{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 The star\" 的问题《In Itext 7, how to get the range stream to sign a》','https://www.manongdao.com/q-244810.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to migrate my application from iText 5.5.9 to iText 7 and I have a problem with signing a document on the server using a signature created on the client (described in the Digital Signatures for PDF documents).
As the getRangeStream() method isn't public anymore as it was in iText 5.5.9, how can I obtain a reference to the range stream?
getRangeStreamis not the only method that was refactored fromPdfSignatureAppearancetoPdfSignerand madeprotectedon that way. The same problem exists for other methods, too, likepreCloseandclosewhich are also methods used in thePreSignandPostSignservlets from Digital Signatures for PDF documents which you seem to use or at least borrow code from.This, as I presume, has been done to make iText 7 users use the
signDeferred,signDetached, andsignExternalContainermethods which usually are sufficient for signing applications and "do it correctly", i.e. use the other, now not anymore public methods in a way that creates valid signatures.The
PreSignandPostSignservlets as they are unfortunately cannot use those three methods, they actually are like thesignDetachedcode ripped in two halves with the relevant local variables stored in the HTTP session.Thus, you essentially have two choices:
Use the protected methods nonetheless
Unless I overlooked something, this can even be done by deriving your own signer class from
PdfSignerand making those methods and probably member variables publicly accessibly again; using reflection magic at first sight doesn't seem necessary.Change the
PreSignandPostSignservlet architectureIf you could switch from keeping those signing related objects in memory (referenced via the HTTP session) to merely keeping an intermediary PDF file in memory or even on disk and probably the half-baked signature container in memory, you could proceed like this:
Replace the
PreSignservlet by a servlet that "signs" the PDF usingPdfSigner.signExternalContainerwith aIExternalSignatureContainerimplementation that merely provides a dummy signature, e.g.new byte[0].This
IExternalSignatureContainerretrieves the sought-for range stream as parameter of itssignmethod, so it can calculate the range stream hash.Now the PDF with the dummy signature can be saved to disk or held in memory. And based on the range stream hash you can continue constructing and feeding the
PdfPKCS7instance as before. And hold that in memory, e.g. referenced from the HTTP session.Replace the
PostSignservlet by a servlet that as before finishes feeding thePdfPKCS7instance and generates a CMS signature container. Then inject this container into the saved PDF using thePdfSigner.signDeferredmethod.Alternatively you could even move the whole CMS signature container creation to the client. In that case all the session has to remember is where the intermediary PDF is stored...
Some inspiration may come from the C4_09_DeferredSigning.java iText 7 example.