itext.sign

Access permissions value to be set to certification signature as a part of DocMDP configuration.

Unspecified access permissions value which makes signature "approval" rather than "certification".

Access permissions level 1 which indicates that no changes are permitted except for DSS and DTS creation.

Access permissions level 2 which indicates that permitted changes, with addition to level 1, are: filling in forms, instantiating page templates, and signing.

Access permissions level 3 which indicates that permitted changes, with addition to level 2, are: annotation creation, deletion and modification.

This class allows you to sign with either an RSACryptoServiceProvider/DSACryptoServiceProvider from a X509Certificate2, or from manually created RSACryptoServiceProvider/DSACryptoServiceProvider. Depending on the certificate's CSP, sometimes you will not be able to sign with SHA-256/SHA-512 hash algorithm with RSACryptoServiceProvider taken directly from the certificate. This class allows you to use a workaround in this case and sign with certificate's private key and SHA-256/SHA-512 anyway. An example of a workaround for CSP that does not support SHA-256/SHA-512:


                        if (certificate.PrivateKey is RSACryptoServiceProvider)
                        {                
                            RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)certificate.PrivateKey;
            
                            // Modified by J. Arturo
                            // Workaround for SHA-256 and SHA-512
            
                            if (rsa.CspKeyContainerInfo.ProviderName == "Microsoft Strong Cryptographic Provider" ||
                                            rsa.CspKeyContainerInfo.ProviderName == "Microsoft Enhanced Cryptographic Provider v1.0" ||
                                            rsa.CspKeyContainerInfo.ProviderName == "Microsoft Base Cryptographic Provider v1.0")
                            {
                                string providerName = "Microsoft Enhanced RSA and AES Cryptographic Provider";
                                int providerType = 24;
            
                                Type CspKeyContainerInfo_Type = typeof(CspKeyContainerInfo);
            
                                FieldInfo CspKeyContainerInfo_m_parameters = CspKeyContainerInfo_Type.GetField("m_parameters", BindingFlags.NonPublic | BindingFlags.Instance);
                                CspParameters parameters = (CspParameters)CspKeyContainerInfo_m_parameters.GetValue(rsa.CspKeyContainerInfo);
            
                                var cspparams = new CspParameters(providerType, providerName, rsa.CspKeyContainerInfo.KeyContainerName);
                                cspparams.Flags = parameters.Flags;
            
                                using (var rsaKey = new RSACryptoServiceProvider(cspparams))
                                {
                                    // use rsaKey now
                                }
                            }
                            else
                            {
                                // Use rsa directly
                            }
                        }

The hash algorithm. The encryption algorithm (obtained from the private key)

Implementation for digests accessed directly from the BouncyCastle library.

Class containing static methods that allow you to get information from an X509 Certificate: the issuer and the subject.

Class that holds an X509 name.

Country code - StringType(SIZE(2)).

Organization - StringType(SIZE(1..64)).

Organizational unit name - StringType(SIZE(1..64)).

Title.

Common name - StringType(SIZE(1..64)).

Device serial number name - StringType(SIZE(1..64)).

Locality name - StringType(SIZE(1..64)).

State, or province name - StringType(SIZE(1..64)).

Naming attribute of type X520name.

Email address (RSA PKCS#9 extension) - IA5String.

Email address (RSA PKCS#9 extension) - IA5String. Note: if you're trying to be ultra orthodox, don't use this! It shouldn't be in here.

Email address in Verisign certificates.

Object identifier.

LDAP User id.

A Map with default symbols.

A Map with values.

Constructs an X509 name.

an ASN1 Sequence

Constructs an X509 name.

a directory name

Gets the first entry from the field array retrieved from the values Map.

the field name the (first) field value

Gets a field array from the values Map.

The field name List

Getter for values.

Map with the fields of the X509 name

Class for breaking up an X500 Name into it's component tokens, similar to .

Class for breaking up an X500 Name into it's component tokens, similar to . We need this class as some of the lightweight Java environments don't support classes such as StringTokenizer.

Creates an X509NameTokenizer.

the oid that needs to be parsed

Checks if the tokenizer has any tokens left.

true if there are any tokens left, false if there aren't

Returns the next token.

the next token

Get the issuer fields from an X509 Certificate.

an X509Certificate an X500Name

Get the "issuer" from the TBSCertificate bytes that are passed in.

a TBSCertificate in a byte array an IASN1Primitive

Get the subject fields from an X509 Certificate.

an X509Certificate an X500Name

Get the "subject" from the TBSCertificate bytes that are passed in.

A TBSCertificate in a byte array a IASN1Primitive

This class contains a series of static methods that allow you to retrieve information from a Certificate.

Gets a CRLs from the X509 certificate.

the X509Certificate to extract the CRLs from CRL list or null if there's no CRL available

Gets the list of the Certificate Revocation List URLs for a Certificate.

the Certificate to get CRL URLs for the list of URL strings where you can check if the certificate is revoked.

Gets the Distribution Point from the certificate by name specified in the Issuing Distribution Point from the Certificate Revocation List for a Certificate.

the certificate to retrieve Distribution Points distributionPointName retrieved from the IDP of the CRL distribution point withthe same name as specified in the IDP.

Gets the CRL object using a CRL URL.

the URL where the CRL is located CRL object

Parses a CRL from an InputStream.

the InputStream holding the unparsed CRL the parsed CRL object.

Parses a CRL from bytes.

the bytes holding the unparsed CRL the parsed CRL object.

Retrieves the URL for the issuer certificate for the given CRL.

the CRL response the URL or null.

Retrieves the OCSP URL from the given certificate.

the certificate the URL or null

Retrieves the URL for the issuer lists certificates for the given certificate.

the certificate the URL or null.

Retrieves all URLs locations for issuer certificates for the given CRL.

the CRL response list of URL links

Retrieves all URLs locations representing certificate issuers for the given certificate.

the certificate list of URL links

Gets the URL of the TSA if it's available on the certificate

a certificate a TSA URL

Generates a certificate object and initializes it with the data read from the input stream inStream.

the input stream with the certificates. a certificate object initialized with the data from the input stream.

Try to retrieve CRL and OCSP responses from the signed data crls field.

signed data crls field as . collection to store retrieved CRL responses. collection of wrappers to store retrieved OCSP responses. collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as .

Creates the revocation info (crls field) for SignedData structure: RevocationInfoChoices ::= SET OF RevocationInfoChoice RevocationInfoChoice ::= CHOICE { crl CertificateList, other [1] IMPLICIT OtherRevocationInfoFormat } OtherRevocationInfoFormat ::= SEQUENCE { otherRevInfoFormat OBJECT IDENTIFIER, otherRevInfo ANY DEFINED BY otherRevInfoFormat } CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }

RFC 5652 §10.2.1 collection of CRL revocation status information. collection of OCSP revocation status information. collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as . crls [1] RevocationInfoChoices field of SignedData structure. Null if SignedData has no revocation data.

Checks if the issuer of the provided certID (specified in the OCSP response) and provided issuer of the certificate in question matches, i.e. checks that issuerNameHash and issuerKeyHash fields of the certID is the hash of the issuer's name and public key. SingleResp contains the basic information of the status of the certificate identified by the certID. The issuer name and serial number identify a unique certificate, so if serial numbers of the certificate in question and certID serial number are equals and issuers match, then SingleResp contains the information about the status of the certificate in question. certID specified in the OCSP response the issuer of the certificate in question true if the issuers are the same, false otherwise.

Retrieves certificate extension value by its OID.

to get extension from extension OID to retrieve encoded extension value.

Checks if an OCSP response is genuine.

the OCSP response wrapper the responder certificate true if the OCSP response verifies against the responder certificate.

Checks if the certificate is signed by provided issuer certificate.

a certificate to check an issuer certificate to check true if the first passed certificate is signed by next passed certificate.

Checks if the certificate is self-signed.

a certificate to check true if the certificate is self-signed.

Gets certificate extension value.

the certificate from which we need the ExtensionValue the Object Identifier value for the extension the extension value as an object.

Gets CRL extension value.

the CRL from which we need the ExtensionValue the Object Identifier value for the extension the extension value as an object.

Converts extension value represented as byte array to object.

the extension value as byte array the extension value as an object.

Gets a String from an ASN1Primitive

the primitive wrapper a human-readable String

Retrieves accessLocation value for specified accessMethod from the Authority Information Access extension.

Authority Information Access extension value accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp the location (URI) of the information.

Helper method that creates the object from the response bytes.

response bytes. object.

This class consists of some methods that allow you to verify certificates.

The Logger instance.

Verifies a single certificate for the current date.

the certificate to verify the certificate revocation list or null a String with the error description or null if no error

Verifies a single certificate.

the certificate to verify the certificate revocation list or null the date, shall not be null a String with the error description or null if no error

Verifies a certificate chain against a KeyStore for the current date.

the certificate chain the KeyStore the certificate revocation list or null empty list if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

Verifies a certificate chain against a KeyStore.

the certificate chain the KeyStore the certificate revocation list or null the date, shall not be null empty list if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

Verifies a certificate chain against a KeyStore for the current date.

the certificate chain the KeyStore null if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

Verifies a certificate chain against a KeyStore.

the certificate chain the KeyStore the date, shall not be null null if the certificate chain could be validated or a Object[]{cert,error} where cert is the failed certificate and error is the error message

Verifies an OCSP response against a KeyStore.

the OCSP response the KeyStore true is a certificate was found

Verifies a time stamp against a KeyStore.

the time stamp the KeyStore true is a certificate was found

Check if the provided certificate has a critical extension that iText doesn't support.

X509Certificate instance to check if there are unsupported critical extensions, false if there are none

Superclass for a series of certificate verifiers that will typically be used in a chain.

Superclass for a series of certificate verifiers that will typically be used in a chain. It wraps another CertificateVerifier that is the next element in the chain of which the verify() method will be called.

The previous CertificateVerifier in the chain of verifiers.

Indicates if going online to verify a certificate is allowed.

Creates the final CertificateVerifier in a chain of verifiers.

the previous verifier in the chain

Decide whether or not online checking is allowed.

a boolean indicating whether the certificate can be verified using online verification results.

Checks the validity of the certificate, and calls the next verifier in the chain, if any.

the certificate that needs to be checked its issuer the date the certificate needs to be valid a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

This class represents algorithm identifier structure.

Creates an Algorithm identifier structure without parameters.

the Object id of the algorithm

Creates an Algorithm identifier structure with parameters.

the Object id of the algorithm the algorithm parameters as an ASN1 structure

Creates an Algorithm identifier structure with parameters.

asn1 encodable to retrieve algorithm identifier

Return the OID of the algorithm.

the OID of the algorithm.

Return the parameters for the algorithm.

the parameters for the algorithm.

This class represents Attribute structure.

Creates an attribute.

the type of the attribute the value

Returns the type of the attribute.

the type of the attribute.

Returns the value of the attribute.

the value of the attribute.

The CMS container which represents SignedData structure from rfc5652 Cryptographic Message Syntax (CMS)

Collection to store revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response.

Optional.

Optional. It is a collection of CRL revocation status information.

Optional.

Optional. It is a collection of CRL revocation status information.

This represents the signed content.

This represents the signed content. In the case of a signed PDF document this will of type data with no content.

Optional.

Optional. It is intended to add all certificates to be able to validate the entire chain.

This class only supports one signer per signature field.

Creates an empty SignedData structure.

Creates a SignedData structure from a serialized ASN1 structure.

the serialized CMS container

This class only supports one signer per signature field.

the singerInfo

This class only supports one signer per signature field.

the singerInfo

When all fields except for signer.signedAttributes.digest and signer.signature are completed it is possible to calculate the eventual size of the signature by serializing except for the signature (that depends on the digest and cypher but is set at 1024 bytes) and later added unsigned attributes like timestamps.

the estimated size of the complete CMS container before signature is added, size for the signature is added, size for other attributes like timestamps is not.

The version of the CMS container.

version of the CMS container

The digest algorithm OID and parameters used by the signer.

The digest algorithm OID and parameters used by the signer. This class only supports one signer for use in pdf signatures, so only one digest algorithm is supported. This field is set when adding the signerInfo. digest algorithm.

This represents the signed content.

This represents the signed content. In the case of a signed PDF document this will be of type data with no content. a representation of the data to be signed.

This represents the signed content.

This represents the signed content. In the case of a signed PDF document this will be of type data with no content. Defaults to 1.2.840.113549.1.7.1 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-7(7) id-data(1)} a representation of the data to be signed.

Adds a certificate.

the certificate to be added

Adds a set of certificates.

the certificates to be added

Retrieves a copy of the list of certificates.

the list of certificates to be used for signing and certificate validation

Retrieves a copy of the list of CRLs.

the list of CRL revocation info.

Adds a CRL response to the CMS container.

the CRL response to be added.

Retrieves a copy of the list of OCSPs.

the list of OCSP revocation info.

Adds an OCSP response to the CMS container.

the OCSP response to be added.

Sets the Signed Attributes of the signer info to this serialized version.

Sets the Signed Attributes of the signer info to this serialized version. The signed attributes will become read-only. the serialized Signed Attributes

Retrieves the encoded signed attributes of the signer info.

Retrieves the encoded signed attributes of the signer info. This makes the signed attributes read only. the encoded signed attributes of the signer info.

Serializes the SignedData structure and makes the signer infos signed attributes read only.

the encoded DignedData structure.

This class represents the signed content.

Object identifier of the content field

Optional.

Optional. The actual content as an octet string. Does not have to be DER encoded.

Creates an EncapsulatedContentInfo with contenttype and content.

the content type Oid (object id) the content

Creates an EncapsulatedContentInfo with contenttype.

the content type Oid (object id)

Creates a default EncapsulatedContentInfo.

Returns the contenttype oid.

the contenttype oid.

Returns the content.

the content.

This class represents the SignerInfo structure from rfc5652 Cryptographic Message Syntax (CMS)

Creates an empty SignerInfo structure.

Creates a SignerInfo structure from an ASN1 structure.

the ASN1 structure containing signerInfo the certificates of the CMS, it should contain the signing certificate

Returns the algorithmId to create the digest of the data to sign.

the OID of the digest algorithm.

Sets the algorithmId to create the digest of the data to sign.

the OID of the algorithm

Adds or replaces the message digest signed attribute.

ASN.1 type MessageDigest

Sets the certificate that is used to sign.

the certificate that is used to sign

Gets the certificate that is used to sign.

the certificate that is used to sign.

Gets the signature data.

the signature data.

Sets the certificate that is used to sign a document and adds it to the signed attributes.

the certificate that is used to sign the oid of the digest algorithm to be added to the signed attributes

Adds a set of OCSP responses as signed attributes.

a set of binary representations of OCSP responses.

Adds a set of CRL responses as signed attributes.

a set of binary representations of CRL responses.

Adds the signer certificate to the signed attributes as a SigningCertificateV2 structure.

the certificate to add the digest algorithm oid that will be used

Sets the actual signature.

a byte array containing the signature

Optional.

Optional. Sets the OID and parameters of the algorithm that will be used to create the signature. This will be overwritten when setting the signing certificate. The OID and parameters of the algorithm that will be used to create the signature.

Value 0 when no signerIdentifier is available.

Value 0 when no signerIdentifier is available. Value 1 when signerIdentifier is of type issuerAndSerialNumber. Value 3 when signerIdentifier is of type subjectKeyIdentifier. CMS version.

Optional.

Optional. Attributes that should be part of the signed content optional, but it MUST be present if the content type of the EncapsulatedContentInfo value being signed is not id-data. In that case it must at least contain the following two attributes: A content-type attribute having as its value the content type of the EncapsulatedContentInfo value being signed. Section 11.1 defines the content-type attribute. However, the content-type attribute MUST NOT be used as part of a countersignature unsigned attribute as defined in Section 11.4. A message-digest attribute, having as its value the message digest of the content. Section 11.2 defines the message-digest attribute. collection of the signed attributes.

Adds a new attribute to the signed attributes.

Adds a new attribute to the signed attributes. This become readonly after retrieving the serialized version . the attribute to add

Retrieves the optional unsigned attributes.

the optional unsigned attributes.

Optional.

Optional. Adds attribute that should not or can not be part of the signed content. the attribute to add

Removes unsigned attribute from signer info object based on attribute type.

attribute type

Retrieves the encoded signed attributes of the signer info.

Retrieves the encoded signed attributes of the signer info. This makes the signed attributes read only. the encoded signed attributes of the signer info.

Sets the signed attributes from a serialized version.

Sets the signed attributes from a serialized version. This makes the signed attributes read only. the encoded signed attributes.

Calculates an estimate size for the SignerInfo structure.

Calculates an estimate size for the SignerInfo structure. This takes into account the values added including the signature, but does not account for unset items like a timestamp response added after actual signing. the estimated size of the structure.

Serializes the SignerInfo structure and makes the signed attributes readonly.

the encoded SignerInfo structure.

Serializes the SignerInfo structure and makes the signed attributes readonly.

Serializes the SignerInfo structure and makes the signed attributes readonly. With the possibility to skip making the signed attributes read only for estimation purposes. set to true to not make signed attributes read only the encoded SignerInfo structure.

An implementation of the CrlClient that handles offline Certificate Revocation Lists.

The CRL as a byte array.

Creates an instance of a CrlClient in case you have a local cache of the Certificate Revocation List.

the CRL bytes

Creates an instance of a CrlClient in case you have a local cache of the Certificate Revocation List.

a CRL object

Returns the CRL bytes (the parameters are ignored).

An implementation of the CrlClient that fetches the CRL bytes from an URL.

The Logger instance.

The URLs of the CRLs.

Creates a CrlClientOnline instance that will try to find a single CRL by walking through the certificate chain.

