delphi实现数字签名

http://blog.csdn.net/avan_lau/article/details/7367480

[delphi] view plaincopyprint?

1. 上周，另一部门需要支援解决数字签名问题。但因为之前也没做过，现学现卖。此方面可参考的中文资料较少，特作分享，方便查阅。

    上周，另一部门需要支援解决数字签名问题。但因为之前也没做过，现学现卖。此方面可参考的中文资料较少，特作分享，方便查阅。

有关数字签名的概念、原理，这里就不做介绍了，请自行google或百度。

利用证书对文件进行签名，从证书来源看，可分为两种：1、软证书：就是将*.pfx文件导入到系统中，这意味着，只要登录到PC中的用户，均可以使用该证书；2、硬证书：通常将证书存放到uKey中（smart
card），这样的好处是，只有拥有usb key的人才有权限使用该证书。

USB
Key通常支持CryptToAPI——除非特殊安全需要，只公布使用自己的接口，不支持微软接口。由于使用CryptToAPI，使用起来较繁琐，微软提供了CAPICOM组件，方便开发。

不论是硬证书或软证书，只要支持CryptToAPI接口，那么CAPICOM均可使用。为此本次内容以CAPICOM，作为数字签名功能的基础。

动手之前，首先要熟悉数字签名的过程。通过分析，主要是两部分：数字签名（身份标识及防篡改）和数字信封；其实按业务流程，签名之前还有签章的过程（也就是通常的盖章）；过程大致如下：

发送方

1、验证证书是否准备好？（若是硬证书，usbkey是否已插入；判断证书是否有效）；

2、对文件进行签名；

3、对文件进行数字信封（公钥加密）；

4、可选：填入CSP（加密服务提供商，通常是在USB Key当中）信息

接收方：

1、获取文件，读取CSP信息；

2、依据CSP信息，获取相关证书并验证；

3、利用证书进行数字解封；

4、签名验证，确认身份及文件的完整性（是否被篡改）；

依据以上分析，程序可这样设计，由于USB
Key可能支持CAPICOM，也可能不支持，所以，后续可能会有相应由多种方法去执行签名。可提取接口，来解除这样的依赖。

接口定义如下：

[delphi] view plaincopyprint?

1. IDigitalIntf = interface(IUNKNOWN)


2. [‘{78657307-FD4A-452F-91FF-956379A7F654}‘]


3. //验证设备


4. function VerifyUserAvailable: Boolean;


5. //签名与数字信封加密


6. function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;


7. //数字信封解密与签名验证


8. function Unpack(const sInPath: string; const sOutPath: string;


9. bCreateDirectory: Boolean): Boolean;


10. //获取数字指纹


11. function GetThumbPrint: string;


12. //获取证书信息


13. function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;


14. end;

  IDigitalIntf = interface(IUNKNOWN)

  [‘{78657307-FD4A-452F-91FF-956379A7F654}‘]

    //验证设备

    function VerifyUserAvailable: Boolean;

    //签名与数字信封加密

    function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;

    //数字信封解密与签名验证

    function Unpack(const sInPath: string; const sOutPath: string;

                        bCreateDirectory: Boolean): Boolean;

    //获取数字指纹

    function GetThumbPrint: string;

    //获取证书信息

    function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;

  end;

CAPICOM实现类，构造如下：

[delphi] view plaincopyprint?

1. TDigital_CAPICOM = class(TInterfacedObject, IDigitalIntf)


2. private


3. FProviderName, FStoreName: string;
4. function GetStoreByName(AStoreName: string): TStore;


5. protected


6. FStoreList: TStringList;


7. ICert: ICertificate;


8. ICert2: ICertificate2;


9. FPublicKey: string;//公钥


10. FPKLength: Integer;//算法长度


11. FAlgType: string; // 算法类型


12. {----------------------方法定义-----------------------}


13. //证书库操作


14. function OpenStore(AStoreName: string): TStore;


15. procedure CloseStore;


16. //获取证书接口


17. procedure GetCertificate;


18. //执行文件签名


19. function SignedFile(const AFileName: string;


