将新页面添加到PDF并使用iText 7

时间:2016-09-02 15:42:25

标签: java pdf adobe signature itext7

对于项目,我必须在工作流程中由多个人在另外创建的页面上对PDF进行数字签名。为了实现这一点,我们使用iText 7库和以下代码,基于Bruno Lowagie的例子:

public static void main(String[] args) throws IOException, GeneralSecurityException, XMPException {
    String path = "F:/Java/keystores/testPdfSign";
    char[] pass = "test".toCharArray();

    KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
    ks.load(new FileInputStream(path), pass);
    String alias = "";
    Enumeration<String> aliases = ks.aliases();
    while (alias.equals("tester")==false && aliases.hasMoreElements()) 
    {
        alias = aliases.nextElement();
    }
    PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);
    Certificate[] chain = ks.getCertificateChain(alias);
    PDFSign app = new PDFSign();
    app.sign(SRC, DEST, chain, pk, DigestAlgorithms.SHA1, "SunJSSE", PdfSigner.CryptoStandard.CMS, "Test", "Test", null, null, null, 0);
}

public void sign(String src, String dest,
                 Certificate[] chain, PrivateKey pk,
                 String digestAlgorithm, String provider, PdfSigner.CryptoStandard subfilter,
                 String reason, String location,
                 Collection<ICrlClient> crlList,
                 IOcspClient ocspClient,
                 ITSAClient tsaClient,
                 int estimatedSize)
        throws GeneralSecurityException, IOException, XMPException {
    // Creating the reader and the signer

    PdfDocument document = new PdfDocument(new PdfReader(SRC), new PdfWriter(DEST+"_temp"));
    if (initial == true)
    {
        document.addNewPage();
    }
    int pageCount = document.getNumberOfPages();
    document.close();
    PdfSigner signer = new PdfSigner(new PdfReader(DEST+"_temp"), new FileOutputStream(DEST), true); 
    // Creating the appearance
    if (initial == true)
    {
        signer.setCertificationLevel(PdfSigner.CERTIFIED_FORM_FILLING_AND_ANNOTATIONS);
    }
    PdfSignatureAppearance appearance = signer.getSignatureAppearance()
            .setReason(reason)
            .setLocation(location)
            .setReuseAppearance(false);
    Rectangle rect = new Rectangle(10, 400, 100, 100);
    appearance
            .setPageRect(rect)
            .setPageNumber(pageCount);
    appearance.setRenderingMode(RenderingMode.NAME_AND_DESCRIPTION);
    signer.setFieldName(signer.getNewSigFieldName());
    // Creating the signature
    IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, provider);
    ProviderDigest digest = new ProviderDigest(provider);
    signer.signDetached(digest, pks, chain, crlList, ocspClient, tsaClient, estimatedSize, subfilter);

}

这导致PDF的新签名版本中的签名无效,因为Adobe Acrobat Reader表示签名后已对其进行了编辑。令人惊讶的是,当我在福昕阅读器中打开文件时,它说它没有被修改并且有效。

我尝试的也是省略了添加新页面的第一步,只是在原始文档的最后一页上签名,然后签名在Adobe Reader中有效,但没有解决我的情况,作为一个额外的页面是必须的。 我尝试的另一件事是没有将certificationLevel设置为CERTIFIED_FORM_FILLING_AND_ANNOTATIONS,而只是将其保留为默认NOT_CERTIFIED,这样我在新页面上也有一个有效的签名,但这不是一个解决方案,因为它不会让我以后添加任何额外的签名。

有人知道Adobe Reader将签名评为无效和/或解决此问题的原因是什么?

先谢谢

大卫

1 个答案:

答案 0 :(得分:1)

简而言之

我无法重现OP的问题。运行他的代码(略微适应当地情况)导致java.security.NoSuchAlgorithmException: no such algorithm: SHA1 for provider SunJSSE。已将提供者参数“SunJSSE”替换为sign调用“BC”,另一方面,代码创建了经过适当认证的PDF。

改编的代码

我通常以JUnit测试的形式检查stackoverflow中的代码;这意味着一些变化。此外,OP的代码包含许多引用但未定义的变量;这些必须给出一个定义。最后我加载文件以从资源中作为流进行签名,而不是从文件系统作为文件进行签名。

因此:

final static File RESULT_FOLDER = new File("target/test-outputs", "signature");

@BeforeClass
public static void setUpBeforeClass() throws Exception
{
    RESULT_FOLDER.mkdirs();
    BouncyCastleProvider provider = new BouncyCastleProvider();
    Security.addProvider(provider);
}

@Test
public void testSignLikeXinDHA() throws GeneralSecurityException, IOException, XMPException
{
    String path = "keystores/demo-rsa2048.p12";
    char[] pass = "demo-rsa2048".toCharArray();

