我正在使用 itext7 处理 pdf 签名,目前需要支持所有 PAdES 签名级别:B-B、B-T、B-LT、B-LTA https://ec.europa.eu/digital-building-blocks/wikis/display/ESIGKB/What+are+the+B-T-LT+and+LTA+levels+of+an+Electronic+signature
我的问题是如何使用 itext 创建 B-LT 签名? 我用这段代码创建了 B-B 和 B-T:
signer.signDetached(
new BouncyCastleDigest(),
customExternalSignature,
new Certificate[]{clientX509Certificate},
null,
null,
tsaClient,
0,
PdfSigner.CryptoStandard.CADES);
然后我想添加 B-LTA 级别,所以我使用了这段代码https://github.com/mkl-public/testarea-itext7/blob/master/src/main/java/mkl/testarea/itext7/signature/ AdobeLtvEnabling.java 检查添加 BASELINE-LTA 级别,但将此逻辑应用到我的签名 adobe 后说它是 BASELINE-LT
这产生了两个问题:
//This method extend B-T signature to B-LT
private byte[] addLt(final byte[] signed) throws IOException, GeneralSecurityException {
final ByteArrayOutputStream out = new ByteArrayOutputStream();
try (InputStream resource = new ByteArrayInputStream(signed);
PdfReader pdfReader = new PdfReader(resource);
PdfWriter pdfWriter = new PdfWriter(out);
PdfDocument pdfDocument = new PdfDocument(pdfReader, pdfWriter, new StampingProperties().preserveEncryption().useAppendMode())) {
AdobeLtvEnabling adobeLtvEnabling = new AdobeLtvEnabling(pdfDocument);
IOcspClient ocsp = new OcspClientBouncyCastle(null);
ICrlClient crl = new CrlClientOnline();
adobeLtvEnabling.enable(ocsp, crl);
}
return addLtv(out.toByteArray());
}
//This method extend B-LT signature to B-LTA
private byte[] addLtv(final byte[] pdf) throws IOException, GeneralSecurityException {
final ByteArrayOutputStream signedFile = new ByteArrayOutputStream();
final PdfReader sourceDoc = new PdfReader(new ByteArrayInputStream(pdf));
final PdfSigner signer = new PdfSigner(sourceDoc, signedFile, STAMPING_PROPERTIES);
signer.timestamp(tsaClient, null);
return signedFile.toByteArray();
}
看起来不错。 PAdES-B-LT 和 PAdES-B-LTA 之间的唯一实质性区别是签名验证数据也需要加上时间戳。因此,要从 PAdES-B-LT 转到 PAdES-B-LTA,只需添加文档时间戳即可。
使用 iText,或多或少是这样工作的:
try(InputStream is = ...; // this should contain the PAdES-B-LT output
PdfReader reader = new PdfReader(is);
OutputStream os = new FileOutputStream(OUTPUT_DOCUMENT)) {
PdfSigner pdfSigner = new PdfSigner(reader, os, new StampingProperties().useAppendMode());
// .timestamp(...) is for producing document timestamps
pdfSigner.timestamp(tsaClient, timeStampFieldName);
}
另请参阅此处了解一些上下文:https://dzone.com/articles/7-tips-for-creating-pdf-signatures(忽略嗡嗡声标题...)。
编辑:如果您正在寻找一个工具来测试 PAdES 签名是否符合规范中的格式要求,您可能需要请求访问 ETSI 一致性检查器:https://signatures-conformance-checker.etsi .org/pub/index.php.