org.apache.poi.poifs.crypt.dsig

Class SignatureConfig

java.lang.Object

org.apache.poi.poifs.crypt.dsig.SignatureConfig

public class SignatureConfig
extends Object

This class bundles the configuration options used for the existing signature facets. Apart from the thread local members (e.g. opc-package) most values will probably be constant, so it might be configured centrally (e.g. by spring)

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	SignatureConfig.CRLEntry

Field Summary

Fields

Modifier and Type	Field and Description
static String	SIGNATURE_TIME_FORMAT

Constructor Summary

Constructors

Constructor and Description
SignatureConfig()

Method Summary

Modifier and Type	Method and Description
void	addCachedCertificate(String alias, byte[] x509Bytes)
void	addCachedCertificate(String alias, X509Certificate x509) Add certificate into keystore (cache) for further certificate chain lookups
SignatureConfig.CRLEntry	addCRL(String crlURL, String certCN, byte[] crlBytes)
void	addSignatureFacet(SignatureFacet signatureFacet)
String	formatExecutionTime()
X509Certificate	getCachedCertificateByPrinicipal(String principalName)
String	getCanonicalizationMethod()
String	getCommitmentType()
List<SignatureConfig.CRLEntry>	getCrlEntries()
HashAlgorithm	getDigestAlgo()
String	getDigestMethodUri()
static String	getDigestMethodUri(HashAlgorithm digestAlgo) Converts the digest algorithm - currently only sha* and ripemd160 is supported.
Date	getExecutionTime()
PrivateKey	getKey()
KeyStore	getKeyStore()
Map<String,String>	getNamespacePrefixes()
String	getPackageSignatureId()
static String[]	getProviderNames() Determine the possible classes for XMLSEC.
String	getProxyUrl()
RevocationDataService	getRevocationDataService()
String	getSignatureDescription()
List<SignatureFacet>	getSignatureFacets()
byte[]	getSignatureImage()
byte[]	getSignatureImageInvalid()
ClassID	getSignatureImageSetupId()
byte[]	getSignatureImageValid()
SignatureMarshalListener	getSignatureMarshalListener()
String	getSignatureMethodUri()
SignaturePolicyService	getSignaturePolicyService()
List<X509Certificate>	getSigningCertificateChain()
HashAlgorithm	getTspDigestAlgo()
TimeStampHttpClient	getTspHttpClient()
String	getTspPass()
String	getTspRequestPolicy()
TimeStampService	getTspService()
String	getTspUrl()
String	getTspUser()
TimeStampServiceValidator	getTspValidator()
URIDereferencer	getUriDereferencer() Deprecated. in POI 5.0.0 - use SignatureInfo.getUriDereferencer() instead
String	getUserAgent()
String	getXadesCanonicalizationMethod()
HashAlgorithm	getXadesDigestAlgo()
String	getXadesRole()
String	getXadesSignatureId()
boolean	isAllowCRLDownload()
boolean	isAllowMultipleSignatures()
boolean	isIncludeEntireCertificateChain()
boolean	isIncludeIssuerSerial()
boolean	isIncludeKeyValue()
boolean	isSecureValidation()
boolean	isTspOldProtocol()
boolean	isUpdateConfigOnValidate()
boolean	isXadesIssuerNameNoReverseOrder() Make sure the DN is encoded using the same order as present within the certificate.
boolean	isXadesSignaturePolicyImplied()
void	setAllowCRLDownload(boolean allowCRLDownload)
void	setAllowMultipleSignatures(boolean allowMultipleSignatures) Activate multiple signatures
void	setCanonicalizationMethod(String canonicalizationMethod)
void	setCommitmentType(String commitmentType) Set the commitmentType, which is usually one of ...
void	setDigestAlgo(HashAlgorithm digestAlgo)
void	setExecutionTime(Date executionTime)
void	setExecutionTime(String executionTime) Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
void	setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)
void	setIncludeIssuerSerial(boolean includeIssuerSerial)
void	setIncludeKeyValue(boolean includeKeyValue)
void	setKey(PrivateKey key)
void	setNamespacePrefixes(Map<String,String> namespacePrefixes)
void	setPackageSignatureId(String packageSignatureId)
void	setProxyUrl(String proxyUrl)
void	setRevocationDataService(RevocationDataService revocationDataService)
void	setSecureValidation(boolean secureValidation) Enable or disable secure validation - default is enabled.
void	setSignatureDescription(String signatureDescription)
void	setSignatureFacets(List<SignatureFacet> signatureFacets)
void	setSignatureImage(byte[] signatureImage)
void	setSignatureImageInvalid(byte[] signatureImageInvalid)
void	setSignatureImageSetupId(ClassID signatureImageSetupId)
void	setSignatureImageValid(byte[] signatureImageValid)
void	setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener)
void	setSignatureMethodFromUri(String signatureMethodUri) Set the digest algorithm based on the method uri.
void	setSignaturePolicyService(SignaturePolicyService signaturePolicyService)
void	setSigningCertificateChain(List<X509Certificate> signingCertificateChain)
void	setTspDigestAlgo(HashAlgorithm tspDigestAlgo)
void	setTspHttpClient(TimeStampHttpClient tspHttpClient)
void	setTspOldProtocol(boolean tspOldProtocol)
void	setTspPass(String tspPass)
void	setTspRequestPolicy(String tspRequestPolicy)
void	setTspService(TimeStampService tspService)
void	setTspUrl(String tspUrl)
void	setTspUser(String tspUser)
void	setTspValidator(TimeStampServiceValidator tspValidator)
void	setUpdateConfigOnValidate(boolean updateConfigOnValidate) The signature config can be updated if a document is succesful validated.
void	setUriDereferencer(URIDereferencer uriDereferencer) Deprecated. in POI 5.0.0 - use SignatureInfo.setUriDereferencer(URIDereferencer) instead
void	setUserAgent(String userAgent)
void	setXadesCanonicalizationMethod(String xadesCanonicalizationMethod)
void	setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)
void	setXadesDigestAlgo(String xadesDigestAlgo)
void	setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)
void	setXadesRole(String xadesRole)
void	setXadesSignatureId(String xadesSignatureId)
void	setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SIGNATURE_TIME_FORMAT

