我试图在启用了时间戳和LTV的情况下签署pdf,以便在Adobe Reader中将其显示为:
用英语表示“签名包括嵌入式时间戳”和“签名具有LTV功能”。这是我正在使用的代码:
PrivateKey pk = // get pk from an encrypting certificate created using encrypting file system
Certificate[] chain = ks.getCertificateChain(alias);
PdfReader reader = new PdfReader(src);
FileOutputStream fout = new FileOutputStream(dest);
PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
ExternalSignature signature = new PrivateKeySignature(pk, "SHA-512", "SunMSCAPI");
TSAClient tsc = null;
String url = // TSA URL
tsc = new TSAClientBouncyCastle(url, null, null, 4096, "SHA-512");
List<CrlClient> crlList = new ArrayList<>();
crlList.add(new CrlClientOnline(chain));
ExternalDigest digest = new BouncyCastleDigest();
MakeSignature.signDetached(sap, digest, signature, chain, crlList, null, tsc, 0, CryptoStandard.CMS);
基于this answer,我需要一种将TSA证书的CRL获取到
CrlList的方法,但是..我如何获得TSA证书?我是否需要向TSA发出timestamp-query请求并读取响应,然后将其添加到CrlList中?注意,当它调用MakeSignature.signDetached时,已经在sgn.getEncodedPKCS7内部完成了。请注意,我正在使用免费的TSA服务器。这是上面的代码在Adobe Reader中显示的内容。
签名细节:
时间戳详细信息:
TSA证书详细信息:
更新
由于它是免费的TSA服务器,因此我只需要在Adobe Trusted Certificates中添加TSA服务器证书即可使用。
但是,我使用智能卡对文档进行了另一个测试,这就是我所得到的(我已将根证书添加到Adobe中的“受信任的证书”中):
签名细节:
签名证书详细信息:
基于this link,启用LTV意味着PDF内包含验证文件所需的所有信息(减去根证书)。因此,如果PDF签名正确并且包含所有必需的证书以及每个证书的有效CRL或OSCP响应,并且PDF包括CRL和OCSP上的签名,而不仅仅是签名证书,则启用LTV。看来我满足了所有这些要求,或者我错过了什么?如果是这样,我怎么知道缺少启用LTV的pdf的内容?
最佳答案
首先,基于@mkl注释,我将TSA服务器证书添加到Adobe Trusted Certificates中,以便消息
签名包含嵌入式时间戳,但不能
已验证
成为
签名包括嵌入式时间戳
并解决
签名未启用LTV,将在(...)之后过期
我可以注意到使用
List<CrlClient> crlList = new ArrayList<>();
crlList.add(new CrlClientOnline(chain));
某些CRL(某些证书具有多个分发点)未添加-使pdf LTV无法启用。为了解决这个问题,我这样做:
// long term validation (LTV)
List<CrlClient> crlList = new ArrayList<>();
for(Certificate cert : chain) {
X509Certificate c = (X509Certificate)cert;
List<String> crls = this.getCrlDistributionPoints(c);
if(crls != null && !crls.isEmpty()) {
crlList.add(new CrlClientOnline(crls.toArray(new String[crls.size()])));
}
}
private List<String> getCrlDistributionPoints(final X509Certificate cert) throws Exception {
final byte[] crldpExt = cert.getExtensionValue(X509Extension.cRLDistributionPoints.getId());
if (crldpExt == null) {
final List<String> emptyList = new ArrayList<String>();
return emptyList;
}
ASN1InputStream oAsnInStream = null;
ASN1InputStream oAsnInStream2 = null;
List<String> crlUrls = new ArrayList<String>();
try {
oAsnInStream = new ASN1InputStream(new ByteArrayInputStream(crldpExt));
final ASN1Object derObjCrlDP = oAsnInStream.readObject();
final DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;
final byte[] crldpExtOctets = dosCrlDP.getOctets();
oAsnInStream2 = new ASN1InputStream(new ByteArrayInputStream(crldpExtOctets));
final ASN1Object derObj2 = oAsnInStream2.readObject();
final CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
for (final DistributionPoint dp : distPoint.getDistributionPoints()) {
final DistributionPointName dpn = dp.getDistributionPoint();
// Look for URIs in fullName
if (dpn != null) {
if (dpn.getType() == DistributionPointName.FULL_NAME) {
final GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
// Look for an URI
for (int j = 0; j < genNames.length; j++) {
if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
final String url = DERIA5String.getInstance(genNames[j].getName()).getString();
crlUrls.add(url);
}
}
}
}
}
} catch(IOException e) {
throw new Exception(e.getMessage(), e);
} finally {
IOUtils.closeQuietly(oAsnInStream);
IOUtils.closeQuietly(oAsnInStream2);
}
return crlUrls;
}