Creates a CrlClientOnline instance using one or more URLs.

the CRLs as Strings

Creates a CrlClientOnline instance using one or more URLs.

the CRLs as URLs

Creates a CrlClientOnline instance using a certificate chain.

a certificate chain

Fetches the CRL bytes from an URL.

Fetches the CRL bytes from an URL. If no url is passed as parameter, the url will be obtained from the certificate. If you want to load a CRL from a local file, subclass this method and pass an URL with the path to the local file to this method. An other option is to use the CrlClientOffline class.

Sets the connection timeout for the http client

the timeout in milliseconds, a negative number means using the system connection timeout

Sets a resource retriever for this CRL client.

Sets a resource retriever for this CRL client. This method allows you to provide a custom implementation of to be used for fetching CRL responses. By default, is used. the custom resource retriever to be used for fetching CRL responses the current instance of

Gets the resource retriever currently being used in this CRL client.

resource retriever

Get CRL response represented as .

certificate to get CRL response for link, which is expected to be used to get CRL response from CRL response bytes, represented as

Adds an URL to the list of CRL URLs

an URL in the form of a String

Adds an URL to the list of CRL URLs

an URL object

Get an amount of URLs provided for this CRL.

int number of URLs

Class that allows you to verify a certificate against one or more Certificate Revocation Lists.

The Logger instance

The list of CRLs to check for revocation date.

Creates a CRLVerifier instance.

the next verifier in the chain a list of CRLs

Verifies whether a valid CRL is found for the certificate.

Verifies whether a valid CRL is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any CRL that was available. the certificate that needs to be checked its issuer a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Verifies a certificate against a single CRL.

the Certificate Revocation List a certificate that needs to be verified its issuer the sign date true if the verification succeeded

Fetches a CRL for a specific certificate online (without further checking).

the certificate its issuer left for backwards compatibility an X509CRL object.

Checks if a CRL verifies against the issuer certificate or a trusted anchor.

the CRL the trusted anchor true if the CRL can be trusted

Empty implementation for compatibility with the older code.

Creates instance.

Class that bundles all the error message templates as constants.

Produces a blank (or empty) signature.

Produces a blank (or empty) signature. Useful for deferred signing with MakeSignature.signExternalContainer().

Creates an ExternalBlankSignatureContainer.

PdfDictionary containing signature iformation. /SubFilter and /Filter aren't set in this constructor.

Creates an ExternalBlankSignatureContainer.

Creates an ExternalBlankSignatureContainer. This constructor will create the PdfDictionary for the signature information and will insert the /Filter and /SubFilter values into this dictionary. PdfName of the signature handler to use when validating this signature PdfName that describes the encoding of the signature

This class is responsible for providing signature creator for PdfSignaer class.

Creates a new instance of the GetSignatureCreatorEvent.

document in which the signature creator is required

Provides signature creator string, which can be accessed via .

Gets signature creator.

String with a signature creator

Extension interface of that also supports applying the parameters to a .

Apply the parameters to a .

an uninitialised object

Interface that needs to be implemented if you want to embed Certificate Revocation Lists (CRL) into your PDF.

Gets an encoded byte array.

The certificate which a CRL URL can be obtained from. A CRL url if you don't want to obtain it from the certificate. A collection of byte array each representing a crl. It may return null or an empty collection.

ExternalDigest allows the use of implementations of other than .

Returns the MessageDigest associated with the provided hashing algorithm.

String value representing the hashing algorithm MessageDigest MessageDigest object

Interface that needs to be implemented to do the actual signing.

Interface that needs to be implemented to do the actual signing. For instance: you'll have to implement this interface if you want to sign a PDF using a smart card.

Returns the digest algorithm.

The digest algorithm (e.g. "SHA-1", "SHA-256,...").

Returns the signature algorithm used for signing, disregarding the digest function.

The signature algorithm ("RSA", "DSA", "ECDSA", "Ed25519" or "Ed448").

Return the algorithm parameters that need to be encoded together with the signature mechanism identifier.

Return the algorithm parameters that need to be encoded together with the signature mechanism identifier. If there are no parameters, return `null`. A non-null value is required for RSASSA-PSS; see . algorithm parameters

Signs the given message using the encryption algorithm in combination with the hash algorithm.

The message you want to be hashed and signed. A signed message digest.

Interface to sign a document.

Interface to sign a document. The signing is fully done externally, including the container composition.

Produces the container with the signature.

the data to sign a container with the signature and other objects, like CRL and OCSP. The container will generally be a PKCS7 one.

Modifies the signature dictionary to suit the container.

Modifies the signature dictionary to suit the container. At least the keys and will have to be set. the signature dictionary

Interface helper to support retrieving CAIssuers certificates from Authority Information Access (AIA) Extension in order to support certificate chains with missing certificates and getting CRL response issuer certificates.

Retrieves all possible chains using certificate Authority Information Access (AIA) Extension, known certificates and trust anchors.

certificate chain to restore with at least signing certificate. all possible chains of trust or maximum chains that could be restored in case missing certificates cannot be retrieved from AIA extension, known certificates and trust anchors.

Retrieves the certificate chain for the certificate that should be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.

CRL response to retrieve issuer for. certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

Retrieves the certificate chaind for the certificates that could be used to verify the signature on the CRL response using CRL Authority Information Access (AIA) Extension and known certificates.

CRL response to retrieve issuer for. certificates retrieved from CRL AIA extension or an empty list in case certificates cannot be retrieved.

Sets trusted certificate list to be used for the missing certificates retrieving by the issuer name.

certificate list for getting missing certificates in chain or CRL response issuer certificates.

Interface for the Online Certificate Status Protocol (OCSP) Client.

Fetch a DER-encoded BasicOCSPResponse from an OCSP responder.

Fetch a DER-encoded BasicOCSPResponse from an OCSP responder. The method should not throw an exception. Note: do not pass in the full DER-encoded OCSPResponse object obtained from the responder, only the DER-encoded BasicOCSPResponse value contained in the response data. Certificate to check. The parent certificate. The URL of the OCSP responder endpoint. If null, implementations can attempt to obtain a URL from the AuthorityInformationAccess extension of the certificate, or from another implementation-specific source. a byte array containing a DER-encoded BasicOCSPResponse structure or null if one could not be obtained RFC 6960 § 4.2.1

Interface for the Online Certificate Status Protocol (OCSP) Client.

Interface for the Online Certificate Status Protocol (OCSP) Client. With a method returning parsed IBasicOCSPResp instead of encoded response.

Gets OCSP response.

Gets OCSP response. If required, can be checked using class. the certificate to check parent certificate to get the verification an OCSP response wrapper

Interface to encode the parameters to a signature algorithm for inclusion in a signature object.

Interface to encode the parameters to a signature algorithm for inclusion in a signature object. See for an example.

Represent the parameters as an for inclusion in a signature object.

an object

default implementation.

Creates instance.

an @{link com.itextpdf.styledxmlparser.resolver.resource.IResourceRetriever} instance to use for performing http requests.

This method tries to rebuild certificate issuer chain.

This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate based on issuer names and public keys. for which issuer chains shall be built all possible issuer chains

This method tries to rebuild certificate issuer chain.

This method tries to rebuild certificate issuer chain. The result contains all possible chains starting with the given certificate array based on issuer names and public keys. array for which issuer chains shall be built all possible issuer chains

Sets a resource retriever for this CA issuer certificates retriever.

Sets a resource retriever for this CA issuer certificates retriever. This method allows you to provide a custom implementation of to be used for fetching CA issuer certificates. By default, is used. the custom resource retriever to be used for fetching CA issuer certificates the current instance of

Gets the resource retriever currently being used in this CA issuer certificates retriever.

resource retriever

Retrieve issuer certificate for the provided certificate.

for which issuer certificate shall be retrieved issuer certificate. if there is no issuer certificate, or it cannot be retrieved.

Retrieves OCSP responder certificate candidates either from the response certs or trusted store in case responder certificate isn't found in /Certs.

basic OCSP response to get responder certificate for retrieved OCSP responder candidates or an empty set in case none were found.

Sets trusted certificate list to be used as certificates trusted for any possible usage.

Sets trusted certificate list to be used as certificates trusted for any possible usage. In case more specific trusted is desired to be configured method is expected to be used. certificate list to be used as certificates trusted for any possible usage.

Add trusted certificates collection to trusted certificates storage.

certificates to be added

Adds certificates collection to known certificates storage, which is used for issuer certificates retrieval.

certificates to be added

Adds certificates collection to known certificates storage, which is used for issuer certificates retrieval.

Adds certificates collection to known certificates storage, which is used for issuer certificates retrieval. Additionally, adds stores the provided origin for all these certificates. certificates to be added from which these certificates come from

Gets certificate origin for provided .

for which origin is requested for the certificate

Gets to be used to provide more complex trusted certificates configuration.

storage

Check if provided certificate is present in trusted certificates storage.

to be checked if certificate is present in trusted certificates storage, otherwise

Get CA issuers certificates represented as .

URI, which is expected to be used to get issuer certificates from. Usually CA Issuers value from Authority Information Access (AIA) certificate extension. CA issuer certificate (or chain) bytes, represented as .

Parses certificates represented as byte array.

stream which contains one or more X509 certificates. a (possibly empty) collection of the certificates read from the given byte array.

Time Stamp Authority client (caller) interface.

Time Stamp Authority client (caller) interface. Interface used by the PdfPKCS7 digital signature builder to call Time Stamp Authority providing RFC 3161 compliant time stamp token.

Get the time stamp estimated token size.

Get the time stamp estimated token size. Implementation must return value large enough to accommodate the entire token returned by prior to actual call. an estimate of the token size

Returns the to digest the data imprint

The object.

Returns RFC 3161 timeStampToken.

byte[] - data imprint to be time-stamped byte[] - encoded, TSA signed data of the timeStampToken

Interface you can implement and pass to TSAClientBouncyCastle in case you want to do something with the information returned

When a timestamp is created using TSAClientBouncyCastle, this method is triggered passing an object that contains info about the timestamp and the time stamping authority.

a ITimeStampTokenInfo object

Class which contains constants to be used in logging inside sign module.

Add verification according to PAdES-LTV (part 4).

What type of verification to include.

Include only OCSP.

Include only CRL.

Include both OCSP and CRL.

Include CRL only if OCSP can't be read.

Options for how many certificates to include.

Include verification just for the signing certificate.

Include verification for the whole chain of certificates.

Include verification for the whole certificates chain, certificates used to create OCSP responses, CRL response certificates and timestamp certificates included in the signatures.

Certificate inclusion in the DSS and VRI dictionaries in the CERT and CERTS keys.

Include certificates in the DSS and VRI dictionaries.

Do not include certificates in the DSS and VRI dictionaries.

Option to determine whether revocation information is required for the signing certificate.

Require revocation information for the signing certificate.

Revocation data for the signing certificate may be optional.

The verification constructor.

The verification constructor. This class should only be created with PdfStamper.getLtvVerification() otherwise the information will not be added to the Pdf. The to apply the validation to.

Sets option to specify the necessity of revocation data.

Sets option to specify the necessity of revocation data. Default value is . value to set this instance.

Sets instance needed to get CRL issuer certificates (using AIA extension).

Sets instance needed to get CRL issuer certificates (using AIA extension). Default value is . instance to set this instance.

Add verification for a particular signature.

the signature to validate (it may be a timestamp) the interface to get the OCSP the interface to get the CRL options as to how many certificates to include the validation options to include certificate inclusion options true if a validation was generated, false otherwise

Adds verification to the signature.

name of the signature collection of DER-encoded BasicOCSPResponses collection of DER-encoded CRLs collection of DER-encoded certificates boolean

Merges the validation with any validation already in the document or creates a new one.

Converts an array of bytes to a String of hexadecimal values

a byte array the same bytes expressed as hexadecimal values

Get the issuing certificate for a child certificate.

the certificate for which we search the parent an array with certificates that contains the parent the parent certificate

Sets the crls byte array.

crls

Retrieves Crls byte array.

crls

Sets the ocsps array.

ocsps

Retrieves ocsps byte array.

ocsps

Sets the certs byte array.

certs

Retrieves cert byte array.

cert

Verifies the signatures in an LTV document.

The Logger instance

Option to specify level of verification; signing certificate only or the entire chain.

Verify root.

A document object for the revision that is being verified.

The fields in the revision that is being verified.

The date the revision was signed, or null for the highest revision.

The signature that covers the revision.

The PdfPKCS7 object for the signature.

Indicates if we're working with the latest revision.

The document security store for the revision that is being verified

The meta info

Creates a VerificationData object for a PdfReader

The document we want to verify.

Sets an extra verifier.

the verifier to set

Sets the certificate option.

Either CertificateOption.SIGNING_CERTIFICATE (default) or CertificateOption.WHOLE_CHAIN

Set the verifyRootCertificate to false if you can't verify the root certificate.

false if you can't verify the root certificate, otherwise true

Sets the that will be used during creation.

meta info to set

Verifies all the document-level timestamps and all the signatures in the document.

a list of objects a list of all objects after verification

Verifies a document level timestamp.

a list of objects

Checks the certificates in a certificate chain: are they valid on a specific date, and do they chain up correctly?

the certificate chain

Verifies certificates against a list of CRLs and OCSP responses.

the signing certificate the issuer's certificate a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Switches to the previous revision.

Gets a list of X509CRL objects from a Document Security Store.

a list of CRLs

Gets OCSP responses from the Document Security Store.

a list of IBasicOCSPResp objects

Initialize object by using provided document.

Initialize object by using provided document. This method reads all the existing signatures and mathematically validates the last one. instance to be verified

Checks if the signature covers the whole document and throws an exception if the document was altered

a PdfPKCS7 object

Represents an event firing before creating signature container.

Creates an event firing before creating the signature container.

unsigned signature attributes byte[] signature value containing document bytes considering byte range

Gets unsigned signature attributes.

unsigned signature attributes

Gets byte[] signature value.

byte[] signature value

Gets containing document bytes considering byte range.

containing document bytes considering byte range

Represents an event firing before embedding the signature into the document.

Creates an event firing before embedding the signature into the document.

Creates an event firing before embedding the signature into the document. It contains the reference to the signature object. to the signature object

Gets to the signature object.

to the signature object

strategy, which should be used specifically in case of signature creation.

strategy, which should be used specifically in case of signature creation. This strategy locates MAC container in signature unsigned attributes.

Class responsible for integrity protection in encrypted documents which uses MAC container in the signature mode.

OcspClient implementation using BouncyCastle.

The Logger instance.

Creates new instance.

Sets a resource retriever for this OCSP client.

Sets a resource retriever for this OCSP client. This method allows you to provide a custom implementation of to be used for fetching OCSP responses. By default, is used. the custom resource retriever to be used for fetching OCSP responses the current instance of

Gets the resource retriever currently being used in this OCSP client.

resource retriever

Generates an OCSP request using BouncyCastle.

certificate of the issues serial number an OCSP request wrapper

Retrieves certificate status from the OCSP response.

encoded basic OCSP response good, revoked or unknown certificate status retrieved from the OCSP response, or null if an error occurs.

Create OCSP request and get the response for this request, represented as .

certificate to get OCSP response for root certificate from which OCSP request will be built link, which is expected to be used to get OCSP response from OCSP response bytes, represented as

Gets an OCSP response object using BouncyCastle.

to certificate to check the parent certificate to get the verification. If it's null it will be taken from the check cert or from other implementation specific source an OCSP response wrapper

Class that allows you to verify a certificate against one or more OCSP responses.

The Logger instance

The list of OCSP response wrappers.

Ocsp client to check OCSP Authorized Responder's revocation data.

Creates an OCSPVerifier instance.

the next verifier in the chain a list of OCSP response wrappers for the certificate verification

Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder).

Sets OCSP client to provide OCSP responses for verifying of the OCSP signer's certificate (an Authorized Responder). Also, should be used in case responder's certificate doesn't have any method of revocation checking. See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder. Optional. Default one is . to provide an Authorized Responder revocation data.

Sets CRL client to provide CRL responses for verifying of the OCSP signer's certificate (an Authorized Responder) that also should be used in case responder's certificate doesn't have any method of revocation checking. See RFC6960 4.2.2.2.1. Revocation Checking of an Authorized Responder. Optional. Default one is . to provide an Authorized Responder revocation data.

Verifies if a valid OCSP response is found for the certificate.

Verifies if a valid OCSP response is found for the certificate. If this method returns false, it doesn't mean the certificate isn't valid. It means we couldn't verify it against any OCSP response that was available. the certificate that needs to be checked issuer of the certificate to be checked the date the certificate needs to be valid a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Verifies a certificate against a single OCSP response.

the OCSP response wrapper for a certificate verification the certificate that needs to be checked the certificate that issued signCert – immediate parent. This certificate is considered trusted and valid by this method. sign date (or the date the certificate needs to be valid) in case check is successful, false otherwise.

Verifies if an OCSP response is genuine.

Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert. the OCSP response wrapper the issuer certificate. This certificate is considered trusted and valid by this method. sign date for backwards compatibility

Checks if an OCSP response is genuine.

the OCSP response wrapper the responder certificate true if the OCSP response verifies against the responder certificate.

Gets an OCSP response online and returns it without further checking.

the signing certificate the issuer certificate an OCSP response wrapper.

Helper class to perform signing operation in two steps.

Helper class to perform signing operation in two steps. Firstly prepares document and placeholder for future signature without actual signing process. Secondly follow-up step signs prepared document with corresponding PAdES Baseline profile.

Create instance of .

Create instance of . Same instance shall not be used for different signing operations, but can be used for both and follow-up signing.

Set to be used for LTV Verification.

Set to be used for LTV Verification. This setter is only relevant if Baseline-LT Profile level or higher is used. If none is set, there will be an attempt to create default OCSP Client instance using the certificate chain. instance to be used for LTV Verification same instance of

Set certificate list to be used by the to retrieve missing certificates.

certificate list for getting missing certificates in chain or CRL response issuer certificates. same instance of .