public static final String SIGNATURE_TIME_FORMAT

See Also:

Constant Field Values

Constructor Detail

SignatureConfig

public SignatureConfig()

Method Detail

addSignatureFacet

public void addSignatureFacet(SignatureFacet signatureFacet)

Parameters:

signatureFacet - the signature facet is appended to facet list

getSignatureFacets

public List<SignatureFacet> getSignatureFacets()

Returns:

the list of facets, may be empty when the config object is not initialized

setSignatureFacets

public void setSignatureFacets(List<SignatureFacet> signatureFacets)

Parameters:

signatureFacets - the new list of facets

getDigestAlgo

public HashAlgorithm getDigestAlgo()

Returns:

the main digest algorithm, defaults to sha256

setDigestAlgo

public void setDigestAlgo(HashAlgorithm digestAlgo)

Parameters:

digestAlgo - the main digest algorithm

getKey

public PrivateKey getKey()

Returns:

the private key

setKey

public void setKey(PrivateKey key)

Parameters:

key - the private key

getSigningCertificateChain

public List<X509Certificate> getSigningCertificateChain()

Returns:

the certificate chain, index 0 is usually the certificate matching the private key

setSigningCertificateChain

public void setSigningCertificateChain(List<X509Certificate> signingCertificateChain)

Parameters:

signingCertificateChain - the certificate chain, index 0 should be the certificate matching the private key

getExecutionTime

public Date getExecutionTime()

Returns:

the time at which the document is signed, also used for the timestamp service. defaults to now

setExecutionTime

public void setExecutionTime(Date executionTime)

Parameters:

executionTime - sets the time at which the document ought to be signed

formatExecutionTime

public String formatExecutionTime()

Returns:

the formatted execution time (SIGNATURE_TIME_FORMAT)

Since:

POI 4.0.0

setExecutionTime

public void setExecutionTime(String executionTime)

Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)

Parameters:

executionTime - the execution time

Since:

POI 4.0.0

getSignaturePolicyService

public SignaturePolicyService getSignaturePolicyService()

Returns:

the service to be used for XAdES-EPES properties. There's no default implementation

setSignaturePolicyService

public void setSignaturePolicyService(SignaturePolicyService signaturePolicyService)

Parameters:

signaturePolicyService - the service to be used for XAdES-EPES properties

getUriDereferencer

@Deprecated
 @Removal(version="5.0.0")
public URIDereferencer getUriDereferencer()

Deprecated. in POI 5.0.0 - use SignatureInfo.getUriDereferencer() instead

Returns:

the dereferencer used for Reference/@URI attributes, defaults to OOXMLURIDereferencer

setUriDereferencer

@Deprecated
 @Removal(version="5.0.0")
public void setUriDereferencer(URIDereferencer uriDereferencer)

