我正在尝试使用iTextSharp 5.3.3对服务器(c#)上的pdf文档进行数字签名和验证。
我使用DigiSign(在线工具)生成.Pfx文件,然后使用Windows生成证书(.cer)文件
/// <summary>
/// Signs a PDF document using iTextSharp library
/// </summary>
/// <param name="sourceDocument">The path of the source pdf document which is to be signed</param>
/// <param name="destinationPath">The path at which the signed pdf document should be generated</param>
/// <param name="privateKeyStream">A Stream containing the private/public key in .pfx format which would be used to sign the document</param>
/// <param name="keyPassword">The password for the private key</param>
/// <param name="reason">String describing the reason for signing, would be embedded as part of the signature</param>
/// <param name="location">Location where the document was signed, would be embedded as part of the signature</param>
public static void signPdfFile (string sourceDocument, string destinationPath, Stream privateKeyStream, string keyPassword, string reason, string location)
{
Pkcs12Store pk12=new Pkcs12Store(privateKeyStream, keyPassword.ToCharArray());
privateKeyStream.Dispose();
//then Iterate throught certificate entries to find the private key entry
string alias=null;
foreach (string tAlias in pk12.Aliases)
{
if (pk12.IsKeyEntry(tAlias))
{
alias = tAlias;
break;
}
}
var pk=pk12.GetKey(alias).Key;
// reader and stamper
PdfReader reader = new PdfReader(sourceDocument);
using (FileStream fout = new FileStream(destinationPath, FileMode.Create, FileAccess.ReadWrite))
{
using (PdfStamper stamper = PdfStamper.CreateSignature(reader, fout, '\0'))
{
// appearance
PdfSignatureAppearance appearance = stamper.SignatureAppearance;
//appearance.Image = new iTextSharp.text.pdf.PdfImage();
appearance.Reason = reason;
appearance.Location = location;
appearance.SetVisibleSignature(new iTextSharp.text.Rectangle(20, 10, 170, 60), 1, "Icsi-Vendor");
// digital signature
IExternalSignature es = new PrivateKeySignature(pk, "SHA-256");
MakeSignature.SignDetached(appearance, es, new X509Certificate[] { pk12.GetCertificate(alias).Certificate }, null, null, null, 0, CryptoStandard.CMS);
stamper.Close();
}
}
}
文档签名后,我需要验证文档。我使用下面的代码,但得到错误。
/// <summary>
/// Verifies the signature of a prevously signed PDF document using the specified public key
/// </summary>
/// <param name="pdfFile">a Previously signed pdf document</param>
/// <param name="publicKeyStream">Public key to be used to verify the signature in .cer format</param>
/// <exception cref="System.InvalidOperationException">Throw System.InvalidOperationException if the document is not signed or the signature could not be verified</exception>
public static void verifyPdfSignature (string pdfFile, Stream publicKeyStream)
{
var parser=new X509CertificateParser();
var certificate=parser.ReadCertificate(publicKeyStream);
publicKeyStream.Dispose();
PdfReader reader = new PdfReader(pdfFile);
AcroFields af = reader.AcroFields;
var names = af.GetSignatureNames();
if (names.Count == 0)
{
throw new InvalidOperationException("No Signature present in pdf file.");
}
foreach (string name in names)
{
if (!af.SignatureCoversWholeDocument(name))
{
throw new InvalidOperationException(string.Format("The signature: {0} does not covers the whole document.", name));
}
PdfPKCS7 pk = af.VerifySignature(name);
var cal = pk.SignDate;
var pkc = pk.Certificates;
if (!pk.Verify())
{
throw new InvalidOperationException("The signature could not be verified.");
}
if (!pk.VerifyTimestampImprint())
{
throw new InvalidOperationException("The signature timestamp could not be verified.");
}
IList<VerificationException>[] fails = CertificateVerification.VerifyCertificates(pkc, new X509Certificate[] { certificate }, null, cal);
if (fails != null)
{
throw new InvalidOperationException("The file is not signed using the specified key-pair.");
}
}
}
我在验证时遇到两个错误:
感谢这方面的任何帮助。