Set to be used for LTV Verification.

Set to be used for LTV Verification. This setter is only relevant if Baseline-LT Profile level or higher is used. If none is set, there will be an attempt to create default CRL Client instance using the certificate chain. instance to be used for LTV Verification same instance of

Set to be used for timestamp signature creation.

Set to be used for timestamp signature creation. This client has to be set for Baseline-T Profile level and higher. instance to be used for timestamp signature creation. same instance of

Set to be used before main signing operation.

Set to be used before main signing operation. If none is set, instance will be used instead. instance to be used for getting missing certificates in chain or CRL response issuer certificates. same instance of .

Set estimated size of a signature to be applied.

Set estimated size of a signature to be applied. This parameter represents estimated amount of bytes to be preserved for the signature. If none is set, 0 will be used and the required space will be calculated during the signing. amount of bytes to be used as estimated value same instance of

Set temporary directory to be used for temporary files creation.

Set temporary directory to be used for temporary files creation. If none is set, temporary documents will be created in memory. representing relative or absolute path to the directory same instance of

Set the name to be used for timestamp signature creation.

Set the name to be used for timestamp signature creation. This setter is only relevant if or methods are used. If none is set, randomly generated signature name will be used. representing the name of a timestamp signature to be applied same instance of

Set stamping properties to be used during main signing operation.

Set stamping properties to be used during main signing operation. If none is set, stamping properties with append mode enabled will be used instance to be used during main signing operation same instance of

Creates CMS container compliant with PAdES level.

Creates CMS container compliant with PAdES level. Prepares document and placeholder for the future signature without actual signing process. certificates to be added to the CMS container the algorithm to generate the digest with reader instance to read original PDF file output stream to write the resulting PDF file into properties to be used in the signing operations prepared CMS container without signature.

Follow-up step that signs prepared document with PAdES Baseline-B profile.

external signature to do the actual signing reader instance to read prepared document the output PDF the field to sign the finalized CMS container (e.g. created in the first step)

Follow-up step that signs prepared document with PAdES Baseline-T profile.

external signature to do the actual signing reader instance to read prepared document the output PDF the field to sign the finalized CMS container (e.g. created in the first step)

Follow-up step that signs prepared document with PAdES Baseline-LT profile.

external signature to do the actual signing reader instance to read prepared document the output PDF the field to sign the finalized CMS container (e.g. created in the first step)

Follow-up step that signs prepared document with PAdES Baseline-LTA profile.

external signature to do the actual signing reader instance to read prepared document the output PDF the field to sign the finalized CMS container (e.g. created in the first step)

Represents the DSS dictionary.

Creates new instance.

to create new instance from

Returns certificates stored in DSS dictionary.

certificates stored in DSS dictionary

Returns OCSP responses stored in DSS dictionary.

OCSP responses stored in DSS dictionary

Returns CRL responses stored in DSS dictionary.

CRL responses stored in DSS dictionary

This class performs signing with PaDES related profiles using provided parameters.

Create an instance of PdfPadesSigner class.

Create an instance of PdfPadesSigner class. One instance shall be used for one signing operation. instance to read original PDF file output stream to write the resulting PDF file into

Sign the document provided in instance with PaDES Baseline-B Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation

Sign the document provided in instance with PaDES Baseline-B Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation

Sign the document provided in instance with PaDES Baseline-T Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Sign the document provided in instance with PaDES Baseline-T Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Sign the document provided in instance with PaDES Baseline-LT Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Sign the document provided in instance with PaDES Baseline-LT Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Sign the document provided in instance with PaDES Baseline-LTA Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Sign the document provided in instance with PaDES Baseline-LTA Profile.

properties to be used for main signing operation the chain of certificates to be used for signing operation instance to be used for main signing operation instance to be used for timestamp creation

Add revocation information for all the signatures which could be found in the provided document.

Add revocation information for all the signatures which could be found in the provided document. Also add timestamp signature on top of that. TSA Client to be used for timestamp signature creation

Add revocation information for all the signatures which could be found in the provided document.

Set temporary directory to be used for temporary files creation.

Set the name to be used for timestamp signature creation.

Set stamping properties to be used during main signing operation.

Set estimated size of a signature to be applied.

Set to be used for LTV Verification.

Set to be used for main signing operation.

Set to be used for main signing operation. If none is set, instance will be used instead. to be used for main signing operation. same instance of

Set to be used before main signing operation.

Set certificate list to be used by the to retrieve missing certificates.

certificate list for getting missing certificates in chain or CRL response issuer certificates. same instance of .

This class does all the processing related to signing and verifying a PKCS#7 / CMS signature.

Holds value of property signName.

Holds value of property reason.

Holds value of property location.

Holds value of property signDate.

Collection to store revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response.

Assembles all the elements needed to create a signature, except for the data.

the private key the certificate chain the interface digest the hash algorithm the provider or null for the default provider true if the sub-filter is adbe.pkcs7.sha1

Assembles all the elements needed to create a signature, except for the data.

the private key the certificate chain the hash algorithm the provider or null for the default provider true if the sub-filter is adbe.pkcs7.sha1

Use this constructor if you want to verify a signature using the sub-filter adbe.x509.rsa_sha1.

the /Contents key the /Cert key the provider or null for the default provider

Use this constructor if you want to verify a signature.

the /Contents key the filtersubtype the provider or null for the default provider

Get unsigned attributes associated with this PKCS7 signature container.

unsigned attributes as

Set signature policy identifier to be used during signature creation.

to be used during signature creation

Set signature policy identifier to be used during signature creation.

to be used during signature creation

Getter for property sigName.

Value of property sigName.

Setter for property sigName.

New value of property sigName.

Getter for property reason.

Value of property reason.

Setter for property reason.

New value of property reason.

Getter for property location.

Value of property location.

Setter for property location.

New value of property location.

Getter for property signDate.

Value of property signDate.

Setter for property signDate.

New value of property signDate.

Version of the PKCS#7 object

Version of the PKCS#7 "SignerInfo" object.

Get the version of the PKCS#7 object.

the version of the PKCS#7 object.

Get the version of the PKCS#7 "SignerInfo" object.

the version of the PKCS#7 "SignerInfo" object.

The ID of the digest algorithm, e.g. "2.16.840.1.101.3.4.2.1".

The object that will create the digest

The digest algorithms

The digest attributes

The signature algorithm.

Getter for the ID of the digest algorithm, e.g. "2.16.840.1.101.3.4.2.1".

Getter for the ID of the digest algorithm, e.g. "2.16.840.1.101.3.4.2.1". See ISO-32000-1, section 12.8.3.3 PKCS#7 Signatures as used in ISO 32000 the ID of the digest algorithm

Returns the name of the digest algorithm, e.g. "SHA256".

the digest algorithm name, e.g. "SHA256"

Getter for the signature algorithm OID.

Getter for the signature algorithm OID. See ISO-32000-1, section 12.8.3.3 PKCS#7 Signatures as used in ISO 32000 the signature algorithm OID

Get the signature mechanism identifier, including both the digest function and the signature algorithm, e.g. "SHA1withRSA".

Get the signature mechanism identifier, including both the digest function and the signature algorithm, e.g. "SHA1withRSA". See ISO-32000-1, section 12.8.3.3 PKCS#7 Signatures as used in ISO 32000 the algorithm used to calculate the signature

Returns the name of the signature algorithm only (disregarding the digest function, if any).

the name of an encryption algorithm

The signature value or signed digest, if created outside this class

Externally specified encapsulated message content.

Sets the signature to an externally calculated value.

the signature value the extra data that goes into the data tag in PKCS#7 the signature algorithm. It must be null if the signatureValue is also null. If the signatureValue is not null, possible values include "RSA", "DSA", "ECDSA", "Ed25519" and "Ed448".

Sets the signature to an externally calculated value.

Class from the Java SDK that provides the functionality of a digital signature algorithm.

The raw signature value as calculated by this class (or extracted from an existing PDF)

The content to which the signature applies, if encapsulated in the PKCS #7 payload.

Update the digest with the specified bytes.

Update the digest with the specified bytes. This method is used both for signing and verifying the data buffer the offset in the data buffer the data length

Gets the bytes for the PKCS#1 object.

a byte array

Gets the bytes for the PKCS7SignedData object.

the bytes for the PKCS7SignedData object

Gets the bytes for the PKCS7SignedData object.

Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set. If either of the parameters is null, none will be used. the digest in the authenticatedAttributes the bytes for the PKCS7SignedData object

Gets the bytes for the PKCS7SignedData object.

Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes in the signerInfo can also be set, and/or a time-stamp-authority client may be provided. the digest in the authenticatedAttributes specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES TSAClient - null or an optional time stamp authority client collection of DER-encoded BasicOCSPResponses for the certificate in the signature certificates chain, or null if OCSP revocation data is not to be added. collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added. byte[] the bytes for the PKCS7SignedData object RFC 6960 § 4.2.1

Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).

Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007 to start with the timeStampToken (signedData 1.2.840.113549.1.7.2). Token is the TSA response without response status, which is usually handled by the (vendor supplied) TSA request/response interface). byte[] - time stamp token, DER encoded signedData

When using authenticatedAttributes the authentication process is different.

When using authenticatedAttributes the authentication process is different. The document digest is generated and put inside the attribute. The signing is done over the DER encoded authenticatedAttributes. This method provides that encoding and the parameters must be exactly the same as in . Note: do not pass in the full DER-encoded OCSPResponse object obtained from the responder, only the DER-encoded IBasicOCSPResponse value contained in the response data. A simple example:

            Calendar cal = Calendar.getInstance();
            PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);
            MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
            byte[] buf = new byte[8192];
            int n;
            InputStream inp = sap.getRangeStream();
            while ((n = inp.read(buf)) > 0) {
            messageDigest.update(buf, 0, n);
            }
            byte[] hash = messageDigest.digest();
            byte[] sh = pk7.getAuthenticatedAttributeBytes(hash, cal);
            pk7.update(sh, 0, sh.length);
            byte[] sg = pk7.getEncodedPKCS7(hash, cal);

the content digest specifies the PKCS7 standard flavor to which created PKCS7SignedData object will adhere: either basic CMS or CAdES collection of DER-encoded BasicOCSPResponses for the certificate in the signature certificates chain, or null if OCSP revocation data is not to be added. collection of DER-encoded CRL for certificates from the signature certificates chain, or null if CRL revocation data is not to be added. the byte array representation of the authenticatedAttributes ready to be signed RFC 6960 § 4.2.1

This method provides that encoding and the parameters must be exactly the same as in .

the content digest the byte array representation of the authenticatedAttributes ready to be signed

Signature attributes

Signature attributes (maybe not necessary, but we use it as fallback)

encrypted digest

Indicates if a signature has already been verified

The result of the verification

Verifies that signature integrity is intact (or in other words that signed data wasn't modified) by checking that embedded data digest corresponds to the calculated one.

Verifies that signature integrity is intact (or in other words that signed data wasn't modified) by checking that embedded data digest corresponds to the calculated one. Also ensures that signature is genuine and is created by the owner of private key that corresponds to the declared public certificate. Even though signature can be authentic and signed data integrity can be intact, one shall also always check that signed data is not only a part of PDF contents but is actually a complete PDF file. In order to check that given signature covers the current please use method. true if the signature checks out, false otherwise

Checks if the timestamp refers to this document.

true if it checks false otherwise

All the X.509 certificates in no particular order.

All the X.509 certificates used for the main signature.

The X.509 certificate that is used to sign the digest.

Get all the X.509 certificates associated with this PKCS#7 object in no particular order.

Get all the X.509 certificates associated with this PKCS#7 object in no particular order. Other certificates, from OCSP for example, will also be included. the X.509 certificates associated with this PKCS#7 object

Get all X.509 certificates associated with this PKCS#7 object timestamp in no particular order.

Certificate[] array

Get the X.509 sign certificate chain associated with this PKCS#7 object.

Get the X.509 sign certificate chain associated with this PKCS#7 object. Only the certificates used for the main signature will be returned, with the signing certificate first. the X.509 certificates associated with this PKCS#7 object

Get the X.509 certificate actually used to sign the digest.

the X.509 certificate actually used to sign the digest

Helper method that creates the collection of certificates used for the main signature based on the complete list of certificates and the sign certificate.

Get the X.509 certificate revocation lists associated with this PKCS#7 object (stored in Signer Info).

the X.509 certificate revocation lists associated with this PKCS#7 object.

Get the X.509 certificate revocation lists associated with this PKCS#7 Signed Data object.

the X.509 certificate revocation lists associated with this PKCS#7 Signed Data object.

Helper method that tries to construct the CRLs.

BouncyCastle IBasicOCSPResponse

Gets the OCSP basic response collection retrieved from SignedData structure.

the OCSP basic response collection.

Gets the OCSP basic response from the SignerInfo if there is one.

the OCSP basic response or null.

Checks if OCSP revocation refers to the document signing certificate.

true if it checks, false otherwise

Helper method that creates the IBasicOCSPResp object.

wrapper

True if there's a PAdES LTV time stamp.

True if it's a CAdES signature type.

Inner timestamp signature container.

BouncyCastle TSTInfo.

Check if it's a PAdES-LTV time stamp.

true if it's a PAdES-LTV time stamp, false otherwise

Retrieves inner timestamp signature container if there is one.

timestamp signature container or null.

Gets the timestamp token info if there is one.

the timestamp token info or null

Gets the timestamp date.

Gets the timestamp date. In case the signed document doesn't contain timestamp, will be returned. the timestamp date

Getter for the filter subtype.

the filter subtype

Represents the signature dictionary.

Creates new PdfSignature.

PdfName of the signature handler to use when validating this signature PdfName that describes the encoding of the signature

Creates new instance from the provided .

to create new instance from

A name that describes the encoding of the signature value and key information in the signature dictionary.

a which usually has a value either or .

The type of PDF object that the wrapped dictionary describes; if present, shall be for a signature dictionary or for a timestamp signature dictionary.

The type of PDF object that the wrapped dictionary describes; if present, shall be for a signature dictionary or for a timestamp signature dictionary. Shall be not null if it's value is . The default value is: . a that identifies type of the wrapped dictionary, returns null if it is not explicitly specified.

Sets the /ByteRange.

an array of pairs of integers that specifies the byte range used in the digest calculation. A pair consists of the starting byte offset and the length

Gets the /ByteRange.

an array of pairs of integers that specifies the byte range used in the digest calculation. A pair consists of the starting byte offset and the length.

Sets the /Contents value to the specified byte[].

a byte[] representing the digest

Gets the /Contents entry value.

Gets the /Contents entry value. See ISO 32000-1 12.8.1, Table 252 – Entries in a signature dictionary. the signature content

Sets the /Cert value of this signature.

the byte[] representing the certificate chain

Gets the /Cert entry value of this signature.

Gets the /Cert entry value of this signature. See ISO 32000-1 12.8.1, Table 252 – Entries in a signature dictionary. the signature cert

Gets the /Cert entry value of this signature.

Gets the /Cert entry value of this signature. /Cert entry required when SubFilter is adbe.x509.rsa_sha1. May be array or byte string. the signature cert value

Sets the /Name of the person signing the document.

name of the person signing the document

gets the /Name of the person signing the document.

name of the person signing the document.

Sets the /M value.

Sets the /M value. Should only be used if the time of signing is not available in the signature. time of signing

Gets the /M value.

Gets the /M value. Should only be used if the time of signing is not available in the signature. which denotes time of signing.

Sets the /Location value.

physical location of signing

Gets the /Location entry value.

physical location of signing.

Sets the /Reason value.

reason for signing

Gets the /Reason value.

reason for signing

Sets the signature creator name in the dictionary.

name of the signature creator

Sets the /ContactInfo value.

information to contact the person who signed this document

Add new key-value pair to the signature dictionary.

to be added as a key to be added as a value the same instance

Gets the instance if it exists, if not it adds a new one and returns this.

A dictionary that stores the name of the application that signs the PDF.

Creates a new PdfSignatureApp

Creates a new PdfSignatureApp.

PdfDictionary containing initial values

Sets the signature created property in the Prop_Build dictionary's App dictionary.

String name of the application creating the signature

Dictionary that stores signature build properties.

Creates new PdfSignatureBuildProperties.

Creates new PdfSignatureBuildProperties with preset values.

PdfDictionary containing preset values

Sets the signatureCreator property in the underlying dictionary.

the signature creator's name to be set

Gets the from this dictionary.

Gets the from this dictionary. If it does not exist, it adds a new and returns this instance.

Takes care of the cryptographic options and appearances that form a signature.

Enum containing the Cryptographic Standards.

Enum containing the Cryptographic Standards. Possible values are "CMS" and "CADES".

Cryptographic Message Syntax.

CMS Advanced Electronic Signatures.

The file right before the signature is added (can be null).

The bytes of the file right before the signature is added (if raf is null).

Array containing the byte positions of the bytes that need to be hashed.

The PdfDocument.

The crypto dictionary.

Holds value of property signatureEvent.

OutputStream for the bytes of the document.

Outputstream that temporarily holds the output in memory.

Tempfile to hold the output temporarily.

Name and content of keys that can only be added in the close() method.

Indicates if the pdf document has already been pre-closed.

Boolean to check if this PdfSigner instance has been closed already or not.

AcroForm for the PdfDocument.

The name of the signer extracted from the signing certificate.

Properties to be used in signing operations.

Creates a PdfSigner instance.

Creates a PdfSigner instance. Uses a instead of a temporary file. PdfReader that reads the PDF file OutputStream to write the signed PDF file for the signing document. Note that encryption will be preserved regardless of what is set in properties.

Creates a PdfSigner instance.

Creates a PdfSigner instance. Uses a instead of a temporary file. PdfReader that reads the PDF file OutputStream to write the signed PDF file File to which the output is temporarily written for the signing document. Note that encryption will be preserved regardless of what is set in properties. bundled properties to be used in signing operations.

