java - 使用 iText 锁定 pdf

Question

我最近尝试迁移到 iText7，但遇到了一些问题。我已经有一个 PDF，我正在尝试锁定和限制此 PDF 的权限。我对 itext5 使用了相同的方法，但结果不一样。更准确地说:

1. 我用过

   PdfWriter writer = new PdfWriter(fos, new WriterProperties()
           .setPublicKeyEncryption(chain,
           new int[EncryptionConstants.ALLOW_DEGRADED_PRINTING],
           EncryptionConstants.ENCRYPTION_AES_256));
   

但是什么也没发生，然后我尝试了

2.

PdfWriter writer = new PdfWriter(fos, new WriterProperties()
            .setStandardEncryption("lala".getBytes(), "lala".getBytes(),
             EncryptionConstants.ALLOW_PRINTING | EncryptionConstants.ENCRYPTION_AES_256,
                    EncryptionConstants.ENCRYPTION_AES_256));

什么也没发生。你碰巧知道一些事情吗？

该方法的完整代码:

 public void signPDF(InputStream inputStream, HttpServletResponse response) {
        LOG.debug("Inside signPDF...");
        Security.addProvider(new BouncyCastleProvider());
        try(OutputStream os = response.getOutputStream();
            PdfReader reader = new PdfReader(inputStream);
            PdfWriter writer = new PdfWriter(os, new WriterProperties().setStandardEncryption(null, "test".getBytes(), EncryptionConstants.ALLOW_PRINTING,
                    EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA))) {
            KeyStore ks = KeyStore.getInstance("pkcs12");
            ks.load(new FileInputStream(p12Path), keystorePassword.toCharArray());
            String alias = ks.aliases().nextElement();
            PrivateKey pk = (PrivateKey) ks.getKey(alias, keystorePassword.toCharArray());
            Certificate[] chain = ks.getCertificateChain(alias);
            BouncyCastleProvider provider = new BouncyCastleProvider();
            ITSAClient tsc = new TSAClientBouncyCastle(tsaClient, "", "");
            PdfSigner signer = new PdfSigner(reader, writer.getOutputStream(), true);
            PdfSignatureAppearance appearance = signer.getSignatureAppearance()
                    .setReason("Sign")
                    .setLocation("Test")
                    .setReuseAppearance(false);
            signer.setFieldName("sig");
            IExternalSignature pks = new PrivateKeySignature(pk, DigestAlgorithms.SHA256, provider.getName());
            IExternalDigest digest = new BouncyCastleDigest();
            System.out.println(signer.getDocument().getNumberOfPages());
            addWatermark(appearance,signer);
            signer.signDetached(digest, pks, chain, null, null, tsc, 0, PdfSigner.CryptoStandard.CMS);

        } catch (Exception e) {
            LOG.error("Error while writing to outputstream",e);
        }
    }

现在已签名，有水印，但未锁定(即复制内容)

Answer 1

iText 7 中的签名和加密目前分两个单独的步骤完成，第一步对文件进行加密，第二步对该加密文件进行签名，保持加密完好无损。

在您的尝试中，您创建了一个包含加密信息的 PdfWriter 和一个包含签名信息的 PdfSigner。不过，由于您的 PdfWriter 未被任何 PdfDocument 使用，因此加密信息会丢失，只进行签名。

要加密和签名，只需首先加密 PDF，例如使用类似的东西

void encrypt(InputStream source, OutputStream target, byte[] password) throws IOException {
    PdfReader reader = new PdfReader(source);
    PdfWriter writer = new PdfWriter(target, new WriterProperties().setStandardEncryption(null, password,
            EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ENCRYPTION_AES_128 | EncryptionConstants.DO_NOT_ENCRYPT_METADATA));
    new PdfDocument(reader, writer).close();
}

(EncryptAndSign 方法)

然后签署此加密的 PDF，例如使用类似的东西

void sign(InputStream original, OutputStream result, String name, CryptoStandard subfilter,
        int certificationLevel, boolean isAppendMode, byte[] password) throws IOException, GeneralSecurityException {
    String reason = "Just another illusionary reason";
    String location = "Right around the corner";
    boolean setReuseAppearance = false;
    String digestAlgorithm = "SHA512";
    ITSAClient tsc = null;

    PdfReader reader = new PdfReader(original, new ReaderProperties().setPassword(password));
    PdfSigner signer = new PdfSigner(reader, result, isAppendMode);

    signer.setCertificationLevel(certificationLevel);

    // Creating the appearance
    signer.getSignatureAppearance()
          .setReason(reason)
          .setLocation(location)
          .setReuseAppearance(setReuseAppearance);

    signer.setFieldName(name);

    // Creating the signature
    IExternalSignature pks = new PrivateKeySignature(pk, digestAlgorithm, BouncyCastleProvider.PROVIDER_NAME);
    signer.signDetached(new BouncyCastleDigest(), pks, chain, null, null, tsc, 0, subfilter);
}

(EncryptAndSign 方法)

使用 pk 和 chain 确定，就像在您的代码中一样。

然后结合这些方法，例如像这样

try (   InputStream resourceStream = ...;
        OutputStream encryptedResult = new FileOutputStream(encryptedFile)  ) {
    encrypt(resourceStream, encryptedResult, password);
}

try (   InputStream encryptedSource = new FileInputStream(encryptedFile);
        OutputStream signedResult = new FileOutputStream(signedFile)) {
    sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}

( EncryptAndSign 测试 testEncryptAndSignLefterisBab)

或者如果您想写入响应并且不希望文件系统中存在中间文件:

byte[] encrypted = null;

try (   InputStream resourceStream = ...;
        OutputStream encryptedResult = new ByteArrayOutputStream()  ) {
    encrypt(resourceStream, encryptedResult, password);
    encrypted = encryptedResult.toByteArray();
}

try (   InputStream encryptedSource = new ByteArrayInputStream(encrypted);
        OutputStream signedResult = response.getOutputStream()   ) {
    sign(encryptedSource, signedResult, "Signature", CryptoStandard.CADES, 0, false, password);
}