es.uji.security.crypto.pdf.PdfPKCS7TSA.java Source code

Java tutorial

Introduction

Here is the source code for es.uji.security.crypto.pdf.PdfPKCS7TSA.java

Source

/*                                                                                                  
 * Copyright 2004 by Paulo Soares.                                                                  
 *                                                                                                  
 * The contents of this file are subject to the Mozilla Public License Version 1.1                  
 * (the "License"); you may not use this file except in compliance with the License.                
 * You may obtain a copy of the License at http://www.mozilla.org/MPL/                              
 *                                                                                                  
 * Software distributed under the License is distributed on an "AS IS" basis,                       
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License                         
 * for the specific language governing rights and limitations under the License.                    
 *                                                                                                  
 * The Original Code is 'iText, a free JAVA-PDF library'.                                           
 *                                                                                                  
 * The Initial Developer of the Original Code is Bruno Lowagie. Portions created by                 
 * the Initial Developer are Copyright (C) 1999, 2000, 2001, 2002 by Bruno Lowagie.                 
 * All Rights Reserved.                                                                             
 * Co-Developer of the code is Paulo Soares. Portions created by the Co-Developer                   
 * are Copyright (C) 2000, 2001, 2002 by Paulo Soares. All Rights Reserved.                         
 *                                                                                                  
 * Contributor(s): all the names of the contributors are added in the source code                   
 * where applicable.                                                                                
 *                                                                                                  
 * Alternatively, the contents of this file may be used under the terms of the                      
 * LGPL license (the "GNU LIBRARY GENERAL PUBLIC LICENSE"), in which case the                       
 * provisions of LGPL are applicable instead of those above.  If you wish to                        
 * allow use of your version of this file only under the terms of the LGPL                          
 * License and not to allow others to use your version of this file under                           
 * the MPL, indicate your decision by deleting the provisions above and                             
 * replace them with the notice and other provisions required by the LGPL.                          
 * If you do not delete the provisions above, a recipient may use your version                      
 * of this file under either the MPL or the GNU LIBRARY GENERAL PUBLIC LICENSE.                     
 *                                                                                                  
 * This library is free software; you can redistribute it and/or modify it                          
 * under the terms of the MPL as stated above or under the terms of the GNU                         
 * Library General Public License as published by the Free Software Foundation;                     
 * either version 2 of the License, or any later version.                                           
 *                                                                                                  
 * This library is distributed in the hope that it will be useful, but WITHOUT                      
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS                    
 * FOR A PARTICULAR PURPOSE. See the GNU Library general Public License for more                    
 * details.                                                                                         
 *                                                                                                  
 * If you didn't download this code from the following link, you should check if                    
 * you aren't using an obsolete version:                                                            
 * http://www.lowagie.com/iText/                                                                    
 */

/**
 * 10-11-2009
 * Modified by Paul -> stripped out everything that has not to do with timestamping and pre calculated ocsp. 
 * 
 * */

package es.uji.security.crypto.pdf;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1OutputStream;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DEREnumerated;
import org.bouncycastle.asn1.DERInteger;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DERObject;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTCTime;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.provider.X509CRLParser;
import org.bouncycastle.jce.provider.X509CertParser;
import org.bouncycastle.ocsp.BasicOCSPResp;
import org.bouncycastle.ocsp.CertificateID;
import org.bouncycastle.ocsp.SingleResp;

import com.lowagie.text.ExceptionConverter;

import es.uji.security.crypto.timestamp.TSResponse;
import es.uji.security.crypto.timestamp.TimeStampFactory;
import es.uji.security.crypto.timestamp.TimestampToken;

/**
 * This class does all the processing related to signing and verifying a PKCS#7
 * signature.                                                                  
 * <p>                                                                         
 * It's based in code found at org.bouncycastle.                               
 */
public class PdfPKCS7TSA {

    private byte sigAttr[];
    private byte digestAttr[];
    private int version, signerversion;
    private Set digestalgos;
    private Collection certs, crls, signCerts;
    private X509Certificate signCert;
    private byte[] digest;
    private MessageDigest messageDigest;
    private String digestAlgorithm, digestEncryptionAlgorithm;
    private Signature sig;
    private transient PrivateKey privKey;
    private byte RSAdata[];
    private boolean verified;
    private boolean verifyResult;
    private byte externalDigest[];
    private byte externalRSAdata[];
    private Provider provider;

    private static final String ID_PKCS7_DATA = "1.2.840.113549.1.7.1";
    private static final String ID_PKCS7_SIGNED_DATA = "1.2.840.113549.1.7.2";
    private static final String ID_RSA = "1.2.840.113549.1.1.1";
    private static final String ID_DSA = "1.2.840.10040.4.1";
    private static final String ID_CONTENT_TYPE = "1.2.840.113549.1.9.3";
    private static final String ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4";
    private static final String ID_SIGNING_TIME = "1.2.840.113549.1.9.5";
    private static final String ID_ADBE_REVOCATION = "1.2.840.113583.1.1.8";
    /**                                                                       
     * Holds value of property reason.                                        
     */
    private String reason;

    /**                                                                       
     * Holds value of property location.                                      
     */
    private String location;

    /**                                                                       
     * Holds value of property signDate.                                      
     */
    private Calendar signDate;