Creates a PdfSigner instance.

Initialize new instance by using provided parameters.

to be used as a reader in the new document to be used as a writer in the new document to be provided in the new document new instance

Sets the properties to be used in signing operations.

the signer properties this instance to support fluent interface

Gets the properties to be used in signing operations.

the signer properties

Returns the user made signature dictionary.

Returns the user made signature dictionary. This is the dictionary at the /V key of the signature field. the user made signature dictionary

Getter for property signatureEvent.

value of property signatureEvent

Sets the signature event to allow modification of the signature dictionary.

the signature event

Gets a new signature field name that doesn't clash with any existing name.

A new signature field name.

Gets the PdfDocument associated with this instance.

the PdfDocument associated with this instance

Sets the PdfDocument.

The PdfDocument

Setter for the OutputStream.

OutputStream for the bytes of the document

Gets the signature field to be signed.

Gets the signature field to be signed. The field can already be presented in the document. If the field is not presented in the document, it will be created. This field instance is expected to be used for setting appearance related properties such as , and . Note that for the new signature field and should be called before this method. the instance

Signs the document using the detached mode, CMS or CAdES equivalent.

Signs the document using the detached mode, CMS or CAdES equivalent.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the interface providing the actual signing the certificate chain the CRL list the OCSP client the Timestamp client an implementation that provides the digest the reserved size for the signature. It will be estimated if 0 Either Signature.CMS or Signature.CADES

Signs the document using the detached mode, CMS or CAdES equivalent.

Signs the document using the detached mode, CMS or CAdES equivalent.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the interface providing the actual signing the certificate chain the CRL list the OCSP client the Timestamp client the reserved size for the signature. It will be estimated if 0 Either Signature.CMS or Signature.CADES

Signs the document using the detached mode, CMS or CAdES equivalent.

Signs the document using the detached mode, CMS or CAdES equivalent.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the interface providing the actual signing the certificate chain the CRL list the OCSP client the Timestamp client the reserved size for the signature. It will be estimated if 0 Either Signature.CMS or Signature.CADES the signature policy (for EPES signatures)

Signs the document using the detached mode, CMS or CAdES equivalent.

Signs the document using the detached mode, CMS or CAdES equivalent.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the interface providing the actual signing the certificate chain the CRL list the OCSP client the Timestamp client the reserved size for the signature. It will be estimated if 0 Either Signature.CMS or Signature.CADES the signature policy (for EPES signatures)

Signs the document using the detached mode, CMS or CAdES equivalent.

Sign the document using an external container, usually a PKCS7.

Sign the document using an external container, usually a PKCS7. The signature is fully composed externally, iText will just put the container inside the document.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the interface providing the actual signing the reserved size for the signature

Signs a document with a PAdES-LTV Timestamp.

Signs a document with a PAdES-LTV Timestamp. The document is closed at the end.

NOTE: This method closes the underlying pdf document. This means, that current instance of PdfSigner cannot be used after this method call. the timestamp generator the signature name or null to have a name generated automatically

Signs a PDF where space was already reserved.

the original PDF the field to sign. It must be the last field the output PDF the signature container doing the actual signing. Only the method ExternalSignatureContainer.sign is used

Signs a PDF where space was already reserved.

that reads the PDF file the field to sign. It must be the last field the output PDF the signature container doing the actual signing. Only the method ExternalSignatureContainer.sign is used

Processes a CRL list.

a Certificate if one of the CrlList implementations needs to retrieve the CRL URL from it. a list of CrlClient implementations a collection of CRL bytes that can be embedded in a PDF

Add developer extension to the current .

to be added

Checks if the document is in the process of closing.

true if the document is in the process of closing, false otherwise

This is the first method to be called when using external signatures.

This is the first method to be called when using external signatures. The general sequence is: preClose(), getDocumentBytes() and close(). exclusionSizes must contain at least the PdfName.CONTENTS key with the size that it will take in the document. Note that due to the hex string coding this size should be byte_size*2+2. Map with names and sizes to be excluded in the signature calculation. The key is a PdfName and the value an Integer. At least the /Contents must be present

Returns final signature appearance object set by and customized using properties such as signing date, reason, location and signer name in case they weren't specified by the user, or, if none was set, returns a new one with default appearance. To customize the appearance of the signature, create new object and set it using . Note that in case you create new signature field (either use with the name that doesn't exist in the document or don't specify it at all) then the signature is invisible by default. It is possible to set other appearance related properties such as , (n0 layer) and (n2 layer) for the signature field using . Page, rectangle and other properties could be set up via . object representing signature appearance

Populates already existing signature form field in the acroForm object.

Populates already existing signature form field in the acroForm object. This method is called during the method if the signature field already exists. object in which the signature field will be populated signature field lock dictionary

Creates new signature form field and adds it to the acroForm object.

Creates new signature form field and adds it to the acroForm object. This method is called during the method if the signature field doesn't exist. object in which new signature field will be added the name of the field signature field lock dictionary

Gets the document bytes that are hashable when using external signatures.

Gets the document bytes that are hashable when using external signatures. The general sequence is: , and . the of bytes to be signed

This is the last method to be called when using external signatures.

This is the last method to be called when using external signatures. The general sequence is: preClose(), getDocumentBytes() and close(). update is a PdfDictionary that must have exactly the same keys as the ones provided in . a PdfDictionary with the key/value that will fill the holes defined in

Returns the underlying source.

the underlying source

Adds keys to the signature dictionary that define the certification level and the permissions.

Adds keys to the signature dictionary that define the certification level and the permissions. This method is only used for Certifying signatures. the signature dictionary

Adds keys to the signature dictionary that define the field permissions.

Adds keys to the signature dictionary that define the field permissions. This method is only used for signatures that lock fields. the signature dictionary the instance specified the field lock to be set

Check if current document instance already contains certification or approval signatures.

if document contains certification or approval signatures, otherwise

Get the rectangle associated to the provided widget.

PdfWidgetAnnotation to extract the rectangle from Rectangle

Get the page number associated to the provided widget.

PdfWidgetAnnotation from which to extract the page number page number

Applies for provided signature field.

the form field to which the accessibility properties should be applied the form field layout element with accessibility properties the document to which the form field belongs

An interface to retrieve the signature dictionary for modification.

Allows modification of the signature dictionary.

The signature dictionary

Class that prepares document and adds the signature to it while performing signing operation in two steps (see for more info).

Class that prepares document and adds the signature to it while performing signing operation in two steps (see for more info). Firstly, this class allows to prepare the document for signing and calculate the document digest to sign. Secondly, it adds an existing signature to a PDF where space was already reserved.

Creates new instance.

instance to read the original PDF file output stream to write the resulting PDF file into

Prepares document for signing, calculates the document digest to sign and closes the document.

properties to be used for main signing operation the algorithm to generate the digest with PdfName of the signature handler to use when validating this signature PdfName that describes the encoding of the signature the estimated size of the signature, this is the size of the space reserved for the Cryptographic Message Container specifies if the signing date should be set to the signature dictionary the message digest of the prepared document.

Adds an existing signature to a PDF where space was already reserved.

the original PDF the field to sign. It must be the last field the output PDF the finalized CMS container

Adds an existing signature to a PDF where space was already reserved.

that reads the PDF file the field to sign. It must be the last field the output PDF the finalized CMS container

Adds an existing signature to a PDF where space was already reserved.

the original PDF the field to sign. It must be the last field the output PDF the bytes for the signed data

Adds an existing signature to a PDF where space was already reserved.

that reads the PDF file the field to sign. It must be the last field the output PDF the bytes for the signed data

Use the external digest to inject specific digest implementations

the IExternalDigest instance to use to generate Digests same instance of

Set stamping properties to be used during main signing operation.

Implementation class for .

Implementation class for . This external signature container is implemented based on PCS7 standard and class.

Creates an instance of PKCS7ExternalSignatureContainer

The private key to sign with The certificate chain The hash algorithm to use

Set the OcspClient if you want revocation data collected trough Ocsp to be added to the signature

the client to be used

Set the CrlClient if you want revocation data collected trough Crl to be added to the signature

the client to be used

Set the TsaClient if you want a TSA timestamp added to the signature

the client to use

Set the signature policy if you want it to be added to the signature

the signature to be set.

Set a custom signature type, default value

the type of signature to be created

Implementation of the interface that can be used when you have a object.

The private key object.

The hash algorithm.

The encryption algorithm (obtained from the private key)

The algorithm parameters.

Creates a instance.

A object. A hash algorithm (e.g. "SHA-1", "SHA-256",...). A security provider (e.g. "BC").

Creates a instance.

A object. A hash algorithm (e.g. "SHA-1", "SHA-256",...). A signiture algorithm (e.g. "RSASSA-PSS", "id-signedData", "sha256WithRSAEncryption", ...) A security provider (e.g. "BC"). Parameters for using RSASSA-PSS or other algorithms requiring them.

Verifies a certificate against a KeyStore containing trusted anchors.

A key store against which certificates can be verified.

Creates a RootStoreVerifier in a chain of verifiers.

the next verifier in the chain

Sets the Key Store against which a certificate can be checked.

a root store

Verifies a single certificate against a key store (if present).

the certificate to verify the issuer certificate the date the certificate needs to be valid a list of VerificationOK objects. The list will be empty if the certificate couldn't be verified.

Encode the signer's parameters for producing an RSASSA-PSS signature.

Encode the signer's parameters for producing an RSASSA-PSS signature. Note that this class is intended for use in the signing process only, so it does not need to be able to represent all possible parameter configurations; only the ones we consider reasonable. For the purposes of this class, the mask generation function is always MGF1, and the associated digest function is the same as the digest function used in the signing process.

Default value of the trailer field parameter.

Instantiate RSASSA-PSS parameters with MGF1 for a given digest algorithm OID, salt length and trailer field value.

the digest algorithm OID that will be used for both the digest and MGF the salt length the trailer field

Instantiate RSASSA-PSS parameters with MGF1 for the given algorithm name.

the name of the digest algorithm

Class that contains OID mappings to extract a signature algorithm name from a signature mechanism OID, and conversely, to retrieve the appropriate signature mechanism OID given a signature algorithm and a digest function.

Maps IDs of signature algorithms with its human-readable name.

Attempt to look up the most specific OID for a given signature-digest combination.

the name of the signature algorithm the name of the digest algorithm, if any an OID string, or if none was found.

Gets the algorithm name for a certain id.

an id (for instance "1.2.840.113549.1.1.1") an algorithm name (for instance "RSA")

Get the signing mechanism name for a certain id and digest.

an id of an algorithm digest of an algorithm name of the mechanism

A helper class that tells you more about the type of signature (certification or approval) and the signature's DMP settings.

Class that contains a field lock action and an array of the fields that are involved.

Can be /All, /Exclude or /Include

An array of PdfString values with fieldnames

Creates a FieldLock instance.

indicates the set of fields that should be locked an array of text strings containing field names

Getter for the field lock action.

the action of field lock dictionary

Getter for the fields involved in the lock action.

the fields of field lock dictionary

toString method

Is the signature a cerification signature (true) or an approval signature (false)?

Is form filling allowed by this signature?

Is adding annotations allowed by this signature?

Does this signature lock specific fields?

Creates an object that can inform you about the type of signature in a signature dictionary as well as some of the permissions defined by the signature.

the signature dictionary the signature permissions

Getter to find out if the signature is a certification signature.

true if the signature is a certification signature, false for an approval signature.

Getter to find out if filling out fields is allowed after signing.

true if filling out fields is allowed

Getter to find out if adding annotations is allowed after signing.

true if adding annotations is allowed

Getter for the field lock actions, and fields that are impacted by the action

an Array with field names

Class that encapsulates the signature policy information

Class that encapsulates the signature policy information Sample: SignaturePolicyInfo spi = new SignaturePolicyInfo("2.16.724.1.3.1.1.2.1.9", "G7roucf600+f03r/o0bAOQ6WAs0=", "SHA-1", "https://sede.060.gob.es/politica_de_firma_anexo_1.pdf");

Constructs a new instance

the id of the signature policy the hash of the signature policy the digestion algorithm of the signature policy the uri of the full policy description

Constructs a new instance

the id of the signature policy the Base64 presentation of the hash of the signature policy the digestion algorithm of the signature policy the uri of the full policy description

Get the ID of the signature policy.

the ID of the signature policy

Get the hash of the signature policy.

the hash of the signature policy

Get the digestion algorithm of the signature policy.

the digestion algorithm of the signature policy

Get the uri of the full policy description.

the uri of the full policy description

Utility class that provides several convenience methods concerning digital signatures.

Creates a SignatureUtil instance.

Creates a SignatureUtil instance. Sets the acroForm field to the acroForm in the PdfDocument. iText will create a new AcroForm if the PdfDocument doesn't contain one. PdfDocument to be inspected

Prepares an instance for the given signature.

Prepares an instance for the given signature. This method handles signature parsing and might throw an exception if signature is malformed. The returned can be used to fetch additional info about the signature and also to perform integrity check of data signed by the given signature field. Prepared instance calculates digest based on signature's /ByteRange entry. In order to check that /ByteRange is properly defined and given signature indeed covers the current PDF document revision please use method. the signature field name a instance which can be used to fetch additional info about the signature and also to perform integrity check of data signed by the given signature field.

Get dictionary based on the provided name.

signature name instance corresponding to the provided name. otherwise

Gets the signature dictionary, the one keyed by /V.

the field name the signature dictionary keyed by /V or null if the field is not a signature

Gets the field names that have signatures and are signed.

List containing the field names that have signatures and are signed

Gets the field names that have blank signatures.

List containing the field names that have blank signatures

Get the amount of signed document revisions.

int amount of signed document revisions

Get signed document revision number, which corresponds to the provided signature name.

signature name int revision number

Get field name, translated using XFA, if any present in the document.

field name to be translated translated field name if XFA is present, original name otherwise

Extracts a revision from the document.

the signature field name an InputStream covering the revision. Returns null if it's not a signature field

Checks if the signature covers the entire document (except for signature's Contents) or just a part of it.

Checks if the signature covers the entire document (except for signature's Contents) or just a part of it. If this method does not return it means that signature in question does not cover the entire contents of current . Such signatures cannot be considered as verifying the PDF document, because content that is not covered by signature might have been modified since the signature creation. the signature field name true if the signature covers the entire document, false if it doesn't

Checks whether a name exists as a signature field or not.

Checks whether a name exists as a signature field or not. It checks both signed fields and blank signatures. name of the field boolean does the signature field exist

Properties to be used in signing operations.

This string could be used to create the instance which will be used for signing since its ID will be ignored anyway in that case, and specified ID won't override the field name.

Create instance of .

Gets the signature date.

calendar set to the signature date

Sets the signature date.

the signature date this instance to support fluent interface

Sets the signature field layout element to customize the appearance of the signature.

Sets the signature field layout element to customize the appearance of the signature. ID specified for will be ignored and won't override field name, so could be used. To specify signature name use . Note that if was set as the content (or part of the content) for object, properties such as signing date, reason, location and signer name could be set automatically. In case you create new signature field (either using with the name that doesn't exist in the document or do not specifying it at all) then the signature is invisible by default. Use and to provide the rectangle that represent the position and dimension of the signature field in the specified page. It is possible to set other appearance related properties such as , (n0 layer) and (n2 layer) for the signature field using . Page, rectangle and other properties could be also set up via . the layout element representing signature appearance this instance to support fluent interface

Gets signature field appearance object representing the appearance of the signature.

Gets signature field appearance object representing the appearance of the signature. To customize the signature appearance, create new object and set it using . object representing signature appearance

Returns the document's certification level.

Returns the document's certification level. For possible values see . enum which specifies which certification level shall be used

Sets the document's certification level.

enum which specifies which certification level shall be used this instance to support fluent interface

Gets the field name.

the field name

Sets the name indicating the field to be signed.

Sets the name indicating the field to be signed. The field can already be presented in the document but shall not be signed. If the field is not presented in the document, it will be created. Note that ID specified for set by will be ignored and won't override the field name. the name indicating the field to be signed this instance to support fluent interface

Provides the page number of the signature field which this signature appearance is associated with.

the page number of the signature field which this signature appearance is associated with

Sets the page number of the signature field which this signature appearance is associated with.

the page number of the signature field which this signature appearance is associated with this instance to support fluent interface

Provides the rectangle that represent the position and dimension of the signature field in the page.

the rectangle that represent the position and dimension of the signature field in the page

Sets the rectangle that represent the position and dimension of the signature field in the page.

the rectangle that represents the position and dimension of the signature field in the page this instance to support fluent interface

Getter for the field lock dictionary.

field lock dictionary

Setter for the field lock dictionary.

Setter for the field lock dictionary. Be aware: if a signature is created on an existing signature field, then its /Lock dictionary takes the precedence (if it exists). field lock dictionary this instance to support fluent interface

Returns the signature creator.

the signature creator

Sets the name of the application used to create the signature.

A new name of the application signing a document. this instance to support fluent interface.

Returns the signing contact.

the signing contact

Sets the signing contact.

a new signing contact this instance to support fluent interface

Returns the signing reason.

the signing reason

Sets the signing reason.

a new signing reason this instance to support fluent interface

Returns the signing location.

the signing location

Sets the signing location.

a new signing location this instance to support fluent interface

Helper class for JSON AST serialization/deserialization.

Serializes object to JSON AST.

object to serialize serialized certificate as JSON AST

Deserializes JSON AST object into certificate.

JSON AST to deserialize deserialized certificate

Serializes object to JSON AST.

to serialize serialized as JSON AST

Deserializes JSON AST object in .

to create from deserialized

Parses a CRL from an input Stream.

The input Stream holding the unparsed CRL. The parsed CRL object.

Timestamp constants util class for internal usage only.

The timestamp which is returned in case the signed document doesn't contain timestamp.

