delphi实现数字签名
- 上周,另一部门需要支援解决数字签名问题。但因为之前也没做过,现学现卖。此方面可参考的中文资料较少,特作分享,方便查阅。
上周,另一部门需要支援解决数字签名问题。但因为之前也没做过,现学现卖。此方面可参考的中文资料较少,特作分享,方便查阅。
有关数字签名的概念、原理,这里就不做介绍了,请自行google或百度。
利用证书对文件进行签名,从证书来源看,可分为两种:1、软证书:就是将*.pfx文件导入到系统中,这意味着,只要登录到PC中的用户,均可以使用该证书;2、硬证书:通常将证书存放到uKey中(smart card),这样的好处是,只有拥有usb key的人才有权限使用该证书。
USB Key通常支持CryptToAPI——除非特殊安全需要,只公布使用自己的接口,不支持微软接口。由于使用CryptToAPI,使用起来较繁琐,微软提供了CAPICOM组件,方便开发。
不论是硬证书或软证书,只要支持CryptToAPI接口,那么CAPICOM均可使用。为此本次内容以CAPICOM,作为数字签名功能的基础。
动手之前,首先要熟悉数字签名的过程。通过分析,主要是两部分:数字签名(身份标识及防篡改)和数字信封;其实按业务流程,签名之前还有签章的过程(也就是通常的盖章);过程大致如下:
发送方
1、验证证书是否准备好?(若是硬证书,usbkey是否已插入;判断证书是否有效);
2、对文件进行签名;
3、对文件进行数字信封(公钥加密);
4、可选:填入CSP(加密服务提供商,通常是在USB Key当中)信息
接收方:
1、获取文件,读取CSP信息;
2、依据CSP信息,获取相关证书并验证;
3、利用证书进行数字解封;
4、签名验证,确认身份及文件的完整性(是否被篡改);
依据以上分析,程序可这样设计,由于USB Key可能支持CAPICOM,也可能不支持,所以,后续可能会有相应由多种方法去执行签名。可提取接口,来解除这样的依赖。
接口定义如下:
- IDigitalIntf = interface(IUNKNOWN)
- ['{78657307-FD4A-452F-91FF-956379A7F654}']
- //验证设备
- function VerifyUserAvailable: Boolean;
- //签名与数字信封加密
- function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;
- //数字信封解密与签名验证
- function Unpack(const sInPath: string; const sOutPath: string;
- bCreateDirectory: Boolean): Boolean;
- //获取数字指纹
- function GetThumbPrint: string;
- //获取证书信息
- function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
- end;
IDigitalIntf = interface(IUNKNOWN)
['{78657307-FD4A-452F-91FF-956379A7F654}']
//验证设备
function VerifyUserAvailable: Boolean;
//签名与数字信封加密
function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;
//数字信封解密与签名验证
function Unpack(const sInPath: string; const sOutPath: string;
bCreateDirectory: Boolean): Boolean;
//获取数字指纹
function GetThumbPrint: string;
//获取证书信息
function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
end;
CAPICOM实现类,构造如下:
- TDigital_CAPICOM = class(TInterfacedObject, IDigitalIntf)
- private
- FProviderName, FStoreName: string;
- function GetStoreByName(AStoreName: string): TStore;
- protected
- FStoreList: TStringList;
- ICert: ICertificate;
- ICert2: ICertificate2;
- FPublicKey: string;//公钥
- FPKLength: Integer;//算法长度
- FAlgType: string; // 算法类型
- {----------------------方法定义-----------------------}
- //证书库操作
- function OpenStore(AStoreName: string): TStore;
- procedure CloseStore;
- //获取证书接口
- procedure GetCertificate;
- //执行文件签名
- function SignedFile(const AFileName: string;
- EncodeType: CAPICOM_ENCODING_TYPE): Boolean;
- //验证文件签名
- function VerifySign(const AFileName: string): Boolean;
- //附加签名信息
- function AppendSignedContent(const AFileName, ASignedContent: string): Boolean;
- //分解签名信息
- function ExtractSignedContent(const AFileName: string): string;
- {-----------------------------------------------------}
- {---------------------属性定义------------------------}
- //CSP提供商
- property ProviderName : string read FProviderName;
- //证书存放位置
- property StoreName : string read FStoreName;
- {-----------------------------------------------------}
- public
- function VerifyUserAvailable: Boolean;
- function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;
- function Unpack(const sInPath: string; const sOutPath: string;
- bCreateDirectory: Boolean): Boolean;
- function GetThumbPrint: string;
- function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
- constructor Create(const StoreName, ProviderName: string); virtual;
- destructor Destroy; override;
- end;
TDigital_CAPICOM = class(TInterfacedObject, IDigitalIntf)
private
FProviderName, FStoreName: string;
function GetStoreByName(AStoreName: string): TStore;
protected
FStoreList: TStringList;
ICert: ICertificate;
ICert2: ICertificate2;
FPublicKey: string;//公钥
FPKLength: Integer;//算法长度
FAlgType: string; // 算法类型
{----------------------方法定义-----------------------}
//证书库操作
function OpenStore(AStoreName: string): TStore;
procedure CloseStore;
//获取证书接口
procedure GetCertificate;
//执行文件签名
function SignedFile(const AFileName: string;
EncodeType: CAPICOM_ENCODING_TYPE): Boolean;
//验证文件签名
function VerifySign(const AFileName: string): Boolean;
//附加签名信息
function AppendSignedContent(const AFileName, ASignedContent: string): Boolean;
//分解签名信息
function ExtractSignedContent(const AFileName: string): string;
{-----------------------------------------------------}
{---------------------属性定义------------------------}
//CSP提供商
property ProviderName : string read FProviderName;
//证书存放位置
property StoreName : string read FStoreName;
{-----------------------------------------------------}
public
function VerifyUserAvailable: Boolean;
function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;
function Unpack(const sInPath: string; const sOutPath: string;
bCreateDirectory: Boolean): Boolean;
function GetThumbPrint: string;
function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
constructor Create(const StoreName, ProviderName: string); virtual;
destructor Destroy; override;
end;
其实现代码去除了关键信息:
- function TDigital_CAPICOM.AppendSignedContent(const AFileName,
- ASignedContent: string): Boolean;
- var
- msSrc, ms1: TMemoryStream;
- iLen: Integer;
- sSignedData, sLength: string;
- BDA: TByteDynArray;
- begin
- if not FileExists(AFileName) then
- raise Exception.Create('文件"' + AFileName + '"不存在');
- //拼接签名信息
- sLength := IntToStr(Length(ASignedContent));
- sLength := FillChars(sLength, HashString_Length);
- sSignedData := HYMSignature + sLength + ASignedContent;
- BDA:= String2Byte(sSignedData);
- iLen := Length(sSignedData);
- msSrc := TMemoryStream.Create;
- ms1 := TMemoryStream.Create;
- try
- msSrc.LoadFromFile(AFileName);
- ms1.Write(BDA[0], iLen); //写入文件头信息
- ms1.Write(msSrc.Memory^, msSrc.Size); //把文件内容附加上
- ms1.SaveToFile(AFileName);
- finally
- ms1.Free;
- msSrc.Free;
- end;
- Result := True;
- end;
- procedure TDigital_CAPICOM.CloseStore;
- var
- vStore: TStore;
- iCnt: Integer;
- begin
- try
- for iCnt := 0 to FStoreList.Count - 1 do
- begin
- vStore := TStore(FStoreList.Objects[iCnt]);
- vStore.Disconnect;
- end;
- except
- raise Exception.Create('关闭密钥库失败!');
- end;
- end;
- constructor TDigital_CAPICOM.Create(const StoreName, ProviderName: string);
- begin
- CoInitialize(nil);
- FProviderName:= ProviderName;
- FStoreName := StoreName;
- FStoreList:= TStringlist.create;
- GetCertificate;
- end;
- destructor TDigital_CAPICOM.Destroy;
- begin
- FStoreList.Free;
- ICert := nil;
- ICert2:= nil;
- CoUninitialize;
- inherited;
- end;
- function TDigital_CAPICOM.ExtractSignedContent(
- const AFileName: string): string;
- var
- fs: TFileStream;
