[CP]AdES 2.4

The IAIK [CP]AdES toolkit abstracts the creation and verification of signed PDF documents and CAdES signatures. The structure of the toolkit is highly similar to a typical signature engine in the JCA/JCE framework and allows you to easily create signatures compliant to the PAdES and CAdES specifications by using dedicated parameter classes. The official ETSI website providing these specifications can be found here.

Main Features

A complete signature validation is not implemented, but the toolkit rather provides various methods that can be used for such a validation. To verify PAdES signatures, they first have to be extracted by using a PDF signature instance. For parsing a CAdES signature it has to be processed by a CadesSignature or CadesSignatureStream. For each signature various checks can be made according to the signature type (e.g. standard signature or document timestamp). This includes digest and signature value verification, as well as extraction of revocation data and timestamps (if included).

Similar to the PAdES profiles, several formats are defined for CAdES in the specifications ETSI TS 101 733 and ETSI EN 319 122-1 v1.1.1. This toolkit neither supports the legacy signatures CAdES-C and CAdES-X, nor any older versions of the archive timestamp than archive-time-stamp-v3. The classes CadesSignature and CadesSignatureStream provide methods to create or verify CAdES signatures. Use the appropriate parameter classes (CadesBESParameters, CadesTParameters, CadesLTAParameters) to create a signature compliant to the required format.

The PAdES specifications (ETSI TS 102 778 and ETSI EN 319 142-1 v1.1.1) define the format of an electronic signature, that shall be embedded in the PDF document as signature field. Aside from XML related profiles, all of the described PAdES profiles or signature levels are supported. To sign or verify a PDF document, create a PDFSignatureInstance. Via dedicated parameter classes the intended profile can be selected. If you need a PAdES basic signature, use PadesBasicParameters and choose whether a SHA1-hash of the original data shall be included in the signature (subfilter adbe.pkcs7.sha1) or not (subfilter adbe.pkcs7.detached). For a PAdES BES signature use the PadesBESParameters (subfilter ETSI.CAdES.detached). These parameter classes allow to set revocation information and a timestamp authority, in order to include CRLS, OCSP responses and a signature timestamp. In order to include certificates and revocation information (CRLS, OCSP responses) required for a complete signature validation as specified by the PAdES LTV profile, use PadesLTVParameters. Pass these parameters to the signature instance when protecting the document with a document timestamp (subfilter ETSI.RFC3161).

The IAIK [CP]AdES toolkit uses either the PDF library iText (http://itextpdf.com/) or Apache PDFBox (http://pdfbox.apache.org) for handling and modifying the PDF structure, i.e. for extracting and embedding signatures and related data. These PDF libraries will not be provided within the IAIK [CP]AdES toolkit package and have to be obtained from the respective websites. Please note that for using iText a correctly licensed version 5.3.4 or higher is required and version 2.0 or higher for using Apache PDFBox. The latest versions that had been tested with this toolkit were 2.0 for Apache PDFBox and 5.5.9 for the iText library.

Cryptographic data like signature and hash values, CMS signatures, OCSP responses and timestamps are created by IAIK toolkits. The [CP]AdES toolkit is therefore based on IAIK JCE, IAIK CMS and IAIK TSP. You may further need IAIK ECCelerate or the IAIK PKCS#11 provider when using ECC keys or PKCS#11 token objects.

For detailed information on the toolkit, please have a look at the API documentation.

IAIK [CP]AdES 2.4 – 6. September 2019
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf.asn1objects.AtsHashIndexv3 B

Fixed toASN1Object() to include the hashIndAlgorithm component in any case (even if SHA-256 is used; no DEFAULT value anymore).

IAIK [CP]AdES 2.3 – 18. March 2019
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf NF, C

Updated PDFBox version to 2..

iaik.pdf.signature.ApprovalSignature NF

Added method isWholeDocumentCoveredByByteRange() to check for preventing the PDF attacks USF, ISA and SWA (https://www.pdf-insecurity.org/index.html).

iaik.pdf NF

Support for parsing and verifying adbe.x509.rsa_sha1 signatures added.