    /**                                                                       
     * Holds value of property signName.                                      
     */
    private String signName;

    private TimestampToken timeStampToken;

    private static final HashMap digestNames = new HashMap();
    private static final HashMap algorithmNames = new HashMap();
    private static final HashMap allowedDigests = new HashMap();

    static {

        digestNames.put("1.3.14.3.2.26", "SHA1");
        digestNames.put("2.16.840.1.101.3.4.2.4", "SHA224");
        digestNames.put("2.16.840.1.101.3.4.2.1", "SHA256");
        digestNames.put("2.16.840.1.101.3.4.2.2", "SHA384");
        digestNames.put("2.16.840.1.101.3.4.2.3", "SHA512");

        digestNames.put("1.2.840.113549.1.1.5", "SHA1");
        digestNames.put("1.2.840.113549.1.1.14", "SHA224");
        digestNames.put("1.2.840.113549.1.1.11", "SHA256");
        digestNames.put("1.2.840.113549.1.1.12", "SHA384");
        digestNames.put("1.2.840.113549.1.1.13", "SHA512");

        digestNames.put("1.2.840.10040.4.3", "SHA1");
        digestNames.put("2.16.840.1.101.3.4.3.1", "SHA224");
        digestNames.put("2.16.840.1.101.3.4.3.2", "SHA256");
        digestNames.put("2.16.840.1.101.3.4.3.3", "SHA384");
        digestNames.put("2.16.840.1.101.3.4.3.4", "SHA512");

        algorithmNames.put("1.2.840.113549.1.1.1", "RSA");

        algorithmNames.put("1.2.840.113549.1.1.2", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.4", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.5", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.14", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.11", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.12", "RSA");
        algorithmNames.put("1.2.840.113549.1.1.13", "RSA");

        algorithmNames.put("1.3.36.3.3.1.3", "RSA");
        algorithmNames.put("1.3.36.3.3.1.2", "RSA");
        algorithmNames.put("1.3.36.3.3.1.4", "RSA");

        allowedDigests.put("SHA1", "1.3.14.3.2.26");
        allowedDigests.put("SHA224", "2.16.840.1.101.3.4.2.4");
        allowedDigests.put("SHA256", "2.16.840.1.101.3.4.2.1");
        allowedDigests.put("SHA384", "2.16.840.1.101.3.4.2.2");
        allowedDigests.put("SHA512", "2.16.840.1.101.3.4.2.3");
        allowedDigests.put("SHA-1", "1.3.14.3.2.26");
        allowedDigests.put("SHA-224", "2.16.840.1.101.3.4.2.4");
        allowedDigests.put("SHA-256", "2.16.840.1.101.3.4.2.1");
        allowedDigests.put("SHA-384", "2.16.840.1.101.3.4.2.2");
        allowedDigests.put("SHA-512", "2.16.840.1.101.3.4.2.3");
    }

    /**                                                                       
     * Gets the digest name for a certain id                                  
     * @param oid       an id (for instance "1.2.840.113549.2.5")             
     * @return  a digest name (for instance "MD5")                            
     * @since   2.1.6                                                         
     */
    public static String getDigest(String oid) {
        String ret = (String) digestNames.get(oid);
        if (ret == null)
            return oid;
        else
            return ret;
    }

    /**                                                                       
     * Gets the algorithm name for a certain id.                              
     * @param oid       an id (for instance "1.2.840.113549.1.1.1")           
     * @return  an algorithm name (for instance "RSA")                        
     * @since   2.1.6                                                         
     */
    public static String getAlgorithm(String oid) {
        String ret = (String) algorithmNames.get(oid);
        if (ret == null)
            return oid;
        else
            return ret;
    }

    /**                                                                       
     * Gets the timestamp token if there is one.                              
     * @return the timestamp token or null                                    
     * @since   2.1.6                                                         
     */
    public TimestampToken getTimeStampToken() {
        return timeStampToken;
    }

    /**                                                                       
     * Gets the timestamp date                                                
     * @return  a date                                                        
     * @since   2.1.6                                                         
     */
    public Calendar getTimeStampDate() {
        if (timeStampToken == null)
            return null;
        Calendar cal = new GregorianCalendar();
        Date date = timeStampToken.getDate();
        cal.setTime(date);
        return cal;
    }

    /**                                                                       
     * Verifies a signature using the sub-filter adbe.x509.rsa_sha1.          
     * @param contentsKey the /Contents key                                   
     * @param certsKey the /Cert key                                          
     * @param provider the provider or <code>null</code> for the default provider
     */
    public PdfPKCS7TSA(byte[] contentsKey, byte[] certsKey, Provider provider) {
        try {
            this.provider = provider;
            X509CertParser cr = new X509CertParser();
            cr.engineInit(new ByteArrayInputStream(certsKey));
            certs = cr.engineReadAll();
            signCerts = certs;
            signCert = (X509Certificate) certs.iterator().next();
            crls = new ArrayList();
            ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(contentsKey));
            digest = ((DEROctetString) in.readObject()).getOctets();
            if (provider == null)
                sig = Signature.getInstance("SHA1withRSA");
            else
                sig = Signature.getInstance("SHA1withRSA", provider);
            sig.initVerify(signCert.getPublicKey());
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    private BasicOCSPResp basicResp;

    /**                                                                                     
     * Gets the OCSP basic response if there is one.                                        
     * @return the OCSP basic response or null                                              
     * @since   2.1.6                                                                       
     */
    public BasicOCSPResp getOcsp() {
        return basicResp;
    }

    private void findOcsp(ASN1Sequence seq) throws IOException {
        basicResp = null;
        boolean ret = false;
        while (true) {
            if ((seq.getObjectAt(0) instanceof DERObjectIdentifier) && ((DERObjectIdentifier) seq.getObjectAt(0))
                    .getId().equals(OCSPObjectIdentifiers.id_pkix_ocsp_basic.getId())) {
                break;
            }
            ret = true;
            for (int k = 0; k < seq.size(); ++k) {
                if (seq.getObjectAt(k) instanceof ASN1Sequence) {
                    seq = (ASN1Sequence) seq.getObjectAt(0);
                    ret = false;
                    break;
                }
                if (seq.getObjectAt(k) instanceof ASN1TaggedObject) {
                    ASN1TaggedObject tag = (ASN1TaggedObject) seq.getObjectAt(k);
                    if (tag.getObject() instanceof ASN1Sequence) {
                        seq = (ASN1Sequence) tag.getObject();
                        ret = false;
                        break;
                    } else
                        return;
                }
            }
            if (ret)
                return;
        }
        DEROctetString os = (DEROctetString) seq.getObjectAt(1);
        ASN1InputStream inp = new ASN1InputStream(os.getOctets());
        BasicOCSPResponse resp = BasicOCSPResponse.getInstance(inp.readObject());
        basicResp = new BasicOCSPResp(resp);
    }

