此pdf数字签名正确吗? PHP/TCPDF [英] Is this pdf digital signed correctly? PHP/TCPDF

问题描述

我正在为我的公司更新一个项目，在此部分中，我们需要使用我们的证书文件对pdf进行数字签名.在这种情况下，我应该使用PHP的更新库来更改对该pdf进行签名的脚本.

I'm updating a project for my company and there is a section where we need to digitally sign a pdf with our certificate file. In this case, I should change the script that signs this pdf using an updated library from PHP.

在旧代码中，我们使用另一个脚本来实现此目的，并且必须使用.p12文件+字符串.使用此旧脚本，当您使用Acrobat Reader DC打开创建的pdf时，我们将获得下一张图像，其中您可以看到签名且所有签名均有效".

In the old code, we were using another script to make happen that, and we had to use a .p12 file + a string. Using this old script, when you open the created pdf with Acrobat Reader DC we get the next image where you can see that says "Signed and all signatures are valid".

在新脚本中，我使用下一个示例:

In the new script, I'm using the next example:

https://tcpdf.org/examples/example_052/

为了能够将本示例与我的证书一起应用，我必须将pfx文件证书(".p12")转换为2种".pem"，然后使用以下next命令行:

To be able to apply this example with my certificate I had to convert my pfx file certificate (".p12") to 2 kinds of ".pem" throw these nexts commands lines:

openssl pkcs12-在myOldCertificate.p12 -clcerts -nokeys -out publicCert.pem->问我输入导入密码"

openssl pkcs12 -in myOldCertificate.p12 -clcerts -nokeys -out publicCert.pem -> asked me "Enter Import Password"

openssl pkcs12 -in myOldCertificate.p12 -nocerts -out privateKey_cert.pem->问我输入导入密码"以及输入PEM密码"

openssl pkcs12 -in myOldCertificate.p12 -nocerts -out privateKey_cert.pem -> asked me "Enter Import Password" and also for "Enter PEM pass phrase"

所以最后，我只是从下载的示例52中更改了89行.

So finally, I just changed the line 89 from the downloaded example 52.

//设置文档签名

$ pdf-> setSignature('file:///var/www/html/publicCert.pem'，'file:///var/www/html/privateKey_cert.pem'，'xxxxxx'，``， 2，$ info); ->在"xxxxx"中，我写了与导入密码相同的字符串，以防万一，PEM密码也相同.

$pdf->setSignature('file:///var/www/html/publicCert.pem', 'file:///var/www/html/privateKey_cert.pem', 'xxxxxx', '', 2, $info); -> In the 'xxxxx' I wrote the same string as the Import password and, just in case, also the same for PEM pass phrase.

当我创建数字签名的pdf并使用Acrobat Reader DC打开时，您可以看到下一张图片:

And when I create the digital signed pdf and open it with the Acrobat Reader DC you can see the next image:

我的担心是因为我可以看到我的公司认证"字样，并且看起来还可以，但是没有绿色勾号，我不确定它是否完全有效.您必须认为我将需要最安全的方法来验证此pdf文件的真实性和完整性.

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid. You have to think that I will need the most secure way to verify the authenticity and the integrity of this pdf.

推荐答案

PDF格式支持两种类型的用户签名:

The PDF format supports two types of user signatures:

• 批准签名和
• 认证签名.

除了在文档上签名外，证书签名还选择在签名后允许对文档进行哪些更改；批准签名只是签名.

Certification signatures in addition to signing the document also select which changes to the document shall be allowed after signing; approval signatures merely sign.

通常，文档的作者使用证明签名对其进行签名，以表明他是文档的作者，并且仅允许对其进行某些添加(例如，表单填写).然后，将经过如此认证的文档转发给其他各方(可能在表单填写后)，其他各方使用批准签名对文档进行签名，以表明他们批准了文档内容，包括添加的内容.

Usually the author of a document signs it using a certification signature to indicate that he is the author of the document and allows only certain additions to it (e.g. form fill-ins). A so certified document then is forwarded to other parties who (probably after form fill-ins) sign the document using an approval signature to indicate that they approve the document contents including their additions.

您的旧代码应用了批准签名，而新代码则应用了允许仅表单填写，签名和页面添加操作"的认证签名.

Your old code applied an approval signature while your new code applies a certification signature allowing "only form fill-in, signing, and page adding actions".

关于您的担心

我的担心是因为我可以看到上面写着通过公司证书认证"，而且看起来还可以，但是没有绿色勾号，我不确定它是否完全有效.

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid.

除上述差异外，认证签名与批准签名一样有效.作为签名状态栏图标含义的概述，请在此处查看:

Other than the difference described above, the certification signature is just as valid as the approval signature. As an overview of the meanings of the signature status bar icons, have a look here:

(此备忘单适用于Adobe Acrobat和Reader 9；同时，认证功能区的颜色从蓝色变为黑色，但含义仍然相同)

(This cheat sheet is for Adobe Acrobat and Reader 9; meanwhile the color of the certification ribbon has changed from blue to black but its meaning is still the same)

如果您严格要返回批准签名，请尝试延长线段

If you strictly want to go back to an approval signature, try extending the line

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);

在示例代码中，带有另一个参数

in the example code with another parameter to

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info, 'A');

(乍一看，TCPDF源代码)使代码创建批准签名.

which should (at first glance at the TCPDF sources) cause the code to create approval signatures.

这篇关于此pdf数字签名正确吗? PHP/TCPDF的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！