使用iText7,我试图对PDF进行签名,以获得外部实体的签名。该过程必须按如下方式执行
问题是,我发现一个错误,即在应用签名后,文档已被更改或损坏<项目实施是。
private final String _pdfToBeSigned = "C:/tmp/ama/PDF1.pdf";
private final String _temporaryPdf = "C:/tmp/ama/PDF1_empty.pdf";
private final String _finalPdf = "C:/tmp/ama/PDF1_assinado.pdf";
private final String _signatureFieldname = "sign1";
private static X509Certificate[] _chain = null;
private static Collection<byte[]> _crlBytesList = null;
private static Collection<byte[]> _ocspBytesList = null;
public static void main(String[] a) throws GeneralSecurityException, IOException {
//Certificates (3) of the service are obtained.
_chain = getCertificates();
TSAClientBouncyCastle tsaClient = new TSAClientBouncyCastle("https://freetsa.org/tsr");
CrlClientOnline crlClients = new CrlClientOnline(_chain);
OcspClientBouncyCastle ocspClient = new OcspClientBouncyCastle(null);
_crlBytesList = getCrlByteList(crlClients);
_ocspBytesList = getOcspBytesList(ocspClient);
TestSign test = new TesteSign();
List<byte[]> hashs = test.getPreSignPDF(tsaClient, ocspClient);
//Note: send hash to sign and wait for return of SMS with code
// if SMS code ok, the signed hash is obtained.
byte[] hashSignedForAma = getHashSignedByAma(hashs.get(0));
//Finally sign the PDF
test.setFinalSignPDF(hashSignedForAma, hashs.get(1), tsaClient);
}
private static Collection<byte[]> getCrlByteList(CrlClientOnline crlClients){
if(crlClients == null) return null;
Collection<byte[]> coll = null;
for(int i=0;i<_chain.length;i++) {
Collection<byte[]> tmp = crlClients.getEncoded(_chain[i], null);
if(null != tmp ) {
coll = new ArrayList<byte[]>();
coll.addAll(tmp);
}
}
return coll;
}
private static Collection<byte[]> getOcspBytesList(OcspClientBouncyCastle ocspClient) {
if(_chain.length <= 1 ||
ocspClient == null) {
return null;
}
Collection<byte[]> list = new ArrayList<byte[]>();
for(var i = 0; i < _chain.length - 1; i++) {
byte[] encoded = ocspClient.getEncoded(_chain[i], _chain[i + 1], null);
if(encoded != null) {
list.add(encoded);
}
}
return list;
}
获取PDF哈希进行签名。散列必须在发送给外部实体进行签名之前具有前缀,并为此创建临时PDF。
public List<byte[]> getPreSignPDF(TSAClientBouncyCastle tsaClient_, OcspClientBouncyCastle ocspClient_) throws GeneralSecurityException, IOException {
try (OutputStream ops = new FileOutputStream(_temporaryPdf);){
PdfReader reader = new PdfReader(_pdfToBeSigned);
StampingProperties prop = new StampingProperties();
PdfSigner pdfSigner = new PdfSigner(reader, ops, prop);
pdfSigner.setFieldName(_signatureFieldname);
PdfSignatureAppearance appearance = pdfSigner.getSignatureAppearance();
appearance.setPageRect(new Rectangle(10,750,150,50))
.setPageNumber(1)
.setLayer2FontSize(6f)
.setReason("reason")
.setLocation("location")
.setCertificate(_chain[0]);
Prepare4AmaSigningContainer container = new Prepare4AmaSigningContainer();
//calculate estimed size
int estimatedSize = 8192 + //initial base container size
( ocspClient_ != null ? 4192 : 0 ) +
( tsaClient_ != null ? 4600 : 0 );
if(_crlBytesList != null) {
for (byte[] bs : _crlBytesList) {
estimatedSize+= bs.length + 10;
}
}
pdfSigner.signExternalContainer(container, estimatedSize);
byte[] HashForSigning = container.getHashToBeSignedByAma();
byte[] NakeHash = container.getHashToBeSignedByAma();
List<byte[]> array = new ArrayList<byte[]>();
array.add(HashForSigning); //idx 0
array.add(NakeHash); //idx 1
return array;
}
}
//***** CLASS ****
class Prepare4AmaSigningContainer extends ExternalBlankSignatureContainer{
