CAdES数字签名

Question

I've been trying to implement digital signing (CAdES) for PDF files using Portuguese Citizen Card, however I'm having a hard time figuring out the perfectly working solution. 我一直在尝试使用葡萄牙语公民卡为PDF文件实现数字签名（CAdES），但是我一直在努力寻找完美的解决方案。 Currently I have two sets of code. 目前，我有两套代码。

First one: 第一：

public void signCAdES(...)
{
        String pkcs11Config = "name=GemPC" + "\n" + "library=C:\\WINDOWS\\SysWOW64\\pteidpkcs11.dll";
        ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11Config.getBytes());
        Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(configStream);

                    //provider_name: SunPKCS11-GemPC
        Security.addProvider(pkcs11Provider);

        javax.security.auth.callback.CallbackHandler cmdLineHdlr = new DialogCallbackHandler();

        KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11Provider,
                new KeyStore.CallbackHandlerProtection(cmdLineHdlr));
        KeyStore ks= builder.getKeyStore();

        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(dest);

        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0', new File(tempPath), true);
        PdfSignatureAppearance appearance = stamper.getSignatureAppearance();

        appearance.setReason(reason);
        appearance.setLocation(location);
        appearance.setCertificationLevel(level);

        String alias = "CITIZEN SIGNATURE CERTIFICATE";

                    //certificates from electronic card and resources folder
        Certificate[] certs = getSignatureCertificatesChain(ks);

        PrivateKey pk = (PrivateKey) ks.getKey(alias, null);

        ExternalSignature es = new PrivateKeySignature(pk, "SHA-1", pkcs11Provider.getName());
        ExternalDigest digest = new BouncyCastleDigest();

        MakeSignature.signDetached(appearance, digest, es, certs, null, null, null, 0, MakeSignature.CryptoStandard.CADES);
}

The first one works, however I have a validator given to me that verifies if the signatures of a PDF satisfies the standards, and it seems that one of the attributes is missing (sigining certificate issuer's serial number). 第一个有效，但是我提供了一个验证器，可以验证PDF的签名是否满足标准，并且似乎缺少其中一个属性（起始证书颁发者的序列号）。

The second one is different, and I have to add the attributes manually, however the generated PDF is corrupted (and then I might need to add the issuer serial attribute too): 第二个是不同的，我必须手动添加属性，但是生成的PDF已损坏（然后我可能也需要添加发布者序列属性）：

private static void signCAdES(byte[] aDocument, PrivateKey aPrivateKey, Certificate[] certChain, String outputPath) {
    try {

        Security.addProvider(new BouncyCastleProvider());
        ArrayList<X509Certificate> certsin = new ArrayList<X509Certificate>();
        for (Certificate certChain1 : certChain) {
            certsin.add((X509Certificate) certChain1);
        }

        X509Certificate signingCertificate= certsin.get(0);

        MessageDigest dig = MessageDigest.getInstance("SHA-1");
        byte[] certHash = dig.digest(signingCertificate.getEncoded());

        ESSCertID essCertid = new ESSCertID(certHash);
        DERSet set = new DERSet(new SigningCertificate(essCertid));

        Attribute certHAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, set);
        AttributeTable at = getAttributeTableWithSigningCertificateAttribute(certHAttribute);
        CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator(at);

        SignerInfoGeneratorBuilder genBuild = new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
        genBuild.setSignedAttributeGenerator(attrGen);

        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        ContentSigner shaSigner = new JcaContentSignerBuilder("SHA1withRSA").build(aPrivateKey);
        SignerInfoGenerator sifGen = genBuild.build(shaSigner, new X509CertificateHolder(signingCertificate.getEncoded()));
        gen.addSignerInfoGenerator(sifGen);
        JcaCertStore jcaCertStore = new JcaCertStore(certsin);
        gen.addCertificates(jcaCertStore);

        CMSTypedData msg = new CMSProcessableByteArray(aDocument);
        CMSSignedData sigData = gen.generate(msg, false); // false=detached

        byte[] encoded = sigData.getEncoded();

        ASN1InputStream in = new ASN1InputStream(encoded);
        CMSSignedData sigData2 = new CMSSignedData(new CMSProcessableByteArray(aDocument), in);
        byte[] encoded2 = sigData2.getEncoded();

        FileOutputStream fos = new FileOutputStream(outputPath);
        fos.write(encoded2);
//      fos.write(encoded);
        fos.flush();
        fos.close();
    } catch (CMSException | IOException | OperatorCreationException | CertificateEncodingException ex) {
        log("signCAdES", "Error: " + ex.toString());
    }
}

Is there anyone who understands CAdES digital signature using Java? 是否有人了解使用Java的CAdES数字签名？ Any help would be appreciated! 任何帮助，将不胜感激！

Answer 1

The 'issuer-serial' attribute is absent or does not match! 'issuer-serial'属性不存在或不匹配！

It means that your cades signature has not signed attribute: the signed reference to the signing certificate or that this reference is tampered. 这意味着您的cades签名未签名属性：签名证书的签名参考或该参考已被篡改。

Please check: ETSI TS 101 733 V2.2.1 (2013-04) for more information: 有关更多信息，请检查：ETSI TS 101 733 V2.2.1（2013-04）：

5.7.3 Signing Certificate Reference Attributes 5.7.3签名证书参考属性

The Signing certificate reference attributes are supported by using either the ESS signing-certificate attribute or the ESS-signing-certificate-v2 attribute... 通过使用ESS signing-certificate属性或ESS-signing-certificate-v2属性来支持签名证书参考属性...

CAdES数字签名

问题描述

1 个解决方案

解决方案1
1 2015-02-23 22:27:08

CAdES数字签名

问题描述

1 个解决方案

解决方案1 1 2015-02-23 22:27:08

解决方案1
1 2015-02-23 22:27:08