Package org.apache.poi.poifs.crypt.dsig

Class SignatureConfig

java.lang.Object
org.apache.poi.poifs.crypt.dsig.SignatureConfig
public class SignatureConfig extends Object
This class bundles the configuration options used for the existing signature facets. Apart from the thread local members (e.g. opc-package) most values will probably be constant, so it might be configured centrally (e.g. by spring)

  • Field Details

  • Constructor Details

    • SignatureConfig

      public SignatureConfig()

  • Method Details

    • addSignatureFacet

      public void addSignatureFacet(SignatureFacet signatureFacet)
      Parameters:
      signatureFacet - the signature facet is appended to facet list

    • getSignatureFacets

      public List<SignatureFacet> getSignatureFacets()
      Returns:
      the list of facets, may be empty when the config object is not initialized

    • setSignatureFacets

      public void setSignatureFacets(List<SignatureFacet> signatureFacets)
      Parameters:
      signatureFacets - the new list of facets

    • getDigestAlgo

      public HashAlgorithm getDigestAlgo()
      Returns:
      the main digest algorithm, defaults to sha256

    • setDigestAlgo

      public void setDigestAlgo(HashAlgorithm digestAlgo)
      Parameters:
      digestAlgo - the main digest algorithm

    • getOpcPackage

      @Deprecated @Removal(version="5.0.0") public OPCPackage getOpcPackage()
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
      Returns:
      the opc package to be used by this thread, stored as thread-local

    • setOpcPackage

      @Deprecated @Removal(version="5.0.0") public void setOpcPackage(OPCPackage opcPackage)
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setOpcPackage(OPCPackage) instead
      Parameters:
      opcPackage - the opc package to be handled by this thread, stored as thread-local

    • getKey

      public PrivateKey getKey()
      Returns:
      the private key

    • setKey

      public void setKey(PrivateKey key)
      Parameters:
      key - the private key

    • getSigningCertificateChain

      public List<X509Certificate> getSigningCertificateChain()
      Returns:
      the certificate chain, index 0 is usually the certificate matching the private key

    • setSigningCertificateChain

      public void setSigningCertificateChain(List<X509Certificate> signingCertificateChain)
      Parameters:
      signingCertificateChain - the certificate chain, index 0 should be the certificate matching the private key

    • getExecutionTime

      public Date getExecutionTime()
      Returns:
      the time at which the document is signed, also used for the timestamp service. defaults to now

    • setExecutionTime

      public void setExecutionTime(Date executionTime)
      Parameters:
      executionTime - sets the time at which the document ought to be signed

    • formatExecutionTime

      public String formatExecutionTime()
      Returns:
      the formatted execution time (SIGNATURE_TIME_FORMAT)
      Since:
      POI 4.0.0

    • setExecutionTime

      public void setExecutionTime(String executionTime)
      Sets the executionTime which is in standard format (SIGNATURE_TIME_FORMAT)
      Parameters:
      executionTime - the execution time
      Since:
      POI 4.0.0

    • getSignaturePolicyService

      public SignaturePolicyService getSignaturePolicyService()
      Returns:
      the service to be used for XAdES-EPES properties. There's no default implementation

    • setSignaturePolicyService

      public void setSignaturePolicyService(SignaturePolicyService signaturePolicyService)
      Parameters:
      signaturePolicyService - the service to be used for XAdES-EPES properties

    • getUriDereferencer

      @Deprecated @Removal(version="5.0.0") public URIDereferencer getUriDereferencer()
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.getUriDereferencer() instead
      Returns:
      the dereferencer used for Reference/@URI attributes, defaults to OOXMLURIDereferencer

    • setUriDereferencer

      @Deprecated @Removal(version="5.0.0") public void setUriDereferencer(URIDereferencer uriDereferencer)
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setUriDereferencer(URIDereferencer) instead
      Parameters:
      uriDereferencer - the dereferencer used for Reference/@URI attributes

    • getSignatureDescription

      public String getSignatureDescription()
      Returns:
      Gives back the human-readable description of what the citizen will be signing. The default value is "Office OpenXML Document".

