Can't figure out why my PDF signature is not LTV enabled


Problem description

I'm generating a PDF document with a signature and I want it to be LTV enabled. For this, I sign the PDF when creating it and then I add the second version containing the DSS with the validation related information (VRI). As I found in some articles, I need to add the Certificate chain (without the root certificate - Authority) and the Certificate Revocation List (CRL). In my case, both will have 2 elements. After that I add the entry for the VRI which is a SHA-1 hash of the signature content (found in the first PDF version in the /Contents) with the value which refers to the Certificates and CRL mentioned above.

For both the certificates and the revocation list elements I use the raw bytes stream of the content.

Here is my PDF sample

Edit

The way I obtain the CRL information is using WinCrypt like this:

//Retrieve chained certificate
if(!CertGetCertificateChain(hChainEngine, pSignerCert, pTime, hAdditionalStore, &chainPara, dwFlags, NULL, &ppChainContext))
    return NULL;

//first cert in chain is the end cert; last one is the root cert
for(int i = 0; i < ppChainContext->cChain; ++i)
{
    PCERT_SIMPLE_CHAIN simpleChain = ppChainContext->rgpChain[i];

    for(int j = 0; j < (int)simpleChain->cElement - 1; j++)//do not include root certificate
    {
        PCERT_CHAIN_ELEMENT chainElement = simpleChain->rgpElement[j];

        if(chainElement->pCertContext)
        {   
            //the certificate bytes (their length is in cbCertEncoded)
            byte* certBytes = chainElement->pCertContext->pbCertEncoded;
        }

        if(chainElement->pRevocationInfo && chainElement->pRevocationInfo->pCrlInfo)
        {
            PCCRL_CONTEXT crlContext = chainElement->pRevocationInfo->pCrlInfo->pBaseCrlContext;//get revocation context

            //the bytes that will be written in PDF
            byte* crlBytes = crlContext->pbCrlEncoded;
        }
    }
}
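
An added example, not part of the original question or its answer: a Python check of the VRI step described above, which recomputes each signature's VRI key and reports whether the DSS names it. It assumes the key is the uppercase hex SHA-1 of the complete decoded /Contents string (zero padding included) and that the DSS objects are stored uncompressed; `vri_key`, `check_vri` and `sample_pdf` are hypothetical names and the sample bytes are constructed.

```python
import hashlib
import re

def vri_key(contents_hex: str) -> str:
    """Uppercase hex SHA-1 of the decoded /Contents hex string.
    Assumption: the whole string is hashed, trailing zero padding included."""
    digits = re.sub(r"\s+", "", contents_hex)
    if len(digits) % 2:          # PDF rule: a missing final hex digit counts as 0
        digits += "0"
    return hashlib.sha1(bytes.fromhex(digits)).hexdigest().upper()

def check_vri(pdf: bytes) -> dict:
    """Map each signature's expected VRI key to 'ok', 'wrong-case' or 'missing'.
    Only sees uncompressed objects; keys inside object streams are not found."""
    text = pdf.decode("latin-1")
    # Candidate VRI keys: PDF names made of exactly 40 hex digits.
    names = set(re.findall(r"/([0-9A-Fa-f]{40})(?![0-9A-Za-z])", text))
    lowered = {n.lower() for n in names}
    report = {}
    # Signature values are hex strings; page /Contents entries are references.
    for hex_sig in re.findall(r"/Contents\s*<([0-9A-Fa-f\s]+)>", text):
        key = vri_key(hex_sig)
        if key in names:
            report[key] = "ok"
        elif key.lower() in lowered:
            report[key] = "wrong-case"   # key present but not uppercase
        else:
            report[key] = "missing"      # e.g. hashed without the padding
    return report

def sample_pdf(sig_hex: str, key_in_dss: str) -> bytes:
    """Constructed two-object fragment: a signature and a DSS with one VRI entry."""
    return (
        "1 0 obj << /Type /Sig /Contents <%s> >> endobj\n"
        "2 0 obj << /Type /DSS /Certs [3 0 R 4 0 R] /CRLs [5 0 R 6 0 R] "
        "/VRI << /%s << /Cert [3 0 R 4 0 R] /CRL [5 0 R 6 0 R] >> >> >> endobj\n"
        % (sig_hex, key_in_dss)
    ).encode("latin-1")

if __name__ == "__main__":
    sig = "3082000102030405" + "00" * 8      # constructed value with zero padding
    print(check_vri(sample_pdf(sig, vri_key(sig))))
    print(check_vri(sample_pdf(sig, vri_key("3082000102030405"))))
```
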

Recommended answer

Solution

The same as in the solution to this question: