Pades 签名使用 PDFBox ETSI 验证
Pades Signature using PDFBox ETSI validation
我使用 PDFBOX 创建了一个 PDF PAdES 签名,我正在使用 ETSI 在线验证器 1(它需要注册),现在我在报告中只收到两个错误,但我有点迷茫它们是或我该如何修复它们。
这是 etsi 在线验证器报告:
这是我用来签名的代码:
@Override
public byte[] sign(InputStream content) throws IOException {
try {
CMSSignedDataGenerator signGenerator = new CMSSignedDataGenerator();
X509Certificate userCert = (X509Certificate) this.certificateChain[0];
ContentSigner mySigner = new CustomSigner(this.signerKeyHandle);
// TODO check to use cavium as digest provider
MessageDigest md = MessageDigest.getInstance("SHA-256", "Cavium");
md.update(userCert.getEncoded());
byte[] userCertHash = md.digest();
X509CertificateHolder issuerCert = new X509CertificateHolder(this.certificateChain[1].getEncoded());
// IssuerSerial is = new IssuerSerial(issuerCert.get,
// issuerCert.getSerialNumber());
ESSCertIDv2 certid = new ESSCertIDv2(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256),
userCertHash);
ESSCertIDv2[] essCert1Arr = { certid };
SigningCertificateV2 sigcert = new SigningCertificateV2(certid);
final DERSet attrValues = new DERSet(sigcert);
Attribute attr = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, attrValues);
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);
AttributeTable atttributeTable = new AttributeTable(v);
//Create a standard attribute table from the passed in parameters - certhash
CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator(atttributeTable){
protected Hashtable createStandardAttributeTable(Map parameters)
{
Hashtable result = super.createStandardAttributeTable(parameters);
result.remove(CMSAttributes.signingTime);
return result;
}
};
JcaSignerInfoGeneratorBuilder signerBuilder = new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().build());
signerBuilder.setSignedAttributeGenerator(attrGen);
SignerInfoGenerator signerInfoGenerator = signerBuilder.build(mySigner, userCert);
signGenerator.addSignerInfoGenerator(signerInfoGenerator);
signGenerator.addCertificates(new JcaCertStore(Arrays.asList(certificateChain)));
CMSProcessableInputStream msg = new CMSProcessableInputStream(content);
CMSSignedData signedData = signGenerator.generate(msg, false);
return signedData.getEncoded();
} catch (GeneralSecurityException | CMSException | OperatorCreationException e) {
System.err.println(e.getMessage());
throw new RuntimeException("unable to sign pdf!");
}
}
我不太确定这些问题可能在哪里或为什么会产生,一开始我有 5 个,现在我只剩下这两个,所以任何输入将不胜感激
原始问题
您使用 DefaultSignedAttributeTableGenerator
:
signerBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(v)));
根据其 JavaDocs,它将
/* Create a standard attribute table from the passed in parameters - this will
* normally include contentType, signingTime, messageDigest, and CMS algorithm protection.
* If the constructor using an AttributeTable was used, entries in it for contentType, signingTime, and
* messageDigest will override the generated ones.
特别是它会创建一个 signingTime
签名属性。
但对于 (non-legacy) PAdES 签名,嵌入式 CMS 容器不得包含 signingTime
属性,请参阅 ETSI EN 319 142-1 第 6.3 节以了解基线签名
SPO: signing-time attribute in CMS signature ... shall not be present
并且 PAdES-BES 和 PAdES-EPES 签名的原始 ETSI TS 102 778-3 第 4.5.3 节已经要求
the signing-time attribute shall not be used.
(严格来说,当前的 ETSI EN 319 142-2 PAdES-E-BES 和 PAdES-E-EPES 配置文件似乎不再禁止使用,它们只是 推荐 使用 M 签名字典条目代替。但是检查 BES/EPES 的软件通常仍然基于确实禁止的旧 TS,见上文。现在应该使用基线签名无论如何...)
