Itext pdf deferred signing results in pdf with invalid signature
Problem description
As part of my research for client/server PDF signing, I have tested the iText PDF deferred signing example. Unfortunately my resulting PDF, i.e. the output of the merged empty-signature PDF and hash value, shows an invalid signature.
My code snippet is as follows:
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.GeneralSecurityException;
    import java.security.PrivateKey;
    import java.security.cert.Certificate;
    import java.util.Calendar;
    import com.itextpdf.text.DocumentException;
    import com.itextpdf.text.Rectangle;
    import com.itextpdf.text.pdf.PdfDictionary;
    import com.itextpdf.text.pdf.PdfName;
    import com.itextpdf.text.pdf.PdfReader;
    import com.itextpdf.text.pdf.PdfSignatureAppearance;
    import com.itextpdf.text.pdf.PdfStamper;
    import com.itextpdf.text.pdf.security.*;
    import com.itextpdf.text.pdf.security.MakeSignature.CryptoStandard;

    class MyExternalSignatureContainer implements ExternalSignatureContainer {
        protected byte[] sig;
        protected Certificate[] chain;
        // signing time captured in emptySignature_hash and reused in signed_hash
        static Calendar cal1;

        public MyExternalSignatureContainer(byte[] sig, Certificate[] chain) {
            this.sig = sig;
            this.chain = chain;
        }

        // returns the pre-computed CMS container; used by signDeferred
        public byte[] sign(InputStream is) throws GeneralSecurityException {
            return sig;
        }

        // required by the ExternalSignatureContainer interface; /Filter and /SubFilter
        // were already set by the blank container in emptySignature_hash
        public void modifySigningDictionary(PdfDictionary signDic) {
        }

        // step 1: write a PDF with an empty signature placeholder and hash its byte range
        public byte[] emptySignature_hash(String src, String dest, String fieldname, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
            PdfReader reader = new PdfReader(src);
            FileOutputStream os = new FileOutputStream(dest);
            PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
            PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
            appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, fieldname);
            appearance.setCertificate(chain[0]);
            ExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
            MakeSignature.signExternalContainer(appearance, external, 8192);
            // the range stream is read here, after signExternalContainer has already run
            InputStream inp = appearance.getRangeStream();
            BouncyCastleDigest digest = new BouncyCastleDigest();
            PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", null, digest, false);
            byte[] hash = DigestAlgorithms.digest(inp, digest.getMessageDigest("SHA256"));
            Calendar cal = Calendar.getInstance();
            cal1 = cal;
            System.out.println(cal);
            byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, cal, null, null, CryptoStandard.CMS);
            return sh;
        }

        // step 2: sign the authenticated attributes with the token and build the CMS container
        public byte[] signed_hash(byte[] hash, PrivateKey pk, Certificate[] chain) throws GeneralSecurityException {
            PrivateKeySignature signature = new PrivateKeySignature(pk, "SHA256", "SunPKCS11-eToken");
            byte[] extSignature = signature.sign(hash);
            //return extSignature;
            BouncyCastleDigest digest = new BouncyCastleDigest();
            Calendar cal = Calendar.getInstance();
            String hashAlgorithm = signature.getHashAlgorithm();
            System.out.println(hashAlgorithm);
            PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", null, digest, false);
            sgn.setExternalDigest(extSignature, null, signature.getEncryptionAlgorithm());
            // note: 'hash' here is the authenticated-attribute bytes returned by emptySignature_hash
            return sgn.getEncodedPKCS7(hash, cal1, null, null, null, CryptoStandard.CMS);
        }

        // step 3: inject the CMS container into the placeholder
        public void createSignature(String src, String dest, String fieldname, byte[] hash, PrivateKey pk, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
            PdfReader reader = new PdfReader(src);
            FileOutputStream os = new FileOutputStream(dest);
            ExternalSignatureContainer external = new MyExternalSignatureContainer(hash, chain);
            MakeSignature.signDeferred(reader, fieldname, os, external);
        }

        // app, SRC, TEMP, DEST1, pk and chain are set up elsewhere in the poster's code (not shown)
        public static void main(String[] args) throws IOException, GeneralSecurityException, DocumentException {
            byte[] hh = app.emptySignature_hash(SRC, TEMP, "sig1", chain);
            byte[] hh_sign = app.signed_hash(hh, pk, chain);
            app.createSignature(TEMP, DEST1, "sig1", hh_sign, pk, chain);
        }
    }
Something went wrong; I could not figure out what. I searched a lot for tutorials on the same.
I am using a PKCS#11 USB token for signing.
Recommended answer
Your architecture is wrong insofar as you use the PdfSignatureAppearance appearance after running MakeSignature.signExternalContainer for it. Both signExternalContainer and the signDetached overloads in MakeSignature close the underlying PdfStamper, PdfSignatureAppearance, and PdfReader instances.

Thus, when in your method emptySignature_hash you run

    MakeSignature.signExternalContainer(appearance, external, 8192);
    InputStream inp = appearance.getRangeStream();

your inp may not necessarily contain anything sensible.

Instead you should access the byte ranges to sign in your external object; it retrieves them as the parameter of its sign method. Simply refactor your hash calculation into that method and store the calculated hash in a member of that container, to retrieve it in emptySignature_hash.

As you have not shared an example result of your signing code, I cannot try to determine whether there also are other issues in your signing.
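The refactoring the answer describes, as an added example (not code from the question or the answer): a blank container that digests the byte range inside its sign method, while the stamper is still open, and stores the hash in a member for the caller. The class names HashCapturingBlankContainer and DeferredPrepare, and the SHA-256 choice, are assumptions; the iText 5 calls are the ones already used in the question.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import com.itextpdf.text.DocumentException;
import com.itextpdf.text.Rectangle;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.DigestAlgorithms;
import com.itextpdf.text.pdf.security.ExternalBlankSignatureContainer;
import com.itextpdf.text.pdf.security.MakeSignature;

// Blank placeholder container (hypothetical name) that also digests the signed byte range.
class HashCapturingBlankContainer extends ExternalBlankSignatureContainer {
    private byte[] documentHash;

    HashCapturingBlankContainer() {
        super(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
    }

    @Override
    public byte[] sign(InputStream data) throws GeneralSecurityException {
        try {
            // 'data' is the byte range to sign, handed over before the stamper is closed
            documentHash = DigestAlgorithms.digest(data, new BouncyCastleDigest().getMessageDigest("SHA256"));
        } catch (IOException e) {
            throw new GeneralSecurityException("could not digest the signed byte range", e);
        }
        return new byte[0]; // leave the /Contents placeholder empty; signDeferred fills it later
    }

    byte[] getDocumentHash() { return documentHash; }
}

class DeferredPrepare {
    // Writes the PDF with the empty signature field and returns the hash of its byte range.
    static byte[] prepareDocument(String src, String tmp, String fieldName, Certificate[] chain)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(tmp);
        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
        PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
        appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, fieldName);
        appearance.setCertificate(chain[0]);
        HashCapturingBlankContainer external = new HashCapturingBlankContainer();
        MakeSignature.signExternalContainer(appearance, external, 8192); // closes stamper, appearance, reader
        return external.getDocumentHash(); // taken from the container, never from the closed appearance
    }
}
```

The returned hash is what the question's emptySignature_hash then feeds into getAuthenticatedAttributeBytes, in place of reading appearance.getRangeStream().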