org.apache.poi.poifs.crypt.dsig

Class SignatureConfig

java.lang.Object

org.apache.poi.poifs.crypt.dsig.SignatureConfig

public class SignatureConfig
extends java.lang.Object

This class bundles the configuration options used for the existing signature facets. Apart of the thread local members (e.g. opc-package) most values will probably be constant, so it might be configured centrally (e.g. by spring)

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static interface	SignatureConfig.SignatureConfigurable

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	SIGNATURE_TIME_FORMAT

Constructor Summary

Constructors

Constructor and Description
SignatureConfig()

Method Summary

Modifier and Type	Method and Description
void	addSignatureFacet(SignatureFacet signatureFacet)
java.lang.String	formatExecutionTime()
java.lang.String	getCanonicalizationMethod()
HashAlgorithm	getDigestAlgo()
java.lang.String	getDigestMethodUri()
static java.lang.String	getDigestMethodUri(HashAlgorithm digestAlgo) Converts the digest algorithm - currently only sha* and ripemd160 is supported.
java.util.Date	getExecutionTime()
java.security.PrivateKey	getKey()
javax.xml.crypto.dsig.keyinfo.KeyInfoFactory	getKeyInfoFactory()
java.util.Map<java.lang.String,java.lang.String>	getNamespacePrefixes()
OPCPackage	getOpcPackage()
java.lang.String	getPackageSignatureId()
java.security.Provider	getProvider() This method tests the existence of xml signature provider in the following order: the class pointed to by the system property "jsr105Provider" the Santuario xmlsec provider the JDK xmlsec provider For signing the classes are linked against the Santuario xmlsec, so this might only work for validation (not tested).
java.lang.String	getProxyUrl()
RevocationDataService	getRevocationDataService()
java.lang.String	getSignatureDescription()
java.util.List<SignatureFacet>	getSignatureFacets()
javax.xml.crypto.dsig.XMLSignatureFactory	getSignatureFactory()
org.w3c.dom.events.EventListener	getSignatureMarshalListener()
java.lang.String	getSignatureMethodUri()
SignaturePolicyService	getSignaturePolicyService()
java.util.List<java.security.cert.X509Certificate>	getSigningCertificateChain()
HashAlgorithm	getTspDigestAlgo()
java.lang.String	getTspPass()
java.lang.String	getTspRequestPolicy()
TimeStampService	getTspService()
java.lang.String	getTspUrl()
java.lang.String	getTspUser()
TimeStampServiceValidator	getTspValidator()
javax.xml.crypto.URIDereferencer	getUriDereferencer()
java.lang.String	getUserAgent()
java.lang.String	getXadesCanonicalizationMethod()
HashAlgorithm	getXadesDigestAlgo()
java.lang.String	getXadesRole()
java.lang.String	getXadesSignatureId()
protected void	init(boolean onlyValidation) Inits and checks the config object.
boolean	isAllowMultipleSignatures()
boolean	isIncludeEntireCertificateChain()
boolean	isIncludeIssuerSerial()
boolean	isIncludeKeyValue()
boolean	isTspOldProtocol()
boolean	isUpdateConfigOnValidate()
boolean	isXadesIssuerNameNoReverseOrder() Make sure the DN is encoded using the same order as present within the certificate.
boolean	isXadesSignaturePolicyImplied()
void	setAllowMultipleSignatures(boolean allowMultipleSignatures) Activate multiple signatures
void	setCanonicalizationMethod(java.lang.String canonicalizationMethod)
void	setDigestAlgo(HashAlgorithm digestAlgo)
void	setExecutionTime(java.util.Date executionTime)
void	setExecutionTime(java.lang.String executionTime) Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
void	setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)
void	setIncludeIssuerSerial(boolean includeIssuerSerial)
void	setIncludeKeyValue(boolean includeKeyValue)
void	setKey(java.security.PrivateKey key)
void	setKeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory keyInfoFactory)
void	setNamespacePrefixes(java.util.Map<java.lang.String,java.lang.String> namespacePrefixes)
void	setOpcPackage(OPCPackage opcPackage)
void	setPackageSignatureId(java.lang.String packageSignatureId)
void	setProxyUrl(java.lang.String proxyUrl)
void	setRevocationDataService(RevocationDataService revocationDataService)
void	setSignatureDescription(java.lang.String signatureDescription)
void	setSignatureFacets(java.util.List<SignatureFacet> signatureFacets)
void	setSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory signatureFactory)
void	setSignatureMarshalListener(org.w3c.dom.events.EventListener signatureMarshalListener)
void	setSignatureMethodFromUri(java.lang.String signatureMethodUri) Set the digest algorithm based on the method uri.
void	setSignaturePolicyService(SignaturePolicyService signaturePolicyService)
void	setSigningCertificateChain(java.util.List<java.security.cert.X509Certificate> signingCertificateChain)
void	setTspDigestAlgo(HashAlgorithm tspDigestAlgo)
void	setTspOldProtocol(boolean tspOldProtocol)
void	setTspPass(java.lang.String tspPass)
void	setTspRequestPolicy(java.lang.String tspRequestPolicy)
void	setTspService(TimeStampService tspService)
void	setTspUrl(java.lang.String tspUrl)
void	setTspUser(java.lang.String tspUser)
void	setTspValidator(TimeStampServiceValidator tspValidator)
void	setUpdateConfigOnValidate(boolean updateConfigOnValidate) The signature config can be updated if a document is succesful validated.
void	setUriDereferencer(javax.xml.crypto.URIDereferencer uriDereferencer)
void	setUserAgent(java.lang.String userAgent)
void	setXadesCanonicalizationMethod(java.lang.String xadesCanonicalizationMethod)
void	setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)
void	setXadesDigestAlgo(java.lang.String xadesDigestAlgo)
void	setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)
void	setXadesRole(java.lang.String xadesRole)
void	setXadesSignatureId(java.lang.String xadesSignatureId)
void	setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SIGNATURE_TIME_FORMAT