20. EncodeType: CAPICOM_ENCODING_TYPE): Boolean;


21. //验证文件签名


22. function VerifySign(const AFileName: string): Boolean;


23. //附加签名信息


24. function AppendSignedContent(const AFileName, ASignedContent: string): Boolean;


25. //分解签名信息


26. function ExtractSignedContent(const AFileName: string): string;


27. {-----------------------------------------------------}


28. {---------------------属性定义------------------------}


29. //CSP提供商


30. property ProviderName : string read FProviderName;


31. //证书存放位置


32. property StoreName : string read FStoreName;


33. {-----------------------------------------------------}


34. public


35. function VerifyUserAvailable: Boolean;


36. function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;


37. function Unpack(const sInPath: string; const sOutPath: string;


38. bCreateDirectory: Boolean): Boolean;


39. function GetThumbPrint: string;


40. function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
41. constructor Create(const StoreName, ProviderName: string); virtual;


42. destructor Destroy; override;


43. end;

  TDigital_CAPICOM = class(TInterfacedObject, IDigitalIntf)

  private

    FProviderName, FStoreName: string;

function GetStoreByName(AStoreName: string): TStore;

  protected

    FStoreList: TStringList;

    ICert: ICertificate;

    ICert2: ICertificate2;

    FPublicKey: string;//公钥

    FPKLength: Integer;//算法长度

    FAlgType: string; // 算法类型

    {----------------------方法定义-----------------------}

    //证书库操作

    function OpenStore(AStoreName: string): TStore;

    procedure CloseStore;

    //获取证书接口

    procedure GetCertificate;

    //执行文件签名

    function SignedFile(const AFileName: string;

      EncodeType: CAPICOM_ENCODING_TYPE): Boolean;

    //验证文件签名

    function VerifySign(const AFileName: string): Boolean;

    //附加签名信息

    function AppendSignedContent(const AFileName, ASignedContent: string): Boolean;

    //分解签名信息

    function ExtractSignedContent(const AFileName: string): string;

    {-----------------------------------------------------}

    {---------------------属性定义------------------------}

    //CSP提供商

    property ProviderName : string read FProviderName;

    //证书存放位置

    property StoreName : string read FStoreName;

    {-----------------------------------------------------}

  public

    function VerifyUserAvailable: Boolean;

    function Pack(const sInPath: string; const sOutPath: string; bOverride: Boolean): Boolean;

    function Unpack(const sInPath: string; const sOutPath: string;

                        bCreateDirectory: Boolean): Boolean;

    function GetThumbPrint: string;

    function GetCertficateInfo(var ACertInfo: TStampInfo): Boolean;
constructor Create(const StoreName, ProviderName: string); virtual;

    destructor Destroy; override;

  end; 

其实现代码去除了关键信息：

[delphi] view plaincopyprint?

[delphi] view plaincopyprint?

1. function TDigital_CAPICOM.AppendSignedContent(const AFileName,


2. ASignedContent: string): Boolean;


3. var


4. msSrc, ms1: TMemoryStream;


5. iLen: Integer;


6. sSignedData, sLength: string;


7. BDA: TByteDynArray;


8. begin


9. if not FileExists(AFileName) then


10. raise Exception.Create(‘文件"‘ + AFileName + ‘"不存在‘);


11. //拼接签名信息


12. sLength := IntToStr(Length(ASignedContent));


13. sLength := FillChars(sLength, HashString_Length);


14. sSignedData := HYMSignature + sLength + ASignedContent;


15. BDA:= String2Byte(sSignedData);


16. iLen := Length(sSignedData);
17. msSrc := TMemoryStream.Create;


18. ms1 := TMemoryStream.Create;


19. try


20. msSrc.LoadFromFile(AFileName);


21. ms1.Write(BDA[0], iLen); //写入文件头信息


22. ms1.Write(msSrc.Memory^, msSrc.Size); //把文件内容附加上


23. ms1.SaveToFile(AFileName);


24. finally


25. ms1.Free;


26. msSrc.Free;


27. end;


28. Result := True;


29. end;
30. procedure TDigital_CAPICOM.CloseStore;


