java - CAdES Digital Signature
I've been trying to implement digital signing (CAdES) of PDF files using the Portuguese Citizen Card, and I'm having a hard time figuring out a working solution. I have 2 sets of code.

First one:
```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import javax.security.auth.callback.CallbackHandler;
import com.sun.security.auth.callback.DialogCallbackHandler;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.*;

// Parameter list elided in the original post; the body uses src, dest, tempPath, reason, location and level.
public void signCades(...) throws Exception {
    // SunPKCS11 configuration pointing at the Portuguese eID PKCS#11 module
    String pkcs11Config = "name=GemPC" + "\n" + "library=C:\\Windows\\SysWOW64\\pteidpkcs11.dll";
    ByteArrayInputStream configStream = new ByteArrayInputStream(pkcs11Config.getBytes());
    Provider pkcs11Provider = new sun.security.pkcs11.SunPKCS11(configStream); // provider name: SunPKCS11-GemPC
    Security.addProvider(pkcs11Provider);

    // PIN is requested through a dialog when the key store is opened
    CallbackHandler cmdLineHdlr = new DialogCallbackHandler();
    KeyStore.Builder builder = KeyStore.Builder.newInstance("PKCS11", pkcs11Provider,
            new KeyStore.CallbackHandlerProtection(cmdLineHdlr));
    KeyStore ks = builder.getKeyStore();

    PdfReader reader = new PdfReader(src);
    FileOutputStream os = new FileOutputStream(dest);
    PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0', new File(tempPath), true);
    PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
    appearance.setReason(reason);
    appearance.setLocation(location);
    appearance.setCertificationLevel(level);

    // Alias of the signature key on the card; the chain certificates come from the card / resources folder
    String alias = "CITIZEN SIGNATURE CERTIFICATE";
    Certificate[] certs = getSignatureCertificatesChain(ks);
    PrivateKey pk = (PrivateKey) ks.getKey(alias, null);

    ExternalSignature es = new PrivateKeySignature(pk, "SHA-1", pkcs11Provider.getName());
    ExternalDigest digest = new BouncyCastleDigest();
    MakeSignature.signDetached(appearance, digest, es, certs, null, null, null, 0,
            MakeSignature.CryptoStandard.CADES);
}
```

The first one works, but I have a validator given to me that verifies whether the signatures of the PDF satisfy the standards, and it seems 1 of the attributes is missing (signing certificate issuer's serial number).
The second one is different, and I have to add the attributes manually, but the generated PDF is corrupted (and I might need to add the issuer serial attribute too):
```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

private static void signCades(byte[] aDocument, PrivateKey aPrivateKey, Certificate[] certChain, String outputPath) {
    try {
        Security.addProvider(new BouncyCastleProvider());
        ArrayList<X509Certificate> certsIn = new ArrayList<X509Certificate>();
        for (Certificate certChain1 : certChain) {
            certsIn.add((X509Certificate) certChain1);
        }
        X509Certificate signingCertificate = certsIn.get(0);

        // ESS signing-certificate attribute built from the SHA-1 hash of the signer certificate only
        // (no IssuerSerial is supplied to ESSCertID here)
        MessageDigest dig = MessageDigest.getInstance("SHA-1");
        byte[] certHash = dig.digest(signingCertificate.getEncoded());
        ESSCertID essCertId = new ESSCertID(certHash);
        DERSet set = new DERSet(new SigningCertificate(essCertId));
        Attribute certHAttribute = new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate, set);
        AttributeTable at = getAttributeTableWithSigningCertificateAttribute(certHAttribute); // helper defined elsewhere
        CMSAttributeTableGenerator attrGen = new DefaultSignedAttributeTableGenerator(at);

        SignerInfoGeneratorBuilder genBuild = new SignerInfoGeneratorBuilder(new BcDigestCalculatorProvider());
        genBuild.setSignedAttributeGenerator(attrGen);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        ContentSigner shaSigner = new JcaContentSignerBuilder("SHA1withRSA").build(aPrivateKey);
        SignerInfoGenerator sifGen = genBuild.build(shaSigner,
                new X509CertificateHolder(signingCertificate.getEncoded()));
        gen.addSignerInfoGenerator(sifGen);
        JcaCertStore jcaCertStore = new JcaCertStore(certsIn);
        gen.addCertificates(jcaCertStore);

        CMSTypedData msg = new CMSProcessableByteArray(aDocument);
        CMSSignedData sigData = gen.generate(msg, false); // false = detached
        byte[] encoded = sigData.getEncoded();
        ASN1InputStream in = new ASN1InputStream(encoded);
        CMSSignedData sigData2 = new CMSSignedData(new CMSProcessableByteArray(aDocument), in);
        byte[] encoded2 = sigData2.getEncoded();
        in.close();

        // Writes the bare CMS SignedData structure to outputPath (not a PDF with an embedded signature)
        FileOutputStream fos = new FileOutputStream(outputPath);
        fos.write(encoded2);
        // fos.write(encoded);
        fos.flush();
        fos.close();
    } catch (CMSException | IOException | OperatorCreationException | CertificateEncodingException
            | NoSuchAlgorithmException ex) {
        log("signCades", "error: " + ex.toString());
    }
}
```

Is there anyone who understands CAdES digital signatures using Java? Any help appreciated!
The 'issuer-serial' attribute is absent or does not match!

It means the CAdES signature does not have the signed attribute "signed reference to the signing certificate", or the reference was tampered with.

Please check ETSI TS 101 733 V2.2.1 (2013-04) for more information:

5.7.3 Signing certificate reference attributes

The signing certificate reference attributes are supported by using either the ESS signing-certificate attribute or the ESS-signing-certificate-v2 attribute...
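Building the ESS signing-certificate reference with the issuer-serial field the validator complains about, next to the check a validator applies to it; this is an added example, not the asker's or answerer's code. It assumes BouncyCastle's CMS and ASN.1 packages and uses SHA-1 to match the question's setup; the class and method names are mine.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ess.ESSCertID;
import org.bouncycastle.asn1.ess.SigningCertificate;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.IssuerSerial;
import org.bouncycastle.cms.SignerInformation;

public final class SigningCertificateReference {

    // ESS signing-certificate attribute (SHA-1 hash of the DER certificate plus IssuerSerial),
    // the form the question's second snippet builds without the IssuerSerial part.
    public static Attribute build(X509Certificate signer) throws Exception {
        byte[] certHash = MessageDigest.getInstance("SHA-1").digest(signer.getEncoded());
        X500Name issuer = X500Name.getInstance(signer.getIssuerX500Principal().getEncoded());
        IssuerSerial issuerSerial = new IssuerSerial(new GeneralNames(new GeneralName(issuer)),
                new ASN1Integer(signer.getSerialNumber()));
        ESSCertID certId = new ESSCertID(certHash, issuerSerial); // new ESSCertID(certHash) alone omits issuer-serial
        return new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificate,
                new DERSet(new SigningCertificate(certId)));
    }

    // Validator-side check: the signed reference must be present and its hash, issuer and serial
    // must all match the certificate that actually produced the signature.
    public static boolean matches(SignerInformation si, X509Certificate signer) throws Exception {
        AttributeTable signed = si.getSignedAttributes();
        Attribute attr = signed == null ? null : signed.get(PKCSObjectIdentifiers.id_aa_signingCertificate);
        if (attr == null) return false;                     // no signing certificate reference at all
        SigningCertificate sc = SigningCertificate.getInstance(attr.getAttrValues().getObjectAt(0));
        ESSCertID certId = sc.getCerts()[0];
        IssuerSerial is = certId.getIssuerSerial();
        if (is == null) return false;                       // the "issuer-serial absent" case
        byte[] expectedHash = MessageDigest.getInstance("SHA-1").digest(signer.getEncoded());
        X500Name expectedIssuer = X500Name.getInstance(signer.getIssuerX500Principal().getEncoded());
        X500Name actualIssuer = X500Name.getInstance(is.getIssuer().getNames()[0].getName());
        BigInteger actualSerial = is.getSerial().getValue();
        return MessageDigest.isEqual(expectedHash, certId.getCertHash())
                && expectedIssuer.equals(actualIssuer)
                && signer.getSerialNumber().equals(actualSerial);
    }
}
```

Passing the returned Attribute through the same AttributeTable/DefaultSignedAttributeTableGenerator path as the second snippet gives a CAdES-BES signer info whose certificate reference carries the issuer-serial the validator expects.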
java pdf digital-signature bouncycastle