pdfbox-users mailing list archives

From Petr Masopust <petr.masop...@i.cz>
Subject Re: Signatures compatibility between pdfbox 1.8 and 2.0
Date Wed, 28 Jun 2017 12:17:28 GMT
The resulting PDFs with external and classic signing are identical except for 2 
lines at the end with the ID:

/ID [<FE878D62B4B60E4AA6C88609DB9E5ECA> <BBB2BC7BAEB141CFDA5C43A09B21D4C8>]

vs.

/ID [<FE878D62B4B60E4AA6C88609DB9E5ECA> <1033015934024A0B952703781E3A0B8E>]

If the checksum contains all content including the new part with the signature 
(except the signature itself), it is obvious why the checksum fails. Is it possible 
to emulate the addSignature algorithm from pdfbox 1.8.x in the 2.0.x version?

Best regards
Petr Masopust

On 28.6.2017 13:12, Tilman Hausherr wrote:
> On 28.06.2017 at 10:24, Petr Masopust wrote:
>> sign(externalSigning.getContent()) is "called" by the external company 
>> and I have only their result. They also have the original file but I 
>> don't know their exact algorithm. I don't understand how the signature 
>> (or checksum, to be precise) can differ for the same pdf file (and 
>> other parameters like signing time) between different pdfbox versions?
>
> I can't tell without having all the code. You write that it is called 
> but I don't see how. The problem is that to sign one doesn't just need 
> the original file, one needs the signed file with a dummy signature 
> content and then everything except that dummy is used as input for the 
> signature process. If the external company signs independently, you 
> two need to coordinate "calendar.setTimeInMillis(signDate); " .
>
> What you could also try, considering that it worked with 1.8 which had 
> no "external signing" feature, is to use the classic signing in 2.0.6. 
> To use that, you don't call "saveIncrementalForExternalSigning", 
> instead you do this:
>
>                 doc.addSignature(signature, signatureInterface /* not null */, signatureOptions);
>                 doc.saveIncremental(fos); // this will result in a call to signatureInterface.sign()
>                 doc.close();
>                 IOUtils.closeQuietly(signatureOptions);
>
> So whatever was done in the old version with sign() must be done here.
>
>
>
>
> Tilman
>
>>
>> Petr Masopust
>>
>> On 28.6.2017 10:16, Tilman Hausherr wrote:
>>> On 28.06.2017 at 10:11, Petr Masopust wrote:
>>>> Hello,
>>>>
>>>> signatureEncoded is equal to cmsSignature in your code. It is 
>>>> computed by an external company and I don't know how they create it 
>>>> and have no control over their code. But their signature was 
>>>> correctly inserted with pdfbox 1.8.12 and has an invalid checksum with 
>>>> pdfbox 2.0.3.
>>>
>>> But you did not call sign(externalSigning.getContent()), that is the 
>>> problem. So your code leaves it unclear where your signature came 
>>> from, i.e. whether it was calculated from the full PDF minus the 
>>> signature content area.
>>>
>>> Tilman
>>>
>>>
>>>>
>>>> Best regards
>>>> Petr Masopust
>>>>
>>>> On 28.6.2017 10:04, Tilman Hausherr wrote:
>>>>> On 28.06.2017 at 09:55, Petr Masopust wrote:
>>>>>>
>>>>>>                 final ExternalSigningSupport externalSigningSupport =
>>>>>>                         doc.saveIncrementalForExternalSigning(sink);
>>>>>>                 externalSigningSupport.setSignature(signatureEncoded);
>>>>>
>>>>>
>>>>> It's too difficult to read your hex dump. However your code above 
>>>>> looks weird: signatureEncoded is never computed. In the 
>>>>> CreateVisibleSignature sample code, it looks like this:
>>>>>
>>>>>
>>>>>                 ExternalSigningSupport externalSigning =
>>>>>                         doc.saveIncrementalForExternalSigning(fos);
>>>>>                 // invoke external signature service
>>>>>                 byte[] cmsSignature = sign(externalSigning.getContent());
>>>>>                 externalSigning.setSignature(cmsSignature);
>>>>>
>>>>>                 doc.close();
>>>>>
>>>>>                 signatureOptions.close();
>>>>>
>>>>>
>>>>> I strongly recommend starting with the sample code.
>>>>>
>>>>> Tilman
>>>>>
>>>>>
>>>
>>>
>>
>>
>
>


-- 

*Petr Masopust*
Programmer analyst

------------------------------------------------------------------------

*ICZ a.s.*
Na hřebenech II 1718/10
140 00 Praha 4
Czech Republic
www.i.cz

*Tel.:* +420 222 271 578
*GSM:* +420 724 429 623
*Fax:* +420 222 271 112
*E-mail:* petr.masopust@i.cz
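
Added example, not part of the original thread and not PDFBox code: it shows why a CMS signature computed over one incremental save fails to verify in another save whose second /ID element differs, since the signed bytes are everything except the /Contents gap. The PDF-like bytes are constructed, the function names are hypothetical, and SHA-256 is assumed as the digest.

```python
import hashlib
import re

# The three /ID strings are the ones quoted in the message above.
ID_FIRST = b"FE878D62B4B60E4AA6C88609DB9E5ECA"
ID_SAVE_A = b"BBB2BC7BAEB141CFDA5C43A09B21D4C8"
ID_SAVE_B = b"1033015934024A0B952703781E3A0B8E"
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build(second_id, contents_hex):
    """Constructed PDF-like bytes (not a parseable PDF): a signature
    dictionary with /ByteRange and /Contents, then a trailer with /ID."""
    def head(len1, off2, len2):
        return (b"%%PDF-1.4\n1 0 obj\n<< /Type /Sig "
                b"/ByteRange [0 %010d %010d %010d] /Contents " % (len1, off2, len2))
    gap = b"<" + contents_hex + b">"   # the only bytes the signature skips
    tail = (b" >>\nendobj\ntrailer\n<< /ID [<" + ID_FIRST + b"> <"
            + second_id + b">] >>\n%%EOF\n")
    len1 = len(head(0, 0, 0))          # fixed-width numbers keep offsets stable
    return head(len1, len1 + len(gap), len(tail)) + gap + tail

def signed_bytes(pdf):
    """Return the bytes named by /ByteRange, i.e. the file minus /Contents."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    off1, len1, off2, len2 = map(int, m.groups())
    # The two ranges must start at 0, surround one gap and reach end of file.
    if off1 != 0 or len1 > off2 or off2 + len2 != len(pdf):
        raise ValueError("/ByteRange does not cover the file around one gap")
    return pdf[:len1] + pdf[off2:off2 + len2]

def signed_digest(pdf):
    # SHA-256 is an assumption; a real CMS signature names its own digest.
    return hashlib.sha256(signed_bytes(pdf)).hexdigest()

def signature_transferable(signed_over, embedded_in):
    """A CMS blob computed for one save only verifies in another save
    if every byte outside /Contents is identical."""
    return signed_digest(signed_over) == signed_digest(embedded_in)

if __name__ == "__main__":
    dummy, real = b"00" * 16, b"AB" * 16
    save_a = build(ID_SAVE_A, dummy)
    print(signature_transferable(save_a, build(ID_SAVE_A, real)))  # /Contents differs
    print(signature_transferable(save_a, build(ID_SAVE_B, real)))  # /ID differs too
```

Running the same comparison on two real saves of one document shows whether an externally produced signature can be embedded in the second file at all.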