31. var


32. vStore: TStore;


33. iCnt: Integer;


34. begin


35. try


36. for iCnt := 0 to FStoreList.Count - 1 do


37. begin


38. vStore := TStore(FStoreList.Objects[iCnt]);


39. vStore.Disconnect;


40. end;


41. except


42. raise Exception.Create(‘关闭密钥库失败！‘);


43. end;


44. end;
45. constructor TDigital_CAPICOM.Create(const StoreName, ProviderName: string);


46. begin


47. CoInitialize(nil);


48. FProviderName:= ProviderName;


49. FStoreName := StoreName;


50. FStoreList:= TStringlist.create;


51. GetCertificate;


52. end;
53. destructor TDigital_CAPICOM.Destroy;


54. begin


55. FStoreList.Free;


56. ICert := nil;


57. ICert2:= nil;


58. CoUninitialize;


59. inherited;


60. end;
61. function TDigital_CAPICOM.ExtractSignedContent(


62. const AFileName: string): string;


63. var


64. fs: TFileStream;


65. iHeadLen, iContentLen, iPos: Integer;


66. sContentLength: string;


67. ms: TMemoryStream;


68. BDA_Head, BDA_Cont: TByteDynArray;


69. begin


70. Result := ‘‘;


71. if not FileExists(AFileName) then


72. raise Exception.Create(‘文件"‘ + AFileName + ‘"不存在‘);


73. iHeadLen := Length(HYMSignature) + HashString_Length;


74. SetLength(BDA_Head, iHeadLen);


75. ms:= TMemoryStream.Create;


76. ms.LoadFromFile(AFileName);


77. fs := TFileStream.Create(AFileName, fmCreate);


78. try


79. ms.Position:= 0;


80. ms.Read(BDA_Head[0], iHeadLen);


81. sContentLength := Byte2String(BDA_Head); //含有长度信息


82. iPos := Pos(HYMSignature, sContentLength);


83. if iPos > 0 then


84. begin


85. //取得长度


86. iContentLen := StrToInt(Copy(sContentLength, Length(HYMSignature) + 1, MaxInt));


87. SetLength(BDA_Cont, iContentLen);


88. ms.Read(BDA_Cont[0], iContentLen);


89. Result := Byte2String(BDA_Cont);


90. //该位置之后的内容为真正需要的


91. fs.CopyFrom(ms, ms.Size - ms.Position); //读取文件内容去除文件头部分


92. fs.Position := 0;


93. end


94. finally


95. ms.Free;


96. fs.Free;


97. end;


98. end;
99. function TDigital_CAPICOM.GetCertficateInfo(


100. var ACertInfo: TStampInfo): Boolean;


101. var


102. iCnt: Integer;


103. begin


104. Result := True;


105. if ICert <> nil then


106. begin


107. ACertInfo.PKAlg := FAlgType;


108. ACertInfo.PKLength := FPKLength;


109. for iCnt := 0 to Length(FPublicKey) - 1 do


110. begin


111. ACertInfo.PKContent[iCnt] := FPublicKey[iCnt + 1];


112. end;


113. ACertInfo.EndDate:= ICert.ValidToDate;


114. ACertInfo.DispachTime:= ICert.ValidFromDate;


115. end


116. else


117. result:= False;


118. end;
119. procedure TDigital_CAPICOM.GetCertificate;


120. var


121. vStore: TStore;


122. iCnt: Integer;


123. IBaseIntf: IInterface;


124. ICert2Dsp: ICertificate2Disp;


125. begin


126. if ICert2 = nil then


127. begin


128. vStore := OpenStore(FStoreName);


129. for iCnt := 1 to vStore.Certificates.Count do


130. begin


131. IBaseIntf := vStore.Certificates.Item[iCnt];


132. try


133. if IBaseIntf.QueryInterface(ICertificate2Disp, ICert2Dsp) = 0


134. then


135. begin


136. //确认硬件是否连接


137. if ICert2Dsp.HasPrivateKey then


138. begin


139. //确认是否为指定CSP提供商


140. if ((FProviderName = CSPProvider_ePass) and


141. ((ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_1K) or


142. (ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_3K)))


