无法弄清楚为什么我的 PDF 签名没有启用 LTV [英] Can't figure out why my PDF signature is not LTV enabled

问题描述

我正在生成一个带有签名的 PDF 文档，我希望它启用 LTV.为此，我在创建 PDF 时对其进行签名，然后添加包含带有验证相关信息 (VRI) 的 DSS 的第二个版本.正如我在一些文章中发现的那样，我需要添加证书链(没有根证书 - 授权)和证书吊销列表 (CRL).就我而言，两者都有 2 个元素.之后，我添加了 VRI 的条目，它是签名内容的 SHA-1 哈希(在/Contents 的第一个 PDF 版本中找到)，其值引用了上面提到的证书和 CRL.

I'm generating a PDF document with signature and I want it to be LTV enabled. For this, I sign the PDF when creating it and then I add the second version containing the DSS with the validation related informations (VRI). As I found in some articles, I need to add the Certificate chain (without the root certificate - Authority) and the Certificate Revocation List (CRL). In my case, both will have 2 elements. After that I add the entry for the VRI which is a SHA-1 hash of the signature content (found in the first PDF verion in the /Contents ) with the value which refers the Certificates and CRL mentioned above.

对于证书和吊销列表元素，我使用内容的原始字节流.

For both the certificates and the revocation list elements I use the raw bytes stream of the content.

这里是我的 PDF 样本

编辑

我获取 CRL 信息的方式是像这样使用 WynCrypt:

The way I obtain the CRL information is uising WynCrypt like this:

//Retrieve chained certificate
if(!CertGetCertificateChain(hChainEngine, pSignerCert, pTime, hAdditionalStore, &chainPara, dwFlags, NULL, &ppChainContext))
    return NULL;

//first cert in chain is the end cert; last one is the root cert
for(int i = 0; i < ppChainContext->cChain; ++i)
{
    PCERT_SIMPLE_CHAIN simpleChain = ppChainContext->rgpChain[i];

    for(int j = 0; j < (int)simpleChain->cElement - 1; j++)//do not include root certificate
    {
        PCERT_CHAIN_ELEMENT chainElement = simpleChain->rgpElement[j];

        if(chainElement->pCertContext)
        {   
            //the certificate bytes
            byte* certBytes =chainElement->pCertContext->pbCertEncoded
        }

        if(chainElement->pRevocationInfo && chainElement->pRevocationInfo->pCrlInfo)
        {
            PCCRL_CONTEXT crlContext = chainElement->pRevocationInfo->pCrlInfo->pBaseCrlContext;//get revocation context

            //the bytes that will be written in PDF
            byte* crlBytes = crlContext->pbCrlEncoded;
        }
    }
}

推荐答案

SOLUTION

解决此问题的方法相同:另一个问题

这篇关于无法弄清楚为什么我的 PDF 签名没有启用 LTV的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！