    • setSignatureDescription

      public void setSignatureDescription(String signatureDescription)
      Parameters:
      signatureDescription - the human-readable description of what the citizen will be signing.

    • getSignatureImage

      public byte[] getSignatureImage()

    • getSignatureImageValid

      public byte[] getSignatureImageValid()

    • getSignatureImageInvalid

      public byte[] getSignatureImageInvalid()

    • getSignatureImageSetupId

      public ClassID getSignatureImageSetupId()

    • setSignatureImageSetupId

      public void setSignatureImageSetupId(ClassID signatureImageSetupId)

    • setSignatureImage

      public void setSignatureImage(byte[] signatureImage)

    • setSignatureImageValid

      public void setSignatureImageValid(byte[] signatureImageValid)

    • setSignatureImageInvalid

      public void setSignatureImageInvalid(byte[] signatureImageInvalid)

    • getCanonicalizationMethod

      public String getCanonicalizationMethod()
      Returns:
      the default canonicalization method, defaults to INCLUSIVE

    • setCanonicalizationMethod

      public void setCanonicalizationMethod(String canonicalizationMethod)
      Parameters:
      canonicalizationMethod - the default canonicalization method

    • getPackageSignatureId

      public String getPackageSignatureId()
      Returns:
      The signature Id attribute value used to create the XML signature. Defaults to "idPackageSignature"

    • setPackageSignatureId

      public void setPackageSignatureId(String packageSignatureId)
      Parameters:
      packageSignatureId - The signature Id attribute value used to create the XML signature. A null value will trigger an automatically generated signature Id.

    • getTspUrl

      public String getTspUrl()
      Returns:
      the url of the timestamp provider (TSP)

    • setTspUrl

      public void setTspUrl(String tspUrl)
      Parameters:
      tspUrl - the url of the timestamp provider (TSP)

    • isTspOldProtocol

      public boolean isTspOldProtocol()
      Returns:
      if true, uses timestamp-request/response mimetype, if false, timestamp-query/reply mimetype

    • setTspOldProtocol

      public void setTspOldProtocol(boolean tspOldProtocol)
      Parameters:
      tspOldProtocol - defines the timestamp-protocol mimetype
      See Also:

    • getTspDigestAlgo

      public HashAlgorithm getTspDigestAlgo()
      Returns:
      the hash algorithm to be used for the timestamp entry. Defaults to the hash algorithm of the main entry

    • setTspDigestAlgo

      public void setTspDigestAlgo(HashAlgorithm tspDigestAlgo)
      Parameters:
      tspDigestAlgo - the algorithm to be used for the timestamp entry. if null, the hash algorithm of the main entry

    • getProxyUrl

      public String getProxyUrl()
      Returns:
      the proxy url to be used for all communications. Currently this affects the timestamp service

    • setProxyUrl

      public void setProxyUrl(String proxyUrl)
      Parameters:
      proxyUrl - the proxy url to be used for all communications. Currently this affects the timestamp service

    • getTspService

      public TimeStampService getTspService()
      Returns:
      the timestamp service. Defaults to TSPTimeStampService

    • setTspService

      public void setTspService(TimeStampService tspService)
      Parameters:
      tspService - the timestamp service

    • getTspHttpClient

      public TimeStampHttpClient getTspHttpClient()
      Returns:
      the http client used for timestamp server connections
      Since:
      POI 5.2.1

    • setTspHttpClient

      public void setTspHttpClient(TimeStampHttpClient tspHttpClient)
      Parameters:
      tspHttpClient - the http client used for timestamp server connections
      Since:
      POI 5.2.1

    • getTspUser

      public String getTspUser()
      Returns:
      the user id for the timestamp service - currently only basic authorization is supported

    • setTspUser

      public void setTspUser(String tspUser)
      Parameters:
      tspUser - the user id for the timestamp service - currently only basic authorization is supported

    • getTspPass

      public String getTspPass()
      Returns:
      the password for the timestamp service

    • setTspPass

      public void setTspPass(String tspPass)
      Parameters:
      tspPass - the password for the timestamp service

    • getTspValidator

      public TimeStampServiceValidator getTspValidator()
      Returns:
      the validator for the timestamp service (certificate)

    • setTspValidator

      public void setTspValidator(TimeStampServiceValidator tspValidator)
      Parameters:
      tspValidator - the validator for the timestamp service (certificate)

    • getRevocationDataService

      public RevocationDataService getRevocationDataService()
      Returns:
      the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

    • setRevocationDataService

      public void setRevocationDataService(RevocationDataService revocationDataService)
      Parameters:
      revocationDataService - the optional revocation data service used for XAdES-C and XAdES-X-L. When null the signature will be limited to XAdES-T only.

