
How to create PAdES using an offline signature and OCSP response

I'm stumped trying to figure out the Esig DSS Java suite just from the docs and source (the eu.europa.esig.dss.* tree).

We connect to Swedish BankID to sign PDFs and simple plain texts. The response is a SOAP XML with fields for the signature and an OCSP response.

The end goal is to combine these two parts into a single object, "a valid signature", that can be embedded in a PDF (using DSS and PDFBox).

The contents of the BankID SOAP fields seem to have the right format for the DSS tools:

The signature can be loaded with

// Imports assume the DSS 5.x package layout (eu.europa.esig.dss.*); later releases moved these classes.
import eu.europa.esig.dss.DSSDocument;
import eu.europa.esig.dss.InMemoryDocument;
import eu.europa.esig.dss.validation.AdvancedSignature;
import eu.europa.esig.dss.validation.SignedDocumentValidator;

// xmlSignature: byte[] taken from the signature field of the BankID SOAP response
DSSDocument sigDoc = new InMemoryDocument(xmlSignature);
SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(sigDoc);
// ... (validator setup omitted in the original post)
AdvancedSignature advancedSignature = documentValidator.getSignatures().get(0);

and the OCSP response can be read with

// Imports assume the DSS 5.x package layout; BasicOCSPResp comes from Bouncy Castle.
import eu.europa.esig.dss.x509.ocsp.ExternalResourcesOCSPSource;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;

// ocspBytes: the DER-encoded OCSP response taken from the custom SOAP field
ExternalResourcesOCSPSource source = new ExternalResourcesOCSPSource(ocspBytes);
BasicOCSPResp basicOCSPResp = source.getContainedOCSPResponses().get(0);

I can print out various info from the objects, find embedded certificates etc., so the format seems legit.

Question: How do I get a valid OCSPToken from the ExternalResourcesOCSPSource?

I keep running in circles trying to combine the two into a single AdvancedSignature (if that's what I can use to embed into a PDF).

An advanced digital signature provided by a third system cannot be used to create a valid signed PDF.

A PAdES signature is always enveloped in a PDF document, so it is not possible for the signature service to be returning a detached PAdES signature that is considered valid by DSS.

It probably provides a detached CAdES or XAdES signature in the SOAP message that can be processed by DSS (DSS provides a high-level API to sign documents using the XAdES, CAdES, PAdES and ASiC-S formats).

Both formats support embedding OCSP responses, but that requires adding a timestamp too, which makes the final format more difficult to build. That could be the reason for using a custom field in the SOAP message to return the OCSP response.

XAdES and PAdES are conceptually similar but structurally different. A XAdES signature is XML and PAdES is binary. An XML signature cannot be converted to PAdES.

PAdES and CAdES use CMS; both are binary and use ASN.1 syntax. But the signed message is different: a CAdES signature is calculated over the entire document (and some other attributes), while PAdES uses certain data of the PDF document. Therefore a CAdES signature cannot be converted to PAdES either.
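The structural point made in the answer above (a PAdES signature covers the PDF bytes declared by /ByteRange, i.e. everything except the /Contents slot, while a detached CAdES signature covers the entire file) can be made concrete by computing both digests. The Python below is an added example; it is not part of the original question or answer and is not DSS code. The PDF-like byte string it builds is constructed for the demonstration and is not a valid, renderable PDF; the offsets, the hex placeholder and the fake signature value are all assumptions. It goes slightly beyond the answer by also including the /ByteRange coverage check a verifier has to perform, since any byte outside the two ranges is unsigned.

```python
import hashlib
import re
from typing import Tuple

# Constructed PDF-like byte string (not a real PDF): just enough structure to show which
# bytes a PAdES signature covers. The /ByteRange digits are fixed-width so writing the real
# offsets into the placeholder does not move any byte in the file.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample_pdf(cms_hex: bytes = b"00" * 64) -> bytes:
    """Build the sample file with `cms_hex` placed in the /Contents slot.

    The slot (including the '<' and '>' delimiters) is the only part excluded from
    the signed ranges, which is why signing fills it in without changing the digest.
    """
    template = (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
        b"/ByteRange [0000000000 0000000000 0000000000 0000000000]\n"
        b"/Contents <" + cms_hex + b"> >>\nendobj\n"
        b"trailer\n<< /Root 2 0 R >>\n%%EOF\n"
    )
    start = template.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    end = template.index(b">", start) + 1                           # one past '>'
    fields = (0, start, end, len(template) - end)
    filled = b"/ByteRange [" + b" ".join(b"%010d" % v for v in fields) + b"]"
    return BYTE_RANGE_RE.sub(filled, template, count=1)


def parse_byte_range(pdf: bytes) -> Tuple[int, int, int, int]:
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    o1, l1, o2, l2 = (int(g) for g in m.groups())
    return o1, l1, o2, l2


def byte_range_is_sound(pdf: bytes) -> bool:
    """Verifier check: the two ranges must cover the whole file except the hex string.

    If bytes exist outside the ranges (e.g. content appended after signing), they are
    not protected by the signature, so a verifier must reject the /ByteRange.
    """
    o1, l1, o2, l2 = parse_byte_range(pdf)
    if o1 != 0 or o1 + l1 > o2 or o2 + l2 != len(pdf):
        return False
    gap = pdf[o1 + l1:o2]
    return re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None


def pades_signed_data(pdf: bytes) -> bytes:
    """The bytes a PAdES (ETSI.CAdES.detached) signature is computed over."""
    o1, l1, o2, l2 = parse_byte_range(pdf)
    return pdf[o1:o1 + l1] + pdf[o2:o2 + l2]


def pades_digest(pdf: bytes) -> str:
    return hashlib.sha256(pades_signed_data(pdf)).hexdigest()


def cades_detached_digest(document: bytes) -> str:
    """Digest a detached CAdES signature over a document is computed on: every byte."""
    return hashlib.sha256(document).hexdigest()


if __name__ == "__main__":
    unsigned = build_sample_pdf()                 # slot still holds the zero placeholder
    signed = build_sample_pdf(b"ab" * 64)         # same-length fake CMS value written in
    print("ByteRange sound:", byte_range_is_sound(signed))
    print("PAdES digest unchanged by filling the slot:",
          pades_digest(unsigned) == pades_digest(signed))
    print("whole-file digest changed by filling the slot:",
          cades_detached_digest(unsigned) != cades_detached_digest(signed))
    print("ByteRange sound after appending bytes:",
          byte_range_is_sound(signed + b"% appended after signing\n"))
```

The PAdES digest is identical before and after the signature value is written into /Contents, because the slot is outside the signed ranges; the digest over the whole file is not. A detached CAdES signature received from a signing service is therefore over different bytes than any PAdES signature on the same PDF could be, which is the answer's point. The coverage check also shows why a verifier cannot simply trust /ByteRange: bytes appended after the second range would otherwise go unsigned.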
