From: Michael Lindsay
To: users@pdfbox.apache.org
Subject: Re: HSM Signing
Date: Mon, 2 Oct 2017 17:11:22 -0700
Message-Id: <1DDA009D-5194-463C-A926-8F6B98233585@hellosign.com>
In-Reply-To: <5f81ded7-8797-50bc-d1ca-06db81ac7d32@t-online.de>
References: <5f81ded7-8797-50bc-d1ca-06db81ac7d32@t-online.de>
archived-at: Tue, 03 Oct 2017 00:11:32 -0000

I'm happy to post the code, but I have yet to get it working. The biggest change from the example code appears to be in CreateSignatureBase.sign:

    public byte[] sign(InputStream content) throws IOException
    {
        //TODO this method should be private
        try
        {
            List<Certificate> certList = new ArrayList<>();
            certList.addAll(Arrays.asList(certificateChain));
            Store certs = new JcaCertStore(certList);
            CMSSignedDataGenerator gen = new CMSSignedDataGenerator();

            // This is my hash generation code, I'm presuming that content is the part of the pdf to be signed
            // create hex encoded sha256 message digest
            byte[] sh = MessageDigest.getInstance("SHA-256").digest(IOUtils.toByteArray(content));
            String hexencodedDigest = new BigInteger(1, sh).toString(16);
            hexencodedDigest = hexencodedDigest.toUpperCase();
            final String signedHash = certProvider.signPdfDigest(hexencodedDigest);

            // This is the new code from Paresh
            ContentSigner nonSigner = new ContentSigner()
            {
                @Override
                public byte[] getSignature()
                {
                    try
                    {
                        return Hex.decodeHex(signedHash.toCharArray());
                    }
                    catch (DecoderException e)
                    {
                        e.printStackTrace();
                    }
                    //we can also base64 decode and return (used to be the case, now it isn't)
                    // return Base64.decodeBase64(signedHash);
                    return null;
                }

                @Override
                public OutputStream getOutputStream()
                {
                    return new ByteArrayOutputStream();
                }

                @Override
                public AlgorithmIdentifier getAlgorithmIdentifier()
                {
                    return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption");
                }
            };

            org.bouncycastle.asn1.x509.Certificate cert =
                    org.bouncycastle.asn1.x509.Certificate.getInstance(certificateChain[0].getEncoded());
            JcaSignerInfoGeneratorBuilder sigb =
                    new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
            //ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA256WithRSA").build(privateKey);
            gen.addSignerInfoGenerator(sigb.build(nonSigner, new X509CertificateHolder(cert)));
            gen.addCertificates(certs);
            CMSTypedDataInputStream msg =
                    new CMSTypedDataInputStream(new ByteArrayInputStream("useless_data".getBytes())); // this is never used.
            //CMSProcessableInputStream msg = new CMSProcessableInputStream(content);
            CMSSignedData signedData = gen.generate(msg, false);
            if (tsaClient != null)
            {
                signedData = signTimeStamps(signedData);
            }
            return signedData.getEncoded();
        }
        catch (GeneralSecurityException | CMSException | TSPException | OperatorCreationException e)
        {
            throw new IOException(e);
        }
        catch (SessionExpiredException | TokenExpiredException | CertProviderException e)
        {
            throw new IOException(e);
        }
    }

When I view the pdf, it says my document has been altered or corrupted. Not sure where I'm going wrong. Any help greatly appreciated!

> On Oct 2, 2017, at 2:34 AM, Tilman Hausherr wrote:
>
> Hi,
>
> The 0bin content has expired... if you have something useful to share (and it seems so) please post the entire code here so it will be archived.
>
> Tilman
>
> On 29.09.2017 at 18:58, Paresh Chouhan wrote:
>> that returns the signed value which was signed by external signer @Michael
>> 1. prepareToSign() - to prepare the pdf for signing - this generates the hash and passes it to the client (HSM) for signing (I access the HSM using JS; hashtosign is sent to the JS script)
>> -- ANY AMOUNT OF DELAY BETWEEN THESE STEPS --
>> 2. finishSign() - takes the signed hash value and resumes signing the PDF. (The PDF is kept in memory while this is happening)
>>
>>
>> On Fri, Sep 29, 2017 at 3:12 AM Michael Lindsay wrote:
>>
>>> Hi Paresh,
>>>
>>> Thanks so much for the quick reply and the code snippets. Very helpful indeed.
>>>
>>> A couple of quick questions… There's a reference here to
>>>
>>> final String signedHash = pdfFile.getPdfSignedHash();
>>>
>>> But I can't find where pdfFile is created or what its type is.
>>>
>>> Also, can you share your generateHash method and your PDFSigner class?
>>>
>>> Thanks again,
>>> - Michael
>>>
>>>
>>>
>>>> On Sep 28, 2017, at 5:09 AM, Paresh Chouhan wrote:
>>>> here's the setup for signing
>>>>
>>>> https://0bin.net/paste/1hDByAx4i9dBAoGh#0CCZBX5Il0FHxsuYQUvoe7otY3-tHxtM0Zs9IYqLozG
>>>>
>>>> On Thu, Sep 28, 2017 at 5:35 PM Paresh Chouhan <pareshchouhan2013@gmail.com> wrote:
>>>>
>>>>> Yes, Michael, I wrote that post. It is working well with an HSM:
>>>>>
>>>>> https://0bin.net/paste/iEhbQJm8y-waiV+O#2deRPmaGUdvWwg0iD+htfR4gWm3wmKUe3upyt0+3jRS
>>>>>
>>>>> On Wed, Sep 27, 2017 at 10:19 PM Michael Lindsay wrote:
>>>>>
>>>>>> Hello List!
>>>>>>
>>>>>> I've got an implementation of pdfbox digital signing working fabulously with a self-signed cert based on the examples provided. We are trying to switch over to using an HSM and I can't seem to crack it. I believe from the post here that such a thing is possible:
>>>>>>
>>>>>> https://stackoverflow.com/questions/44196316/pdf-signing-generated-pdf-document-certification-is-invalid-using-external-si
>>>>>>
>>>>>> The signing service provides a signing certificate and OCSP which I need to use to calculate the digest, then pass that along to them for signing with the private key. All of the examples in the documentation assume I have the private key.
>>>>>>
>>>>>> Does anyone here have any example code for calculating and sending a pdf digest to an external service to sign pdfs? Any help would be greatly appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> - Michael
>>>>> --
>>>>> Regards
>>>>> Paresh Chouhan
>>>>> https://github.com/pareshchouhan
>>>>>
>>>> --
>>>> Regards
>>>> Paresh Chouhan
>>>> https://github.com/pareshchouhan
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@pdfbox.apache.org
>>> For additional commands, e-mail: users-help@pdfbox.apache.org
>>>
>> --
>> Regards
>> Paresh Chouhan
>> https://github.com/pareshchouhan
>>
>
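The failure mode in the code above is worth spelling out for anyone wiring an HSM or remote signing service into PDFBox. With the default JcaSignerInfoGeneratorBuilder, BouncyCastle does not sign the PDF bytes directly: it hashes the content into a messageDigest signed attribute, DER-encodes the signed attributes, writes them to the ContentSigner's getOutputStream(), and only then calls getSignature(). The external signer must therefore sign the digest of those attribute bytes, not the digest of the PDF content, and generate() must be fed the real content (feeding it "useless_data" puts the wrong digest into the messageDigest attribute, which is exactly what a PDF viewer reports as "altered or corrupted"). The example below is added here and is not code from the thread, from PDFBox or from any signing provider: it assumes a hypothetical ExternalSigner interface that receives only a SHA-256 digest, stands in for the HSM with a local RSA key that builds the PKCS#1 DigestInfo the way an HSM "sign hash" call does, uses a constructed self-signed certificate and a constructed byte string in place of the PDF byte range, and needs bcprov and bcpkix on the classpath. It then verifies the detached CMS against the original content and against altered content.

```java
import java.io.*;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.*;
import org.bouncycastle.operator.jcajce.*;

/** Added example (not PDFBox or thread code): CMS signing with an external "sign this digest" service. */
public class ExternalCmsSigningDemo {

    /** Hypothetical remote signer interface: it receives only a SHA-256 digest, never the data. */
    interface ExternalSigner {
        byte[] signSha256Digest(byte[] sha256Digest) throws Exception;
    }

    /** Constructed stand-in for the HSM: RSA PKCS#1 v1.5 over a DigestInfo, i.e. what SHA256withRSA yields. */
    static ExternalSigner localHsmStandIn(PrivateKey key) {
        return digest -> {
            byte[] digestInfo = new DigestInfo(
                    new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE), digest).getEncoded();
            Signature raw = Signature.getInstance("NONEwithRSA", "BC"); // raw RSA: no second hashing
            raw.initSign(key);
            raw.update(digestInfo);
            return raw.sign();
        };
    }

    /** ContentSigner that hands the remote signer the digest of what BouncyCastle writes to it. */
    static final class ExternalContentSigner implements ContentSigner {
        private final ByteArrayOutputStream signedAttrs = new ByteArrayOutputStream();
        private final ExternalSigner remote;
        ExternalContentSigner(ExternalSigner remote) { this.remote = remote; }
        @Override public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        }
        // BouncyCastle writes the DER-encoded signed attributes here; always return the same buffer.
        @Override public OutputStream getOutputStream() { return signedAttrs; }
        @Override public byte[] getSignature() {
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(signedAttrs.toByteArray());
                return remote.signSha256Digest(digest); // the signature covers the attributes, not the content
            } catch (Exception e) {
                throw new IllegalStateException("external signing failed", e);
            }
        }
    }

    /** Detached CMS over the real content: BouncyCastle hashes it into the messageDigest attribute. */
    static byte[] signDetached(byte[] content, X509Certificate cert, ExternalSigner remote) throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        JcaSignerInfoGeneratorBuilder sigb =
                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
        gen.addSignerInfoGenerator(sigb.build(new ExternalContentSigner(remote), cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        return gen.generate(new CMSProcessableByteArray(content), false).getEncoded();
    }

    /** Re-attach the content and check every SignerInfo; a digest mismatch surfaces as a CMSException. */
    static boolean verifyDetached(byte[] cms, byte[] content, X509Certificate cert) throws Exception {
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(content), cms);
        for (SignerInformation si : signed.getSignerInfos().getSigners()) {
            try { if (!si.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert))) return false; }
            catch (CMSException e) { return false; } // altered content: messageDigest attribute no longer matches
        }
        return true;
    }

    /** Self-signed certificate for the constructed key; a real setup uses the chain the provider issues. */
    static X509Certificate selfSigned(KeyPair kp) throws Exception {
        X500Name name = new X500Name("CN=constructed test signer");
        Date now = new Date();
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, now, new Date(now.getTime() + 86_400_000L), name, kp.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate()));
        return new JcaX509CertificateConverter().getCertificate(holder);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = selfSigned(kp);

        byte[] content = "constructed stand-in for the PDF byte range".getBytes(StandardCharsets.US_ASCII);
        byte[] cms = signDetached(content, cert, localHsmStandIn(kp.getPrivate()));
        System.out.println("original content verifies: " + verifyDetached(cms, content, cert));
        byte[] altered = "constructed stand-in, changed after signing".getBytes(StandardCharsets.US_ASCII);
        System.out.println("altered content verifies:  " + verifyDetached(cms, altered, cert));
    }
}
```

In a PDFBox SignatureInterface.sign implementation the `content` stream handed to you is the PDF byte range, and the bytes signDetached returns are what go into the signature dictionary's /Contents; the first verification in main succeeds and the second fails, which is the check a viewer performs. Two further points a practitioner should keep in mind: if the round trip to the HSM happens in a separate step, as in Paresh's prepareToSign/finishSign flow, the bytes captured from getOutputStream() are what to hash and send, and the second step must produce byte-identical signed attributes (including the same signingTime), or the returned signature will not match. And encoding a digest with `new BigInteger(1, sh).toString(16)`, as the code above does, silently drops a leading zero byte (and any leading zero nibble), so a digest beginning with 0x00 arrives at the signer one byte short; a fixed-width hex encoder such as the Hex class already used for decoding avoids that.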