private final byte[] _sha256SigPrefix = {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte)0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
private byte[] hashToBeSignedByAma;
private byte[] nakeHash = null;
public Prepare4AmaSigningContainer(){
super(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
}
public byte[] getHashToBeSignedByAma() {
return hashToBeSignedByAma;
}
public byte[] getNakeHash() {
return nakeHash;
}
@Override
public byte[] sign(InputStream data){
try {
// create pdf pkcs7 for signing the document
BouncyCastleDigest digest = new BouncyCastleDigest();
PdfPKCS7 sgn = new PdfPKCS7(null, _chain, DigestAlgorithms.SHA256, null, digest, false);
// get hash for document bytes
nakeHash = DigestAlgorithms.digest(data, digest.getMessageDigest(DigestAlgorithms.SHA256));
// get attributes
byte[] docBytes = sgn.getAuthenticatedAttributeBytes(nakeHash, PdfSigner.CryptoStandard.CMS, _crlBytesList, _crlBytesList);
// hash it again
try(InputStream myInputStream = new ByteArrayInputStream(docBytes);){
byte[] docBytesHash = DigestAlgorithms.digest(myInputStream, digest.getMessageDigest("SHA256"));
//prepend sha256 prefix to hash for send signed
hashToBeSignedByAma = new byte[_sha256SigPrefix.length + docBytesHash.length];
System.arraycopy(_sha256SigPrefix, 0, hashToBeSignedByAma, 0, _sha256SigPrefix.length );
System.arraycopy(docBytesHash, 0, hashToBeSignedByAma, _sha256SigPrefix.length, docBytesHash.length );
return new byte[0]; // empty array
}
}catch (IOException | GeneralSecurityException ioe) {
throw new RuntimeException(ioe);
}
}
}
我用签名的散列对临时PDF进行签名
public void setFinalSignPDF(byte[] HashSignedForAma_, byte[] nakedHashFromIntermediaryPdf_, TSAClientBouncyCastle tsaClient_) throws IOException, GeneralSecurityException{
try (OutputStream writer = new FileOutputStream(_finalPdf);) {
PdfReader pdfReader = new PdfReader(_temporaryPdf);
PdfDocument document = new PdfDocument(pdfReader);
InjectAmaSignatureContainer finalContainer = new InjectAmaSignatureContainer(
HashSignedForAma_,
nakedHashFromIntermediaryPdf_,
tsaClient_);
PdfSigner.signDeferred(document, _signatureFieldname, writer, finalContainer);
}
}
//***** CLASS ****
class InjectAmaSignatureContainer implements IExternalSignatureContainer {
private byte[] documentHash;
private byte[] signature;
private TSAClientBouncyCastle tsaClient;
private byte[] dados = null;
public InjectAmaSignatureContainer(byte[] signature_, byte[] documentHash_, TSAClientBouncyCastle tsaClient_) {
signature = signature_;
documentHash = documentHash_;
tsaClient = tsaClient_;
}
public byte[] getDados() {
return dados;
}
@Override
public byte[] sign(InputStream is) throws GeneralSecurityException {
BouncyCastleDigest digest = new BouncyCastleDigest();
PdfPKCS7 sgn = new PdfPKCS7(null,
_chain,
DigestAlgorithms.SHA256,
null,
digest,
false);
sgn.setExternalDigest(signature, null, "RSA");
byte[] encodedSig = sgn.getEncodedPKCS7(documentHash, PdfSigner.CryptoStandard.CMS, tsaClient, _ocspBytesList, _crlBytesList);
return encodedSig;
}
@Override
public void modifySigningDictionary(PdfDictionary signDic) {
}
}
谢谢
编辑:方法:Prepare4AmaSigningContainer中的错误修复
byte[] docBytes = sgn.getAuthenticatedAttributeBytes(nakeHash, PdfSigner.CryptoStandard.CMS, _ocspBytesList, _crlBytesList);
经过多次尝试和信息分析,我找到了这个链接示例iText代码
*****重要提示******
由于函数应在类的签名容器方法中“停止”,因此该示例根本无法解决问题。这种方法解决了以下问题:应用签名后文档已被更改或损坏。
PDF签名
