java pdfbox - 文档自签名后已被更改或损坏
问题描述 投票:0回答:0
当我尝试使用带有子过滤器的 pdfbox 为 etsi.cades.detached 签署文档时,出现以下错误
我正在从 CSC 获取证书信息和签名哈希。这是我的代码
public InputStream signDocument(InputStream inputStream, String requestId, String providerId, SealFieldLocation location) throws Exception {
File outFile = null;
try {
PDDocument document = PDDocument.load(inputStream);
outFile = File.createTempFile("signedFIle", ".pdf");
Certificate[] certificateChain = fetchCertificateChainFromCSC();
setCertificateChain(certificateChain);
// sign
FileOutputStream output = new FileOutputStream(outFile);
IOUtils.copy(inputStream, output);
// create signature dictionary
PDSignature signature = new PDSignature();
signature.setType(COSName.SIG);
signature.setFilter(PDSignature.FILTER_ADOBE_PPKLITE);
signature.setSubFilter(PDSignature.SUBFILTER_ETSI_CADES_DETACHED);
signature.setName("Test Name");
signature.setSignDate(Calendar.getInstance());
Rectangle2D humanRect = new Rectangle2D.Float(location.getLeft(), location.getBottom(), location.getRight(), location.getTop());
PDRectangle rect = createSignatureRectangle(document, humanRect);
SignatureOptions signatureOptions = new SignatureOptions();
signatureOptions.setVisualSignature(createVisualSignatureTemplate(document, 0, rect, signature));
signatureOptions.setPage(0);
document.addSignature(signature, signatureOptions);
ExternalSigningSupport externalSigning =
document.saveIncrementalForExternalSigning(output);
InputStream content = externalSigning.getContent();
CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
X509Certificate cert = (X509Certificate) certificateChain[0];
gen.addCertificates(new JcaCertStore(Arrays.asList(certificateChain)));
MessageDigest digest = MessageDigest.getInstance("SHA-256");
// Use a buffer to read the input stream in chunks
byte[] buffer = new byte[4096];
int bytesRead;
while ((bytesRead = content.read(buffer)) != -1) {
digest.update(buffer, 0, bytesRead);
}
byte[] hashBytes = digest.digest();
ESSCertIDv2 certid = new ESSCertIDv2(
new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.11")),
MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())
);
SigningCertificateV2 sigcert = new SigningCertificateV2(certid);
final DERSet attrValues = new DERSet(sigcert);
Attribute attr = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, attrValues);
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);
AttributeTable atttributeTable = new AttributeTable(v);
//Create a standard attribute table from the passed in parameters - certhash
CMSAttributeTableGenerator attrGen = new NewSignedAttributeTableGenerator(atttributeTable);
java.util.Base64.Encoder encoder = java.util.Base64.getEncoder();
List<String> hash = Arrays.asList(encoder.encodeToString(hashBytes));
SignHashRequest signHashRequest = new SignHashRequest();
signHashRequest.setCredentialID(credentialId);
signHashRequest.setHash(hash);
signHashRequest.setPIN(pin);
signHashRequest.setSignAlgo("1.2.840.113549.1.1.11");
final byte[] signedHash = fetchSignedHashFromCSC(requestId, providerId, accessToken, signHashRequest);
ContentSigner nonSigner = new ContentSigner() {
@Override
public byte[] getSignature() {
return signedHash;
}
@Override
public OutputStream getOutputStream() {
return new ByteArrayOutputStream();
}
@Override
public AlgorithmIdentifier getAlgorithmIdentifier() {
return new DefaultSignatureAlgorithmIdentifierFinder().find( "SHA256WithRSA" );
}
};
org.bouncycastle.asn1.x509.Certificate cert2 = org.bouncycastle.asn1.x509.Certificate.getInstance(ASN1Primitive.fromByteArray(cert.getEncoded()));
JcaSignerInfoGeneratorBuilder sigb = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
sigb.setSignedAttributeGenerator(attrGen);
gen.addSignerInfoGenerator(sigb.build(nonSigner, new X509CertificateHolder(cert2)));
CMSTypedData msg = new CMSProcessableInputStream( inputStream);
CMSSignedData signedData = gen.generate((CMSTypedData)msg, false);
byte[] cmsSignature = signedData.getEncoded();
inputStream.close();
externalSigning.setSignature(cmsSignature);
IOUtils.closeQuietly(signatureOptions);
showSignature(outFile);
return new FileInputStream(outFile);
} catch (Exception e) {
throw e;
} finally {
if (outFile != null) {
outFile.delete();
}
}
}
private PDRectangle createSignatureRectangle(PDDocument doc, Rectangle2D humanRect)
{
float x = (float) humanRect.getX();
float y = (float) humanRect.getY();
float width = (float) humanRect.getWidth();
float height = (float) humanRect.getHeight();
PDPage page = doc.getPage(0);
PDRectangle pageRect = page.getCropBox();
PDRectangle rect = new PDRectangle();
// signing should be at the same position regardless of page rotation.
