启用iText LTV - 如何添加更多CRL?

时间:2016-02-01 15:46:30

标签: pdf itext

我需要启用已签名的pdf LTV。签名证书具有三个级别的链(root / public / personal)。我知道有必要在pdf中添加证书的OCSP和CRL(root除外)。

  • 我可以使用它的基本LtvVerification.addVerification()方法吗? 如果我添加一个运行两个CRL,结果PDF只是一秒钟。如果我改变订单,那么还有一秒钟。 如果我在两次运行中添加CRL,它将以相同的方式结束 - 在pdf中仍然将CRL添加为秒。 我认为“添加”不会覆盖以前的状态..

  • 如何正确使用方法LtvVerification.merge()?在添加第一个/第二个/两个CRL之前/之后?

  • 或者我只能使用替代方法LtvVerification.addVerification(String signatureName,Collection ocsps,Collection crls,Collection certs)?

非常感谢您的提示。

源代码:

public void addLtv(String src, String dest) throws IOException, DocumentException, GeneralSecurityException
{

    BouncyCastleProvider provider = new BouncyCastleProvider();
    Security.addProvider(provider);

    PdfReader r = new PdfReader(src);
    System.out.println("Source file: " + src);
    FileOutputStream fos = new FileOutputStream(dest);
    PdfStamper stp = new PdfStamper(r, fos, '\0', true);
    LtvVerification v = stp.getLtvVerification();
    AcroFields fields = stp.getAcroFields();

    ArrayList<String> names = fields.getSignatureNames();
    String sigName = names.get(names.size() - 1);
    System.out.println("found signature: " + sigName);
    PdfPKCS7 pkcs7 = fields.verifySignature(sigName);

    //add LTV
    OcspClient ocsp = new OcspClientBouncyCastle();
    CrlClient crlClient1 = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl");
    ArrayList<CrlClient> crllist = new ArrayList<CrlClient>();
    crllist.add(crlClient1);
    CrlClient crlClient2 = new CrlClientOnline("http://www.postsignum.cz/crl/pspublicca2.crl");
    crllist.add(crlClient2);
    System.out.println("crllist.size=" + crllist.size());

    if (pkcs7.isTsp())
    {
        for (CrlClient crlclient : crllist)
        {
            if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlclient,
                    LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
                    LtvVerification.Level.CRL,
                    LtvVerification.CertificateInclusion.NO)) {
                System.out.println("crl " + crlclient.toString() + " added to timestamp");
            }
        }

    } else{


        for (String name : names)
        {
            for (int i = 0; i < crllist.size(); i++) {
                if (v.addVerification(name, ocsp, crllist.get(i),
                        LtvVerification.CertificateOption.WHOLE_CHAIN,
                        LtvVerification.Level.CRL,
                        LtvVerification.CertificateInclusion.NO)) {
                    System.out.println("crl " + crllist.get(i).toString() + " added to " + name);
                }

                if (i > 0) {
                    System.out.println("found verification, merge");
                    v.merge();
                }

            }
        }
    }

    stp.close();
}

1 个答案:

答案 0 :(得分:0)

如果要为LtvVerification.addVerification提供多个CRL,则为每个CRL 调用一次方法,而对所有CRL执行一次

对此CrlClientOnline也接受多个网址:

/**
 * Creates a CrlClientOnline instance using one or more URLs.
 */
public CrlClientOnline(String... crls)

因此,通过使用此构造函数,我们将代码简化并修复为

PdfReader r = new PdfReader(src);
FileOutputStream fos = new FileOutputStream(dest);
PdfStamper stp = new PdfStamper(r, fos, '\0', true);
LtvVerification v = stp.getLtvVerification();
AcroFields fields = stp.getAcroFields();

ArrayList<String> names = fields.getSignatureNames();
String sigName = names.get(names.size() - 1);
System.out.println("found signature: " + sigName);
PdfPKCS7 pkcs7 = fields.verifySignature(sigName);

//add LTV
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crlClient = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl", "http://www.postsignum.cz/crl/pspublicca2.crl");

if (pkcs7.isTsp())
{
    if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlClient,
            LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
            LtvVerification.Level.CRL,
            LtvVerification.CertificateInclusion.NO))
    {
        System.out.println("crl " + crlClient.toString() + " added to timestamp");
    }
}
else
{
    for (String name : names)
    {
        if (v.addVerification(name, ocsp, crlClient,
                LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.CRL,
                LtvVerification.CertificateInclusion.NO))
        {
            System.out.println("crl " + crlClient.toString() + " added to " + name);
        }
    }
}
stp.close();

AddLtvCrls.java,方法addLtvFixed

将它应用于您的示例文件,我们得到:

Signature panel view

对于某些背景信息,LtvVerification.addVerification会将所拥有的信息存储为相关签名所需的 验证信息。多次调用会导致信息仅来自最后一次尝试计数。

调用LtvVerification.merge在这里没有帮助,因为它只是将旧版本中不同签名所需的验证信息合并到新的验证相关信息部分。

相关问题
最新问题