The timestamp which is returned in case the signed document doesn't contain timestamp. The constant's value is different in Java and .NET.

Time Stamp Authority Client interface implementation using Bouncy Castle org.bouncycastle.tsp package.

Time Stamp Authority Client interface implementation using Bouncy Castle org.bouncycastle.tsp package. Created by Aiken Sam, 2006-11-15, refactored by Martin Brunecky, 07/15/2007 for ease of subclassing.

The default value for the hash algorithm

The default value for token size estimation.

The Logger instance.

URL of the Time Stamp Authority

TSA Username

TSA password

An interface that allows you to inspect the timestamp info.

Estimate of the received time stamp token

Hash algorithm

TSA request policy

Creates an instance of a TSAClient that will use BouncyCastle.

String - Time Stamp Authority URL (i.e. "http://tsatest1.digistamp.com/TSA")

Creates an instance of a TSAClient that will use BouncyCastle.

String - Time Stamp Authority URL (i.e. "http://tsatest1.digistamp.com/TSA") String - user(account) name String - password

Constructor.

Constructor. Note the token size estimate is updated by each call, as the token size is not likely to change (as long as we call the same TSA using the same imprint length). Time Stamp Authority URL (i.e. "http://tsatest1.digistamp.com/TSA") user(account) name, optional password, optional if used in combination with username, the credentials will be used in basic authentication. Use only in combination with a https url to ensure encryption estimated size of received time stamp token (DER encoded) is a hash algorithm the tsaInfo to set

Get the token size estimate.

Get the token size estimate. Returned value reflects the result of the last succesfull call, padded an estimate of the token size

Gets the TSA request policy that will be used when retrieving timestamp token.

policy id, or null if not set

Sets the TSA request policy that will be used when retrieving timestamp token.

policy id

Gets the MessageDigest to digest the data imprint

the digest algorithm name

Get RFC 3161 timeStampToken.

Get RFC 3161 timeStampToken. Method may return null indicating that timestamp should be skipped. data imprint to be time-stamped encoded, TSA signed data of the timeStampToken

Get timestamp token - communications layer

is a byte representation of TSA request - byte[] - TSA response, raw bytes (RFC 3161 encoded)

Validator class, which is expected to be used for certificates chain validation.

Create new instance of .

See

Validate given certificate using provided validation date and required extensions.

the validation context in which to validate the certificate chain to be validated against which certificate is expected to be validated. Usually signing date which contains detailed validation results.

Validate given certificate using provided validation date and required extensions.

Validate given certificate using provided validation date and required extensions. Result is added into provided report. which is populated with detailed validation results the context in which to perform the validation to be validated against which certificate is expected to be validated. Usually signing date which contains both provided and new validation results.

Validates name constraint extension for complete certificate chain.

which is populated with detailed validation results of , which represent a complete chain, without a trusted root. List starts with a signing certificate. trusted root of this chain

This enum lists all possible contexts related to the certificate origin in which a validation may take place

The context while validating a CRL issuer certificate.

The context while validating a OCSP issuer certificate that is neither trusted nor CA.

The context while validating a certificate issuer certificate.

The context while validating a signer certificate.

A certificate that is on a trusted list.

The context while validating a timestamp issuer certificate.

A certificate, which is used to sign List of Trusted Lists.

Container class, which contains set of single values.

Creates container from several values.

an element that the set is to contain initially the remaining elements the set is to contain container, containing provided elements

Creates containing all values.

container containing all values

Creates containing all the elements of this type that are not contained in the specified set.

another from whose complement to initialize this container the complement of the specified .

Gets encapsulated containing elements.

encapsulated containing elements

This enum is used for giving a perspective on a time period at which validation is happening.

The date used lies in the past.

The date used lies in the present or there is no date.

Container class, which contains set of single values.

Creates container from several values.

an element that the set is to contain initially the remaining elements the set is to contain container, containing provided elements

Creates containing all values.

container containing all values

Creates containing all the elements of this type that are not contained in the specified set.

another from whose complement to initialize this container the complement of the specified .

Gets encapsulated containing elements.

encapsulated containing elements

Validation context class, which encapsulates specific context values, related to validation process.

Create instance using provided context values.

value value value

Get previous validation context instance, from which this instance was created.

previous instance

Get specific certificate source context value.

context value

Create new instance with the provided certificate source context value.

value new instance

Get specific time-based context value.

context value

Create new instance with the provided certificate source context value.

value new instance

Get specific validator context value.

context value

Create new instance with the provided certificate source context value.

value new instance

Check if validation contexts chain contains specific value.

instance to start the check from value to check if validation contexts chain contains provided certificate source, otherwise

Return string representation of this .

Return string representation of this . Previous validation context is not a part of this representation. a string representation of the

Check if the provided object is equal to this one.

Check if the provided object is equal to this one. Previous validation context field is not taken into account during this comparison. the reference object with which to compare if provided object is equal to this one, otherwise

Return a hash code value for this validation context.

Return a hash code value for this validation context. Previous validation context field is not taken into account during hash code calculation. a hash code value for this validation context

This enum lists all possible contexts related to the validator in which the validation is taking place.

This value is expected to be used in context.

This value is expected to be used in XmlSignatureValidator context.

Container class, which contains set of single values.

Creates container from several values.

an element that the set is to contain initially the remaining elements the set is to contain container, containing provided elements

Creates containing all values.

container containing all values

Creates containing all the elements of this type that are not contained in the specified set.

another from whose complement to initialize this container the complement of the specified .

Gets encapsulated containing elements.

encapsulated containing elements

Class that allows you to validate a certificate against a Certificate Revocation List (CRL) Response.

Creates new instance.

See

Validates a certificate against Certificate Revocation List (CRL) Responses.

to store all the chain verification results the context in which to perform the validation the certificate to check against CRL response the crl response to be validated validation date to check for trusted date at which response is generated

Enum representing an origin from where certificates come from.

Latest DSS dictionary in a PDF document.

DSS dictionary, corresponding to previous PDF document revisions.

Signature CMS container.

OCSP response object.

Other possible sources.

Enum representing an origin from where the revocation data comes from.

Latest DSS dictionary in a PDF document.

DSS dictionary, corresponding to previous PDF document revisions.

Signature CMS container.

Other possible sources.

Utility class for comparing PDF objects, used in .

Validator, which is responsible for document revisions validation according to doc-MDP and field-MDP rules.

Creates new instance of .

See

Sets the that will be used during new creations.

meta info to set the same instance.

Set access permissions to be used during docMDP validation.

Set access permissions to be used during docMDP validation. If value is provided, access permission related signature parameters will be ignored during the validation. docMDP validation level the same instance.

Set the status to be used for the report items produced during docMDP validation in case revision contains unexpected changes in the XREF table.

Set the status to be used for the report items produced during docMDP validation in case revision contains unexpected changes in the XREF table. Default value is . to be used in case of unexpected changes in the XREF table the same instance.

Validate all document revisions according to docMDP and fieldMDP transform methods.

the validation context in which to validate document revisions the document to be validated which contains detailed validation results.

Validate all document revisions according to docMDP and fieldMDP transform methods and collect validation report related to the single signature field checks if specified.

the validation context in which to validate document revisions the document to be validated signature field to collect validation result for. If null, all signatures will be checked which contains detailed validation results.

DocMDP level >= 2 allows setting values of the fields and accordingly update the widget appearances of them.

DocMDP level >= 2 allows setting values of the fields and accordingly update the widget appearances of them. But you cannot change the form structure, so it is not allowed to add, remove or rename fields, change most of their properties. field from the previous revision to check field from the current revision to check validation report if the changes of the field are allowed, otherwise.

DocMDP level <=2 allows adding new fields in the following cases: docMDP level 1: allows adding only DocTimeStamp signature fields; docMDP level 2: same as level 1 and also adding and then signing signature fields, so signature dictionary shouldn't be null.

newly added field entry validation report true if newly added field is allowed to be added, false otherwise.

Loads the certificates as published as part of the european journal publication "Information related to data on Member States' trusted lists as notified under Commission Implementing Decision (EU) 2015/1505"

Creates a new instance of

Loads the certificates from the European Trusted List configuration.

Loads the certificates from the European Trusted List configuration. And verifies if they match the expected SHA-256 hash. A list of X509Certificates.

Abstract factory class for configuring and retrieving European Trusted List configurations.

Abstract factory class for configuring and retrieving European Trusted List configurations. This class provides methods to get and set the factory implementation, as well as abstract methods to retrieve trusted list-related information.

Supplier for the current factory implementation.

Supplier for the current factory implementation. By default, it uses .

Retrieves the current factory supplier.

the current factory supplier

Sets the factory supplier.

the new factory supplier to set

Retrieves the URI of the trusted list.

the trusted list URI

Retrieves the currently supported publication of the trusted list.

the currently supported publication

Retrieves the list of certificates from the trusted list.

a list of certificates

A parent for all events issued during certificate chain validation

Create a new instance.

the certificate that is being validated

Returns the certificate for which the event was fired.

the certificate for which the event was fired

This event triggers everytime an algorithm is used during signature validation.

Instantiates a new event.

the algorithm name the algorithm oid the location the algorithm was used

Returns whether the algorithm is allowed according to ETSI TS 119 312.

whether the algorithm is allowed according to ETSI TS 119 312

Returns whether the algorithm is allowed according to ETSI TS 319 142-1.

whether the algorithm is allowed according to ETSI TS 319 142-1

Returns the name of the algorithm if known.

the name of the algorithm if known

Returns the location where or purpose the algorithm us uses for.

the location where or purpose the algorithm us uses for

Returns the OID of the algorithm if known.

the OID of the algorithm if known

This event is triggered when a certificates chain validation fails.

Creates a new event instance.

the validated certificate whether the validation result was conclusive the reason the validation failed

Returns the validated certificate.

the validated certificate

Returns whether the validation result was conclusive.

whether the validation result was conclusive

Returns the reason the validation failed.

the reason the validation failed

This event is triggered after certificate chain validation success for the current signature.

Creates a new event instance.

the certificate that was tested

returns the validated certificate.

the validated certificate

This event is triggered when a certificate issues was retrieved from the internet.

Creates a new event instance.

the certificate for which the issuer was retrieved externally

This event is triggered when a certificate issuer is retrieved from a document resource outside of the last DSS.

Creates a new event instance,

the certificate for which the issuer was retrieved externally

This event triggered when revocation data from a timestamped DSS is not enough to perform signature validation.

Creates a new event instance.

the certificate for which there is no timestamped DSS

This event is triggered after the most recent DSS is being read.

Creates a new instance.

This enumeration alleviates the need for instanceof on all IValidationEvents.

Event triggered for every signature validation being started.

Event triggered for every validation success, including timestamp validation.

Event triggered for every validation failure, including timestamp validation.

Event triggered for every timestamp validation started.

Event triggered for every certificate issuer that is retrieved via Authority Information Access extension, or any other external source.

Event triggered for every certificate issuer available in the document that was not in the most recent DSS.

Event triggered when revocation data coming not from the latest DSS is needed to perform signature validation.

Event triggered when revocation data from a timestamped DSS is not enough to perform signature validation.

Event triggered when the most recent DSS has been processed.

Event triggered when the certificate chain was validated successfully.

Event triggered when the certificate chain validated failed.

Event triggered when a certificate is proven not te be revoked by a CRL response.

Event triggered when a certificate is revoked by a CRL response.

Event triggered when a certificate is proven not te be revoked by a OCSP response.

Event triggered when a certificate is revoked by a OCSP response.

Event triggered for every algorithm being used during signature validation.

This interface represents events registered during signature validation.

Returns the event type of the event, this fields is used to avoid instanceof usage.

the event type of the event

This event is triggered when a timestamp signature is encountered.

Creates a new event instance for a document timestamp.

the PdfSignature containing the timestamp signature, only applicable for document signatures signature name, only applicable for document signatures

Creates a new event instance for a signature timestamp.

timestamp container as a byte[]

Returns the encoded timestamp signature.

the encoded timestamp signature

Returns whether this is a document timestamp.

whether this is a document timestamp

Returns the PdfSignature containing the timestamp signature.

the PdfSignature containing the timestamp signature

This event is triggered when revocation data is retrieved from anywhere except for latest DSS entry.

Creates a new event instance,

the certificate for which there is not revocation data in the DSS

This event is triggered after signature validation failed for the current signature.

Create a new event instance.

when validation is neither valid nor invalid, when it is invalid the failure reason

Returns whether the result was inconclusive.

whether the result was inconclusive

Returns the reason of the failure.

the reason of the failure

This event is triggered after a successful validation of the current signature.

Creates an instance of .

This event is triggered at the start of a signature validation, after successfully parsing the signature.

Creates a new event instance.

the PdfSignature containing the signature signature name the signing date

Returns the PdfSignature containing the signature.

the PdfSignature containing the signature

Returns the signature name.

the signature name

Returns the claimed signing date.

the claimed signing date

Class representing certificate extension with all the information required for validation.

Create new instance of using provided extension OID and value.

, which represents extension OID , which represents extension value

Get extension value

, which represents extension value

Get extension OID

, which represents extension OID

Returns a message with extra information about the check.

a message with extra information about the check.

Check if this extension is present in the provided certificate.

Check if this extension is present in the provided certificate. This method doesn't always require complete extension value equality, instead whenever possible it checks that this extension is present in the certificate. in which this extension shall be present if extension if present, otherwise

Class representing "Basic Constraints" certificate extension, which uses provided amount of certificates in chain during the comparison.

Create new instance of .

Check if this extension is present in the provided certificate.

Check if this extension is present in the provided certificate. In case of , check if path length for this extension is less or equal to the path length, specified in the certificate. in which this extension shall be present if this path length is less or equal to a one from the certificate, otherwise

Certificate extension which is populated with additional dynamically changing validation related information.

Create new instance of using provided extension OID and value.

, which represents extension OID , which represents extension value

Sets amount of certificates currently present in the chain.

amount of certificates currently present in the chain this instance

Gets amount of certificates currently present in the chain.

amount of certificates currently present in the chain

Class representing "Extended Key Usage" extension.

Check if this extension is present in the provided certificate.

Check if this extension is present in the provided certificate. In case of , check if this extended key usage OIDs are present. Other values may be present as well. in which this extension shall be present if all OIDs are present in certificate extension, otherwise

Enum representing possible "Key Usage" extension values.

"Digital Signature" key usage value

"Non Repudiation" key usage value

"Key Encipherment" key usage value

"Data Encipherment" key usage value

"Key Agreement" key usage value

"Key Cert Sign" key usage value

"CRL Sign" key usage value

"Encipher Only" key usage value

"Decipher Only" key usage value

Class representing "Key Usage" extenstion.

Create new instance using provided int flag.

int flag which represents bit values for key usage value bit strings are stored with the big-endian byte order and padding on the end, the big endian notation causes a shift in actual integer values for bits 1-8 becoming 0-7 and bit 1 the 7 bits padding makes for bit 0 to become bit 7 of the first byte

Create new instance using provided int flag.

Create new instance using provided key usage enum list.

key usages which represents key usage values

Create new instance using provided key usage enum list.

key usages which represents key usage values parameter which represents return value for method in case of the extension not being present in a certificate

Create new instance using provided single key usage enum value.

which represents single key usage enum value

Create new instance using provided single key usage enum value.

which represents single key usage enum value parameter which represents return value for method in case of the extension not being present in a certificate

Check if this extension is present in the provided certificate.

Check if this extension is present in the provided certificate. In case of , check if this key usage bit values are present in certificate. Other values may be present as well. in which this extension shall be present if this key usage bit values are present in certificate, otherwise

Wrapper class for additional service information extension.

Creates empty instance of .

Gets URI representing a value of .

URI representing a value of

Deserializes into .

to deserialize deserialized

Class representing TSPService entry in a country specific Trusted List.

Gets list of objects corresponding to this country service context.

list of objects

Gets service type corresponding to this country service context.

service type

Gets corresponding to this country service context and DateTime in milliseconds.

DateTime in milliseconds corresponding instance

Gets corresponding to this country service context and .

date time corresponding instance

Gets the latest instance.

the latest instance

Deserializes into .

to deserialize deserialized

This class represents a country-specific TSL (Trusted List) location.

This class represents a country-specific TSL (Trusted List) location. It contains the scheme territory, the TSL location URL and MIME type.

Creates an instance of country specific LOTL location representation.

scheme territory of this country-specific TSL TSL location URL of this country-specific TSL MIME type of the TSL location

Creates an empty instance of .

Returns the scheme territory of this country-specific TSL.

the scheme territory

Returns the TSL location URL of this country-specific TSL.

the TSL location URL

Returns the MIME type of the TSL location.

the MIME type of the TSL location

Deserializes into .

to deserialize deserialized

This class fetches and validates country-specific List of Trusted Lists (LOTLs).

Creates a new instance of .

the used to retrieve resources

Fetches and validates country-specific LOTLs from the provided LOTL XML.

the byte array of the LOTL XML the used to build this fetcher a map of results containing validated country-specific LOTLs and their contexts

Creates an ExecutorService for downloading country-specific LOTLs.

Creates an ExecutorService for downloading country-specific LOTLs. By default, it creates a fixed thread pool with a number of threads equal to the number of available processors or the number of files to download, whichever is smaller. If you require a different configuration with other executor services, you can override this method. the list of tasks to be executed an ExecutorService instance configured for downloading LOTLs

Fetches and validates country-specific LOTLs from the provided .

certificates used for validation a list of to retrieve the used to build this fetcher a map of results containing validated country-specific LOTLs and their contexts

Represents the result of fetching and validating country-specific LOTLs.

Constructs a new Result object.

Constructs a new Result object. Initializes the report items list, local report, and contexts list.

