Class SignatureConfig


  • public class SignatureConfig
    extends java.lang.Object
    This class bundles the configuration options used for the existing signature facets. Apart from the thread-local members (e.g. the OPC package), most values will probably be constant, so the object can be configured centrally (e.g. by Spring).
    • Field Detail

      • SIGNATURE_TIME_FORMAT

        public static final java.lang.String SIGNATURE_TIME_FORMAT
        See Also:
        Constant Field Values
    • Constructor Detail

      • SignatureConfig

        public SignatureConfig()
    • Method Detail

      • addSignatureFacet

        public void addSignatureFacet​(SignatureFacet signatureFacet)
        Parameters:
        signatureFacet - the signature facet is appended to facet list
      • getSignatureFacets

        public java.util.List<SignatureFacet> getSignatureFacets()
        Returns:
        the list of facets, may be empty when the config object is not initialized
      • setSignatureFacets

        public void setSignatureFacets​(java.util.List<SignatureFacet> signatureFacets)
        Parameters:
        signatureFacets - the new list of facets
      • getDigestAlgo

        public HashAlgorithm getDigestAlgo()
        Returns:
        the main digest algorithm, defaults to sha256
      • setDigestAlgo

        public void setDigestAlgo​(HashAlgorithm digestAlgo)
        Parameters:
        digestAlgo - the main digest algorithm
      • getKey

        public java.security.PrivateKey getKey()
        Returns:
        the private key
      • setKey

        public void setKey​(java.security.PrivateKey key)
        Parameters:
        key - the private key
      • getSigningCertificateChain

        public java.util.List<java.security.cert.X509Certificate> getSigningCertificateChain()
        Returns:
        the certificate chain, index 0 is usually the certificate matching the private key
      • setSigningCertificateChain

        public void setSigningCertificateChain​(java.util.List<java.security.cert.X509Certificate> signingCertificateChain)
        Parameters:
        signingCertificateChain - the certificate chain, index 0 should be the certificate matching the private key
      • getExecutionTime

        public java.util.Date getExecutionTime()
        Returns:
        the time at which the document is signed; also used for the timestamp service. Defaults to now
      • setExecutionTime

        public void setExecutionTime​(java.util.Date executionTime)
        Parameters:
        executionTime - sets the time at which the document ought to be signed
      • formatExecutionTime

        public java.lang.String formatExecutionTime()
        Returns:
        the formatted execution time (SIGNATURE_TIME_FORMAT)
        Since:
        POI 4.0.0
      • setExecutionTime

        public void setExecutionTime​(java.lang.String executionTime)
        Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
        Parameters:
        executionTime - the execution time
        Since:
        POI 4.0.0
      • getSignaturePolicyService

        public SignaturePolicyService getSignaturePolicyService()
        Returns:
        the service to be used for XAdES-EPES properties. There's no default implementation
      • setSignaturePolicyService

        public void setSignaturePolicyService​(SignaturePolicyService signaturePolicyService)
        Parameters:
        signaturePolicyService - the service to be used for XAdES-EPES properties
      • getSignatureDescription

        public java.lang.String getSignatureDescription()
        Returns:
        Gives back the human-readable description of what the citizen will be signing. The default value is "Office OpenXML Document".
      • setSignatureDescription

        public void setSignatureDescription​(java.lang.String signatureDescription)
        Parameters:
        signatureDescription - the human-readable description of what the citizen will be signing.
      • getSignatureImage

        public byte[] getSignatureImage()
      • getSignatureImageValid

        public byte[] getSignatureImageValid()
      • getSignatureImageInvalid

        public byte[] getSignatureImageInvalid()
      • getSignatureImageSetupId

        public ClassID getSignatureImageSetupId()
      • setSignatureImageSetupId

        public void setSignatureImageSetupId​(ClassID signatureImageSetupId)
      • setSignatureImage

        public void setSignatureImage​(byte[] signatureImage)
      • setSignatureImageValid

        public void setSignatureImageValid​(byte[] signatureImageValid)
      • setSignatureImageInvalid

        public void setSignatureImageInvalid​(byte[] signatureImageInvalid)
      • getCanonicalizationMethod

        public java.lang.String getCanonicalizationMethod()
        Returns:
        the default canonicalization method, defaults to INCLUSIVE
      • setCanonicalizationMethod

        public void setCanonicalizationMethod​(java.lang.String canonicalizationMethod)
        Parameters:
        canonicalizationMethod - the default canonicalization method
      • getPackageSignatureId

        public java.lang.String getPackageSignatureId()
        Returns:
        The signature Id attribute value used to create the XML signature. Defaults to "idPackageSignature"
      • setPackageSignatureId

        public void setPackageSignatureId​(java.lang.String packageSignatureId)
        Parameters:
        packageSignatureId - The signature Id attribute value used to create the XML signature. A null value will trigger an automatically generated signature Id.
      • getTspUrl

        public java.lang.String getTspUrl()
        Returns:
        the url of the timestamp provider (TSP)
      • setTspUrl

        public void setTspUrl​(java.lang.String tspUrl)
        Parameters:
        tspUrl - the url of the timestamp provider (TSP)
      • isTspOldProtocol

        public boolean isTspOldProtocol()
        Returns:
        if true, the timestamp-request/response mimetype is used; if false, the timestamp-query/reply mimetype
      • setTspOldProtocol

        public void setTspOldProtocol​(boolean tspOldProtocol)
        Parameters:
        tspOldProtocol - defines the timestamp-protocol mimetype
        See Also:
        isTspOldProtocol()
      • getTspDigestAlgo

        public HashAlgorithm getTspDigestAlgo()
        Returns:
        the hash algorithm to be used for the timestamp entry. Defaults to the hash algorithm of the main entry
      • setTspDigestAlgo

        public void setTspDigestAlgo​(HashAlgorithm tspDigestAlgo)
        Parameters:
        tspDigestAlgo - the algorithm to be used for the timestamp entry. If null, the hash algorithm of the main entry is used
      • getProxyUrl

        public java.lang.String getProxyUrl()
        Returns:
        the proxy url to be used for all communications. Currently this affects the timestamp service
      • setProxyUrl

        public void setProxyUrl​(java.lang.String proxyUrl)
        Parameters:
        proxyUrl - the proxy url to be used for all communications. Currently this affects the timestamp service
      • setTspService

        public void setTspService​(TimeStampService tspService)
        Parameters:
        tspService - the timestamp service
      • getTspHttpClient

        public TimeStampHttpClient getTspHttpClient()
        Returns:
        the http client used for timestamp server connections
        Since:
        POI 5.2.1
      • setTspHttpClient

        public void setTspHttpClient​(TimeStampHttpClient tspHttpClient)
        Parameters:
        tspHttpClient - the http client used for timestamp server connections
        Since:
        POI 5.2.1
      • getTspUser

        public java.lang.String getTspUser()
        Returns:
        the user id for the timestamp service - currently only basic authorization is supported
      • setTspUser

        public void setTspUser​(java.lang.String tspUser)
        Parameters:
        tspUser - the user id for the timestamp service - currently only basic authorization is supported
      • getTspPass

        public java.lang.String getTspPass()
        Returns:
        the password for the timestamp service
      • setTspPass

        public void setTspPass​(java.lang.String tspPass)
        Parameters:
        tspPass - the password for the timestamp service
      • getTspValidator

        public TimeStampServiceValidator getTspValidator()
        Returns:
        the validator for the timestamp service (certificate)
      • setTspValidator

        public void setTspValidator​(TimeStampServiceValidator tspValidator)
        Parameters:
        tspValidator - the validator for the timestamp service (certificate)
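The setters above (key, certificate chain, digest algorithm, execution time, and the TSP settings) are the pieces of one signing configuration. The following is an added example, not code from the POI project or this Javadoc, showing how they fit together when signing an OPC package. It assumes a PKCS#12 keystore with placeholder aliases and paths, that `SignatureInfo.setOpcPackage`/`setSignatureConfig`/`confirmSignature`/`verifySignature` exist as in the POI signature how-to, and that `TimeStampServiceValidator` is a functional interface of the shape `validate(List<X509Certificate>, RevocationData)` that rejects by throwing.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess;
import org.apache.poi.poifs.crypt.HashAlgorithm;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;

public class SignWithTimestamp {

    public static void main(String[] args) throws Exception {
        // Constructed inputs (placeholders): a PKCS#12 keystore holding the signer's key
        // and chain under alias "signer", a pinned TSA root under "tsa-root", and the document.
        File keystoreFile = new File("signer.p12");
        char[] password = "changeit".toCharArray();
        File document = new File("report.docx");

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keystoreFile)) {
            ks.load(in, password);
        }
        PrivateKey key = (PrivateKey) ks.getKey("signer", password);

        // KeyStore.getCertificateChain() returns the end-entity certificate first, which is
        // the order setSigningCertificateChain expects (index 0 matches the private key).
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : ks.getCertificateChain("signer")) {
            chain.add((X509Certificate) c);
        }

        SignatureConfig cfg = new SignatureConfig();
        cfg.setKey(key);
        cfg.setSigningCertificateChain(chain);
        cfg.setIncludeEntireCertificateChain(true); // embed intermediates, not only the signer cert
        cfg.setDigestAlgo(HashAlgorithm.sha256);    // the default, stated so a reviewer can see it
        cfg.setExecutionTime(new Date());           // signing time, reused for the timestamp request

        // RFC 3161 timestamp provider; URL and credentials are placeholders.
        cfg.setTspUrl("https://tsa.example.invalid/tsr");
        cfg.setTspDigestAlgo(HashAlgorithm.sha256);
        cfg.setTspUser("tsa-user");
        cfg.setTspPass("tsa-password");
        cfg.setUserAgent("example-signer/1.0");

        // Assumed validator shape: validate(List<X509Certificate>, RevocationData), throwing to
        // reject. This pins the TSA chain to one trusted root; production code would run full
        // PKIX path validation rather than a membership check.
        X509Certificate tsaRoot = (X509Certificate) ks.getCertificate("tsa-root");
        cfg.setTspValidator((tsaChain, revocationData) -> {
            if (tsaRoot == null || !tsaChain.contains(tsaRoot)) {
                throw new SecurityException("timestamp token not issued under the pinned TSA root");
            }
        });

        try (OPCPackage pkg = OPCPackage.open(document, PackageAccess.READ_WRITE)) {
            SignatureInfo si = new SignatureInfo();
            si.setOpcPackage(pkg);        // the thread-local member mentioned in the class description
            si.setSignatureConfig(cfg);
            si.confirmSignature();        // writes the signature parts into the package
            if (!si.verifySignature()) {  // sanity check of what was just written
                throw new IllegalStateException("freshly written signature failed to verify");
            }
        } // closing a READ_WRITE package persists the changes
    }
}
```

The facet list is left empty here so the library's default facets apply; `addSignatureFacet` is only needed when a custom facet (for example one supplying a `SignaturePolicyService`) has to be appended.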
      • getRevocationDataService

        public RevocationDataService getRevocationDataService()
        Returns:
        the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.
      • setRevocationDataService

        public void setRevocationDataService​(RevocationDataService revocationDataService)
        Parameters:
        revocationDataService - the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.
      • setXadesDigestAlgo

        public void setXadesDigestAlgo​(HashAlgorithm xadesDigestAlgo)
        Parameters:
        xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()
      • setXadesDigestAlgo

        public void setXadesDigestAlgo​(java.lang.String xadesDigestAlgo)
        Parameters:
        xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()
        Since:
        POI 4.0.0
      • getUserAgent

        public java.lang.String getUserAgent()
        Returns:
        the user agent used for http communication (e.g. to the TSP)
      • setUserAgent

        public void setUserAgent​(java.lang.String userAgent)
        Parameters:
        userAgent - the user agent used for http communication (e.g. to the TSP)
      • getTspRequestPolicy

        public java.lang.String getTspRequestPolicy()
        Returns:
        the asn.1 object id for the tsp request policy. Defaults to 1.3.6.1.4.1.13762.3
      • setTspRequestPolicy

        public void setTspRequestPolicy​(java.lang.String tspRequestPolicy)
        Parameters:
        tspRequestPolicy - the asn.1 object id for the tsp request policy.
      • isIncludeEntireCertificateChain

        public boolean isIncludeEntireCertificateChain()
        Returns:
        true, if the whole certificate chain is included in the signature. When false, only the signer cert will be included
      • setIncludeEntireCertificateChain

        public void setIncludeEntireCertificateChain​(boolean includeEntireCertificateChain)
        Parameters:
        includeEntireCertificateChain - if true, include the whole certificate chain. If false, only include the signer cert
      • isIncludeIssuerSerial

        public boolean isIncludeIssuerSerial()
        Returns:
        if true, issuer serial number is included
      • setIncludeIssuerSerial

        public void setIncludeIssuerSerial​(boolean includeIssuerSerial)
        Parameters:
        includeIssuerSerial - if true, issuer serial number is included
      • isIncludeKeyValue

        public boolean isIncludeKeyValue()
        Returns:
        if true, the key value of the public key (certificate) is included
      • setIncludeKeyValue

        public void setIncludeKeyValue​(boolean includeKeyValue)
        Parameters:
        includeKeyValue - if true, the key value of the public key (certificate) is included
      • getXadesRole

        public java.lang.String getXadesRole()
        Returns:
        the xades role element. If null the claimed role element is omitted. Defaults to null
      • setXadesRole

        public void setXadesRole​(java.lang.String xadesRole)
        Parameters:
        xadesRole - the xades role element. If null the claimed role element is omitted.
      • getXadesSignatureId

        public java.lang.String getXadesSignatureId()
        Returns:
        the Id for the XAdES SignedProperties element. Defaults to idSignedProperties
      • setXadesSignatureId

        public void setXadesSignatureId​(java.lang.String xadesSignatureId)
        Parameters:
        xadesSignatureId - the Id for the XAdES SignedProperties element. When null defaults to idSignedProperties
      • isXadesSignaturePolicyImplied

        public boolean isXadesSignaturePolicyImplied()
        Returns:
        when true, include the policy-implied block. Defaults to true
      • setXadesSignaturePolicyImplied

        public void setXadesSignaturePolicyImplied​(boolean xadesSignaturePolicyImplied)
        Parameters:
        xadesSignaturePolicyImplied - when true, include the policy-implied block
      • isXadesIssuerNameNoReverseOrder

        public boolean isXadesIssuerNameNoReverseOrder()
        Make sure the DN is encoded using the same order as present within the certificate. This is an Office 2010 workaround and should be reverted. XXX: not correct according to RFC 4514.
        Returns:
        when true, the issuer DN is used instead of the issuer X500 principal
      • setXadesIssuerNameNoReverseOrder

        public void setXadesIssuerNameNoReverseOrder​(boolean xadesIssuerNameNoReverseOrder)
        Parameters:
        xadesIssuerNameNoReverseOrder - when true, the issuer DN is used instead of the issuer X500 principal
      • setSignatureMarshalListener

        public void setSignatureMarshalListener​(SignatureMarshalListener signatureMarshalListener)
        Parameters:
        signatureMarshalListener - the event listener watching the xml structure generation for the signature
      • getNamespacePrefixes

        public java.util.Map<java.lang.String,​java.lang.String> getNamespacePrefixes()
        Returns:
        the map of namespace uri (key) to prefix (value)
      • setNamespacePrefixes

        public void setNamespacePrefixes​(java.util.Map<java.lang.String,​java.lang.String> namespacePrefixes)
        Parameters:
        namespacePrefixes - the map of namespace uri (key) to prefix (value)
      • getSignatureMethodUri

        public java.lang.String getSignatureMethodUri()
        Returns:
        the uri for the signature method; currently only RSA is supported, so it is the RSA variant of the main digest
      • getDigestMethodUri

        public java.lang.String getDigestMethodUri()
        Returns:
        the uri for the main digest
      • getDigestMethodUri

        public static java.lang.String getDigestMethodUri​(HashAlgorithm digestAlgo)
        Converts the digest algorithm to its uri. Currently only sha* and ripemd160 are supported; MS Office only supports sha1, sha256, sha384 and sha512.
        Parameters:
        digestAlgo - the digest algorithm
        Returns:
        the uri for the given digest
      • setSignatureMethodFromUri

        public void setSignatureMethodFromUri​(java.lang.String signatureMethodUri)
        Sets the digest algorithm based on the method uri. This is used when a signature was successfully validated and the signature configuration is updated
        Parameters:
        signatureMethodUri - the method uri
        Since:
        POI 4.0.0
      • getSignatureFactory

        @Deprecated
        @Removal(version="5.0.0")
        public javax.xml.crypto.dsig.XMLSignatureFactory getSignatureFactory()
        Deprecated.
        in POI 5.0.0 - will be handled by SignatureInfo internally
        Returns:
        the xml signature factory (thread-local)
      • getKeyInfoFactory

        @Deprecated
        @Removal(version="5.0.0")
        public javax.xml.crypto.dsig.keyinfo.KeyInfoFactory getKeyInfoFactory()
        Deprecated.
        in POI 5.0.0 - will be handled by SignatureInfo internally
        Returns:
        the key factory (thread-local)
      • getProvider

        @Deprecated
        @Removal(version="5.0.0")
        public java.security.Provider getProvider()
        Deprecated.
        in POI 5.0.0 - will be handled by SignatureInfo internally
        Returns:
        the cached provider or null if not set before
      • getProviderNames

        public static java.lang.String[] getProviderNames()
        Determine the possible classes for XMLSEC. The order is
        1. the class pointed to by the system property "jsr105Provider"
        2. the Santuario xmlsec provider
        3. the JDK xmlsec provider
        Returns:
        a list of possible XMLSEC provider class names
      • getXadesCanonicalizationMethod

        public java.lang.String getXadesCanonicalizationMethod()
        Returns:
        the canonicalization method for XAdES-XL signing. Defaults to EXCLUSIVE
        See Also:
        javax.xml.crypto.dsig.CanonicalizationMethod
      • setXadesCanonicalizationMethod

        public void setXadesCanonicalizationMethod​(java.lang.String xadesCanonicalizationMethod)
        Parameters:
        xadesCanonicalizationMethod - the canonicalization method for XAdES-XL signing
        See Also:
        javax.xml.crypto.dsig.CanonicalizationMethod
      • isUpdateConfigOnValidate

        public boolean isUpdateConfigOnValidate()
        Returns:
        true, if the signature config is to be updated based on the successfully validated document
        Since:
        POI 4.0.0
      • setUpdateConfigOnValidate

        public void setUpdateConfigOnValidate​(boolean updateConfigOnValidate)
        The signature config can be updated if a document is successfully validated. This flag activates those modifications. Defaults to false
        Parameters:
        updateConfigOnValidate - if true, update config on validate
        Since:
        POI 4.0.0
      • isAllowMultipleSignatures

        public boolean isAllowMultipleSignatures()
        Returns:
        true, if multiple signatures can be attached
        Since:
        POI 4.1.0
      • setAllowMultipleSignatures

        public void setAllowMultipleSignatures​(boolean allowMultipleSignatures)
        Activate multiple signatures
        Parameters:
        allowMultipleSignatures - if true, the signature will be added, otherwise all existing signatures will be replaced by the current
        Since:
        POI 4.1.0
      • isSecureValidation

        public boolean isSecureValidation()
        Returns:
        true, if secure validation is enabled
        Since:
        POI 5.2.0
      • setSecureValidation

        public void setSecureValidation​(boolean secureValidation)
        Enable or disable secure validation - default is enabled.

        Starting with xmlsec 2.3.0, larger documents with many document parts started to fail, because secure validation hard-codes a maximum of 30 references.

        Secure validation has the following features:

        • Limits the number of Transforms per Reference to a maximum of 5.
        • Does not allow XSLT transforms.
        • Does not allow a RetrievalMethod to reference another RetrievalMethod.
        • Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
        • Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
        • MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
        • Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
        • Does not allow DTDs
        Since:
        POI 5.2.0
        See Also:
        XmlSec SecureValidation
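As an added example (not code from the POI project or this Javadoc), the verification side with secure validation left on, handling the failure mode described above: when a package with many parts fails, the part count is reported so an operator can distinguish the 30-reference limit from a tampered document, but the result is still reported as invalid rather than silently downgrading to insecure validation. It also validates every signature part and binds the signer certificate to an expected one, since a valid XML signature alone only proves integrity under some key. It assumes `SignatureInfo.getSignatureParts()`, `SignaturePart.validate()` and `SignaturePart.getSigner()` behave as in the POI signature how-to.

```java
import java.io.File;
import java.security.cert.X509Certificate;

import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackageAccess;
import org.apache.poi.poifs.crypt.dsig.SignatureConfig;
import org.apache.poi.poifs.crypt.dsig.SignatureInfo;
import org.apache.poi.poifs.crypt.dsig.SignaturePart;

public class VerifySecure {

    /**
     * Returns true only if the package carries at least one signature, every
     * signature part validates under secure validation, and each signer equals
     * the expected certificate.
     */
    public static boolean verify(File document, X509Certificate expectedSigner) throws Exception {
        try (OPCPackage pkg = OPCPackage.open(document, PackageAccess.READ)) {
            SignatureConfig cfg = new SignatureConfig();
            cfg.setSecureValidation(true); // the default; stated explicitly so a reviewer can see it
            cfg.setUpdateConfigOnValidate(false); // do not let the document rewrite our config

            SignatureInfo si = new SignatureInfo();
            si.setOpcPackage(pkg);
            si.setSignatureConfig(cfg);

            boolean sawSignature = false;
            for (SignaturePart sp : si.getSignatureParts()) { // assumed API
                sawSignature = true;
                if (!sp.validate()) {
                    // With xmlsec >= 2.3.0 a package with more than 30 signed parts fails here because
                    // of the hard-coded reference limit. Report the part count for triage, keep the failure.
                    System.err.printf("signature part invalid (%d package parts)%n", pkg.getParts().size());
                    return false;
                }
                X509Certificate signer = sp.getSigner(); // assumed: populated by validate()
                if (signer == null || !signer.equals(expectedSigner)) {
                    System.err.println("unexpected signer: "
                            + (signer == null ? "none" : signer.getSubjectX500Principal()));
                    return false;
                }
            }
            return sawSignature; // an unsigned document is not a valid signed one
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: a signed document and the certificate we expect to have signed it.
        // Loading expectedSigner from a trusted store is left to the caller.
        X509Certificate expectedSigner = null;
        System.out.println(verify(new File("report.docx"), expectedSigner) ? "valid" : "INVALID");
    }
}
```

Iterating the parts matters because a package may carry several signatures once `allowMultipleSignatures` is in use; checking only the first one leaves the others unverified.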
      • getCommitmentType

        public java.lang.String getCommitmentType()
      • setCommitmentType

        public void setCommitmentType​(java.lang.String commitmentType)
        Set the commitmentType, which is usually one of ...
        • "Created and approved this document"
        • "Approved this document"
        • "Created this document"
        • ... or any other important sounding statement
      • addCRL

        public SignatureConfig.CRLEntry addCRL​(java.lang.String crlURL,
                                               java.lang.String certCN,
                                               byte[] crlBytes)
      • isAllowCRLDownload

        public boolean isAllowCRLDownload()
      • setAllowCRLDownload

        public void setAllowCRLDownload​(boolean allowCRLDownload)
      • getKeyStore

        public java.security.KeyStore getKeyStore()
        Returns:
        keystore with cached certificates
      • addCachedCertificate

        public void addCachedCertificate​(java.lang.String alias,
                                         java.security.cert.X509Certificate x509)
                                  throws java.security.KeyStoreException
        Add certificate into keystore (cache) for further certificate chain lookups
        Parameters:
        alias - the alias, or null if alias is taken from common name attribute of certificate
        x509 - the x509 certificate
        Throws:
        java.security.KeyStoreException
      • addCachedCertificate

        public void addCachedCertificate​(java.lang.String alias,
                                         byte[] x509Bytes)
                                  throws java.security.KeyStoreException,
                                         java.security.cert.CertificateException
        Throws:
        java.security.KeyStoreException
        java.security.cert.CertificateException
      • getCachedCertificateByPrinicipal

        public java.security.cert.X509Certificate getCachedCertificateByPrinicipal​(java.lang.String principalName)
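The certificate cache (`getKeyStore`, `addCachedCertificate`, `getCachedCertificateByPrinicipal`) together with `addCRL` and `setAllowCRLDownload` let chain lookups and revocation data come from material supplied up front instead of being fetched at signing or validation time. The following is an added example, not code from the POI project or this Javadoc. Paths and the CRL URL are placeholders; it assumes that `setAllowCRLDownload(false)` suppresses network CRL fetches, that `certCN` in `addCRL` is the CN of the certificate the CRL belongs to, and that `getCachedCertificateByPrinicipal` is keyed by the subject `X500Principal` name as returned by `getName()`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.poi.poifs.crypt.dsig.SignatureConfig;

public class OfflineChainMaterial {

    /**
     * Builds a SignatureConfig whose certificate cache already holds the issuing
     * intermediate and whose CRL for it is supplied from disk, so chain building
     * and revocation checks need no network access.
     */
    public static SignatureConfig configure(Path intermediateCert, Path intermediateCrl) throws Exception {
        SignatureConfig cfg = new SignatureConfig();
        cfg.setAllowCRLDownload(false); // assumed meaning: never fetch CRLs over the network

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate intermediate;
        try (InputStream in = Files.newInputStream(intermediateCert)) {
            intermediate = (X509Certificate) cf.generateCertificate(in); // DER or PEM
        }
        // null alias: per the Javadoc the alias is then taken from the certificate's CN
        cfg.addCachedCertificate(null, intermediate);

        // Register a CRL obtained out of band. certCN is assumed to name the certificate the
        // CRL belongs to; crlURL is the distribution point it was retrieved from.
        byte[] crlBytes = Files.readAllBytes(intermediateCrl);
        cfg.addCRL("http://crl.example.invalid/intermediate.crl", commonName(intermediate), crlBytes);

        // Confirm the cache entry is found the way the library will look it up (assumed key format).
        String subject = intermediate.getSubjectX500Principal().getName();
        if (cfg.getCachedCertificateByPrinicipal(subject) == null) {
            throw new IllegalStateException("intermediate not retrievable from cache keystore");
        }
        return cfg;
    }

    /** Extracts the CN attribute from the certificate's subject DN. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        throw new IllegalArgumentException("certificate subject has no CN");
    }

    public static void main(String[] args) throws Exception {
        SignatureConfig cfg = configure(Path.of("intermediate.cer"), Path.of("intermediate.crl"));
        System.out.println("cached certificates: " + cfg.getKeyStore().size());
    }
}
```

Pre-loading the cache this way is what makes `setIncludeEntireCertificateChain(true)` useful on a host without outbound access: the intermediates the library needs are already in the keystore it consults.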