pdfbox-users mailing list archives

From István Viczián <viczian.ist...@gmail.com>
Subject Re: PDF sign and timestamp
Date Fri, 27 Dec 2013 16:03:01 GMT
Hi,

If someone is interested, here is a working sample application for
signing and timestamping (!!!) PDF with PDFBox:

https://github.com/vicziani/jtechlog-signpdf/tree/master/jtechlog-signpdf-pdfbox/src/main/java/jtechlog/signpdf

--
Viczián István


2013/12/22 István Viczián <viczian.istvan@gmail.com>:
> Hello Thomas,
>
> Thank you for your very detailed answers! It helps me a lot!
>
> I don't work with encrypted documents, so I can upgrade the BC
> version to 1.50. The signing and the timestamping works fine!
> My solution:
> - Using setPreferedSignatureSize method - thank you, thank you :)
> - Using CMSSignedDataGenerator (http://www.cryptoworkshop.com/guide/)
> - Using TimeStampResponse.getTimeStampToken().getEncoded() instead of
> TimeStampResponse.getEncoded()
> - Using the hash of the signature to timestamp instead of the digest
> of the document. For example:
> http://p2p.wrox.com/book-beginning-cryptography-java/76182-problems-while-verifying-embedded-timestamp-signature.html
> - Foxit Reader doesn't support BER encoding. You should transcode to DER:
>
> ByteArrayOutputStream baos = new ByteArrayOutputStream();
> new DEROutputStream(baos).writeObject(signedData.toASN1Structure());
> return baos.toByteArray();
>
> Only one problem left:
> - My document is signed, but not certified. How can I set the
> certification level? (Equivalent to
> appearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
> in iText)
> --
> Viczián István
>
>
> 2013/12/19 Thomas Chojecki <info@rayman2200.de>:
>>
>> Quoting István Viczián <viczian.istvan@gmail.com>:
>>
>>> Hello,
>>
>> Hi,
>>
>>
>>>
>>> I'm trying to sign and timestamp my PDF document.
>>> pdfbox 1.8.3
>>> bcmail-jdk15on 1.50
>>> The signing works fine, the Adobe Acrobat Reader shows the certificate
>>> correctly.
>>
>>
>> pdfbox 1.8.3 normally requires bc in the version 1.44. I think newer will
>> also work if you do not work with encrypted documents. You can also try to
>> work with the pdfbox 2.0.0 snapshot if you need to use bc in version 1.46 or
>> newer. The signing code is identical, so you will have the same results with
>> 1.8.3 and 2.0.0.
>>
>> https://repository.apache.org/content/groups/snapshots/org/apache/pdfbox/pdfbox/2.0.0-SNAPSHOT/
>>
>>
>>> Based on the sample app:
>>> http://media-nation.de/~rayman2200/PDFBox-SignExample.zip
>>
>> This example was updated and ported a while ago into the pdfbox-examples.
>> You can find it in the svn. Just checkout the src from:
>>
>> svn checkout http://svn.apache.org/repos/asf/pdfbox/trunk/
>>
>> But I haven't added any timestamp examples yet.
>>
>>
>>> (But the Foxit Reader not! Signing with other PDF library - you know
>>> which - the Foxit Reader shows the certificate right.)
>>>
>>> But the timestamping does not work. Calling
>>> .setSignedAttributeGenerator I don't see any timestamp, the size of
>>> the pdf doesn't change.
>>
>>
>> How did you create the timestamp? Which format are you using (RFC3161 works
>> for me)? You can also try to do a signature timestamp instead of a content
>> timestamp. Maybe the foxit reader does not support content timestamps.
>>
>>
>>> With gen.generate(msg, true); the exception is:
>>>
>>> java.io.IOException: Can't write signature, not enough space
>>>
>>> How can I add space for signature?
>>
>>
>> This exception is a good point. So your timestamp was added to the cms
>> structure but it was too large to fit into the predefined gap.
>>
>> You can increase the size with setPreferedSignatureSize(...) inside the
>> SignatureOptions. For the right size of the signature you need to
>> experiment. A good start is to take the size of the certificates /
>> certificate chain you are adding into the signature and all additional
>> attributes like the timestamp.
>>
>>
>>>
>>> I don't find any example for timestamping pdf. Could you send me one?
>>
>>
>> I don't have any example right now, but you can search the net for creating
>> cms signatures with timestamp. I found one for itext
>>
>> https://www.mail-archive.com/itext-questions@lists.sourceforge.net/msg40287.html
>>
>> or this one
>>
>> http://bouncy-castle.1462172.n4.nabble.com/Insert-Time-stamp-into-CMS-Signed-Data-td1464065.html
>>
>> So try to use unsigned attribute for a signature timestamp or signed
>> attribute for a content timestamp.
>>
>>
>>> (I can post my source code, if it is necessary.)
>>>
>>> Same with BouncyCastle 1.49 with deprecated addSigner method.
>>>
>>> --
>>> Viczián István
>>
>>
>> I hope this will help you a bit. If you have questions, just ask.
>>
>> Best regards
>> Thomas
>>
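
The signature-timestamp steps discussed in this thread, put together as an added example (not part of the original messages and not taken from the linked repository). It assumes Bouncy Castle (bcpkix/bcmail 1.50 or later) on the classpath; the class name `SignatureTimestamper`, the `tsaUrl` parameter and the choice of SHA-256 for the imprint are assumptions of this sketch.

```java
import java.io.*;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Collections;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.*;
import org.bouncycastle.tsp.*;

public class SignatureTimestamper {
    /** Adds an RFC 3161 signature timestamp to the first signer; returns the CMS as DER. */
    public static byte[] timestamp(CMSSignedData signedData, URL tsaUrl) throws Exception {
        SignerInformation signer =
            (SignerInformation) signedData.getSignerInfos().getSigners().iterator().next();
        // The imprint is the hash of the signature value, not the digest of the document.
        byte[] imprint = MessageDigest.getInstance("SHA-256").digest(signer.getSignature());
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        gen.setCertReq(true); // ask the TSA to include its certificate in the token
        TimeStampRequest req = gen.generate(TSPAlgorithms.SHA256, imprint,
            new BigInteger(64, new SecureRandom())); // random nonce ties response to request

        HttpURLConnection con = (HttpURLConnection) tsaUrl.openConnection();
        con.setDoOutput(true);
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/timestamp-query");
        try (OutputStream out = con.getOutputStream()) { out.write(req.getEncoded()); }
        TimeStampResponse resp;
        try (InputStream in = con.getInputStream()) { resp = new TimeStampResponse(in); }
        resp.validate(req); // throws TSPException if nonce or imprint do not match the request
        TimeStampToken token = resp.getTimeStampToken();
        if (token == null) throw new IOException("TSA returned no token, status " + resp.getStatus());
        // Embed the token only (not the whole response) as an unsigned attribute of the signer.
        AttributeTable old = signer.getUnsignedAttributes();
        ASN1EncodableVector attrs = old == null ? new ASN1EncodableVector() : old.toASN1EncodableVector();
        attrs.add(new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken,
            new DERSet(ASN1Primitive.fromByteArray(token.getEncoded()))));
        SignerInformation stamped =
            SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(attrs));
        CMSSignedData result = CMSSignedData.replaceSigners(signedData,
            new SignerInformationStore(Collections.singletonList(stamped)));
        // Re-encode as DER, since some readers reject BER-encoded signatures.
        return result.toASN1Structure().getEncoded(ASN1Encoding.DER);
    }
}
```

The returned bytes are larger than the untimestamped signature, so the space reserved with `setPreferedSignatureSize(...)` has to cover the token and the TSA certificates it carries.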