- iHeadLen, iContentLen, iPos: Integer;
- sContentLength: string;
- ms: TMemoryStream;
- BDA_Head, BDA_Cont: TByteDynArray;
- begin
- Result := '';
- if not FileExists(AFileName) then
- raise Exception.Create('文件"' + AFileName + '"不存在');
- iHeadLen := Length(HYMSignature) + HashString_Length;
- SetLength(BDA_Head, iHeadLen);
- ms:= TMemoryStream.Create;
- ms.LoadFromFile(AFileName);
- fs := TFileStream.Create(AFileName, fmCreate);
- try
- ms.Position:= 0;
- ms.Read(BDA_Head[0], iHeadLen);
- sContentLength := Byte2String(BDA_Head); //含有长度信息
- iPos := Pos(HYMSignature, sContentLength);
- if iPos > 0 then
- begin
- //取得长度
- iContentLen := StrToInt(Copy(sContentLength, Length(HYMSignature) + 1, MaxInt));
- SetLength(BDA_Cont, iContentLen);
- ms.Read(BDA_Cont[0], iContentLen);
- Result := Byte2String(BDA_Cont);
- //该位置之后的内容为真正需要的
- fs.CopyFrom(ms, ms.Size - ms.Position); //读取文件内容去除文件头部分
- fs.Position := 0;
- end
- finally
- ms.Free;
- fs.Free;
- end;
- end;
- function TDigital_CAPICOM.GetCertficateInfo(
- var ACertInfo: TStampInfo): Boolean;
- var
- iCnt: Integer;
- begin
- Result := True;
- if ICert <> nil then
- begin
- ACertInfo.PKAlg := FAlgType;
- ACertInfo.PKLength := FPKLength;
- for iCnt := 0 to Length(FPublicKey) - 1 do
- begin
- ACertInfo.PKContent[iCnt] := FPublicKey[iCnt + 1];
- end;
- ACertInfo.EndDate:= ICert.ValidToDate;
- ACertInfo.DispachTime:= ICert.ValidFromDate;
- end
- else
- result:= False;
- end;
- procedure TDigital_CAPICOM.GetCertificate;
- var
- vStore: TStore;
- iCnt: Integer;
- IBaseIntf: IInterface;
- ICert2Dsp: ICertificate2Disp;
- begin
- if ICert2 = nil then
- begin
- vStore := OpenStore(FStoreName);
- for iCnt := 1 to vStore.Certificates.Count do
- begin
- IBaseIntf := vStore.Certificates.Item[iCnt];
- try
- if IBaseIntf.QueryInterface(ICertificate2Disp, ICert2Dsp) = 0
- then
- begin
- //确认硬件是否连接
- if ICert2Dsp.HasPrivateKey then
- begin
- //确认是否为指定CSP提供商
- if ((FProviderName = CSPProvider_ePass) and
- ((ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_1K) or
- (ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_3K)))
- or (ICert2Dsp.PrivateKey.ProviderName = FProviderName)
- then
- begin
- IBaseIntf.QueryInterface(IID_ICertificate2, ICert2);
- IBaseIntf.QueryInterface(IID_ICertificate, ICert);
- FPublicKey:= ICert2Dsp.publickey.EncodedKey.Format(True);
- FPKLength:= ICert2Dsp.publickey.Length;
- FAlgType:= ICert2Dsp.publickey.Algorithm.FriendlyName;
- end;
- end;
- end;
- except
- //某些不支持CAPICOM的,会出现异常
- ICert2 := nil;
- end;
- end;
- end;
- end;
- function TDigital_CAPICOM.GetStoreByName(AStoreName: string): TStore;
- var
- i: integer;
- begin
- i := FStoreList.IndexOf(AStoreName);
- if i >= 0 then
- result := FStoreList.Objects[i] as Tstore
- else
- result := nil;
- end;
- function TDigital_CAPICOM.GetThumbPrint: string;
- begin
- Result := '';
- if ICert <> nil then
- Result := ICert.Thumbprint;
- end;
- function TDigital_CAPICOM.OpenStore(AStoreName: string): TStore;
- var
- vStore: TStore;
- begin
- vStore := self.GetStoreByName(AStoreName);
- if vStore = nil then
- try
- vStore := TStore.Create(nil);
- //默认为从CurrenUser读取, 后续可能会是CAPICOM_SMART_CARD_USER_STORE 智能卡
