
Question

The first image is from a pdf signature which is LTV enabled. This document is not created by me.

In the revocation information, it shows the following text:

The selected certificate is considered valid because it has not been revoked as verified using the Online Certificate Status Protocol (OCSP) response that was embedded in the signature.

I do sign a pdf document using iText and I also apply an OCSP.

using System;
using System.Linq;
using iText.Signatures;       // OCSPVerifier, OcspClientBouncyCastle, IOcspClient, PdfPKCS7, PdfSigner
using Org.BouncyCastle.X509;  // X509Certificate

// OCSP client without a verifier chain (null, null); see
// https://stackoverflow.com/questions/40765907/itextsharp-ocspclientbouncycastle-constructor-is-deprecated-whats-the-replacem
OCSPVerifier ocspVerifier = new OCSPVerifier(null, null);
IOcspClient ocspClient = new OcspClientBouncyCastle(ocspVerifier);
// DER-encoded OCSP response for ocspCert (issued by ocspRootCert) from the given responder URL
byte[] ocsp = ocspClient.GetEncoded(ocspCert, ocspRootCert, "http://www.myurl.com/aia/ocsp");

if (ocsp == null)
    Console.WriteLine("ocsp is null");
else
    Console.WriteLine("ocsp is not null");

// Create the PKCS#7 container; c is the signer certificate chain (List<X509Certificate>),
// the private key is null because the signature is produced externally via PKCS#11
PdfPKCS7 sgn = new PdfPKCS7(null, c.ToArray(), HashAlgorithm, false);
Console.WriteLine("PdfPKCS7");
// Authenticated attributes over the document hash, with the OCSP response embedded in them
byte[] sh = sgn.GetAuthenticatedAttributeBytes(hash, ocsp, null, PdfSigner.CryptoStandard.CMS);
Console.WriteLine("GetAuthenticatedAttributeBytes");

// Load the signature via PKCS#11 hardware (signs the authenticated attributes)
byte[] extSignature = GetSignatureFromHashViaPkcs11(sh, pin);
Console.WriteLine("GetSignatureFromHashViaPkcs11");
sgn.SetExternalDigest(extSignature, null, DigestEncryptionAlgorithm);
Console.WriteLine("SetExternalDigest");
// Final CMS container, including the time stamp from tsaClient and the same OCSP response
byte[] ret = sgn.GetEncodedPKCS7(hash, tsaClient, ocsp, null, PdfSigner.CryptoStandard.CMS);
Console.WriteLine("GetEncodedPKCS7");

Console.WriteLine($"IsTsp : {sgn.IsTsp()}");

In this case, the produced signature is shown as valid but LTV is not enabled:

In the revocation information, it shows the following text:

The selected certificate is considered valid because it has not been revoked as verified in real time using the Online Certificate Status Protocol (OCSP) response that was obtained online.

My guess is that this difference is responsible for the LTV issue. How can I set the OCSP using iText so that it is embedded instead of obtained on-line?

Answer

You add one OCSP response, the one you retrieve here:

var ocsp = ocspClient.GetEncoded(ocspCert, ocspRootCert, "http://www.myurl.com/aia/ocsp");

But this does not retrieve an OCSP response for your signer certificate but instead for the OCSP certificate of your PKI.

What you need are revocation information for all involved certificates and their chains up to but excluding the trust anchor.

So

  1. you should start with the signer certificate and its chain; e.g. if your c is sorted as a chain, retrieve OCSP responses for c[0], c[1], then c[1], c[2], c[2], c[3] etc. up to the trust anchor;

  2. if your signature contains a time stamp, execute step 1 also for the TSA certificate;

  3. then you have to inspect those OCSP responses, retrieve their signer certificates, build their chains, and execute step 1 for all of them except for certificates that have an id-pkix-ocsp-nocheck extension.

Note that an OCSP response for a certificate signed by that certificate itself obviously isn't worth a penny...
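The three steps above, carried out in code, as an added example that is not part of the answer or of iText itself. It uses the iText 7 `IOcspClient` and BouncyCastle types already in the question; it assumes that both the signer chain (`c`) and the TSA chain are ordered end-entity first and trust anchor last, that each certificate's AIA extension names its OCSP responder (the `null` url argument makes `OcspClientBouncyCastle` look it up there), and that the TSA chain is available to the caller as `tsaChain`. The block only collects the DER-encoded responses; how they are then attached to the signature (signed attributes as in the question, or a DSS added after signing) depends on the iText version in use and is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using iText.Signatures;               // IOcspClient, OcspClientBouncyCastle
using Org.BouncyCastle.Asn1.Ocsp;     // OcspObjectIdentifiers.PkixOcspNocheck
using Org.BouncyCastle.Ocsp;          // OcspResp, BasicOcspResp
using Org.BouncyCastle.X509;          // X509Certificate

// Added example: collects OCSP responses for the signer chain, the TSA chain and,
// recursively, the chains of the OCSP responders that signed those responses.
public static class RevocationCollector
{
    // Entry point: steps 1 and 2 of the answer; step 3 happens inside CollectForChain.
    public static List<byte[]> CollectAll(IList<X509Certificate> signerChain,
                                          IList<X509Certificate> tsaChain, IOcspClient client)
    {
        var known = new List<X509Certificate>();   // pool used to build responder chains
        known.AddRange(signerChain);
        known.AddRange(tsaChain);
        var responses = new List<byte[]>();
        var done = new HashSet<string>();          // certificates already looked up
        CollectForChain(signerChain, client, known, responses, done); // step 1
        CollectForChain(tsaChain, client, known, responses, done);    // step 2
        return responses;
    }

    // Step 1: one OCSP response per certificate, checked against its issuer,
    // for every pair (chain[i], chain[i+1]) up to but excluding the trust anchor.
    static void CollectForChain(IList<X509Certificate> chain, IOcspClient client,
        IList<X509Certificate> known, IList<byte[]> responses, ISet<string> done)
    {
        for (int i = 0; i + 1 < chain.Count; i++)
        {
            X509Certificate cert = chain[i];
            X509Certificate issuer = chain[i + 1];

            // The same CA cert shows up in several chains; look it up only once
            if (!done.Add(cert.IssuerDN + "|" + cert.SerialNumber)) continue;

            // Step 3 exception: responder certs carrying id-pkix-ocsp-nocheck get no lookup
            if (cert.GetExtensionValue(OcspObjectIdentifiers.PkixOcspNocheck) != null) continue;

            byte[] encoded = client.GetEncoded(cert, issuer, null); // null url: use the cert's AIA
            if (encoded == null)
            {
                Console.WriteLine("no OCSP response for " + cert.SubjectDN);
                continue;
            }

            // Step 3: find the responder certificate that signed this response
            var basic = (BasicOcspResp)new OcspResp(encoded).GetResponseObject();
            foreach (X509Certificate embedded in basic.GetCerts() ?? new X509Certificate[0])
                if (!known.Contains(embedded)) known.Add(embedded);
            X509Certificate responder = FindResponderCert(basic, known);

            if (responder == null)
            {
                Console.WriteLine("cannot identify responder for " + cert.SubjectDN + "; response dropped");
                continue;
            }
            if (responder.Equals(cert))
            {
                // A response vouching for the very certificate that signed it proves nothing
                Console.WriteLine("self-vouching OCSP response for " + cert.SubjectDN + "; response dropped");
                continue;
            }

            responses.Add(encoded);
            // Run step 1 on the responder's own chain (recursion ends at nocheck certs or anchors)
            CollectForChain(BuildChain(responder, known), client, known, responses, done);
        }
    }

    // The responder is whichever known certificate's public key verifies the response signature
    static X509Certificate FindResponderCert(BasicOcspResp basic, IList<X509Certificate> pool)
    {
        foreach (X509Certificate candidate in pool)
        {
            try { if (basic.Verify(candidate.GetPublicKey())) return candidate; }
            catch (Exception) { /* key type or algorithm does not fit this candidate */ }
        }
        return null;
    }

    // Follow IssuerDN -> SubjectDN through the pool until a self-issued cert (the anchor) or a dead end
    static IList<X509Certificate> BuildChain(X509Certificate leaf, IList<X509Certificate> pool)
    {
        var chain = new List<X509Certificate> { leaf };
        X509Certificate current = leaf;
        while (!current.IssuerDN.Equivalent(current.SubjectDN))
        {
            X509Certificate next = null;
            foreach (X509Certificate candidate in pool)
                if (candidate.SubjectDN.Equivalent(current.IssuerDN) && !chain.Contains(candidate))
                { next = candidate; break; }
            if (next == null) break;   // issuer not available: chain stops short of the anchor
            chain.Add(next);
            current = next;
        }
        return chain;
    }
}
```

With the question's variables this is called as `RevocationCollector.CollectAll(c, tsaChain, ocspClient)`; the returned list holds one response per non-anchor certificate of every chain involved, which is the set of revocation information a validator needs in order to rate the signature LTV-enabled without going online.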


06-18 21:46