pdfbox-users mailing list archives

From Diego Azevedo <dazev...@esec.com.br>
Subject Re: PDF Signing, generated PDF Document certification is invalid, using HSM
Date Thu, 25 May 2017 13:37:04 GMT
Hey, Paresh

I had the same problem with a similar workflow, and glancing at your code I
think you did the same as I did before:


   - Grab original PDF
   - add signature dictionary and get the hash
   - discard changes
   - send the hash to client
   - mount CMS package with information returned from client
   - grab original PDF
   - add signature dictionary AND the CMS

This won't work. Adding the same dictionary, with the same information, in
two different moments will create two different PDFs, with different hashes.
The cause is the trailer dictionary. It has an ID entry that will always
change.

If that's really the cause (I only glanced at your code), you have two
workarounds:

   - Change PDFBox to create the same ID in different moments (It uses the
   document itself and I think it also uses "currentTimeInMilis" somewhere)
   - save your PDF with a garbage signature and update it later with the
   CMS




On Thu, May 25, 2017 at 7:42 AM, Paresh Chouhan <pareshchouhan2013@gmail.com> wrote:

> oh I cannot attach the image, see my work flow is something like this
> http://i64.tinypic.com/29v02u.png
> so I am doing the signing on the client and reattaching the signed hash
> that I receive from client.
>
> On Thu, May 25, 2017 at 4:09 PM Paresh Chouhan <
> pareshchouhan2013@gmail.com> wrote:
>
>> On Thu, May 25, 2017 at 3:13 PM Tilman Hausherr <THausherr@t-online.de>
>> wrote:
>>
>>> Am 25.05.2017 um 08:22 schrieb Paresh Chouhan:
>>> > Original PDF : https://www.mediafire.com/?bg9z4c9450v01io
>>> > Signed PDF : https://www.mediafire.com/?fqvnf9mg50pfzjh
>>>
>>> Thanks... I wanted to see the files first because I'm lazy and had hoped
>>> it's some obvious problem in the PDF itself, but it isn't. So I looked
>>> at your code... the signing is quite different than in our example, why
>>> is this so? The "CreateSignatureBase" class has the code to produce the
>>> signature.
>>>
>>> That you mention a HSM isn't really relevant... At work, I'm signing
>>> with a PKI card and all I had to change was getting the keystore.
>>>
>>> Tilman
>>>
>> [image: workflow.png]
>>>
>> --
>> Regards
>> Paresh Chouhan
>> https://github.com/pareshchouhan
>>
> --
> Regards
> Paresh Chouhan
> https://github.com/pareshchouhan
>



-- 
[]'s

Diego Azevedo
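
An added illustration of the hash mismatch this message describes, not code from the thread or from PDFBox: a simplified Python model (not a real PDF; `build_revision`, `contents_span`, `signed_digest` and `embed_cms` are hypothetical names) in which every save gets a fresh trailer `/ID`. It compares hashing a discarded save against a second save with patching the CMS into the placeholder of the file that was kept.

```python
import hashlib
import os
import re

PLACEHOLDER_HEX = 128  # hex digits reserved for the CMS; real files reserve several KB

def build_revision(body):
    """Constructed stand-in for one save: adds a signature dictionary with an
    empty /Contents placeholder and a trailer /ID that differs on every call
    (assumption: random bytes model the changing ID described above)."""
    doc_id = os.urandom(16).hex().encode()
    return (body + b"\n<< /Type /Sig /Contents <" + b"0" * PLACEHOLDER_HEX
            + b"> >>\ntrailer << /ID [<" + doc_id + b">] >>\n%%EOF\n")

def contents_span(pdf):
    """Offsets of the /Contents value, including its < > delimiters."""
    m = re.search(rb"/Contents (<[0-9A-Fa-f]*>)", pdf)
    return m.start(1), m.end(1)

def signed_digest(pdf):
    """SHA-256 over every byte except the /Contents value, which is what the
    signature's ByteRange covers."""
    start, end = contents_span(pdf)
    return hashlib.sha256(pdf[:start] + pdf[end:]).hexdigest()

def embed_cms(pdf, cms):
    """Overwrite the placeholder in place, zero-padded so no offset moves."""
    start, end = contents_span(pdf)
    room = end - start - 2
    hex_cms = cms.hex().encode()
    if len(hex_cms) > room:
        raise ValueError("CMS does not fit in the reserved placeholder")
    return pdf[:start + 1] + hex_cms.ljust(room, b"0") + pdf[end - 1:]

BODY = b"%PDF-1.7\n(constructed sample document body)"
CMS = hashlib.sha256(b"constructed stand-in for the client's CMS").digest()

# Failing workflow: hash one save, discard it, embed into a fresh save.
hashed, resaved = build_revision(BODY), build_revision(BODY)
print("discard and re-add:", signed_digest(hashed) == signed_digest(embed_cms(resaved, CMS)))

# Workaround: keep the saved file and patch the CMS into its placeholder.
kept = build_revision(BODY)
print("patch kept file:   ", signed_digest(kept) == signed_digest(embed_cms(kept, CMS)))
```

The first comparison prints False and the second True; the same check on a real file means hashing the bytes named by the signature's `/ByteRange` before and after the CMS is written.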