    /**                                                                                                                        
     * Verifies a signature using the sub-filter adbe.pkcs7.detached or                                                        
     * adbe.pkcs7.sha1.                                                                                                        
     * @param contentsKey the /Contents key                                                                                    
     * @param provider the provider or <code>null</code> for the default provider                                              
     */
    public PdfPKCS7TSA(byte[] contentsKey, Provider provider) {
        try {
            this.provider = provider;
            ASN1InputStream din = new ASN1InputStream(new ByteArrayInputStream(contentsKey));

            //
            // Basic checks to make sure it's a PKCS#7 SignedData Object
            //                                                          
            DERObject pkcs;

            try {
                pkcs = din.readObject();
            } catch (IOException e) {
                throw new IllegalArgumentException("can't decode PKCS7SignedData object");
            }
            if (!(pkcs instanceof ASN1Sequence)) {
                throw new IllegalArgumentException("Not a valid PKCS#7 object - not a sequence");
            }
            ASN1Sequence signedData = (ASN1Sequence) pkcs;
            DERObjectIdentifier objId = (DERObjectIdentifier) signedData.getObjectAt(0);
            if (!objId.getId().equals(ID_PKCS7_SIGNED_DATA))
                throw new IllegalArgumentException("Not a valid PKCS#7 object - not signed data");
            ASN1Sequence content = (ASN1Sequence) ((DERTaggedObject) signedData.getObjectAt(1)).getObject();
            // the positions that we care are:                                                            
            //     0 - version                                                                            
            //     1 - digestAlgorithms                                                                   
            //     2 - possible ID_PKCS7_DATA                                                             
            //     (the certificates and crls are taken out by other means)                               
            //     last - signerInfos                                                                     

            // the version
            version = ((DERInteger) content.getObjectAt(0)).getValue().intValue();

            // the digestAlgorithms
            digestalgos = new HashSet();
            Enumeration e = ((ASN1Set) content.getObjectAt(1)).getObjects();
            while (e.hasMoreElements()) {
                ASN1Sequence s = (ASN1Sequence) e.nextElement();
                DERObjectIdentifier o = (DERObjectIdentifier) s.getObjectAt(0);
                digestalgos.add(o.getId());
            }

            // the certificates and crls
            X509CertParser cr = new X509CertParser();
            cr.engineInit(new ByteArrayInputStream(contentsKey));
            certs = cr.engineReadAll();
            X509CRLParser cl = new X509CRLParser();
            cl.engineInit(new ByteArrayInputStream(contentsKey));
            crls = cl.engineReadAll();

            // the possible ID_PKCS7_DATA
            ASN1Sequence rsaData = (ASN1Sequence) content.getObjectAt(2);
            if (rsaData.size() > 1) {
                DEROctetString rsaDataContent = (DEROctetString) ((DERTaggedObject) rsaData.getObjectAt(1))
                        .getObject();
                RSAdata = rsaDataContent.getOctets();
            }

            // the signerInfos
            int next = 3;
            while (content.getObjectAt(next) instanceof DERTaggedObject)
                ++next;
            ASN1Set signerInfos = (ASN1Set) content.getObjectAt(next);
            if (signerInfos.size() != 1)
                throw new IllegalArgumentException(
                        "This PKCS#7 object has multiple SignerInfos - only one is supported at this time");
            ASN1Sequence signerInfo = (ASN1Sequence) signerInfos.getObjectAt(0);
            // the positions that we care are                                                                                  
            //     0 - version                                                                                                 
            //     1 - the signing certificate serial number                                                                   
            //     2 - the digest algorithm                                                                                    
            //     3 or 4 - digestEncryptionAlgorithm                                                                          
            //     4 or 5 - encryptedDigest                                                                                    
            signerversion = ((DERInteger) signerInfo.getObjectAt(0)).getValue().intValue();
            // Get the signing certificate                                                                                     
            ASN1Sequence issuerAndSerialNumber = (ASN1Sequence) signerInfo.getObjectAt(1);
            BigInteger serialNumber = ((DERInteger) issuerAndSerialNumber.getObjectAt(1)).getValue();
            for (Iterator i = certs.iterator(); i.hasNext();) {
                X509Certificate cert = (X509Certificate) i.next();
                if (serialNumber.equals(cert.getSerialNumber())) {
                    signCert = cert;
                    break;
                }
            }
            if (signCert == null) {
                throw new IllegalArgumentException(
                        "Can't find signing certificate with serial " + serialNumber.toString(16));
            }
            signCertificateChain();
            digestAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0))
                    .getId();
            next = 3;
            if (signerInfo.getObjectAt(next) instanceof ASN1TaggedObject) {
                ASN1TaggedObject tagsig = (ASN1TaggedObject) signerInfo.getObjectAt(next);
                ASN1Set sseq = ASN1Set.getInstance(tagsig, false);
                sigAttr = sseq.getEncoded(ASN1Encodable.DER);

