使用itext5 验证PDF文件中的签名证书有效性-验签

实例代码地址：https://github.com/haoxiaoyong1014/testarea-itext5

验证签名模块代码位置：
testarea-itext5/src/test/java/mkl/testarea/itext5/signature/VerifySignature.java

一，实际需求：

用户上传带有签署证书的pdf文件，我们进行验证证书的真实性，有效性以及是否篡改过

二，pom.xml 配置

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0modelVersion>
    <groupId>mkl.testarea.itext5groupId>
    <artifactId>testarea-itext5artifactId>
    <packaging>jarpackaging>
    <name>Test area for public iText v5 issues on stackoverflow etcname>
    <version>5.5.14-SNAPSHOTversion>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.pluginsgroupId>
                <artifactId>maven-compiler-pluginartifactId>
                <configuration>
                    <compilerVersion>1.8compilerVersion>
                    <source>1.8source>
                    <target>1.8target>
                configuration>
            plugin>
        plugins>
    build>

  <properties>
    <junit.version>4.7junit.version>
    <itextpdf.version>${project.version}itextpdf.version>
  properties>
    <dependencies>
        <dependency>
            <groupId>com.itextpdfgroupId>
            <artifactId>itextpdfartifactId>
            <version>5.5.13version>
        dependency>
        <dependency>
            <groupId>com.itextpdfgroupId>
            <artifactId>itext-asianartifactId>
            <version>5.2.0version>
        dependency>
        <dependency>
            <groupId>com.itextpdfgroupId>
            <artifactId>itext-xtraartifactId>
            <version>5.5.13version>
        dependency>
        <dependency>
            <groupId>com.itextpdfgroupId>
            <artifactId>itext-pdfaartifactId>
            <version>5.5.13version>
        dependency>
        <dependency>
            <groupId>com.itextpdf.toolgroupId>
            <artifactId>xmlworkerartifactId>
            <version>5.5.13version>
        dependency>
        <dependency>
            <groupId>junitgroupId>
            <artifactId>junitartifactId>
          <version>${junit.version}version>
          <scope>testscope>
        dependency>
        <dependency>
            <groupId>org.bouncycastlegroupId>
            <artifactId>bcprov-jdk15onartifactId>
            <version>1.49version>
            <type>jartype>
        dependency>
        <dependency>
            <groupId>org.bouncycastlegroupId>
            <artifactId>bcpkix-jdk15onartifactId>
            <version>1.49version>
            <type>jartype>
        dependency>
        <dependency>
            <groupId>org.jfreegroupId>
            <artifactId>jfreechartartifactId>
            <version>1.0.19version>
        dependency>
    dependencies>
project>

三，测试准备

将带有签署证书的pdf文件放到项目中的
testarea-itext5\src\test\resources\mkl\testarea\itext5\signature目录下，当然放到这个目录下只是测试使用，实际开发中pdf文件是用户上传过来的，如果你还没有签署证书的pdf文件的话，你可到项目中的 testarea-itext5/src/test/java/mkl/testarea/itext5/signature/CreateSignature.java 这个类就是将证书签署到pdf文件中，项目中有生成好的证书(demo-rsa2048.ks)，你只需要运行一下测试方法即可，如果你不想运行测试方法也可以，
testarea-itext5\src\test\resources\mkl\testarea\itext5\signature目录下我放了带有证书的pdf文件，你只要运行以下代码就可以实现验签，向pdf中签署证书今天不做讨论，在我下篇博客中说明。接下来咱们继续说明验签过程

四：验签代码

public static void setUp() throws Exception {
        BouncyCastleProvider bcp = new BouncyCastleProvider();
        //Security.addProvider(bcp);
        Security.insertProviderAt(bcp, 1);
    }
 public void testVerifyTestMGomez() throws Exception {
        System.out.println("\n\nTestMGomez.pdf\n==============");
        setUp();
        try (InputStream resource = getClass().getResourceAsStream("TestMGomez.pdf")) {
            PdfReader reader = new PdfReader(resource);
            AcroFields acroFields = reader.getAcroFields();

            List names = acroFields.getSignatureNames();
            for (String name : names) {
                System.out.println("Signature name: " + name);
                System.out.println("Signature covers whole document: " + acroFields.signatureCoversWholeDocument(name));
                PdfPKCS7 pk = acroFields.verifySignature(name);
                System.out.println("Subject: " + CertificateInfo.getSubjectFields(pk.getSigningCertificate()));
                System.out.println("Document verifies: " + pk.verify());
            }
        }

        System.out.println();

        Field rsaDataField = PdfPKCS7.class.getDeclaredField("RSAdata");
        rsaDataField.setAccessible(true);

        try (InputStream resource = getClass().getResourceAsStream("TestMGomez.pdf")) {
            PdfReader reader = new PdfReader(resource);
            AcroFields acroFields = reader.getAcroFields();

            List names = acroFields.getSignatureNames();
            for (String name : names) {
                System.out.println("Signature name: " + name);
                System.out.println("Signature covers whole document: " + acroFields.signatureCoversWholeDocument(name));
                PdfPKCS7 pk = acroFields.verifySignature(name);
                System.out.println("Subject: " + CertificateInfo.getSubjectFields(pk.getSigningCertificate()));

                Object rsaDataFieldContent = rsaDataField.get(pk);
                if (rsaDataFieldContent != null && ((byte[]) rsaDataFieldContent).length == 0) {
                    System.out.println("Found zero-length encapsulated content: ignoring");
                    rsaDataField.set(pk, null);
                }
                System.out.println("Document verifies: " + pk.verify());
            }
        }
    }

其中 TestMGomez.pdf 就是带有签署证书的pdf文件

五，测试结果：

打印的结果中包含 签名值，签名是否涵盖整个文档，证书所有者，验签结果

代码地址：https://github.com/haoxiaoyong1014/testarea-itext5