143. or (ICert2Dsp.PrivateKey.ProviderName = FProviderName)


144. then


145. begin


146. IBaseIntf.QueryInterface(IID_ICertificate2, ICert2);


147. IBaseIntf.QueryInterface(IID_ICertificate, ICert);


148. FPublicKey:= ICert2Dsp.publickey.EncodedKey.Format(True);


149. FPKLength:= ICert2Dsp.publickey.Length;


150. FAlgType:= ICert2Dsp.publickey.Algorithm.FriendlyName;


151. end;


152. end;


153. end;


154. except


155. //某些不支持CAPICOM的，会出现异常


156. ICert2 := nil;


157. end;


158. end;


159. end;


160. end;
161. function TDigital_CAPICOM.GetStoreByName(AStoreName: string): TStore;


162. var


163. i: integer;


164. begin


165. i := FStoreList.IndexOf(AStoreName);


166. if i >= 0 then


167. result := FStoreList.Objects[i] as Tstore


168. else


169. result := nil;


170. end;
171. function TDigital_CAPICOM.GetThumbPrint: string;


172. begin


173. Result := ‘‘;


174. if ICert <> nil then


175. Result := ICert.Thumbprint;


176. end;
177. function TDigital_CAPICOM.OpenStore(AStoreName: string): TStore;


178. var


179. vStore: TStore;


180. begin


181. vStore := self.GetStoreByName(AStoreName);


182. if vStore = nil then


183. try


184. vStore := TStore.Create(nil);


185. //默认为从CurrenUser读取, 后续可能会是CAPICOM_SMART_CARD_USER_STORE 智能卡


186. vStore.Open(CAPICOM_CURRENT_USER_STORE, AStoreName,


187. CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED or CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED


188. or CAPICOM_STORE_OPEN_EXISTING_ONLY);


189. self.FStoreList.AddObject(AStoreName, vStore);


190. except


191. on E:exception do


192. raise exception.Create(‘无法打开密钥库！‘+E.Message);


193. end;


194. Result := vStore;


195. end;
196. function TDigital_CAPICOM.Pack(const sInPath, sOutPath: string;


197. bOverride: Boolean): Boolean;


198. var


199. EnvelopedData: IEnvelopedData;


200. BUFFER: WideString;


201. FileStm: TFileStream;


202. iP, oP: string;


203. begin


204. ip:= StringReplace(sInPath, ‘\\‘, ‘\‘, [rfReplaceAll]);


205. op:= StringReplace(sOutPath, ‘\\‘, ‘\‘, [rfReplaceAll]);


206. Result := True;


207. EnvelopedData := CoEnvelopedData.Create;


208. //指定采用的CSP算法类型


209. EnvelopedData.Algorithm.Name := Algorithm;


210. //指定加密长度


211. EnvelopedData.Algorithm.KeyLength := EnLength;


212. try


213. //获取证书接口


214. GetCertificate;


215. //目前sInPath是一个文件夹，先压缩，再解密


216. Files2ZipArchive(ip, op, RZipPassWd);


217. //执行签名


218. SignedFile(op, CAPICOM_ENCODE_BASE64);


219. //获取要加密的内容


220. FileStm := TFileStream.Create(sOutPath, fmOpenRead);


221. try


222. Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);


223. FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);


224. EnvelopedData.Content:= Buffer;


225. finally


226. FileStm.Free;


227. end;


228. //基于64位编码加密


229. EnvelopedData.Recipients.Add(ICert2);


230. Buffer:= EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64);


231. //输出加密内容


232. FileStm := TFileStream.Create(sOutPath, fmCreate);


233. try


234. FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));


235. finally


236. FileStm.Free;


237. end;


238. except


239. Result := False;


240. end;


241. end;
242. function TDigital_CAPICOM.SignedFile(const AFileName: string;


