Java 类org.bouncycastle.asn1.esf.RevocationValues 实例源码

项目:dss    文件:CAdESOCSPSource.java   
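/**
 * Collects the OCSP responses embedded in the CMS signature.
 * <p>
 * Responses are gathered first through the two SignedData helpers and then from the
 * {@code id_aa_ets_revocationValues} unsigned attribute of the signer, when that attribute is present.
 * <p>
 * Security note: the revocation-values attribute is read from the <em>unsigned</em> attribute table, which
 * the signer's signature does not cover, so its content can be changed after signing without invalidating
 * the signature. Nothing in this method verifies the responses it returns; callers are expected to check
 * each response's own signature, responder authorisation and validity period before relying on it.
 *
 * @return the list built by this method, never {@code null}
 */
@Override
public List<BasicOCSPResp> getContainedOCSPResponses() {

    final List<BasicOCSPResp> basicOCSPResps = new ArrayList<BasicOCSPResp>();
    // Add OCSPs from SignedData
    addBasicOcspRespFrom_id_pkix_ocsp_basic(basicOCSPResps);
    addBasicOcspRespFrom_id_ri_ocsp_response(basicOCSPResps);
    // Adds OCSP responses in -XL id_aa_ets_revocationValues inside SignerInfo attribute if present
    if (signerInformation != null) {

        final AttributeTable attributes = signerInformation.getUnsignedAttributes();
        if (attributes != null) {

            final Attribute attribute = attributes.get(PKCSObjectIdentifiers.id_aa_ets_revocationValues);
            /*
            ETSI TS 101 733 V2.2.1 (2013-04) page 43
               6.3.4 revocation-values Attribute Definition
               This attribute is used to contain the revocation information required for the following forms of extended electronic
               signature: CAdES-X Long, ES X-Long Type 1, and CAdES-X Long Type 2, see clause B.1.1 for an illustration of
               this form of electronic signature.
               The revocation-values attribute is an unsigned attribute. Only a single instance of this attribute shall occur with
               an electronic signature. It holds the values of CRLs and OCSP referenced in the
               complete-revocation-references attribute.

               RevocationValues ::= SEQUENCE {
               crlVals [0] SEQUENCE OF CertificateList OPTIONAL,
               ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL,
               otherRevVals [2] OtherRevVals OPTIONAL}
             */
            if (attribute != null) {

                final ASN1Set attrValues = attribute.getAttrValues();
                // The attribute is unsigned and therefore untrusted input: an attribute carrying an empty
                // value SET would make getObjectAt(0) fail with an unchecked exception and abort the whole
                // extraction, so it is skipped instead. Only the first value is read, matching the
                // "single instance" wording quoted above.
                if (attrValues.size() > 0) {

                    final ASN1Encodable attValue = attrValues.getObjectAt(0);
                    // NOTE(review): getInstance may still throw an unchecked exception when the value is
                    // not a RevocationValues structure - confirm how callers are expected to handle that.
                    final RevocationValues revocationValues = RevocationValues.getInstance(attValue);
                    for (final BasicOCSPResponse basicOCSPResponse : revocationValues.getOcspVals()) {

                        final BasicOCSPResp basicOCSPResp = new BasicOCSPResp(basicOCSPResponse);
                        addBasicOcspResp(basicOCSPResps, basicOCSPResp);
                    }
                }
                /* TODO: should add also OtherRevVals, but:
                 "The syntax and semantics of the other revocation values (OtherRevVals) are outside the scope of the present
                   document. The definition of the syntax of the other form of revocation information is as identified by
                   OtherRevRefType."
                 */
            }

        }
    }

    /* TODO (pades): Read revocation data from unsigned attribute  1.2.840.113583.1.1.8
         In the PKCS #7 object of a digital signature in a PDF file, identifies a signed attribute
         that "can include all the revocation information that is necessary to carry out revocation
         checks for the signer's certificate and its issuer certificates."
         Defined as adbe-revocationInfoArchival { adbe(1.2.840.113583) acrobat(1) security(1) 8 } in "PDF Reference, fifth edition: Adobe® Portable Document Format, Version 1.6" Adobe Systems Incorporated, 2004.
         http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf page 698

         RevocationInfoArchival ::= SEQUENCE {
           crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
           ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
           otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
         }
         OtherRevInfo ::= SEQUENCE {
           Type OBJECT IDENTIFIER
           Value OCTET STRING
         }

         NOTE(review): the first line of this TODO says "unsigned attribute" while the quoted reference text
         says "signed attribute". Which table is read decides whether the data is covered by the signature,
         so confirm against the reference before implementing.
     */
    return basicOCSPResps;
}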
项目:dss    文件:CAdESCRLSource.java   
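/**
 * Loads the CRLs embedded in the CMS signature into this source through {@code addX509CRLHolder}.
 * <p>
 * CRLs are taken first from the SignedData CRL store and then from the {@code crlVals} field of the
 * {@code id_aa_ets_revocationValues} unsigned attribute of the signer, when that attribute is present.
 * <p>
 * Security note: the revocation-values attribute is read from the <em>unsigned</em> attribute table, which
 * the signer's signature does not cover, so its content can be changed after signing without invalidating
 * the signature. Nothing in this method verifies the CRLs it collects; each CRL's issuer signature and
 * validity period have to be checked before the CRL is relied on.
 */
private void extract() {

    // Adds CRLs contained in SignedData
    final Store<X509CRLHolder> crLs = cmsSignedData.getCRLs();
    // A null selector asks the store for every entry.
    final Collection<X509CRLHolder> collection = crLs.getMatches(null);
    for (final X509CRLHolder x509CRLHolder : collection) {
        addX509CRLHolder(x509CRLHolder);
    }

    // Adds CRLs in -XL ... inside SignerInfo attribute if present
    if (signerInformation != null) {

        final AttributeTable attributes = signerInformation.getUnsignedAttributes();
        if (attributes != null) {
            /*
             * ETSI TS 101 733 V2.2.1 (2013-04) page 43
             * 6.3.4 revocation-values Attribute Definition
             * This attribute is used to contain the revocation information required for the following forms of
             * extended electronic
             * signature: CAdES-X Long, ES X-Long Type 1, and CAdES-X Long Type 2, see clause B.1.1 for an
             * illustration of
             * this form of electronic signature.
             * The revocation-values attribute is an unsigned attribute. Only a single instance of this attribute
             * shall occur with
             * an electronic signature. It holds the values of CRLs and OCSP referenced in the
             * complete-revocation-references attribute.
             * 
             * RevocationValues ::= SEQUENCE {
             * crlVals [0] SEQUENCE OF CertificateList OPTIONAL,
             * ocspVals [1] SEQUENCE OF BasicOCSPResponse OPTIONAL,
             * otherRevVals [2] OtherRevVals OPTIONAL}
             */
            final Attribute attribute = attributes.get(PKCSObjectIdentifiers.id_aa_ets_revocationValues);
            if (attribute != null) {

                final ASN1Set attrValues = attribute.getAttrValues();
                // The attribute is unsigned and therefore untrusted input: an attribute carrying an empty
                // value SET would make getObjectAt(0) fail with an unchecked exception and abort the whole
                // extraction, so it is skipped instead. Only the first value is read, matching the
                // "single instance" wording quoted above.
                if (attrValues.size() > 0) {

                    final ASN1Encodable attValue = attrValues.getObjectAt(0);
                    // NOTE(review): getInstance may still throw an unchecked exception when the value is
                    // not a RevocationValues structure - confirm how callers are expected to handle that.
                    final RevocationValues revValues = RevocationValues.getInstance(attValue);
                    for (final CertificateList revValue : revValues.getCrlVals()) {
                        addX509CRLHolder(new X509CRLHolder(revValue));
                    }
                }
            }
        }

        /*
         * TODO (pades): Read revocation data from unsigned attribute 1.2.840.113583.1.1.8
         * In the PKCS #7 object of a digital signature in a PDF file, identifies a signed attribute
         * that "can include all the revocation information that is necessary to carry out revocation
         * checks for the signer's certificate and its issuer certificates."
         * Defined as adbe-revocationInfoArchival { adbe(1.2.840.113583) acrobat(1) security(1) 8 } in
         * "PDF Reference, fifth edition: Adobe® Portable Document Format, Version 1.6" Adobe Systems Incorporated,
         * 2004.
         * http://partners.adobe.com/public/developer/en/pdf/PDFReference16.pdf page 698
         * 
         * RevocationInfoArchival ::= SEQUENCE {
         * crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
         * ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
         * otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
         * }
         * OtherRevInfo ::= SEQUENCE {
         * Type OBJECT IDENTIFIER
         * Value OCTET STRING
         * }
         *
         * NOTE(review): the first line of this TODO says "unsigned attribute" while the quoted reference
         * text says "signed attribute". Which table is read decides whether the data is covered by the
         * signature, so confirm against the reference before implementing.
         */

        // TODO: (Bob: 2013 Dec 03) --> NICOLAS: Is there any other container within the CAdES signature with
        // revocation data? (ie: timestamp)
    }
}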