Signing a PDF with an eID using PKCS#11 and iText
Problem description
After following the "Signing a document using a smart card and PKCS#11" topic in http://itextpdf.com/book/digitalsignatures and creating a code sample similar to the provided one, the signed file signature is invalid in Adobe Reader, the signature appearance has the name of the non-repudiation certificate (i.e., the name of the eID owner) but in Adobe Reader's Signature Panel shows: The error occurred while validating:
I'm using a Gemalto PinPad and the Portuguese eID. I've tried:
pteidpkcs11.dll installed with the eID middleware software, located in C:\Windows\System32.
ks.getCertificateChain("CITIZEN SIGNATURE CERTIFICATE"); only has the signature certificate
The provided code sample tries to get the PrivateKey of the signature certificate, I found it odd but figured it was just used as a reference. Navigating through the stack trace of the exception that is triggered when the user cancels the process in the PinPad gave me the following idea, which, fortunately, solved this:
- Create a custom com.itextpdf.text.pdf.security.ExternalSignature implementation
- Implement a utility class that, using the sun.security.pkcs11.wrapper.PKCS11 wrapper, interacts with your eID pkcs11 dll (in my case, pteidpkcs11.dll) and provides a signing method that receives a byte[] message which is then sent to the SmartCard reader to be signed, and returns the byte[] result of this operation
- Use the utility class in your CustomExternalSignature.sign(...)
Some tips that you can use if you're developing for the Portuguese eID Cartão Cidadão:
- For the second item of the previous list, I'm using the PTeID4JPKCS11 class from an opensource project named pteid4j created by André Barbosa, you just need to call PTeID4JPKCS11.getInstance().sign(...);
- Regarding the Hash and Encryption algorithm required by the ExternalSignature interface, the hash is SHA-1 and the Encryption RSA
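
The approach from the answer above, as an added example (not the answerer's code and not part of pteid4j or iText): a custom ExternalSignature that delegates to a card utility and checks the returned signature against the signing certificate before iText embeds it. CardSigner is a hypothetical interface standing in for the PKCS#11 utility class, assumed to hash the message with SHA-1 and sign it with RSA PKCS#1 v1.5; the code needs iText 5 on the classpath.

```java
import com.itextpdf.text.pdf.security.ExternalSignature;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;

/** Hypothetical stand-in for the PKCS#11 utility class that talks to the eID dll. */
interface CardSigner {
    /** Assumption: the card side SHA-1 hashes the message and RSA-signs it (PKCS#1 v1.5). */
    byte[] sign(byte[] message) throws GeneralSecurityException;
}

/** ExternalSignature that signs on the smart card instead of using a PrivateKey object. */
public class CustomExternalSignature implements ExternalSignature {
    private final CardSigner card;
    private final X509Certificate signerCert;

    public CustomExternalSignature(CardSigner card, X509Certificate signerCert) {
        this.card = card;
        this.signerCert = signerCert;
    }

    @Override
    public String getHashAlgorithm() { return "SHA-1"; }

    @Override
    public String getEncryptionAlgorithm() { return "RSA"; }

    @Override
    public byte[] sign(byte[] message) throws GeneralSecurityException {
        // The PIN is entered on the PinPad while this call blocks.
        byte[] sig = card.sign(message);

        // Verify with the public key of the certificate that will be embedded in the PDF.
        // A failure here means the card used another key or another mechanism, which
        // would otherwise only show up later as an invalid signature in the reader.
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(signerCert.getPublicKey());
        verifier.update(message);
        if (!verifier.verify(sig)) {
            throw new SignatureException("Card signature does not verify against "
                    + signerCert.getSubjectX500Principal());
        }
        return sig;
    }
}
```

An instance of this class is passed to iText's MakeSignature.signDetached(...) in the place where the book's sample passes a PrivateKeySignature.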