添加PDF吊销信息作为已签名属性pdfRevocationInfoArchival OID 1.2.840.113583.1.1.8

huangapple go评论37阅读模式
英文:

Adding PDF revocation information as an signed attribute pdfRevocationInfoArchival OID 1.2.840.113583.1.1.8

问题

We have added pdfRevocationInfoArchival OID (1.2.840.113583.1.1.8) as a signed attribute while generating signature. While building this attribute we used external CRL file (ca-crl.crl) and builds the OID 1.2.840.113583.1.1.8 as ASN1 object. After signing pdf and timestamping signature, everything works fine. But we are not able to understand the identifier (adbe-revocationInfoArchival) which added is in the PDF is correct and which can be used to verify this PDF by fetching this OID. Also we are not able to check that this attribute is in proper format in which PDF can verify it. Is there any tool or utility available to check this attribute which is inserted as a signed attribute is valid.

If any PDF tool/utility is available to visualize attribute are available in PDF please share.

We have build the issuers CRL info at position [0] is this correct to way add the CRL in this OID? I have share the code below code snippet

以下是Adobe的吊销信息属性的对象标识符:
adbe-revocationInfoArchival OBJECT IDENTIFIER ::= { adbe(1.2.840.113583) acrobat(1) security(1) 8 }

Adobe的吊销信息属性值具有ASN.1类型RevocationInfoArchival:

  crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
  ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
  otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
}```