                for (int k = 0; k < sseq.size(); ++k) {
                    ASN1Sequence seq2 = (ASN1Sequence) sseq.getObjectAt(k);
                    if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_MESSAGE_DIGEST)) {
                        ASN1Set set = (ASN1Set) seq2.getObjectAt(1);
                        digestAttr = ((DEROctetString) set.getObjectAt(0)).getOctets();
                    } else if (((DERObjectIdentifier) seq2.getObjectAt(0)).getId().equals(ID_ADBE_REVOCATION)) {
                        ASN1Set setout = (ASN1Set) seq2.getObjectAt(1);
                        ASN1Sequence seqout = (ASN1Sequence) setout.getObjectAt(0);
                        for (int j = 0; j < seqout.size(); ++j) {
                            ASN1TaggedObject tg = (ASN1TaggedObject) seqout.getObjectAt(j);
                            if (tg.getTagNo() != 1)
                                continue;
                            ASN1Sequence seqin = (ASN1Sequence) tg.getObject();
                            findOcsp(seqin);
                        }
                    }
                }
                if (digestAttr == null)
                    throw new IllegalArgumentException("Authenticated attribute is missing the digest.");
                ++next;
            }
            digestEncryptionAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(next++))
                    .getObjectAt(0)).getId();
            digest = ((DEROctetString) signerInfo.getObjectAt(next++)).getOctets();
            if (next < signerInfo.size() && (signerInfo.getObjectAt(next) instanceof DERTaggedObject)) {
                DERTaggedObject taggedObject = (DERTaggedObject) signerInfo.getObjectAt(next);
                ASN1Set unat = ASN1Set.getInstance(taggedObject, false);
                AttributeTable attble = new AttributeTable(unat);
                Attribute ts = attble.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
                if (ts != null) {
                    ASN1Set attributeValues = ts.getAttrValues();
                    ASN1Sequence tokenSequence = ASN1Sequence.getInstance(attributeValues.getObjectAt(0));
                    ContentInfo contentInfo = new ContentInfo(tokenSequence);
                    this.timeStampToken = new TimestampToken(contentInfo.getEncoded());
                }
            }
            if (RSAdata != null || digestAttr != null) {
                if (provider == null || provider.getName().startsWith("SunPKCS11"))
                    messageDigest = MessageDigest.getInstance(getHashAlgorithm());
                else
                    messageDigest = MessageDigest.getInstance(getHashAlgorithm(), provider);
            }
            if (provider == null)
                sig = Signature.getInstance(getDigestAlgorithm());
            else
                sig = Signature.getInstance(getDigestAlgorithm(), provider);
            sig.initVerify(signCert.getPublicKey());
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    /**
     * Generates a signature.
     * @param privKey the private key
     * @param certChain the certificate chain
     * @param crlList the certificate revocation list
     * @param hashAlgorithm the hash algorithm       
     * @param provider the provider or <code>null</code> for the default provider
     * @param hasRSAdata <CODE>true</CODE> if the sub-filter is adbe.pkcs7.sha1  
     * @throws InvalidKeyException on error                                      
     * @throws NoSuchProviderException on error                                  
     * @throws NoSuchAlgorithmException on error                                 
     */
    public PdfPKCS7TSA(PrivateKey privKey, Certificate[] certChain, CRL[] crlList, String hashAlgorithm,
            Provider provider, boolean hasRSAdata)
            throws InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException {
        this.privKey = privKey;
        this.provider = provider;

        digestAlgorithm = (String) allowedDigests.get(hashAlgorithm.toUpperCase());
        if (digestAlgorithm == null)
            throw new NoSuchAlgorithmException("Unknown Hash Algorithm " + hashAlgorithm);

        version = signerversion = 1;
        certs = new ArrayList();
        crls = new ArrayList();
        digestalgos = new HashSet();
        digestalgos.add(digestAlgorithm);

        //                                                                              
        // Copy in the certificates and crls used to sign the private key.              
        //                                                                              
        signCert = (X509Certificate) certChain[0];
        for (int i = 0; i < certChain.length; i++) {
            certs.add(certChain[i]);
        }

        if (crlList != null) {
            for (int i = 0; i < crlList.length; i++) {
                crls.add(crlList[i]);
            }
        }

        if (privKey != null) {
            //                                                                          
            // Now we have private key, find out what the digestEncryptionAlgorithm is. 
            //                                                                          
            digestEncryptionAlgorithm = privKey.getAlgorithm();
            if (digestEncryptionAlgorithm.equals("RSA")) {
                digestEncryptionAlgorithm = ID_RSA;
            } else if (digestEncryptionAlgorithm.equals("DSA")) {
                digestEncryptionAlgorithm = ID_DSA;
            } else {
                throw new NoSuchAlgorithmException("Unknown Key Algorithm " + digestEncryptionAlgorithm);
            }
        }
        if (hasRSAdata) {
            RSAdata = new byte[0];
            if (provider == null || provider.getName().startsWith("SunPKCS11"))
                messageDigest = MessageDigest.getInstance(getHashAlgorithm());
            else
                messageDigest = MessageDigest.getInstance(getHashAlgorithm(), provider);
        }

        if (privKey != null) {
            if (provider == null)
                sig = Signature.getInstance(getDigestAlgorithm());
            else
                sig = Signature.getInstance(getDigestAlgorithm(), provider);

            sig.initSign(privKey);
        }
    }

    /**
     * Update the digest with the specified bytes. This method is used both for signing and verifying
     * @param buf the data buffer                                                                    
     * @param off the offset in the data buffer                                                      
     * @param len the data length                                                                    
     * @throws SignatureException on error                                                           
     */
    public void update(byte[] buf, int off, int len) throws SignatureException {
        if (RSAdata != null || digestAttr != null)
            messageDigest.update(buf, off, len);
        else
            sig.update(buf, off, len);
    }

    /**                                                                                              
     * Verify the digest.                                                                            
     * @throws SignatureException on error                                                           
     * @return <CODE>true</CODE> if the signature checks out, <CODE>false</CODE> otherwise           
     */
    public boolean verify() throws SignatureException {
        if (verified)
            return verifyResult;
        if (sigAttr != null) {
            sig.update(sigAttr);
            if (RSAdata != null) {
                byte msd[] = messageDigest.digest();
                messageDigest.update(msd);
            }
            verifyResult = (Arrays.equals(messageDigest.digest(), digestAttr) && sig.verify(digest));
        } else {
            if (RSAdata != null)
                sig.update(messageDigest.digest());
            verifyResult = sig.verify(digest);
        }
        verified = true;
        return verifyResult;
    }

    /**                                                                                              
     * Get all the X.509 certificates associated with this PKCS#7 object in no particular order.     
     * Other certificates, from OCSP for example, will also be included.                             
     * @return the X.509 certificates associated with this PKCS#7 object                             
     */
    public Certificate[] getCertificates() {
        return (X509Certificate[]) certs.toArray(new X509Certificate[certs.size()]);
    }

