com.itextpdf.signatures.SignUtils Maven / Gradle / Ivy
/*
This file is part of the iText (R) project.
Copyright (c) 1998-2024 Apryse Group NV
Authors: Apryse Software.
This program is offered under a commercial and under the AGPL license.
For commercial licensing, contact us at https://itextpdf.com/sales. For AGPL licensing, see below.
AGPL licensing:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see getCertsFromOcspResponse(IBasicOCSPResp ocspResp) {
List certs = new ArrayList<>();
IX509CertificateHolder[] certHolders = ocspResp.getCerts();
IJcaX509CertificateConverter converter = FACTORY.createJcaX509CertificateConverter();
for (IX509CertificateHolder certHolder : certHolders) {
try {
certs.add(converter.getCertificate(certHolder));
} catch (Exception ex) {
// do nothing
}
}
return certs;
}
static Collection readAllCerts(byte[] contentsKey) throws CertificateException {
return SignUtils.readAllCerts(new ByteArrayInputStream(contentsKey), FACTORY.getProvider());
}
static Collection readAllCerts(InputStream contentsKey, Provider provider)
throws CertificateException {
final CertificateFactory factory = provider == null ? CertificateFactory.getInstance("X509") :
CertificateFactory.getInstance("X509", provider);
return new ArrayList<>(factory.generateCertificates(contentsKey));
}
static Certificate generateCertificate(InputStream data, Provider provider) throws CertificateException {
final CertificateFactory factory = provider == null ? CertificateFactory.getInstance("X509") :
CertificateFactory.getInstance("X509", provider);
return factory.generateCertificate(data);
}
static Collection readAllCRLs(byte[] contentsKey) throws CertificateException, CRLException {
final CertificateFactory factory = CertificateFactory.getInstance("X509", FACTORY.getProvider());
return new ArrayList<>(factory.generateCRLs(new ByteArrayInputStream(contentsKey)));
}
static T getFirstElement(Iterable iterable) {
return iterable.iterator().next();
}
static X500Principal getIssuerX500Principal(IASN1Sequence issuerAndSerialNumber) throws IOException {
return new X500Principal(issuerAndSerialNumber.getObjectAt(0).toASN1Primitive().getEncoded());
}
static class TsaResponse {
String encoding;
InputStream tsaResponseStream;
}
static TsaResponse getTsaResponseForUserRequest(String tsaUrl, byte[] requestBytes, String tsaUsername,
String tsaPassword) throws IOException {
URL url = new URL(tsaUrl);
URLConnection tsaConnection;
try {
tsaConnection = url.openConnection();
} catch (IOException ioe) {
throw new PdfException(SignExceptionMessageConstant.FAILED_TO_GET_TSA_RESPONSE).setMessageParams(tsaUrl);
}
tsaConnection.setDoInput(true);
tsaConnection.setDoOutput(true);
tsaConnection.setUseCaches(false);
tsaConnection.setRequestProperty("Content-Type", "application/timestamp-query");
//tsaConnection.setRequestProperty("Content-Transfer-Encoding", "base64");
tsaConnection.setRequestProperty("Content-Transfer-Encoding", "binary");
if ((tsaUsername != null) && !tsaUsername.equals("")) {
String userPassword = tsaUsername + ":" + tsaPassword;
tsaConnection.setRequestProperty("Authorization", "Basic " +
Base64.encodeBytes(userPassword.getBytes(StandardCharsets.UTF_8), Base64.DONT_BREAK_LINES));
}
OutputStream out = tsaConnection.getOutputStream();
out.write(requestBytes);
out.close();
TsaResponse response = new TsaResponse();
response.tsaResponseStream = tsaConnection.getInputStream();
response.encoding = tsaConnection.getContentEncoding();
return response;
}
/**
* Check if the provided certificate has a critical extension that iText doesn't support.
*
* @param cert X509Certificate instance to check
* @return true if there are unsupported critical extensions, false if there are none
* @deprecated this behavior is different in Java and .NET, because in Java we use this
* two-step check: first via #hasUnsupportedCriticalExtension method, and then additionally allowing
* standard critical extensions; in .NET there's only second step. However, removing
* first step in Java can be a breaking change for some users and moreover we don't
* have any means of providing customization for unsupported extensions check as of right now.
*
* During major release I'd suggest changing java unsupported extensions check logic to the same as in .NET,
* but only if it is possible to customize this logic.
*/
// TODO DEVSIX-2634
@Deprecated
static boolean hasUnsupportedCriticalExtension(X509Certificate cert) {
if (cert == null) {
throw new IllegalArgumentException("X509Certificate can't be null.");
}
if (cert.hasUnsupportedCriticalExtension()) {
for (String oid : cert.getCriticalExtensionOIDs()) {
if (OID.X509Extensions.SUPPORTED_CRITICAL_EXTENSIONS.contains(oid)) {
continue;
}
return true;
}
}
return false;
}
static Calendar getTimeStampDate(ITSTInfo timeStampTokenInfo) {
GregorianCalendar calendar = new GregorianCalendar();
try {
calendar.setTime(timeStampTokenInfo.getGenTime());
} catch (ParseException ignored) {
// Do nothing.
}
return calendar;
}
static Signature getSignatureHelper(String algorithm, String provider)
throws NoSuchProviderException, NoSuchAlgorithmException {
return provider == null
? Signature.getInstance(algorithm)
: Signature.getInstance(algorithm, provider);
}
static void setRSASSAPSSParamsWithMGF1(Signature signature, String digestAlgoName, int saltLen, int trailerField)
throws InvalidAlgorithmParameterException {
MGF1ParameterSpec mgf1Spec = new MGF1ParameterSpec(digestAlgoName);
PSSParameterSpec spec = new PSSParameterSpec(digestAlgoName, "MGF1", mgf1Spec, saltLen, trailerField);
signature.setParameter(spec);
}
public static void updateVerifier(Signature signature, byte[] attr) throws SignatureException {
signature.update(attr);
}
static boolean verifyCertificateSignature(X509Certificate certificate, PublicKey issuerPublicKey, String provider) {
boolean res = false;
try {
if (provider == null) {
certificate.verify(issuerPublicKey);
} else {
certificate.verify(issuerPublicKey, provider);
}
res = true;
} catch (Exception ignored) {
}
return res;
}
static Iterable getCertificates(final KeyStore keyStore) throws KeyStoreException {
final Enumeration keyStoreAliases = keyStore.aliases();
return new Iterable() {
@Override
public Iterator iterator() {
return new Iterator() {
private X509Certificate nextCert;
@Override
public boolean hasNext() {
if (nextCert == null) {
tryToGetNextCertificate();
}
return nextCert != null;
}
@Override
public X509Certificate next() {
if (!hasNext()) {
throw new NoSuchElementException();
}
X509Certificate cert = nextCert;
nextCert = null;
return cert;
}
private void tryToGetNextCertificate() {
while (keyStoreAliases.hasMoreElements()) {
try {
String alias = keyStoreAliases.nextElement();
if (keyStore.isCertificateEntry(alias) || keyStore.isKeyEntry(alias)) {
nextCert = (X509Certificate) keyStore.getCertificate(alias);
break;
}
} catch (KeyStoreException e) {
// do nothing and continue
}
}
}
@Override
public void remove() {
throw new UnsupportedOperationException("remove");
}
};
}
};
}
}