Class PKCS7SignatureHandler.ValidationInformation
- java.lang.Object
-
- org.faceless.pdf2.PKCS7SignatureHandler.ValidationInformation
-
- Enclosing class:
- PKCS7SignatureHandler
public class PKCS7SignatureHandler.ValidationInformation extends java.lang.Object
This class represents long-term validation information, as described in PAdES part 4. It may be added in one of two ways:-
At time of signing. This is done by verifying the Certificates used
(via OCSP or CRL) and timestamping the Signature. With our API, this
can be done by calling the
AcrobatSignatureHandlerFactory.setTimeStampServer(java.net.URL)
andAcrobatSignatureHandlerFactory.setValidateCertificatesOnSigning(boolean)
methods on the SignatureHandlerFactory before signing. We call this an initial validation. -
At some later date. This is done in Acrobat by "adding validation information" to the PDF and saving
the file, or in our API by calling the
PKCS7SignatureHandler.addValidationInformation(java.security.KeyStore)
method. The Certificates used in the original signing are verified, and if they have not been revoked an additional revision is added to the file with the same information (the OCSP and CRL responses).
Either of these validations may be complete, which means it contains all the OCSP and CRL responses required to verify the entire certificate chain up to self-signed root. A complete signature is the equivalent of an "LTV enabled" signature in Acrobat.
-
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description java.util.List<java.security.cert.X509Certificate>
getCertificates()
Return the full list of Certificates included with the long-term validation.java.util.List<java.security.cert.X509CRL>
getCRLs()
Return the full list of CRLs used to validate this signature, or an empty list if there are none.PKCS7SignatureHandler
getHandler()
Return the PKCS7SignatureHandler object this class is associated withjava.util.List<PKCS7SignatureHandler.OCSPResponse>
getOCSPResponses()
Return the full list of OCSP responses used to validate this signature, or an empty list if there are none.java.util.Calendar
getTime()
Return the time the validation was performed at.boolean
isComplete(java.security.KeyStore keystore)
Verify the validation information as correct, and return true if it includes all the information to validate the signature.boolean
isInitial()
Return true if this Validation was added at the time of signing (technically, if it was included as part of the id-adbe-revocationInfoArchival attribute in the PKCS#7 object).java.lang.String
toString()
-
-
-
Method Detail
-
getCRLs
public java.util.List<java.security.cert.X509CRL> getCRLs()
Return the full list of CRLs used to validate this signature, or an empty list if there are none.
-
getOCSPResponses
public java.util.List<PKCS7SignatureHandler.OCSPResponse> getOCSPResponses()
Return the full list of OCSP responses used to validate this signature, or an empty list if there are none.
-
getCertificates
public java.util.List<java.security.cert.X509Certificate> getCertificates()
Return the full list of Certificates included with the long-term validation. For aninitial
Validation, this is the same asPKCS7SignatureHandler.getCertificates()
-
getTime
public java.util.Calendar getTime()
Return the time the validation was performed at. For aninitial
Validation, this is the same asFormSignature.getSignDate()
. For any subsequent validations, this time is not usually asserted in any cryptographically assured way, so this value is just an indication.
-
isInitial
public boolean isInitial()
Return true if this Validation was added at the time of signing (technically, if it was included as part of the id-adbe-revocationInfoArchival attribute in the PKCS#7 object). If it is, it will automatically be verified as part of the signature verification
-
isComplete
public boolean isComplete(java.security.KeyStore keystore) throws java.security.GeneralSecurityException
Verify the validation information as correct, and return true if it includes all the information to validate the signature. If a KeyStore is supplied, it is presumed to contain the list of trusted roots: the certificate chains in the PDF must be validated to one of those roots to be trusted. If keystore is
null
, then any self-signed root is presumed to be trusted.The validation process confirms that the Certicates used during signing were not revoked at the time of signing. This method presumes that the timestamp of the signature is valid, which is not something that can be asserted unless the signature was timestamped by a trusted TimeStamp server: the
PKCS7SignatureHandler.getTimeStampCertificates()
should be used to confirm this.- Returns:
- true if the certificate chain up to a trusted root can be verified using only information contained in the PDF, or false if the chain cannot be verified without further information
- Throws:
java.security.GeneralSecurityException
- if the signature chain cannot be validated, either due to a signature failing to verify, or because one of the certificates has been revoked.
-
getHandler
public PKCS7SignatureHandler getHandler()
Return the PKCS7SignatureHandler object this class is associated with
-
toString
public java.lang.String toString()
- Overrides:
toString
in classjava.lang.Object
-
-