    /**                                                                                              
     * Get the X.509 sign certificate chain associated with this PKCS#7 object.                      
     * Only the certificates used for the main signature will be returned, with                      
     * the signing certificate first.                                                                
     * @return the X.509 certificates associated with this PKCS#7 object                             
     * @since   2.1.6                                                                                
     */
    public Certificate[] getSignCertificateChain() {
        return (X509Certificate[]) signCerts.toArray(new X509Certificate[signCerts.size()]);
    }

    private void signCertificateChain() {
        ArrayList cc = new ArrayList();
        cc.add(signCert);
        ArrayList oc = new ArrayList(certs);
        for (int k = 0; k < oc.size(); ++k) {
            if (signCert.getSerialNumber().equals(((X509Certificate) oc.get(k)).getSerialNumber())) {
                oc.remove(k);
                --k;
                continue;
            }
        }
        boolean found = true;
        while (found) {
            X509Certificate v = (X509Certificate) cc.get(cc.size() - 1);
            found = false;
            for (int k = 0; k < oc.size(); ++k) {
                try {
                    if (provider == null)
                        v.verify(((X509Certificate) oc.get(k)).getPublicKey());
                    else
                        v.verify(((X509Certificate) oc.get(k)).getPublicKey(), provider.getName());
                    found = true;
                    cc.add(oc.get(k));
                    oc.remove(k);
                    break;
                } catch (Exception e) {
                }
            }
        }
        signCerts = cc;
    }

    /**                                                                                              
     * Get the X.509 certificate revocation lists associated with this PKCS#7 object                 
     * @return the X.509 certificate revocation lists associated with this PKCS#7 object             
     */
    public Collection getCRLs() {
        return crls;
    }

    /**                                                                                              
     * Get the X.509 certificate actually used to sign the digest.                                   
     * @return the X.509 certificate actually used to sign the digest                                
     */
    public X509Certificate getSigningCertificate() {
        return signCert;
    }

    /**                                                                                              
     * Get the version of the PKCS#7 object. Always 1                                                
     * @return the version of the PKCS#7 object. Always 1                                            
     */
    public int getVersion() {
        return version;
    }

    /**                                                                                              
     * Get the version of the PKCS#7 "SignerInfo" object. Always 1                                   
     * @return the version of the PKCS#7 "SignerInfo" object. Always 1                               
     */
    public int getSigningInfoVersion() {
        return signerversion;
    }

    /**                                                                                              
     * Get the algorithm used to calculate the message digest                                        
     * @return the algorithm used to calculate the message digest                                    
     */
    public String getDigestAlgorithm() {
        String dea = getAlgorithm(digestEncryptionAlgorithm);
        if (dea == null)
            dea = digestEncryptionAlgorithm;

        return getHashAlgorithm() + "with" + dea;
    }

    /**
     * Returns the algorithm.
     * @return the digest algorithm
     */
    public String getHashAlgorithm() {
        return getDigest(digestAlgorithm);
    }

    /**
     * Loads the default root certificates at &lt;java.home&gt;/lib/security/cacerts
     * with the default provider.                                                   
     * @return a <CODE>KeyStore</CODE>                                              
     */
    public static KeyStore loadCacertsKeyStore() {
        return loadCacertsKeyStore(null);
    }

    /**
     * Loads the default root certificates at &lt;java.home&gt;/lib/security/cacerts.
     * @param provider the provider or <code>null</code> for the default provider    
     * @return a <CODE>KeyStore</CODE>                                               
     */
    public static KeyStore loadCacertsKeyStore(String provider) {
        File file = new File(System.getProperty("java.home"), "lib");
        file = new File(file, "security");
        file = new File(file, "cacerts");
        FileInputStream fin = null;
        try {
            fin = new FileInputStream(file);
            KeyStore k;
            if (provider == null)
                k = KeyStore.getInstance("JKS");
            else
                k = KeyStore.getInstance("JKS", provider);
            k.load(fin, null);
            return k;
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        } finally {
            try {
                if (fin != null) {
                    fin.close();
                }
            } catch (Exception ex) {
            }
        }
    }

    /**                                                                              
     * Verifies a single certificate.                                                
     * @param cert the certificate to verify                                         
     * @param crls the certificate revocation list or <CODE>null</CODE>              
     * @param calendar the date or <CODE>null</CODE> for the current date            
     * @return a <CODE>String</CODE> with the error description or <CODE>null</CODE> 
     * if no error                                                                   
     */
    public static String verifyCertificate(X509Certificate cert, Collection crls, Calendar calendar) {
        if (calendar == null)
            calendar = new GregorianCalendar();
        if (cert.hasUnsupportedCriticalExtension())
            return "Has unsupported critical extension";
        try {
            cert.checkValidity(calendar.getTime());
        } catch (Exception e) {
            return e.getMessage();
        }
        if (crls != null) {
            for (Iterator it = crls.iterator(); it.hasNext();) {
                if (((CRL) it.next()).isRevoked(cert))
                    return "Certificate revoked";
            }
        }
        return null;
    }

    /**                                                                                                       
     * Retrieves the OCSP URL from the given certificate.                                                     
     * @param certificate the certificate                                                                     
     * @return the URL or null                                                                                
     * @throws CertificateParsingException on error                                                           
     * @since   2.1.6                                                                                         
     */
    public static String getOCSPURL(X509Certificate certificate) throws CertificateParsingException {
        try {
            DERObject obj = getExtensionValue(certificate, X509Extensions.AuthorityInfoAccess.getId());
            if (obj == null) {
                return null;
            }

            ASN1Sequence AccessDescriptions = (ASN1Sequence) obj;
            for (int i = 0; i < AccessDescriptions.size(); i++) {
                ASN1Sequence AccessDescription = (ASN1Sequence) AccessDescriptions.getObjectAt(i);
                if (AccessDescription.size() != 2) {
                    continue;
                } else {
                    if ((AccessDescription.getObjectAt(0) instanceof DERObjectIdentifier)
                            && ((DERObjectIdentifier) AccessDescription.getObjectAt(0)).getId()
                                    .equals("1.3.6.1.5.5.7.48.1")) {
                        String AccessLocation = getStringFromGeneralName(
                                (DERObject) AccessDescription.getObjectAt(1));
                        if (AccessLocation == null) {
                            return "";
                        } else {
                            return AccessLocation;
                        }
                    }
                }
            }
        } catch (Exception e) {
        }
        return null;
    }

