已启用 iText LTV - 如何添加更多 CRL?
iText LTV enabled - how to add more CRLs?
我需要启用签名的 pdf LTV。签名证书具有三个级别的链(root / public / personal)。我知道需要在pdf中添加证书的OCSP和CRL(root除外)。
我可以使用基本的 LtvVerification.addVerification() 方法吗?
如果我添加一个 运行 两个 CRL,结果 PDF 只有一秒钟。如果我改变顺序,还有一秒钟吗?
如果我在两个 运行 中添加 CRL,它将以相同的方式结束 - 在 pdf 中仍然是第二个添加的 CRL。
我以为 "add" 不会覆盖以前的状态..
如何正确使用方法LtvVerification.merge()? Before/after 添加 first/second/both CRL?
或者我只能使用替代方法LtvVerification.addVerification(String signatureName, Collection ocsps, Collection crls, Collection certs)?
非常感谢您的提示。
源代码:
public void addLtv(String src, String dest) throws IOException, DocumentException, GeneralSecurityException
{
BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
PdfReader r = new PdfReader(src);
System.out.println("Source file: " + src);
FileOutputStream fos = new FileOutputStream(dest);
PdfStamper stp = new PdfStamper(r, fos, '[=10=]', true);
LtvVerification v = stp.getLtvVerification();
AcroFields fields = stp.getAcroFields();
ArrayList<String> names = fields.getSignatureNames();
String sigName = names.get(names.size() - 1);
System.out.println("found signature: " + sigName);
PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
//add LTV
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crlClient1 = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl");
ArrayList<CrlClient> crllist = new ArrayList<CrlClient>();
crllist.add(crlClient1);
CrlClient crlClient2 = new CrlClientOnline("http://www.postsignum.cz/crl/pspublicca2.crl");
crllist.add(crlClient2);
System.out.println("crllist.size=" + crllist.size());
if (pkcs7.isTsp())
{
for (CrlClient crlclient : crllist)
{
if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlclient,
LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO)) {
System.out.println("crl " + crlclient.toString() + " added to timestamp");
}
}
} else{
for (String name : names)
{
for (int i = 0; i < crllist.size(); i++) {
if (v.addVerification(name, ocsp, crllist.get(i),
LtvVerification.CertificateOption.WHOLE_CHAIN,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO)) {
System.out.println("crl " + crllist.get(i).toString() + " added to " + name);
}
if (i > 0) {
System.out.println("found verification, merge");
v.merge();
}
}
}
}
stp.close();
}
如果您想向 LtvVerification.addVerification 提供多个 CRL,您 不会 为每个 CRL 调用该方法一次 但是所有 CRL 一次。
为此 CrlClientOnline 也接受多个 URL:
/**
* Creates a CrlClientOnline instance using one or more URLs.
*/
public CrlClientOnline(String... crls)
因此,通过改用此构造函数,我们简化并修复了您的代码
PdfReader r = new PdfReader(src);
FileOutputStream fos = new FileOutputStream(dest);
PdfStamper stp = new PdfStamper(r, fos, '[=11=]', true);
LtvVerification v = stp.getLtvVerification();
AcroFields fields = stp.getAcroFields();
ArrayList<String> names = fields.getSignatureNames();
String sigName = names.get(names.size() - 1);
System.out.println("found signature: " + sigName);
PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
//add LTV
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crlClient = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl", "http://www.postsignum.cz/crl/pspublicca2.crl");
if (pkcs7.isTsp())
{
if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlClient,
LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO))
{
System.out.println("crl " + crlClient.toString() + " added to timestamp");
}
}
else
{
for (String name : names)
{
if (v.addVerification(name, ocsp, crlClient,
LtvVerification.CertificateOption.WHOLE_CHAIN,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO))
{
System.out.println("crl " + crlClient.toString() + " added to " + name);
}
}
}
stp.close();
(AddLtvCrls.java,方法addLtvFixed)
将其应用于您的示例文件,我们得到:
对于某些背景,LtvVerification.addVerification 将它所拥有的信息存储为 相关签名所需的验证信息。多次调用它只会产生最后一次计数尝试的信息。
调用 LtvVerification.merge 在这里也没有帮助,因为它只是将旧版本中不同签名所需的验证信息合并到新的验证相关信息部分。
我需要启用签名的 pdf LTV。签名证书具有三个级别的链(root / public / personal)。我知道需要在pdf中添加证书的OCSP和CRL(root除外)。
我可以使用基本的 LtvVerification.addVerification() 方法吗? 如果我添加一个 运行 两个 CRL,结果 PDF 只有一秒钟。如果我改变顺序,还有一秒钟吗? 如果我在两个 运行 中添加 CRL,它将以相同的方式结束 - 在 pdf 中仍然是第二个添加的 CRL。 我以为 "add" 不会覆盖以前的状态..
