问题描述
- 客户端选择要签署的PDF格式
- Web服务从pdf中提取哈希并将其发送到外部提供程序
- 外部提供程序对哈希进行签名
- 外部提供程序发回已签名的哈希
- Web服务包括已签名的哈希返回到pdf
- 客户端拥有签名PDF
我试图将签名散列插入/更新为pdf时遇到一个大问题。
$ b
我正在使用iTextSharp。
我已经阅读Bruno Lowagie的白皮书PDF文档的数字签名这是一个很大的帮助,但我无法弄清楚如何插入签名散列,顺便说一句,这是我唯一拥有的,没有证书,没有任何东西。
Please,help。
Gabriel
根据你的评论,你目前的做法如下:
这种做法从根本上说是错误的,您已经开始计算错误的哈希值了!
您首先必须准备您的PDF ;在此准备步骤中,您将某些结构添加到PDF中,将PDF标记为包含签名并为稍后插入签名容器预留一部分;所有除了该保留区段之外都将被散列:
(有关某些背景和指向其他文献的信息,请参阅相当于)
您只需提供与您的提供商进行通信的 ExternalSignature
/ IExternalSignature
实施方案:
public interface IExternalSignature {
$ b $ / **
*返回散列算法。
* @返回哈希算法(例如SHA-1,SHA-256,...)
* /
String GetHashAlgorithm();
/ **
*返回用于签名的加密算法。
* @返回加密算法(RSA或DSA)
* /
String GetEncryptionAlgorithm();
/ **
*使用加密算法和
*摘要算法进行签名。
* @param消息你想被哈希和签名的消息
* @返回一个签名的消息摘要
* @throws GeneralSecurityException
* /
byte [] Sign (byte []消息);
}
I'm developing a WebService were a client could sign a PDF, this are the steps:
- Client select the pdf to sign
- the Web Service Extract the hash from the pdf and send it to an External Provider
- the External Provider sign the hash
- the External Provider sends back the signed Hash
- the Web Service include the signed hash back to the pdf
- the Client have the signed PDF
I'd encounter a big problem trying to insert/update the signed hash into the pdf.
I'm using iTextSharp.
I'd already read the white paper "Digital Signatures for PDF documents" from Bruno Lowagie, and it was a great help, but i can't figure it out how to insert the signed hash, wich by the way, is the only thing i have, no certificates, o nothing.
Please, help.
Gabriel
According to your comment your current approach is as follows:
This approach is fundamentally wrong, you already start by calculating the wrong hash!
You first have to prepare your PDF; during this preparation step you add certain structures to the PDF that mark the PDF as containing a signature and reserve a section for the later insertion of a signature container; everything with the exception of that reserved section then is to be hashed:
(For some backgrounds and pointers to additional literature cf. this answer.)
Thereafter a full-blown PKCS#7 / CMS signature container with a signature for that document hash has to be created and inserted in that reserved section.
This is what most of the iText signing code (here in Java) does for you:
PdfReader reader = new PdfReader(src);
FileOutputStream os = new FileOutputStream(dest);
PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
// Creating the appearance
PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
appearance.setReason(reason);
appearance.setLocation(location);
appearance.setVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "sig");
// Creating the signature
ExternalDigest digest = new BouncyCastleDigest();
ExternalSignature signature = ...;
MakeSignature.signDetached(appearance, digest, signature, chain, null, null, null, 0, subfilter);
(taken from C2_01_SignHelloWorld.java equivalent to C2_01_SignHelloWorld.cs)
You merely need to provide a ExternalSignature
/IExternalSignature
implementation communicating with your provider:
public interface IExternalSignature {
/**
* Returns the hash algorithm.
* @return the hash algorithm (e.g. "SHA-1", "SHA-256,...")
*/
String GetHashAlgorithm();
/**
* Returns the encryption algorithm used for signing.
* @return the encryption algorithm ("RSA" or "DSA")
*/
String GetEncryptionAlgorithm();
/**
* Signs it using the encryption algorithm in combination with
* the digest algorithm.
* @param message the message you want to be hashed and signed
* @return a signed message digest
* @throws GeneralSecurityException
*/
byte[] Sign(byte[] message);
}
这篇关于iTextSharp - 签名哈希的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!