    • getXadesDigestAlgo

      public HashAlgorithm getXadesDigestAlgo()
      Returns:
      hash algorithm used for XAdES. Defaults to the getDigestAlgo()

    • setXadesDigestAlgo

      public void setXadesDigestAlgo(HashAlgorithm xadesDigestAlgo)
      Parameters:
      xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()

    • setXadesDigestAlgo

      public void setXadesDigestAlgo(String xadesDigestAlgo)
      Parameters:
      xadesDigestAlgo - hash algorithm used for XAdES. When null, defaults to getDigestAlgo()
      Since:
      POI 4.0.0

    • getUserAgent

      public String getUserAgent()
      Returns:
      the user agent used for http communication (e.g. to the TSP)

    • setUserAgent

      public void setUserAgent(String userAgent)
      Parameters:
      userAgent - the user agent used for http communication (e.g. to the TSP)

    • getTspRequestPolicy

      public String getTspRequestPolicy()
      Returns:
      the asn.1 object id for the tsp request policy. Defaults to 1.3.6.1.4.1.13762.3

    • setTspRequestPolicy

      public void setTspRequestPolicy(String tspRequestPolicy)
      Parameters:
      tspRequestPolicy - the asn.1 object id for the tsp request policy.

    • isIncludeEntireCertificateChain

      public boolean isIncludeEntireCertificateChain()
      Returns:
      true, if the whole certificate chain is included in the signature. When false, only the signer cert will be included

    • setIncludeEntireCertificateChain

      public void setIncludeEntireCertificateChain(boolean includeEntireCertificateChain)
      Parameters:
      includeEntireCertificateChain - if true, include the whole certificate chain. If false, only include the signer cert

    • isIncludeIssuerSerial

      public boolean isIncludeIssuerSerial()
      Returns:
      if true, issuer serial number is included

    • setIncludeIssuerSerial

      public void setIncludeIssuerSerial(boolean includeIssuerSerial)
      Parameters:
      includeIssuerSerial - if true, issuer serial number is included

    • isIncludeKeyValue

      public boolean isIncludeKeyValue()
      Returns:
      if true, the key value of the public key (certificate) is included

    • setIncludeKeyValue

      public void setIncludeKeyValue(boolean includeKeyValue)
      Parameters:
      includeKeyValue - if true, the key value of the public key (certificate) is included

    • getXadesRole

      public String getXadesRole()
      Returns:
      the xades role element. If null the claimed role element is omitted. Defaults to null

    • setXadesRole

      public void setXadesRole(String xadesRole)
      Parameters:
      xadesRole - the xades role element. If null the claimed role element is omitted.

    • getXadesSignatureId

      public String getXadesSignatureId()
      Returns:
      the Id for the XAdES SignedProperties element. Defaults to idSignedProperties

    • setXadesSignatureId

      public void setXadesSignatureId(String xadesSignatureId)
      Parameters:
      xadesSignatureId - the Id for the XAdES SignedProperties element. When null defaults to idSignedProperties

    • isXadesSignaturePolicyImplied

      public boolean isXadesSignaturePolicyImplied()
      Returns:
      when true, include the policy-implied block. Defaults to true

    • setXadesSignaturePolicyImplied

      public void setXadesSignaturePolicyImplied(boolean xadesSignaturePolicyImplied)
      Parameters:
      xadesSignaturePolicyImplied - when true, include the policy-implied block

