使用 iText 锁定 pdf
Lock pdf using iText
我最近尝试迁移到 iText7,但遇到了一些问题。我已经有一个 PDF,我正在尝试锁定和限制对此 PDF 的权限。我对 itext5 使用了相同的方法,但结果不一样。更准确地说:
我用过
PdfWriter writer = new PdfWriter(fos, new WriterProperties()
.setPublicKeyEncryption(chain,
new int[EncryptionConstants.ALLOW_DEGRADED_PRINTING],
EncryptionConstants.ENCRYPTION_AES_256));
但是没有任何反应,然后我尝试了
2.
PdfWriter writer = new PdfWriter(fos, new WriterProperties()
.setStandardEncryption("lala".getBytes(), "lala".getBytes(),
EncryptionConstants.ALLOW_PRINTING | EncryptionConstants.ENCRYPTION_AES_256,
EncryptionConstants.ENCRYPTION_AES_256));
什么也没有发生。你碰巧知道一些吗?
方法的完整代码:
public void signPDF(InputStream inputStream, HttpServletResponse response) {
LOG.debug("Inside signPDF...");
Security.addProvider(new BouncyCastleProvider());
try(OutputStream os = response.getOutputStream();
PdfReader reader = new PdfReader(inputStream);
PdfWriter writer = new PdfWriter(os, new WriterProperties().setStandardEncryption(null, "test".getBytes(), EncryptionConstants.ALLOW_PRINTING,
EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA))) {
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(p12Path), keystorePassword.toCharArray());
String alias = ks.aliases().nextElement();
PrivateKey pk = (PrivateKey) ks.getKey(alias, keystorePassword.toCharArray());
Certificate[] chain = ks.getCertificateChain(alias);
BouncyCastleProvider provider = new BouncyCastleProvider();
ITSAClient tsc = new TSAClientBouncyCastle(tsaClient, "", "");
PdfSigner signer = new PdfSigner(reader, writer.getOutputStream(), true);
PdfSignatureAppearance appearance = signer.getSignatureAppearance()
.setReason("Sign")
.setLocation("Test")
.setReuseAppearance(false);
signer.setFieldName("sig");
IExternalSignature pks = new PrivateKeySignature(pk, DigestAlgorithms.SHA256, provider.getName());
IExternalDigest digest = new BouncyCastleDigest();
System.out.println(signer.getDocument().getNumberOfPages());
addWatermark(appearance,signer);
signer.signDetached(digest, pks, chain, null, null, tsc, 0, PdfSigner.CryptoStandard.CMS);
} catch (Exception e) {
LOG.error("Error while writing to outputstream",e);
}
}
现在已签名,有水印,但未锁定(即复制内容)
iText 7 中的签名和加密目前分两个单独的步骤完成,第一步是对文件进行加密,第二步是对该加密文件进行签名,保持加密完好无损。
在您的尝试中,您创建了一个带有加密信息的 PdfWriter 和一个带有签名信息的 PdfSigner。由于您的 PdfWriter 未被任何 PdfDocument 使用,因此加密信息丢失,仅进行签名。
要同时加密和签名,只需先加密 PDF,例如使用像
这样的东西
void encrypt(InputStream source, OutputStream target, byte[] password) throws IOException {
PdfReader reader = new PdfReader(source);
PdfWriter writer = new PdfWriter(target, new WriterProperties().setStandardEncryption(null, password,
EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA));
new PdfDocument(reader, writer).close();
}
(一种EncryptAndSign方法)
然后签署这个加密的 PDF,例如使用像
这样的东西
void sign(InputStream original, OutputStream result, String name, CryptoStandard subfilter,
int certificationLevel, boolean isAppendMode, byte[] password) throws IOException, GeneralSecurityException {
String reason = "Just another illusionary reason";
String location = "Right around the corner";
boolean setReuseAppearance = false;
String digestAlgorithm = "SHA512";
ITSAClient tsc = null;
PdfReader reader = new PdfReader(original, new ReaderProperties().setPassword(password));
PdfSigner signer = new PdfSigner(reader, result, isAppendMode);
signer.setCertificationLevel(certificationLevel);
// Creating the appearance
signer.getSignatureAppearance()
.setReason(reason)
.setLocation(location)
.setReuseAppearance(setReuseAppearance);
signer.setFieldName(name);
// Creating the signature
IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, BouncyCastleProvider.PROVIDER_NAME);
signer.signDetached(new BouncyCastleDigest(), pks, chain, null, null, tsc, 0, subfilter);
}
(一种EncryptAndSign方法)
pk 和 chain 像您的代码一样确定。
然后结合这些方法,例如像这样
try ( InputStream resourceStream = ...;
OutputStream encryptedResult = new FileOutputStream(encryptedFile) ) {
encrypt(resourceStream, encryptedResult, password);
}
try ( InputStream encryptedSource = new FileInputStream(encryptedFile);
OutputStream signedResult = new FileOutputStream(signedFile)) {
sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}
(EncryptAndSign 测试 testEncryptAndSignLefterisBab)
或者如果你想写入响应并且不想在文件系统中使用中间文件:
byte[] encrypted = null;
try ( InputStream resourceStream = ...;
OutputStream encryptedResult = new ByteArrayOutputStream() ) {
encrypt(resourceStream, encryptedResult, password);
encrypted = encryptedResult.toByteArray();
}
try ( InputStream encryptedSource = new ByteArrayInputStream(encrypted);
OutputStream signedResult = response.getOutputStream() ) {
sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}
我最近尝试迁移到 iText7,但遇到了一些问题。我已经有一个 PDF,我正在尝试锁定和限制对此 PDF 的权限。我对 itext5 使用了相同的方法,但结果不一样。更准确地说:
我用过
PdfWriter writer = new PdfWriter(fos, new WriterProperties() .setPublicKeyEncryption(chain, new int[EncryptionConstants.ALLOW_DEGRADED_PRINTING], EncryptionConstants.ENCRYPTION_AES_256));
但是没有任何反应,然后我尝试了
2.
