由于PDFBOX中提供了这个优秀的样本,我能够使用PDFBOX 1.8.5对PDF文档进行数字签名。
签署此样本时,请使用本地计算机的日期/时间(第175行):
//签名日期,有效签名所需 signature.setSignDate(Calendar.getInstance());
这意味着Acrobat Reader不会信任签名日期,就像使用外部时间戳管理局(TSA)完成一样。
任何人都知道如何在PDFBOX中使用外部TSA?
感谢。
答案 0 :(得分:3)
CreateSignature PDFBox示例已在2.0.0-SNAPSHOT开发版本中进行了扩展,还可选择包含来自某些TSA的时间戳。
主要区别在于,在sign(InputStream)中创建CMS签名后,CMS签名容器在另一个方法signTimeStamps(CMSSignedData)中得到增强,还带有签名时间戳:
public byte[] sign(InputStream content) throws IOException
{
...
CMSSignedData signedData = gen.generate(processable, false);
// vvv Additional call
if (tsaClient != null)
{
signedData = signTimeStamps(signedData);
}
// ^^^ Additional call
return signedData.getEncoded();
...
}
// vvv Additional helper methods
private CMSSignedData signTimeStamps(CMSSignedData signedData)
throws IOException, TSPException
{
SignerInformationStore signerStore = signedData.getSignerInfos();
List<SignerInformation> newSigners = new ArrayList<SignerInformation>();
for (SignerInformation signer : (Collection<SignerInformation>)signerStore.getSigners())
{
newSigners.add(signTimeStamp(signer));
}
return CMSSignedData.replaceSigners(signedData, new SignerInformationStore(newSigners));
}
private SignerInformation signTimeStamp(SignerInformation signer)
throws IOException, TSPException
{
AttributeTable unsignedAttributes = signer.getUnsignedAttributes();
ASN1EncodableVector vector = new ASN1EncodableVector();
if (unsignedAttributes != null)
{
vector = unsignedAttributes.toASN1EncodableVector();
}
byte[] token = tsaClient.getTimeStampToken(signer.getSignature());
ASN1ObjectIdentifier oid = PKCSObjectIdentifiers.id_aa_signatureTimeStampToken;
ASN1Encodable signatureTimeStamp = new Attribute(oid, new DERSet(byteToASN1Object(token)));
vector.add(signatureTimeStamp);
Attributes signedAttributes = new Attributes(vector);
SignerInformation newSigner = SignerInformation.replaceUnsignedAttributes(
signer, new AttributeTable(signedAttributes));
if (newSigner == null)
{
return signer;
}
return newSigner;
}
private ASN1Object byteToASN1Object(byte[] data) throws IOException
{
ASN1InputStream in = new ASN1InputStream(data);
try
{
return in.readObject();
}
finally
{
in.close();
}
}
// ^^^ Additional helper methods
(CreateSignature.java,2.0.0-SNAPSHOT开发版)
此处tsaClient是一个新的CreateSignature成员变量,其中包含与所讨论的外部TSA接口的TSAClient实例:
/**
* Time Stamping Authority (TSA) Client [RFC 3161].
* @author Vakhtang Koroghlishvili
* @author John Hewson
*/
public class TSAClient
{
private static final Log log = LogFactory.getLog(TSAClient.class);
private final URL url;
private final String username;
private final String password;
private final MessageDigest digest;
public TSAClient(URL url, String username, String password, MessageDigest digest)
{
this.url = url;
this.username = username;
this.password = password;
this.digest = digest;
}
public byte[] getTimeStampToken(byte[] messageImprint) throws IOException
{
digest.reset();
byte[] hash = digest.digest(messageImprint);
// 32-bit cryptographic nonce
SecureRandom random = new SecureRandom();
int nonce = random.nextInt();
// generate TSA request
TimeStampRequestGenerator tsaGenerator = new TimeStampRequestGenerator();
tsaGenerator.setCertReq(true);
ASN1ObjectIdentifier oid = getHashObjectIdentifier(digest.getAlgorithm());
TimeStampRequest request = tsaGenerator.generate(oid, hash, BigInteger.valueOf(nonce));
// get TSA response
byte[] tsaResponse = getTSAResponse(request.getEncoded());
TimeStampResponse response;
try
{
response = new TimeStampResponse(tsaResponse);
response.validate(request);
}
catch (TSPException e)
{
throw new IOException(e);
}
TimeStampToken token = response.getTimeStampToken();
if (token == null)
{
throw new IOException("Response does not have a time stamp token");
}
return token.getEncoded();
}
// gets response data for the given encoded TimeStampRequest data
// throws IOException if a connection to the TSA cannot be established
private byte[] getTSAResponse(byte[] request) throws IOException
{
log.debug("Opening connection to TSA server");
// todo: support proxy servers
URLConnection connection = url.openConnection();
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestProperty("Content-Type", "application/timestamp-query");
log.debug("Established connection to TSA server");
if (username != null && password != null)
{
if (!username.isEmpty() && !password.isEmpty())
{
connection.setRequestProperty(username, password);
}
}
// read response
OutputStream output = null;
try
{
output = connection.getOutputStream();
output.write(request);
}
finally
{
IOUtils.closeQuietly(output);
}
log.debug("Waiting for response from TSA server");
InputStream input = null;
byte[] response;
try
{
input = connection.getInputStream();
response = IOUtils.toByteArray(input);
}
finally
{
IOUtils.closeQuietly(input);
}
log.debug("Received response from TSA server");
return response;
}
// returns the ASN.1 OID of the given hash algorithm
private ASN1ObjectIdentifier getHashObjectIdentifier(String algorithm)
{
// TODO can bouncy castle or Java provide this information?
if (algorithm.equals("MD2"))
{
return new ASN1ObjectIdentifier("1.2.840.113549.2.2");
}
else if (algorithm.equals("MD5"))
{
return new ASN1ObjectIdentifier("1.2.840.113549.2.5");
}
else if (algorithm.equals("SHA-1"))
{
return new ASN1ObjectIdentifier("1.3.14.3.2.26");
}
else if (algorithm.equals("SHA-224"))
{
return new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.4");
}
else if (algorithm.equals("SHA-256"))
{
return new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.1");
}
else if (algorithm.equals("SHA-394"))
{
return new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.2");
}
else if (algorithm.equals("SHA-512"))
{
return new ASN1ObjectIdentifier("2.16.840.1.101.3.4.2.3");
}
else
{
return new ASN1ObjectIdentifier(algorithm);
}
}
}
(TSAClient.java,2.0.0-SNAPSHOT开发版)
由于这些添加仅依赖于所使用的BouncyCastle版本而不依赖于PDFBox代码,因此该代码也应易于向后端口以与PDFBox 1.8.x一起使用。