/**
* Call this method to have LTV information added to the {@link PdfStamper}
* given in the constructor.
*/
public void enable(IOcspClient ocspClient, ICrlClient crlClient)
{
AcroFields fields = pdfStamper.AcroFields;
bool encrypted = pdfStamper.Reader.IsEncrypted();
List <String> names = fields.GetSignatureNames();
foreach (String name in names)
{
PdfPKCS7 pdfPKCS7 = fields.VerifySignature(name);
PdfDictionary signatureDictionary = fields.GetSignatureDictionary(name);
X509Certificate certificate = pdfPKCS7.SigningCertificate;
addLtvForChain(certificate, ocspClient, crlClient, getSignatureHashKey(signatureDictionary, encrypted));
}
outputDss();
}
/// <summary>
///
/// </summary>
/// <param name="src"></param>
/// <param name="dest"></param>
/// <param name="ocsp"></param>
/// <param name="crl"></param>
private static void AddLtv(byte[] src, String dest, IOcspClient ocsp, ICrlClient crl)
{
var r = new PdfReader(src);
var fos = new FileStream(dest, FileMode.Create);
var stp = new PdfStamper(r, fos, '\0', true);
LtvVerification v = stp.LtvVerification;
AcroFields fields = stp.AcroFields;
List<String> names = fields.GetSignatureNames();
String sigName = names[names.Count - 1];
PdfPKCS7 pkcs7 = fields.VerifySignature(sigName);
if (pkcs7.IsTsp)
v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.SIGNING_CERTIFICATE, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
else
foreach (String name in names)
v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN, LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
stp.Close();
}
//
// the actual LTV enabling methods
//
void addLtvForChain(X509Certificate certificate, IOcspClient ocspClient, ICrlClient crlClient, PdfName key)
{
if (seenCertificates.Contains(certificate))
{
return;
}
seenCertificates.Add(certificate);
ValidationData validationData = new ValidationData();
while (certificate != null)
{
// Console.WriteLine(certificate.SubjectDN);
X509Certificate issuer = getIssuerCertificate(certificate);
validationData.certs.Add(certificate.GetEncoded());
byte[] ocspResponse = ocspClient.GetEncoded(certificate, issuer, null);
if (ocspResponse != null)
{
// Console.WriteLine(" with OCSP response");
validationData.ocsps.Add(ocspResponse);
X509Certificate ocspSigner = getOcspSignerCertificate(ocspResponse);
////if (ocspSigner != null)
////{
//// Console.WriteLine(" signed by {0}\n", ocspSigner.SubjectDN);
////}
addLtvForChain(ocspSigner, ocspClient, crlClient, getOcspHashKey(ocspResponse));
}
else
{
ICollection <byte[]> crl = crlClient.GetEncoded(certificate, null);
if (crl != null && crl.Count > 0)
{
//Console.WriteLine(" with {0} CRLs\n", crl.Count);
foreach (byte[] crlBytes in crl)
{
validationData.crls.Add(crlBytes);
addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));
}
}
}
certificate = issuer;
}
validated[key] = validationData;
}
/**
* Add verification for a particular signature
* @param signatureName the signature to validate (it may be a timestamp)
* @param ocsp the interface to get the OCSP
* @param crl the interface to get the CRL
* @param certOption
* @param level the validation options to include
* @param certInclude
* @return true if a validation was generated, false otherwise
* @throws Exception
*/
virtual public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude) {
if (used)
throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
LOGGER.Info("Adding verification for " + signatureName);
X509Certificate[] xc = pk.Certificates;
X509Certificate cert;
X509Certificate signingCert = pk.SigningCertificate;
ValidationData vd = new ValidationData();
for (int k = 0; k < xc.Length; ++k) {
cert = xc[k];
LOGGER.Info("Certificate: " + cert.SubjectDN);
if (certOption == CertificateOption.SIGNING_CERTIFICATE
&& !cert.Equals(signingCert)) {
continue;
}
byte[] ocspEnc = null;
if (ocsp != null && level != Level.CRL) {
ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
if (ocspEnc != null) {
vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
LOGGER.Info("OCSP added");
}
}
if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null))) {
ICollection<byte[]> cims = crl.GetEncoded(xc[k], null);
if (cims != null) {
foreach (byte[] cim in cims) {
bool dup = false;
foreach (byte[] b in vd.crls) {
if (Arrays.AreEqual(b, cim)) {
dup = true;
break;
}
}
if (!dup) {
