PDF时间戳数字签名
可信时间戳是由时间戳服务中心(TSA:Time Stamp Authority)颁发的具有法律效力的电子凭证, 时间戳与电子数据唯一对应,其中包含电子数据 “指纹”、产生时间、时间戳服务中心信息等。
可信时间戳的法律效力、作用我就不说了 直接贴代码吧。
import com.itextpdf.text.DocumentException; import com.itextpdf.text.Rectangle; import com.itextpdf.text.pdf.*; import java.io.*; import java.security.MessageDigest; import java.security.SignatureException; import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; import java.util.Calendar; import java.util.HashMap; /** * Created by zhangzhenhua on 2016/11/1. */ public class PDFSigner { //tsa private SignerKeystore signerKeystore; private TSAClient tsaClient; private PDFSigner(){} /** * * @param tsa_url tsa服务器地址 * @param tsa_accnt tsa账户号 * @param tsa_passw tsa密码 * @param cert_path 证书路径 * @param cert_passw 证书密码 */ public PDFSigner(String tsa_url,String tsa_accnt,String tsa_passw,String cert_path,String cert_passw) { tsaClient = new TSAClientBouncyCastle(tsa_url, tsa_accnt, tsa_passw); try { signerKeystore = new SignerKeystorePKCS12(new FileInputStream(cert_path), cert_passw); } catch (Exception e) { e.printStackTrace(); } } /** * TSA时间戳签名 * @param infilePath 未签名的文件路径 * @param outfilePath 签名后的文件路径 * @throws Exception */ public void signPDF(String infilePath,String outfilePath) throws Exception { PdfReader reader = new PdfReader(infilePath); FileOutputStream fout = new FileOutputStream(outfilePath); PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0'); PdfSignatureAppearance sap = stp.getSignatureAppearance(); sap.setCrypto(null, this.signerKeystore.getChain(), null, PdfSignatureAppearance.SELF_SIGNED); sap.setVisibleSignature(new Rectangle(100, 100, 300, 200), 1, "Signature"); PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, new PdfName("adbe.pkcs7.detached")); dic.setReason(sap.getReason()); dic.setLocation(sap.getLocation()); dic.setContact(sap.getContact()); dic.setDate(new PdfDate(sap.getSignDate())); sap.setCryptoDictionary(dic); int contentEstimated = 15000; HashMap exc = new HashMap(); exc.put(PdfName.CONTENTS, new Integer(contentEstimated * 2 + 2)); sap.preClose(exc); PdfPKCS7 sgn = new PdfPKCS7(this.signerKeystore.getPrivateKey(), this.signerKeystore.getChain(), null, "SHA1", null, false); InputStream data = sap.getRangeStream(); MessageDigest messageDigest = MessageDigest.getInstance("SHA1"); byte buf[] = new byte[8192]; int n; while ((n = data.read(buf)) > 0) { messageDigest.update(buf, 0, n); } byte hash[] = messageDigest.digest(); Calendar cal = Calendar.getInstance(); byte[] ocsp = null; if ( this.signerKeystore.getChain().length >= 2) { String url = PdfPKCS7.getOCSPURL((X509Certificate) this.signerKeystore.getChain()[0]); if (url != null && url.length() > 0) ocsp = new OcspClientBouncyCastle((X509Certificate) this.signerKeystore.getChain()[0], (X509Certificate) this.signerKeystore.getChain()[1], url).getEncoded(); } byte sh[] = sgn.getAuthenticatedAttributeBytes(hash, cal, ocsp); sgn.update(sh, 0, sh.length); byte[] encodedSig = sgn.getEncodedPKCS7(hash, cal, this.tsaClient, ocsp); if (contentEstimated + 2 < encodedSig.length) throw new Exception("Not enough space"); byte[] paddedSig = new byte[contentEstimated]; System.arraycopy(encodedSig, 0, paddedSig, 0, encodedSig.length); PdfDictionary dic2 = new PdfDictionary(); dic2.put(PdfName.CONTENTS, new PdfString(paddedSig).setHexWriting(true)); sap.close(dic2); } public static void main(String[] args) { //test String TSA_URL = "http://tsa.safelayer.com:8093"; String TSA_ACCNT = ""; String TSA_PASSW = ""; String IN_FILE = "E:\\项目\\paperless\\lipsum.pdf"; String OUT_FILE = "E:\\项目\\paperless\\test_signed.pdf"; String CERT_PATH = "E:\\项目\\paperless\\bfnsh.pfx"; String CERT_PASSW = "123456"; PDFSigner signer = new PDFSigner(TSA_URL,TSA_ACCNT,TSA_PASSW,CERT_PATH,CERT_PASSW); try { signer.signPDF(IN_FILE,OUT_FILE); } catch (Exception e) { e.printStackTrace(); } } }
以上是签名类,再贴一下辅助读取证书的类
import java.security.PrivateKey; import java.security.Provider; import java.security.cert.Certificate; /** * Created by zhangzhenhua on 2016/10/28. */ public interface SignerKeystore { public PrivateKey getPrivateKey() ; public Certificate[] getChain() ; public Provider getProvider(); }
/** * Created by hmt on 2016/10/28. */ import java.io.InputStream; import java.security.KeyStore; import java.security.PrivateKey; import java.security.Provider; import java.security.Security; import java.security.cert.Certificate; /** * SignerKeystore implementation using PKCS#12 file (.pfx etc) */ public class SignerKeystorePKCS12 implements SignerKeystore { private static Provider prov = null; private KeyStore ks; private String alias; private String pwd; private PrivateKey key; private Certificate[] chain; public SignerKeystorePKCS12(InputStream inp, String passw) throws Exception { // This should be done once only for the provider... if (prov == null) { prov = new org.bouncycastle.jce.provider.BouncyCastleProvider(); Security.addProvider(prov); } this.ks = KeyStore.getInstance("pkcs12", prov); this.pwd = passw; this.ks.load(inp, pwd.toCharArray()); this.alias = (String)ks.aliases().nextElement(); this.key = (PrivateKey)ks.getKey(alias, pwd.toCharArray()); this.chain = ks.getCertificateChain(alias); } public PrivateKey getPrivateKey() { return key; } public Certificate[] getChain() { return chain; } public Provider getProvider() { return ks.getProvider(); } }
测试结果