private static final String input = "c:/tmp/ama/PDF-1.pdf";
private static final String output = "c:/tmp/ama/signed_signed.pdf";
public static void main(String[] args) throws IOException, GeneralSecurityException {
Security.addProvider(new BouncyCastleProvider());
PdfReader reader = new PdfReader(input);
OutputStream fos = new FileOutputStream(output);
StampingProperties stampingProperties = new StampingProperties();
//For any signature in the Pdf but the first one, you need to use appendMode
// stampingProperties.useAppendMode();
PdfSigner pdfSigner = new PdfSigner(reader, fos, stampingProperties);
/*you can modify the signature appearance */
PdfSignatureAppearance appearance = pdfSigner.getSignatureAppearance();
appearance.setPageRect(new Rectangle(36, 508, 254, 200));
appearance.setPageNumber(1);
appearance.setLayer2FontSize(10f);
appearance.setReason("Teste Assinatura");
appearance.setLocation("Lisboa");
IExternalSignatureContainer gsContainer = new GSSignatureContainer(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
pdfSigner.signExternalContainer(gsContainer, 8049);
}
public class GSSignatureContainer implements IExternalSignatureContainer {
/* Signature dictionary. Filter and SubFilter. */
private PdfDictionary sigDic;
public GSSignatureContainer( PdfName filter, PdfName subFilter) {
sigDic = new PdfDictionary();
sigDic.put(PdfName.Filter, filter);
sigDic.put(PdfName.SubFilter, subFilter);
}
@Override
public byte[] sign(InputStream data) throws GeneralSecurityException {
try {
//get all certificates (3) from client via web service
Certificate[] chain = new CallAMA().getCertificates();
String hashAlgorithm = DigestAlgorithms.SHA256;//"SHA-256";
BouncyCastleDigest digest = new BouncyCastleDigest();
MessageDigest md = digest.getMessageDigest(hashAlgorithm);
byte[] hash = DigestAlgorithms.digest(data, md);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, hashAlgorithm, null, digest, false);
Collection<byte[]> ocsp = null;
byte[] attributeBytes = sgn.getAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CADES, ocsp, null);
//criar sha256 message digest
byte[] attributeBytesDigest = MessageDigest.getInstance(hashAlgorithm).digest(attributeBytes);
/****************************************************
* CALL client (AMA) -> receive SMS and signed hash *
****************************************************/
byte[] signedHash = new CallAMA().getHashSignedByAma(attributeBytesDigest);
sgn.setExternalDigest(signedHash, null, "RSA");
ITSAClient tsaClient = null;//new GSTSAClient(access);
return sgn.getEncodedPKCS7(hash, PdfSigner.CryptoStandard.CADES, tsaClient, ocsp, null);
} catch (IOException | GeneralSecurityException de) {
de.printStackTrace();
throw new GeneralSecurityException(de);
}
}
@Override
public void modifySigningDictionary(PdfDictionary signDic) {
signDic.putAll(sigDic);
}
}
这是我解决这个问题的方法。感谢MKL提供的提示。。。
private static final String input = "c:/tmp/ama/PDF-1.pdf";
private static final String tmp = "c:/tmp/ama/tmpPDF.pdf";
private static final String output = "c:/tmp/ama/signed.pdf";
public static void main(String[] args) throws IOException, GeneralSecurityException {
BouncyCastleProvider providerBC = new BouncyCastleProvider();
Security.addProvider(providerBC);
//get (via web service) all certificate (3 at all)
Certificate[] chain = new CallAMA().getCertificates();
StackOverflow app = new StackOverflow();
//read the HASH to be signed (via web service) and create a tmp pdf.