243. EncodeType: CAPICOM_ENCODING_TYPE): Boolean;


244. var


245. Signer: ISigner2;


246. SignedData: ISignedData;


247. HashString: string;


248. SignedContent: WideString;


249. begin


250. Result := True;


251. try


252. GetCertificate;


253. //获取文件哈希值


254. HashString:= GetFileHash(AFileName);


255. //构建 签名者


256. Signer := CoSigner.Create;


257. Signer.Certificate := ICert2;


258. //构建 数据签名对象


259. SignedData := CoSignedData.Create;


260. //执行签名


261. SignedData.Content:= HashString;


262. SignedContent := SignedData.Sign(Signer, False, EncodeType);


263. //附加签名信息


264. AppendSignedContent(AFileName, SignedContent);


265. except


266. Result := False;


267. end;


268. end;
269. function TDigital_CAPICOM.Unpack(const sInPath, sOutPath: string;


270. bCreateDirectory: Boolean): Boolean;


271. var


272. EnvelopedData: IEnvelopedData;


273. BUFFER: WideString;


274. FileStm: TFileStream;


275. vDecryptFileName: string;


276. begin


277. Result := True;


278. EnvelopedData := CoEnvelopedData.Create;


279. //指定采用的CSP算法类型


280. EnvelopedData.Algorithm.Name := Algorithm;


281. //指定加密长度


282. EnvelopedData.Algorithm.KeyLength := EnLength;


283. try


284. //获取数字证书接口


285. GetCertificate;


286. //关联证书以解密


287. EnvelopedData.Recipients.Add(ICert2);


288. //获取加密内容


289. FileStm := TFileStream.Create(sInPath, fmOpenRead );


290. try


291. Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);


292. FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);


293. finally


294. FileStm.Free;


295. end;


296. //解密


297. EnvelopedData.Decrypt(Buffer);


298. Buffer:= EnvelopedData.Content;


299. //输出解密内容


300. vDecryptFileName:= sOutPath + ExtractFileName(sInPath);


301. FileStm := TFileStream.Create(vDecryptFileName, fmCreate);


302. try


303. FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));


304. finally


305. FileStm.Free;


306. end;


307. //验证签名


308. VerifySign(vDecryptFileName);


309. //因为有压缩，再解压   ZipArchive2Files


310. ZipArchive2Files(vDecryptFileName, sOutPath, RZipPassWd);


311. DeleteFile(PAnsiChar(vDecryptFileName));


312. except


313. Result := False;


314. end;


315. end;
316. function TDigital_CAPICOM.VerifySign(const AFileName: string): Boolean;


317. var


318. SignedData: ISignedData;


319. HashString: WideString;


320. ASignedContent: string;


321. begin


322. Result := True;


323. try


324. GetCertificate;


325. //先获取签名信息，因为会做信息分离，还原出加上签名前的数据


326. ASignedContent:= ExtractSignedContent(AFileName);


327. //获取文件哈希值


328. HashString:= GetFileHash(AFileName);


329. //构建 数据签名对象


330. SignedData := CoSignedData.Create;


331. SignedData.Content := HashString;


332. //执行检查


333. SignedData.Verify(ASignedContent, False, CAPICOM_VERIFY_SIGNATURE_ONLY);


334. except


335. Result := False;


336. Raise Exception.Create(‘数字签名校验失败！‘);


337. end;


338. end;
339. function TDigital_CAPICOM.VerifyUserAvailable: Boolean;


340. begin


341. Result := False;


342. if (ICert2 <> nil) and ICert2.HasPrivateKey then


343. Result:= True;


344. end;

function TDigital_CAPICOM.AppendSignedContent(const AFileName,

  ASignedContent: string): Boolean;

var

  msSrc, ms1: TMemoryStream;

  iLen: Integer;

  sSignedData, sLength: string;

  BDA: TByteDynArray;

begin

  if not FileExists(AFileName) then

    raise Exception.Create(‘文件"‘ + AFileName + ‘"不存在‘);

  //拼接签名信息

  sLength := IntToStr(Length(ASignedContent));

  sLength := FillChars(sLength, HashString_Length);

  sSignedData := HYMSignature + sLength + ASignedContent;

