Similar to the PAdES profiles, several formats are defined for CAdES in the specifications ETSI TS 101 733 and ETSI EN 319 122-1 v1.1.1. This toolkit neither supports the legacy signatures CAdES-C and CAdES-X, nor any older versions of the archive timestamp than archive-time-stamp-v3. The classes CadesSignature and CadesSignatureStream provide methods to create or verify CAdES signatures. Use the appropriate parameter classes (CadesBESParameters, CadesTParameters, CadesLTAParameters) to create a signature compliant to the required format.
The PAdES specifications (ETSI TS 102 778 and ETSI EN 319 142-1 v1.1.1) define the format of an electronic signature that shall be embedded in the PDF document as a signature field. Aside from the XML related profiles, all of the described PAdES profiles or signature levels are supported. To sign or verify a PDF document, create a PDFSignatureInstance. The intended profile is selected via dedicated parameter classes. If you need a PAdES basic signature, use PadesBasicParameters and choose whether a SHA1 hash of the original data shall be included in the signature (subfilter adbe.pkcs7.sha1) or not (subfilter adbe.pkcs7.detached). For a PAdES BES signature use the PadesBESParameters (subfilter ETSI.CAdES.detached). These parameter classes allow you to set revocation information and a timestamp authority, in order to include CRLs, OCSP responses and a signature timestamp. In order to include the certificates and revocation information (CRLs, OCSP responses) required for a complete signature validation as specified by the PAdES LTV profile, use PadesLTVParameters. Pass these parameters to the signature instance when protecting the document with a document timestamp (subfilter ETSI.RFC3161).
The IAIK [CP]AdES toolkit uses either the PDF library iText (http://itextpdf.com/) or Apache PDFBox (http://pdfbox.apache.org) for handling and modifying the PDF structure, i.e. for extracting and embedding signatures and related data. These PDF libraries are not provided within the IAIK [CP]AdES toolkit package and have to be obtained from the respective websites. Please note that a correctly licensed version 5.3.4 or higher is required for using iText, and version 2.0 or higher for using Apache PDFBox. The latest versions that have been tested with this toolkit are 2.0 for Apache PDFBox and 5.5.9 for the iText library.
Cryptographic data like signature and hash values, CMS signatures, OCSP responses and timestamps are created by IAIK toolkits. The [CP]AdES toolkit is therefore based on IAIK JCE, IAIK CMS and IAIK TSP. You may further need IAIK ECCelerate or the IAIK PKCS#11 provider when using ECC keys or PKCS#11 token objects.
For detailed information on the toolkit, please have a look at the API documentation.
Class or Package | Bug / Change / New Feature | Description and Examples |
---|---|---|
iaik.pdf.asn1objects.AtsHashIndexv3 | B | Fixed |
Class or Package | Bug / Change / New Feature | Description and Examples |
---|---|---|
iaik.pdf | NF, C | Updated PDFBox version to 2.0. |
iaik.pdf.signature.ApprovalSignature | NF | Added method isWholeDocumentCoveredByByteRange() to check whether the signature's byte range covers the whole document, as a defence against the PDF attacks USF, ISA and SWA (https://www.pdf-insecurity.org/index.html). |
iaik.pdf | NF | Support for parsing and verifying adbe.x509.rsa_sha1 signatures added. |
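The whole-document check named above (isWholeDocumentCoveredByByteRange) and the subfilter names from the PAdES overview can be illustrated independently of any PDF library. The following is an added example, not code from the IAIK toolkit: it scans a byte string for /Type /Sig dictionaries, reports each signature's /SubFilter and applies the commonly recommended rule that /ByteRange [a b c d] must start at offset 0, end at end of file and leave out exactly the /Contents hex string. The sample documents are constructed PDF-like byte strings, not real PDFs, and the regex-based dictionary scan is an assumption that keeps the example short (it does not handle nested dictionaries or cross-reference streams).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Dictionary that declares /Type /Sig; naive scan for "<< ... >>" (no nested
# dictionaries), sufficient for the constructed samples below.
SIG_DICT = re.compile(rb"<<(?:(?!>>).)*?/Type\s*/Sig\b(?:(?!>>).)*?>>", re.DOTALL)


def _subfilter(d: bytes) -> Optional[str]:
    m = re.search(rb"/SubFilter\s*/([^\s/<>\[\]]+)", d)
    return m.group(1).decode() if m else None


def _byte_range(d: bytes) -> Optional[List[int]]:
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", d)
    return [int(x) for x in m.groups()] if m else None


def _contents_span(d: bytes):
    # Offsets (relative to the dictionary) of the /Contents hex string,
    # including its "<" and ">" delimiters.
    m = re.search(rb"/Contents\s*(<[0-9A-Fa-f\s]*>)", d)
    return (m.start(1), m.end(1)) if m else None


@dataclass
class SignatureCheck:
    subfilter: Optional[str]
    byte_range: Optional[List[int]]
    covers_whole_document: bool
    reason: str


def check_signatures(pdf: bytes) -> List[SignatureCheck]:
    """Apply the whole-document rule to every signature dictionary in pdf:
    /ByteRange [a b c d] must start at 0, end at EOF and leave out exactly
    the /Contents hex string."""
    results = []
    for m in SIG_DICT.finditer(pdf):
        d, base = m.group(0), m.start()
        sub, br, span = _subfilter(d), _byte_range(d), _contents_span(d)
        if br is None or span is None:
            results.append(SignatureCheck(sub, br, False, "missing /ByteRange or /Contents"))
            continue
        c_start, c_end = base + span[0], base + span[1]
        a, b, c, dl = br
        if a != 0:
            reason = "first range does not start at offset 0"
        elif a + b != c_start:
            reason = "first range does not end exactly at the /Contents string"
        elif c != c_end:
            reason = "second range does not start right after the /Contents string"
        elif c + dl > len(pdf):
            reason = "range extends past the end of the file"
        elif c + dl < len(pdf):
            reason = "%d trailing bytes are not covered by the signature" % (len(pdf) - c - dl)
        else:
            reason = "ok"
        results.append(SignatureCheck(sub, br, reason == "ok", reason))
    return results


def build_sample(subfilter: bytes, append: bytes = b"") -> bytes:
    """Constructed PDF-like byte string (not a valid PDF) with one signature
    dictionary whose /ByteRange matches the real offsets; `append` simulates
    data added after the signed ranges, e.g. an unsigned incremental update."""
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /"
            + subfilter + b"\n/Contents ")
    contents = b"<" + b"00" * 16 + b">"       # constructed placeholder for the CMS blob
    before_range = b"\n/ByteRange ["
    after_range = b"] >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    c_start = len(head)                       # offset of "<"
    c_end = c_start + len(contents)           # offset just after ">"
    range_width = 4 * 10 + 3                  # four zero-padded 10-digit numbers
    total = c_end + len(before_range) + range_width + len(after_range)
    br = [0, c_start, c_end, total - c_end]
    range_bytes = b" ".join(b"%010d" % n for n in br)
    return head + contents + before_range + range_bytes + after_range + append


if __name__ == "__main__":
    samples = [("intact", build_sample(b"ETSI.CAdES.detached")),
               ("appended", build_sample(b"adbe.pkcs7.detached",
                                         append=b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"))]
    for name, doc in samples:
        for r in check_signatures(doc):
            print(name, r.subfilter, r.byte_range, r.covers_whole_document, r.reason)
```

The second sample shows the situation the check is meant to catch: the signature itself still verifies over its declared ranges, but bytes appended after them are outside the signed data, so a verifier that only checks the CMS signature would not notice them.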
Class or Package | Bug / Change / New Feature | Description and Examples |
---|---|---|
iaik.pdf | NF | Add parameter classes and methods for supporting the archive timestamp as defined in ETSI EN 319 122-1 v1.1.1. |
iaik.pdf | NF | Add methods and classes to support the content timestamp as defined in ETSI TS 101 733 and ETSI EN 319 122. |
iaik.pdf | NF | Support multiple signature time stamps. |
iaik.pdf.asn1objects | NF | Add dedicated class for the signature-policy-identifier and signature-policy-qualifier-info as required for CAdES-EPES and PAdES-EPES. |
iaik.pdf.cmscades | C | Provide two different methods for encoding the signature object: encodeSignature for new signatures and encodeUpgradedSignature for upgraded signatures. |
iaik.pdf.cmscades.AbstractCadesSignature | NF | Methods to extract time stamps using the signer certificate, in addition to using the signer info index. |
iaik.pdf.parameters.CadesBESParameters | NF | Add signing time attribute by default as required by ETSI EN 319 122-1. |
iaik.pdf.pdfbox.PdfSignatureDetailsPdfBox | B | Return the correct signature name from getName() instead of the signer's name. |
iaik.pdf.signature.PdfSignatureInstance | NF | Methods to read from a stream (and write to a stream) to create and verify signatures. |
Class or Package | Bug / Change / New Feature | Description and Examples |
---|---|---|
iaik.pdf.cmscades | B | Javadoc of previously obfuscated methods is now correctly displayed. |
iaik.pdf.cmscades.CadesSignature(Stream) | B | Add certificates to signed data for new signer info instead of replacing existing ones. |
iaik.pdf.cmscades.OcspResponseUtil | NF | Add method for requesting an OCSP response using a signed request. |
iaik.pdf.itext.PdfSignatureInstanceItext | B | Correctly use reason, location and contact as configured in the parameter class; previously only an empty string was set. Null values are now also allowed. |
iaik.pdf.parameters | B | Reason, location and contact now default to null instead of empty string. |
iaik.pdf.parameters | NF | OCSP responder URL can be set together with optional key and certificates to sign the OCSP request during signature creation. |
iaik.pdf.parameters | NF | Support multiple OCSP responses to be added to a PAdES signature. |
iaik.pdf.parameters | B | Fixed a bug that prevented signature timestamp creation even though the TSA URL was set. |
iaik.pdf.pdfbox.PdfSignatureInstancePdfbox | NF | Configure a visible signature by providing PdfBox's PDVisibleSigProperties to ((PdfSignatureInstancePdfbox) sigInst).setPDVisibleSigProperties. |
iaik.pdf.pdfbox.PdfSignatureInstancePdfbox | B | PdfBox's method PDDocument.saveIncremental(FileInputStream, OutputStream) was changed in version 1.8.8 to take an InputStream instead of a FileInputStream, which leads to a NoSuchMethodError with previous versions. Reflection is now used so that previous versions are supported again. |
iaik.pdf.signature.ApprovalSignature.getOcspRevocationStatus | B | Use the first OCSP response that actually contains a response for the signer's certificate. In previous versions an exception was thrown if the first OCSP response did not include a response for the signer's certificate (but for an intermediate CA certificate, for example). |
Class or Package | Bug / Change / New Feature | Description and Examples |
---|---|---|
iaik.pdf | C | Add Apache PDFBox as possible underlying PDF library. Either iText or PDFBox can now be used. |
iaik.pdf | C | Complete restructuring to provide a general interface independent from underlying PDF libraries. |
iaik.pdf.signature | NF | Add support for certification signatures and document timestamps according to PAdES LTV. |
iaik.pdf.signature | NF | Allow extraction of signatures and signature details from a PDF file. |
iaik.pdf.signature | NF | Add support for CAdES signatures (according to CAdES-BES and CAdES-T). |