Deprecated. in POI 5.0.0 - use SignatureInfo.setUriDereferencer(URIDereferencer) instead

Parameters:

uriDereferencer - the dereferencer used for Reference/@URI attributes

getSignatureDescription

public String getSignatureDescription()

Returns:

Gives back the human-readable description of what the citizen will be signing. The default value is "Office OpenXML Document".

setSignatureDescription

public void setSignatureDescription(String signatureDescription)

Parameters:

signatureDescription - the human-readable description of what the citizen will be signing.

getSignatureImage

public byte[] getSignatureImage()

getSignatureImageValid

public byte[] getSignatureImageValid()

getSignatureImageInvalid

public byte[] getSignatureImageInvalid()

getSignatureImageSetupId

public ClassID getSignatureImageSetupId()

setSignatureImageSetupId

public void setSignatureImageSetupId(ClassID signatureImageSetupId)

setSignatureImage

public void setSignatureImage(byte[] signatureImage)

setSignatureImageValid

public void setSignatureImageValid(byte[] signatureImageValid)

setSignatureImageInvalid

public void setSignatureImageInvalid(byte[] signatureImageInvalid)

getCanonicalizationMethod

public String getCanonicalizationMethod()

Returns:

the default canonicalization method, defaults to INCLUSIVE

setCanonicalizationMethod

public void setCanonicalizationMethod(String canonicalizationMethod)

Parameters:

canonicalizationMethod - the default canonicalization method

getPackageSignatureId

public String getPackageSignatureId()

Returns:

The signature Id attribute value used to create the XML signature. Defaults to "idPackageSignature"

setPackageSignatureId

public void setPackageSignatureId(String packageSignatureId)

Parameters:

packageSignatureId - The signature Id attribute value used to create the XML signature. A null value will trigger an automatically generated signature Id.

getTspUrl

public String getTspUrl()

Returns:

the url of the timestamp provider (TSP)

setTspUrl

public void setTspUrl(String tspUrl)

Parameters:

tspUrl - the url of the timestamp provider (TSP)

isTspOldProtocol

public boolean isTspOldProtocol()

Returns:

if true, uses timestamp-request/response mimetype, if false, timestamp-query/reply mimetype

setTspOldProtocol

public void setTspOldProtocol(boolean tspOldProtocol)

Parameters:

tspOldProtocol - defines the timestamp-protocol mimetype

See Also:

isTspOldProtocol()

getTspDigestAlgo

public HashAlgorithm getTspDigestAlgo()

Returns:

the hash algorithm to be used for the timestamp entry. Defaults to the hash algorithm of the main entry

setTspDigestAlgo

public void setTspDigestAlgo(HashAlgorithm tspDigestAlgo)

Parameters:

tspDigestAlgo - the algorithm to be used for the timestamp entry. if null, the hash algorithm of the main entry

getProxyUrl

public String getProxyUrl()

Returns:

the proxy url to be used for all communications. Currently this affects the timestamp service

setProxyUrl

public void setProxyUrl(String proxyUrl)

Parameters:

proxyUrl - the proxy url to be used for all communications. Currently this affects the timestamp service

getTspService

public TimeStampService getTspService()

Returns:

the timestamp service. Defaults to TSPTimeStampService

setTspService

public void setTspService(TimeStampService tspService)

Parameters:

tspService - the timestamp service

getTspHttpClient

public TimeStampHttpClient getTspHttpClient()

Returns:

the http client used for timestamp server connections

Since:

POI 5.2.1

setTspHttpClient

public void setTspHttpClient(TimeStampHttpClient tspHttpClient)

Parameters:

tspHttpClient - the http client used for timestamp server connections

Since:

POI 5.2.1

getTspUser

public String getTspUser()

Returns:

the user id for the timestamp service - currently only basic authorization is supported

setTspUser

public void setTspUser(String tspUser)

Parameters:

tspUser - the user id for the timestamp service - currently only basic authorization is supported

getTspPass

public String getTspPass()

Returns:

the password for the timestamp service

setTspPass

public void setTspPass(String tspPass)

Parameters:

tspPass - the password for the timestamp service

getTspValidator

public TimeStampServiceValidator getTspValidator()

Returns:

the validator for the timestamp service (certificate)

setTspValidator

public void setTspValidator(TimeStampServiceValidator tspValidator)

