Class CMSSignedDataBuilder

java.lang.Object
eu.europa.esig.dss.spi.x509.CMSSignedDataBuilder

public class CMSSignedDataBuilder extends Object
Builds a CMSSignedData
  • Constructor Details

    • CMSSignedDataBuilder

      public CMSSignedDataBuilder()
      This is the default constructor for CMSSignedDataBuilder.
  • Method Details

    • setSigningCertificate

      public CMSSignedDataBuilder setSigningCertificate(CertificateToken signingCertificate)
      Sets a signing-certificate to be used for CMSSignedData generation
      Parameters:
      signingCertificate - CertificateToken
      Returns:
      this CMSSignedDataBuilder
    • setCertificateChain

      public CMSSignedDataBuilder setCertificateChain(Collection<CertificateToken> certificateChain)
      Sets a collection of certificates to be incorporated within the CMSSignedData.certificates field
      Parameters:
      certificateChain - a collection of CertificateTokens
      Returns:
      this CMSSignedDataBuilder
    • setGenerateWithoutCertificates

      public CMSSignedDataBuilder setGenerateWithoutCertificates(boolean generateWithoutCertificates)
      Sets whether CMSSignedData is to be generated without certificates inside. Default : FALSE (an attempt to generate without certificates will result in an exception)
      Parameters:
      generateWithoutCertificates - whether CMSSignedData is to be generated without certificates
      Returns:
      this CMSSignedDataBuilder
    • setTrustedCertificateSource

      public CMSSignedDataBuilder setTrustedCertificateSource(CertificateSource trustedCertificateSource)
      Sets a trusted certificate source. See trustAnchorBPPolicy for more details.
      Parameters:
      trustedCertificateSource - CertificateSource
      Returns:
      this CMSSignedDataBuilder
    • setTrustAnchorBPPolicy

      public CMSSignedDataBuilder setTrustAnchorBPPolicy(boolean trustAnchorBPPolicy)
      Sets whether a B-level trust anchor policy should be used. When enabled, the trust anchor is not included in the generated certificate chain. Otherwise, the chain is generated up to a trust anchor, including the trust anchor itself. Default : TRUE (the certificate chain will be generated up to, but excluding, a trust anchor)
      Parameters:
      trustAnchorBPPolicy - whether a B-level trust anchor policy should be used
      Returns:
      this CMSSignedDataBuilder
    • setOriginalCMSSignedData

      public CMSSignedDataBuilder setOriginalCMSSignedData(org.bouncycastle.cms.CMSSignedData originalCMSSignedData)
      Sets the original CMSSignedData, whose internal field values will be copied to a new CMSSignedData
      Parameters:
      originalCMSSignedData - CMSSignedData
      Returns:
      this CMSSignedDataBuilder
    • setEncapsulate

      public CMSSignedDataBuilder setEncapsulate(boolean encapsulate)
      Sets whether the signer content shall be encapsulated in the CMSSignedData. When enabled, an enveloping signature is created; otherwise, a detached signature is created. Default : TRUE (the signer content is included in the signature)
      Parameters:
      encapsulate - whether signer content shall be encapsulated to the CMSSignedData
      Returns:
      this CMSSignedDataBuilder
    • createCMSSignedData

      public org.bouncycastle.cms.CMSSignedData createCMSSignedData(org.bouncycastle.cms.SignerInfoGenerator signerInfoGenerator, DSSDocument toSignDocument)
      Builds a CMSSignedData
      Parameters:
      signerInfoGenerator - SignerInfoGenerator
      toSignDocument - DSSDocument
      Returns:
      CMSSignedData
    • createCMSSignedDataGenerator

      public org.bouncycastle.cms.CMSSignedDataGenerator createCMSSignedDataGenerator(org.bouncycastle.cms.SignerInfoGenerator signerInfoGenerator)
      Note: Section 5.1 of RFC 3852 [4] requires that the CMS SignedData version be set to 3 if certificates from SignedData are present AND (any version 1 attribute certificates are present OR any SignerInfo structures are version 3 OR eContentType from encapContentInfo is other than id-data). Otherwise, the CMS SignedData version is required to be set to 1. The CMS SignedData version is handled automatically by BouncyCastle.
      Parameters:
      signerInfoGenerator - the signer info generator
      Returns:
      the bouncycastle signed data generator which signs the document and adds the required signed and unsigned CMS attributes
    • getContentToBeSigned

      protected org.bouncycastle.cms.CMSTypedData getContentToBeSigned(DSSDocument toSignData)
      Returns the content to be signed
      Parameters:
      toSignData - DSSDocument to sign
      Returns:
      CMSTypedData
    • extendCMSSignedData

      public org.bouncycastle.cms.CMSSignedData extendCMSSignedData(Collection<CertificateToken> certificateTokens, Collection<CRLToken> crlTokens, Collection<OCSPToken> ocspTokens)
      Extends the provided cmsSignedData with the required validation data
      Parameters:
      certificateTokens - a collection of CertificateTokens
      crlTokens - a collection of CRLTokens
      ocspTokens - a collection of OCSPTokens
      Returns:
      extended CMSSignedData
    • populateDigestAlgorithmSet

      protected org.bouncycastle.cms.CMSSignedData populateDigestAlgorithmSet(org.bouncycastle.cms.CMSSignedData newCmsSignedData)
      This method is used to ensure the presence of all items from the SignedData.digestAlgorithms set of originalCMSSignedData within newCmsSignedData
      Parameters:
      newCmsSignedData - CMSSignedData to be extended with digest algorithms, if required
      Returns:
      extended CMSSignedData
    • addDigestAlgorithm

      protected org.bouncycastle.cms.CMSSignedData addDigestAlgorithm(org.bouncycastle.cms.CMSSignedData cmsSignedData, org.bouncycastle.asn1.x509.AlgorithmIdentifier algorithmIdentifier)
      This method adds a DigestAlgorithm used by an Archive TimeStamp to the SignedData.digestAlgorithms set, when required. See ETSI EN 319 122-1, ch. "5.5.3 The archive-time-stamp-v3 attribute"
      Parameters:
      cmsSignedData - CMSSignedData to extend
      algorithmIdentifier - AlgorithmIdentifier to add
      Returns:
      CMSSignedData