使用java api和epass2003令牌的pdf數字簽名

Question

我嘗試使用java api添加數字簽名到pdf，並且簽名被epass2003令牌讀取。所以，在這裏我完成了這項工作（將數字簽名添加到pdf）， 及其工作正常，但是當我在另一個系統中打開這個pdf文檔時，它顯示 「Atleast one signature has problem」，在我的系統中，請幫助我。我在下面附上了我的代碼，請找到它。

public class Test { 
    public static void main(String args[]) throws IOException, GeneralSecurityException, DocumentException, CertificateVerificationException{ 
    // Create instance of SunPKCS11 provider 

    String userFile = "C:/results/test.pdf"; 
    String userFile_signed = "C:/results/test_signed.pdf"; 

    String pkcs11Config = "name=eToken\nlibrary=C:\\Windows\\System32\\eps2003csp11.dll"; 
    java.io.ByteArrayInputStream pkcs11ConfigStream = new java.io.ByteArrayInputStream(pkcs11Config.getBytes()); 
    sun.security.pkcs11.SunPKCS11 providerPKCS11 = new sun.security.pkcs11.SunPKCS11(pkcs11ConfigStream); 
    java.security.Security.addProvider(providerPKCS11); 

    // Get provider KeyStore and login with PIN 
    String pin = "12345678"; 
    java.security.KeyStore keyStore = java.security.KeyStore.getInstance("PKCS11", providerPKCS11); 
    keyStore.load(null, pin.toCharArray()); 

    // Enumerate items (certificates and private keys) in the KeyStore 
    java.util.Enumeration<String> aliases = keyStore.aliases(); 
    String alias = null; 
    while (aliases.hasMoreElements()) { 
     alias = aliases.nextElement(); 
     System.out.println(alias); 
    } 

    PrivateKey pk = (PrivateKey)keyStore.getKey(alias, "12345678".toCharArray()); 
     Certificate[] chain = keyStore.getCertificateChain(alias); 
     OcspClient ocspClient = new OcspClientBouncyCastle(); 
     TSAClient tsaClient = null; 
     for (int i = 0; i < chain.length; i++) { 
      X509Certificate cert = (X509Certificate)chain[i]; 
      String tsaUrl = CertificateUtil.getTSAURL(cert); 
      if (tsaUrl != null) { 
       tsaClient = new TSAClientBouncyCastle(tsaUrl); 
       break; 
      } 
     } 
     List<CrlClient> crlList = new ArrayList<CrlClient>(); 
     crlList.add(new CrlClientOnline(chain)); 
     Test t = new Test(); 
     t.sign(userFile, userFile_signed, chain, pk, DigestAlgorithms.SHA256, providerPKCS11.getName(), 
        CryptoStandard.CMS, "Test", "Signature", crlList, ocspClient, tsaClient, 0); 
} 
public void sign(String src, String dest, 
     Certificate[] chain, PrivateKey pk, 
     String digestAlgorithm, String provider, CryptoStandard subfilter, 
     String reason, String location, 
     Collection<CrlClient> crlList, 
     OcspClient ocspClient, 
     TSAClient tsaClient, 
     int estimatedSize) 
       throws GeneralSecurityException, IOException, DocumentException { 
    // Creating the reader and the stamper 
    PdfReader reader = new PdfReader(src); 
    FileOutputStream os = new FileOutputStream(dest); 
    PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0'); 
    // Creating the appearance 
    PdfSignatureAppearance appearance = stamper.getSignatureAppearance(); 
    appearance.setReason(reason); 
    appearance.setLocation(location); 
    appearance.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, "sig"); 
    // Creating the signature 
    ExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, provider); 
    ExternalDigest digest = new BouncyCastleDigest(); 
    MakeSignature.signDetached(appearance, digest, pks, chain, crlList, ocspClient, tsaClient, estimatedSize, subfilter); 
} 
} 

以上是我的代碼請幫幫我。

Answer 1

望着簽名屬性人們看到：

此對話框狀態問題：

，因爲它沒有被包含在受信任的證書列表中的簽名者的身份不明並且它的父證書都不是可信證書。

而且一看簽名的證書顯示：

因此，你的代碼只嵌入簽名證書本身，而不是它的證書路徑（否則他們將在證書查看器窗口中顯示已）。不幸的是，頒發者證書（用於RCAI Class 2 2014的SafeScrypt sub-CA）並不是立即可信的，該證書的頒發者（SafeScrypt CA 2014）也不是，而是該證書的頒發者（CCA India 2014）。

最有可能在您的計算機上，整個證書鏈都是已知的，或者至少是明確信任的證書。

要在其他只知道根證書的計算機上獲得相同的效果，只需將「SafeScrypt sub-CA for RCAI Class 2 2014」和「SafeScrypt CA 2014」的證書添加到您的Certificate[] chain。