Parameters:

tspValidator - the validator for the timestamp service (certificate)

getRevocationDataService

public RevocationDataService getRevocationDataService()

Returns:

the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

setRevocationDataService

public void setRevocationDataService(RevocationDataService revocationDataService)

Parameters:

revocationDataService - the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

getXadesDigestAlgo

public HashAlgorithm getXadesDigestAlgo()

Returns:

hash algorithm used for XAdES. Defaults to the getDigestAlgo()

setXadesDigestAlgo

public void setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)

Parameters:

xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()

setXadesDigestAlgo

public void setXadesDigestAlgo(String xadesDigestAlgo)

Parameters:

xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()

Since:

POI 4.0.0

getUserAgent

public String getUserAgent()

Returns:

the user agent used for http communication (e.g. to the TSP)

setUserAgent

public void setUserAgent(String userAgent)

Parameters:

userAgent - the user agent used for http communication (e.g. to the TSP)

getTspRequestPolicy

public String getTspRequestPolicy()

Returns:

the asn.1 object id for the tsp request policy. Defaults to 1.3.6.1.4.1.13762.3

setTspRequestPolicy

public void setTspRequestPolicy(String tspRequestPolicy)

Parameters:

tspRequestPolicy - the asn.1 object id for the tsp request policy.

isIncludeEntireCertificateChain

public boolean isIncludeEntireCertificateChain()

Returns:

true, if the whole certificate chain is included in the signature. When false, only the signer cert will be included

setIncludeEntireCertificateChain

public void setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)

Parameters:

includeEntireCertificateChain - if true, include the whole certificate chain. If false, only include the signer cert

isIncludeIssuerSerial

public boolean isIncludeIssuerSerial()

Returns:

if true, issuer serial number is included

setIncludeIssuerSerial

public void setIncludeIssuerSerial(boolean includeIssuerSerial)

Parameters:

includeIssuerSerial - if true, issuer serial number is included

isIncludeKeyValue

public boolean isIncludeKeyValue()

Returns:

if true, the key value of the public key (certificate) is included

setIncludeKeyValue

public void setIncludeKeyValue(boolean includeKeyValue)

Parameters:

includeKeyValue - if true, the key value of the public key (certificate) is included

getXadesRole

public String getXadesRole()

Returns:

the xades role element. If null the claimed role element is omitted. Defaults to null

setXadesRole

public void setXadesRole(String xadesRole)

Parameters:

xadesRole - the xades role element. If null the claimed role element is omitted.

getXadesSignatureId

public String getXadesSignatureId()

Returns:

the Id for the XAdES SignedProperties element. Defaults to idSignedProperties

setXadesSignatureId

public void setXadesSignatureId(String xadesSignatureId)

Parameters:

xadesSignatureId - the Id for the XAdES SignedProperties element. When null defaults to idSignedProperties

isXadesSignaturePolicyImplied

public boolean isXadesSignaturePolicyImplied()

Returns:

when true, include the policy-implied block. Defaults to true

setXadesSignaturePolicyImplied

public void setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)

Parameters:

xadesSignaturePolicyImplied - when true, include the policy-implied block

isXadesIssuerNameNoReverseOrder

public boolean isXadesIssuerNameNoReverseOrder()

Make sure the DN is encoded using the same order as present within the certificate. This is an Office2010 work-around. Should be reverted back. XXX: not correct according to RFC 4514.

Returns:

when true, the issuer DN is used instead of the issuer X500 principal

setXadesIssuerNameNoReverseOrder

public void setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)

Parameters:

xadesIssuerNameNoReverseOrder - when true, the issuer DN instead of the issuer X500 principal is used

getSignatureMarshalListener

public SignatureMarshalListener getSignatureMarshalListener()

Returns:

the event listener which is active while xml structure for the signature is created. Defaults to SignatureMarshalListener

setSignatureMarshalListener

public void setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener)

Parameters:

signatureMarshalListener - the event listener watching the xml structure generation for the signature

getNamespacePrefixes

public Map<String,String> getNamespacePrefixes()

Returns:

the map of namespace uri (key) to prefix (value)

setNamespacePrefixes

public void setNamespacePrefixes(Map<String,String> namespacePrefixes)

Parameters:

namespacePrefixes - the map of namespace uri (key) to prefix (value)

getSignatureMethodUri

public String getSignatureMethodUri()

Returns:

the uri for the signature method, i.e. currently only rsa is supported, so it's the rsa variant of the main digest

getDigestMethodUri

public String getDigestMethodUri()

Returns:

the uri for the main digest

getDigestMethodUri

public static String getDigestMethodUri(HashAlgorithm digestAlgo)

Converts the digest algorithm - currently only sha* and ripemd160 is supported. MS Office only supports sha1, sha256, sha384, sha512.

