
Java: LTV-enabled signatures for PDF

As far as I know, there are two methods:

  • Adding a DSS dictionary
  • Embedding the CRLs or OCSP responses in the signature at signing time

The DSS approach seems to work; Adobe recognizes the signature as LTV-enabled. The second method would suit our application better, so I am still trying to get it working. I ran into problems adding the OCSP response to the signature, so I only tried adding the certificates and the CRLs. Correct me if I am wrong, but as far as I know either a CRL or an OCSP response should be added to the signature; both are not needed, are they? I collect the signing certificate and its root certificate, as well as the TSA certificate and its root certificate. After that, I fetch all the CRLs. All of this is added before signing and timestamping. Adding only the certificates and the CRLs does not seem to work, because Adobe does not recognize the signature as LTV-enabled. I really don't understand what I am doing wrong, so any help is greatly appreciated.

import org.bouncycastle.cert.jcajce.JcaCRLStore;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.util.Store;

// gen is a CMSSignedDataGenerator; crls and certList hold the collected CRLs and certificates
Store crlStore = new JcaCRLStore(crls);
gen.addCRLs(crlStore);
Store certStore = new JcaCertStore(certList);
gen.addCertificates(certStore);

1 answer in total

  1. Answer #1

    The mistake is that you put the CRLs into the CMS signature container element that is normally used for CRLs. In the case of integrated PDF signatures, however, things are different; here the CRLs should go into a special signed attribute.

    See ISO 32000-1, which already specifies that attribute:

    The PKCS#7 object should contain the following:

    ...

    • Revocation information as a signed attribute (PDF 1.6): This attribute may include all the revocation information that is necessary to carry out revocation checks for the signer's certificate and its issuer certificates. Since revocation information is a signed attribute, it must be obtained before the computation of the digital signature. This means that the software used by the signer must be able to construct the certification path and the associated revocation information. If one of the elements cannot be obtained (e.g. no connection is possible), a signature with this attribute will not be possible.

    ...

    12.8.3.3.2 Revocation Information

    The adbe Revocation Information attribute:

    adbe-revocationInfoArchival OBJECT IDENTIFIER ::=
                                  { adbe(1.2.840.113583) acrobat(1) security(1) 8 }
    

    The value of the revocation information attribute can include any of the following data types:

    • Certificate Revocation Lists (CRLs), described in RFC 3280 (see the Bibliography): CRLs are generally large and therefore should not be embedded in the PKCS#7 object.
    • Online Certificate Status Protocol (OCSP) Responses, described in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol — OCSP (see the Bibliography): These are generally small and constant in size and should be the data type included in the PKCS#7 object.
    • Custom revocation information: The format is not prescribed by this specification, other than that it be encoded as an OCTET STRING. The application should be able to determine the type of data contained within the OCTET STRING by looking at the associated OBJECT IDENTIFIER.

    adbe's Revocation Information attribute value has ASN.1 type RevocationInfoArchival:

    RevocationInfoArchival ::= SEQUENCE {
      crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
      ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
      otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
    }
    OtherRevInfo ::= SEQUENCE {
      Type OBJECT IDENTIFIER
      Value OCTET STRING
    }
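The following is an added example (not code from the question or the answer above) showing how the RevocationInfoArchival structure quoted above can be built with BouncyCastle and attached as a signed attribute of the SignerInfo, instead of calling gen.addCRLs(). It assumes the bcprov/bcpkix jars; the class and method names (AdbeRevocationInfoArchival, buildRevocationInfoArchival, signDetachedWithArchival) and the parameters (the signing key and certificate, the certificate chain, the fetched CRLs, and DER-encoded OCSPResponse structures) are placeholders for the values the asker already collects. Writing the resulting CMS blob into the /Contents of the PDF signature dictionary is left to the PDF library in use.

```java
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.List;

import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

// Hypothetical helper class written for this example; not part of the original post.
public final class AdbeRevocationInfoArchival {

    // adbe-revocationInfoArchival ::= { adbe(1.2.840.113583) acrobat(1) security(1) 8 }
    static final ASN1ObjectIdentifier ADBE_REVOCATION_INFO_ARCHIVAL =
            new ASN1ObjectIdentifier("1.2.840.113583.1.1.8");

    /*
     * Builds the attribute value:
     *   RevocationInfoArchival ::= SEQUENCE {
     *     crl  [0] EXPLICIT SEQUENCE OF CertificateList OPTIONAL,
     *     ocsp [1] EXPLICIT SEQUENCE OF OCSPResponse    OPTIONAL }
     * The otherRevInfo [2] alternative is not emitted here.
     * ocspResponses holds complete DER-encoded OCSPResponse structures (the outer
     * OCSPResponse, not a bare BasicOCSPResponse).
     */
    static Attribute buildRevocationInfoArchival(List<X509CRL> crls, List<byte[]> ocspResponses)
            throws Exception {
        ASN1EncodableVector archival = new ASN1EncodableVector();
        if (!crls.isEmpty()) {
            ASN1EncodableVector crlSeq = new ASN1EncodableVector();
            for (X509CRL crl : crls) {
                crlSeq.add(CertificateList.getInstance(crl.getEncoded()));
            }
            archival.add(new DERTaggedObject(true, 0, new DERSequence(crlSeq)));   // crl [0] EXPLICIT
        }
        if (!ocspResponses.isEmpty()) {
            ASN1EncodableVector ocspSeq = new ASN1EncodableVector();
            for (byte[] der : ocspResponses) {
                ocspSeq.add(OCSPResponse.getInstance(der));
            }
            archival.add(new DERTaggedObject(true, 1, new DERSequence(ocspSeq)));  // ocsp [1] EXPLICIT
        }
        if (archival.size() == 0) {
            // The attribute is signed, so all revocation data must exist before the signature
            // is computed; refuse to sign rather than emit an empty attribute.
            throw new IllegalStateException("no revocation information available before signing");
        }
        // A CMS attribute carries its value inside a SET; the single element is the SEQUENCE above.
        return new Attribute(ADBE_REVOCATION_INFO_ARCHIVAL, new DERSet(new DERSequence(archival)));
    }

    /*
     * Produces a detached CMS SignedData over signedContent (the PDF byte range) whose SignerInfo
     * carries adbe-revocationInfoArchival among its signed attributes. The CRLs are deliberately
     * NOT placed into SignedData.crls via gen.addCRLs().
     */
    static byte[] signDetachedWithArchival(byte[] signedContent,
                                            PrivateKey signingKey,
                                            X509Certificate signingCert,
                                            List<X509Certificate> chain,
                                            List<X509CRL> crls,
                                            List<byte[]> ocspResponses) throws Exception {
        Attribute archival = buildRevocationInfoArchival(crls, ocspResponses);

        // DefaultSignedAttributeTableGenerator adds contentType, messageDigest and signingTime
        // itself and keeps the attributes it is seeded with, so ours is covered by the signature.
        AttributeTable extraSignedAttrs = new AttributeTable(archival);

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(signingKey);
        JcaSignerInfoGeneratorBuilder siBuilder = new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build());
        siBuilder.setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(extraSignedAttrs));

        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(siBuilder.build(signer, signingCert));
        gen.addCertificates(new JcaCertStore(chain));  // certificates may stay in SignedData.certificates

        CMSSignedData signedData = gen.generate(new CMSProcessableByteArray(signedContent), false);
        return signedData.getEncoded();
    }
}
```

Two points from the quoted specification text shape the design: the attribute is a signed attribute, so every CRL or OCSP response has to be fetched before the signature value is computed (hence the refusal to sign with nothing collected), and OCSP responses are the preferred payload because CRLs can make the CMS object large. Calling signDetachedWithArchival with an empty ocspResponses list and the fetched CRLs reproduces the asker's CRL-only variant, now in the attribute the answer points to.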