    /**                                                                                                                        
     * Checks if OCSP revocation refers to the document signing certificate.                                                   
     * @return true if it checks false otherwise                                                                               
     * @since   2.1.6                                                                                                          
     */
    public boolean isRevocationValid() {
        if (basicResp == null)
            return false;
        if (signCerts.size() < 2)
            return false;
        try {
            X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain();
            SingleResp sr = basicResp.getResponses()[0];
            CertificateID cid = sr.getCertID();
            X509Certificate sigcer = getSigningCertificate();
            X509Certificate isscer = cs[1];
            CertificateID tis = new CertificateID(CertificateID.HASH_SHA1, isscer, sigcer.getSerialNumber());
            return tis.equals(cid);
        } catch (Exception ex) {
        }
        return false;
    }

    private static DERObject getExtensionValue(X509Certificate cert, String oid) throws IOException {
        byte[] bytes = cert.getExtensionValue(oid);
        if (bytes == null) {
            return null;
        }
        ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(bytes));
        ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
        aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
        return aIn.readObject();
    }

    private static String getStringFromGeneralName(DERObject names) throws IOException {
        DERTaggedObject taggedObject = (DERTaggedObject) names;
        return new String(ASN1OctetString.getInstance(taggedObject, false).getOctets(), "ISO-8859-1");
    }

    /**
     * Get the "issuer" from the TBSCertificate bytes that are passed in
     * @param enc a TBSCertificate in a byte array                      
     * @return a DERObject                                              
     */
    private static DERObject getIssuer(byte[] enc) {
        try {
            ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(enc));
            ASN1Sequence seq = (ASN1Sequence) in.readObject();
            return (DERObject) seq.getObjectAt(seq.getObjectAt(0) instanceof DERTaggedObject ? 3 : 2);
        } catch (IOException e) {
            throw new ExceptionConverter(e);
        }
    }

    /**
     * Get the "subject" from the TBSCertificate bytes that are passed in
     * @param enc A TBSCertificate in a byte array                       
     * @return a DERObject                                               
     */
    private static DERObject getSubject(byte[] enc) {
        try {
            ASN1InputStream in = new ASN1InputStream(new ByteArrayInputStream(enc));
            ASN1Sequence seq = (ASN1Sequence) in.readObject();
            return (DERObject) seq.getObjectAt(seq.getObjectAt(0) instanceof DERTaggedObject ? 5 : 4);
        } catch (IOException e) {
            throw new ExceptionConverter(e);
        }
    }

    /**                                                                             
     * Gets the bytes for the PKCS#1 object.                                        
     * @return a byte array                                                         
     */
    public byte[] getEncodedPKCS1() {
        try {
            if (externalDigest != null)
                digest = externalDigest;
            else
                digest = sig.sign();
            ByteArrayOutputStream bOut = new ByteArrayOutputStream();

            ASN1OutputStream dout = new ASN1OutputStream(bOut);
            dout.writeObject(new DEROctetString(digest));
            dout.close();

            return bOut.toByteArray();
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    /**                                                                             
     * Sets the digest/signature to an external calculated value.                   
     * @param digest the digest. This is the actual signature                       
     * @param RSAdata the extra data that goes into the data tag in PKCS#7          
     * @param digestEncryptionAlgorithm the encryption algorithm. It may must be <CODE>null</CODE> if the <CODE>digest</CODE>
     * is also <CODE>null</CODE>. If the <CODE>digest</CODE> is not <CODE>null</CODE>                                        
     * then it may be "RSA" or "DSA"                                                                                         
     */
    public void setExternalDigest(byte digest[], byte RSAdata[], String digestEncryptionAlgorithm) {
        externalDigest = digest;
        externalRSAdata = RSAdata;
        if (digestEncryptionAlgorithm != null) {
            if (digestEncryptionAlgorithm.equals("RSA")) {
                this.digestEncryptionAlgorithm = ID_RSA;
            } else if (digestEncryptionAlgorithm.equals("DSA")) {
                this.digestEncryptionAlgorithm = ID_DSA;
            } else
                throw new ExceptionConverter(
                        new NoSuchAlgorithmException("Unknown Key Algorithm " + digestEncryptionAlgorithm));
        }
    }

    /**                                                                                                                        
     * Gets the bytes for the PKCS7SignedData object.                                                                          
     * @return the bytes for the PKCS7SignedData object                                                                        
     */
    public byte[] getEncodedPKCS7() {
        return getEncodedPKCS7(null, null, null, null);
    }

    /**                                                                                                                        
     * Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes                                   
     * in the signerInfo can also be set. If either of the parameters is <CODE>null</CODE>, none will be used.                 
     * @param secondDigest the digest in the authenticatedAttributes                                                           
     * @param signingTime the signing time in the authenticatedAttributes                                                      
     * @return the bytes for the PKCS7SignedData object                                                                        
     */
    public byte[] getEncodedPKCS7(byte secondDigest[], Calendar signingTime) {
        return getEncodedPKCS7(secondDigest, signingTime, null, null);
    }

    /**
     * Gets the bytes for the PKCS7SignedData object. Optionally the authenticatedAttributes
     * in the signerInfo can also be set, OR a time-stamp-authority client                  
     * may be provided.                                                                     
     * @param secondDigest the digest in the authenticatedAttributes                        
     * @param signingTime the signing time in the authenticatedAttributes                   
     * @param tsaUrl TSAClient - null or an optional time stamp authority client
     * @return byte[] the bytes for the PKCS7SignedData object                              
     * @since   2.1.6                                                                       
     */
    public byte[] getEncodedPKCS7(byte secondDigest[], Calendar signingTime, String tsaUrl, byte[] ocsp) {
        try {
            if (externalDigest != null) {
                digest = externalDigest;
                if (RSAdata != null)
                    RSAdata = externalRSAdata;
            } else if (externalRSAdata != null && RSAdata != null) {
                RSAdata = externalRSAdata;
                sig.update(RSAdata);
                digest = sig.sign();
            } else {
                if (RSAdata != null) {
                    RSAdata = messageDigest.digest();
                    sig.update(RSAdata);
                }
                digest = sig.sign();
            }