byte[] hash4Sign = app.emptySignature(input, tmp, "sig", chain);
//Concatenate the sha256SigPrefix to the hash and send it to be signed (via web service)
//wait for the code received via SMS
//(accepts the code via the keyboard and sends it via webservice)
//finally receive the signed hash
byte[] signedHash = new CallAMA().getHashSignedByAma(hash4Sign);
//insert hash in tmp pdf, and create a new pdf signed
app.createSignature(signedHash, tmp, output, "sig", chain);
}
public byte[] emptySignature(String src, String dest, String fieldname, Certificate[] chain) throws IOException, GeneralSecurityException {
PdfReader reader = new PdfReader(src);
PdfSigner signer = new PdfSigner(reader, new FileOutputStream(dest), new StampingProperties().useAppendMode());
PdfSignatureAppearance appearance = signer.getSignatureAppearance();
appearance
.setLayer2FontSize(6)
.setPageRect(new Rectangle(36, 748, 250, 50))
.setPageNumber(1)
.setCertificate(chain[0])
.setSignatureCreator("ORIGEM");
signer.setFieldName(fieldname);
/* ExternalBlankSignatureContainer constructor will create the PdfDictionary for the signature
* information and will insert the /Filter and /SubFilter values into this dictionary.
* It will leave just a blank placeholder for the signature that is to be inserted later.
*/
MyExternalBlankSignatureContainer external = new MyExternalBlankSignatureContainer(chain, PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
// Sign the document using an external container.
// 8192 is the size of the empty signature placeholder.
signer.signExternalContainer(external, 8192);
byte[] hash4Sign = external.getHash4Sign();
return hash4Sign;
}
public void createSignature(byte[] hashSigned, String src, String dest, String fieldName, Certificate[] chain)
throws IOException, GeneralSecurityException {
PdfReader reader = new PdfReader(src);
try(FileOutputStream os = new FileOutputStream(dest)) {
PdfSigner signer = new PdfSigner(reader, os, new StampingProperties());
IExternalSignatureContainer external = new MyExternalSignatureContainer(hashSigned, chain, PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
// Signs a PDF where space was already reserved. The field must cover the whole document.
signer.signDeferred(signer.getDocument(), fieldName, os, external);
}
}
class MyExternalSignatureContainer implements IExternalSignatureContainer {
/* Signature dictionary. Filter and SubFilter. */
private PdfDictionary sigDic;
private byte[] signedHash =null;
private Certificate[] chain = null;
public MyExternalSignatureContainer(byte[] _signedHash, Certificate[] _chain, PdfName filter, PdfName subFilter) {
sigDic = new PdfDictionary();
sigDic.put(PdfName.Filter, filter);
sigDic.put(PdfName.SubFilter, subFilter);
signedHash = _signedHash;
chain = _chain;
}
@Override
public byte[] sign(InputStream data) throws GeneralSecurityException {
try {
String hashAlgorithm = DigestAlgorithms.SHA256;//"SHA-256";
BouncyCastleDigest digest = new BouncyCastleDigest();
MessageDigest md = digest.getMessageDigest(hashAlgorithm);
byte[] hash = DigestAlgorithms.digest(data, md);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, hashAlgorithm, null, digest, false);
//Collection<byte[]> ocsp = new OcspClientBouncyCastle(null);
OcspClientBouncyCastle ocspClient = new OcspClientBouncyCastle(null);
Collection<byte[]> ocsp = new ArrayList<byte[]>();
