英文:
Digitally sign a pdf file in 2 steps with iText 7, result is corrupted file
问题
我会为您翻译代码部分:
首先,我会翻译计算哈希和签名的部分:
public static byte[] ComputeHash(string source, string temp, X509Certificate[] chains, string reason, string location, int qtySigns, int pageNumber)
{
IList<ICrlClient> crlList = new List<ICrlClient>();
crlList.Add(new CrlClientOnline(chains));
using (var reader = new PdfReader(source))
{
using (var os = new FileStream(temp, FileMode.OpenOrCreate, FileAccess.Write))
{
var signer = new PdfSigner(reader, os, new StampingProperties().UseAppendMode());
var signatureAppearance = signer.GetSignatureAppearance();
signatureAppearance
.SetReason(reason)
.SetLocation(location)
.SetPageNumber(pageNumber)
.SetRenderingMode(PdfSignatureAppearance.RenderingMode.NAME_AND_DESCRIPTION)
.SetCertificate(chains[0])
.SetPageRect(new iText.Kernel.Geom.Rectangle(36, 20, 144, 53));
var container = new EmptySignatureContainer(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
signer.SignExternalContainer(container, 8192);
byte[] hash = container.Hash;
return hash;
}
}
}
以下是签名容器部分的翻译:
public class EmptySignatureContainer : IExternalSignatureContainer
{
private PdfDictionary _sigDic;
public byte[] Hash;
public byte[] Sign(Stream data)
{
string hashAlgorithm = "SHA256";
try
{
this.Hash = DigestAlgorithms.Digest(data, hashAlgorithm);
}
catch (IOException e)
{
throw new GeneralSecurityException("EmptySignatureContainer signing exception", e);
}
return new byte[0];
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
signDic.PutAll(_sigDic);
}
public EmptySignatureContainer(PdfName filter, PdfName subFilter)
{
_sigDic = new PdfDictionary();
_sigDic.Put(PdfName.Filter, filter);
_sigDic.Put(PdfName.SubFilter, subFilter);
}
}
接下来是计算哈希的部分:
var hash = ComputeHash(inputFile, tempFile, chain, "sign-reason", "", 1, 1);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", false);
var authenAttrBytes = sgn.GetAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CMS, null, null);
var computedHash = SHA256Managed.Create().ComputeHash(authenAttrBytes);
最后,是签名和添加签名的部分:
Sign(tempFile, outputFile, chain, authenAttrBytes, signedHash);
签名方法的翻译如下:
public static void Sign(string tempFile, string targetFile, X509Certificate[] chains, byte[] hash, byte[] signedHash)
{
using (PdfReader reader = new PdfReader(tempFile))
{
using (FileStream outStream = System.IO.File.OpenWrite(targetFile))
{
var signedContainer = new SignedSignatureContainer(hash, signedHash, chains);
var signer = new PdfSigner(reader, outStream, new StampingProperties());
signer.SignExternalContainer(signedContainer, 8192);
}
}
}
最后是签名容器的翻译:
public class SignedSignatureContainer : IExternalSignatureContainer
{
public byte[] Hash { get; set; }
public byte[] SignedHash { get; set; }
public X509Certificate[] CertChains { get; set; }
public SignedSignatureContainer(byte[] hash, byte[] signedHash, X509Certificate[] certCertChains)
{
this.Hash = hash;
this.SignedHash = signedHash;
this.CertChains = certCertChains;
}
public byte[] Sign(Stream data)
{
var sgn = new PdfPKCS7(null, CertChains, "SHA256", false);
sgn.SetExternalDigest(this.SignedHash, null, "RSA");
return sgn.GetEncodedPKCS7(this.Hash, CryptoStandard.CMS, null, null, null );
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
signDic.Put(PdfName.Filter, PdfName.Adobe_PPKLite);
signDic.Put(PdfName.SubFilter, PdfName.Adbe_pkcs7_detached);
}
}
希望这有助于您理解代码。如果您有其他问题,请随时提出。
英文:
I'm trying to digitally sign a PDF file in two steps: compute hash, sign hash, and then merge the signed hash to the output file. The library that I'm using is iText 7.
However, the result is a corrupted file and cannot be opened.
What is wrong?