vd.crls.Add(cim);
LOGGER.Info("CRL added");
}
}
}
}
if (certInclude == CertificateInclusion.YES) {
vd.certs.Add(xc[k].GetEncoded());
}
}
if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
return false;
validated[GetSignatureHashKey(signatureName)] = vd;
return true;
}
/**
* Add verification for a particular signature
* @param signatureName the signature to validate (it may be a timestamp)
* @param ocsp the interface to get the OCSP
* @param crl the interface to get the CRL
* @param certOption
* @param level the validation options to include
* @param certInclude
* @return true if a validation was generated, false otherwise
* @throws Exception
*/
public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude)
{
if (used)
{
throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
}
PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
LOGGER.Info("Adding verification for " + signatureName);
X509Certificate[] xc = pk.Certificates;
X509Certificate cert;
X509Certificate signingCert = pk.SigningCertificate;
ValidationData vd = new ValidationData();
for (int k = 0; k < xc.Length; ++k)
{
cert = xc[k];
LOGGER.Info("Certificate: " + cert.SubjectDN);
if (certOption == CertificateOption.SIGNING_CERTIFICATE &&
!cert.Equals(signingCert))
{
continue;
}
byte[] ocspEnc = null;
if (ocsp != null && level != Level.CRL)
{
ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
if (ocspEnc != null)
{
vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
LOGGER.Info("OCSP added");
}
}
if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
{
ICollection <byte[]> cims = crl.GetEncoded(xc[k], null);
if (cims != null)
{
foreach (byte[] cim in cims)
{
bool dup = false;
foreach (byte[] b in vd.crls)
{
if (Arrays.AreEqual(b, cim))
{
dup = true;
break;
}
}
if (!dup)
{
vd.crls.Add(cim);
LOGGER.Info("CRL added");
}
}
}
}
if (certInclude == CertificateInclusion.YES)
{
vd.certs.Add(xc[k].GetEncoded());
}
}
if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
{
return(false);
}
validated[GetSignatureHashKey(signatureName)] = vd;
return(true);
}
/**
* Add verification for a particular signature
* @param signatureName the signature to validate (it may be a timestamp)
* @param ocsp the interface to get the OCSP
* @param crl the interface to get the CRL
* @param certOption
* @param level the validation options to include
* @param certInclude
* @return true if a validation was generated, false otherwise
* @throws Exception
*/
public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude) {
if (used)
throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
X509Certificate[] xc = pk.SignCertificateChain;
ValidationData vd = new ValidationData();
for (int k = 0; k < xc.Length; ++k) {
byte[] ocspEnc = null;
if (ocsp != null && level != Level.CRL && k < xc.Length - 1) {
ocspEnc = ocsp.GetEncoded(xc[k], xc[k + 1], null);
if (ocspEnc != null)
vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
}
if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null))) {
byte[] cim = crl.GetEncoded(xc[k], null);
if (cim != null) {
bool dup = false;
foreach (byte[] b in vd.crls) {
if (Arrays.AreEqual(b, cim)) {
dup = true;
break;
}
}
if (!dup)
vd.crls.Add(cim);
}
}
if (certOption == CertificateOption.SIGNING_CERTIFICATE)
break;
}
if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
return false;
if (certInclude == CertificateInclusion.YES) {
foreach (X509Certificate c in xc) {
vd.certs.Add(c.GetEncoded());
}
}
validated[GetSignatureHashKey(signatureName)] = vd;
return true;
}
/**
* Add verification for a particular signature
* @param signatureName the signature to validate (it may be a timestamp)
* @param ocsp the interface to get the OCSP
* @param crl the interface to get the CRL
* @param certOption
* @param level the validation options to include
* @param certInclude
* @return true if a validation was generated, false otherwise
* @throws Exception
*/
public bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude)
{
if (used)
{
throw new InvalidOperationException(MessageLocalization.GetComposedMessage("verification.already.output"));
}
PdfPKCS7 pk = acroFields.VerifySignature(signatureName);
X509Certificate[] xc = pk.SignCertificateChain;
ValidationData vd = new ValidationData();
for (int k = 0; k < xc.Length; ++k)
{
byte[] ocspEnc = null;
