JCE implementation that supports them fully. One that we have tested with some success is provided by The Legion of the Bouncy Castle.
Please note the InputStream is not closed by this method.
- Throws:
java.io.IOException
- if the keystore cannot be parsed or loaded properlyjava.security.GeneralSecurityException
- if the keystore's contents are cryptographically wrong- See Also:
HANDLER_VERISIGN
,verifyCertificates(java.security.cert.X509Certificate[], java.security.KeyStore, java.security.cert.CRL, java.util.Calendar)
-
getIssuerField
public static java.lang.String getIssuerField(java.security.cert.X509Certificate cert, java.lang.String field) throws java.security.cert.CertificateException
Return the specified X.500 field from the specified X.509 certificates Issuer.
Each X.509 certificate has two entities - a subject and an issuer. These are represented in java by the
Principal
class, but unfortunately that class doesn't allow for extraction of the various elements from the entity - elements like Common Name, Country, Organization etc.The
getIssuerField(java.security.cert.X509Certificate, java.lang.String)
andgetSubjectField(java.security.cert.X509Certificate, java.lang.String)
methods aren't specific to digital signatures or PKCS#7, but are useful "utility" methods that fill that gap in functionality.- Parameters:
cert
- the X.509 certificate to extract the Issuer fromfield
- the field to return. Can be one of "C" (country), "CN" (common name), "O" (organization"), "OU" (organization unit), "L" (locale), "ST" (state or province) or "Email" (email address - although technically not part of X.500 this is sometimes included)- Returns:
- the requested field, or
null
if the field is not part of the X.500 name. - Throws:
java.security.cert.CertificateException
-
getSubjectField
public static java.lang.String getSubjectField(java.security.cert.X509Certificate cert, java.lang.String field) throws java.security.cert.CertificateException
Return the specified X.500 field from the specified X.509 certificates Subject. See the
getIssuerField(java.security.cert.X509Certificate, java.lang.String)
method for more information.- Parameters:
cert
- the X.509 certificate to extract the Issuer fromfield
- the field to return. Can be one of "C" (country), "CN" (common name), "O" (organization"), "OU" (organization unit), "L" (locale), "ST" (state or province) or "Email" (email address - although technically not part of X.500 this is sometimes included)- Returns:
- the requested field, or
null
if the field is not part of the X.500 name. - Throws:
java.security.cert.CertificateException
-
rebuild
public void rebuild()
Description copied from class:FormElement
Cause the annotation list to be rebuilt. Unless you're rendering the annotation using the viewer, it's not necessary to call this method.- Overrides:
rebuild
in classFormElement
-
setRequiredTimestampServer
public void setRequiredTimestampServer(java.net.URI uri)
Set the URI of the TimeStamp server that must be used when this (blank) signature is eventually signed.- Parameters:
uri
- the URI of the TimeStamp server to contact, ornull
if none is required.- Since:
- 2.11.14
-
setRequiredReasons
public void setRequiredReasons(java.lang.String[] validreasons)
Set the list of Reasons from which the user must choose when this (blank) signature is eventually signed.- Parameters:
validreasons
- an array of reasons that the user will have to choose from, ornull
to not require a reason to be specified.- Since:
- 2.11.14
-
setRequiredCertificateIssuers
public void setRequiredCertificateIssuers(java.security.cert.X509Certificate[] certs)
Set restrictions on which X.509 Certificates can be used when this (blank) signature is eventually signed. This method can be used to ensure that the identity used when signing was issued by a particular Certification Authority.
For example, to ensure that a user was signing the PDF with an identity from your own in-house Certification Authority, you could use code like the following. The file "myca.cer" contains the X.509 Certificate of your CA.
