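We are trying to sign a PDF document with the CAdES method, using the examples in dss-cookbook as a starting point and the latest version (4.6.RC1).

Following the example in `SignPdfPadesBDetached.java`, we have succeeded with `PAdES`. However, since there is no example for `CAdES`, we tried to adapt the above example to use `CAdES`, but it does not work. Specifically, the generated PDF document is only 7k in size instead of the expected 2.5MB, and the following error is displayed when trying to open the PDF:

We assume that the 7k is actually just the signature, so the actual document is not included. The settings we use are:

- `SignatureLevel.CAdES_BASELINE_B`
- `SignaturePackaging.DETACHED`
- `DigestAlgorithm.SHA256`

The relevant method code currently looks like this: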
```java
public static void signPdfWithCades(DSSDocument toSignDocument) {
    LOG.info("Signing PDF with CADES B");
    try {
        AbstractSignatureTokenConnection signingToken = new Pkcs12SignatureToken("password", KEYSTORE_PATH);
        DSSPrivateKeyEntry privateKey = signingToken.getKeys().get(0);

        // Preparing parameters for the CAdES signature
        CAdESSignatureParameters parameters = new CAdESSignatureParameters();
        // We choose the level of the signature (-B, -T, -LT, -LTA).
        parameters.setSignatureLevel(SignatureLevel.CAdES_BASELINE_B);
        // We choose the type of the signature packaging (ENVELOPING, DETACHED).
        parameters.setSignaturePackaging(SignaturePackaging.DETACHED);
        // We set the digest algorithm to use with the signature algorithm. You must use the
        // same parameter when you invoke the method sign on the token. The default value is
        // SHA256
        parameters.setDigestAlgorithm(DigestAlgorithm.SHA256);
        // We set the signing certificate
        parameters.setSigningCertificate(privateKey.getCertificate());
        // We set the certificate chain
        parameters.setCertificateChain(privateKey.getCertificateChain());

        // Create common certificate verifier
        CommonCertificateVerifier commonCertificateVerifier = new CommonCertificateVerifier();
        // Create the CAdES service for signature
        CAdESService service = new CAdESService(commonCertificateVerifier);

        // Get the data that needs to be signed.
        ToBeSigned dataToSign = service.getDataToSign(toSignDocument, parameters);

        // This function obtains the signature value for signed information using the
        // private key and specified algorithm
        DigestAlgorithm digestAlgorithm = parameters.getDigestAlgorithm();
        SignatureValue signatureValue = signingToken.sign(dataToSign, digestAlgorithm, privateKey);

        // We invoke the cadesService to sign the document with the signature value obtained in
        // the previous step.
        DSSDocument signedDocument = service.signDocument(toSignDocument, parameters, signatureValue);
        LOG.info("Signed PDF size = " + signedDocument.getBytes().length);

        // We use the DSSUtils to save to file
        DSSUtils.saveToFile(signedDocument.openStream(), "target/signedPdfCadesBDetached.pdf");
    } catch (Exception e) {
        LOG.error(e.getMessage(), e);
    }
}
```
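The corresponding method for signing with `PAdES` is similar to the one above, adjusted for `PAdES` (that is, we used the `PAdESSignatureParameters`, `SignatureLevel.PAdES_BASELINE_B` and `PAdESService` classes there).

Note that the SD-DSS project is not hosted in the Maven Central repository, so we had to reference it explicitly: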
```xml
<repositories>
    <repository>
        <id>europa</id>
        <url>https://joinup.ec.europa.eu/nexus/content/groups/public/</url>
    </repository>
</repositories>
```
Also, I believe we have included all the required/corresponding dependencies in our `pom.xml`:
```xml
<dependency>
    <groupId>eu.europa.ec.joinup.sd-dss</groupId>
    <artifactId>dss-token</artifactId>
    <version>4.6.RC1</version>
</dependency>
<dependency>
    <groupId>eu.europa.ec.joinup.sd-dss</groupId>
    <artifactId>dss-pades</artifactId>
    <version>4.6.RC1</version>
</dependency>
<dependency>
    <groupId>eu.europa.ec.joinup.sd-dss</groupId>
    <artifactId>dss-cades</artifactId>
    <version>4.6.RC1</version>
</dependency>
<dependency>
    <groupId>eu.europa.ec.joinup.sd-dss</groupId>
    <artifactId>dss-document</artifactId>
    <version>4.6.RC1</version>
</dependency>
```
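Before this we also tried PDFBox, but the documentation was not that helpful for what we want to accomplish.

Any idea what is wrong here? Changing the packaging to ENVELOPING makes no difference either. Is the method of signing with CAdES so different that the PAdES example should not be used as a guide?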