Itext pdf deferred signing results in pdf with invalid signature

Problem description

As part of my research for client/server PDF signing, I have tested the iText PDF deferred signing example. Unfortunately my resulting PDF, i.e. the output of the merged empty-signature PDF and hash value, shows an invalid signature.

My code snippet is as follows:

    class MyExternalSignatureContainer implements ExternalSignatureContainer {
        protected byte[] sig;
        protected Certificate[] chain;

        public MyExternalSignatureContainer(byte[] sig, Certificate[] chain) {
            this.sig = sig;
            this.chain = chain;
        }

        // Returns the signature container that was built beforehand.
        public byte[] sign(InputStream is) throws GeneralSecurityException {
            return sig;
        }
        // (the remainder of the class is not shown in the post)
    }

    public byte[] emptySignature_hash(String src, String dest, String fieldname, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(dest);
        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
        PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
        appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, fieldname);
        appearance.setCertificate(chain[0]);
        ExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
        MakeSignature.signExternalContainer(appearance, external, 8192);
        InputStream inp = appearance.getRangeStream();
        BouncyCastleDigest digest = new BouncyCastleDigest();
        PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", null, digest, false);
        byte[] hash = DigestAlgorithms.digest(inp, digest.getMessageDigest("SHA256"));
        Calendar cal = Calendar.getInstance();
        cal1 = cal; // cal1 is a field (declaration not shown), reused in signed_hash
        System.out.println(cal);
        byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, cal, null, null, CryptoStandard.CMS);

        return sh;
    }

    public byte[] signed_hash(byte[] hash, PrivateKey pk, Certificate[] chain) throws GeneralSecurityException {
        PrivateKeySignature signature = new PrivateKeySignature(pk, "SHA256", "SunPKCS11-eToken");
        byte[] extSignature = signature.sign(hash);
        //return extSignature;
        BouncyCastleDigest digest = new BouncyCastleDigest();
        Calendar cal = Calendar.getInstance();
        String hashAlgorithm = signature.getHashAlgorithm();
        System.out.println(hashAlgorithm);
        PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", null, digest, false);
        sgn.setExternalDigest(extSignature, null, signature.getEncryptionAlgorithm());
        return sgn.getEncodedPKCS7(hash, cal1, null, null, null, CryptoStandard.CMS);
    }

    public void createSignature(String src, String dest, String fieldname, byte[] hash, PrivateKey pk, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(dest);
        ExternalSignatureContainer external = new MyExternalSignatureContainer(hash, chain);
        MakeSignature.signDeferred(reader, fieldname, os, external);
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException, DocumentException {
        byte[] hh = app.emptySignature_hash(SRC, TEMP, "sig1", chain);
        byte[] hh_sign = (app.signed_hash(hh, pk, chain));
        app.createSignature(TEMP, DEST1, "sig1", hh_sign, pk, chain);
    }

Something went wrong. I could not figure it out. I searched a lot for tutorials on the same.

I am using a PKCS#11 USB token for signing.

Recommended answer

Your architecture is wrong insofar as you use the PdfSignatureAppearance appearance after running MakeSignature.signExternalContainer for it. Both signExternalContainer and the signDetached overloads in MakeSignature close the underlying PdfStamper, PdfSignatureAppearance, and PdfReader instances.

Therefore, when you do the following in your method emptySignature_hash:

    MakeSignature.signExternalContainer(appearance, external, 8192);
    InputStream inp = appearance.getRangeStream();   

your inp may not necessarily contain anything sensible.

Instead you should access the byte ranges to sign in your external object; it retrieves them as the parameter of its sign method. Simply refactor your hash calculation into that method and store the calculated hash in a member of that container to retrieve it in emptySignature_hash.

As you have not shared an example result of your signing code, I cannot try to determine whether there also are other issues in your signing.
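
The refactoring described in the answer, as an added example that is not part of the original post: the container hashes the byte ranges inside its sign method and keeps the result in a member, so nothing is read from the appearance after signExternalContainer has closed it. iText 5 is assumed; HashCapturingContainer, DeferredHash and prepareAndHash are hypothetical names.

```java
import com.itextpdf.text.DocumentException;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.DigestAlgorithms;
import com.itextpdf.text.pdf.security.ExternalSignatureContainer;
import com.itextpdf.text.pdf.security.MakeSignature;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;

// Added example (iText 5 assumed); class and method names are hypothetical.
class HashCapturingContainer implements ExternalSignatureContainer {
    private byte[] rangeHash; // SHA-256 of the signed byte ranges

    // iText passes the byte ranges to sign as this method's parameter.
    @Override
    public byte[] sign(InputStream data) throws GeneralSecurityException {
        try {
            BouncyCastleDigest digest = new BouncyCastleDigest();
            rangeHash = DigestAlgorithms.digest(data, digest.getMessageDigest("SHA256"));
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
        return new byte[0]; // keep the reserved signature placeholder empty
    }

    @Override
    public void modifySigningDictionary(PdfDictionary signDic) {
        signDic.put(PdfName.FILTER, PdfName.ADOBE_PPKLITE);
        signDic.put(PdfName.SUBFILTER, PdfName.ADBE_PKCS7_DETACHED);
    }

    byte[] getRangeHash() {
        return rangeHash;
    }
}

class DeferredHash {
    // Replaces the getRangeStream() call made after signExternalContainer.
    static byte[] prepareAndHash(PdfSignatureAppearance appearance)
            throws GeneralSecurityException, IOException, DocumentException {
        HashCapturingContainer external = new HashCapturingContainer();
        MakeSignature.signExternalContainer(appearance, external, 8192);
        return external.getRangeHash(); // hash of the ranges actually written
    }
}
```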
