PDF Signature fails verification
I'm using iTextSharp.LGPLv2 to sign PDF documents (The only available option for .Net Core right now). I'm able to produce a signature but most readers reject it.
You can download the file: https://www.dropbox.com/s/ns35fdi5tyq52cw/blank.bs.pdf?dl=0
Few important issues:
I'm kind of puzzled here and I'll be glad to hear any suggestions/hints/directions.
There are (at least) two errors in the signature:
Mismatch in document hash:
The SHA256 hash of the signed byte ranges is
69CF153087670FC5D450FF23675C207BB9659A235A465202F5802ABED7BA7C21
but your signature container claims it is
93D5804C1A9A31B17F041DE79FB1CD598E1FCC7CDC2A37885CD0502D4FCBB5A6
which explains why validators assume that the document has been altered.
Mismatch in hash of signed attributes:
The SHA256 hash of the signed attributes of the SignerInfo in your CMS signature container is
C84C6600F5E11291AAD8240239B7DC09FC00BD6A9056B6BBF584E8D46C8CEBE5
but the hash value in your SHA256withRSA signature value is
93D5804C1A9A31B17F041DE79FB1CD598E1FCC7CDC2A37885CD0502D4FCBB5A6
which would make validation fail even if the document hash (see above) would match.
Incidentally this hash in the signature value is identical to your claimed (incorrect) document hash value.
The latter mismatch probably is caused by you signing the wrong data.
The former mismatch may be due to some error in your code calculating the hash of the signed byte ranges, or it might be due to the signed data actually being manipulated.
To further analyze the problem, your signing code would be required.
PS: There also is at least one error in your certificate, it has a negative serial number.
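The two comparisons made in the answer above can be reproduced with a short script. This is an added example, not code from the original question or answer: `byte_range_digest`, `diagnose` and `make_sample` are hypothetical helpers, the sample PDF bytes are constructed, and the four digests are the ones quoted in the answer.

```python
import hashlib
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def byte_range_digest(pdf: bytes) -> str:
    """SHA-256 (hex) over the signed ranges of the first signature found.
    The gap between the ranges holds /Contents and is never hashed."""
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    if off1 != 0 or off2 < len1 or off2 + len2 > len(pdf):
        raise ValueError("implausible /ByteRange")
    return hashlib.sha256(pdf[:len1] + pdf[off2:off2 + len2]).hexdigest()

def diagnose(range_digest, claimed_digest, attrs_digest, digest_in_sig):
    """Compare the four hex digests the answer distinguishes."""
    rng, msg, attrs, sig = (d.lower() for d in
                            (range_digest, claimed_digest, attrs_digest, digest_in_sig))
    findings = []
    if rng != msg:
        findings.append("document hash mismatch")
    if attrs != sig:
        findings.append("signed attributes hash mismatch")
        if sig == msg:
            findings.append("signature value covers the document hash")
    return findings

def make_sample() -> bytes:
    """Constructed PDF-like bytes with a fixed-width /ByteRange and a zeroed gap."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    gap = b"<" + b"0" * 64 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    n = len(head % (0, 0, 0))
    return head % (n, n + len(gap), len(tail)) + gap + tail

# Digests quoted in the answer above, in the order diagnose() expects.
PAGE_DIGESTS = (
    "69CF153087670FC5D450FF23675C207BB9659A235A465202F5802ABED7BA7C21",
    "93D5804C1A9A31B17F041DE79FB1CD598E1FCC7CDC2A37885CD0502D4FCBB5A6",
    "C84C6600F5E11291AAD8240239B7DC09FC00BD6A9056B6BBF584E8D46C8CEBE5",
    "93D5804C1A9A31B17F041DE79FB1CD598E1FCC7CDC2A37885CD0502D4FCBB5A6",
)

if __name__ == "__main__":
    print(byte_range_digest(make_sample()))
    for finding in diagnose(*PAGE_DIGESTS):
        print(finding)
```

Changing bytes inside the `/Contents` gap leaves the digest unchanged, while changing any byte in the signed ranges alters it, which is why a validator reports the document as altered when the first comparison fails.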