Gets the local validation report.

the ValidationReport object containing the results of local validation

Sets the local validation report.

the ValidationReport object to set

Gets the list of service contexts associated with the country-specific LOTL.

a list of IServiceContext objects representing the service contexts

Sets the list of service contexts associated with the country-specific LOTL.

a list of IServiceContext objects to set

Gets the country-specific LOTL that was fetched and validated.

the CountrySpecificLotl object representing the country-specific LOTL

Sets the country-specific LOTL that was fetched and validated.

the CountrySpecificLotl object to set same result instance.

Creates a unique identifier for the country-specific LOTL based on its scheme territory and TSL location.

a string representing the unique identifier for the country-specific LOTL

Deserializes into .

to deserialize deserialized

Class corresponding to CertSubjectDNAttribute criteria in TL.

Creates a new instance of .

Adds required attribute ID into the criteria.

required attribute ID

Gets the required attribute IDs.

required attribute IDs

Interface for Criteria from TL.

Checks the criteria.

to be checked if criteria is met, otherwise

Criteria List which holds other Criteria or other Criteria Lists.

Creates a new instance of a Criteria List with a provided assert value.

assert value. Possible value are "all", "atLeastOne" and "none".

Gets assert value for this Criteria List.

assert value

Adds to this Criteria List.

to be added

Gets Criteria List.

Criteria List

Deserializes into .

to deserialize deserialized

Extended Key Usage Criteria implementation from a TL.

Creates new instance of .

Adds required extended key usage.

required extended key usage.

Gets the required extended key usages.

the required extended key usages

Key Usage Criteria implementation from a TL.

Creates a new instance of .

Adds required key usage bit by its name and value.

name of the required key usage bit. boolean value for a required key usage bit.

Gets required key usage bits.

required key usage bits

Policy Set Criteria implementation from a TL.

Creates new instance of .

Adds required policy id.

required policy id

Gets the required policy IDs.

the required policy IDs

Fetches the European List of Trusted Lists (Lotl) from a predefined URL.

Fetches the European List of Trusted Lists (Lotl) from a predefined URL. This class is used to retrieve the Lotl XML file, which contains information about trusted lists in the European Union.

Constructs a new instance of with the specified LotlService.

the LotlService used to retrieve resources

Loads the List of Trusted Lists (Lotl) from the predefined URL.

the byte array containing the Lotl data.

Represents the result of fetching the List of Trusted Lists (Lotl).

Creates a new instance of with the provided Lotl XML data.

the byte array containing the Lotl XML data

Creates a new instance of with an empty report items list.

Returns the Lotl XML data.

the byte array containing the Lotl XML data

Sets the Lotl XML data.

the byte array containing the Lotl XML data to set

Gets the list of report items generated during the fetching process.

a list of objects containing information about the fetching process

Deserializes into .

to deserialize deserialized

This class provides services for managing the Europian List of Trusted Lists (LOTL) and related resources.

This class provides services for managing the Europian List of Trusted Lists (LOTL) and related resources. It includes methods for fetching, validating, and caching LOTL data, as well as managing the European Resource Fetcher and Country-Specific LOTL Fetcher. It also allows for setting custom resource retrievers and cache timeouts.

Creates a new instance of .

to configure the way in which LOTL will be fetched

Sets the pivot fetcher for the LOTL service.

the pivot fetcher to be used for fetching and validating pivot files the current instance of for method chaining

Sets the country-specific LOTL fetcher for the LOTL service.

the country-specific LOTL fetcher to be used for fetching and validating country-specific LOTLs the current instance of for method chaining

Sets the European List of Trusted Lists (LOTL) byte fetcher for the LOTL service.

the fetcher to be used for fetching the LOTL XML data the current instance of for method chaining

Sets the European Resource Fetcher for the .

the European Resource Fetcher to be used for fetching EU journal certificates the current instance of for method chaining

Serializes the current state of the cache to the provided output stream.

the output stream to which the cache will be serialized.

Loads the cache from the network by fetching the latest LOTL data and related resources.

Loads the cache from the network by fetching the latest LOTL data and related resources. This method fetches the main LOTL file, EU journal certificates, pivot files, and country-specific LOTLs, validates them, and stores them in the cache. If the main LOTL fetch fails, the method will throw a and will not proceed to fetch pivot files or country-specific LOTLs. If a country-specific LOTL fetch fails, the will be used to handle the failure. Note: This method is called during cache initialization and should not be called directly in normal operation.

This method is intended to refresh the cache, it will try to download the latest LOTL data and update the cache accordingly.

This method is intended to refresh the cache, it will try to download the latest LOTL data and update the cache accordingly. The rules taken into account are: Country specific LOTL files will be fetched, validated and updated per country. If country fails to fetch, will be used to perform corresponding action. For the main LOTL file, if the fetch fails, the cache will not be updated. Also, we will NOT proceed to update the pivot files. If the main LOTL file is fetched successfully, the pivot files will be fetched, validated and stored in the cache.

This class fetches the European Union Journal certificates from the trusted list configuration.

This class fetches the European Union Journal certificates from the trusted list configuration. It reads the PEM certificates and returns them in a structured result.

Default constructor for EuropeanResourceFetcher.

Default constructor for EuropeanResourceFetcher. Initializes the fetcher without any specific configuration.

Fetches the European Union Journal certificates.

a Result object containing a list of certificates and any report items

Represents the result of fetching European Union Journal certificates.

Represents the result of fetching European Union Journal certificates. Contains a list of report items and a list of certificates.

Create a new Instance of .

Gets the list of report items.

a ValidationReport object containing report items

Gets the list of certificates.

a list of Certificate objects

Gets string constant representing currently used Official Journal publication.

constant representing currently used Official Journal publication

Sets the list of certificates.

a list of Certificate objects to set

Sets string constant representing currently used Official Journal publication.

constant representing currently used Official Journal publication

Deserializes into .

to deserialize deserialized

This exception is thrown when there is invalid data in the country-specific Lotl (List of Trusted Lists).

This exception is thrown when there is invalid data in the country-specific Lotl (List of Trusted Lists). It extends to indicate that the issue is severe enough to avoid safe calling.

Constructs a new InvalidCountryLotlDataException with the specified detail message.

the detail message

Constructs a new InvalidCountryLotlDataException with the specified detail message and an object for more details.

the detail message an object providing additional context or details about the exception

Interface for handling the failure of fetching a country-specific List of Trusted Lists (Lotl).

Interface for handling the failure of fetching a country-specific List of Trusted Lists (Lotl). Implementations can define custom strategies for dealing with such failures. We provide 2 default implementations out of the box: - - which does nothing and won't throw an exception, but will not add any country-specific certificates to the trust store. - - which will throw an exception if the fetching of a country-specific Lotl fails so that the validation process can be halted.

This method is called when the fetching of a country-specific Lotl fails.

This method is called when the fetching of a country-specific Lotl fails. It allows for custom handling of the failure. If the implementation does not throw an exception, the validation process will continue, and the certificates from the CountrySpecificLotlFetcher.Result will not be added to the trust store. the result of the fetch attempt, which may contain error details

Interface for handling the failure of fetching a country-specific trusted list.

Interface for handling the failure of fetching a country-specific trusted list. Implementations can define custom strategies for dealing with such failures. This strategy is used for the handling of the cases where the connection to the third-party endpoint for fetching the trusted list for a specific country fails. This can happen for various reasons, such as network issues, server downtime, or invalid responses. This strategy will be called per each country-specific EU trusted list that is not available on initialization or when the certificates staleness threshold is reached at the moment of digital signatures validation attempt if it relies on EU trusted lists. See for details about the staleness threshold. We provide 2 default implementations out of the box: - - which will throw an exception if the fetching of a country-specific trusted list fails. In cache initialization this means that initialization will be halted. In cache update this means that unavailable country-specific trusted certificates will not be updated, the validation will continue until the certificate staleness threshold will be reached, but when staleness threshold is reached this strategy will cause the validation attempts to fail with exception if they rely on EU trusted lists. - - which just silently removes not available country-specific certificates from the trust store, thus the validation results might change depending on success of certificates fetching. In cache initialization this means that the country-specific trusted certificates will not be added to the trust store. In cache update this means that unavailable country-specific trusted certificates will not be updated, the validation process will continue until the certificate staleness threshold will be reached, but when the staleness threshold is reached this strategy will silently remove the outdated certificates.

This method is called when the fetching of a country-specific Lotl fails.

Interface for managing service context related to certificates.

Interface for managing service context related to certificates. This interface provides methods to retrieve and add certificates.

Retrieves the list of certificates associated with the service context.

a list of objects

Adds a certificate to the service context.

the certificate to be added

Deserializes into .

to deserialize deserialized

Utility class which stores constants for country specific codes.

Class which stores properties related to LOTL (List of Trusted Lists) fetching and validation process.

Creates an instance of .

Creates an instance of . See for more details. strategy to be used when fetching of a country specific LOTL fails

Adds schema name (usually two letters) of a country which shall be used during LOTL fetching.

Adds schema name (usually two letters) of a country which shall be used during LOTL fetching. This method cannot be used together with . If no schema names are added or ignored, all country specific LOTL files will be used. Most of the country names are present in class. schema names of countries to use this same instance

Adds schema name (usually two letters) of a country which shall be ignored during LOTL fetching.

Adds schema name (usually two letters) of a country which shall be ignored during LOTL fetching. This method cannot be used together with . If no schema names are added or ignored, all country specific LOTL files will be used. Most of the country names are present in class. countries to ignore this same instance

Get the cache staleness threshold value in milliseconds.

a set cache staleness in milliseconds.

Gets the calculation function for the cache refresh interval.

Gets the calculation function for the cache refresh interval. This function will be used to determine the refresh interval based on the staleness time. By default, it takes 23% of the staleness time as the refresh interval. a function that takes the staleness time in milliseconds and returns the refresh interval in milliseconds.

Sets a custom cache refresh timer function.

Sets a custom cache refresh timer function. This function will be used to determine the refresh interval based on the staleness time. By default, it takes 23% of the staleness time as the refresh interval. So if the staleness time is 24 hours, the refresh interval will be set to 5.52 hours. a function that takes the staleness time in milliseconds and returns the refresh interval in milliseconds. this same instance

Gets the strategy to be used when fetching a country specific LOTL fails.

the strategy to be used when fetching a country specific LOTL fails

Adds service type identifier which shall be used during country specific LOTL fetching.

Adds service type identifier which shall be used during country specific LOTL fetching. If no service type identifiers are added, all service types from will be used. Only values supported by this logic are predefined in . service type identifier as a this same instance

Checks if the schema should be processed based on the current configuration.

the country name to use this instance for method chaining

This class provides API for managing the List of Trusted Lists (LOTL) and related resources.

This class provides API for managing the List of Trusted Lists (LOTL) and related resources. It includes API for fetching, validating, and caching LOTL data, as well as managing the European Resource Fetcher and Country-Specific LOTL Fetcher. It also allows for setting custom resource retrievers and cache timeouts.

Creates a new instance of .

to configure the way in which LOTL will be fetched

Initializes the global service with the provided .

Initializes the global service with the provided . This method must be called before using the to ensure that the cache is set up. If you are using a custom implementation of you can use the instance method. the to use for initializing the cache

Gets global static instance of .

global static instance of

Sets the cache for the .

Sets the cache for the . This method allows you to provide a custom implementation of to be used for caching LOTL data, pivot files, and country-specific LOTLs. the custom cache to be used for caching LOTL data the current instance of for method chaining

Sets a custom resource retriever for fetching resources.

Sets a custom resource retriever for fetching resources. This method allows you to provide a custom implementation of to be used for fetching resources such as the LOTL XML, pivot files, and country-specific LOTLs. Multiple LOTL endpoints require a userAgent header to be sent. This should be taken into account when providing a custom . the custom resource retriever to be used for fetching resources the current instance of for method chaining

Initializes the cache with the latest LOTL data and related resources.

Loads the cache from the provided input stream.

Loads the cache from the provided input stream. The input stream should contain serialized cache data, which can be created using the method. the input stream to read the cached data from

Get the validation results for the List of Trusted Lists (LOTL).

a containing the results of the LOTL validation

Retrieves national trusted certificates.

the list of the national trusted certificates

Sets the pivot fetcher for the LOTL service.

the pivot fetcher to be used for fetching and validating pivot files the current instance of for method chaining

Sets the country-specific LOTL fetcher for the LOTL service.

the country-specific LOTL fetcher to be used for fetching and validating country-specific LOTLs the current instance of for method chaining

Sets the European List of Trusted Lists (LOTL) byte fetcher for the LOTL service.

the fetcher to be used for fetching the LOTL XML data the current instance of for method chaining

Sets up factory which is responsible for creation.

factory responsible for creation the current instance of for method chaining

Sets up factory which is responsible for creation.

factory responsible for creation this same instance of

Sets the European Resource Fetcher for the .

the European Resource Fetcher to be used for fetching EU journal certificates the current instance of for method chaining

Serializes the current state of the cache to the provided output stream.

the output stream to which the cache will be serialized

Loads the cache from the network by fetching the latest LOTL data and related resources.

Loads the cache from the network by fetching the latest LOTL data and related resources. This method fetches the main LOTL file, EU journal certificates, pivot files, and country-specific LOTLs, validates them, and stores them in the cache. Note: This method is called during cache initialization and should not be called directly in normal operation.

This method is intended to refresh the cache, it will try to download the latest LOTL data and update the cache accordingly.

Sets up a timer to periodically refresh the LOTL cache.

Sets up a timer to periodically refresh the LOTL cache. The timer will use the refresh interval calculated based on the stale-ness of the cache. If the cache is null, it will create a new instance of .

Cancels timer, if it was already set up.

Gets the resource retriever used by the LOTL service.

the instance used for fetching resources

Retrieves explicitly added or automatically created instance.

explicitly added or automatically created instance.

Retrieves explicitly added or automatically created instance.

explicitly added or automatically created instance

Interface for caching LOTL (List of Trusted Lists) service results.

Interface for caching LOTL (List of Trusted Lists) service results. It provides methods to set and get various LOTL-related data, including European LOTL, country-specific LOTLs, and pivot results. Notice: If you do your own implementation of this interface, you should ensure that the cache is thread-safe and can handle concurrent access. This is important because LOTL data can be accessed and modified by multiple threads simultaneously. You should also ensure that all the values are set atomically using method to maintain consistency, So that you are not using outdated pivot results or country-specific LOTLs with a changed European LOTL.

Sets all values related to LOTL, including European LOTL, EU Journal certificates, pivot results, and country-specific LOTLs.

Sets all values related to LOTL, including European LOTL, EU Journal certificates, pivot results, and country-specific LOTLs. This extra method is used for syncronized updates to the cache, ensuring that all related data is set at once. This is useful in multithreaded environments where you want to ensure that all related data is consistent. the European LOTL result the EU Journal certificates the pivot fetcher result a map of country-specific LOTL results

Gets the European LOTL result.

the European LOTL result

Sets the pivot result.

the new pivot result to set

Gets the country-specific LOTL results.

a map of country-specific LOTL results

Sets the country-specific LOTL result for a specific country.

the country-specific LOTL result to set

Gets the European LOTL result.

the European LOTL result

Sets the European LOTL result.

the European LOTL result to set

Sets the result of the European Resource Fetcher.

Sets the result of the European Resource Fetcher. This method is used to update the cache with the result the result of the European Resource Fetcher

Gets the result of the European Resource Fetcher.

the result of the European Resource Fetcher

Trusted certificates storage class for country specific Lotl trusted certificates.

Creates new instance of .

Creates new instance of . This constructor shall not be used directly. Instead, in order to create such instance shall be used. which was responsible for creation

Gets all the certificates stored in this trusted store.

stored

Sets the certificate chain, corresponding to the certificate we are about to check.

list of certificates same instance of

Checks if given certificate is trusted according to context and time in which it is used.

which stores check results in which certificate is used certificate to be checked date time in which certificate is validated if certificate is trusted, otherwise

Gets lotl validation report.

validation report regarding trusted lists accessibility.

Gets set of items based on service type identifier of a given certificate in LOTL file.

Gets set of items based on service type identifier of a given certificate in LOTL file. Certificate source defines in which context this certificate is supposed to be trusted. representing service type identifier field in LOTL file. set of representing contexts, in which certificate is supposed to be trusted.

Checks if scope specified by extensions contains valid types.

which is populated with detailed validation results to be validated that specify scope false if extensions specify scope only with invalid types.

Find corresponding to provided date.

Find corresponding to provided date. If Service wasn't operating at that date report item will be added and null will be returned. which is populated with detailed validation results to be validated which contains statuses and their starting time against which certificate is expected to be validated. Usually signing date which contains time specific service information.

LotlValidator is responsible for validating the List of Trusted Lists (Lotl) and managing the trusted certificates.

LotlValidator is responsible for validating the List of Trusted Lists (Lotl) and managing the trusted certificates. It fetches the Lotl, validates it, and retrieves country-specific entries.

Constructs a LotlValidator with the specified ValidatorChainBuilder.

from which this instance was created.

Validates the List of Trusted Lists (Lotl) and retrieves national trusted certificates.

a containing the results of the LOTL validation

Retrieves national trusted certificates.

the list of the national trusted certificates

This class fetches and validates pivot files from a List of Trusted Lists (Lotl) XML.

Constructs a PivotFetcher with the specified LotlService and ValidatorChainBuilder.

the LotlService used to retrieve resources

Sets constant representing currently used Official Journal publication.

constant representing currently used Official Journal publication

Fetches and validates pivot files from the provided Lotl XML.

the byte array of the Lotl XML the list of trusted certificates a Result object containing the validation result and report items

Gets list of pivots xml files, including OJ entries.

byte array representing main LOTL file list of pivots xml files, including OJ entries

Result class encapsulates the result of the pivot fetching and validation process.

Creates a new instance of for .

