1

我有类似的问题。我尝试使用移动签名签署 pdf。我在签名时使用 itextpdf-5.1.3.jar,bcprov-jdk16-1.46.jar。

X509Certificate root0 = Utils.getCert(PropertyUtils 
                                                .getProperty(Property.SIGN_ROOT_CERT0_PATH.value)); 
X509Certificate root1 = Utils.getCert(PropertyUtils 
                                                .getProperty(Property.SIGN_ROOT_CERT1_PATH.value)); 
X509Certificate[] chain =  {root1,root0};

我创建 pdfstamper ,将值设置为 PdfSignatureAppearance (我创建带有颁发者证书的 Cert.chain )并预先关闭 PdfSignatureAppearance 以计算 pdf 的哈希值。我将此哈希发送到移动签名服务,他们将证书和签名值返回给我。比我添加了这个证书。链接并继续签名过程。

我的问题是当我用 adobe 打开 pdf 文件时,我只看到一个证书,我看不到其他两个根证书。我在它下面放了链接,其中包含我的代码、单个 pdf 和我使用的证书。你能帮助我吗 ?

www dropbox.com/sh/g8yand5vlt5mxi8/I_mdANaJGC

更新

在图 1 中,我只看到一个证书。但我想在图 2 中看到。我怎样才能放置根证书。成pdf?

完整代码

package com.dotto.mobilesign.sign;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.HashMap;

import org.apache.log4j.Logger;
import org.bouncycastle.jce.provider.X509CertParser;
import org.etsi.uri.ts102204.v1_1.MSSSignatureRespType;

import com.dotto.mobilesign.types.Constant.FILE_TYPE;
import com.dotto.mobilesign.types.Constant.MESSAGE_TYPE;
import com.dotto.mobilesign.types.Constant.Property;
import com.dotto.mobilesign.types.dotto.AveaMobileSignResponse;
import com.dotto.mobilesign.util.ArchiveUtils;
import com.dotto.mobilesign.util.PropertyUtils;
import com.dotto.mobilesign.util.Utils;
import com.itextpdf.text.Rectangle;
import com.itextpdf.text.pdf.OcspClientBouncyCastle;
import com.itextpdf.text.pdf.PdfDate;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfPKCS7;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignature;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.PdfString;

public class PDFSignHelper {

    private static Logger log = Logger.getLogger(PDFSignHelper.class.getName());
    private static String transId = "-1";
    private static byte[] pdfDataUnsigned;
    private static byte[] pdfDatasigned;

    public AveaMobileSignResponse signSync(String rawBase64File,
            String mobilePhone, String signText, FILE_TYPE fType,
            MESSAGE_TYPE mType) throws Exception {
        SignWSSyncHelper helper = new SignWSSyncHelper();
        AveaMobileSignResponse response = null;
        try {
            transId = System.currentTimeMillis() + "";
            log.info("Trans Id : " + transId);
            pdfDataUnsigned = Utils.base64Decode(rawBase64File);
            log.info("PDF Data decoded");
            /*
             * Sign pdf
             */
            try {
                PdfReader pdf = new PdfReader(new ByteArrayInputStream(
                        pdfDataUnsigned));
                ByteArrayOutputStream signedPdf = new ByteArrayOutputStream();
                Calendar cal = Calendar.getInstance();
                final PdfStamper stamper = PdfStamper.createSignature(pdf,
                        signedPdf, '\0');
                log.info("PDF stamper created");
                PdfSignatureAppearance sap = stamper.getSignatureAppearance();
                X509Certificate root0 = Utils.getCert(PropertyUtils
                        .getProperty(Property.SIGN_ROOT_CERT0_PATH.value));
                X509Certificate root1 = Utils.getCert(PropertyUtils
                        .getProperty(Property.SIGN_ROOT_CERT1_PATH.value));

