pdfbox-users mailing list archives

From Tilman Hausherr <THaush...@t-online.de>
Subject Re: Signatures compatibility between pdfbox 1.8 and 2.0
Date Wed, 28 Jun 2017 12:36:24 GMT
On 28.06.2017 at 14:17, Petr Masopust wrote:
> The resulting PDFs with external and classic signing are identical except 
> for 2 lines at the end with the ID:
>
> /ID [<FE878D62B4B60E4AA6C88609DB9E5ECA> 
> <BBB2BC7BAEB141CFDA5C43A09B21D4C8>]
>
> vs.
>
> /ID [<FE878D62B4B60E4AA6C88609DB9E5ECA> 
> <1033015934024A0B952703781E3A0B8E>]
>
> If the checksum contains all content including the new part with the 
> signature (except the signature itself), it is obvious why the checksum 
> fails. Is it possible to emulate the addSignature algorithm from pdfbox 
> 1.8.x in the 2.0.x version?

If you mean the /ID calculation - you could take the source code (in 
COSWriter.java, search for COSName.ID) and compare / debug and then 
build your own jar file.

If you mean the "addSignature algorithm" - don't know. It's quite 
possible that there are fine differences in the way pdfs are written, 
e.g. the sequence in dictionaries, etc. If the "external party" is 
trying to mirror what you're doing and then passes the signature to you 
- that will be really tricky, if not impossible. It would be better that 
you pass the sequence to sign to this external party, and let them sign it.


Tilman


>
> Best regards
> Petr Masopust
>
> On 28.6.2017 13:12, Tilman Hausherr wrote:
>> On 28.06.2017 at 10:24, Petr Masopust wrote:
>>> sign(externalSigning.getContent()) is "called" by an external company 
>>> and I have only their result. They also have the original file but I 
>>> don't know their exact algorithm. I don't understand how the signature 
>>> (or checksum, to be precise) can differ for the same pdf file (and 
>>> other parameters like signing time) from different pdfbox versions?
>>
>> I can't tell without having all the code. You write that it is called 
>> but I don't see how. The problem is that to sign one doesn't just 
>> need the original file, one needs the signed file with a dummy 
>> signature content and then everything except that dummy is used as 
>> input for the signature process. If the external company signs 
>> independently, you two need to coordinate 
>> "calendar.setTimeInMillis(signDate); " .
>>
>> What you could also try, considering that it worked with 1.8 which 
>> had no "external signing" feature, is to use the classic signing in 
>> 2.0.6. To use that, you don't call 
>> "saveIncrementalForExternalSigning", instead you do this:
>>
>>     doc.addSignature(signature, signatureInterface /* not null */, signatureOptions);
>>     doc.saveIncremental(fos); // this will result in a call to signatureInterface.sign()
>>     doc.close();
>>     IOUtils.closeQuietly(signatureOptions);
>>
>> So whatever was done in the old version with sign() must be done here.
>>
>>
>>
>>
>> Tilman
>>
>>>
>>> Petr Masopust
>>>
>>> On 28.6.2017 10:16, Tilman Hausherr wrote:
>>>> On 28.06.2017 at 10:11, Petr Masopust wrote:
>>>>> Hello,
>>>>>
>>>>> signatureEncoded is equal to cmsSignature in your code. It is 
>>>>> computed by an external company and I don't know how they create it 
>>>>> and have no control over their code. But their signature was 
>>>>> correctly inserted with pdfbox 1.8.12 and has an invalid checksum 
>>>>> with pdfbox 2.0.3.
>>>>
>>>> But you did not call sign(externalSigning.getContent()), that is 
>>>> the problem. So your code leaves it unclear where your signature 
>>>> came from, i.e. whether it was calculated from the full PDF minus 
>>>> the signature content area.
>>>>
>>>> Tilman
>>>>
>>>>
>>>>>
>>>>> Best regards
>>>>> Petr Masopust
>>>>>
>>>>> On 28.6.2017 10:04, Tilman Hausherr wrote:
>>>>>> On 28.06.2017 at 09:55, Petr Masopust wrote:
>>>>>>>
>>>>>>>     final ExternalSigningSupport externalSigningSupport = doc.saveIncrementalForExternalSigning(sink);
>>>>>>>     externalSigningSupport.setSignature(signatureEncoded);
>>>>>>
>>>>>>
>>>>>> It's too difficult to read your hex dump. However your code above 
>>>>>> looks weird: signatureEncoded is never computed. In the 
>>>>>> CreateVisibleSignature sample code, it looks like this:
>>>>>>
>>>>>>
>>>>>>     ExternalSigningSupport externalSigning = doc.saveIncrementalForExternalSigning(fos);
>>>>>>     // invoke external signature service
>>>>>>     byte[] cmsSignature = sign(externalSigning.getContent());
>>>>>>     externalSigning.setSignature(cmsSignature);
>>>>>>     doc.close();
>>>>>>     signatureOptions.close();
>>>>>>
>>>>>>
>>>>>> I strongly recommend to start with the sample code.
>>>>>>
>>>>>> Tilman
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> -- 
>
> *Petr Masopust*
> Programmer analyst
>
> ------------------------------------------------------------------------
>
> *ICZ a.s.*
> Na hřebenech II 1718/10
> 140 00 Praha 4
> Česká republika
> www.i.cz
>
> *Tel.:* +420 222 271 578
> *GSM:* +420 724 429 623
> *Fax:* +420 222 271 112
> *E-mail:* petr.masopust@i.cz
>
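
The question raised in the thread, whether the external party's signature was calculated from the full PDF minus the signature content area, can be checked on a finished file. The following is an added example, not code from the thread or from the PDFBox samples; it assumes PDFBox 2.0.x and a BouncyCastle bcpkix version with generic collections on the classpath, and the class name `ByteRangeDigestCheck` is hypothetical.

```java
import java.io.File;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.util.Arrays;

import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;

// Added diagnostic (hypothetical class name): for every signature in a PDF,
// compare the digest of the bytes covered by /ByteRange with the
// messageDigest attribute the signer placed in the CMS container.
public class ByteRangeDigestCheck {

    public static void main(String[] args) throws Exception {
        File file = new File(args[0]);                     // path to a signed PDF
        byte[] pdf = Files.readAllBytes(file.toPath());
        try (PDDocument doc = PDDocument.load(file)) {     // PDFBox 2.0.x loader
            for (PDSignature sig : doc.getSignatureDictionaries()) {
                System.out.println("ByteRange " + Arrays.toString(sig.getByteRange()));
                // Everything in the file except the /Contents gap.
                byte[] signedContent = sig.getSignedContent(pdf);
                CMSSignedData cms = new CMSSignedData(sig.getContents(pdf));
                for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
                    System.out.println(matches(signer, signedContent)
                            ? "  digest matches: signer hashed exactly these bytes"
                            : "  digest MISMATCH: signer hashed a different byte sequence");
                }
            }
        }
    }

    static boolean matches(SignerInformation signer, byte[] signedContent) throws Exception {
        AttributeTable attrs = signer.getSignedAttributes();
        Attribute md = attrs == null ? null : attrs.get(CMSAttributes.messageDigest);
        if (md == null) {
            throw new IllegalStateException("CMS has no messageDigest signed attribute");
        }
        byte[] expected = ASN1OctetString.getInstance(md.getAttrValues().getObjectAt(0)).getOctets();
        // The JDK providers resolve the common digest OIDs (SHA-1, SHA-256, ...) by OID string.
        byte[] actual = MessageDigest.getInstance(signer.getDigestAlgOID()).digest(signedContent);
        return MessageDigest.isEqual(expected, actual);
    }
}
```

A mismatch on the externally signed file together with a match on the classic-signed one indicates the external party hashed its own serialization, for example one with a different second /ID element, rather than the bytes returned by `externalSigning.getContent()`.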

