How to create PAdES Baseline LT and PAdES Baseline LTA in iText using Java?

Posted on 2025-01-11 19:31:28

I'm working on pdf signatures using itext7 and currently need to support all PAdES signature levels: B-B, B-T, B-LT, B-LTA
https://ec.europa.eu/digital-building-blocks/wikis/display/ESIGKB/What+are+the+B-T-LT+and+LTA+levels+of+an+electronic+signature

My problem is how I can create a B-LT signature with itext?
I have created B-B and B-T with this code:

signer.signDetached(
                new BouncyCastleDigest(),
                customExternalSignature,
                new Certificate[]{clientX509Certificate},
                null,
                null,
                tsaClient,
                0,
                PdfSigner.CryptoStandard.CADES);

Then I wanted to add the B-LTA level, so I used this code https://github.com/mkl-public/testarea-itext7/blob/master/src/main/java/mkl/testarea/itext7/signature/AdobeLtvEnabling.java to check adding the BASELINE-LTA level, but after applying this logic to my signature Adobe says that it is BASELINE-LT

This creates two questions:

  1. Is this implementation in AdobeLtvEnabling the correct way to add PAdES level B-LT?
  2. Is this the proper way to add the B-LTA level?

// This method extends a B-T signature to B-LT (and then calls addLtv to go on to B-LTA)
private byte[] addLt(final byte[] signed) throws IOException, GeneralSecurityException {
    final ByteArrayOutputStream out = new ByteArrayOutputStream();
    try (InputStream resource = new ByteArrayInputStream(signed);
         PdfReader pdfReader = new PdfReader(resource);
         PdfWriter pdfWriter = new PdfWriter(out);
         PdfDocument pdfDocument = new PdfDocument(pdfReader, pdfWriter, new StampingProperties().preserveEncryption().useAppendMode())) {
        AdobeLtvEnabling adobeLtvEnabling = new AdobeLtvEnabling(pdfDocument);
        IOcspClient ocsp = new OcspClientBouncyCastle(null);
        ICrlClient crl = new CrlClientOnline();
        adobeLtvEnabling.enable(ocsp, crl);
    }

    return addLtv(out.toByteArray());
}

// This method extends a B-LT signature to B-LTA by adding a document timestamp
private byte[] addLtv(final byte[] pdf) throws IOException, GeneralSecurityException {
    final ByteArrayOutputStream signedFile = new ByteArrayOutputStream();
    final PdfReader sourceDoc = new PdfReader(new ByteArrayInputStream(pdf));
    final PdfSigner signer = new PdfSigner(sourceDoc, signedFile, STAMPING_PROPERTIES);

    signer.timestamp(tsaClient, null);

    return signedFile.toByteArray();
}

Comments (1)

檐上三寸雪 2025-01-18 19:31:28

Looks about right. The only material difference between PAdES-B-LT and PAdES-B-LTA is that the signature validation data needs to be timestamped as well. As such, to go from PAdES-B-LT to PAdES-B-LTA, it suffices to add a document timestamp.

With iText, that more or less works like this:

try(InputStream is = ...; // this should contain the PAdES-B-LT output
    PdfReader reader = new PdfReader(is);
    OutputStream os = new FileOutputStream(OUTPUT_DOCUMENT)) {

    PdfSigner pdfSigner = new PdfSigner(reader, os, new StampingProperties().useAppendMode());
    // .timestamp(...) is for producing document timestamps
    pdfSigner.timestamp(tsaClient, timeStampFieldName);
}

See also here for some context: https://dzone.com/articles/7-tips-for-creating-pdf-signatures (ignore the buzzfeedy title...).

EDIT: If you're looking for a tool to test your PAdES signatures for conformance with the format requirements in the specification, you might want to request access to the ETSI conformance checker: https://signatures-conformance-checker.etsi.org/pub/index.php.
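As an added example (not code from the question, the answer, or the linked AdobeLtvEnabling project), the structural difference the answer describes can be checked with iText 7 itself: B-LT means a DSS dictionary is present, and B-LTA additionally needs a document timestamp (SubFilter `ETSI.RFC3161`) whose covered revision already contains that DSS. The class and method names are hypothetical, and the result is only a structural hint with no cryptographic validation, so it does not replace a conformance checker.

```java
import com.itextpdf.kernel.pdf.PdfDictionary;
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfName;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.signatures.SignatureUtil;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical helper: inspects PDF structure only, verifies no signature or timestamp.
public final class PadesStructureCheck {
    private static final PdfName DSS = new PdfName("DSS");
    private static final PdfName SUB_FILTER = new PdfName("SubFilter");
    private static final PdfName DOC_TIMESTAMP = new PdfName("ETSI.RFC3161");

    /** Returns "B-B/B-T", "B-LT" or "B-LTA" as a structural hint. */
    public static String structuralLevel(byte[] pdf) throws IOException {
        try (PdfDocument doc = new PdfDocument(new PdfReader(new ByteArrayInputStream(pdf)))) {
            if (!hasDss(doc)) {
                return "B-B/B-T"; // no validation data embedded at document level
            }
            SignatureUtil util = new SignatureUtil(doc);
            for (String name : util.getSignatureNames()) {
                PdfDictionary sig = util.getSignatureDictionary(name);
                if (!DOC_TIMESTAMP.equals(sig.getAsName(SUB_FILTER))) {
                    continue; // an ordinary signature, not a document timestamp
                }
                // Open the revision this timestamp covers and see whether the
                // DSS was already there, i.e. the validation data is timestamped.
                try (InputStream revision = util.extractRevision(name);
                     PdfDocument covered = new PdfDocument(new PdfReader(revision))) {
                    if (hasDss(covered)) {
                        return "B-LTA";
                    }
                }
            }
            // DSS exists, but no document timestamp was applied after it.
            return "B-LT";
        }
    }

    private static boolean hasDss(PdfDocument doc) {
        return doc.getCatalog().getPdfObject().getAsDictionary(DSS) != null;
    }
}
```

If this reports "B-LT" for the output of `addLtv`, the document timestamp was not appended after the DSS revision, which is the ordering the answer relies on.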
