Certifying Pdf document with iText

2019-09-02 18:43发布

问题:

I can sign my pdf and verify it by adding my smith.crt to be trusted in adobe reader (i get the green check mark) , my problem is certifying my pdf, i can not get the blue ribbon in the top left corner of my pdf, is it because i use the self-signed certificate?
I get the message:

The validity of the document certification is UNKNOWN. The author could not be verified.

Can you please help me out, how can I get that blue ribbon?

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;



import org.bouncycastle.jce.provider.BouncyCastleProvider;



import com.itextpdf.text.Document;
import com.itextpdf.text.DocumentException;
import com.itextpdf.text.Paragraph;
import com.itextpdf.text.Rectangle;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.PdfWriter;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.ExternalDigest;
import com.itextpdf.text.pdf.security.ExternalSignature;
import com.itextpdf.text.pdf.security.MakeSignature.CryptoStandard;
import com.itextpdf.text.pdf.security.PrivateKeySignature;
import com.itextpdf.text.pdf.security.MakeSignature;


public class SO  {

    public static String ORIGINAL = "src/test.pdf";
    public static String SIGNED1 = "src/signedtest.pdf";

    public void createPdf(String filename) throws IOException, DocumentException {
        Document document = new Document();
        PdfWriter.getInstance(document, new FileOutputStream(filename));
        document.open();
        document.add(new Paragraph("Test!"));
        document.close();
    }


    public void signPdf(String src, String dest)
        throws IOException, DocumentException, GeneralSecurityException {
        String path = "src/keyS";
        String keystore_password = "SOSOSO";
        String key_password = "SOSOSO";
        String alias = "SO";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new FileInputStream(path), keystore_password.toCharArray());
        PrivateKey pk = (PrivateKey) ks.getKey(alias, key_password.toCharArray());
        Certificate[] chain = ks.getCertificateChain(alias);
        // reader / stamper
        PdfReader reader = new PdfReader(src);
        FileOutputStream os = new FileOutputStream(dest);
        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0', null, true);
        // appearance
        PdfSignatureAppearance appearance = stamper
                .getSignatureAppearance();


        appearance.setReason("Test");
        appearance.setLocation("Test st.");
        appearance.setVisibleSignature(new Rectangle(350, 750, 500, 800), 1, "first");
        appearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);

        // digital signature
        ExternalSignature es = new PrivateKeySignature(pk, "SHA-256", "BC");
        ExternalDigest digest = new BouncyCastleDigest();
        MakeSignature.signDetached(appearance, digest, es, chain, null, null, null, 0, CryptoStandard.CMS);

    }

    public static void main(String[] args)
        throws IOException, DocumentException, GeneralSecurityException {
        Security.addProvider(new BouncyCastleProvider());
        SO potpis = new SO();
        potpis.createPdf(ORIGINAL);
        potpis.signPdf(ORIGINAL, SIGNED1);

    }
}

回答1:

Verification requires a CA (Certification Authority). When you copy the document to a new site (customer's computer), it will perform verification by going through the trusted CA store. There, it cannot find you and verification fails.

You may try and register yourself as a Trusted CA, but it is for the only purpose to test your code in a development environment.

To have the real thing, you must use a Trusted CA that is already registered at the new site (customer's computer). Generally, on the Internet at large this means you need a REAL CA (VeriSign or similar).

More about installing a Trusted CA on your computer: How to install a Trusted Root CA Certificates

Again, this latter option will give you the blue ribbon on your site (development machine) but not on any other site (customer's computer).