使用iText从PCKS7签名的PDF文件中获取哈希/摘要 [英] Obtaining the hash/digest from a PCKS7 signed PDF file with iText

问题描述

我正在编写一个Java Web服务，该服务使用来自网络中某些客户端的iText签署PDF文档。文档正确签名，可以使用外部工具进行验证。但是，由于为了将此文档存储在官方文档库中而存在一些法律限制，我必须提供签名中的哈希/摘要消息。

I'm writing a Java web service that signs PDF documents with iText from some clients in the network. Documents are being signed correctly, and can be verified with external tools. However, due to some legal restrictions in order to store this document in an official documentary repository I have to provide the hash/digest message from the signature.

我几乎已经尝试过得到那个哈希的任何东西，但我能得到的最接近的是获得整个签名（CERT + HASH / DIGEST + TIMESTAMP）作为一个字符串与这段代码片段（原谅字符串和[1]，因为我只是测试该怎么做）：

I have tried almost anything to get to that hash, but the closest that I can get is to obtain the whole signature (CERT+HASH/DIGEST+TIMESTAMP) as a string with this code snippet (forgive the strings and [1] since I'm just testing how to do it):

    PdfReader reader = new PdfReader(path);
    File temp = TempFileManager.createTempFile("aasd2sd", "asdasda222cff");
    PdfStamper stamper = new PdfStamper(reader, new FileOutputStream(temp));
    stamper.setRotateContents(false);
    PdfString firma = (PdfString) stamper.getAcroFields().getSignatureDictionary("Signature1").get((PdfName)stamper.getAcroFields().getSignatureDictionary("Signature1").getKeys().toArray()[1]);

据我所知，我获得了一个DER-enconded PKCS7签名。但是，我不知道如何解读/读取这些信息以便达到目的。

With that I get a DER-enconded PKCS7 Signature, as far as I know. But, I don't know how to decode/read this info in order to get to the hast.

任何想法？

谢谢，
Cris。

Thanks, Cris.

推荐答案

首先，不一定 <来自签名的哈希/摘要消息，在PKCS＃7 / CMS签名的情况下，通常涉及多个哈希，参见回答数字签名中的pdf消息摘要 。

First of all, there is not necessarily the hash/digest message from the signature, in case of PKCS#7 / CMS signatures usually multiple hashes are involved, cf. this answer to Message digest of pdf in digital signature.

考虑到您需要摘要来实现某些法律限制，但我认为您是在签名属性的值 MessageDigest ETSI.CAdES.detached 或 adbe.pkcs7.detached 类型（如果存在）类型PDF签名是签名字节范围的摘要。

Considering that you need the digest to fulfill some legal restrictions, though, I assume you are after the value of the signed attribute MessageDigest which (if it is present) for ETSI.CAdES.detached or adbe.pkcs7.detached type PDF signatures is the digest of the signed byte ranges.

如果你想使用iText类（即不是安全提供程序类）这样做，你有克服你所追求的价值存储在私人会员中的小问题（ PdfPKCS7.digestAttr ）。但是有些反射允许你访问它：

If you want to do that using iText classes (i.e. not security provider classes), you have to overcome the small issue that the value you are after is stored in a private member (PdfPKCS7.digestAttr). Some reflection allows you to access it, though:

void extractHashes(PdfReader reader) throws Exception
{
    AcroFields acroFields = reader.getAcroFields();
    List<String> names = acroFields.getSignatureNames();

    for (String name: names)
    {
        PdfPKCS7 pdfPkcs7 = acroFields.verifySignature(name);
        pdfPkcs7.verify();

        Field digestAttrField = PdfPKCS7.class.getDeclaredField("digestAttr");
        digestAttrField.setAccessible(true);
        byte[] digestAttr = (byte[]) digestAttrField.get(pdfPkcs7);

        // process the digest value in digestAttr 
    }
}

您可以在更完整的示例中找到使用的方法 ExtractHash.java ，它输出PDF文档中签名字段的gigest算法和摘要值，例如：

You can find the method used in a more complete example ExtractHash.java which outputs gigest algorithm and digest value of signature fields in a PDF document, e.g.:

FirstPage11P0022AD_20150202164018_307494.pdf
  Signature1
    Digest algorithm: SHA1
    Hash: 4ac0ed7c2ec611d491f37b5ca74598237b85dbab

这篇关于使用iText从PCKS7签名的PDF文件中获取哈希/摘要的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！