    • isXadesIssuerNameNoReverseOrder

      public boolean isXadesIssuerNameNoReverseOrder()
      Make sure the DN is encoded using the same order as present within the certificate. This is an Office2010 work-around. Should be reverted back. XXX: not correct according to RFC 4514.
      Returns:
      when true, the issuer DN is used instead of the issuer X500 principal

    • setXadesIssuerNameNoReverseOrder

      public void setXadesIssuerNameNoReverseOrder(boolean xadesIssuerNameNoReverseOrder)
      Parameters:
      xadesIssuerNameNoReverseOrder - when true, the issuer DN instead of the issuer X500 prinicpal is used

    • getSignatureMarshalListener

      public SignatureMarshalListener getSignatureMarshalListener()
      Returns:
      the event listener which is active while xml structure for the signature is created. Defaults to SignatureMarshalListener

    • setSignatureMarshalListener

      public void setSignatureMarshalListener(SignatureMarshalListener signatureMarshalListener)
      Parameters:
      signatureMarshalListener - the event listener watching the xml structure generation for the signature

    • getNamespacePrefixes

      public Map<String,String> getNamespacePrefixes()
      Returns:
      the map of namespace uri (key) to prefix (value)

    • setNamespacePrefixes

      public void setNamespacePrefixes(Map<String,String> namespacePrefixes)
      Parameters:
      namespacePrefixes - the map of namespace uri (key) to prefix (value)

    • getSignatureMethodUri

      public String getSignatureMethodUri()
      Returns:
      the uri for the signature method, i.e. currently only rsa is supported, so it's the rsa variant of the main digest

    • getDigestMethodUri

      public String getDigestMethodUri()
      Returns:
      the uri for the main digest

    • getDigestMethodUri

      public static String getDigestMethodUri(HashAlgorithm digestAlgo)
      Converts the digest algorithm - currently only sha* and ripemd160 is supported. MS Office only supports sha1, sha256, sha384, sha512.
      Parameters:
      digestAlgo - the digest algorithm
      Returns:
      the uri for the given digest

    • setSignatureMethodFromUri

      public void setSignatureMethodFromUri(String signatureMethodUri)
      Set the digest algorithm based on the method uri. This is used when a signature was successful validated and the signature configuration is updated
      Parameters:
      signatureMethodUri - the method uri
      Since:
      POI 4.0.0

    • setSignatureFactory

      @Deprecated @Removal(version="5.0.0") public void setSignatureFactory(XMLSignatureFactory signatureFactory)
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setSignatureFactory(XMLSignatureFactory)
      Parameters:
      signatureFactory - the xml signature factory, saved as thread-local

    • getSignatureFactory

      @Deprecated @Removal(version="5.0.0") public XMLSignatureFactory getSignatureFactory()
      Deprecated.
      in POI 5.0.0 - will be handled by SignatureInfo internally
      Returns:
      the xml signature factory (thread-local)

    • setKeyInfoFactory

      @Deprecated @Removal(version="5.0.0") public void setKeyInfoFactory(KeyInfoFactory keyInfoFactory)
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setKeyInfoFactory(KeyInfoFactory)
      Parameters:
      keyInfoFactory - the key factory, saved as thread-local

    • getKeyInfoFactory

      @Deprecated @Removal(version="5.0.0") public KeyInfoFactory getKeyInfoFactory()
      Deprecated.
      in POI 5.0.0 - will be handled by SignatureInfo internally
      Returns:
      the key factory (thread-local)

    • setProvider

      @Internal @Deprecated @Removal(version="5.0.0") public void setProvider(Provider provider)
      Deprecated.
      in POI 5.0.0 - use SignatureInfo.setProvider(Provider)
      Helper method to set provider
      Parameters:
      provider - the provider

    • getProvider

      @Deprecated @Removal(version="5.0.0") public Provider getProvider()
      Deprecated.
      in POI 5.0.0 - will be handled by SignatureInfo internally
      Returns:
      the cached provider or null if not set before

    • getProviderNames

      public static String[] getProviderNames()
      Determine the possible classes for XMLSEC. The order is
      1. the class pointed to by the system property "jsr105Provider"
      2. the Santuario xmlsec provider
      3. the JDK xmlsec provider
      Returns:
      a list of possible XMLSEC provider class names

