Adding DSS to a PDF makes it invalid

Posted on 2025-02-12 11:59:30

I'm working on a PDF Signer/Validator and I'm using Itext7.

First, I sign the PDF using the signDetached method from iText 7:

signer.signDetached(digest, pks, chain, crlClients, ocspClient, tsaClient, 0, signatureType);

Second, I add LTV info using these lines of code:

PdfReader reader = new PdfReader(src);
PdfWriter writer = new PdfWriter(dest2);
PdfDocument pdfDoc = new PdfDocument(reader, writer,
    new StampingProperties().useAppendMode());

LtvVerification v = new LtvVerification(pdfDoc);
SignatureUtil signatureUtil = new SignatureUtil(pdfDoc);

List<String> names = signatureUtil.getSignatureNames();
String sigName = names.get(names.size() - 1);

for (String name : names){
    v.addVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
        LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.YES);
}

v.merge();

At this point the file is signed and the DSS is added. But when I try to validate the file, here is where the problem comes: I'm using an iText 7 method to verify that the signature covers the whole document:

signatureUtil.signatureCoversWholeDocument(name);

But it keeps failing because the signature does not cover the whole document, although the file is not altered after signing; only the DSS info is added. After more digging I found that the checkWhetherSignatureCoversWholeDocument() method inside the signatureCoversWholeDocument() method is the reason why it fails, when it comes to checking the byte ranges:

this.tokens.getSafeFile().length() == (long)(byteRange[2] + byteRange[3])

This check always fails, and that is the reason why it says that the file does not cover the whole document.

So what is wrong here, am I missing something? All I need is to sign the file, add the DSS, and be able to validate that this signature covers the whole document.

盗心人 2025-02-19 11:59:30

So what is wrong here, am I missing something? All I need is to sign the file, add DSS and be able to validate this signature that it covers all the document.

But exactly this obviously is impossible.

When you have a signed PDF and add verification information to it, then you do this by adding an incremental update to the PDF carrying these data.

Now obviously the signature does not cover the full document anymore, in particular it does not cover the incremental update with the verification information.

So, what is wrong here, is your expectation that after adding something to a signed PDF, the signature would still cover the full document.

And another error is that you think that a signature not covering the full document is invalid.
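
Added example (not part of the original thread and not iText code): a Python sketch of the byte-range arithmetic discussed above, run over a constructed byte blob that stands in for a signed PDF revision. It shows that appending an incremental update makes the length comparison quoted in the question fail while the digest over the signed ranges stays the same; the function names and the blob layout are assumptions made for illustration.

```python
import hashlib
import re

SIG_HEX_LEN = 64  # constructed: size of the hex placeholder inside /Contents <...>

def build_signed_revision() -> bytes:
    """Constructed stand-in for a signed PDF revision (not a parseable PDF)."""
    fmt = ("%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [{:010d} {:010d} {:010d} {:010d}]"
           " /Contents <" + "0" * SIG_HEX_LEN + "> >>\nendobj\n%%EOF\n")
    draft = fmt.format(0, 0, 0, 0).encode()
    gap_start = draft.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    gap_end = gap_start + SIG_HEX_LEN + 2                         # just past '>'
    # Fixed-width numbers keep the length stable when the real values are filled in.
    return fmt.format(0, gap_start, gap_end, len(draft) - gap_end).encode()

def byte_range(data: bytes) -> list:
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", data)
    return [int(g) for g in m.groups()]

def covers_whole_file(data: bytes, br: list) -> bool:
    # Same comparison as the check quoted in the question.
    return len(data) == br[2] + br[3]

def signed_digest(data: bytes, br: list) -> str:
    # Hash of exactly the bytes the signature protects (everything but the /Contents gap).
    h = hashlib.sha256()
    h.update(data[br[0]:br[0] + br[1]])
    h.update(data[br[2]:br[2] + br[3]])
    return h.hexdigest()

def unsigned_tail(data: bytes, br: list) -> bytes:
    # Bytes appended after the signed revision, e.g. an incremental update.
    return data[br[2] + br[3]:]

def report(data: bytes):
    br = byte_range(data)
    return covers_whole_file(data, br), signed_digest(data, br), len(unsigned_tail(data, br))

signed = build_signed_revision()
# Constructed incremental update standing in for the appended DSS objects.
with_dss = signed + b"2 0 obj\n<< /Type /DSS /CRLs [] /OCSPs [] >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("signed", signed), ("signed + DSS update", with_dss)):
        covers, digest, tail = report(blob)
        print(f"{label}: covers_whole_file={covers} digest={digest[:16]} tail_bytes={tail}")
```

A validator that wants to accept such a file has to decide separately whether the bytes returned by `unsigned_tail` are an allowed kind of change.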

失退 2025-02-19 11:59:30

I solved it by using the signDeferred method instead of signDetached.

The problem occurs when trying to add DSS to the PDF dictionary after signing, because it's considered as editing the file after signing it, so the signature does not cover the whole document anymore.

The solution was to use the signDeferred method. It works by first using the signExternalContainer method to modify the PDF dictionary and leave a blank placeholder for the signature to be added later, then using the signDeferred method to fill this blank placeholder with the signature.

Check the official iText 7 documentation for the signDeferred method:
IText7 signDeferred

The documentation shows how to sign using signDeferred but without adding a CRL or timestamp to the DSS, so you can check my implementation here for adding a CRL and embedded timestamp with the signDeferred method.