First I'm computing the hash and sign the input file with an empty signature container:
public static byte[] ComputeHash(string source, string temp, X509Certificate[] chains, string reason, string location, int qtySigns, int pageNumber)
{
IList<ICrlClient> crlList = new List<ICrlClient>();
crlList.Add(new CrlClientOnline(chains));
using (var reader = new PdfReader(source))
{
using (var os = new FileStream(temp, FileMode.OpenOrCreate, FileAccess.Write))
{
var signer = new PdfSigner(reader, os, new StampingProperties().UseAppendMode());
var signatureAppearance = signer.GetSignatureAppearance();
signatureAppearance
.SetReason(reason)
.SetLocation(location)
.SetPageNumber(pageNumber)
.SetRenderingMode(PdfSignatureAppearance.RenderingMode.NAME_AND_DESCRIPTION)
.SetCertificate(chains[0])
.SetPageRect(new iText.Kernel.Geom.Rectangle(36, 20, 144, 53));
var container = new EmptySignatureContainer(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
signer.SignExternalContainer(container, 8192);
byte[] hash = container.Hash;
return hash;
}
}
}
Here is the container:
public class EmptySignatureContainer : IExternalSignatureContainer
{
private PdfDictionary _sigDic;
public byte[] Hash;
public byte[] Sign(Stream data)
{
string hashAlgorithm = "SHA256";
try
{
this.Hash = DigestAlgorithms.Digest(data, hashAlgorithm);
}
catch (IOException e)
{
throw new GeneralSecurityException("EmptySignatureContainer signing exception", e);
}
return new byte[0];
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
signDic.PutAll(_sigDic);
}
public EmptySignatureContainer(PdfName filter, PdfName subFilter)
{
_sigDic = new PdfDictionary();
_sigDic.Put(PdfName.Filter, filter);
_sigDic.Put(PdfName.SubFilter, subFilter);
}
}
After that, I get the authenticated attribute bytes and compute its hash:
var hash = ComputeHash(inputFile, tempFile, chain, "sign-reason", "", 1, 1);
PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA256", false);
var authenAttrBytes = sgn.GetAuthenticatedAttributeBytes(hash, PdfSigner.CryptoStandard.CMS, null, null);
var computedHash = SHA256Managed.Create().ComputeHash(authenAttrBytes);`
The computedHash then will be sent to the hsm server to sign.
The signed hash then will be added back to the temporary file as following code:
Sign(tempFile, outputFile, chain, authenAttrBytes, signedHash);
And here is the Sign method:
public static void Sign(string tempFile, string targetFile, X509Certificate[] chains, byte[] hash, byte[] signedHash)
{
using (PdfReader reader = new PdfReader(tempFile))
{
using (FileStream outStream = System.IO.File.OpenWrite(targetFile))
{
var signedContainer = new SignedSignatureContainer(hash, signedHash, chains);
var signer = new PdfSigner(reader, outStream, new StampingProperties());
signer.SignExternalContainer(signedContainer, 8192);
}
}
}
The Signed container as following:
public class SignedSignatureContainer : IExternalSignatureContainer
{
public byte[] Hash { get; set; }
public byte[] SignedHash { get; set; }
public X509Certificate[] CertChains { get; set; }
public SignedSignatureContainer(byte[] hash, byte[] signedHash, X509Certificate[] certCertChains)
{
this.Hash = hash;
this.SignedHash = signedHash;
this.CertChains = certCertChains;
}
public byte[] Sign(Stream data)
{
var sgn = new PdfPKCS7(null, CertChains, "SHA256", false);
sgn.SetExternalDigest(this.SignedHash, null, "RSA");
return sgn.GetEncodedPKCS7(this.Hash, CryptoStandard.CMS, null, null, null );
}
public void ModifySigningDictionary(PdfDictionary signDic)
{
signDic.Put(PdfName.Filter, PdfName.Adobe_PPKLite);
signDic.Put(PdfName.SubFilter, PdfName.Adbe_pkcs7_detached);
}
}
答案1
得分: 0
在你的Sign方法中,你使用了PdfSigner方法的SignExternalContainer:
var signedContainer = new SignedSignatureContainer(hash, signedHash, chains);
var signer = new PdfSigner(reader, outStream, new StampingProperties());
signer.SignExternalContainer(signedContainer, 8192);
但这不会填充原先准备好的签名!相反,它会创建另一个签名字段,并使用原始签名的签名来填充它。
请改用静态的PdfSigner方法SignDeferred:
/// <summary>Signs a PDF where space was already reserved.</summary>
/// <param name="document">the original PDF</param>
/// <param name="fieldName">the field to sign. It must be the last field</param>
/// <param name="outs">the output PDF</param>
/// <param name="externalSignatureContainer">
/// the signature container doing the actual signing. Only the
/// method ExternalSignatureContainer.sign is used
/// </param>
public static void SignDeferred(PdfDocument document, String fieldName, Stream outs,
IExternalSignatureContainer externalSignatureContainer)
英文:
In your Sign method you use the PdfSigner method SignExternalContainer:
var signedContainer = new SignedSignatureContainer(hash, signedHash, chains);
var signer = new PdfSigner(reader, outStream, new StampingProperties());
signer.SignExternalContainer(signedContainer, 8192);
But that does not fill in the originally prepared signature! Instead this creates another signature field and fills it with a signature for the original one.
Use the static PdfSigner method SignDeferred instead:
/// <summary>Signs a PDF where space was already reserved.</summary>
/// <param name="document">the original PDF</param>
/// <param name="fieldName">the field to sign. It must be the last field</param>
/// <param name="outs">the output PDF</param>
/// <param name="externalSignatureContainer">
/// the signature container doing the actual signing. Only the
/// method ExternalSignatureContainer.sign is used
/// </param>
public static void SignDeferred(PdfDocument document, String fieldName, Stream outs,
IExternalSignatureContainer externalSignatureContainer)
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论