Add revocation information to signature using iText7


Question


I am producing a Long Term signature. I am trying to add revocation information (CRLs, OCSP responses, certificate chain) to the signature as unsigned attributes, but the revocation information is not being embedded in the final signature. Following is the code snippet:

        // Buffer that the signer writes the updated document into
        Stream outputStream = new MemoryStream();

        List<byte[]> ocspCollection = new List<byte[]>();
        List<byte[]> crlCollection = new List<byte[]>();
        List<byte[]> certsCollection = new List<byte[]>();

        // Open the already signed PDF in append mode so the existing signature stays intact
        Stream readerStream = new MemoryStream(signedDocument);
        PdfReader pdfReader = new PdfReader(readerStream);
        PdfSigner pdfSigner = new PdfSigner(pdfReader, outputStream, new StampingProperties().UseAppendMode());

        LtvVerification ltvVerification = new LtvVerification(pdfSigner.GetDocument());

        // Collect the DER-encoded certificates of the signer's chain (.NET X509 types)
        X509Chain chain = new X509Chain();
        chain.Build(signerCertificate);

        foreach (X509ChainElement item in chain.ChainElements)
        {
            byte[] certBytes = item.Certificate.Export(X509ContentType.Cert);
            certsCollection.Add(certBytes);
        }

        // Pre-fetched OCSP responses and CRLs for the signer certificate
        foreach (byte[] ocsp in revocationInfo.OCSPResponses)
        {
            ocspCollection.Add(ocsp);
        }

        foreach (byte[] crlBytes in revocationInfo.CRLs)
        {
            crlCollection.Add(crlBytes);
        }

        // Registers the data for the named signature field; LtvVerification only writes it into the
        // document's DSS on Merge(), which this snippet never calls, and the document is never closed
        bool revocationInfoAdded = ltvVerification.AddVerification(signingRequest.FieldName, ocspCollection, crlCollection, certsCollection);

ltvVerification.AddVerification() method returns true in response.

Please find the signed document from below link: https://1drv.ms/b/s!AvIgyv7xAxxoihGn9aFbe9TQSps4?e=eKPdn8

Any help in this regard is highly appreciated. Regards

Solution

Some working code

You used a PdfSigner (which only makes sense when also applying a signature or document time stamp but you provided only the already signed file) and have some variables I do not have here. Thus, I essentially wrote an example based on a mere PdfDocument and your shared files without those extra variables:

using (PdfReader pdfReader = new PdfReader("LTV Doc-Revocation Info Issue.pdf"))
using (PdfWriter pdfWriter = new PdfWriter("LTV Doc-Revocation Info Issue-WithRevocation.pdf"))
// Append mode: the incremental update must not invalidate the signature already in the file
using (PdfDocument pdfDocument = new PdfDocument(pdfReader, pdfWriter, new StampingProperties().UseAppendMode()))
{
    List<byte[]> ocspCollection = new List<byte[]>();
    List<byte[]> crlCollection = new List<byte[]>();
    List<byte[]> certsCollection = new List<byte[]>();
    // "Ocsp" and "Crl.crl" are the shared revocation files; no extra certificates are supplied
    ocspCollection.Add(File.ReadAllBytes(@"Ocsp"));
    crlCollection.Add(File.ReadAllBytes(@"Crl.crl"));

    LtvVerification ltvVerification = new LtvVerification(pdfDocument);
    // Register the data for the signature field, then Merge() writes it into the document's DSS
    ltvVerification.AddVerification("SH_SIGNATURE_532546", ocspCollection, crlCollection, certsCollection);
    ltvVerification.Merge();
}

Inspecting the result one sees:

In particular the provided OCSP response and the provided CRL are embedded in the PDF, so the iText LtvVerification class does its job.

Possible issues in your project

First of all you say:

I am trying to add revocation information (CRLs, OCSP responses, certificate chain) to the signature as unsigned attributes

This already indicates a mismatch: You use the LtvVerification class, and so do I in the working code above. This class does not change the embedded CMS containers. It does not add the revocation information to the unsigned attributes of the embedded CMS container but instead to the DSS (Document Security Store) structure of the PDF.

Embedding revocation data as unsigned attributes of the embedded CMS signature container actually is not possible in an interoperable way: You either use the signed adbe-revocationInfoArchival attribute in the CMS container or the DSS outside of the CMS container.

(Some validators accept revocation data embedded CAdES-style in the unsigned attributes but strictly speaking that is forbidden in PAdES and not interoperable in PDF 2.0.)

So if you actually want to embed the revocation data in the CMS container, provide them to the PdfSigner signing method of your choice, they all explicitly or implicitly accept revocation data to embed,

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype)

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype, SignaturePolicyInfo signaturePolicy)

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype, SignaturePolicyIdentifier signaturePolicy)

or

public virtual void SignExternalContainer(IExternalSignatureContainer externalSignatureContainer,
    int estimatedSize)

The former three explicitly accept CRL and OCSP clients (which can be implemented to provide pre-existing CRLs and OCSPs) while the latter gets the full CMS container from the given IExternalSignatureContainer implementation, so in that implementation you can add any information to it you want.
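As an added example of the CMS route the answer describes (my code, not the question's or the answer's): ICrlClient and IOcspClient implementations that hand pre-fetched revocation data to SignDetached, so it lands in the signed adbe-revocationInfoArchival attribute rather than the DSS, followed by a read-back check of where the data ended up. Class and method names are mine; chain is an array of BouncyCastle X509Certificate objects, which is what iText 7's signing API takes instead of the .NET X509Chain used in the question, and the caller supplies any IExternalSignature (for example PrivateKeySignature).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;
using Org.BouncyCastle.X509;
// Clients handing iText revocation data fetched earlier; the OCSP bytes must be a DER-encoded BasicOCSPResponse, as iText's own OcspClientBouncyCastle returns.
public class PreloadedCrlClient : ICrlClient
{
    private readonly ICollection<byte[]> crls;
    public PreloadedCrlClient(ICollection<byte[]> crls) { this.crls = crls; }
    // iText may call this for each chain certificate until it gets CRLs; the stored list is returned every time
    public ICollection<byte[]> GetEncoded(X509Certificate checkCert, string url) => crls;
}
public class PreloadedOcspClient : IOcspClient
{
    private readonly byte[] basicResponse;
    public PreloadedOcspClient(byte[] basicResponse) { this.basicResponse = basicResponse; }
    public byte[] GetEncoded(X509Certificate checkCert, X509Certificate issuerCert, string url) => basicResponse;
}
public static class CmsRevocationExample
{
    public static void SignWithEmbeddedRevocation(string src, string dest, IExternalSignature signature,
        X509Certificate[] chain, byte[] basicOcspResponse, byte[] crl)
    {
        using (PdfReader reader = new PdfReader(src))
        using (FileStream output = new FileStream(dest, FileMode.Create))
        {
            PdfSigner signer = new PdfSigner(reader, output, new StampingProperties().UseAppendMode());
            // estimatedSize 0 lets iText size the /Contents placeholder from the CRL bytes it receives
            signer.SignDetached(signature, chain, new List<ICrlClient> { new PreloadedCrlClient(new[] { crl }) },
                new PreloadedOcspClient(basicOcspResponse), null, 0, PdfSigner.CryptoStandard.CMS);
        }
    }
    // Check afterwards where the revocation data landed: signed CMS attributes versus the DSS dictionary
    public static void Report(string path)
    {
        using (PdfDocument doc = new PdfDocument(new PdfReader(path)))
        {
            SignatureUtil util = new SignatureUtil(doc);
            foreach (string name in util.GetSignatureNames())
            {
                PdfPKCS7 pkcs7 = util.ReadSignatureData(name);
                Console.WriteLine($"{name}: CRLs in CMS = {pkcs7.GetCRLs()?.Count ?? 0}, OCSP in CMS = {pkcs7.GetOcsp() != null}");
            }
            PdfDictionary dss = doc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS);
            Console.WriteLine($"DSS CRLs = {dss?.GetAsArray(PdfName.CRLs)?.Size() ?? 0}, DSS OCSPs = {dss?.GetAsArray(PdfName.OCSPs)?.Size() ?? 0}");
        }
    }
}
```

Running Report on a file produced by the answer's LtvVerification code shows the counts in the DSS lines and zero in the CMS lines; on a file produced by SignWithEmbeddedRevocation it is the other way round.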
