无法弄清楚为什么我的 PDF 签名没有启用 LTV [英] Can't figure out why my PDF signature is not LTV enabled
问题描述
我正在生成一个带有签名的 PDF 文档,我希望它启用 LTV.为此,我在创建 PDF 时对其进行签名,然后添加包含带有验证相关信息 (VRI) 的 DSS 的第二个版本.正如我在一些文章中发现的那样,我需要添加证书链(没有根证书 - 授权)和证书吊销列表 (CRL).就我而言,两者都有 2 个元素.之后,我添加了 VRI 的条目,它是签名内容的 SHA-1 哈希(在/Contents 的第一个 PDF 版本中找到),其值引用了上面提到的证书和 CRL.
I'm generating a PDF document with signature and I want it to be LTV enabled. For this, I sign the PDF when creating it and then I add the second version containing the DSS with the validation related informations (VRI). As I found in some articles, I need to add the Certificate chain (without the root certificate - Authority) and the Certificate Revocation List (CRL). In my case, both will have 2 elements. After that I add the entry for the VRI which is a SHA-1 hash of the signature content (found in the first PDF verion in the /Contents ) with the value which refers the Certificates and CRL mentioned above.
对于证书和吊销列表元素,我使用内容的原始字节流.
For both the certificates and the revocation list elements I use the raw bytes stream of the content.
这里是我的 PDF 样本
编辑
我获取 CRL 信息的方式是像这样使用 WynCrypt:
The way I obtain the CRL information is uising WynCrypt like this:
//Retrieve chained certificate
if(!CertGetCertificateChain(hChainEngine, pSignerCert, pTime, hAdditionalStore, &chainPara, dwFlags, NULL, &ppChainContext))
return NULL;
//first cert in chain is the end cert; last one is the root cert
for(int i = 0; i < ppChainContext->cChain; ++i)
{
PCERT_SIMPLE_CHAIN simpleChain = ppChainContext->rgpChain[i];
for(int j = 0; j < (int)simpleChain->cElement - 1; j++)//do not include root certificate
{
PCERT_CHAIN_ELEMENT chainElement = simpleChain->rgpElement[j];
if(chainElement->pCertContext)
{
//the certificate bytes
byte* certBytes =chainElement->pCertContext->pbCertEncoded
}
if(chainElement->pRevocationInfo && chainElement->pRevocationInfo->pCrlInfo)
{
PCCRL_CONTEXT crlContext = chainElement->pRevocationInfo->pCrlInfo->pBaseCrlContext;//get revocation context
//the bytes that will be written in PDF
byte* crlBytes = crlContext->pbCrlEncoded;
}
}
}
推荐答案
SOLUTION
解决此问题的方法相同:另一个问题
这篇关于无法弄清楚为什么我的 PDF 签名没有启用 LTV的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!