[ 
https://issues.apache.org/jira/browse/PDFBOX-5709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tanmay Sharma updated PDFBOX-5709:
----------------------------------
    Description: 
I am trying to do external signing. For that we calculate the hash of the PDF 
and get it signed by an external trust service provider. Now our use case is 
that instead of signing the hash bytes we need to sign the DER encoding of the 
signed attributes. But after generating the signed hash and embedding it in the 
document we get a "document corrupted" error.

Code of content signer is 
{code:java}
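// ContentSigner that delegates the private-key operation to a remote signing service.
//
// NOTE(review): the CMS SignerInfo only verifies if the attribute set signed here is
// byte-for-byte the signedAttrs embedded in the final CMS container. This snippet builds
// its own attribute set; confirm the code that assembles the CMS embeds exactly the same set.
ContentSigner contentSigner = new ContentSigner() {
    // A single digest instance backs both getOutputStream() and the manual read in
    // getSignature(). NOTE(review): if the caller writes to the stream before calling
    // getSignature(), those bytes and the inputStream bytes end up in one hash — confirm
    // that only one of the two sources ever feeds this digest.
    private MessageDigest digest = MessageDigest.getInstance("SHA-256");
    private OutputStream stream = OutputStreamFactory.createStream(digest);

    /**
     * Hashes {@code inputStream} with SHA-256, wraps the hash in the signed-attribute set,
     * DER-encodes that set and submits it (Base64-encoded) to the remote signer.
     *
     * @return the signature bytes returned by {@code getSignedHash}
     * @throws IllegalStateException if hashing, encoding or the remote call fails
     */
    @Override
    public byte[] getSignature() {
        try {
            byte[] b = new byte[4096];
            int count;

            // read() reports end of stream with -1; stopping on 0 could truncate the
            // hashed content and produce a signature over the wrong bytes.
            while ((count = inputStream.read(b)) != -1) {
                digest.update(b, 0, count);
            }
            byte[] hashBytes = digest.digest();

            byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, calendar)
                    .getEncoded(ASN1Encoding.DER);

            // NOTE(review): this sends the DER-encoded attributes themselves, not a digest
            // of them, in a parameter named "hash". Confirm whether the remote service
            // hashes its input or expects SHA-256(derEncoded) here.
            // toBase64String avoids new String(byte[]) and its platform-default charset.
            List<String> hash = Arrays.asList(
                    org.bouncycastle.util.encoders.Base64.toBase64String(derEncoded));

            // The access token and PIN are credentials for the remote key: keep them out
            // of log statements and exception messages.
            byte[] signedHash = getSignedHash(hash,
                    cscCredentialOptions.getAuthorizationContext().getAccessToken(),
                    cscCredentialOptions.getCredentialId(),
                    cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);

            return signedHash;
        } catch (Exception e) {
            // Fail loudly and keep the cause: continuing without a signature would let an
            // empty or invalid signature be embedded in the document.
            throw new IllegalStateException("External signing failed", e);
        }
    }

    /** Returns the stream whose written bytes are fed into the SHA-256 digest. */
    @Override
    public OutputStream getOutputStream() {
        return stream;
    }

    /**
     * Declares the signature algorithm as sha256WithRSAEncryption (1.2.840.113549.1.1.11).
     *
     * NOTE(review): {@code signAlgo} sent to the remote service must describe the same
     * algorithm. This constructor leaves the parameters field absent, whereas RSA signature
     * identifiers conventionally carry an explicit NULL — confirm validators accept it.
     */
    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return new AlgorithmIdentifier(
                new ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
    }
};{code}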
{code:java}
/**
 * Builds the CMS signed-attribute set containing the content-type, signing-time and
 * message-digest attributes.
 *
 * @param secondDigest digest of the signed content, stored as the message-digest value
 * @param signingTime  time recorded in the signing-time attribute (encoded as UTCTime)
 * @return a DER SET holding the three attributes, each as SEQUENCE { OID, SET { value } }
 */
public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar signingTime) {
    // contentType (1.2.840.113549.1.9.3) with value id-data (1.2.840.113549.1.7.1)
    ASN1EncodableVector contentType = new ASN1EncodableVector();
    contentType.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
    contentType.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));

    // signingTime (1.2.840.113549.1.9.5)
    ASN1EncodableVector signingTimeAttr = new ASN1EncodableVector();
    signingTimeAttr.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
    signingTimeAttr.add(new DERSet(new DERUTCTime(signingTime.getTime())));

    // messageDigest (1.2.840.113549.1.9.4): binds the signature to the content hash
    ASN1EncodableVector messageDigest = new ASN1EncodableVector();
    messageDigest.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
    messageDigest.add(new DERSet(new DEROctetString(secondDigest)));

    ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
    signedAttributes.add(new DERSequence(contentType));
    signedAttributes.add(new DERSequence(signingTimeAttr));
    signedAttributes.add(new DERSequence(messageDigest));
    return new DERSet(signedAttributes);
}{code}
 

 

  was:
I am trying to do external signing. For that we use to calculate hash of pdf 
and get it sign using some external trust service provider. Now our use case is 
that instead of signing hash bytes we need to do signing over DER encoding 
signing attributes. But after generating signed hash and embedding it to 
document we are getting document corrupted error.

Code of content signer is 
{code:java}
ContentSigner contentSigner = new ContentSigner() {
private MessageDigest digest = MessageDigest.getInstance("SHA-256");
private OutputStream stream = OutputStreamFactory.createStream(digest);

@SneakyThrows
@Override
public byte[] getSignature() {
try {
byte[] b = new byte[4096];
int count;

while ((count = inputStream.read(b)) > 0) {
digest.update(b, 0, count);
}
byte[] hashBytes = digest.digest();

byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, 
calendar).getEncoded(ASN1Encoding.DER);

List<String> hash = Arrays.asList(new 
String(org.bouncycastle.util.encoders.Base64.encode(derEncoded)));

byte[] signedHash = getSignedHash(hash, 
cscCredentialOptions.getAuthorizationContext().getAccessToken(),
cscCredentialOptions.getCredentialId(), 
cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);

return signedHash;
} catch (Exception e) {
LOG.error(e.getMessage());
}
}

@Override
public OutputStream getOutputStream() {
return stream;
}

@Override
public AlgorithmIdentifier getAlgorithmIdentifier() {
return new AlgorithmIdentifier(new 
ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
}
};{code}
{code:java}
public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar 
signingTime) {
ASN1EncodableVector attribute = new ASN1EncodableVector();
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
attribute.add(new DERSequence(v));
v = new ASN1EncodableVector();
v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
attribute.add(new DERSequence(v));
v = new ASN1EncodableVector();
v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
v.add(new DERSet(new DEROctetString(secondDigest)));
attribute.add(new DERSequence(v));
boolean haveCrl = false;
return new DERSet(attribute);
}{code}
 

 


> Getting document corrupted while signing hash which has DER encoded signed 
> attributes
> -------------------------------------------------------------------------------------
>
>                 Key: PDFBOX-5709
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5709
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>            Reporter: Tanmay Sharma
>            Priority: Critical
>
> I am trying to do external signing. For that we use to calculate hash of pdf 
> and get it sign using some external trust service provider. Now our use case 
> is that instead of signing hash bytes we need to do signing over DER encoding 
> signing attributes. But after generating signed hash and embedding it to 
> document we are getting document corrupted error.
> Code of content signer is 
> {code:java}
> ContentSigner contentSigner = new ContentSigner() {
> private MessageDigest digest = MessageDigest.getInstance("SHA-256");
> private OutputStream stream = OutputStreamFactory.createStream(digest);
> @SneakyThrows
> @Override
> public byte[] getSignature() {
> try {
> byte[] b = new byte[4096];
> int count;
> while ((count = inputStream.read(b)) > 0) {
> digest.update(b, 0, count);
> }
> byte[] hashBytes = digest.digest();
> byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, 
> calendar).getEncoded(ASN1Encoding.DER);
> List<String> hash = Arrays.asList(new 
> String(org.bouncycastle.util.encoders.Base64.encode(derEncoded)));
> byte[] signedHash = getSignedHash(hash, 
> cscCredentialOptions.getAuthorizationContext().getAccessToken(),
> cscCredentialOptions.getCredentialId(), 
> cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);
> return signedHash;
> } catch (Exception e) {
> LOG.error(e.getMessage());
> }
> }
> @Override
> public OutputStream getOutputStream() {
> return stream;
> }
> @Override
> public AlgorithmIdentifier getAlgorithmIdentifier() {
> return new AlgorithmIdentifier(new 
> ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
> }
> };{code}
> {code:java}
> public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar 
> signingTime) {
> ASN1EncodableVector attribute = new ASN1EncodableVector();
> ASN1EncodableVector v = new ASN1EncodableVector();
> v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
> v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
> attribute.add(new DERSequence(v));
> v = new ASN1EncodableVector();
> v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
> v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
> attribute.add(new DERSequence(v));
> v = new ASN1EncodableVector();
> v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
> v.add(new DERSet(new DEROctetString(secondDigest)));
> attribute.add(new DERSequence(v));
> return new DERSet(attribute);
> }{code}
>  
>  