  BDA:= String2Byte(sSignedData);

  iLen := Length(sSignedData);

msSrc := TMemoryStream.Create;

  ms1 := TMemoryStream.Create;

  try

    msSrc.LoadFromFile(AFileName);

    ms1.Write(BDA[0], iLen); //写入文件头信息

    ms1.Write(msSrc.Memory^, msSrc.Size); //把文件内容附加上

    ms1.SaveToFile(AFileName);

  finally

    ms1.Free;

    msSrc.Free;

  end;

  Result := True;

end;
procedure TDigital_CAPICOM.CloseStore;

var

  vStore: TStore;

  iCnt: Integer;

begin

  try

    for iCnt := 0 to FStoreList.Count - 1 do

    begin

      vStore := TStore(FStoreList.Objects[iCnt]);

      vStore.Disconnect;

    end;

  except

    raise Exception.Create(‘关闭密钥库失败！‘);

  end;

end;
constructor TDigital_CAPICOM.Create(const StoreName, ProviderName: string);

begin

  CoInitialize(nil);

  FProviderName:= ProviderName;

  FStoreName := StoreName;

  FStoreList:= TStringlist.create;

  GetCertificate;

end;
destructor TDigital_CAPICOM.Destroy;

begin

  FStoreList.Free;

  ICert := nil;

  ICert2:= nil;

  CoUninitialize;

  inherited;

end;
function TDigital_CAPICOM.ExtractSignedContent(

  const AFileName: string): string;

var

  fs: TFileStream;

  iHeadLen, iContentLen, iPos: Integer;

  sContentLength: string;

  ms: TMemoryStream;

  BDA_Head, BDA_Cont: TByteDynArray;

begin

  Result := ‘‘;

  if not FileExists(AFileName) then

    raise Exception.Create(‘文件"‘ + AFileName + ‘"不存在‘);

  iHeadLen := Length(HYMSignature) + HashString_Length;

  SetLength(BDA_Head, iHeadLen);

  ms:= TMemoryStream.Create;

  ms.LoadFromFile(AFileName);

  fs := TFileStream.Create(AFileName, fmCreate);

  try

    ms.Position:= 0;

    ms.Read(BDA_Head[0], iHeadLen);

    sContentLength := Byte2String(BDA_Head); //含有长度信息

    iPos := Pos(HYMSignature, sContentLength);

    if iPos > 0 then

    begin

      //取得长度

      iContentLen := StrToInt(Copy(sContentLength, Length(HYMSignature) + 1, MaxInt));

      SetLength(BDA_Cont, iContentLen);

      ms.Read(BDA_Cont[0], iContentLen);

      Result := Byte2String(BDA_Cont);

      //该位置之后的内容为真正需要的

      fs.CopyFrom(ms, ms.Size - ms.Position); //读取文件内容去除文件头部分

      fs.Position := 0;

    end

  finally

    ms.Free;

    fs.Free;

  end;

end;
function TDigital_CAPICOM.GetCertficateInfo(

  var ACertInfo: TStampInfo): Boolean;

var

  iCnt: Integer;

begin

  Result := True;

  if ICert <> nil then

  begin

    ACertInfo.PKAlg := FAlgType;

    ACertInfo.PKLength := FPKLength;

    for iCnt := 0 to Length(FPublicKey) - 1 do

    begin

      ACertInfo.PKContent[iCnt] := FPublicKey[iCnt + 1];

    end;

    ACertInfo.EndDate:= ICert.ValidToDate;

    ACertInfo.DispachTime:= ICert.ValidFromDate;

  end

  else

    result:= False;

end;
procedure TDigital_CAPICOM.GetCertificate;

var

  vStore: TStore;

  iCnt: Integer;

  IBaseIntf: IInterface;