Parameters:

digestAlgo - the digest algorithm

Returns:

the uri for the given digest

setSignatureMethodFromUri

public void setSignatureMethodFromUri(String signatureMethodUri)

Set the digest algorithm based on the method uri. This is used when a signature was successful validated and the signature configuration is updated

Parameters:

signatureMethodUri - the method uri

Since:

POI 4.0.0

getProviderNames

public static String[] getProviderNames()

Determine the possible classes for XMLSEC. The order is

1. the class pointed to by the system property "jsr105Provider"
2. the Santuario xmlsec provider
3. the JDK xmlsec provider

Returns:

an array of possible XMLSEC provider class names

getXadesCanonicalizationMethod

public String getXadesCanonicalizationMethod()

Returns:

the canonicalization method for XAdES-XL signing. Defaults to EXCLUSIVE

See Also:

javax.xml.crypto.dsig.CanonicalizationMethod

setXadesCanonicalizationMethod

public void setXadesCanonicalizationMethod(String xadesCanonicalizationMethod)

Parameters:

xadesCanonicalizationMethod - the canonicalization method for XAdES-XL signing

See Also:

javax.xml.crypto.dsig.CanonicalizationMethod

isUpdateConfigOnValidate

public boolean isUpdateConfigOnValidate()

Returns:

true, if the signature config is to be updated based on the successful validated document

Since:

POI 4.0.0

setUpdateConfigOnValidate

public void setUpdateConfigOnValidate(boolean updateConfigOnValidate)

The signature config can be updated if a document is succesful validated. This flag is used for activating these modifications. Defaults to false

Parameters:

updateConfigOnValidate - if true, update config on validate

Since:

POI 4.0.0

isAllowMultipleSignatures

public boolean isAllowMultipleSignatures()

Returns:

true, if multiple signatures can be attached

Since:

POI 4.1.0

setAllowMultipleSignatures

public void setAllowMultipleSignatures(boolean allowMultipleSignatures)

Activate multiple signatures

Parameters:

allowMultipleSignatures - if true, the signature will be added, otherwise all existing signatures will be replaced by the current

Since:

POI 4.1.0

isSecureValidation

public boolean isSecureValidation()

Returns:

is secure validation enabled?

Since:

POI 5.2.0

setSecureValidation

public void setSecureValidation(boolean secureValidation)

Enable or disable secure validation - default is enabled.

Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail, because a maximum of 30 references were hard-coded allowed for secure validation to succeed.

Secure validation has the following features:

• Limits the number of Transforms per Reference to a maximum of 5.
• Does not allow XSLT transforms.
• Does not allow a RetrievalMethod to reference another RetrievalMethod.
• Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
• Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
• MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
• Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
• Does not allow DTDs

Since:

POI 5.2.0

See Also:

XmlSec SecureValidation

getCommitmentType

public String getCommitmentType()

setCommitmentType

public void setCommitmentType(String commitmentType)

Set the commitmentType, which is usually one of ...

• "Created and approved this document"
• "Approved this document"
• "Created this document"
• ... or any other important sounding statement

addCRL

public SignatureConfig.CRLEntry addCRL(String crlURL,
                                       String certCN,
                                       byte[] crlBytes)

getCrlEntries

public List<SignatureConfig.CRLEntry> getCrlEntries()

isAllowCRLDownload

public boolean isAllowCRLDownload()

setAllowCRLDownload

public void setAllowCRLDownload(boolean allowCRLDownload)

getKeyStore

public KeyStore getKeyStore()

Returns:

keystore with cached certificates

addCachedCertificate

public void addCachedCertificate(String alias,
                                 X509Certificate x509)
                          throws KeyStoreException

Add certificate into keystore (cache) for further certificate chain lookups

Parameters:

alias - the alias, or null if alias is taken from common name attribute of certificate

x509 - the x509 certificate

Throws:

KeyStoreException

addCachedCertificate

public void addCachedCertificate(String alias,
                                 byte[] x509Bytes)
                          throws KeyStoreException,
                                 CertificateException

Throws:

KeyStoreException

CertificateException

getCachedCertificateByPrinicipal

public X509Certificate getCachedCertificateByPrinicipal(String principalName)