Package org.apache.poi.poifs.crypt.dsig
Class SignatureConfig
- java.lang.Object
  - org.apache.poi.poifs.crypt.dsig.SignatureConfig

public class SignatureConfig extends java.lang.Object

This class bundles the configuration options used for the existing signature facets. Apart from the thread-local members (e.g. the OPC package), most values will probably be constant, so the object can be configured centrally (e.g. by Spring).
-
Nested Class Summary
Modifier and Type  Class
static class       SignatureConfig.CRLEntry
-
Field Summary
Modifier and Type         Field
static java.lang.String   SIGNATURE_TIME_FORMAT
-
Constructor Summary
Constructor
SignatureConfig()
-
Method Summary
Modifier and Type  Method and Description
void  addCachedCertificate(java.lang.String alias, byte[] x509Bytes)
void  addCachedCertificate(java.lang.String alias, java.security.cert.X509Certificate x509)
    Add certificate into keystore (cache) for further certificate chain lookups
SignatureConfig.CRLEntry  addCRL(java.lang.String crlURL, java.lang.String certCN, byte[] crlBytes)
void  addSignatureFacet(SignatureFacet signatureFacet)
java.lang.String  formatExecutionTime()
java.security.cert.X509Certificate  getCachedCertificateByPrinicipal(java.lang.String principalName)
java.lang.String  getCanonicalizationMethod()
java.lang.String  getCommitmentType()
java.util.List<SignatureConfig.CRLEntry>  getCrlEntries()
HashAlgorithm  getDigestAlgo()
java.lang.String  getDigestMethodUri()
static java.lang.String  getDigestMethodUri(HashAlgorithm digestAlgo)
    Converts the digest algorithm - currently only sha* and ripemd160 are supported.
java.util.Date  getExecutionTime()
java.security.PrivateKey  getKey()
javax.xml.crypto.dsig.keyinfo.KeyInfoFactory  getKeyInfoFactory()
    Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
java.security.KeyStore  getKeyStore()
java.util.Map<java.lang.String,java.lang.String>  getNamespacePrefixes()
OPCPackage  getOpcPackage()
    Deprecated. in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
java.lang.String  getPackageSignatureId()
java.security.Provider  getProvider()
    Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
static java.lang.String[]  getProviderNames()
    Determine the possible classes for XMLSEC.
java.lang.String  getProxyUrl()
RevocationDataService  getRevocationDataService()
java.lang.String  getSignatureDescription()
java.util.List<SignatureFacet>  getSignatureFacets()
javax.xml.crypto.dsig.XMLSignatureFactory  getSignatureFactory()
    Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
byte[]  getSignatureImage()
byte[]  getSignatureImageInvalid()
ClassID  getSignatureImageSetupId()
byte[]  getSignatureImageValid()
SignatureMarshalListener  getSignatureMarshalListener()
java.lang.String  getSignatureMethodUri()
SignaturePolicyService  getSignaturePolicyService()
java.util.List<java.security.cert.X509Certificate>  getSigningCertificateChain()
HashAlgorithm  getTspDigestAlgo()
TimeStampHttpClient  getTspHttpClient()
java.lang.String  getTspPass()
java.lang.String  getTspRequestPolicy()
TimeStampService  getTspService()
java.lang.String  getTspUrl()
java.lang.String  getTspUser()
TimeStampServiceValidator  getTspValidator()
javax.xml.crypto.URIDereferencer  getUriDereferencer()
    Deprecated. in POI 5.0.0 - use SignatureInfo.getUriDereferencer() instead
java.lang.String  getUserAgent()
java.lang.String  getXadesCanonicalizationMethod()
HashAlgorithm  getXadesDigestAlgo()
java.lang.String  getXadesRole()
java.lang.String  getXadesSignatureId()
boolean  isAllowCRLDownload()
boolean  isAllowMultipleSignatures()
boolean  isIncludeEntireCertificateChain()
boolean  isIncludeIssuerSerial()
boolean  isIncludeKeyValue()
boolean  isSecureValidation()
boolean  isTspOldProtocol()
boolean  isUpdateConfigOnValidate()
boolean  isXadesIssuerNameNoReverseOrder()
    Make sure the DN is encoded using the same order as present within the certificate.
boolean  isXadesSignaturePolicyImplied()
void  setAllowCRLDownload(boolean allowCRLDownload)
void  setAllowMultipleSignatures(boolean allowMultipleSignatures)
    Activate multiple signatures
void  setCanonicalizationMethod(java.lang.String canonicalizationMethod)
void  setCommitmentType(java.lang.String commitmentType)
    Set the commitmentType, which is usually one of ...
void  setDigestAlgo(HashAlgorithm digestAlgo)
void  setExecutionTime(java.lang.String executionTime)
    Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
void  setExecutionTime(java.util.Date executionTime)
void  setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)
void  setIncludeIssuerSerial(boolean includeIssuerSerial)
void  setIncludeKeyValue(boolean includeKeyValue)
void  setKey(java.security.PrivateKey key)
void  setKeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory keyInfoFactory)
    Deprecated. in POI 5.0.0 - use SignatureInfo.setKeyInfoFactory(KeyInfoFactory)
void  setNamespacePrefixes(java.util.Map<java.lang.String,java.lang.String> namespacePrefixes)
void  setOpcPackage(OPCPackage opcPackage)
    Deprecated. in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
void  setPackageSignatureId(java.lang.String packageSignatureId)
void  setProvider(java.security.Provider provider)
    Deprecated. in POI 5.0.0 - use SignatureInfo.setProvider(Provider)
void  setProxyUrl(java.lang.String proxyUrl)
void  setRevocationDataService(RevocationDataService revocationDataService)
void  setSecureValidation(boolean secureValidation)
    Enable or disable secure validation - default is enabled.
void  setSignatureDescription(java.lang.String signatureDescription)
void  setSignatureFacets(java.util.List<SignatureFacet> signatureFacets)
void  setSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory signatureFactory)
    Deprecated. in POI 5.0.0 - use SignatureInfo.setSignatureFactory(XMLSignatureFactory)
void  setSignatureImage(byte[] signatureImage)
void  setSignatureImageInvalid(byte[] signatureImageInvalid)
void  setSignatureImageSetupId(ClassID signatureImageSetupId)
void  setSignatureImageValid(byte[] signatureImageValid)
void  setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener)
void  setSignatureMethodFromUri(java.lang.String signatureMethodUri)
    Set the digest algorithm based on the method uri.
void  setSignaturePolicyService(SignaturePolicyService signaturePolicyService)
void  setSigningCertificateChain(java.util.List<java.security.cert.X509Certificate> signingCertificateChain)
void  setTspDigestAlgo(HashAlgorithm tspDigestAlgo)
void  setTspHttpClient(TimeStampHttpClient tspHttpClient)
void  setTspOldProtocol(boolean tspOldProtocol)
void  setTspPass(java.lang.String tspPass)
void  setTspRequestPolicy(java.lang.String tspRequestPolicy)
void  setTspService(TimeStampService tspService)
void  setTspUrl(java.lang.String tspUrl)
void  setTspUser(java.lang.String tspUser)
void  setTspValidator(TimeStampServiceValidator tspValidator)
void  setUpdateConfigOnValidate(boolean updateConfigOnValidate)
    The signature config can be updated if a document is successfully validated.
void  setUriDereferencer(javax.xml.crypto.URIDereferencer uriDereferencer)
    Deprecated. in POI 5.0.0 - use SignatureInfo.setUriDereferencer(URIDereferencer) instead
void  setUserAgent(java.lang.String userAgent)
void  setXadesCanonicalizationMethod(java.lang.String xadesCanonicalizationMethod)
void  setXadesDigestAlgo(java.lang.String xadesDigestAlgo)
void  setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)
void  setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)
void  setXadesRole(java.lang.String xadesRole)
void  setXadesSignatureId(java.lang.String xadesSignatureId)
void  setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)
-
Field Detail
-
SIGNATURE_TIME_FORMAT
public static final java.lang.String SIGNATURE_TIME_FORMAT
- See Also:
- Constant Field Values
-
-
Method Detail
-
addSignatureFacet
public void addSignatureFacet(SignatureFacet signatureFacet)
- Parameters:
signatureFacet
- the signature facet is appended to facet list
-
getSignatureFacets
public java.util.List<SignatureFacet> getSignatureFacets()
- Returns:
- the list of facets, may be empty when the config object is not initialized
-
setSignatureFacets
public void setSignatureFacets(java.util.List<SignatureFacet> signatureFacets)
- Parameters:
signatureFacets
- the new list of facets
-
getDigestAlgo
public HashAlgorithm getDigestAlgo()
- Returns:
- the main digest algorithm, defaults to sha256
-
setDigestAlgo
public void setDigestAlgo(HashAlgorithm digestAlgo)
- Parameters:
digestAlgo
- the main digest algorithm
-
getOpcPackage
@Deprecated @Removal(version="5.0.0") public OPCPackage getOpcPackage()
Deprecated. in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
- Returns:
- the opc package to be used by this thread, stored as thread-local
-
setOpcPackage
@Deprecated @Removal(version="5.0.0") public void setOpcPackage(OPCPackage opcPackage)
Deprecated. in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
- Parameters:
opcPackage
- the opc package to be handled by this thread, stored as thread-local
-
getKey
public java.security.PrivateKey getKey()
- Returns:
- the private key
-
setKey
public void setKey(java.security.PrivateKey key)
- Parameters:
key
- the private key
-
getSigningCertificateChain
public java.util.List<java.security.cert.X509Certificate> getSigningCertificateChain()
- Returns:
- the certificate chain, index 0 is usually the certificate matching the private key
-
setSigningCertificateChain
public void setSigningCertificateChain(java.util.List<java.security.cert.X509Certificate> signingCertificateChain)
- Parameters:
signingCertificateChain
- the certificate chain, index 0 should be the certificate matching the private key
-
getExecutionTime
public java.util.Date getExecutionTime()
- Returns:
- the time at which the document is signed, also used for the timestamp service. defaults to now
-
setExecutionTime
public void setExecutionTime(java.util.Date executionTime)
- Parameters:
executionTime
- sets the time at which the document ought to be signed
-
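The setters around this point (key, certificate chain, digest algorithm, execution time, timestamp-service settings) are normally populated together before a document is signed. The following added example is not part of the POI Javadoc or of the POI code base; it shows one way to build a SignatureConfig for signing and hand it to SignatureInfo (the replacement for the deprecated SignatureConfig.setOpcPackage). The keystore file "signer.p12", alias "signer", the document "contract.docx" and the environment variable names are placeholders.

```java
// Added example (not POI's own code): configure a SignatureConfig for signing an
// OOXML package. File names, the key alias and the environment variable names are
// placeholders chosen for this example.
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

public class SignDocumentExample {

    /** The constant, thread-independent part of the configuration. */
    static SignatureConfig buildConfig(PrivateKey key, List<X509Certificate> chain) {
        SignatureConfig cfg = new SignatureConfig();
        cfg.setKey(key);
        // index 0 must be the certificate matching the private key
        cfg.setSigningCertificateChain(chain);
        cfg.setDigestAlgo(HashAlgorithm.sha256);      // the documented default, made explicit
        cfg.setIncludeEntireCertificateChain(true);   // verifiers can build the path without lookups
        cfg.setIncludeIssuerSerial(true);
        cfg.setExecutionTime(new Date());             // also used for the timestamp request
        cfg.setSignatureDescription("Office OpenXML Document");
        cfg.setAllowMultipleSignatures(false);        // replace any existing signatures
        return cfg;
    }

    /** Optional RFC 3161 timestamp settings; tspUrl and credentials come from the caller. */
    static SignatureConfig withTimestamp(SignatureConfig cfg, String tspUrl, String user, String pass) {
        cfg.setTspUrl(tspUrl);
        cfg.setTspDigestAlgo(HashAlgorithm.sha256);   // null would fall back to the main digest
        cfg.setTspOldProtocol(false);                 // timestamp-query/reply mimetypes
        cfg.setTspUser(user);                         // only basic authorization is supported
        cfg.setTspPass(pass);
        cfg.setUserAgent("example-signer/1.0");
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        String pwEnv = System.getenv("SIGNER_P12_PASSWORD");   // placeholder variable name
        char[] pw = (pwEnv == null ? "" : pwEnv).toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("signer.p12")) {
            ks.load(in, pw);
        }
        PrivateKey key = (PrivateKey) ks.getKey("signer", pw);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : ks.getCertificateChain("signer")) {
            chain.add((X509Certificate) c);
        }

        SignatureConfig cfg = buildConfig(key, chain);
        String tspUrl = System.getenv("TSP_URL");             // placeholder variable name
        if (tspUrl != null) {
            withTimestamp(cfg, tspUrl, System.getenv("TSP_USER"), System.getenv("TSP_PASS"));
        }

        try (OPCPackage pkg = OPCPackage.open(new File("contract.docx"), PackageAccess.READ_WRITE)) {
            SignatureInfo si = new SignatureInfo();
            si.setOpcPackage(pkg);          // per-thread state lives on SignatureInfo, not the config
            si.setSignatureConfig(cfg);
            si.confirmSignature();          // digests the package parts and writes the signature part
            System.out.println("signature valid after signing: " + si.verifySignature());
        }
    }
}
```

The split between buildConfig and withTimestamp mirrors the class description: the signing material and algorithm choices are constant and can be created once (e.g. by a DI container), while the OPC package is per-thread and is attached to SignatureInfo at signing time.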
formatExecutionTime
public java.lang.String formatExecutionTime()
- Returns:
- the formatted execution time (SIGNATURE_TIME_FORMAT)
- Since:
- POI 4.0.0
-
setExecutionTime
public void setExecutionTime(java.lang.String executionTime)
Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
- Parameters:
executionTime
- the execution time
- Since:
- POI 4.0.0
-
getSignaturePolicyService
public SignaturePolicyService getSignaturePolicyService()
- Returns:
- the service to be used for XAdES-EPES properties. There's no default implementation
-
setSignaturePolicyService
public void setSignaturePolicyService(SignaturePolicyService signaturePolicyService)
- Parameters:
signaturePolicyService
- the service to be used for XAdES-EPES properties
-
getUriDereferencer
@Deprecated @Removal(version="5.0.0") public javax.xml.crypto.URIDereferencer getUriDereferencer()
Deprecated. in POI 5.0.0 - use SignatureInfo.getUriDereferencer() instead
- Returns:
- the dereferencer used for Reference/@URI attributes, defaults to OOXMLURIDereferencer
-
setUriDereferencer
@Deprecated @Removal(version="5.0.0") public void setUriDereferencer(javax.xml.crypto.URIDereferencer uriDereferencer)
Deprecated. in POI 5.0.0 - use SignatureInfo.setUriDereferencer(URIDereferencer) instead
- Parameters:
uriDereferencer
- the dereferencer used for Reference/@URI attributes
-
getSignatureDescription
public java.lang.String getSignatureDescription()
- Returns:
- Gives back the human-readable description of what the citizen will be signing. The default value is "Office OpenXML Document".
-
setSignatureDescription
public void setSignatureDescription(java.lang.String signatureDescription)
- Parameters:
signatureDescription
- the human-readable description of what the citizen will be signing.
-
getSignatureImage
public byte[] getSignatureImage()
-
getSignatureImageValid
public byte[] getSignatureImageValid()
-
getSignatureImageInvalid
public byte[] getSignatureImageInvalid()
-
getSignatureImageSetupId
public ClassID getSignatureImageSetupId()
-
setSignatureImageSetupId
public void setSignatureImageSetupId(ClassID signatureImageSetupId)
-
setSignatureImage
public void setSignatureImage(byte[] signatureImage)
-
setSignatureImageValid
public void setSignatureImageValid(byte[] signatureImageValid)
-
setSignatureImageInvalid
public void setSignatureImageInvalid(byte[] signatureImageInvalid)
-
getCanonicalizationMethod
public java.lang.String getCanonicalizationMethod()
- Returns:
- the default canonicalization method, defaults to INCLUSIVE
-
setCanonicalizationMethod
public void setCanonicalizationMethod(java.lang.String canonicalizationMethod)
- Parameters:
canonicalizationMethod
- the default canonicalization method
-
getPackageSignatureId
public java.lang.String getPackageSignatureId()
- Returns:
- The signature Id attribute value used to create the XML signature. Defaults to "idPackageSignature"
-
setPackageSignatureId
public void setPackageSignatureId(java.lang.String packageSignatureId)
- Parameters:
packageSignatureId
- The signature Id attribute value used to create the XML signature. A null value will trigger an automatically generated signature Id.
-
getTspUrl
public java.lang.String getTspUrl()
- Returns:
- the url of the timestamp provider (TSP)
-
setTspUrl
public void setTspUrl(java.lang.String tspUrl)
- Parameters:
tspUrl
- the url of the timestamp provider (TSP)
-
isTspOldProtocol
public boolean isTspOldProtocol()
- Returns:
- if true, uses timestamp-request/response mimetype, if false, timestamp-query/reply mimetype
-
setTspOldProtocol
public void setTspOldProtocol(boolean tspOldProtocol)
- Parameters:
tspOldProtocol
- defines the timestamp-protocol mimetype
- See Also:
- isTspOldProtocol()
-
getTspDigestAlgo
public HashAlgorithm getTspDigestAlgo()
- Returns:
- the hash algorithm to be used for the timestamp entry. Defaults to the hash algorithm of the main entry
-
setTspDigestAlgo
public void setTspDigestAlgo(HashAlgorithm tspDigestAlgo)
- Parameters:
tspDigestAlgo
- the algorithm to be used for the timestamp entry. If null, the hash algorithm of the main entry is used
-
getProxyUrl
public java.lang.String getProxyUrl()
- Returns:
- the proxy url to be used for all communications. Currently this affects the timestamp service
-
setProxyUrl
public void setProxyUrl(java.lang.String proxyUrl)
- Parameters:
proxyUrl
- the proxy url to be used for all communications. Currently this affects the timestamp service
-
getTspService
public TimeStampService getTspService()
- Returns:
- the timestamp service. Defaults to TSPTimeStampService
-
setTspService
public void setTspService(TimeStampService tspService)
- Parameters:
tspService
- the timestamp service
-
getTspHttpClient
public TimeStampHttpClient getTspHttpClient()
- Returns:
- the http client used for timestamp server connections
- Since:
- POI 5.2.1
-
setTspHttpClient
public void setTspHttpClient(TimeStampHttpClient tspHttpClient)
- Parameters:
tspHttpClient
- the http client used for timestamp server connections
- Since:
- POI 5.2.1
-
getTspUser
public java.lang.String getTspUser()
- Returns:
- the user id for the timestamp service - currently only basic authorization is supported
-
setTspUser
public void setTspUser(java.lang.String tspUser)
- Parameters:
tspUser
- the user id for the timestamp service - currently only basic authorization is supported
-
getTspPass
public java.lang.String getTspPass()
- Returns:
- the password for the timestamp service
-
setTspPass
public void setTspPass(java.lang.String tspPass)
- Parameters:
tspPass
- the password for the timestamp service
-
getTspValidator
public TimeStampServiceValidator getTspValidator()
- Returns:
- the validator for the timestamp service (certificate)
-
setTspValidator
public void setTspValidator(TimeStampServiceValidator tspValidator)
- Parameters:
tspValidator
- the validator for the timestamp service (certificate)
-
getRevocationDataService
public RevocationDataService getRevocationDataService()
- Returns:
- the optional revocation data service used for XAdES-C and XAdES-X-L. When null, the signature will be limited to XAdES-T only.
-
setRevocationDataService
public void setRevocationDataService(RevocationDataService revocationDataService)
- Parameters:
revocationDataService
- the optional revocation data service used for XAdES-C and XAdES-X-L. When null, the signature will be limited to XAdES-T only.
-
getXadesDigestAlgo
public HashAlgorithm getXadesDigestAlgo()
- Returns:
- hash algorithm used for XAdES. Defaults to getDigestAlgo()
-
setXadesDigestAlgo
public void setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)
- Parameters:
xadesDigestAlgo
- hash algorithm used for XAdES. When null, defaults to getDigestAlgo()
-
setXadesDigestAlgo
public void setXadesDigestAlgo(java.lang.String xadesDigestAlgo)
- Parameters:
xadesDigestAlgo
- hash algorithm used for XAdES. When null, defaults to getDigestAlgo()
- Since:
- POI 4.0.0
-
getUserAgent
public java.lang.String getUserAgent()
- Returns:
- the user agent used for http communication (e.g. to the TSP)
-
setUserAgent
public void setUserAgent(java.lang.String userAgent)
- Parameters:
userAgent
- the user agent used for http communication (e.g. to the TSP)
-
getTspRequestPolicy
public java.lang.String getTspRequestPolicy()
- Returns:
- the asn.1 object id for the tsp request policy. Defaults to 1.3.6.1.4.1.13762.3
-
setTspRequestPolicy
public void setTspRequestPolicy(java.lang.String tspRequestPolicy)
- Parameters:
tspRequestPolicy
- the asn.1 object id for the tsp request policy.
-
isIncludeEntireCertificateChain
public boolean isIncludeEntireCertificateChain()
- Returns:
- true, if the whole certificate chain is included in the signature. When false, only the signer cert will be included
-
setIncludeEntireCertificateChain
public void setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)
- Parameters:
includeEntireCertificateChain
- if true, include the whole certificate chain. If false, only include the signer cert
-
isIncludeIssuerSerial
public boolean isIncludeIssuerSerial()
- Returns:
- if true, issuer serial number is included
-
setIncludeIssuerSerial
public void setIncludeIssuerSerial(boolean includeIssuerSerial)
- Parameters:
includeIssuerSerial
- if true, issuer serial number is included
-
isIncludeKeyValue
public boolean isIncludeKeyValue()
- Returns:
- if true, the key value of the public key (certificate) is included
-
setIncludeKeyValue
public void setIncludeKeyValue(boolean includeKeyValue)
- Parameters:
includeKeyValue
- if true, the key value of the public key (certificate) is included
-
getXadesRole
public java.lang.String getXadesRole()
- Returns:
- the xades role element. If null, the claimed role element is omitted. Defaults to null
-
setXadesRole
public void setXadesRole(java.lang.String xadesRole)
- Parameters:
xadesRole
- the xades role element. If null, the claimed role element is omitted.
-
getXadesSignatureId
public java.lang.String getXadesSignatureId()
- Returns:
- the Id for the XAdES SignedProperties element. Defaults to idSignedProperties
-
setXadesSignatureId
public void setXadesSignatureId(java.lang.String xadesSignatureId)
- Parameters:
xadesSignatureId
- the Id for the XAdES SignedProperties element. When null, defaults to idSignedProperties
-
isXadesSignaturePolicyImplied
public boolean isXadesSignaturePolicyImplied()
- Returns:
- when true, include the policy-implied block. Defaults to true
-
setXadesSignaturePolicyImplied
public void setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)
- Parameters:
xadesSignaturePolicyImplied
- when true, include the policy-implied block
-
isXadesIssuerNameNoReverseOrder
public boolean isXadesIssuerNameNoReverseOrder()
Make sure the DN is encoded using the same order as present within the certificate. This is an Office2010 work-around. Should be reverted back. XXX: not correct according to RFC 4514.
- Returns:
- when true, the issuer DN is used instead of the issuer X500 principal
-
setXadesIssuerNameNoReverseOrder
public void setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)
- Parameters:
xadesIssuerNameNoReverseOrder
- when true, the issuer DN is used instead of the issuer X500 principal
-
getSignatureMarshalListener
public SignatureMarshalListener getSignatureMarshalListener()
- Returns:
- the event listener which is active while the xml structure for the signature is created. Defaults to SignatureMarshalListener
-
setSignatureMarshalListener
public void setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener)
- Parameters:
signatureMarshalListener
- the event listener watching the xml structure generation for the signature
-
getNamespacePrefixes
public java.util.Map<java.lang.String,java.lang.String> getNamespacePrefixes()
- Returns:
- the map of namespace uri (key) to prefix (value)
-
setNamespacePrefixes
public void setNamespacePrefixes(java.util.Map<java.lang.String,java.lang.String> namespacePrefixes)
- Parameters:
namespacePrefixes
- the map of namespace uri (key) to prefix (value)
-
getSignatureMethodUri
public java.lang.String getSignatureMethodUri()
- Returns:
- the uri for the signature method; currently only rsa is supported, so it is the rsa variant of the main digest
-
getDigestMethodUri
public java.lang.String getDigestMethodUri()
- Returns:
- the uri for the main digest
-
getDigestMethodUri
public static java.lang.String getDigestMethodUri(HashAlgorithm digestAlgo)
Converts the digest algorithm - currently only sha* and ripemd160 are supported. MS Office only supports sha1, sha256, sha384, sha512.
- Parameters:
digestAlgo
- the digest algorithm
- Returns:
- the uri for the given digest
-
setSignatureMethodFromUri
public void setSignatureMethodFromUri(java.lang.String signatureMethodUri)
Set the digest algorithm based on the method uri. This is used when a signature was successfully validated and the signature configuration is updated
- Parameters:
signatureMethodUri
- the method uri
- Since:
- POI 4.0.0
-
setSignatureFactory
@Deprecated @Removal(version="5.0.0") public void setSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory signatureFactory)
Deprecated. in POI 5.0.0 - use SignatureInfo.setSignatureFactory(XMLSignatureFactory)
- Parameters:
signatureFactory
- the xml signature factory, saved as thread-local
-
getSignatureFactory
@Deprecated @Removal(version="5.0.0") public javax.xml.crypto.dsig.XMLSignatureFactory getSignatureFactory()
Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
- Returns:
- the xml signature factory (thread-local)
-
setKeyInfoFactory
@Deprecated @Removal(version="5.0.0") public void setKeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory keyInfoFactory)
Deprecated. in POI 5.0.0 - use SignatureInfo.setKeyInfoFactory(KeyInfoFactory)
- Parameters:
keyInfoFactory
- the key factory, saved as thread-local
-
getKeyInfoFactory
@Deprecated @Removal(version="5.0.0") public javax.xml.crypto.dsig.keyinfo.KeyInfoFactory getKeyInfoFactory()
Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
- Returns:
- the key factory (thread-local)
-
setProvider
@Internal @Deprecated @Removal(version="5.0.0") public void setProvider(java.security.Provider provider)
Deprecated. in POI 5.0.0 - use SignatureInfo.setProvider(Provider)
Helper method to set the provider
- Parameters:
provider
- the provider
-
getProvider
@Deprecated @Removal(version="5.0.0") public java.security.Provider getProvider()
Deprecated. in POI 5.0.0 - will be handled by SignatureInfo internally
- Returns:
- the cached provider or null if not set before
-
getProviderNames
public static java.lang.String[] getProviderNames()
Determine the possible classes for XMLSEC. The order is:
- the class pointed to by the system property "jsr105Provider"
- the Santuario xmlsec provider
- the JDK xmlsec provider
- Returns:
- a list of possible XMLSEC provider class names
-
getXadesCanonicalizationMethod
public java.lang.String getXadesCanonicalizationMethod()
- Returns:
- the canonicalization method for XAdES-XL signing. Defaults to EXCLUSIVE
- See Also:
- javax.xml.crypto.dsig.CanonicalizationMethod
-
setXadesCanonicalizationMethod
public void setXadesCanonicalizationMethod(java.lang.String xadesCanonicalizationMethod)
- Parameters:
xadesCanonicalizationMethod
- the canonicalization method for XAdES-XL signing
- See Also:
- javax.xml.crypto.dsig.CanonicalizationMethod
-
isUpdateConfigOnValidate
public boolean isUpdateConfigOnValidate()
- Returns:
- true, if the signature config is to be updated based on the successfully validated document
- Since:
- POI 4.0.0
-
setUpdateConfigOnValidate
public void setUpdateConfigOnValidate(boolean updateConfigOnValidate)
The signature config can be updated if a document is successfully validated. This flag is used for activating these modifications. Defaults to false
- Parameters:
updateConfigOnValidate
- if true, update config on validate
- Since:
- POI 4.0.0
-
isAllowMultipleSignatures
public boolean isAllowMultipleSignatures()
- Returns:
- true, if multiple signatures can be attached
- Since:
- POI 4.1.0
-
setAllowMultipleSignatures
public void setAllowMultipleSignatures(boolean allowMultipleSignatures)
Activate multiple signatures
- Parameters:
allowMultipleSignatures
- if true, the signature will be added, otherwise all existing signatures will be replaced by the current one
- Since:
- POI 4.1.0
-
isSecureValidation
public boolean isSecureValidation()
- Returns:
- is secure validation enabled?
- Since:
- POI 5.2.0
-
setSecureValidation
public void setSecureValidation(boolean secureValidation)
Enable or disable secure validation - default is enabled. Starting with xmlsec 2.3.0, larger documents with a lot of document parts started to fail, because a hard-coded maximum of 30 references was allowed for secure validation to succeed.
Secure validation has the following features:
- Limits the number of Transforms per Reference to a maximum of 5.
- Does not allow XSLT transforms.
- Does not allow a RetrievalMethod to reference another RetrievalMethod.
- Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
- Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
- MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
- Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
- Does not allow DTDs
- Since:
- POI 5.2.0
- See Also:
- XmlSec SecureValidation
-
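Secure validation constrains what the XML signature processor will accept while checking a document, and updateConfigOnValidate copies the signer's algorithm choices into the config afterwards. What neither does is decide whether the signing certificate should be trusted: the XML signature check only proves that the document is unchanged with respect to the key in the signature. The following added example, which is not part of the POI Javadoc or code base, verifies every signature part with secure validation on and then checks the embedded certificate chain against a separate trust store using the JDK's PKIX validator. The file names "signed.docx" and "trusted-cas.p12" and the environment variable name are placeholders; the trust store is assumed to hold the accepted CA certificates as trusted-certificate entries.

```java
// Added example (not POI's own code): verify an OOXML package with secure validation,
// then validate the signer's certificate path against a trust store. File names and
// the environment variable name are placeholders chosen for this example.
import java.io.File;
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.poifs.crypt.dsig.SignaturePart;

public class VerifyDocumentExample {

    /** Verification-side config: hardened XML processing, and learn the signer's algorithms. */
    static SignatureConfig verificationConfig() {
        SignatureConfig cfg = new SignatureConfig();
        cfg.setSecureValidation(true);        // the default: no XSLT, no external resolvers, no MD5, no DTDs
        cfg.setUpdateConfigOnValidate(true);  // digest/signature method are taken from the validated document
        return cfg;
    }

    /**
     * PKIX path validation of the chain found in the signature against our own anchors.
     * Certificates that are themselves in the trust store are dropped from the path, since a
     * signer may embed the root when includeEntireCertificateChain was set.
     */
    static boolean isTrusted(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (trustStore.getCertificateAlias(c) == null) {
                path.add(c);
            }
        }
        if (path.isEmpty()) {
            return !chain.isEmpty();          // the signer certificate itself is pinned in the trust store
        }
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);   // supply CRL/OCSP data before enabling this in production
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            return true;
        } catch (GeneralSecurityException e) {
            return false;                     // untrusted anchor, expired cert, bad signature in the path, ...
        }
    }

    public static void main(String[] args) throws Exception {
        String pwEnv = System.getenv("TRUST_P12_PASSWORD");    // placeholder variable name
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream("trusted-cas.p12")) {
            trust.load(in, (pwEnv == null ? "" : pwEnv).toCharArray());
        }

        try (OPCPackage pkg = OPCPackage.open(new File("signed.docx"), PackageAccess.READ)) {
            SignatureInfo si = new SignatureInfo();
            si.setOpcPackage(pkg);
            si.setSignatureConfig(verificationConfig());

            int parts = 0;
            boolean allOk = true;
            // validate each signature part individually rather than relying on a single summary flag
            for (SignaturePart part : si.getSignatureParts()) {
                parts++;
                boolean xmlValid = part.validate();              // integrity + signature over SignedInfo
                List<X509Certificate> chain = part.getCertChain();
                boolean trusted = xmlValid && isTrusted(chain, trust);
                X509Certificate signer = part.getSigner();
                System.out.println(signer.getSubjectX500Principal()
                        + " xmlValid=" + xmlValid + " trusted=" + trusted);
                allOk &= trusted;
            }
            System.out.println("digest method seen in document: "
                    + si.getSignatureConfig().getDigestAlgo());  // filled in by updateConfigOnValidate
            System.out.println(parts == 0 ? "no signature present" : "all signatures trusted: " + allOk);
        }
    }
}
```

Treat an unsigned document and a document with an untrusted signer the same way in calling code: both mean the content has not been vouched for by anyone you accept. The printed digest method is useful for policy checks, for example rejecting documents still signed with sha1 even when the signature itself verifies.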
getCommitmentType
public java.lang.String getCommitmentType()
-
setCommitmentType
public void setCommitmentType(java.lang.String commitmentType)
Set the commitmentType, which is usually one of ...
- "Created and approved this document"
- "Approved this document"
- "Created this document"
- ... or any other important sounding statement
-
addCRL
public SignatureConfig.CRLEntry addCRL(java.lang.String crlURL, java.lang.String certCN, byte[] crlBytes)
-
getCrlEntries
public java.util.List<SignatureConfig.CRLEntry> getCrlEntries()
-
isAllowCRLDownload
public boolean isAllowCRLDownload()
-
setAllowCRLDownload
public void setAllowCRLDownload(boolean allowCRLDownload)
-
getKeyStore
public java.security.KeyStore getKeyStore()
- Returns:
- keystore with cached certificates
-
addCachedCertificate
public void addCachedCertificate(java.lang.String alias, java.security.cert.X509Certificate x509) throws java.security.KeyStoreException
Add certificate into keystore (cache) for further certificate chain lookups
- Parameters:
alias
- the alias, or null if alias is taken from common name attribute of certificate
x509
- the x509 certificate
- Throws:
java.security.KeyStoreException
-
addCachedCertificate
public void addCachedCertificate(java.lang.String alias, byte[] x509Bytes) throws java.security.KeyStoreException, java.security.cert.CertificateException
- Throws:
java.security.KeyStoreException
java.security.cert.CertificateException
-
getCachedCertificateByPrinicipal
public java.security.cert.X509Certificate getCachedCertificateByPrinicipal(java.lang.String principalName)