            // Create the set of Hash algorithms                                                                
            ASN1EncodableVector digestAlgorithms = new ASN1EncodableVector();
            for (Iterator it = digestalgos.iterator(); it.hasNext();) {
                ASN1EncodableVector algos = new ASN1EncodableVector();
                algos.add(new DERObjectIdentifier((String) it.next()));
                algos.add(DERNull.INSTANCE);
                digestAlgorithms.add(new DERSequence(algos));
            }

            // Create the contentInfo.                                                                          
            ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(ID_PKCS7_DATA));
            if (RSAdata != null)
                v.add(new DERTaggedObject(0, new DEROctetString(RSAdata)));
            DERSequence contentinfo = new DERSequence(v);

            // Get all the certificates                                                                         
            //                                                                                                  
            v = new ASN1EncodableVector();
            for (Iterator i = certs.iterator(); i.hasNext();) {
                ASN1InputStream tempstream = new ASN1InputStream(
                        new ByteArrayInputStream(((X509Certificate) i.next()).getEncoded()));
                v.add(tempstream.readObject());
            }

            DERSet dercertificates = new DERSet(v);

            // Create signerinfo structure.                                                                                    
            //                                                                                                                 
            ASN1EncodableVector signerinfo = new ASN1EncodableVector();

            // Add the signerInfo version                                                                                      
            //                                                                                                                 
            signerinfo.add(new DERInteger(signerversion));

            v = new ASN1EncodableVector();
            v.add(getIssuer(signCert.getTBSCertificate()));
            v.add(new DERInteger(signCert.getSerialNumber()));
            signerinfo.add(new DERSequence(v));

            // Add the digestAlgorithm                                                                                         
            v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(digestAlgorithm));
            v.add(new DERNull());
            signerinfo.add(new DERSequence(v));

            // add the authenticated attribute if present                                                                      
            if (secondDigest != null && signingTime != null) {
                signerinfo.add(new DERTaggedObject(false, 0,
                        getAuthenticatedAttributeSet(secondDigest, signingTime, ocsp)));
            }
            // Add the digestEncryptionAlgorithm                                                                               
            v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(digestEncryptionAlgorithm));
            v.add(new DERNull());
            signerinfo.add(new DERSequence(v));

            // Add the digest                                                                                                  
            signerinfo.add(new DEROctetString(digest));

            // When requested, go get and add the timestamp. May throw an exception.                                           
            // Added by Martin Brunecky, 07/12/2007 folowing Aiken Sam, 2006-11-15                                             
            // Sam found Adobe expects time-stamped SHA1-1 of the encrypted digest                                             
            if (tsaUrl != null) {
                byte[] tsImprint = MessageDigest.getInstance("SHA-1").digest(digest);

                TSResponse response = TimeStampFactory.getTimeStampResponse(tsaUrl, tsImprint, false);
                byte[] tsToken = response.getEncodedToken();

                //Strip the status code out of the response, the adobe validator requieres it. 
                //TODO: Research about this.
                byte[] status = { 0x30, (byte) 0x82, 0x03, (byte) 0xA7, 0x30, 0x03, 0x02, 0x01, 0x00 };
                byte[] modTsToken = new byte[tsToken.length - status.length];
                System.arraycopy(tsToken, status.length, modTsToken, 0, tsToken.length - status.length);

                if (modTsToken != null) {
                    ASN1EncodableVector unauthAttributes = buildUnauthenticatedAttributes(modTsToken);
                    if (unauthAttributes != null) {
                        signerinfo.add(new DERTaggedObject(false, 1, new DERSet(unauthAttributes)));
                    }
                }
            }

            // Finally build the body out of all the components above                                                          
            ASN1EncodableVector body = new ASN1EncodableVector();
            body.add(new DERInteger(version));
            body.add(new DERSet(digestAlgorithms));
            body.add(contentinfo);
            body.add(new DERTaggedObject(false, 0, dercertificates));

            if (!crls.isEmpty()) {
                v = new ASN1EncodableVector();
                for (Iterator i = crls.iterator(); i.hasNext();) {
                    ASN1InputStream t = new ASN1InputStream(
                            new ByteArrayInputStream(((X509CRL) i.next()).getEncoded()));
                    v.add(t.readObject());
                }
                DERSet dercrls = new DERSet(v);
                body.add(new DERTaggedObject(false, 1, dercrls));
            }

            // Only allow one signerInfo                                                                                       
            body.add(new DERSet(new DERSequence(signerinfo)));

            // Now we have the body, wrap it in it's PKCS7Signed shell                                                         
            // and return it                                                                                                   
            //                                                                                                                 
            ASN1EncodableVector whole = new ASN1EncodableVector();
            whole.add(new DERObjectIdentifier(ID_PKCS7_SIGNED_DATA));
            whole.add(new DERTaggedObject(0, new DERSequence(body)));

            ByteArrayOutputStream bOut = new ByteArrayOutputStream();

            ASN1OutputStream dout = new ASN1OutputStream(bOut);
            dout.writeObject(new DERSequence(whole));
            dout.close();

            return bOut.toByteArray();
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    /**                                                                                                                        
     * Added by Aiken Sam, 2006-11-15, modifed by Martin Brunecky 07/12/2007                                                   
     * to start with the timeStampToken (signedData 1.2.840.113549.1.7.2).                                                     
     * Token is the TSA response without response status, which is usually                                                     
     * handled by the (vendor supplied) TSA request/response interface).                                                       
     * @param timeStampToken byte[] - time stamp token, DER encoded signedData                                                 
     * @return ASN1EncodableVector                                                                                             
     * @throws IOException                                                                                                     
     */
    private ASN1EncodableVector buildUnauthenticatedAttributes(byte[] timeStampToken) throws IOException {
        if (timeStampToken == null)
            return null;

        // @todo: move this together with the rest of the defintions
        String ID_TIME_STAMP_TOKEN = "1.2.840.113549.1.9.16.2.14"; // RFC 3161 id-aa-timeStampToken