  ICert2Dsp: ICertificate2Disp;

begin

  if ICert2 = nil then

  begin

    vStore := OpenStore(FStoreName);

    for iCnt := 1 to vStore.Certificates.Count do

    begin

      IBaseIntf := vStore.Certificates.Item[iCnt];

      try

        if IBaseIntf.QueryInterface(ICertificate2Disp, ICert2Dsp) = 0

        then

        begin

          //确认硬件是否连接

          if ICert2Dsp.HasPrivateKey then

          begin

            //确认是否为指定CSP提供商

            if ((FProviderName = CSPProvider_ePass) and

                ((ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_1K) or

                 (ICert2Dsp.PrivateKey.ProviderName = CSPProvider_ePass_3K)))

               or (ICert2Dsp.PrivateKey.ProviderName = FProviderName)

            then

            begin

              IBaseIntf.QueryInterface(IID_ICertificate2, ICert2);

              IBaseIntf.QueryInterface(IID_ICertificate, ICert);

              FPublicKey:= ICert2Dsp.publickey.EncodedKey.Format(True);

              FPKLength:= ICert2Dsp.publickey.Length;

              FAlgType:= ICert2Dsp.publickey.Algorithm.FriendlyName;

            end;

          end;

        end;

      except

        //某些不支持CAPICOM的，会出现异常

        ICert2 := nil;

      end;

    end;

  end;

end;
function TDigital_CAPICOM.GetStoreByName(AStoreName: string): TStore;

var

  i: integer;

begin

  i := FStoreList.IndexOf(AStoreName);

  if i >= 0 then

    result := FStoreList.Objects[i] as Tstore

  else

    result := nil;

end;
function TDigital_CAPICOM.GetThumbPrint: string;

begin

  Result := ‘‘;

  if ICert <> nil then

    Result := ICert.Thumbprint;

end;
function TDigital_CAPICOM.OpenStore(AStoreName: string): TStore;

var

  vStore: TStore;

begin

  vStore := self.GetStoreByName(AStoreName);

  if vStore = nil then

  try

    vStore := TStore.Create(nil);

    //默认为从CurrenUser读取, 后续可能会是CAPICOM_SMART_CARD_USER_STORE 智能卡

    vStore.Open(CAPICOM_CURRENT_USER_STORE, AStoreName,

       CAPICOM_STORE_OPEN_MAXIMUM_ALLOWED or CAPICOM_STORE_OPEN_INCLUDE_ARCHIVED

       or CAPICOM_STORE_OPEN_EXISTING_ONLY);

    self.FStoreList.AddObject(AStoreName, vStore);

  except

   on E:exception do

    raise exception.Create(‘无法打开密钥库！‘+E.Message);

  end;

  Result := vStore;

end;
function TDigital_CAPICOM.Pack(const sInPath, sOutPath: string;

  bOverride: Boolean): Boolean;

var

  EnvelopedData: IEnvelopedData;

  BUFFER: WideString;

  FileStm: TFileStream;

  iP, oP: string;

begin

  ip:= StringReplace(sInPath, ‘\\‘, ‘\‘, [rfReplaceAll]);

  op:= StringReplace(sOutPath, ‘\\‘, ‘\‘, [rfReplaceAll]);

  Result := True;

  EnvelopedData := CoEnvelopedData.Create;

  //指定采用的CSP算法类型

  EnvelopedData.Algorithm.Name := Algorithm;

  //指定加密长度

  EnvelopedData.Algorithm.KeyLength := EnLength;

  try

    //获取证书接口

    GetCertificate;

    //目前sInPath是一个文件夹，先压缩，再解密

    Files2ZipArchive(ip, op, RZipPassWd);

    //执行签名

    SignedFile(op, CAPICOM_ENCODE_BASE64);

    //获取要加密的内容

    FileStm := TFileStream.Create(sOutPath, fmOpenRead);

    try

      Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);

      FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);

      EnvelopedData.Content:= Buffer;

    finally

      FileStm.Free;

    end;

    //基于64位编码加密

    EnvelopedData.Recipients.Add(ICert2);

    Buffer:= EnvelopedData.Encrypt(CAPICOM_ENCODE_BASE64);

    //输出加密内容

    FileStm := TFileStream.Create(sOutPath, fmCreate);

    try

      FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));

    finally

      FileStm.Free;

    end;

  except

    Result := False;

  end;

end;
function TDigital_CAPICOM.SignedFile(const AFileName: string;

