
Verifying certificate of signed and secured PDF in iText PDF Java

I secured a PDF using Adobe Acrobat and then signed it, but when I try to verify the signature using iText, it gives an error:

Exception in thread "main" java.lang.IllegalArgumentException: can't decode PKCS7SignedData object
at com.itextpdf.text.pdf.security.PdfPKCS7.<init>(PdfPKCS7.java:214)
at com.itextpdf.text.pdf.AcroFields.verifySignature(AcroFields.java:2427)
at com.itextpdf.text.pdf.AcroFields.verifySignature(AcroFields.java:2373)
at C5_01_SignatureIntegrity.verifySignature(C5_01_SignatureIntegrity.java:19)
at C5_03_CertificateValidation.verifySignature(C5_03_CertificateValidation.java:42)
at C5_01_SignatureIntegrity.verifySignatures(C5_01_SignatureIntegrity.java:32)
at C5_03_CertificateValidation.main(C5_03_CertificateValidation.java:134)

I am using the sample code from https://developers.itextpdf.com/examples/security/digital-signatures-white-paper/digital-signatures-chapter-5#887-c5_03_certificatevalidation.java

I used a generic PDF, password protected from Adobe Acrobat and then self-signed it from Adobe Acrobat.

The iText 5 security API indeed cannot verify signatures of encrypted documents.

The cause is a deficiency of the decryption code: Just like most other strings it also "decrypts" the values of the Contents key of signature dictionaries. As these are not encrypted to start with, though, this "decryption" actually scrambles them. Thus, the PdfPKCS7 class cannot parse them as signature containers and throws the observed exception.

In contrast to this the iText 7 security API can verify such signatures.

In distinction from the iText 5 situation explained above, decryption of PDF strings here is deferred until their contents actually are used. The signature API, before accessing the content, marks the Contents PDF strings as not encrypted. Thus, their original value can be accessed as is.

(This is a bit risky because some code may retrieve the contents of those strings beforehand and so cause "decryption". On the other hand this removes the necessity to parse the PDF AcroForm information in the PdfReader; as form parsing in general and signature parsing in particular are not part of the kernel module, such a necessity either would have resulted in duplication of code or merging of multiple modules.)

The issue is covered in more detail in this answer.
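
As an added illustration of the iText 7 route described in the answer above (not code from the original post or from iText's samples), the following sketch opens a password-protected PDF and checks each signature's integrity. It assumes iText 7.1.x with Bouncy Castle on the classpath; the class name, file path and password arguments are hypothetical, and the password encoding is an assumption.

```java
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.kernel.pdf.ReaderProperties;
import com.itextpdf.signatures.PdfPKCS7;
import com.itextpdf.signatures.SignatureUtil;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.nio.charset.StandardCharsets;
import java.security.Security;

// Hypothetical class name; usage: java VerifyEncryptedSignedPdf <file.pdf> <password>
public class VerifyEncryptedSignedPdf {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        String path = args[0];
        // Assumption: the password only uses characters that fit ISO-8859-1.
        byte[] password = args[1].getBytes(StandardCharsets.ISO_8859_1);

        ReaderProperties props = new ReaderProperties().setPassword(password);
        try (PdfDocument pdf = new PdfDocument(new PdfReader(path, props))) {
            SignatureUtil util = new SignatureUtil(pdf);
            for (String name : util.getSignatureNames()) {
                // iText 7.1.x name; assumed to be readSignatureData(name) from 7.2 on.
                // SignatureUtil marks the Contents string as unencrypted before
                // reading it, so the CMS container is parsed from its raw bytes.
                PdfPKCS7 pkcs7 = util.verifySignature(name);

                // Cryptographic check of the signed byte ranges only; this does
                // not establish trust in the (here self-signed) signer certificate.
                boolean intact = pkcs7.verifySignatureIntegrityAndAuthenticity();
                boolean wholeDoc = util.signatureCoversWholeDocument(name);

                System.out.printf("%s: intact=%b, coversWholeDocument=%b, signer=%s%n",
                        name, intact, wholeDoc,
                        pkcs7.getSigningCertificate().getSubjectDN());
            }
        }
    }
}
```

A result of intact=true with coversWholeDocument=false means bytes were appended after signing, so the later revisions need separate review before the document is relied on.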