如何正确使用方法LtvVerification.merge()? Before/after 添加 first/second/both CRL?
或者我只能使用替代方法LtvVerification.addVerification(String signatureName, Collection ocsps, Collection crls, Collection certs)?
非常感谢您的提示。
源代码:
public void addLtv(String src, String dest) throws IOException, DocumentException, GeneralSecurityException
{
BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
PdfReader r = new PdfReader(src);
System.out.println("Source file: " + src);
FileOutputStream fos = new FileOutputStream(dest);
PdfStamper stp = new PdfStamper(r, fos, '[=10=]', true);
LtvVerification v = stp.getLtvVerification();
AcroFields fields = stp.getAcroFields();
ArrayList<String> names = fields.getSignatureNames();
String sigName = names.get(names.size() - 1);
System.out.println("found signature: " + sigName);
PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
//add LTV
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crlClient1 = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl");
ArrayList<CrlClient> crllist = new ArrayList<CrlClient>();
crllist.add(crlClient1);
CrlClient crlClient2 = new CrlClientOnline("http://www.postsignum.cz/crl/pspublicca2.crl");
crllist.add(crlClient2);
System.out.println("crllist.size=" + crllist.size());
if (pkcs7.isTsp())
{
for (CrlClient crlclient : crllist)
{
if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlclient,
LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO)) {
System.out.println("crl " + crlclient.toString() + " added to timestamp");
}
}
} else{
for (String name : names)
{
for (int i = 0; i < crllist.size(); i++) {
if (v.addVerification(name, ocsp, crllist.get(i),
LtvVerification.CertificateOption.WHOLE_CHAIN,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO)) {
System.out.println("crl " + crllist.get(i).toString() + " added to " + name);
}
if (i > 0) {
System.out.println("found verification, merge");
v.merge();
}
}
}
}
stp.close();
}
如果您想向 LtvVerification.addVerification 提供多个 CRL,您 不会 为每个 CRL 调用该方法一次 但是所有 CRL 一次。
为此 CrlClientOnline 也接受多个 URL:
/**
* Creates a CrlClientOnline instance using one or more URLs.
*/
public CrlClientOnline(String... crls)
因此,通过改用此构造函数,我们简化并修复了您的代码
PdfReader r = new PdfReader(src);
FileOutputStream fos = new FileOutputStream(dest);
PdfStamper stp = new PdfStamper(r, fos, '[=11=]', true);
LtvVerification v = stp.getLtvVerification();
AcroFields fields = stp.getAcroFields();
ArrayList<String> names = fields.getSignatureNames();
String sigName = names.get(names.size() - 1);
System.out.println("found signature: " + sigName);
PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
//add LTV
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crlClient = new CrlClientOnline("http://www.postsignum.cz/crl/psrootqca2.crl", "http://www.postsignum.cz/crl/pspublicca2.crl");
if (pkcs7.isTsp())
{
if (v.addVerification(sigName, new OcspClientBouncyCastle(), crlClient,
LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO))
{
System.out.println("crl " + crlClient.toString() + " added to timestamp");
}
}
else
{
for (String name : names)
{
if (v.addVerification(name, ocsp, crlClient,
LtvVerification.CertificateOption.WHOLE_CHAIN,
LtvVerification.Level.CRL,
LtvVerification.CertificateInclusion.NO))
{
System.out.println("crl " + crlClient.toString() + " added to " + name);
}
}
}
stp.close();
(AddLtvCrls.java,方法addLtvFixed)
将其应用于您的示例文件,我们得到:
对于某些背景,LtvVerification.addVerification 将它所拥有的信息存储为 相关签名所需的验证信息。多次调用它只会产生最后一次计数尝试的信息。
调用 LtvVerification.merge 在这里也没有帮助,因为它只是将旧版本中不同签名所需的验证信息合并到新的验证相关信息部分。