                X509Certificate[] chain =  {root1,root0};
                sap.setCrypto(null, chain, null,
                        PdfSignatureAppearance.WINCER_SIGNED);

                sap.setContact(PropertyUtils
                        .getProperty(Property.SIGN_CONTACT.value));
                sap.setReason(PropertyUtils
                        .getProperty(Property.SIGN_REASON.value));
                sap.setLocation(PropertyUtils
                        .getProperty(Property.SIGN_LOCATION.value));
                sap.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
                sap.setSignDate(cal);

                sap.setAcro6Layers(true);
                sap.setLayer2Text(signText);
                sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1,
                        "Signature");
                sap.setExternalDigest(new byte[128], new byte[20], "RSA");

                PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE,
                        new PdfName("adbe.pkcs7.detached"));
                dic.setReason(sap.getReason());
                dic.setLocation(sap.getLocation());
                dic.setContact(sap.getContact());
                dic.setDate(new PdfDate(sap.getSignDate()));
                sap.setCryptoDictionary(dic);
                log.info("PDF hash  creating");

                int contentEstimated = 35000;

                HashMap<PdfName, Integer> exc = new HashMap<PdfName, Integer>();
                exc.put(PdfName.CONTENTS, contentEstimated * 2 + 2);
                sap.preClose(exc);

                final MessageDigest messageDigest = MessageDigest
                        .getInstance("SHA1");
                InputStream data = sap.getRangeStream();
                byte[] buf = new byte[8192];
                int n;
                while ((n = data.read(buf, 0, buf.length)) > 0) {
                    messageDigest.update(buf, 0, n);
                }
                byte hash[] = messageDigest.digest();
                log.info("PDF hash  created");
                log.info("PDF hash  sended to sign for web service");
                MSSSignatureRespType signResponse = helper.signSyncron(transId,
                        Utils.base64Encode(hash), mobilePhone, signText);
                log.info("WS returns result");
                int statusCode = -1;
                String statusMessage = null;
                if (signResponse.getStatus() != null) {

                    if (signResponse.getStatus().getStatusCode() != null
                            && signResponse.getStatus().getStatusCode()
                                    .getValue() != null) {
                        statusCode = signResponse.getStatus().getStatusCode()
                                .getValue().intValue();
                    }
                    log.info("WS returns status code " + statusCode);

                    statusMessage = signResponse.getStatus().getStatusMessage();
                    log.info("WS returns status message " + statusMessage);

                    String errorText = "";
                    boolean error = true;
                    if (statusCode == 502) {
                        log.info(statusMessage);
                        error = false;
                        /*
                         * success
                         */
                    } else if (statusCode == -1) {
                        errorText = "Status Code : none Status Message : "
                                + statusMessage;
                    } else if (statusCode == 208) {
                        errorText = "Status Code : "
                                + statusCode
                                + " Status Message : "
                                + statusMessage
                                + ".  Message can't reach client Timeout. Response "
                                + helper.soapResponseText;
                    } else {
                        errorText = "Status Code : " + statusCode
                                + " Status Message : " + statusMessage
                                + ".  General Error . Response "
                                + helper.soapResponseText;
                    }
                    if (error) {
                        log.error(errorText);
                        throw new Exception(errorText);
                    }
                }

                /*
                 * Success
                 */
                response = new AveaMobileSignResponse();
                response.fileType = fType.getValue();
                response.messageType = mType.getValue();
                response.mobilePhone = mobilePhone;
                response.statusCode = statusCode;
                response.statusMessage = statusMessage;
                if (signResponse.getMSSSignature() == null) {
                    log.error("Signature Empty. " + helper.soapResponseText);
                    throw new Exception("Signature Empty. "
                            + helper.soapResponseText);
                }
                log.info("getting cert. and sign ");
                byte[] certificate = signResponse.getMSSSignature()
                        .getBase64Signature();
                X509CertParser certParser = new X509CertParser();
                certParser.engineInit(new ByteArrayInputStream(certificate));
                X509Certificate cer = (X509Certificate) certParser.engineRead();
                if (root0 != null) {
                    chain = new X509Certificate[3];
                    chain[0] = cer;
                    chain[1] = root1;
                    chain[2] = root0;
                } else {
                    chain = new X509Certificate[1];
                    chain[0] = cer;
                }