for(var i = 0; i < chain.length - 1; i++) {
byte[] encoded = ocspClient.getEncoded((X509Certificate)chain[i], (X509Certificate)chain[i + 1], null);
if(encoded != null) ocsp.add(encoded);
}
sgn.setExternalDigest(signedHash, null, "RSA");
ITSAClient tsaClient = null;//new GSTSAClient(access);
return sgn.getEncodedPKCS7(hash, PdfSigner.CryptoStandard.CADES, tsaClient, ocsp, null);
} catch (IOException | GeneralSecurityException de) {
de.printStackTrace();
throw new GeneralSecurityException(de);
}
}
@Override
public void modifySigningDictionary(PdfDictionary signDic) {
signDic.putAll(sigDic);
}
}
class MyExternalBlankSignatureContainer implements IExternalSignatureContainer {
/* Signature dictionary. Filter and SubFilter. */
private PdfDictionary sigDic;
private byte[] hash4Sign = null;
private Certificate[] chain = null;
public MyExternalBlankSignatureContainer(Certificate[] _chain, PdfName filter, PdfName subFilter) {
sigDic = new PdfDictionary();
sigDic.put(PdfName.Filter, filter);
sigDic.put(PdfName.SubFilter, subFilter);
chain = _chain;
}
public byte[] getHash4Sign() {
return hash4Sign;
}
@Override
public byte[] sign(InputStream data) throws GeneralSecurityException {
try {
String hashAlgorithm = DigestAlgorithms.SHA256;//"SHA-256";
BouncyCastleDigest digest = new BouncyCastleDigest();
MessageDigest md = digest.getMessageDigest(hashAlgorithm);
byte[] hash = DigestAlgorithms.digest(data, md);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, hashAlgorithm, null, digest, false);
OcspClientBouncyCastle ocspClient = new OcspClientBouncyCastle(null);
Collection<byte[]> ocsp = new ArrayList<byte[]>();
for(var i = 0; i < chain.length - 1; i++) {
byte[] encoded = ocspClient.getEncoded((X509Certificate)chain[i], (X509Certificate)chain[i + 1], null);
if(encoded != null) ocsp.add(encoded);
}
byte[] attributeBytes = sgn.getAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CADES, ocsp, null);
//create sha256 message digest
hash4Sign = MessageDigest.getInstance(hashAlgorithm).digest(attributeBytes);
return new byte[0];
} catch (IOException | GeneralSecurityException de) {
de.printStackTrace();
throw new GeneralSecurityException(de);
}
}
@Override
public void modifySigningDictionary(PdfDictionary signDic) {
signDic.putAll(sigDic);
}
}
作为我对客户机/服务器pdf签名研究的一部分,我测试了itext pdf延迟签名示例。不幸的是,我得到的合并空签名pdf和哈希值的pdf ie输出显示无效签名。 下面是我的代码片段 我正在使用pkcss11 usb令牌进行签名
我有一个问题与数字签名PDF文件已标记为PDF/A-3A兼容。使用PDFBox(最新版本,2.0.24)最终在Adobe Acrobat中获得无效签名,而使用iText7(最新版本)获得有效签名。目标是获得符合PAdES LTV的签名。 我的流程如下(使用PDFBox和iText7): 打开PDF,创建用于签名的散列(要签名的数据) 我呼叫第三方服务以取回数字签名 在服务响应中,我还获得了OCSP
目标是实现一个PDF签名过程,其中服务器根据请求向客户端提供要签名的哈希。然后,客户端使用通过PKCS#11接口从智能卡获得的私钥对给定哈希进行签名。然后,签名被发送回服务器,以便使用iTextSharp 5.5.4附加到PDF文件中。 在Acrobat Reader中查看签名时,我发现错误“自签名应用以来,文档已被更改或损坏”。 下面是我在服务器上计算哈希的方法。 客户端对给定的哈希签名后,我将
本文向大家介绍8085中产生时间延迟,包括了8085中产生时间延迟的使用技巧和注意事项,需要的朋友参考一下 在本节中,我们将看到如何使用8085程序生成时间延迟。该延迟将在不同的地方使用,以模拟时钟,计数器或其他区域。 当执行延迟子例程时,微处理器不执行其他任务。对于延迟,我们使用指令执行时间。在循环中执行一些指令,会产生延迟。有一些产生延迟的方法。这些方法如下。 使用NOP指令 使用8位寄存器作
我在PDF文档中(以编程方式)填写一个表单(AcroPdf),然后在文档上签名。我从doc.pdf开始,使用pdfbox的setfields.java示例创建doc_filler.pdf。然后我对doc_fill.pdf进行签名,创建doc?filled_signer.pdf,使用一些代码,基于签名示例并在Acrobat Reader中打开pdf。输入的字段数据是可见的,并且签名面板告诉我 “此签
我一直在监视我的微服务应用程序的端到端延迟。每个服务通过ActiveMQ Artemis队列松散耦合。 服务1作为HTTPendpoint侦听并生成队列1。服务2从队列1消费,修改消息,并生成到队列2。服务3从队列2消耗。每个服务在单独的表中向db插入一行。从那里我还可以监视延迟。因此,“端到端”将进入“服务1”,并从“服务3”中出来。 每个服务处理时间保持稳定,并且大多数消息具有几毫秒的合理e2