Gets the local validation report.

the local ValidationReport

Sets the local validation report.

the ValidationReport to set

Gets the list of pivot URLs.

a list of pivot URLs

Gets the list of pivot URLs.

a list of pivot URLs

Generates a unique identifier based on the pivot URLs.

a string representing the unique identifier

Deserializes into .

to deserialize deserialized

Validator class which performs qualification validation for signatures.

Creates a new instance of .

Gets and removes qualification validation results for requested signature.

signature name, for which the results are obtained representing qualification validation result

Gets and removes qualification validation results for all the signatures being validated.

qualification validation results for all the signatures being validated

Starts new validation iteration for a given signature.

Starts new validation iteration for a given signature. Called automatically when signature validation starts. the name of a signature to be validated

Ensures that the same instance of was not used twice for different documents without the results being obtained.

Checks signature qualification status for a provided set of parameters corresponding to an entry in a TL.

list of objects in the validated chain corresponding to this entry in a TL trusted certificate from this TL entry at which validation happens corresponding to the provided certificates chain

Qualification validation data containing and .

Gets for this .

Enum representing possible signature qualification conclusions.

Electronic Signature with Qualified Signing Certificate, which private key resides in Qualified Signature Creation Device.

Electronic Seal with Qualified Signing Certificate, which private key resides in Qualified Signature Creation Device.

Electronic Signature with Qualified Signing Certificate.

Electronic Seal with Qualified Signing Certificate.

Not qualified Electronic Signature.

Not qualified Electronic Seal.

Signature of an unknown type with Qualified Signing Certificate, which private key resides in Qualified Signature Creation Device.

Signature of an unknown type with Qualified Signing Certificate.

Signature of an unknown type.

Signature, which properties cannot be established, because the corresponding values contradict.

Signature, for which qualification status is not applicable.

Signature, for which there is not corresponding TL entry.

Not qualified signature.

Class representing Qualifications entry from a country specific Trusted List.

Gets list of qualifiers from this extension.

list of qualifiers

Checks criteria for this Qualifier extension.

for which criteria shall be meet if criteria were meet, otherwise

Deserializes into .

to deserialize deserialized

This class implements the interface and provides a strategy for handling failures when fetching country-specific Lotl (List of Trusted Lists) files.

This class implements the interface and provides a strategy for handling failures when fetching country-specific Lotl (List of Trusted Lists) files. It ignores the failure of the specific country, and converts all report items to INFO status. This way the country-specific Lotl is not used and the validation report is not invalid but can be indeterminate.

Constructs an instance of .

Class representing ServiceHistory entry in a country specific Trusted List.

Gets service status corresponding to this Service Chronological Info instance.

service status

Gets service status starting time corresponding to this Service Chronological Info instance.

service status starting time

Gets list of corresponding to this Service Chronological Info.

list of

Gets list of corresponding to this Service Chronological Info.

list of

Deserializes into .

to deserialize deserialized

Utility class which stores possible values for service type identifiers in LOTL files, which are supported by iText.

Gets all the constant values of service type identifiers.

set of all service type identifiers defined in this class.

Deserializes into .

to deserialize deserialized

This class provides services for managing the single country List of Trusted Lists (LOTL) and related resources.

This class provides services for managing the single country List of Trusted Lists (LOTL) and related resources. It includes methods for fetching, validating, and caching LOTL data. You should use this service if you have only a country specific LOTL file with certificates you trust. First, you create an instance of and then pass it to the constructor of together with fetching properties and the certificates to validate LOTL file. Then this instance can be passed to so that the certificates from the LOTL file are used for signature validation.

Creates a new instance of .

to configure the way in which LOTL will be fetched for a LOTL file to serve a list of certificates to validate LOTL file

This class implements the interface and provides a strategy for handling failures when fetching country-specific trusted list .

This class implements the interface and provides a strategy for handling failures when fetching country-specific trusted list . It throws an if the specific country fetch or the trusted lists validation fails.

Creates an instance of .

This class is used to retrieve the list of countries and their corresponding TSL (Trusted List) locations from an XML file.

Default constructor for XmlCountryRetriever.

Default constructor for XmlCountryRetriever. Creates an instance of XmlCountryRetriever.

This method reads an XML file containing country-specific TSL locations and returns a list of CountrySpecificLotl objects.

the InputStream of the XML data containing country-specific TSL locations a list of CountrySpecificLotl objects, each containing the scheme territory and TSL location.

Validator class responsible for XML signature validation.

Validator class responsible for XML signature validation. This class is not intended to be used to validate anything besides Lotl files.

Creates instance.

Creates instance. This constructor shall not be used directly. which contains trusted certificates

Validates provided XML Lotl file.

representing XML Lotl file to be validated containing all validation related information

Interface for handling XML elements during SAX processing.

Called when a start element is encountered in the XML document.

the namespace URI of the element the local name of the element the qualified name of the element a map of attributes associated with the element

Called when an end element is encountered in the XML document.

the namespace URI of the element the local name of the element the qualified name of the element

Called when character data is encountered within an element.

the character array containing the data the start index of the data in the array the length of the data

Class that allows you to validate a single OCSP response.

Creates new instance.

See

Validates a certificate against single OCSP Response.

to store all the chain verification results the context in which to perform the validation the certificate to check for single response to check basic OCSP response which contains single response to check validation date to check for trusted date at which response is generated

Verifies if an OCSP response is genuine.

Verifies if an OCSP response is genuine. If it doesn't verify against the issuer certificate and response's certificates, it may verify using a trusted anchor or cert. to store all the chain verification results the context in which to perform the validation the OCSP response wrapper the issuer of the certificate for which the OCSP is checked the certificate for which the OCSP is checked trusted date at which response is generated

Report item to be used for single certificate related failure or log message.

Create instance.

processing which report item occurred , which represents a check name during which report item occurred with the exact report item message report item status that determines validation result

Create instance.

processing which report item occurred , which represents a check name during which report item occurred with the exact report item message , which caused this report item report item status that determines validation result

Get the certificate related to this report item.

related to this report item.

Deserializes into .

to deserialize deserialized

This class gathers all information needed to establish the achieved PAdES level of a signature.

This class gathers all information needed to establish the achieved PAdES level of a signature. It also holds the rules in common for both common signatures and document timestamps. Specific rules are delegated to implementors of this class. It also executes all those rules to define the achieved level.

Returns the signature name.

the signature name

Calculates the highest achieved PAdES level for the signature being checked.

PAdES level reports for already checked timestamp signatures the highest achieved level

Adds a message about a non-approved algorithm, according to ETSI TS 119 312, being used.

a message about a non-approved, according to ETSI TS 119 312, algorithm being used

Adds a message about a forbidden algorithm, according to ETSI TS 319 142, being used.

a message about a forbidden, according to ETSI TS 319 142, algorithm being used

Sets whether the signatures container contains the certificate entry.

whether the signatures container contains the certificate entry

Sets whether the signatures container contains the certificate chain includes the signing certificate.

whether the signatures container contains the certificate chain includes the signing certificate

Sets whether the signatures container contains the certificate chain.

whether the signatures container contains the certificate chain

Sets whether the signatures container contains the certificate chain includes the CA.

whether the signatures containers contains the certificate chain includes the CA

Sets whether the signatures container contains the certificate path.

whether the signatures container contains the certificate path

Sets whether the CMS signed attributes contain the content type and whether that content type is IdData.

whether the CMS signed attributes contain the content type and whether that content type is IdData.

Sets whether the CMS signed attributes contain the MessageDigest.

whether the CMS signed attributes contain the MessageDigest

Sets whether the CMS signed attributes contain the commitment type indication.

whether the CMS signed attributes contain the commitment type indication

Sets whether the CMS signed attributes contain the signing certificate in V1 format.

whether the CMS signed attributes contain the signing certificate in V1 format

Sets whether the CMS signed attributes contain the signing certificate in Vs format.

whether the CMS signed attributes contain the signing certificate in V2 format

Sets whether the signature dictionary contains the M entry.

whether the signature dictionary contains the M entry

Sets whether the signature dictionary entry M is correctly formatted.

whether the signature dictionary entry M is correctly formatted

Sets whether the CMS signed attributes contains the signing time attribute.

whether the CMS signed attributes contains the signing time attribute

Sets whether the signature dictionary contains the Contents entry.

whether the signature dictionary contains the Contents entry

Sets whether the signature dictionary contains the Filter entry.

whether the signature dictionary contains the Filter entry

Sets whether the signature dictionary contains the Byte range entry.

whether the signature dictionary contains the byte range entry

Sets whether the signature dictionary contains the Subfilter entry.

whether the signature dictionary contains the Subfilter entry

Sets whether the signature dictionary entry SubFilter has value ETSI.CAdES.detached.

whether the signature dictionary entry SubFilter has value ETSI.CAdES.detached

Sets whether the signature dictionary entry SubFilter has value ETSI.RFC3161.

whether the signature dictionary entry SubFilter has value ETSI.RFC3161

Sets whether the signature dictionary contains the entry Reason.

whether the signature dictionary contains the entry Reason

Sets whether the signature dictionary contains the entry Cert.

whether the signature dictionary contains the entry Cert

Sets whether there is a Proof of existence covering the signature.

whether there is a Proof of existence covering the signature

Sets whether there is a document timestamp covering the signature.

whether there is a document timestamp covering the signature

Sets whether there is a DSS covering the signature.

whether there is a DSS covering the signature

Adds a certificate for which the issuer missing in the DSS.

a certificate for which the issuer missing in the DSS

Adds a certificate for which the issuer missing in the DSS.

a certificate for which the issuer missing in the DSS

Adds a certificate for which no revocation data was available in the DSS.

a certificate for which no revocation data was available in the DSS

Sets whether there is a Proof of Existence covering the DSS.

whether there is a Proof of Existence covering the DSS

Adds a certificate for which no revocation data was available in a timestamped DSS.

a certificate for which no revocation data was available in the DSS

Sets whether the signature validation was successful.

whether the signature validation was successful

Returns all non conformaties per level, the SHALL HAVE rules that were broken, per PAdES level.

all non conformaties per level, the SHALL HAVE rules that were broken, per PAdES level

Returns all warnings, the SHOULD HAVE rules that were broken, per PAdES level.

all warnings, the SHOULD HAVE rules that were broken, per PAdES level

Abstract method to retrieve the specific rules sets from the implementors.

the specific rules sets from the implementors

A class to hold all rules for a level

A class containing a check executor and message generator

Instantiates a new check with a static message.

the check executor, taking in the AbstractPadesLevelRequirements holding the information the static message for when the rule check failed

Instantiates a new check with a message generator.

the check executor, taking in the AbstractPadesLevelRequirements holding the information the message generator for when the rule check failed, taking the AbstractPadesLevelRequirements holding the information

Returns the message generator.

the message generator

Returns the check executor.

the check executor

This report gathers PAdES level information about all signatures in a document as well as an overall PAdES level.

Creates a new instance.

Adds a signature validation report.

a signature validation report

Returns the overall document PAdES level, the lowest level off all signatures.

the overall document PAdES level

Returns the individual PAdES level report for a signature by name.

the signature name to retrieve the report for the individual PAdES level report for the signature

Returns a map for all signatures PAdES reports.

a map for all signatures PAdES reports

This class contains the rules specific for a document timestamp signature.

Creates a new instance.

This enumeration holds all possible PAdES levels plus none and indeterminate, needed for when none if the levels is reached or a signature is invalid.

None of the levels criteria where met

Unable to establish the PAdES level

B-B level provides requirements for the incorporation of signed and some unsigned attributes when the signature is generated.

B-T level provides requirements for the generation and inclusion, for an existing signature, of a trusted token proving that the signature itself actually existed at a certain date and time.

B-LT level provides requirements for the incorporation of all the material required for validating the signature in the signature document.

B-LT level provides requirements for the incorporation of all the material required for validating the signature in the signature document. This level aims to tackle the long term availability of the validation material.

B-LTA level provides requirements for the incorporation of electronic timestamps that allow validation of the signature long time after its generation.

B-LTA level provides requirements for the incorporation of electronic timestamps that allow validation of the signature long time after its generation. This level aims to tackle the long term availability and integrity of the validation material.

This report gathers PAdES level information one signature.

Creates new instance.

the requirements gathered for this signature the timestamp reports gathered before for this signature

Returns the signature name for the signature this report is about.

the signature name for the signature this report is about

Returns the highest achieved PAdES level for this signature.

the highest achieved PAdES level for this signature

Returns non-conformaties, violated must have rules, per PAdES level.

non-conformaties, violated must have rules, per PAdES level

Returns warnings, violated should have rules, per PAdES level.

warnings, violated should have rules, per PAdES level

This class generates a PAdES level report for a document based upon the IValidation events triggered during validation.

Creates a new instance.

Executes the rules and created the individual signature reports.

the DocumentPAdESLevelReport

This class contains the rules specific for signature.

Creates a new instance.

the signature name

Report item to be used for single failure or log message.

Create instance.

, which represents a check name during which report item occurred with the exact report item message report item status that determines validation result

Create instance.

, which represents a check name during which report item occurred with the exact report item message , which caused this report item report item status that determines validation result

Create report item from another report item.

from which new one will be created

Get the check name related to this report item.

check name related to this report item.

Get the message related to this report item.

message related to this report item.

Get the exception, which caused this report item.

, which cause this report item.

Get report item status that determines validation result this report item corresponds to.

report item status that determines validation result.

Set report item status that determines validation result this report item corresponds to.

report item status that determines validation result this instance.

Deserializes into .

to deserialize deserialized

Enum representing possible report item statuses that determine validation result.

Report item status for info messages.

Report item status that leads to invalid validation result.

Report item status that leads to indeterminate validation result.

Validation report, which contains detailed validation results.

Create new instance of .

Create a copy of another validation report.

to be copied

Get the result of a validation process.

, which represents the result of a validation

Get all failures recognized during a validation process.

report items , which contains all recognized failures

Get list of failures, which are related to certificate validation.

report items , which contains only failures

Get all log messages reported during a validation process.

report items , which contains all reported log messages, related to validation

Get list of log messages, which are related to certificate validation.

report items , which contains only log messages

Add new report item to the overall validation result.

to be added

Merge all objects from sub report into this one.

report from which items will be merged the same updated validation report instance.

Deserializes into .

to deserialize deserialized

Merge all objects from sub report into this one with different status.

report from which items will be merged which will be used instead of provided ones the same updated validation report instance.

Enum representing possible validation results.

Valid validation result.

Invalid validation result.

Indeterminate validation result.

The interface for AdES reports aggregator implementations.

Called at the start of a signature validation

signature container as a byte[] signature name the signing date

Called when a timestamp is encountered

timestamp container as a byte[] true when the timestamp is document level, false for a signature timestamp

Called after a successful validation of the current signature

Called after signature validation failed for the current signature

when validation is neither valid nor invalid, when it is invalid the failure reason

Retrieves the generated report

the generated report

Use this implementation when an xml report has to be created

Instantiates a new DefaultAdESReportAggregator instance

This class is for internal usage.

This class is for internal usage. It bridges the gap between the new event driven system of collecting validation meta info and the previous interface driven system.

Creates a new instance of the convertor, wrapping an AdESReportAggregator implementation.

an AdESReportAggregator implementation to be wrapped

Implementations must override hashvalue and equals, the hashvalue must be stable

Use this implementation when no xml report has to be created

Creates a new instance of NullAdESReportAggregator.

This class holds all parts needed to create an xml AdES report.

Class which represents signature validation status.

Creates an empty instance.

Sets the main status indication.

value

Gets the main status indication.

Gets URI representation of the validation status (see ETSI TS 119 102 4.3.4.2).

validation status as string

Sets sub-indication that shall clearly identify the reason for the main status indication.

value

Gets sub-indication that shall clearly identify the reason for the main status indication.

value

Gets sub-indication that shall clearly identify the reason for the main status indication.

sub-indication value as string

Adds message for validation report data.

message reason as string

Gets all reported messages.

Collection of reported messages

This enum holds all possible MainIndication values

This enum holds all possible SubIndication values

The signature is not conformant to one of the base standards to the extent that the cryptographic verification building block is unable to process it.

The signature is not conformant to one of the base standards to the extent that the cryptographic verification building block is unable to process it. The validation process shall provide any information available why parsing of the signature failed.

The signature validation process results into TOTAL-FAILED because at least one hash of a signed data object(s) that has been included in the signing process does not match the corresponding hash value in the signature. The validation process shall provide: An identifier (s) (e.g. a URI or OID) uniquely identifying the element within the signed data object (such as the signature attributes, or the SD) that caused the failure.

The signature validation process results into TOTAL-FAILED because the signature value in the signature could not be verified using the signer's public key in the signing certificate.

The signature validation process results into TOTAL-FAILED because the signature value in the signature could not be verified using the signer's public key in the signing certificate. The validation process shall output: The signing certificate used in the validation process.

The signature validation process results into TOTAL-FAILED because: • the signing certificate has been revoked; and • there is proof that the signature has been created after the revocation time.

The signature validation process results into TOTAL-FAILED because: • the signing certificate has been revoked; and • there is proof that the signature has been created after the revocation time. The validation process shall provide the following: • The certificate chain used in the validation process. • The time and, if available, the reason of revocation of the signing certificate.

The signature validation process results into TOTAL-FAILED because there is proof that the signature has been created after the expiration date (notAfter) of the signing certificate.

The signature validation process results into TOTAL-FAILED because there is proof that the signature has been created after the expiration date (notAfter) of the signing certificate. The process shall output: The validated certificate chain.

The signature validation process results into TOTAL-FAILED because there is proof that the signature was created before the issuance date (notBefore) of the signing certificate.

The signature validation process results into INDETERMINATE because one or more attributes of the signature do not match the validation constraints.

The signature validation process results into INDETERMINATE because one or more attributes of the signature do not match the validation constraints. The validation process shall provide: The set of constraints that have not been met by the signature.

