c# - 使用 iTextSharp 库提取 pdf 文件中包含的签名图像

Question

我有一个签名的 PDF 文件。通过使用 iTextSharp 库的此功能，我找到了证书 p7m 签名:

        private void GetSignature(string FileName)
    {
        AcroFields acroFields = new PdfReader(FileName).AcroFields;
        List<string> names = acroFields.GetSignatureNames();

        foreach (var name in names)
        {
            PdfDictionary dict = acroFields.GetSignatureDictionary(name);
            PdfString contents = (PdfString)PdfReader.GetPdfObject(dict.Get(PdfName.CONTENTS));

            byte[] PKCS7 = contents.GetOriginalBytes();
            ByteArrayToFile(@"c:\signature\" + name + ".p7m", PKCS7);

        }
    }

现在...如何提取与签名关联的图像(位图)？是否可以？谢谢，路易吉

Answer 1

在您的示例文档中，术语签名适用于三个方面:

1. 它包含符合 PDF 规范的数字签名 ISO 32000-1:2008 .
2. 相应的可视化包含手写签名的位图图像。
3. 相应的签名字典包含将所有签名数据添加到 PDF 的软件的专有信息。这些专有信息很可能包含 OP 评论中提到的生物识别数据。

根据创建这些多级签名的软件制造商的说法，手写签名似乎是主要的身份证明。数字版仅用于保护文档不被更改；它不一定反射(reflect)了手动签名的人的身份，而不是创建该手动签名的设备的所有者(“请在此处签名表示您收到了包裹”):

Functions

Handwritten Signature Capturing - Forensically identifiable signatures on signature pads, payment terminals, the iPad or Android devices.

Signature Verification - Compare a handwritten signature against a pre-enrolled profile.

Control all steps in the signing process - Including positioning signature fields, filling out forms, adding annotations, adding attachments, and much more.

Protects the Integrity of Documents - By sealing them with a digital signature.

(xyzmo English website start page)

关于使用 iText 提取所有这些信息...

1. 可以使用 AcroFields 类的签名相关方法轻松提取和验证数字签名的属性，正如 OP 已经观察到的那样。
2. 手写签名的位图图像也可以很容易地提取出来。签名表单字段字典的外观流仅绘制作为资源附加到流的位图。
3. 也可以提取包含专有信息的数据容器，因为它只是签名字典中另一个 key 的值。
4. 不幸的是，该数据容器的内容被打包到一个自称为EncryptedSignatureDataContainer 的XML 片段中。这个 XML 片段的有效载荷数据是否可以被正确解密以及如何解释它是 xyzmo 人自己要求的信息，我不知道他们是否认为这些信息是公开的。

因此，最相关的信息是最难访问的信息。

PS 关于加密生物识别负载的解密，我在制造商的网站上发现了以下内容:

The document contains a captured signature that has been encrypted (RSA 4096 + AES256). A person’s signature is encrypted immediately as it is captured by the signature pad, using the private key of a special certificate. This special certificate is selected by the company using the xyzmo suite, and is typically stored in a secure environment outside the company (bank safe, external notary, etc.). Thus, xyzmo itself has NO access to this certificate. For the encryption of signatures, the xyzmo suite just needs the public key of the certificate. It is only for decryption, and the extraction of signatures from a document, that the private key is required. Only specific people, to whom the company has granted access to this certificate, will be able to decrypt the profile using the PenAnalyst tool, which is provided as part of the suite.

(xyzmo English website Digital Signature Capture FAQ's)

因此，要解密生物识别数据，您必须有权访问相应的私钥，这些私钥通常存储在公司外部的安全环境(银行保险箱、外部公证人等)中。如果你有那种访问权限，我们可能会继续讨论那些解密数据的格式......;)

顺便说一句，如果任何人都可以简单地从签名的文档中检索生物特征数据，那么很容易将这些数据复制到其他文档以伪造签名。

提取手写签名的位图图像

由于对手写签名的位图图像的提取特别感兴趣，这里有一个快速而肮脏的助手来提取签名的图像。如前所述，我用 Java 来做，因为我在那里更自在:

public class XyzmoSignatureDataExtractor
{
    public XyzmoSignatureDataExtractor(PdfReader reader)
    {
        this.reader = reader;
    }

    public PdfImageObject extractImage(String signatureName) throws IOException
    {
        MyImageRenderListener listener = new MyImageRenderListener();

        PdfDictionary sigFieldDic = reader.getAcroFields().getFieldItem(signatureName).getMerged(0);
        PdfDictionary appearancesDic = sigFieldDic.getAsDict(PdfName.AP);
        PdfStream normalAppearance = appearancesDic.getAsStream(PdfName.N);

        PdfDictionary resourcesDic = normalAppearance.getAsDict(PdfName.RESOURCES);
    
        PdfContentStreamProcessor processor = new PdfContentStreamProcessor(listener);
        processor.processContent(ContentByteUtils.getContentBytesFromContentObject(normalAppearance), resourcesDic);        

        return listener.image;
    }

    class MyImageRenderListener implements RenderListener
    {
        public void beginTextBlock() { }

        public void endTextBlock() { }

        public void renderImage(ImageRenderInfo renderInfo)
        {
            try
            {
                image = renderInfo.getImage();
            }
            catch (IOException e)
            {
                throw new RuntimeException("Failure retrieving image", e);
            }
        }

        public void renderText(TextRenderInfo renderInfo) { }

        PdfImageObject image = null;
    }

    final PdfReader reader;
}

你可以这样使用它:

PdfReader reader = new PdfReader(resourceStream);
XyzmoSignatureDataExtractor extractor = new XyzmoSignatureDataExtractor(reader);
AcroFields acroFields = reader.getAcroFields();

for (String name: acroFields.getSignatureNames())
{
    System.out.printf("\nTesting signature '%s'.\n", name);
    PdfImageObject image = extractor.extractImage(name);

    OutputStream os = new FileOutputStream("target/test-outputs/SampleXyzmoSignature-image-" + name + "." + image.getFileType());
    os.write(image.getImageAsBytes());
    os.close();

    PdfDictionary imageDictionary = image.getDictionary();
    PRStream maskStream = (PRStream) imageDictionary.getAsStream(PdfName.SMASK);
    if (maskStream != null)
    {
        PdfImageObject maskImage = new PdfImageObject(maskStream);

        os = new FileOutputStream("target/test-outputs/SampleXyzmoSignature-image-" + name + "-mask." + maskImage.getFileType());
        os.write(maskImage.getImageAsBytes());
        os.close();
    }
}

警告:XyzmoSignatureDataExtractor 类确实是一个快速而肮脏的 hack。做出了许多假设，null - 检查被排除在外，...