[CP]AdES

[CP]AdES 2.4

The IAIK [CP]AdES toolkit abstracts the creation and verification of signed PDF documents and CAdES signatures. The structure of the toolkit is highly similar to a typical signature engine in the JCA/JCE framework and allows you to easily create signatures compliant to the PAdES and CAdES specifications by using dedicated parameter classes. The official ETSI website providing these specifications can be found here.

Main Features

A complete signature validation is not implemented, but the toolkit rather provides various methods that can be used for such a validation. To verify PAdES signatures, they first have to be extracted by using a PDF signature instance. For parsing a CAdES signature it has to be processed by a CadesSignature or CadesSignatureStream. For each signature various checks can be made according to the signature type (e.g. standard signature or document timestamp). This includes digest and signature value verification, as well as extraction of revocation data and timestamps (if included).

Similar to the PAdES profiles, several formats are defined for CAdES in the specifications ETSI TS 101 733 and ETSI EN 319 122-1 v1.1.1. This toolkit neither supports the legacy signatures CAdES-C and CAdES-X, nor any older versions of the archive timestamp than archive-time-stamp-v3. The classes CadesSignature and CadesSignatureStream provide methods to create or verify CAdES signatures. Use the appropriate parameter classes (CadesBESParameters, CadesTParameters, CadesLTAParameters) to create a signature compliant to the required format.

The PAdES specifications (ETSI TS 102 778 and ETSI EN 319 142-1 v1.1.1) define the format of an electronic signature, that shall be embedded in the PDF document as signature field. Aside from XML related profiles, all of the described PAdES profiles or signature levels are supported. To sign or verify a PDF document, create a PDFSignatureInstance. Via dedicated parameter classes the intended profile can be selected. If you need a PAdES basic signature, use PadesBasicParameters and choose whether a SHA1-hash of the original data shall be included in the signature (subfilter adbe.pkcs7.sha1) or not (subfilter adbe.pkcs7.detached). For a PAdES BES signature use the PadesBESParameters (subfilter ETSI.CAdES.detached). These parameter classes allow to set revocation information and a timestamp authority, in order to include CRLS, OCSP responses and a signature timestamp. In order to include certificates and revocation information (CRLS, OCSP responses) required for a complete signature validation as specified by the PAdES LTV profile, use PadesLTVParameters. Pass these parameters to the signature instance when protecting the document with a document timestamp (subfilter ETSI.RFC3161).

The IAIK [CP]AdES toolkit uses either the PDF library iText (http://itextpdf.com/) or Apache PDFBox (http://pdfbox.apache.org) for handling and modifying the PDF structure, i.e. for extracting and embedding signatures and related data. These PDF libraries will not be provided within the IAIK [CP]AdES toolkit package and have to be obtained from the respective websites. Please note that for using iText a correctly licensed version 5.3.4 or higher is required and version 2.0 or higher for using Apache PDFBox. The latest versions that had been tested with this toolkit were 2.0 for Apache PDFBox and 5.5.9 for the iText library.

Cryptographic data like signature and hash values, CMS signatures, OCSP responses and timestamps are created by IAIK toolkits. The [CP]AdES toolkit is therefore based on IAIK JCE, IAIK CMS and IAIK TSP. You may further need IAIK ECCelerate or the IAIK PKCS#11 provider when using ECC keys or PKCS#11 token objects.

For detailed information on the toolkit, please have a look at the API documentation.

IAIK [CP]AdES 2.4 – 6. September 2019
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf.asn1objects.AtsHashIndexv3 B

Fixed toASN1Object() to include the hashIndAlgorithm component in any case (even if SHA-256 is used; no DEFAULT value anymore).

IAIK [CP]AdES 2.3 – 18. March 2019
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf NF, C

Updated PDFBox version to 2..

iaik.pdf.signature.ApprovalSignature NF

Added method isWholeDocumentCoveredByByteRange() to check for preventing the PDF attacks USF, ISA and SWA (https://www.pdf-insecurity.org/index.html).

iaik.pdf NF

Support for parsing and verifying adbe.x509.rsa_sha1 signatures added.

IAIK [CP]AdES 2.2 – 2. December 2016
IAIK [CP]AdES 2.1 – 14. August 2015
IAIK [CP]AdES 2.0 – 6. March 2015

Any questions?

Don‘t hestitate to ask us about our products.

Contact us