InputStream certstream = new FileInputSteram("myca.cer"); CertificateFactory factory = CertificateFactory.getInstance("X.509"); X509Certificate cert = (X509Certificate)factory.generateCertificate(certstream); sig.setRequiredCertificateIssuers(new X509Certificate[] { cert }); URI uri = new URI("http://security.yourcompany.com/createnewidentity"); sig.setRequiredCertificateFallbackURI(uri);
- Parameters:
certs
- an array of X.509 Certificates of valid Certification Authorities, ornull
to accept any CA.- Since:
- 2.11.14
-
setRequiredCertificateSubjects
public void setRequiredCertificateSubjects(java.security.cert.X509Certificate[] certs)
Set restrictions on which X.509 Certificates can be used when this (blank) signature is eventually signed. This method can be used to ensure that only certain identities can be used when signing.- Parameters:
subjects
- an array of X.509 Certificates which are allowed to sign this signature, ornull
to accept a signature from anyone.- Since:
- 2.11.14
-
setRequiredCertificateFallbackURI
public void setRequiredCertificateFallbackURI(java.net.URI uri)
Set the URI the user is directed to if the conditions set bysetRequiredCertificateIssuers(java.security.cert.X509Certificate[])
andsetRequiredCertificateSubjects(java.security.cert.X509Certificate[])
are not met.- Parameters:
uri
- a URI to redirect the signing user to if the "issuers" and "subjects" conditions are not met, ornull
to disable this option.- Since:
- 2.11.14
-
setRequiredDigestAlgorithms
public void setRequiredDigestAlgorithms(java.lang.String[] algorithms)
Set the list of allowable digest algorithms that can be used to sign this signature, ornull
to remove any existing restrictions.- Parameters:
algorithms
- an array of 1 or more names of digest algorithms, eg "SHA256", "SHA512"- Since:
- 2.20.1
- See Also:
getRequiredDigestAlgorithms()
-
getRequiredDigestAlgorithms
public java.lang.String[] getRequiredDigestAlgorithms()
Return the list of allowable digest algorithms that can be used to sign this signature, ornull
if this is not specified.- Since:
- 2.20.1
- See Also:
setRequiredDigestAlgorithms(java.lang.String[])
-
getRequiredReasons
public java.lang.String[] getRequiredReasons()
Set the list of reasons that must be chosen from when signing, as set bysetRequiredReasons(java.lang.String[])
- Since:
- 2.11.14
-
getRequiredTimestampServer
public java.net.URI getRequiredTimestampServer()
Get the URI of the TimeStamp server that must be used when signing as set bysetRequiredTimestampServer(java.net.URI)
, ornull
if none is specified- Since:
- 2.11.14
-
getRequiredCertificateIssuers
public java.security.cert.X509Certificate[] getRequiredCertificateIssuers()
Return the list of required Issuer certificates as set bysetRequiredCertificateIssuers(java.security.cert.X509Certificate[])
, ornull
if none were specified.- Since:
- 2.11.14
-
getRequiredCertificateSubjects
public java.security.cert.X509Certificate[] getRequiredCertificateSubjects()
Return the list of required Issuer certificates as set bysetRequiredCertificateSubjects(java.security.cert.X509Certificate[])
, ornull
if none were specified.- Since:
- 2.11.14
-
getRequiredCertificateFallbackURI
public java.net.URI getRequiredCertificateFallbackURI()
Return the URI to be used if the "issuers" and "subjects" Certificate restrictions are not met, as set bysetRequiredCertificateFallbackURI(java.net.URI)
, ornull
if none were specified.- Since:
- 2.11.14
-
getValue
public java.lang.String getValue()
As signatures do not have a "value" as such, this method always returns null.- Specified by:
getValue
in classFormElement
-
getCertificationType
public int getCertificationType()
Return the type of "Certification" this signature attests to. One ofCERTIFICATION_UNCERTIFIED
,CERTIFICATION_NOCHANGES
,CERTIFICATION_ALLOWFORMS
orCERTIFICATION_ALLOWCOMMENTS
. Since 2.13 this method returns the value fromSignatureHandler.getCertificationType()
- Since:
- 2.7.4
- See Also:
setCertificationType(int, java.lang.String)
-
setCertificationType
public void setCertificationType(int certificationtype, java.lang.String attestation)
Causes this signatures be "Certifying" signature when it's signed - also known as an "Author" signature.. The parameter must be one ofCERTIFICATION_UNCERTIFIED
(the default),CERTIFICATION_NOCHANGES
,CERTIFICATION_ALLOWFORMS
orCERTIFICATION_ALLOWCOMMENTS
. Certifified signatures require at least Acrobat 7.0 to verify.- Parameters:
certificationtype
- the type of certification to use.attestation
- the Legal Attestation you wish to make about the signature. May be null.- Since:
- 2.7.4
- See Also:
getCertificationType()
-
toString
public java.lang.String toString()
-
putLiteral
public void putLiteral(java.lang.String key, java.lang.String tokens)
Put a literal token sequnce. For debugging- Parameters:
key
- the keytokens
- the token sequence, eg "true" or "/foo" or "[/Foo/Bar]". No refs, just direct objects.
-
clone
protected java.lang.Object clone()
- Overrides:
clone
in classjava.lang.Object
-
-