        ASN1InputStream tempstream = new ASN1InputStream(new ByteArrayInputStream(timeStampToken));
        ASN1EncodableVector unauthAttributes = new ASN1EncodableVector();

        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new DERObjectIdentifier(ID_TIME_STAMP_TOKEN)); // id-aa-timeStampToken
        ASN1Sequence seq = (ASN1Sequence) tempstream.readObject();
        v.add(new DERSet(seq));

        unauthAttributes.add(new DERSequence(v));
        return unauthAttributes;
    }

    /**
     * When using authenticatedAttributes the authentication process is different.
     * The document digest is generated and put inside the attribute. The signing is done over the DER encoded
     * authenticatedAttributes. This method provides that encoding and the parameters must be                 
     * exactly the same as in {@link #getEncodedPKCS7(byte[],Calendar)}.                                      
     * <p>                                                                                                    
     * A simple example:                                                                                      
     * <p>                                                                                                    
     * <pre>                                                                                                  
     * Calendar cal = Calendar.getInstance();                                                                 
     * PdfPKCS7 pk7 = new PdfPKCS7(key, chain, null, "SHA1", null, false);                                    
     * MessageDigest messageDigest = MessageDigest.getInstance("SHA1");                                       
     * byte buf[] = new byte[8192];                                                                           
     * int n;                                                                                                 
     * InputStream inp = sap.getRangeStream();                                                                
     * while ((n = inp.read(buf)) &gt; 0) {                                                                   
     *    messageDigest.update(buf, 0, n);                                                                    
     * }                                                                                                      
     * byte hash[] = messageDigest.digest();                                                                  
     * byte sh[] = pk7.getAuthenticatedAttributeBytes(hash, cal);                                             
     * pk7.update(sh, 0, sh.length);                                                                          
     * byte sg[] = pk7.getEncodedPKCS7(hash, cal);                                                            
     * </pre>                                                                                                 
     * @param secondDigest the content digest                                                                 
     * @param signingTime the signing time                                                                    
     * @return the byte array representation of the authenticatedAttributes ready to be signed                
     */
    public byte[] getAuthenticatedAttributeBytes(byte secondDigest[], Calendar signingTime, byte[] ocsp) {
        try {
            return getAuthenticatedAttributeSet(secondDigest, signingTime, ocsp).getEncoded(ASN1Encodable.DER);
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    private DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar signingTime, byte[] ocsp) {
        try {
            ASN1EncodableVector attribute = new ASN1EncodableVector();
            ASN1EncodableVector v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(ID_CONTENT_TYPE));
            v.add(new DERSet(new DERObjectIdentifier(ID_PKCS7_DATA)));
            attribute.add(new DERSequence(v));
            v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(ID_SIGNING_TIME));
            v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
            attribute.add(new DERSequence(v));
            v = new ASN1EncodableVector();
            v.add(new DERObjectIdentifier(ID_MESSAGE_DIGEST));
            v.add(new DERSet(new DEROctetString(secondDigest)));
            attribute.add(new DERSequence(v));
            if (ocsp != null) {
                v = new ASN1EncodableVector();
                v.add(new DERObjectIdentifier(ID_ADBE_REVOCATION));
                DEROctetString doctet = new DEROctetString(ocsp);
                ASN1EncodableVector vo1 = new ASN1EncodableVector();
                ASN1EncodableVector v2 = new ASN1EncodableVector();
                v2.add(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
                v2.add(doctet);
                DEREnumerated den = new DEREnumerated(0);
                ASN1EncodableVector v3 = new ASN1EncodableVector();
                v3.add(den);
                v3.add(new DERTaggedObject(true, 0, new DERSequence(v2)));
                vo1.add(new DERSequence(v3));
                v.add(new DERSet(new DERSequence(new DERTaggedObject(true, 1, new DERSequence(vo1)))));
                attribute.add(new DERSequence(v));
            } else if (!crls.isEmpty()) {
                v = new ASN1EncodableVector();
                v.add(new DERObjectIdentifier(ID_ADBE_REVOCATION));
                ASN1EncodableVector v2 = new ASN1EncodableVector();
                for (Iterator i = crls.iterator(); i.hasNext();) {
                    ASN1InputStream t = new ASN1InputStream(
                            new ByteArrayInputStream(((X509CRL) i.next()).getEncoded()));
                    v2.add(t.readObject());
                }
                v.add(new DERSet(new DERSequence(new DERTaggedObject(true, 0, new DERSequence(v2)))));
                attribute.add(new DERSequence(v));
            }
            return new DERSet(attribute);
        } catch (Exception e) {
            throw new ExceptionConverter(e);
        }
    }

    /**                                                                                                                 
     * Getter for property reason.                                                                                      
     * @return Value of property reason.                                                                                
     */
    public String getReason() {
        return this.reason;
    }

    /**                                                                                                                 
     * Setter for property reason.                                                                                      
     * @param reason New value of property reason.                                                                      
     */
    public void setReason(String reason) {
        this.reason = reason;
    }

    /**                                                                                                                 
     * Getter for property location.                                                                                    
     * @return Value of property location.                                                                              
     */
    public String getLocation() {
        return this.location;
    }

    /**                                                                                                                 
     * Setter for property location.                                                                                    
     * @param location New value of property location.                                                                  
     */
    public void setLocation(String location) {
        this.location = location;
    }

    /**                                                                                                                 
     * Getter for property signDate.                                                                                    
     * @return Value of property signDate.                                                                              
     */
    public Calendar getSignDate() {
        return this.signDate;
    }

    /**                                                                                                                 
     * Setter for property signDate.                                                                                    
     * @param signDate New value of property signDate.                                                                  
     */
    public void setSignDate(Calendar signDate) {
        this.signDate = signDate;
    }

    /**                                                                                                                 
     * Getter for property sigName.                                                                                     
     * @return Value of property sigName.                                                                               
     */
    public String getSignName() {
        return this.signName;
    }

    /**                                                                                                                 
     * Setter for property sigName.                                                                                     
     * @param signName New value of property sigName.                                                                   
     */
    public void setSignName(String signName) {
        this.signName = signName;
    }
}