                PdfPKCS7 sgn = new PdfPKCS7(null, chain, null, "SHA1", null,
                        true);
                byte[] signedHashValue = signResponse.getMSSSignature()
                        .getXMLSignature().getSignatureValue().getValue();

                String TSA_URL = PropertyUtils
                        .getProperty(Property.SIGN_TIMESTAMP_URL.value);
                String TSA_ACCNT = PropertyUtils
                        .getProperty(Property.SIGN_TIMESTAMP_ACC.value);
                String TSA_PASSW = PropertyUtils
                        .getProperty(Property.SIGN_TIMESTAMP_PSS.value);


                CustomTSAClient tsc=new CustomTSAClient(TSA_URL, Integer.parseInt(TSA_ACCNT), TSA_PASSW);

                //TSAClientBouncyCastle tsc=new TSAClientBouncyCastle("http://zd.e-guven.com/TSS/HttpTspServer");
                //TSAClient tsc = new TSAClientBouncyCastle(TSA_URL, TSA_ACCNT, TSA_PASSW);
                OcspClientBouncyCastle ocs = null;
                byte[] ocsp = null;
                if (chain.length >= 2) {
                    String url = PdfPKCS7.getOCSPURL(chain[0]);
                    if (url != null && url.length() > 0)
                        ocs = new OcspClientBouncyCastle();
                    ocsp = ocs.getEncoded(chain[0], chain[1], url);
                }

                byte sh[] = sgn.getAuthenticatedAttributeBytes(signedHashValue,
                        cal, ocsp);
                sgn.update(sh, 0, sh.length);

                sgn.setExternalDigest(signedHashValue, hash, "RSA");

                byte[] paddedSig = new byte[contentEstimated];

                byte[] encodedSig = sgn.getEncodedPKCS7(null, cal, tsc, ocsp);
                System.arraycopy(encodedSig, 0, paddedSig, 0, encodedSig.length);
                if (contentEstimated + 2 < encodedSig.length)
                    throw new Exception("Not enough space for signature");

                PdfDictionary dic2 = new PdfDictionary();
                dic2.put(PdfName.CONTENTS,
                        new PdfString(paddedSig).setHexWriting(true));
                sap.close(dic2);
                log.info("inserting sign ");
                pdfDatasigned = signedPdf.toByteArray();
                response.signedRawBase64File = Utils
                        .base64Encode(pdfDatasigned);
                log.info("insertied sign ");
                ArchiveUtils.archive(transId, pdfDataUnsigned, pdfDatasigned,
                        fType, mType);
                return response;
            } catch (Exception e) {
                log.error("Error while signing. " + helper.soapResponseText, e);
                throw new Exception("Error while signing. "
                        + helper.soapResponseText, e);
            }

        } catch (Exception e) {
            log.error("Error", e);
            throw e;
        }
    }
}

图片 1:http ://dl.dropbox.com/u/24426467/pdf-sign/img1.jpg 图片 2:http ://dl.dropbox.com/u/24426467/pdf-sign/img2.jpg

4

1 回答 1

2

你好像混淆了什么。以下证书包含在 PDF 的 CMS 容器中(非 ASCII 字符可能有些混淆):

第一个:

主题:序列号=20000000002,C=TR,CN=GÃœNAY DEMÄ°R

发行人:CN=Avea Mobil Nitelikli Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi AS,C=TR

第二

主题:CN=e-Guven Nitelikli Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi AS,C=TR

发行人:CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi AS,C=TR

第三

主题:CN=Avea Mobil Nitelikli Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi AS,C=TR

发行人:CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi AS,C=TR

第一个是签名者证书,第三个是中间 CA 证书,即您的“根 1.crt”,但第二个只是基于相同根证书的另一个 CA 证书。

您的投递箱中的实际根证书“root.cer”已丢失。

您可能想要检查引用您的根证书和 CA 证书的属性的值。

(为了清楚起见,您应该更改变量和文件的名称,以不将中间 CA 证书称为根证书。)

于 2012-11-09T14:22:37.117 回答