【Question title】: How to check if the digital signature of a signed document was signed by a trusted certificate?
【Posted】: 2016-07-06 13:50:04
【Question】:

I developed an application that works with PDF documents, and I need to know whether my document was signed with a trusted signature. I use iTextSharp to get the information, but I don't know how to check the validity of the signature.

    using iTextSharp.text.pdf;

    var pdfReader = new PdfReader(document.FilePath);
    var acroFields = pdfReader.AcroFields;
    var names = acroFields.GetSignatureNames();

    foreach (var name in names)
    {
        var signatureName = name as string;
        var pk = acroFields.VerifySignature(signatureName); // PdfPKCS7 for this signature field
        var signatureIsValid = false;
        foreach (var certificate in pk.Certificates)
        {
            // Only checks the validity period of each certificate; the value is
            // overwritten on every iteration, so only the last certificate counts.
            signatureIsValid = certificate.IsValidNow;
        }
    }

The document in the screenshot below has two digital signatures, but they were signed without trusted certificates. I need to show the user a message like this.

【Question comments】:

  • You check all of pk.Certificates. That is not necessary; a signature may carry more certificates than are needed to build the signer's chain. So, as @fatherOfWine showed in his answer, pick the signer certificate, build its chain and check that chain.

Tags: c# pdf itext digital-signature


【Solution 1】:

To check for a trusted authority you need to have the trusted CA certificate to check against. If you have one, you can use code like this to check whether the certificate comes from the trusted authority you expect:

    using System;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;

    X509Certificate2 authorityCert = GetAuthorityCertificate(); // your loader for the trusted CA certificate
    X509Certificate2 certificateToCheck = GetYourCertificate(); // your loader for the signer certificate

    X509Chain chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
    // Lets Build() succeed for a root that is not in the Windows trust store,
    // which is why the explicit thumbprint comparison below is required.
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
    chain.ChainPolicy.VerificationTime = DateTime.Now;
    chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);

    // Adding your CA root to the chain
    chain.ChainPolicy.ExtraStore.Add(authorityCert);

    bool isChainValid = chain.Build(certificateToCheck);
    if (!isChainValid)
    {
        // Ok, let's see what is wrong...
        string[] errors = chain.ChainStatus
            .Select(m => $"{m.StatusInformation.Trim()}, status: {m.Status}")
            .ToArray();

        string certificateErrors = "Error occurred during checking certificate.";
        if (errors != null && errors.Length > 0)
            certificateErrors = string.Join(" \n", errors);

        throw new ApplicationException("Trust chain is not from known authority. Errors: " + certificateErrors);
    }

    // Let's see if our chain actually contains the known root you are checking for
    if (!chain.ChainElements
        .Cast<X509ChainElement>()
        .Any(m => m.Certificate.Thumbprint == authorityCert.Thumbprint))
        throw new ApplicationException("Could not locate CA root! Thumbprints did not match.");
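Putting the comment on the question and this answer together, as an added example that is not code from the question, the answer or iTextSharp itself: the signer certificate is taken from the PdfPKCS7 object, signature integrity is checked before trust, and the chain is built against a caller-supplied trusted root whose thumbprint is then pinned. It assumes iTextSharp 5.x (where PdfPKCS7 exposes SigningCertificate, SignDate and Verify()) and that the caller has already loaded trustedRoot.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security; // PdfPKCS7 lives here in iTextSharp 5.x (assumed version)

public static class PdfSignatureTrust
{
    // True only if every signature is intact, covers the whole document, and its signer
    // certificate chains to trustedRoot. Build() is run with AllowUnknownCertificateAuthority,
    // so it succeeds for ANY self-signed root; the thumbprint comparison is what pins the root.
    public static bool AllSignaturesTrusted(string pdfPath, X509Certificate2 trustedRoot, out string report)
    {
        var fields = new PdfReader(pdfPath).AcroFields;
        var names = fields.GetSignatureNames();
        var lines = new List<string>();
        bool allOk = names.Count > 0; // an unsigned document is not "trusted"

        foreach (string name in names)
        {
            PdfPKCS7 pk = fields.VerifySignature(name);
            // 1. Integrity: the signed byte range still hashes to what was signed.
            bool intact = pk.Verify();
            bool coversAll = fields.SignatureCoversWholeDocument(name); // later revisions could add content

            // 2. Use the signer certificate only; the CMS blob may carry unrelated certificates.
            var signer = new X509Certificate2(pk.SigningCertificate.GetEncoded());
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline check; add CRL/OCSP in production
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.VerificationTime = pk.SignDate; // signer-claimed time: only reliable with a timestamp token
            chain.ChainPolicy.ExtraStore.Add(trustedRoot);
            foreach (var c in pk.Certificates) // intermediates shipped inside the signature
                chain.ChainPolicy.ExtraStore.Add(new X509Certificate2(c.GetEncoded()));
            // 3. The last chain element is the root Build() ended at; it must be OUR root.
            bool built = chain.Build(signer);
            string rootThumb = built ? chain.ChainElements[chain.ChainElements.Count - 1].Certificate.Thumbprint : "";
            bool trusted = built && string.Equals(rootThumb, trustedRoot.Thumbprint, StringComparison.OrdinalIgnoreCase);

            bool ok = intact && coversAll && trusted;
            allOk &= ok;
            string status = built ? "" : " (" + string.Join("; ", chain.ChainStatus.Select(s => s.Status)) + ")";
            lines.Add($"{name}: intact={intact}, coversWholeDocument={coversAll}, trustedRoot={trusted}{status}");
        }

        report = string.Join(Environment.NewLine, lines);
        return allOk;
    }
}
```

The report string gives the per-signature reason when the result is false, which is what the question wants to show the user.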

【Discussion】:
