iText adding ltv info
I'm trying to 'complete to ltv' an already signed pdf, and I found this code using itext:
http://developers.itextpdf.com/question/how-enable-ltv-timestamp-signature
    public void addLtv(String src, String dest, OcspClient ocsp, CrlClient crl, TSAClient tsa)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader r = new PdfReader(src);
        FileOutputStream fos = new FileOutputStream(dest);
        // '\0' keeps the PDF version of the source; 'true' appends a new revision
        // so the existing signatures stay intact.
        PdfStamper stp = PdfStamper.createSignature(r, fos, '\0', null, true);
        LtvVerification v = stp.getLtvVerification();
        AcroFields fields = stp.getAcroFields();
        List<String> names = fields.getSignatureNames();
        String sigName = names.get(names.size() - 1);
        PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
        if (pkcs7.isTsp()) {
            // The last signature is a document timestamp: add validation data for it only.
            v.addVerification(sigName, ocsp, crl,
                    LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
                    LtvVerification.Level.OCSP_CRL,
                    LtvVerification.CertificateInclusion.NO);
        } else {
            // Otherwise add validation data for the whole chain of every signature.
            for (String name : names) {
                v.addVerification(name, ocsp, crl,
                        LtvVerification.CertificateOption.WHOLE_CHAIN,
                        LtvVerification.Level.OCSP_CRL,
                        LtvVerification.CertificateInclusion.NO);
            }
        }
        // Apply a document timestamp over the revision that carries the DSS.
        PdfSignatureAppearance sap = stp.getSignatureAppearance();
        LtvTimestamp.timestamp(sap, tsa, null);
    }
I read that it has a 'problem' with Adobe, because the applied timestamp is not recognized as LTV-enabled, and it is suggested to apply a new dss to fix this.
My questions:
- Can this info be added before applying the timestamp? If I'm adding a dss to complete, I could add TSA timestamp info (ocsp, crl...) too (maybe with a fake sign to get info) and then apply the timestamp without needing a new dss again.
- If yes... is this approved by ETSI? Can iText handle it? I noticed that addVerification adds info from signatures already included, but it seems I can't add the required info with this method. Is there another way to add 'free' verifications, or does addVerification let me and I didn't notice?
- If no... Why? Then why do I not need to timestamp again the new dss added?
As you can see... I'm not an expert and I need some help.
Thank you very much for your help!
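Technically you can add any validation-related information before applying the signature / time stamp it relates to. Actually you even have to do so in the case of old-fashioned ISO 32000-1 signatures, which require the validation information to be in a signed attribute.
Whether this information is accepted by a validator depends.
ETSI TS 102 778-4 V1.1.1 says:
4.3 Validation Process
It is recommended that that validation process be as follows:
The "latest" document Time-stamp should be validated at current time with validation data collected at the current time.
The "inner" document Time-stamp should be validated at previous document Time-stamp time with the validation data present (and time-stamped for the successive enveloping time-stamps) in the previous DSS.
The signature and the signature Time-stamp should be validated at the latest innermost LTV document Timestamp time using the validation data stored in the DSS and time-stamped (by the successive enveloping timestamps)
Validation of documents without document Time-stamps is outside the scope of this profile.
If a validator validates according to these recommendations, it will not accept your validation information the way you want it to, at least not for the time stamp that time-stamps the validation information.
But as these are merely recommendations, other TS or EN documents may recommend differently, and the validator you are interested in may accept your validation information the way you need.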
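The "new dss" step mentioned in the question, as an added example that is not code from the original post or from iText's own samples: it appends a revision holding validation data for the outermost document time stamp without applying another time stamp. It assumes the iText 5 signing API used in the question's code; the class and method names are hypothetical.

```java
import com.itextpdf.text.DocumentException;
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.CrlClient;
import com.itextpdf.text.pdf.security.LtvVerification;
import com.itextpdf.text.pdf.security.OcspClient;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;

// Added example; DssAfterTimestamp and addDssForLastTimestamp are hypothetical names.
public class DssAfterTimestamp {

    /** Returns true if validation data for the last document time stamp was added. */
    public static boolean addDssForLastTimestamp(String src, String dest,
            OcspClient ocsp, CrlClient crl)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(src);
        try {
            // Inspect the source first so nothing is written for unsuitable input.
            AcroFields existing = reader.getAcroFields();
            List<String> names = existing.getSignatureNames();
            if (names.isEmpty()) {
                throw new IllegalStateException("no signature fields in " + src);
            }
            String last = names.get(names.size() - 1);
            if (!existing.verifySignature(last).isTsp()) {
                throw new IllegalStateException(last + " is not a document time stamp");
            }
            try (FileOutputStream fos = new FileOutputStream(dest)) {
                // Plain stamper in append mode: earlier signed revisions stay
                // untouched, and no new signature or time stamp is created.
                PdfStamper stamper = new PdfStamper(reader, fos, '\0', true);
                LtvVerification v = stamper.getLtvVerification();
                boolean added = v.addVerification(last, ocsp, crl,
                        LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
                        LtvVerification.Level.OCSP_CRL,
                        LtvVerification.CertificateInclusion.NO);
                stamper.close(); // writes the appended revision with the DSS
                return added;
            }
        } finally {
            reader.close();
        }
    }
}
```

The revision written here is not covered by any time stamp, so a validator following the recommendations quoted above has no time-stamped proof of when this data was collected; whether it is accepted depends on the validator.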