if (ocsp != null && level != Level.CRL && k < xc.Length - 1)
{
ocspEnc = ocsp.GetEncoded(xc[k], xc[k + 1], null);
if (ocspEnc != null)
{
vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
}
}
if (crl != null && (level == Level.CRL || level == Level.OCSP_CRL || (level == Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
{
ICollection <byte[]> cims = crl.GetEncoded((X509Certificate)xc[k], null);
if (cims != null)
{
foreach (byte[] cim in cims)
{
bool dup = false;
foreach (byte[] b in vd.crls)
{
if (Arrays.AreEqual(b, cim))
{
dup = true;
break;
}
}
if (!dup)
{
vd.crls.Add(cim);
}
}
}
}
if (certOption == CertificateOption.SIGNING_CERTIFICATE)
{
break;
}
}
if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
{
return(false);
}
if (certInclude == CertificateInclusion.YES)
{
foreach (X509Certificate c in xc)
{
vd.certs.Add(c.GetEncoded());
}
}
validated[GetSignatureHashKey(signatureName)] = vd;
return(true);
}
/// <summary>Add verification for a particular signature.</summary>
/// <param name="signatureName">the signature to validate (it may be a timestamp)</param>
/// <param name="ocsp">the interface to get the OCSP</param>
/// <param name="crl">the interface to get the CRL</param>
/// <param name="certOption">options as to how many certificates to include</param>
/// <param name="level">the validation options to include</param>
/// <param name="certInclude">certificate inclusion options</param>
/// <returns>true if a validation was generated, false otherwise</returns>
/// <exception cref="Org.BouncyCastle.Security.GeneralSecurityException"/>
/// <exception cref="System.IO.IOException"/>
public virtual bool AddVerification(String signatureName, IOcspClient ocsp, ICrlClient crl, LtvVerification.CertificateOption
certOption, LtvVerification.Level level, LtvVerification.CertificateInclusion certInclude)
{
if (used)
{
throw new InvalidOperationException(PdfException.VerificationAlreadyOutput);
}
PdfPKCS7 pk = sgnUtil.VerifySignature(signatureName);
LOGGER.Info("Adding verification for " + signatureName);
X509Certificate[] xc = pk.GetCertificates();
X509Certificate cert;
X509Certificate signingCert = pk.GetSigningCertificate();
LtvVerification.ValidationData vd = new LtvVerification.ValidationData();
for (int k = 0; k < xc.Length; ++k)
{
cert = (X509Certificate)xc[k];
LOGGER.Info("Certificate: " + cert.SubjectDN);
if (certOption == LtvVerification.CertificateOption.SIGNING_CERTIFICATE && !cert.Equals(signingCert))
{
continue;
}
byte[] ocspEnc = null;
if (ocsp != null && level != LtvVerification.Level.CRL)
{
ocspEnc = ocsp.GetEncoded(cert, GetParent(cert, xc), null);
if (ocspEnc != null)
{
vd.ocsps.Add(BuildOCSPResponse(ocspEnc));
LOGGER.Info("OCSP added");
}
}
if (crl != null && (level == LtvVerification.Level.CRL || level == LtvVerification.Level.OCSP_CRL || (level
== LtvVerification.Level.OCSP_OPTIONAL_CRL && ocspEnc == null)))
{
ICollection <byte[]> cims = crl.GetEncoded(cert, null);
if (cims != null)
{
foreach (byte[] cim in cims)
{
bool dup = false;
foreach (byte[] b in vd.crls)
{
if (JavaUtil.ArraysEquals(b, cim))
{
dup = true;
break;
}
}
if (!dup)
{
vd.crls.Add(cim);
LOGGER.Info("CRL added");
}
}
}
}
if (certInclude == LtvVerification.CertificateInclusion.YES)
{
vd.certs.Add(cert.GetEncoded());
}
}
if (vd.crls.Count == 0 && vd.ocsps.Count == 0)
{
return(false);
}
validated.Put(GetSignatureHashKey(signatureName), vd);
return(true);
}
static void addLTVToStream(Stream source, Stream destination, IOcspClient ocsp, ICrlClient crl,
LtvVerification.Level timestampLevel, LtvVerification.Level signatureLevel)
{
PdfDocument pdfDoc = new PdfDocument(new PdfReader(source),
new PdfWriter(destination),
new StampingProperties().UseAppendMode());
LtvVerification v = new LtvVerification(pdfDoc);
SignatureUtil signatureUtil = new SignatureUtil(pdfDoc);
IList <string> names = signatureUtil.GetSignatureNames();
String sigName = names[(names.Count - 1)];
PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(sigName);
if (pkcs7.IsTsp())
{
v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
timestampLevel, LtvVerification.CertificateInclusion.YES);
}
else
{
foreach (String name in names)
{
v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
signatureLevel, LtvVerification.CertificateInclusion.YES);
}
}
v.Merge();
pdfDoc.Close();
}
