I am signing PDF documents with a mobile signature service. After signing the document's hash I receive a certificate back from the service. I can replace the zero-padded signature container in the document with the certificate without any problem, but I am having trouble including the certificate chain.
I have the application's root, intermediate and leaf certificates, but I cannot get them included in the signature. What I thought I could do is create a chain in code and then inject the encoded bytes of that chain, but this results in an invalid certificate.
The code I use to do this is as follows:
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.Pkix;
using Org.BouncyCastle.Utilities.Collections;
using Org.BouncyCastle.X509;
using Org.BouncyCastle.X509.Store;
// Both .NET and BouncyCastle define X509Certificate; the list below holds BouncyCastle ones.
using X509Certificate = Org.BouncyCastle.X509.X509Certificate;

X509CertificateParser cp = new X509CertificateParser();
// DER bytes of the signing certificate returned by the mobile signature service.
var certFromServer = getCertFromServer();
// Load the certificate files through .NET and re-parse the raw DER as BouncyCastle certificates.
var rootCert = cp.ReadCertificate(new X509Certificate2(rootCertPath).RawData);
var interCert = cp.ReadCertificate(new X509Certificate2(interCertPath).RawData);
var leafCert = cp.ReadCertificate(new X509Certificate2(leafCertPath).RawData);
List<X509Certificate> intermediateCerts = new List<X509Certificate> {
    interCert,
    leafCert
};
PkixCertPathBuilder builder = new PkixCertPathBuilder();
// Target of the path: the certificate the service signed with.
X509CertStoreSelector holder = new X509CertStoreSelector {
    Certificate = cp.ReadCertificate(certFromServer)
};
intermediateCerts.Add(holder.Certificate);
// Org.BouncyCastle.Utilities.Collections.HashSet, the trust-anchor set PkixBuilderParameters expects.
HashSet rootCerts = new HashSet { new TrustAnchor(rootCert, null) };
PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder)
{
    IsRevocationEnabled = false
};
X509CollectionStoreParameters intermediateStoreParameters =
    new X509CollectionStoreParameters(intermediateCerts);
builderParams.AddStore(X509StoreFactory.Create(
    "Certificate/Collection", intermediateStoreParameters)
);
PkixCertPathBuilderResult result = builder.Build(builderParams);
// "PKCS7" encodes the path as a certificates-only SignedData (no SignerInfo).
byte[] certChainBytes = result.CertPath.GetEncoded("PKCS7");
// ExternalSignatureContainer is a container that simply returns the cert bytes
// from its Sign method without changing them.
IExternalSignatureContainer container = new ExternalSignatureContainer(certChainBytes);
MakeSignature.SignDeferred(reader, _signatureFieldName, baos, container);
The method for creating the chain comes from the following StackOverflow question: Build certificate chain in BouncyCastle in C#
What is the correct way to build a certificate chain for a signature container in iTextSharp?
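An added example, not the asker's code, of how the chain normally reaches the signature in a deferred-signing flow with iTextSharp 5.5: the /Contents entry of a PDF signature must hold a complete CMS SignedData, i.e. the certificates plus a SignerInfo carrying the signature value, so the chain is handed to PdfPKCS7 and emitted together with the signature rather than written on its own. The example assumes the PDF was already prepared in a first pass with MakeSignature.SignExternalContainer and an ExternalBlankSignatureContainer (which the SignDeferred call in the post implies), that the chain list starts with the signing certificate, and that the mobile service, represented here by the hypothetical signHash delegate, returns a raw PKCS#1 v1.5 RSA signature over the digest it is given.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.X509;

// Added example: a deferred-signing container that returns a complete CMS SignedData
// (certificate chain + SignerInfo) built by iTextSharp's PdfPKCS7.
public class MobileServiceSignatureContainer : IExternalSignatureContainer
{
    // Signing certificate first, then intermediates, root last: PdfPKCS7 treats chain[0] as the signer.
    private readonly ICollection<X509Certificate> _chain;
    // Hypothetical stand-in for the mobile signature service: digest in, raw PKCS#1 v1.5
    // RSA signature out (an assumption about the service, not something from the post).
    private readonly Func<byte[], byte[]> _signHash;
    private const string HashAlgorithm = "SHA-256";

    public MobileServiceSignatureContainer(ICollection<X509Certificate> chain, Func<byte[], byte[]> signHash)
    {
        _chain = chain;
        _signHash = signHash;
    }

    public byte[] Sign(Stream data)
    {
        // 1. Digest the signed byte ranges of the PDF that iText streams into the container.
        byte[] documentHash = DigestAlgorithms.Digest(data, HashAlgorithm);

        // 2. Build the CMS signed attributes (contentType, messageDigest, signingTime) over that hash.
        PdfPKCS7 sgn = new PdfPKCS7(null, _chain, HashAlgorithm, false);
        byte[] signedAttributes = sgn.GetAuthenticatedAttributeBytes(
            documentHash, null, null, CryptoStandard.CMS);

        // 3. What the remote key must sign is the digest of the signed attributes, not the document
        //    hash itself. If the service hashes its input internally, send signedAttributes instead.
        byte[] attributeDigest = DigestAlgorithms.Digest(new MemoryStream(signedAttributes), HashAlgorithm);
        byte[] rawSignature = _signHash(attributeDigest);

        // 4. Plug the external signature in and emit SignedData carrying the chain and the SignerInfo.
        sgn.SetExternalDigest(rawSignature, null, "RSA");
        return sgn.GetEncodedPKCS7(documentHash, null, null, null, CryptoStandard.CMS);
    }

    // /Filter and /SubFilter were written by the blank container during the first pass.
    public void ModifySigningDictionary(PdfDictionary signDic) { }
}

public static class DeferredSigner
{
    // Second pass: fill the placeholder left in preparedPdfPath by the first pass
    // (MakeSignature.SignExternalContainer with an ExternalBlankSignatureContainer).
    public static void Complete(string preparedPdfPath, string outputPath, string fieldName,
                                ICollection<X509Certificate> chain, Func<byte[], byte[]> signHash)
    {
        PdfReader reader = new PdfReader(preparedPdfPath);
        try
        {
            using (FileStream output = new FileStream(outputPath, FileMode.Create, FileAccess.Write))
            {
                IExternalSignatureContainer container =
                    new MobileServiceSignatureContainer(chain, signHash);
                MakeSignature.SignDeferred(reader, fieldName, output, container);
            }
        }
        finally
        {
            reader.Close();
        }
    }
}
```

Two things to check when adapting this: the estimated size reserved in the first pass must be large enough for the chain, since the intermediates and root now sit inside /Contents, and the chain passed to PdfPKCS7 must begin with the certificate whose key the service actually used, otherwise the SignerInfo will reference the wrong certificate and validators will report an invalid signature.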