IAIK [CP]AdES 2.2 – 2. December 2016
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf NF

Add parameter classes and methods for supporting the archive timestamp as defined in ETSI EN 319 122-1 v1.1.1.

iaik.pdf NF

Add methods and classes to support the content timestamp as defined in ETSI TS 101 733 and ETSI EN 319 122.

iaik.pdf NF

Support multiple signature time stamps.

iaik.pdf.asn1objects NF

Add dedicated class for the signature-policy-identifier and signature-policy-qualifier-info as required for CAdES-EPES and PAdES-EPES.

iaik.pdf.cmscades C

Provide two different methods for encoding the signature object: encodeSignature for new signatures and encodeUpgradedSignature for upgraded signatures.

iaik.pdf.cmscades.AbstractCadesSignature NF

Methods to extract time stamps using the signer certificate additionally to using the signer info index.

iaik.pdf.parameters.CadesBESParameters NF

Add signing time attribute by default as required by ETSI EN 319 122-1.

iaik.pdf.pdfbox.PdfSignatureDetailsPdfBox B

Return correct signature name with getName() – instead of signer’s name.

iaik.pdf.signature.PdfSignatureInstance NF

Methods to read from a stream (and write to a stream) to create and verify signatures.

IAIK [CP]AdES 2.1 – 14. August 2015
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf.cmscades B

Javadoc of previously obfuscated methods is now correctly displayed.

iaik.pdf.cmscades.CadesSignature(Stream) B

Add certificates to signed data for new signer info instead of replacing existing ones.

iaik.pdf.cmscades.OcspResponseUtil NF

Add method for requesting an OCSP response using a signed request.

iaik.pdf.itext.PdfSignatureInstanceItext B

Correctly use reason, location and contact as configured in parameter class. Only empty string was previously set. Also allow null values.

iaik.pdf.parameters B

Reason, location and contact now default to null instead of empty string.

iaik.pdf.parameters NF

OCSP responder URL can be set together with optional key and certificates to sign the OCSP request during signature creation.

iaik.pdf.parameters NF

Support multiple OCSP responses to be added to a PAdES signature.

iaik.pdf.parameters B

Fixed a bug that prevented signature timestamp creation although TSA URL was set.

iaik.pdf.pdfbox.PdfSignatureInstancePdfbox NF

Configure visible signature by providing PdfBox’s PDVisibleSigProperties to ((PdfSignatureInstancePdfbox) sigInst) .setPDVisibleSigProperties.

iaik.pdf.pdfbox.PdfSignatureInstancePdfbox B

PdfBox’s method PDDocument.saveIncremental(FileInputStream, OutputStream) was changed to take InputStream instead of FileInputStream in version 1.8.8. This leads to a NoSuchMethodError for previous versions. Use reflection to support also previous versions again.

iaik.pdf.signature.ApprovalSignature.getOcspRevocationStatus B

Use the first OCSP response, that was actually requested for the signer’s certificate. In previous version an exception was thrown if the first OCSP response did not include an response for the signer’s certificate (but for an intermediate CA certificate for example).

IAIK [CP]AdES 2.0 – 6. March 2015
Class or Package Bug / Change / New Feature Description and Examples
iaik.pdf C

Add Apache PDFBox as possible underlying PDF library. Either iText or PDFBox can now be used.

iaik.pdf C

Complete restructuring to provide a general interface independent from underlying PDF libraries.

iaik.pdf.signature NF

Adding support for certification signature and document timestamps according to PAdES LTV.

iaik.pdf.signature NF

Allow extraction of signatures and signature details from a PDF file.

iaik.pdf.signature NF

Add support for CAdES signatures (according to CAdES-BES and CAdES-T).

Any questions?

Don‘t hestitate to ask us about our products.

Contact us