The signature validation process results into INDETERMINATE because the certificate chain used in the validation process does not match the validation constraints related to the certificate.

The signature validation process results into INDETERMINATE because the certificate chain used in the validation process does not match the validation constraints related to the certificate. The validation process shall output: • The certificate chain used in the validation process. • The set of constraints that have not been met by the chain.

The signature validation process results into INDETERMINATE because the set of certificates available for chain validation produced an error for an unspecified reason.

The signature validation process results into INDETERMINATE because the set of certificates available for chain validation produced an error for an unspecified reason. The process shall output: Additional information regarding the reason.

The signature validation process results into INDETERMINATE because at least one of the algorithms that have been used in material (e.g. the signature value, a certificate...) involved in validating the signature, or the size of a key used with such an algorithm, is below the required cryptographic security level, and: • this material was produced after the time up to which this algorithm/key was considered secure (if such a time is known); and • the material is not protected by a sufficiently strong time-stamp applied before the time up to which the algorithm/key was considered secure (if such a time is known). The process shall output: • Identification of the material (signature, certificate) that is produced using an algorithm or key size below the required cryptographic security level. • If known, the time up to which the algorithm or key size were considered secure.

The signature validation process results into INDETERMINATE because a given formal policy file could not be processed for any reason (e.g. not accessible, not parseable, digest mismatch, etc.).

The signature validation process results into INDETERMINATE because a given formal policy file could not be processed for any reason (e.g. not accessible, not parseable, digest mismatch, etc.). The validation process shall provide additional information on the problem.

The signature validation process results into INDETERMINATE because the electronic document containing the details of the policy is not available.

The signature validation process results into INDETERMINATE because some constraints on the order of signature time-stamps and/or signed data object(s) time-stamps are not respected.

The signature validation process results into INDETERMINATE because some constraints on the order of signature time-stamps and/or signed data object(s) time-stamps are not respected. The validation process shall output the list of time-stamps that do no respect the ordering constraints.

The signature validation process results into INDETERMINATE because the signing certificate cannot be identified.

The signature validation process results into INDETERMINATE because no certificate chain has been found for the identified signing certificate.

The signature validation process results into INDETERMINATE because the signing certificate was revoked at the validation date/time.

The signature validation process results into INDETERMINATE because the signing certificate was revoked at the validation date/time. However, the Signature Validation Algorithm cannot ascertain that the signing time lies before or after the revocation time. The validation process shall provide the following: • The certificate chain used in the validation process. • The time and the reason of revocation of the signing certificate.

The signature validation process results into INDETERMINATE because at least one certificate chain was found but an intermediate CA certificate is revoked.

The signature validation process results into INDETERMINATE because at least one certificate chain was found but an intermediate CA certificate is revoked. The validation process shall provide the following: • The certificate chain which includes the revoked CA certificate. • The time and the reason of revocation of the certificate.

The signature validation process results into INDETERMINATE because the signing certificate is expired or not yet valid at the validation date/time and the Signature Validation Algorithm cannot ascertain that the signing time lies within the validity interval of the signing certificate.

The signature validation process results into INDETERMINATE because at least one of the algorithms that have been used in objects (e.g. the signature value, a certificate, etc.) involved in validating the signature, or the size of a key used with such an algorithm, is below the required cryptographic security level, and there is no proof that this material was produced before the time up to which this algorithm/key was considered secure. The process shall output: • Identification of the material (signature, certificate) that is produced using an algorithm or key size below the required cryptographic security level. If known, the time up to which the algorithm or key size were consider secure.

The signature validation process results into INDETERMINATE because a proof of existence is missing to ascertain that a signed object has been produced before some compromising even

The signature validation process results into INDETERMINATE because a proof of existence is missing to ascertain that a signed object has been produced before some compromising even The validation process shall identify at least the signed objects for which the POEs are missing. • The validation process should provide additional information on the problem.

The signature validation process results into INDETERMINATE because not all constraints can be fulfilled using available information.

The signature validation process results into INDETERMINATE because not all constraints can be fulfilled using available information. However, it may be possible to do so using additional revocation information that will be available at a later point of time. The validation process shall output the point of time, where the necessary revocation information is expected to become available.

The signature validation processresults into INDETERMINATE because signed data cannot beobtained.

The signature validation processresults into INDETERMINATE because signed data cannot beobtained. The process should output when available: The identifier(s) (e.g. a URI) of the signed data that caused the failure.

This enum holds the possible message type values

Use this implementation when an xml report has to be created.

Instantiates a new AdESReportEventListener instance.

Returns the generated PadesValidationReport.

the generated PadesValidationReport

This class will convert a to its xml representation.

Instantiate a new instance of XmlReportGenerator.

the conversion options to use

Generate xlm representation of a .

the report to transform the writer instance to write the resulting xml to

Manages the options for converting a into its xml representation

Create a new instance of XmlReportOptions

Class that allows you to fetch and validate revocation data for the certificate.

Creates new instance to validate certificate revocation data.

See

Add to be used for CRL responses receiving.

Add to be used for CRL responses receiving. These clients will be used regardless of the settings to be used for CRL responses receiving same instance of .

Add to be used for OCSP responses receiving.

Add to be used for OCSP responses receiving. These clients will be used regardless of the settings to be used for OCSP responses receiving same instance of .

Validates revocation data (Certificate Revocation List (CRL) Responses and OCSP Responses) of the certificate.

to store all the verification results the context the certificate to check revocation data for validation date to check for

Class which contains validation related information about single OCSP response.

Creates validation related information about single OCSP response.

single response to be validated basic OCSP response which contains this single response trusted date at which response was generated time based context which corresponds to generation date

Creates validation related information about single OCSP response.

single response to be validated basic OCSP response which contains this single response trusted date at which response was generated time based context which corresponds to generation date representing an origin, from which this OCSP response comes from

Class which contains validation related information about CRL response.

Creates validation related information about CRL response.

CRL to be validated trusted date at which response was generated time based context which corresponds to generation date

Creates validation related information about CRL response.

CRL to be validated trusted date at which response was generated time based context which corresponds to generation date representing an origin, from which this CRL response comes from

Utility class to handle exceptions and generate validation report items instead.

Adds a report item to the report when an exception is thrown in the action.

The action to perform The report to add the ReportItem to A callback to generate a ReportItem

Adds a report item to the report when an exception is thrown in the action.

The action to perform The value to return when an exception is thrown The report to add the ReportItem to A callback to generate a ReportItem type of return value The returned value from the action

Adds a report item to the report when an exception is thrown in the action.

The action to perform The report to add the ReportItem to A callback to generate a ReportItem

Adds a report item to the report when an exception is thrown in the action.

The action to perform The value to return when an exception is thrown The report to add the ReportItem to A callback to generate a ReportItem type of return value The returned value from the action

In some cases we need to propagate the exception without @{link SafeCalling} mechanism converting it to report items.

In some cases we need to propagate the exception without @{link SafeCalling} mechanism converting it to report items. This exception is used to indicate that something actually went wrong and not only the validation report is Invalid, but an underlying process might be affected.

Creates a new instance of with the specified detail message.

the detail message

Creates a new instance of with the specified underlying cause.

which caused the exception

Creates a new instance of with the specified detail message

the detail message. an object for more details.

Class which stores properties, which are related to signature validation process.

Create with default values.

Returns the freshness setting for the provided validation context or the default context in milliseconds.

the validation context for which to retrieve the freshness setting the freshness setting for the provided validation context or the default context in milliseconds

Sets the freshness setting for the specified validator, time based and certificate source contexts in milliseconds. This parameter specifies how old revocation data can be, compared to validation time, in order to be trustworthy.

the validators for which to apply the setting the certificate sources to the date comparison context for which to apply the setting the settings value in milliseconds this same instance.

Returns the Continue after failure setting for the provided context or the default context.

the context for which to retrieve the Continue after failure setting the Continue after failure setting for the provided context or the default context

Sets the Continue after failure setting for the provided context. This parameter specifies if validation is expected to continue after first failure is encountered. Only is considered to be a failure.

the validators for which to set the Continue after failure setting the certificateSources for which to set the Continue after failure setting the Continue after failure setting this same instance.

Sets the onlineFetching property representing possible online fetching permissions.

the context for which to retrieve the online fetching setting the online fetching setting.

Sets the onlineFetching property representing possible online fetching permissions.

the validators for which to set this value the certificate source for which to set this value time perspective context, at which validation is happening onlineFetching property value to set this same instance.

Returns required extension for the provided validation context.

the validation context for which to retrieve required extensions required extensions for the provided validation context

Sets list of extensions which are required to be set to a certificate depending on certificate source. By default, required extensions are set to be compliant with common validation norms. Changing those can result in falsely positive validation result.

for extensions to be present list of required this same instance

Gets all ICrlClient instances which will be used to retrieve CRL responses during the validation.

all ICrlClient instances which will be used to retrieve CRL responses during the validation

Adds new ICrlClient instance which will be used to retrieve CRL responses during the validation.

ICrlClient instance which will be used to retrieve CRL responses during the validation this same SignatureValidationProperties instance

Gets all IOcspClient instances which will be used to retrieve OCSP responses during the validation.

all IOcspClient instances which will be used to retrieve OCSP responses during the validation

Adds new IOcspClient instance which will be used to retrieve OCSP response during the validation.

IOcspClient instance which will be used to retrieve OCSP response during the validation this same SignatureValidationProperties instance

This method executes the setter method for every combination of selected validators and certificateSources

the validators to execute the setter on the certificate sources to execute the setter on the setter to execute

This method executes the getter method to the most granular parameters set down until the getter returns a non-null value

the validator for which the value is to be retrieved the certificate source for which the value is to be retrieved the getter to get the value from the parameters set the type of the return value of this method and the getter method the first non-null value returned.

Enum representing possible online fetching permissions.

Permission to always fetch revocation data online.

Permission to fetch revocation data online if no other revocation data available.

Forbids fetching revocation data online.

Validator class, which is expected to be used for signatures validation.

Creates new instance of .

instance which will be validated see

Sets the that will be used during new creations.

meta info to set the same instance

Validate all signatures in the document.

which contains detailed validation results

Validate single signature in the document.

name of the signature to validate which contains detailed validation results.

Trusted certificates storage class to be used to configure trusted certificates in a particular way.

Add collection of certificates to be trusted for any possible usage.

of instances

Add collection of certificates to be trusted for OCSP response signing.

Add collection of certificates to be trusted for OCSP response signing. These certificates are considered to be valid trust anchors for arbitrarily long certificate chain responsible for OCSP response generation. of instances

Add collection of certificates to be trusted for CRL signing.

Add collection of certificates to be trusted for CRL signing. These certificates are considered to be valid trust anchors for arbitrarily long certificate chain responsible for CRL generation. of instances

Add collection of certificates to be trusted for timestamping.

Add collection of certificates to be trusted for timestamping. These certificates are considered to be valid trust anchors for arbitrarily long certificate chain responsible for timestamp generation. of instances

Add collection of certificates to be trusted to be CA certificates.

Add collection of certificates to be trusted to be CA certificates. These certificates are considered to be valid trust anchors for certificate generation. of instances

Check if provided certificate is configured to be trusted for any purpose.

to be checked is provided certificate is generally trusted, otherwise

Check if provided certificate is configured to be trusted for OCSP response generation.

to be checked is provided certificate is trusted for OCSP generation, otherwise

Check if provided certificate is configured to be trusted for CRL generation.

to be checked is provided certificate is trusted for CRL generation, otherwise

Check if provided certificate is configured to be trusted for timestamp generation.

to be checked is provided certificate is trusted for timestamp generation, otherwise

Check if provided certificate is configured to be trusted to be CA.

to be checked is provided certificate is trusted for certificates generation, otherwise

Get certificates, if any, which is trusted for any usage, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get certificates, if any, which is trusted for OCSP response generation, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get certificates, if any, which is trusted for CRL generation, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get certificate, if any, which is trusted for timestamp generation, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get certificates, if any, which is trusted to be a CA, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get certificates, if any, which corresponds to the provided certificate name.

certificate name set of which correspond to the provided certificate name

Get all the certificates, which where provided to this storage as trusted certificate.

of instances

Get all the certificates having name as subject, which where provided to this storage as trusted certificate.

the subject name value for which to retrieve all trusted certificate set of which correspond to the provided certificate name

CRL client which is expected to be used in case CRL responses shall be linked with generation date.

Create new instance.

Add CRL response which is linked with generation date.

response to be added to be linked with the response time based context which corresponds to generation date

Add CRL response which is linked with generation date.

response to be added to be linked with the response time based context which corresponds to generation date representing an origin from which CRL comes from

Get all the CRL responses linked with generation dates.

all the CRL responses linked with generation dates

OCSP client which is expected to be used in case OCSP responses shall be linked with generation date.

Create new instance.

Add OCSP response which is linked with generation date.

response to be added to be linked with the response time based context which corresponds to generation date

Add OCSP response which is linked with generation date.

response to be added to be linked with the response time based context which corresponds to generation date representing an origin from which OCSP comes from

Get all the OCSP responses linked with generation dates.

all the OCSP responses linked with generation dates

A builder class to construct all necessary parts of a validation chain.

A builder class to construct all necessary parts of a validation chain. The builder can be reused to create multiple instances of a validator. Same instance of shall not be used in multithreaded environment.

This set is used to catch recursions while CRL/OCSP responses validation.

This set is used to catch recursions while CRL/OCSP responses validation. There might be loops when Revocation data for cert 0 is signed by cert 0. Or Revocation data for cert 0 is signed by cert 1 and revocation data for cert 1 is signed by cert 0. Some more complex loops are possible, and they all are supposed to be caught by this set and the methods to manipulate this set.

Creates a ValidatorChainBuilder using default implementations

Establishes trust in European Union List of Trusted Lists.

Establishes trust in European Union List of Trusted Lists. This feature by default relies on remote resource fetching and third-party EU trusted lists posted online. iText has no influence over these resources maintained by third-party authorities. If this feature is enabled, is created and used to retrieve, validate and establish trust in EU List of Trusted Lists. In order to properly work, apart from enabling it, user needs to call method, which performs initial initialization. Additionally, in order to successfully use this feature, a user needs to provide a source for trusted certificates which will be used for LOTL files validation. One can either add an explicit dependency to "eu-trusted-lists-resources" iText module or configure own source of trusted certificates. When iText dependency is used it is required to make sure that the newest version of the dependency is selected, otherwise LOTL validation will fail. The required certificates for LOTL files validations are published in the Official Journal of the European Union. Your own source of trusted certificates can be configured by using . if European Union LOTLs are expected to be trusted, otherwise the current

Checks if European Union List of Trusted Lists is supposed to be trusted.

if European Union LOTLs are expected to be trusted, otherwise

Create a new instance with the current configuration.

Create a new instance with the current configuration. This method can be used to create multiple validators. instance which will be validated a new instance of a signature validator.

Create a bew instance with the current configuration.

Create a bew instance with the current configuration. This method can be used to create multiple validators. a new instance of a document revisions validator.

Create a new instance.

Create a new instance. This method can be used to create multiple validators. a new instance of a CertificateChainValidator.

Create a new instance This method can be used to create multiple validators.

a new instance of a RevocationDataValidator.

Create a new instance.

Create a new instance. This method can be used to create multiple validators. a new instance of a OCSPValidator.

Create a new instance.

Create a new instance. This method can be used to create multiple validators. a new instance of a CRLValidator.

Use this factory method to create instances of for use in the validation chain.

the document revisions validator factory method to use the current

Use this factory method to create instances of for use in the validation chain.

the CRLValidatorFactory method to use the current

Use this factory method to create instances of for use in the validation chain.

the ResourceRetrieverFactory method to use the current

Use this factory method to create instances of for use in the validation chain.

Use this factory method to create instances of for use in the validation chain. Resource retriever created by this factory will be automatically used in the default CRL client, default OCSP client and default CA issuer certificate retriever. If some custom client is set and one needs to use their custom resource retriever for it, it's their responsibility to pass custom resource retriever to their custom client. Note that resource retriever created by this factory will not be used for because the global instance of is used by default. If one needs to use their custom resource retriever for , they can pass it using method. the resource retriever factory method to use the current

Use this factory method to create instances of for use in the validation chain.

the OCSPValidatorFactory method to use the current

Use this factory method to create instances of for use in the validation chain.

the RevocationDataValidator factory method to use the current

Use this factory method to create instances of for use in the validation chain.

the CertificateChainValidator factory method to use the current

Use this instance of a in the validation chain.

the SignatureValidationProperties instance to use the current

Use this factory method to create instances of for use in the validation chain.

the IssuingCertificateRetriever factory method to use the current

Use this factory to create instances of for use in the validation chain.

the IOcspClient factory method to use the current

Use this factory to create instances of for use in the validation chain.

the ICrlClient factory method to use the current

Adds known certificates to the .

the list of known certificates to add the current

Sets the trusted certificates to the .

the list of trusted certificates to set the current

Use this AdES report aggregator to enable AdES compliant report generation.

Use this AdES report aggregator to enable AdES compliant report generation. Generated report could be provided to . the report aggregator to use the current

Use this reportEventListener to generate an AdES xml report.

Use this reportEventListener to generate an AdES xml report. Generated report could be provided to . the AdESReportEventListener to use the current

Use this PAdES level report generator to generate PAdES report.

Use this PAdES level report generator to generate PAdES report. If called multiple times, multiple objects will be registered. the PAdESLevelReportGenerator to use the current

Checks whether PAdES compliance validation was requested.

if PAdES compliance validation was requested, otherwise

Sets instance to be used during signature qualification validation.

Sets instance to be used during signature qualification validation. The results of this validation can be obtained from this same instance. The feature is only executed if European LOTL is used. See . This validator needs to be updated per each document validation, or the results need to be obtained. Otherwise, the exception will be thrown. If no instance is provided, the qualification validation is not executed. instance which performs the validation the current