使用Java Bouncy Castle API构建Adobe的吊销信息属性值:

```private ASN1EncodableVector genPdfInfoArchival(ASN1EncodableVector v) {
    	
    	ASN1EncodableVector v1 = new ASN1EncodableVector();
    	
    	List<X509CRL> crls = new ArrayList<X509CRL>();
    	ASN1InputStream t = null;
    	try {
    		
    		CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            CRL crl = certFactory.generateCRL(new FileInputStream(new File("e://app//esp//crl//NSDLe-GovCA2019-Test-2.crl")));
            System.out.println("crl:" + crl);
            crls.add((X509CRL)crl);
    		
    		if (!crls.isEmpty()) {
    			ASN1EncodableVector v11 = new ASN1EncodableVector();
    			for (Iterator<X509CRL> i = crls.iterator(); i.hasNext();) {
    				t = new ASN1InputStream(new ByteArrayInputStream(i.next().getEncoded()));
    				v11.add(t.readObject());
    			}
    			//0 for CRL
    			v1.add(new DERTaggedObject(true, 0, new DERSequence(v11)));
    		}
} 
		
		return v1;}

在构建OID并将其添加为签名属性后,生成签名,然后将此签名添加到PDF中:

        	ASN1EncodableVector signedAttr = new ASN1EncodableVector();
			String ID_ADBE_REVOCATION = "1.2.840.113583.1.1.8";

        	//TODO add message digest for sgning - nikhilW
        	Attribute attr = new Attribute(CMSAttributes.messageDigest,  new DERSet(new DEROctetString(IOUtils.toByteArray(hashdata))));
        	signedAttr.add(attr);
        	
        	//TODO generate pdf info archival and add it as CMS signed attribute - nikhilW
        	ASN1EncodableVector pdfInfo = genPdfInfoArchival(signedAttr);
        	Attribute ar = new Attribute(new ASN1ObjectIdentifier(ID_ADBE_REVOCATION),   new DERSet (new DERSequence(pdfInfo)));
        	signedAttr.add(ar);
        	
            List<Certificate> certList = new ArrayList<Certificate>();
            certList.addAll(Arrays.asList(certificateChain));
            Store certs = new JcaCertStore(certList);
            
            DefaultSignedAttributeTableGenerator sa = new DefaultSignedAttributeTableGenerator(new AttributeTable(signedAttr));
            SignerInfoGeneratorBuilder builder = new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
            
			builder.setSignedAttributeGenerator(sa);

请查看以下Google Drive链接,其中包含示例签名的PDF文件**hello_signed_ts_pdfarchivalinfo.pdf**
pdf_sample_signed

任何帮助将不胜感激。

英文:

>We have added pdfRevocationInfoArchival OID (1.2.840.113583.1.1.8) as a signed attribute while generating signature. While building this attribute we used external CRL file (ca-crl.crl) and builds the OID 1.2.840.113583.1.1.8 as ASN1 object. After signing pdf and timestamping signature, everything works fine. But we are not able to understand the identifier (adbe-revocationInfoArchival) which added is in the PDF is correct and which can be used to verify this PDF by fetching this OID. Also we are not able to check that this attribute is in proper format in which PDF can verify it. Is there any tool or utility available to check this attribute which is inserted as a signed attribute is valid.
>> If any PDF tool/utility is available to visualize attribute are available in PDF please share.

> We have build the issuers CRL info at position [0] is this correct to way add the CRL in this OID? I have share the code below code snippet

The following object identifier identifies Adobe's revocation information attribute:

adbe-revocationInfoArchival OBJECT IDENTIFIER ::=
        { adbe(1.2.840.113583) acrobat(1) security(1) 8 }

Adobe's Revocation Information attribute value has ASN.1 type RevocationInfoArchival:

    /**
     ** RevocationInfoArchival ::= SEQUENCE {
     **   crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
     **   ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
     **   otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
      }
    */

Adobe's Revocation Information attribute value building using in Java Bouncy Castle API:

private ASN1EncodableVector genPdfInfoArchival(ASN1EncodableVector v) {
    	
    	ASN1EncodableVector v1 = new ASN1EncodableVector();
    	
    	List&lt;X509CRL&gt; crls = new ArrayList&lt;X509CRL&gt;();
    	ASN1InputStream t = null;
    	try {
    		
    		CertificateFactory certFactory = CertificateFactory.getInstance(&quot;X.509&quot;);
            CRL crl = certFactory.generateCRL(new FileInputStream(new File(&quot;e://app//esp//crl//NSDLe-GovCA2019-Test-2.crl&quot;)));
            System.out.println(&quot;crl:&quot; + crl);
            crls.add((X509CRL)crl);
    		
    		if (!crls.isEmpty()) {
    			ASN1EncodableVector v11 = new ASN1EncodableVector();
    			for (Iterator&lt;X509CRL&gt; i = crls.iterator(); i.hasNext();) {
    				t = new ASN1InputStream(new ByteArrayInputStream(i.next().getEncoded()));
    				v11.add(t.readObject());
    			}
    			//0 for CRL
    			v1.add(new DERTaggedObject(true, 0, new DERSequence(v11)));
    		}
} 
		
		return v1;}

>After building OID adding it in SignerInforGeneratorBuilder as a signed attribute and generating the signature and then adding this signature in PDF

			CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        	ASN1EncodableVector signedAttr = new ASN1EncodableVector();
			String ID_ADBE_REVOCATION = &quot;1.2.840.113583.1.1.8&quot;;

        	//TODO add message digest for sgning - nikhilW
        	Attribute attr = new Attribute(CMSAttributes.messageDigest,  new DERSet(new DEROctetString(IOUtils.toByteArray(hashdata))));
        	signedAttr.add(attr);
        	
        	//TODO generate pdf info archival and add it as CMS signed attribute - nikhilW
        	ASN1EncodableVector pdfInfo = genPdfInfoArchival(signedAttr);
        	Attribute ar = new Attribute(new ASN1ObjectIdentifier(ID_ADBE_REVOCATION),   new DERSet (new DERSequence(pdfInfo)));
        	signedAttr.add(ar);
        	
            List&lt;Certificate&gt; certList = new ArrayList&lt;Certificate&gt;();
            certList.addAll(Arrays.asList(certificateChain));
            Store certs = new JcaCertStore(certList);
            
            DefaultSignedAttributeTableGenerator sa = new DefaultSignedAttributeTableGenerator(new AttributeTable(signedAttr));
            SignerInfoGeneratorBuilder builder = new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
            
			builder.setSignedAttributeGenerator(sa);

>Please find below google drive link contains sample signed pdf file hello_signed_ts_pdfarchivalinfo.pdf
pdf_sample_signed

Any help would be appreciated.

答案1

得分: 0

我已经检查了使用以下Java源代码添加的PDF属性。此外,有一个iText Java实用程序可以调试PDF对象树 iText RUP 或从我的Google驱动器链接中下载 下载 iTextRUP Java Jar,使用 java -jar jar-name 运行它可能有助于调试PDF对象。

Pdf归档信息检索源代码返回位置[0]的CRL流对象

private void getPdfRevoInfoArch(SignerInformation signerInform) {
    
    AttributeTable at = signerInform.getSignedAttributes();
    
    ASN1Encodable arch = at.get(new ASN1ObjectIdentifier("1.2.840.113583.1.1.8")).getAttrValues().getObjectAt(0);
    
    // ASN1Encodable arch1 = at.get(new ASN1ObjectIdentifier("1.2.840.113583.1.1.8")).getAttrValues().getObjectAt(1);
            
    System.out.println("arc:" + arch);
    System.out.println("archSize:" + at.get(new ASN1ObjectIdentifier("1.2.840.113583.1.1.8")).getAttrValues().size());
    
}
英文:

I have checked for the attribute added in pdf using below java source code. Also there is iText Java utility which will debug pdf object tree iText RUP or download it from my google drive link Download iTextRUP Java Jar run it with java -jar jar-name may it will help debuging pdf objects.

Pdf Archival Info Retrieval Source Code Returns CRL stream object at position [0]

private void getPdfRevoInfoArch(SignerInformation signerInform) {
    	
    	AttributeTable at = signerInform.getSignedAttributes();
		
		ASN1Encodable arch =	at.get(new ASN1ObjectIdentifier(&quot;1.2.840.113583.1.1.8&quot;)).getAttrValues().getObjectAt(0);
		
		//ASN1Encodable arch1 =	at.get(new ASN1ObjectIdentifier(&quot;1.2.840.113583.1.1.8&quot;)).getAttrValues().getObjectAt(1);
				
		System.out.println(&quot;arc:&quot; + arch);
		System.out.println(&quot;archSize:&quot; + at.get(new ASN1ObjectIdentifier(&quot;1.2.840.113583.1.1.8&quot;)).getAttrValues().size());
		
	}

huangapple
  • 本文由 发表于 2020年7月30日 16:44:17
  • 转载请务必保留本文链接:https://go.coder-hub.com/63169453.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定