public static final java.lang.String SIGNATURE_TIME_FORMAT

See Also:

Constant Field Values

Constructor Detail

SignatureConfig

public SignatureConfig()

Method Detail

init

protected void init(boolean onlyValidation)

Inits and checks the config object. If not set previously, complex configuration properties also get created/initialized via this initialization call.

Parameters:

onlyValidation - if true, only a subset of the properties is initialized, which are necessary for validation. If false, also the other properties needed for signing are been taken care of

addSignatureFacet

public void addSignatureFacet(SignatureFacet signatureFacet)

Parameters:

signatureFacet - the signature facet is appended to facet list

getSignatureFacets

public java.util.List<SignatureFacet> getSignatureFacets()

Returns:

the list of facets, may be empty when the config object is not initialized

setSignatureFacets

public void setSignatureFacets(java.util.List<SignatureFacet> signatureFacets)

Parameters:

signatureFacets - the new list of facets

getDigestAlgo

public HashAlgorithm getDigestAlgo()

Returns:

the main digest algorithm, defaults to sha256

setDigestAlgo

public void setDigestAlgo(HashAlgorithm digestAlgo)

Parameters:

digestAlgo - the main digest algorithm

getOpcPackage

public OPCPackage getOpcPackage()

Returns:

the opc package to be used by this thread, stored as thread-local

setOpcPackage

public void setOpcPackage(OPCPackage opcPackage)

Parameters:

opcPackage - the opc package to be handled by this thread, stored as thread-local

getKey

public java.security.PrivateKey getKey()

Returns:

the private key

setKey

public void setKey(java.security.PrivateKey key)

Parameters:

key - the private key

getSigningCertificateChain

public java.util.List<java.security.cert.X509Certificate> getSigningCertificateChain()

Returns:

the certificate chain, index 0 is usually the certificate matching the private key

setSigningCertificateChain

public void setSigningCertificateChain(java.util.List<java.security.cert.X509Certificate> signingCertificateChain)

Parameters:

signingCertificateChain - the certificate chain, index 0 should be the certificate matching the private key

getExecutionTime

public java.util.Date getExecutionTime()

Returns:

the time at which the document is signed, also used for the timestamp service. defaults to now

setExecutionTime

public void setExecutionTime(java.util.Date executionTime)