    • getXadesCanonicalizationMethod

      public String getXadesCanonicalizationMethod()
      Returns:
      the cannonicalization method for XAdES-XL signing. Defaults to EXCLUSIVE
      See Also:

    • setXadesCanonicalizationMethod

      public void setXadesCanonicalizationMethod(String xadesCanonicalizationMethod)
      Parameters:
      xadesCanonicalizationMethod - the cannonicalization method for XAdES-XL signing
      See Also:

    • isUpdateConfigOnValidate

      public boolean isUpdateConfigOnValidate()
      Returns:
      true, if the signature config is to be updated based on the successful validated document
      Since:
      POI 4.0.0

    • setUpdateConfigOnValidate

      public void setUpdateConfigOnValidate(boolean updateConfigOnValidate)
      The signature config can be updated if a document is succesful validated. This flag is used for activating this modifications. Defaults to false
      Parameters:
      updateConfigOnValidate - if true, update config on validate
      Since:
      POI 4.0.0

    • isAllowMultipleSignatures

      public boolean isAllowMultipleSignatures()
      Returns:
      true, if multiple signatures can be attached
      Since:
      POI 4.1.0

    • setAllowMultipleSignatures

      public void setAllowMultipleSignatures(boolean allowMultipleSignatures)
      Activate multiple signatures
      Parameters:
      allowMultipleSignatures - if true, the signature will be added, otherwise all existing signatures will be replaced by the current
      Since:
      POI 4.1.0

    • isSecureValidation

      public boolean isSecureValidation()
      Returns:
      is secure validation enabled?
      Since:
      POI 5.2.0

    • setSecureValidation

      public void setSecureValidation(boolean secureValidation)
      Enable or disable secure validation - default is enabled.

      Starting with xmlsec 2.3.0 larger documents with a lot of document parts started to fail, because a maximum of 30 references were hard-coded allowed for secure validation to succeed.

      Secure validation has the following features:

      • Limits the number of Transforms per Reference to a maximum of 5.
      • Does not allow XSLT transforms.
      • Does not allow a RetrievalMethod to reference another RetrievalMethod.
      • Does not allow a Reference to call the ResolverLocalFilesystem or the ResolverDirectHTTP (references to local files and HTTP resources are forbidden).
      • Limits the number of references per Manifest (SignedInfo) to a maximum of 30.
      • MD5 is not allowed as a SignatureAlgorithm or DigestAlgorithm.
      • Guarantees that the Dereferenced Element returned via Document.getElementById is unique by performing a tree-search.
      • Does not allow DTDs
      Since:
      POI 5.2.0
      See Also:

    • getCommitmentType

      public String getCommitmentType()

    • setCommitmentType

      public void setCommitmentType(String commitmentType)
      Set the commitmentType, which is usually one of ...
      • "Created and approved this document"
      • "Approved this document"
      • "Created this document"
      • ... or any other important sounding statement

    • addCRL

      public SignatureConfig.CRLEntry addCRL(String crlURL, String certCN, byte[] crlBytes)

    • getCrlEntries

      public List<SignatureConfig.CRLEntry> getCrlEntries()

    • isAllowCRLDownload

      public boolean isAllowCRLDownload()

    • setAllowCRLDownload

      public void setAllowCRLDownload(boolean allowCRLDownload)

    • getKeyStore

      public KeyStore getKeyStore()
      Returns:
      keystore with cached certificates

    • addCachedCertificate

      public void addCachedCertificate(String alias, X509Certificate x509) throws KeyStoreException
      Add certificate into keystore (cache) for further certificate chain lookups
      Parameters:
      alias - the alias, or null if alias is taken from common name attribute of certificate
      x509 - the x509 certificate
      Throws:
      KeyStoreException

    • addCachedCertificate

      public void addCachedCertificate(String alias, byte[] x509Bytes) throws KeyStoreException, CertificateException
      Throws:
      KeyStoreException
      CertificateException

    • getCachedCertificateByPrinicipal

      public X509Certificate getCachedCertificateByPrinicipal(String principalName)