PDF签名，生成的PDF文档认证无效？ （使用外部签名，web-eid，HSM） [英] PDF Signing, generated PDF Document certification is invalid? (using external signing, web-eid, HSM)

问题描述

我有一个签署数据并为我提供签名哈希的服务，
它正确生成PKCS＃7 DigestInfo，如 rfc2315＃section-9.4

I have a service which signs the data and provides me with the signed hash, it correctly generates PKCS#7 DigestInfo as stated in rfc2315#section-9.4

像这样的东西

上述系统的代码为： https://pastebin.com/b3qZH6xW

            //prepare signature
        PDSignature signature = new PDSignature();
        signature.setFilter(PDSignature.FILTER_ADOBE_PPKLITE);
        signature.setSubFilter(PDSignature.SUBFILTER_ADBE_PKCS7_DETACHED);
        signature.setName("Ankit");
        signature.setLocation("Bhopal, IN");
        signature.setReason("Testing");
        // TODO extract the above details from the signing certificate? Reason as a parameter?

        // the signing date, needed for valid signature
        signature.setSignDate(Calendar.getInstance());

        if (accessPermissions == 0)
        {
            setMDPPermission(document, signature, 3);
        }

        FileOutputStream fos = new FileOutputStream(new File("signed_file.pdf"));

        DetachedPkcs7 detachedPkcs7 = new DetachedPkcs7();
        //populate signature options for visible signature. if any.
        SignatureOptions signatureOptions = null;
        document.addSignature(signature);
        ExternalSigningSupport externalSigning = document.saveIncrementalForExternalSigning(fos);
        InputStream dataToSign = externalSigning.getContent();
        byte[] cmsSignature = detachedPkcs7.sign(dataToSign);
        externalSigning.setSignature(cmsSignature);  

工作流程是这样的：
- 抓取原始PDF

- 添加签名字典并获取哈希值
- 将哈希值发送到客户端

- 等待标准输入数据。

- 等待客户端发送已签名的哈希值，然后将此数据提供给暂停的程序
，即将数据发送到
程序的标准输入

- 添加CMS。 :)

Workflow is something like this
- Grab original PDF
- add signature dictionary and get the hash
- send the hash to client
- Wait for data on Standard Input.
- Wait for Client to send the signed hash back, This data is then feeded to the paused program, that is, the data is sent to standard input of the program
- add the CMS. :)

我不知道为什么使用此过程生成的PDF的签名显示为无效。

I have no clue why the PDF generated using this process has the signature shown as invalid.

推荐答案

客户端或与之通信中至少存在两个问题：

There are at least two problems in the client or the communication with it:

客户端返回的签名值，当使用签名者证书的公钥解密时，包含此 DigestInfo 结构：

The signature value returned by the client, when decrypted using the public key of the signer certificate, contains this DigestInfo structure:

  0  81: SEQUENCE {
  2  13:   SEQUENCE {
  4   9:     OBJECT IDENTIFIER sha-512 (2 16 840 1 101 3 4 2 3)
 15   0:     NULL
       :     }
 17  64:   OCTET STRING
       :     '413140d54372f9baf481d4c54e2d5c7bcf28fd6087000280'
       :     'e07976121dd54af2'
       :   }

In特别是它声称 SHA512 已用于计算哈希值。尽管如此，它包含一个32字节长的摘要值，因此不能是SHA512摘要值！

In particular it claims that SHA512 has been used to calculate the hash. Nonetheless it contains a digest value which is 32 bytes in length, which therefore cannot be a SHA512 digest value!

所以你的索赔

我有一个签署数据并为我提供签名哈希的服务，它正确生成PKC＃7 DigestInfo，如rfc2315＃section-9.4

I have a service which signs the data and provides me with the signed hash, it correctly generates PKCS#7 DigestInfo as stated in rfc2315#section-9.4

要么不正确，要么与服务通信的代码会向其提供不正确的数据。

either is incorrect or your code communicating with the service feeds it incorrect data.

因此，请修复您的客户端或客户端通信组件，使他们将正确的摘要算法OID引入签名的 DigestInfo 结构。

Thus, please fix your client or client communication component to make them introduce the correct digest algorithm OID into the signed DigestInfo structure.

即使上面的OID被更正，其中的哈希值也是错误的，PDF的有符号范围的正确SHA256哈希值是

Even if the above OID is corrected, the hash value in it is wrong, the correct SHA256 hash value of the signed ranges of your PDF is

9a75434965d5cf2635eb963752494b408a480effabfca1d87b82e619040dfb4b

因此，请调试您的工具链找出错误哈希值的来源。

Thus, please debug your tool chain to find out where the wrong hash value came from.

另一个您的解决方案的缺点是生成的CMS容器的结构非常简单。特别是它根本不包含签名属性。虽然CMS规范允许这样做，但这对于许多可能的伪造攻击来说是非常不安全的。因此，当前规范中几乎没有任何CMS容器配置文件认为此类签名容器有效。

Another shortcoming of your solution is that the structure of the generated CMS container is very simple. In particular it does not contain signed attributes at all. While this is allowed by the CMS specification, this is extremely insecure against numerous possible forging attacks. Therefore, hardly any CMS container profile in current specifications considers this kind of signature container valid.

因此，除非您的签名文档仅在具有组织措施的非常受控的环境中使用防止那些伪造攻击，它们的价值实际上是零。

Thus, unless your signed documents are used only in a very controlled environment with organisational measures preventing those forging attacks, their value is effectively nil.

这篇关于PDF签名，生成的PDF文档认证无效？ （使用外部签名，web-eid，HSM）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！