Parameters:

executionTime - sets the time at which the document ought to be signed

formatExecutionTime

public java.lang.String formatExecutionTime()

Returns:

the formatted execution time (SIGNATURE_TIME_FORMAT)

Since:

POI 4.0.0

setExecutionTime

public void setExecutionTime(java.lang.String executionTime)

Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)

Parameters:

executionTime - the execution time

Since:

POI 4.0.0

getSignaturePolicyService

public SignaturePolicyService getSignaturePolicyService()

Returns:

the service to be used for XAdES-EPES properties. There's no default implementation

setSignaturePolicyService

public void setSignaturePolicyService(SignaturePolicyService signaturePolicyService)

Parameters:

signaturePolicyService - the service to be used for XAdES-EPES properties

getUriDereferencer

public javax.xml.crypto.URIDereferencer getUriDereferencer()

Returns:

the dereferencer used for Reference/@URI attributes, defaults to OOXMLURIDereferencer

setUriDereferencer

public void setUriDereferencer(javax.xml.crypto.URIDereferencer uriDereferencer)

Parameters:

uriDereferencer - the dereferencer used for Reference/@URI attributes

getSignatureDescription

public java.lang.String getSignatureDescription()

Returns:

Gives back the human-readable description of what the citizen will be signing. The default value is "Office OpenXML Document".

setSignatureDescription

public void setSignatureDescription(java.lang.String signatureDescription)

Parameters:

signatureDescription - the human-readable description of what the citizen will be signing.

getCanonicalizationMethod

public java.lang.String getCanonicalizationMethod()

Returns:

the default canonicalization method, defaults to INCLUSIVE

setCanonicalizationMethod

public void setCanonicalizationMethod(java.lang.String canonicalizationMethod)

Parameters:

canonicalizationMethod - the default canonicalization method

getPackageSignatureId

public java.lang.String getPackageSignatureId()

Returns:

The signature Id attribute value used to create the XML signature. Defaults to "idPackageSignature"

setPackageSignatureId

public void setPackageSignatureId(java.lang.String packageSignatureId)

Parameters:

packageSignatureId - The signature Id attribute value used to create the XML signature. A null value will trigger an automatically generated signature Id.

getTspUrl

public java.lang.String getTspUrl()

Returns:

the url of the timestamp provider (TSP)

setTspUrl

public void setTspUrl(java.lang.String tspUrl)

Parameters:

tspUrl - the url of the timestamp provider (TSP)

isTspOldProtocol

public boolean isTspOldProtocol()

Returns:

if true, uses timestamp-request/response mimetype, if false, timestamp-query/reply mimetype

setTspOldProtocol

public void setTspOldProtocol(boolean tspOldProtocol)

Parameters:

tspOldProtocol - defines the timestamp-protocol mimetype

See Also:

isTspOldProtocol()

getTspDigestAlgo

public HashAlgorithm getTspDigestAlgo()

Returns:

the hash algorithm to be used for the timestamp entry. Defaults to the hash algorithm of the main entry

setTspDigestAlgo

public void setTspDigestAlgo(HashAlgorithm tspDigestAlgo)

Parameters:

tspDigestAlgo - the algorithm to be used for the timestamp entry. if null, the hash algorithm of the main entry

getProxyUrl

public java.lang.String getProxyUrl()

Returns:

the proxy url to be used for all communications. Currently this affects the timestamp service

setProxyUrl

public void setProxyUrl(java.lang.String proxyUrl)

Parameters:

proxyUrl - the proxy url to be used for all communications. Currently this affects the timestamp service

getTspService

public TimeStampService getTspService()

Returns:

the timestamp service. Defaults to TSPTimeStampService

setTspService

public void setTspService(TimeStampService tspService)

Parameters:

tspService - the timestamp service

getTspUser

public java.lang.String getTspUser()

Returns:

the user id for the timestamp service - currently only basic authorization is supported

setTspUser

public void setTspUser(java.lang.String tspUser)

Parameters:

tspUser - the user id for the timestamp service - currently only basic authorization is supported

getTspPass

public java.lang.String getTspPass()

Returns:

the password for the timestamp service

setTspPass

public void setTspPass(java.lang.String tspPass)