  EncodeType: CAPICOM_ENCODING_TYPE): Boolean;

var

  Signer: ISigner2;

  SignedData: ISignedData;

  HashString: string;

  SignedContent: WideString;

begin

  Result := True;

  try

    GetCertificate;

    //获取文件哈希值

    HashString:= GetFileHash(AFileName);

    //构建 签名者

    Signer := CoSigner.Create;

    Signer.Certificate := ICert2;

    //构建 数据签名对象

    SignedData := CoSignedData.Create;

    //执行签名

    SignedData.Content:= HashString;

    SignedContent := SignedData.Sign(Signer, False, EncodeType);

    //附加签名信息

    AppendSignedContent(AFileName, SignedContent);

  except

    Result := False;

  end;

end;
function TDigital_CAPICOM.Unpack(const sInPath, sOutPath: string;

  bCreateDirectory: Boolean): Boolean;

var

  EnvelopedData: IEnvelopedData;

  BUFFER: WideString;

  FileStm: TFileStream;

  vDecryptFileName: string;

begin

  Result := True;

  EnvelopedData := CoEnvelopedData.Create;

  //指定采用的CSP算法类型

  EnvelopedData.Algorithm.Name := Algorithm;

  //指定加密长度

  EnvelopedData.Algorithm.KeyLength := EnLength;

  try

    //获取数字证书接口

    GetCertificate;

    //关联证书以解密

    EnvelopedData.Recipients.Add(ICert2);

    //获取加密内容

    FileStm := TFileStream.Create(sInPath, fmOpenRead );

    try

      Pointer(Buffer):= SysAllocStringByteLen (nil, FileStm.Size);

      FileStm.ReadBuffer(Pointer(Buffer)^, FileStm.Size);

    finally

      FileStm.Free;

    end;

    //解密

    EnvelopedData.Decrypt(Buffer);

    Buffer:= EnvelopedData.Content;

    //输出解密内容

    vDecryptFileName:= sOutPath + ExtractFileName(sInPath);

    FileStm := TFileStream.Create(vDecryptFileName, fmCreate);

    try

      FileStm.WriteBuffer(Pointer(Buffer)^, SysStringByteLen(PWideChar(Buffer)));

    finally

      FileStm.Free;

    end;

    //验证签名

    VerifySign(vDecryptFileName);

    //因为有压缩，再解压   ZipArchive2Files

    ZipArchive2Files(vDecryptFileName, sOutPath, RZipPassWd);

    DeleteFile(PAnsiChar(vDecryptFileName));

  except

    Result := False;

  end;

end;
function TDigital_CAPICOM.VerifySign(const AFileName: string): Boolean;

var

  SignedData: ISignedData;

  HashString: WideString;

  ASignedContent: string;

begin

  Result := True;

  try

    GetCertificate;

    //先获取签名信息，因为会做信息分离，还原出加上签名前的数据

    ASignedContent:= ExtractSignedContent(AFileName);

    //获取文件哈希值

    HashString:= GetFileHash(AFileName);

    //构建 数据签名对象

    SignedData := CoSignedData.Create;

    SignedData.Content := HashString;

    //执行检查

    SignedData.Verify(ASignedContent, False, CAPICOM_VERIFY_SIGNATURE_ONLY);

  except

    Result := False;

    Raise Exception.Create(‘数字签名校验失败！‘);

  end;

end;
function TDigital_CAPICOM.VerifyUserAvailable: Boolean;

begin

  Result := False;

  if (ICert2 <> nil) and ICert2.HasPrivateKey then

    Result:= True;

end;

另外，还需要一个管理类，目的是解除依赖，这里就不说明了。

功能的实现，通过google，不论你了解或不了解，都可以得到较多信息，帮助实现。更多的还是在于怎么去设计？怎么让后续的开发人员更容易维护？

这里面有个与证书接口相关的问题，比如在GetCertificate，里面有判断PrivateKey，必须使用Disp接口，直接用ICertificate，会出现地址错误。具体原因，还待查证。有谁知道的，还请你指点指点。谢谢！

delphi实现数字签名,布布扣,bubuko.com