    KeyStore ks = KeyStore.getInstance("pkcs12", "SunJSSE");
    ks.load(new FileInputStream(path), pass);
    String alias = "";
    Enumeration<String> aliases = ks.aliases();
    while (alias.equals("demo") == false && aliases.hasMoreElements())
    {
        alias = aliases.nextElement();
    }
    PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);
    Certificate[] chain = ks.getCertificateChain(alias);

    try ( InputStream resource = getClass().getResourceAsStream("/mkl/testarea/itext7/content/test.pdf"))
    {
        sign(resource, new File(RESULT_FOLDER, "test_XinDHA_signed_initial.pdf").getAbsolutePath(),
                chain, pk, DigestAlgorithms.SHA1, /*"SunJSSE"*/"BC", PdfSigner.CryptoStandard.CMS, "Test", "Test",
                null, null, null, 0, true);
    }
}

public void sign(InputStream src, String dest, Certificate[] chain, PrivateKey pk, String digestAlgorithm,
        String provider, PdfSigner.CryptoStandard subfilter, String reason, String location,
        Collection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient, int estimatedSize,
        boolean initial)
        throws GeneralSecurityException, IOException, XMPException
{
    // Creating the reader and the signer

    PdfDocument document = new PdfDocument(new PdfReader(src), new PdfWriter(dest + "_temp"));
    if (initial == true)
    {
        document.addNewPage();
    }
    int pageCount = document.getNumberOfPages();
    document.close();
    PdfSigner signer = new PdfSigner(new PdfReader(dest + "_temp"), new FileOutputStream(dest), true);
    // Creating the appearance
    if (initial == true)
    {
        signer.setCertificationLevel(PdfSigner.CERTIFIED_FORM_FILLING_AND_ANNOTATIONS);
    }
    PdfSignatureAppearance appearance = signer.getSignatureAppearance().setReason(reason).setLocation(location)
            .setReuseAppearance(false);
    Rectangle rect = new Rectangle(10, 400, 100, 100);
    appearance.setPageRect(rect).setPageNumber(pageCount);
    appearance.setRenderingMode(RenderingMode.NAME_AND_DESCRIPTION);
    signer.setFieldName(signer.getNewSigFieldName());
    // Creating the signature
    IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, provider);
    ProviderDigest digest = new ProviderDigest(provider);
    signer.signDetached(digest, pks, chain, crlList, ocspClient, tsaClient, estimatedSize, subfilter);
}

AddPageAndSign.java

运行代码

我使用最新的Oracle Java 8和无限强度Java TM 加密扩展策略文件,BouncyCastle 1.49和iText在版本7.0.0或7.0.1-SNAPSHOT中运行代码(当前的发展部门。)

(最终使用从其网站下载的Oracle Java,Oracle JDK的某些变体(由某些Linux发行版提供)包含可能破坏您的代码的安全提供程序中的更改。)

使用提供者参数“SunJSSE”将代码运行到sign调用会导致

java.security.NoSuchAlgorithmException: no such algorithm: SHA1 for provider SunJSSE
    at sun.security.jca.GetInstance.getService(GetInstance.java:87)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
    at java.security.Security.getImpl(Security.java:698)
    at java.security.MessageDigest.getInstance(MessageDigest.java:227)
    at com.itextpdf.signatures.SignUtils.getMessageDigest(SignUtils.java:134)
    at com.itextpdf.signatures.DigestAlgorithms.getMessageDigest(DigestAlgorithms.java:182)
    at com.itextpdf.signatures.ProviderDigest.getMessageDigest(ProviderDigest.java:69)
    at com.itextpdf.signatures.SignUtils.getMessageDigest(SignUtils.java:127)
    at com.itextpdf.signatures.PdfSigner.signDetached(PdfSigner.java:528)
    at mkl.testarea.itext7.signature.AddPageAndSign.sign(AddPageAndSign.java:125)
    at mkl.testarea.itext7.signature.AddPageAndSign.testSignLikeXinDHA(AddPageAndSign.java:81)

使用提供者参数“BC”将代码运行到sign调用会产生一个经过适当认证的PDF,并在额外页面上显示签名可视化:

Screenshot of signature panel

为什么使用SunJSSE没有意义

我通过“SunJSSE”提供程序获得的异常实际上并不令人惊讶,因为该提供程序不提供SHA1算法。

根据its documentation by Oracle,它根本不提供MessageDigest算法,只是组合作为签名算法(SHA1withRSA)。

因此,IExternalSignature中定义的sign

IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, provider);

将起作用,因为这里将使用SHA1withRSA,但ProviderDigest定义为

ProviderDigest digest = new ProviderDigest(provider);

将失败,因为它尝试使用消息摘要算法SHA1。

作为旁白

您使用SHA1。由于此消息摘要算法在签名创建的上下文中越来越不可信,因此这不是一个好主意。我建议切换到SHA2 famaily的算法。

相关问题
最新问题