我可以使用帶有外部簽名的itextpdf庫簽署文檔。是否有可能使用散列和簽名散列來簽署PDF文檔?
但問題是最終用戶不想發送他的文檔,因爲它可能包含任何敏感數據。因此,我要求最終用戶提供文檔散列以便用外部服務對散列進行簽名,並將簽名散列發送回去。
但是,這裏問題來了,當他們試圖簽下使用itextpdf與給定的簽署哈希文檔(PdfSignatureAppearance)PDF文檔是越來越簽名。但是在驗證簽名時顯示簽名無效。
我在這裏看到過同樣的問題 Sign PDF using an external service and iText。
因此,問題發生的原因是每次我們使用PdfSignatureAppearance(itextpdf庫)打開文檔時散列都會失效。
誰能告訴我是否有可能與先前產生的散列簽署PDF文件,並簽署哈希使用itextpdf庫(這是我從外部服務獲得),這樣的哈希不應該獲得失效?
class MyExternalSignatureContainer implements ExternalSignatureContainer {
protected byte[] sig;
protected Certificate[] chain;
protected PrivateKey pk;
public MyExternalSignatureContainer(byte[] sig,Certificate[] chain,PrivateKey pk) {
this.sig = sig;
this.chain=chain;
this.pk=pk;
}
public byte[] sign(InputStream is)throws GeneralSecurityException {
return sig;
}
public void modifySigningDictionary(PdfDictionary signDic) {
}
}
public byte[] emptySignature_hash(String src, String dest, String fieldname, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
PdfReader reader = new PdfReader(src);
FileOutputStream os = new FileOutputStream(dest);
PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, fieldname);
appearance.setCertificate(chain[0]);
ExternalSignatureContainer external = new ExternalBlankSignatureContainer(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
MakeSignature.signExternalContainer(appearance, external, 8192);
InputStream inp = appearance.getRangeStream();
BouncyCastleDigest digest = new BouncyCastleDigest();
byte[] hash = DigestAlgorithms.digest(inp, digest.getMessageDigest("SHA256"));
return hash;
}
public byte[] signed_hash(byte[] hash, PrivateKey pk, Certificate[] chain)throws GeneralSecurityException{
PrivateKeySignature signature = new PrivateKeySignature(pk, "SHA256", "SunPKCS11-eToken");
//return extSignature;
BouncyCastleDigest digest = new BouncyCastleDigest();
Calendar cal = Calendar.getInstance();
String hashAlgorithm = signature.getHashAlgorithm();
System.out.println(hashAlgorithm);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", null, digest, false);
byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, cal, null, null, CryptoStandard.CMS);
byte[] extSignature = signature.sign(sh);
System.out.println(signature.getEncryptionAlgorithm());
// Calendar cal = Calendar.getInstance();
sgn.setExternalDigest(extSignature, null, signature.getEncryptionAlgorithm());
return sgn.getEncodedPKCS7(hash, cal, null, null, null, CryptoStandard.CMS);
}
public void createSignature(String src, String dest, String fieldname,byte[] hash, PrivateKey pk, Certificate[] chain) throws IOException, DocumentException, GeneralSecurityException {
PdfReader reader = new PdfReader(src);
FileOutputStream os = new FileOutputStream(dest);
ExternalSignatureContainer external = new MyExternalSignatureContainer(hash,chain,pk);
MakeSignature.signDeferred(reader, fieldname, os, external);
}
public static void main(String[] args) throws IOException, GeneralSecurityException, DocumentException {
byte[] hh = app.emptySignature_hash(SRC, TEMP, "sig1", chain);
byte[] hh_sign = (app.signed_hash(hh, pk, chain));
app.createSignature(TEMP, DEST1, "sig1",hh_sign, pk, chain);
}
延期簽署 –
我猜想,如果你哈希直接使用類似SHA512其字節的PDF,除非PDF內容得到改變的哈希應該保持相同的所有時間。 – StoneBird
簽署文檔字節是不夠的。某些屬性也需要簽名。您的最終客戶不應使用iText創建散列。對@ StoneBird的評論的另一個補充是,你不能只散列整個文檔。您必須在PDF中放置簽名時留下一個「漏洞」。很顯然,PDF中的每個字節都應該被簽名*,除了簽名本身。* –
@Harish比較[堆棧溢出文檔](https://stackoverflow.com/documentation/pdf/5161/integrated-pdf-signatures/18248/how-integrated-pdf-signatures-are-integrated#t=20170530094206122177)PDF簽名上的某些背景。 – mkl