- vStore.Open(CAPICOM_CURRENT_USER_STORE, AStoreName,
- CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED or CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED
- or CAPICOM_STORE_OPEN_EXISTING_ONLY);
- self.FStoreList.AddObject(AStoreName, vStore);
- except
- on E:exception do
- raise exception.Create('无法打开密钥库!'+E.Message);
- end;
- Result := vStore;
- end;
- function TDigital_CAPICOM.Pack(const sInPath, sOutPath: string;
- bOverride: Boolean): Boolean;
- var
- EnvelopedData: IEnvelopedData;
- BUFFER: WideString;
- FileStm: TFileStream;
- iP, oP: string;
- begin
- ip:= StringReplace(sInPath, '\\', '\', [rfReplaceAll]);
- op:= StringReplace(sOutPath, '\\', '\', [rfReplaceAll]);
- Result := True;
- EnvelopedData := CoEnvelopedData.Create;
- //指定采用的CSP算法类型
- EnvelopedData.Algorithm.Name := Algorithm;
- //指定加密长度
- EnvelopedData.Algorithm.KeyLength := EnLength;
- try
- //获取证书接口
- GetCertificate;
- //目前sInPath是一个文件夹,先压缩,再解密
- Files2ZipArchive(ip, op, RZipPassWd);
- //执行签名
- SignedFile(op, CAPICOM_ENCODE_BASE64);
- //获取要加密的内容
- FileStm := TFileStream.Create(sOutPath, fmOpenRead);
- try
- Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);
- FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);
- EnvelopedData.Content:= Buffer;
- finally
- FileStm.Free;
- end;
- //基于64位编码加密
- EnvelopedData.Recipients.Add(ICert2);
- Buffer:= EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64);
- //输出加密内容
- FileStm := TFileStream.Create(sOutPath, fmCreate);
- try
- FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));
- finally
- FileStm.Free;
- end;
- except
- Result := False;
- end;
- end;
- function TDigital_CAPICOM.SignedFile(const AFileName: string;
- EncodeType: CAPICOM_ENCODING_TYPE): Boolean;
- var
- Signer: ISigner2;
- SignedData: ISignedData;
- HashString: string;
- SignedContent: WideString;
- begin
- Result := True;
- try
- GetCertificate;
- //获取文件哈希值
- HashString:= GetFileHash(AFileName);
- //构建 签名者
- Signer := CoSigner.Create;
- Signer.Certificate := ICert2;
- //构建 数据签名对象
- SignedData := CoSignedData.Create;
- //执行签名
- SignedData.Content:= HashString;
- SignedContent := SignedData.Sign(Signer, False, EncodeType);
- //附加签名信息
- AppendSignedContent(AFileName, SignedContent);
- except
- Result := False;
- end;
- end;
- function TDigital_CAPICOM.Unpack(const sInPath, sOutPath: string;
- bCreateDirectory: Boolean): Boolean;
- var
- EnvelopedData: IEnvelopedData;
- BUFFER: WideString;
- FileStm: TFileStream;
- vDecryptFileName: string;
- begin
- Result := True;
- EnvelopedData := CoEnvelopedData.Create;
- //指定采用的CSP算法类型
- EnvelopedData.Algorithm.Name := Algorithm;
- //指定加密长度
- EnvelopedData.Algorithm.KeyLength := EnLength;
- try
- //获取数字证书接口
- GetCertificate;
- //关联证书以解密
- EnvelopedData.Recipients.Add(ICert2);
- //获取加密内容
- FileStm := TFileStream.Create(sInPath, fmOpenRead );
- try
- Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);
- FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);
- finally
- FileStm.Free;
- end;
- //解密
- EnvelopedData.Decrypt(Buffer);
- Buffer:= EnvelopedData.Content;
- //输出解密内容
- vDecryptFileName:= sOutPath + ExtractFileName(sInPath);
- FileStm := TFileStream.Create(vDecryptFileName, fmCreate);
- try
- FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));
- finally
- FileStm.Free;
- end;
- //验证签名
- VerifySign(vDecryptFileName);
- //因为有压缩,再解压 ZipArchive2Files
- ZipArchive2Files(vDecryptFileName, sOutPath, RZipPassWd);
- DeleteFile(PAnsiChar(vDecryptFileName));
- except
- Result := False;
- end;
- end;
- function TDigital_CAPICOM.VerifySign(const AFileName: string): Boolean;
- var
- SignedData: ISignedData;
- HashString: WideString;
- ASignedContent: string;
- begin
- Result := True;
- try
- GetCertificate;
- //先获取签名信息,因为会做信息分离,还原出加上签名前的数据
- ASignedContent:= ExtractSignedContent(AFileName);
- //获取文件哈希值
- HashString:= GetFileHash(AFileName);
- //构建 数据签名对象
- SignedData := CoSignedData.Create;
- SignedData.Content := HashString;
- //执行检查
- SignedData.Verify(ASignedContent, False, CAPICOM_VERIFY_SIGNATURE_ONLY);
- except
- Result := False;
- Raise Exception.Create('数字签名校验失败!');
- end;
- end;
- function TDigital_CAPICOM.VerifyUserAvailable: Boolean;
- begin
- Result := False;
- if (ICert2 <> nil) and ICert2.HasPrivateKey then
- Result:= True;
- end;
function TDigital_CAPICOM.AppendSignedContent(const AFileName,
ASignedContent: string): Boolean;
var
msSrc, ms1: TMemoryStream;
iLen: Integer;
sSignedData, sLength: string;
BDA: TByteDynArray;
begin
if not FileExists(AFileName) then
raise Exception.Create('文件"' + AFileName + '"不存在');
//拼接签名信息
sLength := IntToStr(Length(ASignedContent));
sLength := FillChars(sLength, HashString_Length);
sSignedData := HYMSignature + sLength + ASignedContent;
BDA:= String2Byte(sSignedData);
iLen := Length(sSignedData);
msSrc := TMemoryStream.Create;
ms1 := TMemoryStream.Create;
try
msSrc.LoadFromFile(AFileName);
ms1.Write(BDA[0], iLen); //写入文件头信息
ms1.Write(msSrc.Memory^, msSrc.Size); //把文件内容附加上
ms1.SaveToFile(AFileName);
finally
ms1.Free;
msSrc.Free;
end;
Result := True;
end;
procedure TDigital_CAPICOM.CloseStore;
var
vStore: TStore;
iCnt: Integer;
begin
try
for iCnt := 0 to FStoreList.Count - 1 do
begin
vStore := TStore(FStoreList.Objects[iCnt]);
vStore.Disconnect;
end;
except
raise Exception.Create('关闭密钥库失败!');
end;
end;
constructor TDigital_CAPICOM.Create(const StoreName, ProviderName: string);
begin
CoInitialize(nil);
FProviderName:= ProviderName;
FStoreName := StoreName;
FStoreList:= TStringlist.create;
GetCertificate;
end;
destructor TDigital_CAPICOM.Destroy;
begin
FStoreList.Free;
ICert := nil;
ICert2:= nil;
CoUninitialize;
inherited;
end;
function TDigital_CAPICOM.ExtractSignedContent(
const AFileName: string): string;
var
fs: TFileStream;
iHeadLen, iContentLen, iPos: Integer;
sContentLength: string;
ms: TMemoryStream;
BDA_Head, BDA_Cont: TByteDynArray;
begin
Result := '';
if not FileExists(AFileName) then
raise Exception.Create('文件"' + AFileName + '"不存在');
iHeadLen := Length(HYMSignature) + HashString_Length;
SetLength(BDA_Head, iHeadLen);
ms:= TMemoryStream.Create;
ms.LoadFromFile(AFileName);
fs := TFileStream.Create(AFileName, fmCreate);
try
ms.Position:= 0;
ms.Read(BDA_Head[0], iHeadLen);
sContentLength := Byte2String(BDA_Head); //含有长度信息
iPos := Pos(HYMSignature, sContentLength);
if iPos > 0 then
begin
//取得长度
iContentLen := StrToInt(Copy(sContentLength, Length(HYMSignature) + 1, MaxInt));
SetLength(BDA_Cont, iContentLen);
