How do you encode the Certificate Revocation List (CRL) stream bytes in PDF?

Views: 175

Question

I signed a PDF file and added an incremental update in which I wrote the DSS with its CRLs, Certs and VRI.

19 0 obj
    [15 0 R 16 0 R]
endobj
20 0 obj
    [13 0 R 14 0 R]
endobj
11 0 obj
    [15 0 R 16 0 R]
endobj
12 0 obj 
    [13 0 R 14 0 R]
endobj
17 0 obj
<<
    /CRL 11 0 R
    /Cert 12 0 R
>>
endobj
18 0 obj
<<
    /5F44CF6F351DFD45FB62F3D0ED046408BC892797 17 0 R
>>
endobj
21 0 obj
<<
    /VRI 18 0 R
    /CRLs 19 0 R
    /Certs 20 0 R
>>

I am confused about how the certificate and CRL streams should be written.

15 0 obj
<<
    /Length 1454
    /Filter /FlateDecode
>>
stream
xÚ3hb0hb{ÅÄÈhÀÉƪÍÇÌ$ÅÊ`àcÈä2‡²°    3…Šˆ€8\¼®y%E¥Å%:žyÉz†ªÊ
ZbXd{0%KW÷ýY¯’ó‚-ØÂÛ„OÏó½z•î    ‰`®•®   K-›2}tÖ§^_8;xÉì¥Ó®~›.g9A'Õüê½—
endstream
endobj

16 0 obj
<<
    /Length 1477
    /Filter /FlateDecode
>>
stream
„kâR7Å41*!‡#8Íñ3 Ź˜@‰o=«‡çƒ#yë:X]r\~}¼)/Ñmç×£¦³äsËê]ÓÕ_+µ¥$Ô¿}¾ÜÏiÁÝT!¹ôi–Í9üÀ}Š¸|
ìŒH¿GÓø^ú¿ÔVÜK–qõ†µ®"¸»Ý*Žh¾JzåU7c~÷•ÔêýK*îú®¹¸DcÁ­³·NtV~Vóåíé5\‚&½|¶NäïŽ[K­
î›NRZbXd{0%KW÷ýY¯’ó‚-ØÂÛ„OÏó½z•î    ‰`®•®   K-›2}tÖ§^_8;xÉì¥Ó®~›.g9A'Õüê½—›oÇ:ç-¶?
endstream
endobj

13 0 obj
<<
    /Length 1240
    /Filter /FlateDecode
>>
stream
%ŸwC[í2×¾Iej©úkŽ-:ݳÔ<¼a£ƒô/5›‡~zÒ•7ü9uãcfk?ËÅ`ßÃ:Èb—’‚Ÿõ{ÏÅ—¢{]HçQ"9w(ÂB#í×g¥ìþè
^–F«š/r§š¿ì=#,^pëO€{äú=}RÎêð¦ÉŠ7or¼±Ëtë–x·˜§LÌŒŒ‹› Cd0€eùÿ³°03±>0P ñUY$
endstream
endobj

14 0 obj
<<
    /Length 1159
    /Filter /FlateDecode
>>
stream
4!>T‚êPpÎI,.V0Ò™@ûœºƒ=LÍš•ãˆ‘•¹‰‘Ÿ(ÎÅÔÄÈÈplŽ÷A¯¹7k/[‡O\}
öe™¨îö£œ¶ä'¶ÌpžªweÞª[¡$¼ØÍþþtó[½xÉO4ÞZ¥ØŸ^g ø,mu„_Rz™_PÏê.||º¶*þîÝxv½"»êôó»ø%Ü%ý
endstream
endobj

Please ignore the lengths and content of the streams above. I truncated them so the lengths don't correspond anymore. The streams are bigger than that.

The issue is that my PDF is not LTV enabled, and I tested some scenarios from which I concluded that my streams are not being written the right way.

I use the following structure from WinCrypt.h:

typedef struct _CERT_CONTEXT {
    DWORD                   dwCertEncodingType;
    BYTE                    *pbCertEncoded;
    DWORD                   cbCertEncoded;
    PCERT_INFO              pCertInfo;
    HCERTSTORE              hCertStore;
} CERT_CONTEXT, *PCERT_CONTEXT;
typedef const CERT_CONTEXT *PCCERT_CONTEXT;

I go through them and get the bytes this way:

PCCERT_CONTEXT  cngContext = (PCCERT_CONTEXT)(*itChain);
ByteArray certBytes(cngContext->pbCertEncoded, (size_t)cngContext->cbCertEncoded);

Then I just apply FlateDecode on the obtained bytes and write them into the PDF like a stream as you can see in the second block of code.

Am I missing a step? Like a conversion or something? I saw that the stream should be BER encoded. So should I convert the bytes to BER encoding and then apply FlateDecode?

You can find my file here.

Answer

Solution

The problem was the CRL I was writing into the PDF file.

Having the CRL_CONTEXT structures from each certificate, I just took the pbCrlEncoded variable and wrote it directly into the stream of the CRL.

It seemed correct, but I noticed I didn't have any CRL_ENTRY in the CRL_INFO of this structure, so the encoded BYTEs didn't contain any list of revoked certificates. Therefore, I found that the certificates have a URL from which you can download the updated CRL. You can do that by opening Manage Computer Certificates in Windows -> find your certificate and open the certificate -> Details -> CRL Distribution Points -> URL = "..". By accessing this URL, the browser automatically downloads the CRL info. You can access it and see some information like Next Update, which is the last day that this list is valid. After that, I'm assuming that you need to download it again to get an updated version. You can also see the list of revoked certificates itself.

This is the list I needed to put into the CRL streams in the PDF. So I found a way to do that download process in code. This is a snippet of the code used:

#include <windows.h>
#include <wincrypt.h>

// Fragment of a function returning ByteArray (the asker's own byte container).
PCERT_CHAIN_ELEMENT chainElement; // this is the certificate in the chain, supplied by the caller
PCERT_EXTENSION pExtension = NULL;
DWORD cbStructInfo = 0;
void *pvStructInfo = NULL;
CRL_DIST_POINTS_INFO *pInfo = NULL;
ByteArray crllist;

// Locate the CRL Distribution Points extension (szOID_CRL_DIST_POINTS, 2.5.29.31)
pExtension = CertFindExtension(szOID_CRL_DIST_POINTS, chainElement->pCertContext->pCertInfo->cExtension, chainElement->pCertContext->pCertInfo->rgExtension);
if (!pExtension)
    return ByteArray();

// First call only reports the size of the decoded structure, second call fills it; check both results
if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_CRL_DIST_POINTS, pExtension->Value.pbData, pExtension->Value.cbData, 0, NULL, &cbStructInfo))
    return ByteArray();

if (!(pvStructInfo = LocalAlloc(LMEM_FIXED, cbStructInfo)))
    return ByteArray();

if (!CryptDecodeObject(X509_ASN_ENCODING, szOID_CRL_DIST_POINTS, pExtension->Value.pbData, pExtension->Value.cbData, 0, pvStructInfo, &cbStructInfo)) {
    LocalFree(pvStructInfo);
    return ByteArray();
}
pInfo = (CRL_DIST_POINTS_INFO*)pvStructInfo;

// Only a full-name distribution point whose first entry is a URL can be fetched this way
if (pInfo->cDistPoint == 0 || pInfo->rgDistPoint[0].DistPointName.dwDistPointNameChoice != CRL_DIST_POINT_FULL_NAME
    || pInfo->rgDistPoint[0].DistPointName.FullName.cAltEntry == 0 || pInfo->rgDistPoint[0].DistPointName.FullName.rgAltEntry[0].dwAltNameChoice != CERT_ALT_NAME_URL) {
    LocalFree(pvStructInfo);
    return ByteArray();
}

// Download the current CRL from the distribution point (Net::HttpRequest is the asker's own HTTP wrapper, not a Windows API)
Net::HttpRequest req;
Net::HttpRequestOptions ops;
ops.verb = Net::GET;
crllist = req.send(pInfo->rgDistPoint->DistPointName.FullName.rgAltEntry->pwszURL);
LocalFree(pvStructInfo);

This way I obtained the bytes that I could paste into the PDF after applying FlateDecode to them. Now the PDF is LTV enabled.
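As an added example (not code from the question or the answer), the following stdlib-only Python serialises a DER-encoded CRL or certificate as a FlateDecode stream object with /Length set to the compressed size, reads one such object back to confirm the inflated payload is a single complete DER SEQUENCE (a truncated blob like the ones pasted in the question fails this check), and derives the VRI key as the uppercase hex SHA-1 of the signature's /Contents bytes as PAdES specifies. The DER blob at the bottom is constructed for the demo and is not a real CRL.

```python
import hashlib
import re
import zlib

def der_outer_length(blob: bytes):
    """Length of the outermost DER TLV, or None if it is not a SEQUENCE header
    (X.509 certificates and CRLs are both DER SEQUENCEs)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def is_complete_der(blob: bytes) -> bool:
    """True when blob is exactly one whole DER object (catches truncation)."""
    return der_outer_length(blob) == len(blob)

def make_flate_stream(obj_num: int, der: bytes) -> bytes:
    """Serialise DER bytes as 'N 0 obj' with /Filter /FlateDecode.
    /Length is the compressed byte count, not the DER length."""
    if not is_complete_der(der):
        raise ValueError("not a complete DER SEQUENCE")
    data = zlib.compress(der)
    head = (f"{obj_num} 0 obj\n<<\n    /Length {len(data)}\n"
            "    /Filter /FlateDecode\n>>\nstream\n").encode("ascii")
    return head + data + b"\nendstream\nendobj\n"

def stream_holds_complete_der(obj: bytes) -> bool:
    """Re-read one stream object: /Length must equal the payload size and the
    inflated payload must be a complete DER object."""
    m = re.search(rb"/Length (\d+)", obj)
    start = obj.index(b"stream\n") + len(b"stream\n")   # first 'stream' keyword
    payload = obj[start:obj.rindex(b"\nendstream")]
    if m is None or int(m.group(1)) != len(payload):
        return False
    try:
        return is_complete_der(zlib.decompress(payload))
    except zlib.error:
        return False

def vri_key(signature_contents: bytes) -> str:
    """VRI dictionary key (PAdES): uppercase hex SHA-1 of the signature's /Contents."""
    return hashlib.sha1(signature_contents).hexdigest().upper()

# Constructed stand-in for a DER CRL: SEQUENCE with long-form length 0x82 0x01 0x00 = 256 bytes.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
```

Run the same check over each /CRLs and /Certs stream of a signed file before expecting a viewer to treat it as LTV enabled; a mismatched /Length or a truncated DER body is rejected silently by most validators.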