switch (page.getRotation())
{
case 90:
rect.setLowerLeftY(x);
rect.setUpperRightY(x + width);
rect.setLowerLeftX(y);
rect.setUpperRightX(y + height);
break;
case 180:
rect.setUpperRightX(pageRect.getWidth() - x);
rect.setLowerLeftX(pageRect.getWidth() - x - width);
rect.setLowerLeftY(y);
rect.setUpperRightY(y + height);
break;
case 270:
rect.setLowerLeftY(pageRect.getHeight() - x - width);
rect.setUpperRightY(pageRect.getHeight() - x);
rect.setLowerLeftX(pageRect.getWidth() - y - height);
rect.setUpperRightX(pageRect.getWidth() - y);
break;
case 0:
default:
rect.setLowerLeftX(x);
rect.setUpperRightX(x + width);
rect.setLowerLeftY(pageRect.getHeight() - y - height);
rect.setUpperRightY(pageRect.getHeight() - y);
break;
}
return rect;
}
我认为在计算文档的哈希值时存在一些问题。这个问题也适用于 adbe.pkcs7.detached。如果我们删除添加属性表的代码,那么问题就解决了 adbe.pkcs7.detached。但是对于 etsi.cades.detachhed,需要添加签名证书属性。
最新问题
- 修剪字符串开头和结尾的非字母
- 如何在 flutter 中显示带有时间的国家/地区缩写(例如迪拜 7:55 PM DXB 或巴基斯坦 7:55 PM PKT)
- 需要帮助了解 ingress-nginx(后端证书身份验证)
- 本地 Azure Function 启动使用错误的 Azurite 服务地址
- 更改 Sublime Text 2 的透明度
- aws s3 虚拟托管样式 URL 与路径样式 URL 之间有什么区别
- 检查用户是否登录 Firebase Flutter 时出现重定向功能错误
- docker build 未安装 vite
- 我正在使用 GraphQL 分页。在某些请求丢失 cookie 并给出 GraphQL 错误“无法读取未定义的属性(读取 '_id')”
- io.cucumber 和 info.cukes 有什么区别
- Shiny 文字推荐
- Snakeyaml loadAll,修改数据,然后dumpAll
- 使用 UIApplicationShortcutItem 启动
- 扩展应用程序时,concurrent.futures.ThreadPoolExecutor 最大工作线程数的工作
- 直观地解释这个 4D numpy 数组索引
- Git:“git rebase origin/branch”和“git rebase originbranch”之间的区别
- vscode 中 sapui5 应用出现问题(未找到组件)
- “git log --oneline”,以空行作为分隔符
- 计算一维numpy数组中元素的相对差异
- Mongo X509 tls 连接选项
© www.soinside.com 2019 - 2024. All rights reserved.