pdfbox-users mailing list archives
From Michael Lindsay <michael.lind...@hellosign.com.INVALID>
Subject Re: HSM Signing
Date Tue, 03 Oct 2017 00:11:22 GMT
I’m happy to post the code, but I have yet to get it working.  The biggest change from the
example code appears to be in CreateSignatureBase.sign


    public byte[] sign(InputStream content) throws IOException
    {
        //TODO this method should be private
        try
        {
            List<Certificate> certList = new ArrayList<>();
            certList.addAll(Arrays.asList(certificateChain));
            Store certs = new JcaCertStore(certList);
            CMSSignedDataGenerator gen = new CMSSignedDataGenerator();

            // This is my hash generation code, I’m presuming that content is the part of the pdf
            // to be signed
            // create hex encoded sha256 message digest
            byte[] sh = MessageDigest.getInstance("SHA-256").digest(IOUtils.toByteArray(content));
            String hexencodedDigest = new BigInteger(1, sh).toString(16);
            hexencodedDigest = hexencodedDigest.toUpperCase();
            final String signedHash = certProvider.signPdfDigest(hexencodedDigest);

            // This is the new code from Paresh
            ContentSigner nonSigner = new ContentSigner() {

                @Override
                public byte[] getSignature() {
                    try {
                        return Hex.decodeHex(signedHash.toCharArray());
                    } catch (DecoderException e) {
                        e.printStackTrace();
                    }
                    //we can also base64 decode and return (used to be the case, now it isn't)
                    //return Base64.decodeBase64(signedHash);
                    return null;
                }

                @Override
                public OutputStream getOutputStream() {
                    return new ByteArrayOutputStream();
                }

                @Override
                public AlgorithmIdentifier getAlgorithmIdentifier() {
                    return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption");
                }
            };

            org.bouncycastle.asn1.x509.Certificate cert = org.bouncycastle.asn1.x509.Certificate.getInstance(certificateChain[0].getEncoded());
            JcaSignerInfoGeneratorBuilder sigb = new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());

            //ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA256WithRSA").build(privateKey);
            gen.addSignerInfoGenerator(sigb.build(nonSigner, new X509CertificateHolder(cert)));
            gen.addCertificates(certs);
            CMSTypedDataInputStream msg = new CMSTypedDataInputStream(new ByteArrayInputStream("useless_data".getBytes()));
            // this is never used.

            //CMSProcessableInputStream msg = new CMSProcessableInputStream(content);
            CMSSignedData signedData = gen.generate(msg, false);
            if (tsaClient != null)
            {
                signedData = signTimeStamps(signedData);
            }
            return signedData.getEncoded();
        }
        catch (GeneralSecurityException | CMSException | TSPException | OperatorCreationException e)
        {
            throw new IOException(e);
        }
        catch (SessionExpiredException | TokenExpiredException | CertProviderException e)
        {
            throw new IOException(e);
        }
    }

When I view the pdf, it says my document has been altered or corrupted.  Not sure where I’m
going wrong.

Any help greatly appreciated!


> On Oct 2, 2017, at 2:34 AM, Tilman Hausherr <THausherr@t-online.de> wrote:
> 
> Hi,
> 
> The 0bin content has expired... if you have something useful to share (and it seems so)
> please post the entire code here so it will be archived.
> 
> Tilman
> 
> Am 29.09.2017 um 18:58 schrieb Paresh Chouhan:
>> that returns the signed value which was signed by external signer @Michael
>> 1. prepareToSign() - to prepare pdf for signing - this generates Hash and
>> pass it to the client (HSM) for signing (I access HSM using JS, hashtosign
>> is sent to JS script)
>> -- ANY AMOUNT OF DELAY BETWEEN THESE STEPS--
>> 2. finishSign() - takes the signed hash value and resumes to sign PDF. (PDF
>> is saved in memory while this is happening)
>> 
>> 
>> On Fri, Sep 29, 2017 at 3:12 AM Michael Lindsay
>> <michael.lindsay@hellosign.com.invalid> wrote:
>> 
>>> Hi Paresh,
>>> 
>>> Thanks so much for the quick reply and the code snippets.  Very helpful
>>> indeed.
>>> 
>>> Couple quick questions…. There’s a reference here to
>>> 
>>> final String signedHash = pdfFile.getPdfSignedHash();
>>> 
>>> But I can’t find where pdfFile is created or what it’s type is.
>>> 
>>> Also, can you share your generateHash method and your PDFSigner class?
>>> 
>>> Thanks again,
>>>  - Michael
>>> 
>>> 
>>> 
>>>> On Sep 28, 2017, at 5:09 AM, Paresh Chouhan <pareshchouhan2013@gmail.com>
>>> wrote:
>>>> here's the setup for signing
>>>> 
>>> https://0bin.net/paste/1hDByAx4i9dBAoGh#0CCZBX5Il0FHxsuYQUvoe7otY3-tHxtM0Zs9IYqLozG
>>>> On Thu, Sep 28, 2017 at 5:35 PM Paresh Chouhan <
>>> pareshchouhan2013@gmail.com>
>>>> wrote:
>>>> 
>>>>> Yes, Michael I wrote that post, It is working well with an HSM,
>>>>> 
>>>>> 
>>> https://0bin.net/paste/iEhbQJm8y-waiV+O#2deRPmaGUdvWwg0iD+htfR4gWm3wmKUe3upyt0+3jRS
>>>>> 
>>>>> On Wed, Sep 27, 2017 at 10:19 PM Michael Lindsay
>>>>> <michael.lindsay@hellosign.com.invalid> wrote:
>>>>> 
>>>>>> Hello List!
>>>>>> 
>>>>>> I’ve got an implementation of pdfbox digital signing working fabulously
>>>>>> with a self-signed cert based on the examples provided.  We are trying to
>>>>>> switch over to using an HSM and I can’t seem to crack it.  I believe from
>>>>>> the post here that such a thing is possible:
>>>>>> 
>>> https://stackoverflow.com/questions/44196316/pdf-signing-generated-pdf-document-certification-is-invalid-using-external-si
>>>>>> 
>>>>>> The signing service provides a signing certificate and ocsp which I need
>>>>>> to use to calculate the digest then pass that along to them for signing
>>>>>> with the private key.  All of the examples in the documentation assume I
>>>>>> have the private key.
>>>>>> 
>>>>>> Does anyone here have any example code for calculating and sending pdf
>>>>>> digest to external service to sign pdfs?  Any help would be greatly
>>>>>> appreciated.
>>>>>> 
>>>>>> Thanks,
>>>>>> - Michael
>>>>> --
>>>>> Regards
>>>>> Paresh Chouhan
>>>>> https://github.com/pareshchouhan
>>>>> 
>>>> --
>>>> Regards
>>>> Paresh Chouhan
>>>> https://github.com/pareshchouhan
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>> 
>>> --
>> Regards
>> Paresh Chouhan
>> https://github.com/pareshchouhan
>> 
> 
> 


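As an added example (not the poster's code and not PDFBox or BouncyCastle project code), here is how a ContentSigner backed by an external signing service has to behave when the signer info carries signed attributes, which is JcaSignerInfoGeneratorBuilder's default: BouncyCastle writes the DER-encoded signed attributes (which themselves contain the content digest) to getOutputStream(), and getSignature() must return the HSM's signature over exactly those bytes; hashing the PDF content separately and signing that hash, while ignoring the stream, yields a signature over the wrong data, which a viewer reports as an altered document. The hsmSignDigest function is a hypothetical adapter and is assumed to return a PKCS#1 v1.5 RSA signature (SHA256withRSA, DigestInfo wrapping done on the HSM side) over the SHA-256 digest it receives.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Function;

import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;

/**
 * ContentSigner whose private-key operation lives in an external service (HSM).
 * With signed attributes enabled, BouncyCastle streams the DER-encoded signed
 * attributes into getOutputStream() and then calls getSignature(); the signature
 * therefore has to cover what was written to that stream, not the PDF content.
 * Use one instance per signature: the buffer is not reset.
 */
public final class ExternalContentSigner implements ContentSigner {
    private final ByteArrayOutputStream toBeSigned = new ByteArrayOutputStream();
    // Hypothetical adapter: SHA-256 digest in, PKCS#1 v1.5 RSA signature out.
    private final Function<byte[], byte[]> hsmSignDigest;

    public ExternalContentSigner(Function<byte[], byte[]> hsmSignDigest) {
        this.hsmSignDigest = hsmSignDigest;
    }

    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        // Must match what the HSM actually produces, or verification fails.
        return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
    }

    /** The very stream BouncyCastle fills is the one getSignature() hashes. */
    @Override
    public OutputStream getOutputStream() {
        return toBeSigned;
    }

    @Override
    public byte[] getSignature() {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(toBeSigned.toByteArray());
            return hsmSignDigest.apply(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

Pass an instance to sigb.build(...) in place of nonSigner; if the HSM client speaks hex strings as signPdfDigest does in the thread, the adapter hex-encodes the digest and hex-decodes the returned signature. The content handed to gen.generate(...) must also be the real PDF byte-range stream (as in the commented-out CMSProcessableInputStream line), because the messageDigest signed attribute is computed over that content, not over the signer's stream.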

