使用iText锁定pdf

Question

我最近尝试迁移到iText7，但是遇到了一些问题。 我已经有一个PDF，并且我试图锁定和限制对此PDF的权限。 我对itext5使用了相同的方法，但是结果不一样。 更准确地说：

1. 我用了

    PdfWriter writer = new PdfWriter(fos, new WriterProperties() .setPublicKeyEncryption(chain, new int[EncryptionConstants.ALLOW_DEGRADED_PRINTING], EncryptionConstants.ENCRYPTION_AES_256)); 

但是什么都没发生，然后我尝试

2。

PdfWriter writer = new PdfWriter(fos, new WriterProperties()
            .setStandardEncryption("lala".getBytes(), "lala".getBytes(),
             EncryptionConstants.ALLOW_PRINTING | EncryptionConstants.ENCRYPTION_AES_256,
                    EncryptionConstants.ENCRYPTION_AES_256));

再也没有发生任何事情。 你碰巧知道一些吗？

该方法的完整代码：

 public void signPDF(InputStream inputStream, HttpServletResponse response) {
        LOG.debug("Inside signPDF...");
        Security.addProvider(new BouncyCastleProvider());
        try(OutputStream os = response.getOutputStream();
            PdfReader reader = new PdfReader(inputStream);
            PdfWriter writer = new PdfWriter(os, new WriterProperties().setStandardEncryption(null, "test".getBytes(), EncryptionConstants.ALLOW_PRINTING,
                    EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA))) {
            KeyStore ks = KeyStore.getInstance("pkcs12");
            ks.load(new FileInputStream(p12Path), keystorePassword.toCharArray());
            String alias = ks.aliases().nextElement();
            PrivateKey pk = (PrivateKey) ks.getKey(alias, keystorePassword.toCharArray());
            Certificate[] chain = ks.getCertificateChain(alias);
            BouncyCastleProvider provider = new BouncyCastleProvider();
            ITSAClient tsc = new TSAClientBouncyCastle(tsaClient, "", "");
            PdfSigner signer = new PdfSigner(reader, writer.getOutputStream(), true);
            PdfSignatureAppearance appearance = signer.getSignatureAppearance()
                    .setReason("Sign")
                    .setLocation("Test")
                    .setReuseAppearance(false);
            signer.setFieldName("sig");
            IExternalSignature pks = new PrivateKeySignature(pk, DigestAlgorithms.SHA256, provider.getName());
            IExternalDigest digest = new BouncyCastleDigest();
            System.out.println(signer.getDocument().getNumberOfPages());
            addWatermark(appearance,signer);
            signer.signDetached(digest, pks, chain, null, null, tsc, 0, PdfSigner.CryptoStandard.CMS);

        } catch (Exception e) {
            LOG.error("Error while writing to outputstream",e);
        }
    }

现在已签名，具有水印，但未锁定（即复制内容）

Answer 1

目前，iText 7中的签名和加密是通过两个单独的步骤完成的，第一步是对文件进行加密，第二步是对该加密文件进行签名，以保持加密完整。

在尝试中，您创建了带有加密信息的PdfWriter和带有签名信息的PdfSigner 。 但是，由于您的PdfWriter未被任何PdfDocument使用，因此加密信息会丢失，因此只会进行签名。

要同时加密和签名，只需先加密PDF，例如使用类似

void encrypt(InputStream source, OutputStream target, byte[] password) throws IOException {
    PdfReader reader = new PdfReader(source);
    PdfWriter writer = new PdfWriter(target, new WriterProperties().setStandardEncryption(null, password,
            EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA));
    new PdfDocument(reader, writer).close();
}

（一个EncryptAndSign方法）

然后签署这个加密的PDF，例如使用类似

void sign(InputStream original, OutputStream result, String name, CryptoStandard subfilter,
        int certificationLevel, boolean isAppendMode, byte[] password) throws IOException, GeneralSecurityException {
    String reason = "Just another illusionary reason";
    String location = "Right around the corner";
    boolean setReuseAppearance = false;
    String digestAlgorithm = "SHA512";
    ITSAClient tsc = null;

    PdfReader reader = new PdfReader(original, new ReaderProperties().setPassword(password));
    PdfSigner signer = new PdfSigner(reader, result, isAppendMode);

    signer.setCertificationLevel(certificationLevel);

    // Creating the appearance
    signer.getSignatureAppearance()
          .setReason(reason)
          .setLocation(location)
          .setReuseAppearance(setReuseAppearance);

    signer.setFieldName(name);

    // Creating the signature
    IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, BouncyCastleProvider.PROVIDER_NAME);
    signer.signDetached(new BouncyCastleDigest(), pks, chain, null, null, tsc, 0, subfilter);
}

（一个EncryptAndSign方法）

像您的代码中那样确定pk和chain 。

然后结合这些方法，例如这样

try (   InputStream resourceStream = ...;
        OutputStream encryptedResult = new FileOutputStream(encryptedFile)  ) {
    encrypt(resourceStream, encryptedResult, password);
}

try (   InputStream encryptedSource = new FileInputStream(encryptedFile);
        OutputStream signedResult = new FileOutputStream(signedFile)) {
    sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}

（ EncryptAndSign测试testEncryptAndSignLefterisBab ）

或者，如果您要写入响应并且不想在文件系统中使用中间文件，请执行以下操作：

byte[] encrypted = null;

try (   InputStream resourceStream = ...;
        OutputStream encryptedResult = new ByteArrayOutputStream()  ) {
    encrypt(resourceStream, encryptedResult, password);
    encrypted = encryptedResult.toByteArray();
}

try (   InputStream encryptedSource = new ByteArrayInputStream(encrypted);
        OutputStream signedResult = response.getOutputStream()   ) {
    sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}