Parameters:

tspPass - the password for the timestamp service

getTspValidator

public TimeStampServiceValidator getTspValidator()

Returns:

the validator for the timestamp service (certificate)

setTspValidator

public void setTspValidator(TimeStampServiceValidator tspValidator)

Parameters:

tspValidator - the validator for the timestamp service (certificate)

getRevocationDataService

public RevocationDataService getRevocationDataService()

Returns:

the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

setRevocationDataService

public void setRevocationDataService(RevocationDataService revocationDataService)

Parameters:

revocationDataService - the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

getXadesDigestAlgo

public HashAlgorithm getXadesDigestAlgo()

Returns:

hash algorithm used for XAdES. Defaults to the getDigestAlgo()

setXadesDigestAlgo

public void setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)

Parameters:

xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()

setXadesDigestAlgo

public void setXadesDigestAlgo(java.lang.String xadesDigestAlgo)

Parameters:

xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()

Since:

POI 4.0.0

getUserAgent

public java.lang.String getUserAgent()

Returns:

the user agent used for http communication (e.g. to the TSP)

setUserAgent

public void setUserAgent(java.lang.String userAgent)

Parameters:

userAgent - the user agent used for http communication (e.g. to the TSP)

getTspRequestPolicy

public java.lang.String getTspRequestPolicy()

Returns:

the asn.1 object id for the tsp request policy. Defaults to 1.3.6.1.4.1.13762.3

setTspRequestPolicy

public void setTspRequestPolicy(java.lang.String tspRequestPolicy)

Parameters:

tspRequestPolicy - the asn.1 object id for the tsp request policy.

isIncludeEntireCertificateChain

public boolean isIncludeEntireCertificateChain()

Returns:

true, if the whole certificate chain is included in the signature. When false, only the signer cert will be included

setIncludeEntireCertificateChain

public void setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)

Parameters:

includeEntireCertificateChain - if true, include the whole certificate chain. If false, only include the signer cert

isIncludeIssuerSerial

public boolean isIncludeIssuerSerial()

Returns:

if true, issuer serial number is included

setIncludeIssuerSerial

public void setIncludeIssuerSerial(boolean includeIssuerSerial)

Parameters:

includeIssuerSerial - if true, issuer serial number is included

isIncludeKeyValue

public boolean isIncludeKeyValue()

Returns:

if true, the key value of the public key (certificate) is included

setIncludeKeyValue

public void setIncludeKeyValue(boolean includeKeyValue)

Parameters:

includeKeyValue - if true, the key value of the public key (certificate) is included

getXadesRole

public java.lang.String getXadesRole()

Returns:

the xades role element. If null the claimed role element is omitted. Defaults to null

setXadesRole

public void setXadesRole(java.lang.String xadesRole)

Parameters:

xadesRole - the xades role element. If null the claimed role element is omitted.

getXadesSignatureId

public java.lang.String getXadesSignatureId()

Returns:

the Id for the XAdES SignedProperties element. Defaults to idSignedProperties

setXadesSignatureId

public void setXadesSignatureId(java.lang.String xadesSignatureId)

Parameters:

xadesSignatureId - the Id for the XAdES SignedProperties element. When null defaults to idSignedProperties

isXadesSignaturePolicyImplied

public boolean isXadesSignaturePolicyImplied()

Returns:

when true, include the policy-implied block. Defaults to true

setXadesSignaturePolicyImplied

public void setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)

Parameters:

xadesSignaturePolicyImplied - when true, include the policy-implied block

isXadesIssuerNameNoReverseOrder

public boolean isXadesIssuerNameNoReverseOrder()

Make sure the DN is encoded using the same order as present within the certificate. This is an Office2010 work-around. Should be reverted back. XXX: not correct according to RFC 4514.