ms.Read(BDA_Cont[0], iContentLen);
Result := Byte2String(BDA_Cont);
//该位置之后的内容为真正需要的
fs.CopyFrom(ms, ms.Size - ms.Position); //读取文件内容去除文件头部分
fs.Position := 0;
end
finally
ms.Free;
fs.Free;
end;
end;
function TDigital_CAPICOM.GetCertficateInfo(
var ACertInfo: TStampInfo): Boolean;
var
iCnt: Integer;
begin
Result := True;
if ICert <> nil then
begin
ACertInfo.PKAlg := FAlgType;
ACertInfo.PKLength := FPKLength;
for iCnt := 0 to Length(FPublicKey) - 1 do
begin
ACertInfo.PKContent[iCnt] := FPublicKey[iCnt + 1];
end;
ACertInfo.EndDate:= ICert.ValidToDate;
ACertInfo.DispachTime:= ICert.ValidFromDate;
end
else
result:= False;
end;
procedure TDigital_CAPICOM.GetCertificate;
var
vStore: TStore;
iCnt: Integer;
IBaseIntf: IInterface;
ICert2Dsp: ICertificate2Disp;
begin
if ICert2 = nil then
begin
vStore := OpenStore(FStoreName);
for iCnt := 1 to vStore.Certificates.Count do
begin
IBaseIntf := vStore.Certificates.Item[iCnt];
try
if IBaseIntf.QueryInterface(ICertificate2Disp, ICert2Dsp) = 0
then
begin
//确认硬件是否连接
if ICert2Dsp.HasPrivateKey then
begin
//确认是否为指定CSP提供商
if ((FProviderName = CSPProvider_ePass) and
((ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_1K) or
(ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_3K)))
or (ICert2Dsp.PrivateKey.ProviderName = FProviderName)
then
begin
IBaseIntf.QueryInterface(IID_ICertificate2, ICert2);
IBaseIntf.QueryInterface(IID_ICertificate, ICert);
FPublicKey:= ICert2Dsp.publickey.EncodedKey.Format(True);
FPKLength:= ICert2Dsp.publickey.Length;
FAlgType:= ICert2Dsp.publickey.Algorithm.FriendlyName;
end;
end;
end;
except
//某些不支持CAPICOM的,会出现异常
ICert2 := nil;
end;
end;
end;
end;
function TDigital_CAPICOM.GetStoreByName(AStoreName: string): TStore;
var
i: integer;
begin
i := FStoreList.IndexOf(AStoreName);
if i >= 0 then
result := FStoreList.Objects[i] as Tstore
else
result := nil;
end;
function TDigital_CAPICOM.GetThumbPrint: string;
begin
Result := '';
if ICert <> nil then
Result := ICert.Thumbprint;
end;
function TDigital_CAPICOM.OpenStore(AStoreName: string): TStore;
var
vStore: TStore;
begin
vStore := self.GetStoreByName(AStoreName);
if vStore = nil then
try
vStore := TStore.Create(nil);
//默认为从CurrenUser读取, 后续可能会是CAPICOM_SMART_CARD_USER_STORE 智能卡
vStore.Open(CAPICOM_CURRENT_USER_STORE, AStoreName,
CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED or CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED
or CAPICOM_STORE_OPEN_EXISTING_ONLY);
self.FStoreList.AddObject(AStoreName, vStore);
except
on E:exception do
raise exception.Create('无法打开密钥库!'+E.Message);
end;
Result := vStore;
end;
function TDigital_CAPICOM.Pack(const sInPath, sOutPath: string;
bOverride: Boolean): Boolean;
var
EnvelopedData: IEnvelopedData;
BUFFER: WideString;
FileStm: TFileStream;
iP, oP: string;
begin
ip:= StringReplace(sInPath, '\\', '\', [rfReplaceAll]);
op:= StringReplace(sOutPath, '\\', '\', [rfReplaceAll]);
Result := True;
EnvelopedData := CoEnvelopedData.Create;
//指定采用的CSP算法类型
EnvelopedData.Algorithm.Name := Algorithm;
//指定加密长度
EnvelopedData.Algorithm.KeyLength := EnLength;
try
//获取证书接口
GetCertificate;
//目前sInPath是一个文件夹,先压缩,再解密
Files2ZipArchive(ip, op, RZipPassWd);
//执行签名
SignedFile(op, CAPICOM_ENCODE_BASE64);
