pdfbox-users mailing list archives

From Paresh Chouhan <pareshchouhan2...@gmail.com>
Subject Re: PDF Signing, generated PDF Document certification is invalid, using HSM
Date Thu, 25 May 2017 13:59:57 GMT
Hi Diego,
The only thing is I am not discarding changes, so my steps are more like:
   - Grab original PDF
   - add signature dictionary and get the hash
   - send the hash to client
   - Wait for data on Standard Input.
   - Wait for the client to send the signed hash back. This data is then fed
to the paused program, that is, the data is sent to the standard input of the
program
   - add the CMS. :)

On Thu, May 25, 2017 at 7:07 PM Diego Azevedo <dazevedo@esec.com.br> wrote:

> Hey, Paresh
>
> I had the same problem with a similar workflow, and glancing at your code I
> think you did the same as I did before:
>
>
>    - Grab original PDF
>    - add signature dictionary and get the hash
>    - discard changes
>    - send the hash to client
>    - mount CMS package with information returned from client
>    - grab original PDF
>    - add signature dictionary AND the CMS
>
> This won't work. Adding the same dictionary, with the same information, in
> two different moments will create two different PDFs, with different
> hashes.
> The cause is the trailer dictionary. It has an ID entry that will always
> change.
>
> If that's really the cause (I only glanced at your code), you have two
> workarounds:
>
>    - Change PDFbox to create the same ID in different moments (It uses the
>    document itself and I think it also uses "currentTimeInMilis" somewhere)
>    - save your PDF with a garbage signature and update it later with the
>    CMS
>
>
>
>
> On Thu, May 25, 2017 at 7:42 AM, Paresh Chouhan <pareshchouhan2013@gmail.com> wrote:
>
> > oh I cannot attach the image, see my work flow is something like this
> > http://i64.tinypic.com/29v02u.png
> > so I am doing the signing on the client and reattaching the signed hash
> > that I receive from client.
> >
> > On Thu, May 25, 2017 at 4:09 PM Paresh Chouhan <
> > pareshchouhan2013@gmail.com> wrote:
> >
> >> On Thu, May 25, 2017 at 3:13 PM Tilman Hausherr <THausherr@t-online.de>
> >> wrote:
> >>
> >>> On 25.05.2017 at 08:22, Paresh Chouhan wrote:
> >>> > Original PDF : https://www.mediafire.com/?bg9z4c9450v01io
> >>> > Signed PDF : https://www.mediafire.com/?fqvnf9mg50pfzjh
> >>>
> >>> Thanks... I wanted to see the files first because I'm lazy and had hoped
> >>> it's some obvious problem in the PDF itself, but it isn't. So I looked
> >>> at your code... the signing is quite different than in our example, why
> >>> is this so? The "CreateSignatureBase" class has the code to produce the
> >>> signature.
> >>>
> >>> That you mention a HSM isn't really relevant... At work, I'm signing
> >>> with a PKI card and all I had to change was getting the keystore.
> >>>
> >>> Tilman
> >>>
> >> --
> >> Regards
> >> Paresh Chouhan
> >> https://github.com/pareshchouhan
> >>
> > --
> > Regards
> > Paresh Chouhan
> > https://github.com/pareshchouhan
> >
>
>
>
> --
> []'s
>
> Diego Azevedo
>
-- 
Regards
Paresh Chouhan
https://github.com/pareshchouhan
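
Added example, not part of the thread and not PDFBox code: a simplified byte-level model of the workflows discussed above, showing why hashing one serialisation and embedding the CMS in a regenerated one breaks the digest, while reusing the /ID or patching the saved file does not. The skeleton layout, the random /ID (modelling the "ID entry that will always change") and all sample values are assumptions constructed for illustration.

```python
import hashlib
import os

PLACEHOLDER_LEN = 64  # hex digits reserved for the CMS (constructed size)
BODY = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"  # constructed sample
CMS = b"constructed CMS blob"  # stand-in for what the client sends back

def build_skeleton(doc_id: bytes) -> bytes:
    """Body + signature dictionary with a zeroed /Contents + trailer /ID."""
    return (BODY
            + b"<< /Type /Sig /Contents <" + b"0" * PLACEHOLDER_LEN + b"> >>\n"
            + b"trailer << /ID [<" + doc_id.hex().encode() + b">] >>\n%%EOF\n")

def contents_span(pdf: bytes) -> tuple[int, int]:
    """Offsets of the /Contents hex string, angle brackets included."""
    start = pdf.index(b"/Contents <") + len(b"/Contents ")
    return start, pdf.index(b">", start) + 1

def signed_digest(pdf: bytes) -> bytes:
    """SHA-256 over every byte outside the /Contents string (the ByteRange)."""
    start, end = contents_span(pdf)
    return hashlib.sha256(pdf[:start] + pdf[end:]).digest()

def embed_cms(pdf: bytes, cms: bytes) -> bytes:
    """Overwrite the placeholder in place; file length and offsets stay fixed."""
    start, end = contents_span(pdf)
    hexed = cms.hex().encode()
    if len(hexed) > PLACEHOLDER_LEN:
        raise ValueError("CMS does not fit the reserved placeholder")
    return pdf[:start + 1] + hexed.ljust(PLACEHOLDER_LEN, b"0") + pdf[end - 1:]

def regenerate_workflow() -> bool:
    """Hash one serialisation, discard it, embed the CMS in a second one."""
    sent = signed_digest(build_skeleton(os.urandom(16)))
    final = embed_cms(build_skeleton(os.urandom(16)), CMS)
    return sent == signed_digest(final)

def fixed_id_workflow() -> bool:
    """First workaround: both serialisations reuse the same /ID."""
    doc_id = bytes(16)
    sent = signed_digest(build_skeleton(doc_id))
    return sent == signed_digest(embed_cms(build_skeleton(doc_id), CMS))

def keep_and_patch_workflow() -> bool:
    """Second workaround: keep the saved file and patch the CMS in later."""
    saved = build_skeleton(os.urandom(16))
    return signed_digest(saved) == signed_digest(embed_cms(saved, CMS))

if __name__ == "__main__":
    print(regenerate_workflow(), fixed_id_workflow(), keep_and_patch_workflow())
```

Each function returns whether the digest sent to the client still matches the signed bytes of the final file, which is the condition a validator checks before it looks at the certificate.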
