![[CP]AdES](https://sic.tech/wp-content/uploads/2018/11/Document-Security.png)
Similar to the PAdES profiles, several formats are defined for CAdES in the specifications ETSI TS 101 733 and ETSI EN 319 122-1 v1.1.1. This toolkit neither supports the legacy signatures CAdES-C and CAdES-X, nor any older versions of the archive timestamp than archive-time-stamp-v3. The classes CadesSignature and CadesSignatureStream provide methods to create or verify CAdES signatures. Use the appropriate parameter classes (CadesBESParameters, CadesTParameters, CadesLTAParameters) to create a signature compliant to the required format.
The PAdES specifications (ETSI TS 102 778 and ETSI EN 319 142-1 v1.1.1) define the format of an electronic signature, that shall be embedded in the PDF document as signature field. Aside from XML related profiles, all of the described PAdES profiles or signature levels are supported. To sign or verify a PDF document, create a PDFSignatureInstance. Via dedicated parameter classes the intended profile can be selected. If you need a PAdES basic signature, use PadesBasicParameters and choose whether a SHA1-hash of the original data shall be included in the signature (subfilter adbe.pkcs7.sha1) or not (subfilter adbe.pkcs7.detached). For a PAdES BES signature use the PadesBESParameters (subfilter ETSI.CAdES.detached). These parameter classes allow to set revocation information and a timestamp authority, in order to include CRLS, OCSP responses and a signature timestamp. In order to include certificates and revocation information (CRLS, OCSP responses) required for a complete signature validation as specified by the PAdES LTV profile, use PadesLTVParameters. Pass these parameters to the signature instance when protecting the document with a document timestamp (subfilter ETSI.RFC3161).
The IAIK [CP]AdES toolkit uses either the PDF library iText (http://itextpdf.com/) or Apache PDFBox (http://pdfbox.apache.org) for handling and modifying the PDF structure, i.e. for extracting and embedding signatures and related data. These PDF libraries will not be provided within the IAIK [CP]AdES toolkit package and have to be obtained from the respective websites. Please note that for using iText a correctly licensed version 5.3.4 or higher is required and version 2.0 or higher for using Apache PDFBox. The latest versions that had been tested with this toolkit were 2.0 for Apache PDFBox and 5.5.9 for the iText library.
Cryptographic data like signature and hash values, CMS signatures, OCSP responses and timestamps are created by IAIK toolkits. The [CP]AdES toolkit is therefore based on IAIK JCE, IAIK CMS and IAIK TSP. You may further need IAIK ECCelerate or the IAIK PKCS#11 provider when using ECC keys or PKCS#11 token objects.
For detailed information on the toolkit, please have a look at the API documentation.
| Class or Package | Bug / Change / New Feature | Description and Examples |
|---|---|---|
| iaik.pdf.asn1objects.AtsHashIndexv3 | B | Fixed |
| Class or Package | Bug / Change / New Feature | Description and Examples |
|---|---|---|
| iaik.pdf | NF, C | Updated PDFBox version to 2.. |
| iaik.pdf.signature.ApprovalSignature | NF | Added method isWholeDocumentCoveredByByteRange() to check for preventing the PDF attacks USF, ISA and SWA (https://www.pdf-insecurity.org/index.html). |
| iaik.pdf | NF | Support for parsing and verifying adbe.x509.rsa_sha1 signatures added. |