//获取要加密的内容
FileStm := TFileStream.Create(sOutPath, fmOpenRead);
try
Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);
FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);
EnvelopedData.Content:= Buffer;
finally
FileStm.Free;
end;
//基于64位编码加密
EnvelopedData.Recipients.Add(ICert2);
Buffer:= EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64);
//输出加密内容
FileStm := TFileStream.Create(sOutPath, fmCreate);
try
FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));
finally
FileStm.Free;
end;
except
Result := False;
end;
end;
function TDigital_CAPICOM.SignedFile(const AFileName: string;
EncodeType: CAPICOM_ENCODING_TYPE): Boolean;
var
Signer: ISigner2;
SignedData: ISignedData;
HashString: string;
SignedContent: WideString;
begin
Result := True;
try
GetCertificate;
//获取文件哈希值
HashString:= GetFileHash(AFileName);
//构建 签名者
Signer := CoSigner.Create;
Signer.Certificate := ICert2;
//构建 数据签名对象
SignedData := CoSignedData.Create;
//执行签名
SignedData.Content:= HashString;
SignedContent := SignedData.Sign(Signer, False, EncodeType);
//附加签名信息
AppendSignedContent(AFileName, SignedContent);
except
Result := False;
end;
end;
function TDigital_CAPICOM.Unpack(const sInPath, sOutPath: string;
bCreateDirectory: Boolean): Boolean;
var
EnvelopedData: IEnvelopedData;
BUFFER: WideString;
FileStm: TFileStream;
vDecryptFileName: string;
begin
Result := True;
EnvelopedData := CoEnvelopedData.Create;
//指定采用的CSP算法类型
EnvelopedData.Algorithm.Name := Algorithm;
//指定加密长度
EnvelopedData.Algorithm.KeyLength := EnLength;
try
//获取数字证书接口
GetCertificate;
//关联证书以解密
EnvelopedData.Recipients.Add(ICert2);
//获取加密内容
FileStm := TFileStream.Create(sInPath, fmOpenRead );
try
Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);
FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);
finally
FileStm.Free;
end;
//解密
EnvelopedData.Decrypt(Buffer);
Buffer:= EnvelopedData.Content;
//输出解密内容
vDecryptFileName:= sOutPath + ExtractFileName(sInPath);
FileStm := TFileStream.Create(vDecryptFileName, fmCreate);
try
FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));
finally
FileStm.Free;
end;
//验证签名
VerifySign(vDecryptFileName);
//因为有压缩,再解压 ZipArchive2Files
ZipArchive2Files(vDecryptFileName, sOutPath, RZipPassWd);
DeleteFile(PAnsiChar(vDecryptFileName));
except
Result := False;
end;
end;
function TDigital_CAPICOM.VerifySign(const AFileName: string): Boolean;
var
SignedData: ISignedData;
HashString: WideString;
ASignedContent: string;
begin
Result := True;
try
GetCertificate;
//先获取签名信息,因为会做信息分离,还原出加上签名前的数据
ASignedContent:= ExtractSignedContent(AFileName);
//获取文件哈希值
HashString:= GetFileHash(AFileName);
//构建 数据签名对象
SignedData := CoSignedData.Create;
SignedData.Content := HashString;
//执行检查
SignedData.Verify(ASignedContent, False, CAPICOM_VERIFY_SIGNATURE_ONLY);
except
Result := False;
Raise Exception.Create('数字签名校验失败!');
end;
end;
function TDigital_CAPICOM.VerifyUserAvailable: Boolean;
begin
Result := False;
if (ICert2 <> nil) and ICert2.HasPrivateKey then
Result:= True;
end;
另外,还需要一个管理类,目的是解除依赖,这里就不说明了。
功能的实现,通过google,不论你了解或不了解,都可以得到较多信息,帮助实现。更多的还是在于怎么去设计?怎么让后续的开发人员更容易维护?
这里面有个与证书接口相关的问题,比如在GetCertificate,里面有判断PrivateKey,必须使用Disp接口,直接用ICertificate,会出现地址错误。具体原因,还待查证。有谁知道的,还请你指点指点。谢谢!
