iSaSiLk 5.105 Maintenance release fixes some ECC related issues.
New versions of our CMS based toolkits IAIK-CMS, IAIK-TSP and [CP]AdES are now available for download! [CP]AdES now supports CAdES/PAdES LTA level signatures, Content Time Stamp and Archive Time Stamp (v3) Validation according to the most recent ETSI EN 319 122-1 and TS 101 733 standards.
The IAIK [CP]AdES toolkit abstracts the creation and verification of signed PDF documents and CAdES signatures. The structure of the toolkit is highly similar to a typical signature engine in the JCA/JCE framework and allows you to easily create signatures compliant to the PAdES and CAdES specifications by using dedicated parameter classes. The official ETSI website providing these specifications can be found here.
The PAdES specifications (ETSI TS 102 778 and ETSI EN 319 142-1 v1.1.1) define the format of an electronic signature, that shall be embedded in the PDF document as signature field. Aside from XML related profiles, all of the described PAdES profiles or signature levels are supported. To sign or verify a PDF document, create a PDFSignatureInstance. Via dedicated parameter classes the intended profile can be selected. If you need a PAdES basic signature, use PadesBasicParameters and choose whether a SHA1-hash of the original data shall be included in the signature (subfilter adbe.pkcs7.sha1) or not (subfilter adbe.pkcs7.detached). For a PAdES BES signature use the PadesBESParameters (subfilter ETSI.CAdES.detached). These parameter classes allow to set revocation information and a timestamp authority, in order to include CRLS, OCSP responses and a signature timestamp. In order to include certificates and revocation information (CRLS, OCSP responses) required for a complete signature validation as specified by the PAdES LTV profile, use PadesLTVParameters. Pass these parameters to the signature instance when protecting the document with a document timestamp (subfilter ETSI.RFC3161).
Similar to the PAdES profiles, several formats are defined for CAdES in the specifications ETSI TS 101 733 and ETSI EN 319 122-1 v1.1.1. This toolkit neither supports the legacy signatures CAdES-C and CAdES-X, nor any older versions of the archive timestamp than archive-time-stamp-v3. The classes CadesSignature and CadesSignatureStream provide methods to create or verify CAdES signatures. Use the appropriate parameter classes (CadesBESParameters, CadesTParameters, CadesLTAParameters) to create a signature compliant to the required format.
A complete signature validation is not implemented, but the toolkit rather provides various methods that can be used for such a validation. To verify PAdES signatures, they first have to be extracted by using a PDF signature instance. For parsing a CAdES signature it has to be processed by a CadesSignature or CadesSignatureStream. For each signature various checks can be made according to the signature type (e.g. standard signature or document timestamp). This includes digest and signature value verification, as well as extraction of revocation data and timestamps (if included).
The IAIK [CP]AdES toolkit uses either the PDF library iText (http://itextpdf.com/) or Apache PDFBox (http://pdfbox.apache.org) for handling and modifying the PDF structure, i.e. for extracting and embedding signatures and related data. These PDF libraries will not be provided within the IAIK [CP]AdES toolkit package and have to be obtained from the respective websites. Please note that for using iText a correctly licensed version 5.3.4 or higher is required and version 1.8.0 or higher for using Apache PDFBox. The latest versions that had been tested with this toolkit were 1.8.11 for Apache PDFBox and 5.5.9 for the iText library.
Cryptographic data like signature and hash values, CMS signatures, OCSP responses and timestamps are created by IAIK toolkits. The [CP]AdES toolkit is therefore based on IAIK JCE, IAIK CMS and IAIK TSP. You may further need IAIK ECCelerate or the IAIK PKCS#11 provider when using ECC keys or PKCS#11 token objects.
For detailed information on the toolkit, please have a look at the API documentation.