Returns:

when true, the issuer DN is used instead of the issuer X500 principal

setXadesIssuerNameNoReverseOrder

public void setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)

Parameters:

xadesIssuerNameNoReverseOrder - when true, the issuer DN instead of the issuer X500 prinicpal is used

getSignatureMarshalListener

public org.w3c.dom.events.EventListener getSignatureMarshalListener()

Returns:

the event listener which is active while xml structure for the signature is created. Defaults to SignatureMarshalListener

setSignatureMarshalListener

public void setSignatureMarshalListener(org.w3c.dom.events.EventListener signatureMarshalListener)

Parameters:

signatureMarshalListener - the event listener watching the xml structure generation for the signature

getNamespacePrefixes

public java.util.Map<java.lang.String,java.lang.String> getNamespacePrefixes()

Returns:

the map of namespace uri (key) to prefix (value)

setNamespacePrefixes

public void setNamespacePrefixes(java.util.Map<java.lang.String,java.lang.String> namespacePrefixes)

Parameters:

namespacePrefixes - the map of namespace uri (key) to prefix (value)

getSignatureMethodUri

public java.lang.String getSignatureMethodUri()

Returns:

the uri for the signature method, i.e. currently only rsa is supported, so it's the rsa variant of the main digest

getDigestMethodUri

public java.lang.String getDigestMethodUri()

Returns:

the uri for the main digest

getDigestMethodUri

public static java.lang.String getDigestMethodUri(HashAlgorithm digestAlgo)

Converts the digest algorithm - currently only sha* and ripemd160 is supported. MS Office only supports sha1, sha256, sha384, sha512.

Parameters:

digestAlgo - the digest algorithm

Returns:

the uri for the given digest

setSignatureMethodFromUri

public void setSignatureMethodFromUri(java.lang.String signatureMethodUri)

Set the digest algorithm based on the method uri. This is used when a signature was successful validated and the signature configuration is updated

Parameters:

signatureMethodUri - the method uri

Since:

POI 4.0.0

setSignatureFactory

public void setSignatureFactory(javax.xml.crypto.dsig.XMLSignatureFactory signatureFactory)

Parameters:

signatureFactory - the xml signature factory, saved as thread-local

getSignatureFactory

public javax.xml.crypto.dsig.XMLSignatureFactory getSignatureFactory()

Returns:

the xml signature factory (thread-local)

setKeyInfoFactory

public void setKeyInfoFactory(javax.xml.crypto.dsig.keyinfo.KeyInfoFactory keyInfoFactory)

Parameters:

keyInfoFactory - the key factory, saved as thread-local

getKeyInfoFactory

public javax.xml.crypto.dsig.keyinfo.KeyInfoFactory getKeyInfoFactory()

Returns:

the key factory (thread-local)

getProvider

public java.security.Provider getProvider()

This method tests the existence of xml signature provider in the following order:

• the class pointed to by the system property "jsr105Provider"
• the Santuario xmlsec provider
• the JDK xmlsec provider

For signing the classes are linked against the Santuario xmlsec, so this might only work for validation (not tested).

Returns:

the xml dsig provider

getXadesCanonicalizationMethod

public java.lang.String getXadesCanonicalizationMethod()

Returns:

the cannonicalization method for XAdES-XL signing. Defaults to EXCLUSIVE

See Also:

javax.xml.crypto.dsig.CanonicalizationMethod

setXadesCanonicalizationMethod

public void setXadesCanonicalizationMethod(java.lang.String xadesCanonicalizationMethod)

Parameters:

xadesCanonicalizationMethod - the cannonicalization method for XAdES-XL signing

See Also:

javax.xml.crypto.dsig.CanonicalizationMethod

isUpdateConfigOnValidate

public boolean isUpdateConfigOnValidate()

Returns:

true, if the signature config is to be updated based on the successful validated document

Since:

POI 4.0.0

setUpdateConfigOnValidate

public void setUpdateConfigOnValidate(boolean updateConfigOnValidate)

The signature config can be updated if a document is succesful validated. This flag is used for activating this modifications. Defaults to false

Parameters:

updateConfigOnValidate - if true, update config on validate

Since:

POI 4.0.0

isAllowMultipleSignatures

public boolean isAllowMultipleSignatures()

Returns:

true, if multiple signatures can be attached

Since:

POI 4.1.0

setAllowMultipleSignatures

public void setAllowMultipleSignatures(boolean allowMultipleSignatures)

Activate multiple signatures

Parameters:

allowMultipleSignatures - if true, the signature will be added, otherwise all existing signatures will be replaced by the current

Since:

POI 4.1.0