Tags: certificate, pdfbox, digital-signature, timestamping

Find Certificate information of timestamp token present in signature timestamp attribute using pdfbox


A document is digitally signed. A timestamp token is embedded as a signature timestamp attribute while signing the document. How can we find the certificate information of that timestamp token using pdfbox?


Solution

  • PDFBox allows you to extract the signature container embedded in the PDF. To analyze that signature container you use a different library. The PDFBox examples use BouncyCastle. Would that also be your choice?

    If it is, simply look into the PDFBox example ShowSignature:

    The relevant code in verifyPKCS7 to find the certificate information of that timestamp token would be:

    private void verifyPKCS7(InputStream signedContentAsStream, byte[] contents, PDSignature sig) throws ...
    {
        // Parse the CMS signature container extracted from the PDF
        CMSProcessable signedContent = new CMSProcessableInputStream(signedContentAsStream);
        CMSSignedData signedData = new CMSSignedData(signedContent, contents);
        ...
        Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
        SignerInformation signerInformation = signers.iterator().next();
        ...
        // Pull the time stamp token out of the signer's unsigned attributes and look up its certificate
        TimeStampToken timeStampToken = SigUtils.extractTimeStampTokenFromSignerInformation(signerInformation);
        X509Certificate certFromTimeStamp = SigUtils.getCertificateFromTimeStampToken(timeStampToken);
        ...
    }

    certFromTimeStamp is the certificate you're looking for.

    Beware, though, depending on how the time stamp has been requested from its TSA, the certificate may not be embedded in the time stamp. In that case the code above cannot find it and you are expected to already have the certificate. (For details see the description of the certReq field of the TimeStampReq structure in RFC 3161.)
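The lookup described in the answer above, written against BouncyCastle alone and handling the case where the TSA certificate is not embedded. This is an added example, not code from the answer or from PDFBox; the class name `TimeStampCertFinder`, the method name and the file-path argument are assumptions, and the input is the `contents` byte array from the snippet above saved to a file.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Optional;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Selector;

public class TimeStampCertFinder { // hypothetical class name
    // Returns the TSA certificate embedded in the signature time stamp,
    // or Optional.empty() when the token carries no matching certificate.
    @SuppressWarnings("unchecked")
    static Optional<X509Certificate> findTimeStampCertificate(byte[] cmsContainer) throws Exception {
        SignerInformation signer = new CMSSignedData(cmsContainer).getSignerInfos().getSigners().iterator().next();
        AttributeTable unsigned = signer.getUnsignedAttributes();
        Attribute attr = unsigned == null ? null : unsigned.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (attr == null) {
            throw new IllegalArgumentException("signature has no signature time stamp attribute");
        }
        // The attribute value is itself a CMS SignedData structure: the RFC 3161 token
        byte[] tokenBytes = attr.getAttrValues().getObjectAt(0).toASN1Primitive().getEncoded();
        TimeStampToken token = new TimeStampToken(new CMSSignedData(tokenBytes));
        // Select the certificate matching the token's signer id (issuer + serial);
        // the store holds no match if the request did not set certReq
        Collection<X509CertificateHolder> matches =
                token.getCertificates().getMatches((Selector<X509CertificateHolder>) token.getSID());
        if (matches.isEmpty()) return Optional.empty();
        return Optional.of(new JcaX509CertificateConverter().getCertificate(matches.iterator().next()));
    }

    public static void main(String[] args) throws Exception {
        // args[0]: file holding the CMS container bytes (assumption for this example)
        byte[] cms = Files.readAllBytes(Paths.get(args[0]));
        Optional<X509Certificate> cert = findTimeStampCertificate(cms);
        if (cert.isPresent()) {
            System.out.println("TSA certificate: " + cert.get().getSubjectX500Principal());
        } else {
            System.out.println("No TSA certificate embedded; obtain it from a trusted source");
        }
    }
}
```

Finding the certificate says nothing about trust: the time stamp's signature and the certificate's chain still have to be validated before the time is relied on.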