PdfWriter writer = new PdfWriter(fos, new WriterProperties()
.setStandardEncryption("lala".getBytes(), "lala".getBytes(),
EncryptionConstants.ALLOW_PRINTING | EncryptionConstants.ENCRYPTION_AES_256,
EncryptionConstants.ENCRYPTION_AES_256));
什么也没有发生。你碰巧知道一些吗?
方法的完整代码:
public void signPDF(InputStream inputStream, HttpServletResponse response) {
LOG.debug("Inside signPDF...");
Security.addProvider(new BouncyCastleProvider());
try(OutputStream os = response.getOutputStream();
PdfReader reader = new PdfReader(inputStream);
PdfWriter writer = new PdfWriter(os, new WriterProperties().setStandardEncryption(null, "test".getBytes(), EncryptionConstants.ALLOW_PRINTING,
EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA))) {
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(p12Path), keystorePassword.toCharArray());
String alias = ks.aliases().nextElement();
PrivateKey pk = (PrivateKey) ks.getKey(alias, keystorePassword.toCharArray());
Certificate[] chain = ks.getCertificateChain(alias);
BouncyCastleProvider provider = new BouncyCastleProvider();
ITSAClient tsc = new TSAClientBouncyCastle(tsaClient, "", "");
PdfSigner signer = new PdfSigner(reader, writer.getOutputStream(), true);
PdfSignatureAppearance appearance = signer.getSignatureAppearance()
.setReason("Sign")
.setLocation("Test")
.setReuseAppearance(false);
signer.setFieldName("sig");
IExternalSignature pks = new PrivateKeySignature(pk, DigestAlgorithms.SHA256, provider.getName());
IExternalDigest digest = new BouncyCastleDigest();
System.out.println(signer.getDocument().getNumberOfPages());
addWatermark(appearance,signer);
signer.signDetached(digest, pks, chain, null, null, tsc, 0, PdfSigner.CryptoStandard.CMS);
} catch (Exception e) {
LOG.error("Error while writing to outputstream",e);
}
}
现在已签名,有水印,但未锁定(即复制内容)
iText 7 中的签名和加密目前分两个单独的步骤完成,第一步是对文件进行加密,第二步是对该加密文件进行签名,保持加密完好无损。
在您的尝试中,您创建了一个带有加密信息的 PdfWriter 和一个带有签名信息的 PdfSigner。由于您的 PdfWriter 未被任何 PdfDocument 使用,因此加密信息丢失,仅进行签名。
要同时加密和签名,只需先加密 PDF,例如使用像
这样的东西void encrypt(InputStream source, OutputStream target, byte[] password) throws IOException {
PdfReader reader = new PdfReader(source);
PdfWriter writer = new PdfWriter(target, new WriterProperties().setStandardEncryption(null, password,
EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA));
new PdfDocument(reader, writer).close();
}
(一种EncryptAndSign方法)
然后签署这个加密的 PDF,例如使用像
这样的东西void sign(InputStream original, OutputStream result, String name, CryptoStandard subfilter,
int certificationLevel, boolean isAppendMode, byte[] password) throws IOException, GeneralSecurityException {
String reason = "Just another illusionary reason";
String location = "Right around the corner";
boolean setReuseAppearance = false;
String digestAlgorithm = "SHA512";
ITSAClient tsc = null;
PdfReader reader = new PdfReader(original, new ReaderProperties().setPassword(password));
PdfSigner signer = new PdfSigner(reader, result, isAppendMode);
signer.setCertificationLevel(certificationLevel);
// Creating the appearance
signer.getSignatureAppearance()
.setReason(reason)
.setLocation(location)
.setReuseAppearance(setReuseAppearance);
signer.setFieldName(name);
// Creating the signature
IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, BouncyCastleProvider.PROVIDER_NAME);
signer.signDetached(new BouncyCastleDigest(), pks, chain, null, null, tsc, 0, subfilter);
}
(一种EncryptAndSign方法)
pk 和 chain 像您的代码一样确定。
然后结合这些方法,例如像这样
try ( InputStream resourceStream = ...;
OutputStream encryptedResult = new FileOutputStream(encryptedFile) ) {
encrypt(resourceStream, encryptedResult, password);
}
try ( InputStream encryptedSource = new FileInputStream(encryptedFile);
OutputStream signedResult = new FileOutputStream(signedFile)) {
sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}
(EncryptAndSign 测试 testEncryptAndSignLefterisBab)
或者如果你想写入响应并且不想在文件系统中使用中间文件:
byte[] encrypted = null;
try ( InputStream resourceStream = ...;
OutputStream encryptedResult = new ByteArrayOutputStream() ) {
encrypt(resourceStream, encryptedResult, password);
encrypted = encryptedResult.toByteArray();
}
try ( InputStream encryptedSource = new ByteArrayInputStream(encrypted);
OutputStream signedResult = response.getOutputStream() ) {
sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}