我尝试在 iText 中使用外部签名 webService 实现对 PDF 的签名。我使用 iText ( https://raw.githubusercontent.com/itext/i5ns-tutorial/master/signatures/chapter4/C4_07_ClientServerSigning/C4_07_ClientServerSigning.cs ) 提供的示例客户端-服务器签名作为蓝图。
public class ServerSignature : IExternalSignature
{
public String GetHashAlgorithm()
{
return DigestAlgorithms.SHA256;
}
public String GetEncryptionAlgorithm()
{
return "ECDSA";
//return "1.2.840.10045.4.3.2";
}
public byte[] Sign(byte[] message)
{
string base64encodedMessage = Convert.ToBase64String(message);
// upload to WebService and return response
return Convert.FromBase64String(signatureValueFromWebServiceResponse)
}
}
在方法 public byte[] sign(byte[] message) 我使用以下请求将收到的消息上传到网络服务
<?xml version='1.0' encoding='UTF-8'?>
<CreateXMLSignatureRequest xmlns='http://www.buergerkarte.at/namespaces/securitylayer/1.2#'>
<KeyboxIdentifier>SecureSignatureKeypair</KeyboxIdentifier>
<DataObjectInfo Structure='detached'>
<DataObject>
<Base64Content>_BASE_64_ENCODED_MESSAGE_GOES_HERE_</Base64Content>
</DataObject>
<TransformsInfo>
<FinalDataMetaInfo>
<MimeType>application/octet-stream</MimeType>
</FinalDataMetaInfo>
</TransformsInfo>
</DataObjectInfo>
</CreateXMLSignatureRequest>
从收到的响应中,我返回 dsig:SignatureValue 的 base64 解码值。但是生成的 pdf 中的签名无效。
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<sl:CreateXMLSignatureResponse xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="signature-1-1">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<dsig:Reference Id="reference-1-1" URI="#signed-data-1-1">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<xpf:XPath xmlns:xpf="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect">id('signed-data-1-1')/node()</xpf:XPath>
</dsig:Transform>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64"/>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>7jsgSqDrGHnQkoM4DbxMl8zrw2uOPDCKssM40dbsnG4=</dsig:DigestValue>
</dsig:Reference>
<dsig:Reference Id="etsi-data-reference-1-1" Type="http://uri.etsi.org/01903/v1.1.1#SignedProperties" URI="">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
<xpf:XPath xmlns:xpf="http://www.w3.org/2002/06/xmldsig-filter2" Filter="intersect" xmlns:etsi="http://uri.etsi.org/01903/v1.1.1#">//*[@Id='etsi-signed-1-1']/etsi:QualifyingProperties/etsi:SignedProperties</xpf:XPath>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<dsig:DigestValue>AJjWF42gp3Tqlm1e48cFpEag6qimlxxNLJCN3ifdILo=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>OOf0hDYe3iviLhhI+ILVzDBMdFe81dyQ9wvGlJoPqK8x8EJ307sNhf6Ek+tG769BB5dwc4cfdA+FdImq32zCrw==</dsig:SignatureValue>
<dsig:KeyInfo>
<dsig:X509Data>
<dsig:X509Certificate>MIIFm[...]RLIq62uftJSg==</dsig:X509Certificate>
</dsig:X509Data>
</dsig:KeyInfo>
<dsig:Object Id="signed-data-1-1">MYGRMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwLwYJKoZIhvcNAQkEMSIEIKIfaQzzGO9vOx1dur+Rj8cLeE2YGq/0a3yiOSrhOPIyMEQGCyqGSIb3DQEJEAIvMTUwMzAxMC8wCwYJYIZIAWUDBAIBBCAr+qi8RnPA0LmY6f0eQiHiJSypOC4h8FIOOPMMN9TFsA==</dsig:Object>
<dsig:Object Id="etsi-signed-1-1">
<etsi:QualifyingProperties xmlns:etsi="http://uri.etsi.org/01903/v1.1.1#" Target="#signature-1-1">
<etsi:SignedProperties>
<etsi:SignedSignatureProperties>
<etsi:SigningTime>2019-11-10T23:00:45Z</etsi:SigningTime>
<etsi:SigningCertificate>
<etsi:Cert>
<etsi:CertDigest>
<etsi:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<etsi:DigestValue>2wlg8N3c1NxfsP3JJs9V/VJevH8=</etsi:DigestValue>
</etsi:CertDigest>
<etsi:IssuerSerial>
<dsig:X509IssuerName>CN=a-sign-premium-mobile-05,OU=a-sign-premium-mobile-05,O=A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH,C=AT</dsig:X509IssuerName>
<dsig:X509SerialNumber>548505616</dsig:X509SerialNumber>
</etsi:IssuerSerial>
</etsi:Cert>
</etsi:SigningCertificate>
<etsi:SignaturePolicyIdentifier>
<etsi:SignaturePolicyImplied/>
</etsi:SignaturePolicyIdentifier>
</etsi:SignedSignatureProperties>
<etsi:SignedDataObjectProperties>
<etsi:DataObjectFormat ObjectReference="#reference-1-1">
<etsi:MimeType>application/octet-stream</etsi:MimeType>
</etsi:DataObjectFormat>
</etsi:SignedDataObjectProperties>
</etsi:SignedProperties>
</etsi:QualifyingProperties>
</dsig:Object>
</dsig:Signature>
</sl:CreateXMLSignatureResponse>
有人知道我需要如何修改我的代码以生成有效的签名 pdf 文件吗?