pdfbox-users mailing list archives

From István Viczián <viczian.ist...@gmail.com>
Subject Re: PDF sign and timestamp
Date Sat, 21 Dec 2013 23:05:44 GMT
Hello Thomas,

Thank you for your very detailed answers! It helps me a lot!

I don't work with encrypted documents, so I can upgrade the BC
version to 1.50. The signing and the timestamping works fine!
My solution:
- Using setPreferedSignatureSize method - thank you, thank you :)
- Using CMSSignedDataGenerator (http://www.cryptoworkshop.com/guide/)
- Using TimeStampResponse.getTimeStampToken().getEncoded() instead of
TimeStampResponse.getEncoded()
- Using the hash of the signature to timestamp instead of the digest
of the document. For example:
http://p2p.wrox.com/book-beginning-cryptography-java/76182-problems-while-verifying-embedded-timestamp-signature.html
- Foxit Reader doesn't support BER encoding. You should transcode to DER:

ByteArrayOutputStream baos = new ByteArrayOutputStream();
new DEROutputStream(baos).writeObject(signedData.toASN1Structure());
return baos.toByteArray();

Only one problem left:
- My document is signed, but not certificated. How can I set the
certification level? (Equivalent to
appearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
in iText)
--
Viczián István


2013/12/19 Thomas Chojecki <info@rayman2200.de>:
>
> Quoting István Viczián <viczian.istvan@gmail.com>:
>
>> Hello,
>
> Hi,
>
>
>>
>> I'm trying to sign and timestamp my PDF document.
>> pdfbox 1.8.3
>> bcmail-jdk15on 1.50
>> The signing works fine, the Adobe Acrobat Reader shows the certificate
>> correctly.
>
>
> pdfbox 1.8.3 normally requires bc in the version 1.44. I think newer will
> also work if you do not work with encrypted documents. You can also try to
> work with the pdfbox 2.0.0 snapshot if you need to use bc in version 1.46 or
> newer. The signing code is identical, so you will have the same results with
> 1.8.3 and 2.0.0.
>
> https://repository.apache.org/content/groups/snapshots/org/apache/pdfbox/pdfbox/2.0.0-SNAPSHOT/
>
>
>> Based on the sample app:
>> http://media-nation.de/~rayman2200/PDFBox-SignExample.zip
>
> This example was updated and ported a while ago into the pdfbox-examples.
> You can find it in the svn. Just checkout the src from:
>
> svn checkout http://svn.apache.org/repos/asf/pdfbox/trunk/
>
> But I haven't added any timestamp examples yet.
>
>
>> (But the Foxit Reader not! Signing with other PDF library - you know
>> which - the Foxit Reader shows the certificate right.)
>>
>> But the timestamping does not work. Calling
>> .setSignedAttributeGenerator I don't see any timestamp, the size of
>> the pdf doesn't change.
>
>
> How did you create the timestamp? Which format are you using (RFC3161 works
> for me)? You can also try to do a signature timestamp instead of a content
> timestamp. Maybe the foxit reader does not support content timestamps.
>
>
>> With gen.generate(msg, true); the exception is:
>>
>> java.io.IOException: Can't write signature, not enough space
>>
>> How can I add space for signature?
>
>
> This exception is a good point. So your timestamp was added to the cms
> structure but it was too large to fit into the predefined gap.
>
> You can increase the size with setPreferedSignatureSize(...) inside the
> SignatureOptions. For the right size of the signature you need to
> experiment. A good start is to take the size of the certificates /
> certificate chain you are adding into the signature and all additional
> attributes like the timestamp.
>
>
>>
>> I don't find any example for timestamping pdf. Could you send me one?
>
>
> I don't have any example right now, but you can search the net for creating
> cms signatures with timestamp. I found one for itext
>
> https://www.mail-archive.com/itext-questions@lists.sourceforge.net/msg40287.html
>
> or this one
>
> http://bouncy-castle.1462172.n4.nabble.com/Insert-Time-stamp-into-CMS-Signed-Data-td1464065.html
>
> So try to use unsigned attribute for a signature timestamp or signed
> attribute for a content timestamp.
>
>
>> (I can post my source code, if it is necessary.)
>>
>> Same with BouncyCastle 1.49 with deprecated addSigner method.
>>
>> --
>> Viczián István
>
>
> I hope this will help you a bit. If you have questions, just ask.
>
> Best regards
> Thomas
>
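
The steps listed in the message above (timestamp the hash of the signature value, embed only the TimeStampToken as an unsigned attribute, then DER-encode for the PDF), as an added example that is not code from the thread or from PDFBox. The TsaClient interface, the class and method names, and the choice of SHA-256 are assumptions; the Bouncy Castle calls are those of the 1.50 line.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;
import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;

public class SignatureTimestamper {
    /** Hypothetical transport: posts a DER TimeStampReq to the TSA, returns the raw TimeStampResp. */
    public interface TsaClient { byte[] send(byte[] request) throws Exception; }

    public static byte[] timestampAndEncode(CMSSignedData signed, TsaClient tsa) throws Exception {
        List<SignerInformation> stamped = new ArrayList<SignerInformation>();
        for (Object o : signed.getSignerInfos().getSigners()) {
            SignerInformation signer = (SignerInformation) o;
            // Signature timestamp: the imprint is the hash of the signature value, not of the document.
            byte[] imprint = MessageDigest.getInstance("SHA-256").digest(signer.getSignature());
            TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
            gen.setCertReq(true); // ask the TSA to include its certificate in the token
            TimeStampRequest req = gen.generate(TSPAlgorithms.SHA256, imprint,
                    new BigInteger(64, new SecureRandom())); // random nonce ties response to request
            TimeStampResponse resp = new TimeStampResponse(tsa.send(req.getEncoded()));
            resp.validate(req); // throws if the token does not match nonce, imprint or algorithm
            if (resp.getTimeStampToken() == null) {
                throw new IllegalStateException("TSA returned no token, status " + resp.getStatus());
            }
            // Embed the token only (a CMS ContentInfo), not the whole TimeStampResp with its status.
            ASN1Primitive token = ASN1Primitive.fromByteArray(resp.getTimeStampToken().getEncoded());
            AttributeTable old = signer.getUnsignedAttributes(); // null when none are present
            ASN1EncodableVector attrs = old == null ? new ASN1EncodableVector() : old.toASN1EncodableVector();
            attrs.add(new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, new DERSet(token)));
            stamped.add(SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(attrs)));
        }
        CMSSignedData out = CMSSignedData.replaceSigners(signed, new SignerInformationStore(stamped));
        // DER rather than BER, for readers that reject indefinite-length encoding.
        return out.toASN1Structure().getEncoded(ASN1Encoding.DER);
    }
}
```

The returned byte array is larger than the untimestamped signature, so the reserved signature size has to account for the token as well.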