因此,您应该使用不包含签名时间属性的 CMSAttributeTableGenerator
实现,例如通过复制 DefaultSignedAttributeTableGenerator
代码并从其 createStandardAttributeTable
方法中删除签名时间。
更新后的问题
您在评论中说,在解决上述问题后,仍然存在一个错误:
Right now its only an error and its the number 63 that says Location-{CodeTest}:Contents/CAdESSignature/content/signedData/signerInfos/signerInfo1/signedAttrs/attribute[4]/attrValues/NotKnownComponent1-{ForAllTheChildrenDo} An unknown component has been reached. Consequently, its children and their processing are unknown to the TLCC. No further checks will be done to this component
根据 RFC 6211 从 2011 年 4 月开始,您 SignerInfo
中的最后一个(第四个)签名属性是 算法标识符保护属性。考虑到年龄ETSI 签名一致性检查器可能确实不知道此属性。
如果您希望一致性检查器不显示该错误,只需从 DefaultSignedAttributeTableGenerator
的标准属性 table 中删除该属性,就像删除签名时间属性一样。
我使用 PDFBOX 创建了一个 PDF PAdES 签名,我正在使用 ETSI 在线验证器 1(它需要注册),现在我在报告中只收到两个错误,但我有点迷茫它们是或我该如何修复它们。
这是 etsi 在线验证器报告:
这是我用来签名的代码:
@Override
public byte[] sign(InputStream content) throws IOException {
try {
CMSSignedDataGenerator signGenerator = new CMSSignedDataGenerator();
X509Certificate userCert = (X509Certificate) this.certificateChain[0];
ContentSigner mySigner = new CustomSigner(this.signerKeyHandle);
// TODO check to use cavium as digest provider
MessageDigest md = MessageDigest.getInstance("SHA-256", "Cavium");
md.update(userCert.getEncoded());
byte[] userCertHash = md.digest();
X509CertificateHolder issuerCert = new X509CertificateHolder(this.certificateChain[1].getEncoded());
// IssuerSerial is = new IssuerSerial(issuerCert.get,
// issuerCert.getSerialNumber());
ESSCertIDv2 certid = new ESSCertIDv2(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256),
userCertHash);
ESSCertIDv2[] essCert1Arr = { certid };
SigningCertificateV2 sigcert = new SigningCertificateV2(certid);
final DERSet attrValues = new DERSet(sigcert);
Attribute attr = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, attrValues);
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(attr);
AttributeTable atttributeTable = new AttributeTable(v);
//Create a standard attribute table from the passed in parameters - certhash
CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator(atttributeTable){
protected Hashtable createStandardAttributeTable(Map parameters)
{
Hashtable result = super.createStandardAttributeTable(parameters);
result.remove(CMSAttributes.signingTime);
return result;
}
};
JcaSignerInfoGeneratorBuilder signerBuilder = new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().build());
signerBuilder.setSignedAttributeGenerator(attrGen);
SignerInfoGenerator signerInfoGenerator = signerBuilder.build(mySigner, userCert);
signGenerator.addSignerInfoGenerator(signerInfoGenerator);
signGenerator.addCertificates(new JcaCertStore(Arrays.asList(certificateChain)));
CMSProcessableInputStream msg = new CMSProcessableInputStream(content);
CMSSignedData signedData = signGenerator.generate(msg, false);
return signedData.getEncoded();
} catch (GeneralSecurityException | CMSException | OperatorCreationException e) {
System.err.println(e.getMessage());
throw new RuntimeException("unable to sign pdf!");
}
}
我不太确定这些问题可能在哪里或为什么会产生,一开始我有 5 个,现在我只剩下这两个,所以任何输入将不胜感激
原始问题
您使用 DefaultSignedAttributeTableGenerator
:
signerBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(new AttributeTable(v)));
根据其 JavaDocs,它将
/* Create a standard attribute table from the passed in parameters - this will
* normally include contentType, signingTime, messageDigest, and CMS algorithm protection.
* If the constructor using an AttributeTable was used, entries in it for contentType, signingTime, and
* messageDigest will override the generated ones.
特别是它会创建一个 signingTime
签名属性。
但对于 (non-legacy) PAdES 签名,嵌入式 CMS 容器不得包含 signingTime
属性,请参阅 ETSI EN 319 142-1 第 6.3 节以了解基线签名
SPO: signing-time attribute in CMS signature ... shall not be present
并且 PAdES-BES 和 PAdES-EPES 签名的原始 ETSI TS 102 778-3 第 4.5.3 节已经要求
the signing-time attribute shall not be used.
(严格来说,当前的 ETSI EN 319 142-2 PAdES-E-BES 和 PAdES-E-EPES 配置文件似乎不再禁止使用,它们只是 推荐 使用 M 签名字典条目代替。但是检查 BES/EPES 的软件通常仍然基于确实禁止的旧 TS,见上文。现在应该使用基线签名无论如何...)
因此,您应该使用不包含签名时间属性的 CMSAttributeTableGenerator
实现,例如通过复制 DefaultSignedAttributeTableGenerator
代码并从其 createStandardAttributeTable
方法中删除签名时间。
更新后的问题
您在评论中说,在解决上述问题后,仍然存在一个错误:
Right now its only an error and its the number 63 that says Location-{CodeTest}:Contents/CAdESSignature/content/signedData/signerInfos/signerInfo1/signedAttrs/attribute[4]/attrValues/NotKnownComponent1-{ForAllTheChildrenDo} An unknown component has been reached. Consequently, its children and their processing are unknown to the TLCC. No further checks will be done to this component
根据 RFC 6211 从 2011 年 4 月开始,您 SignerInfo
中的最后一个(第四个)签名属性是 算法标识符保护属性。考虑到年龄ETSI 签名一致性检查器可能确实不知道此属性。
如果您希望一致性检查器不显示该错误,只需从 DefaultSignedAttributeTableGenerator
的标准属性 table 中删除该属性,就像删除签名时间属性一样。