[ https://issues.apache.org/jira/browse/PDFBOX-5709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tanmay Sharma updated PDFBOX-5709:
----------------------------------
    Description:
I am trying to do external signing. For that we calculate the hash of the PDF and have it signed by an external trust service provider. Our use case now is that, instead of signing the hash bytes, we need to sign the DER encoding of the signing attributes. But after generating the signed hash and embedding it in the document, we get a "document corrupted" error.

Code of the content signer is
{code:java}
ContentSigner contentSigner = new ContentSigner() {
    private MessageDigest digest = MessageDigest.getInstance("SHA-256");
    // NOTE(review): the stream is created over the same digest that getSignature() updates, so
    // presumably any bytes the caller writes to getOutputStream() are also folded into hashBytes - confirm.
    private OutputStream stream = OutputStreamFactory.createStream(digest);

    @SneakyThrows
    @Override
    public byte[] getSignature() {
        try {
            byte[] b = new byte[4096];
            int count;
            while ((count = inputStream.read(b)) > 0) {
                digest.update(b, 0, count);
            }
            byte[] hashBytes = digest.digest();
            // NOTE(review): this attribute set is built here, independently of whatever signed attributes
            // the surrounding CMS generation (not shown) embeds. The signature validates only if the signed
            // bytes are exactly the DER encoding of the embedded attributes - verify against the caller.
            byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, calendar).getEncoded(ASN1Encoding.DER);
            // NOTE(review): the Base64 of the DER-encoded attributes, not a digest of them, is passed as "hash";
            // whether getSignedHash (not shown) or the remote service hashes it is not visible here - confirm.
            List<String> hash = Arrays.asList(new String(org.bouncycastle.util.encoders.Base64.encode(derEncoded)));
            // NOTE(review): the access token and PIN travel with this call; keep both out of logs and exception messages.
            byte[] signedHash = getSignedHash(hash, cscCredentialOptions.getAuthorizationContext().getAccessToken(), cscCredentialOptions.getCredentialId(), cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);
            return signedHash;
        } catch (Exception e) {
            // NOTE(review): the failure is only logged (message, no stack trace) and no value is returned on
            // this path; a signing error should propagate so that no signature is embedded for it.
            LOG.error(e.getMessage());
        }
    }

    @Override
    public OutputStream getOutputStream() {
        return stream;
    }

    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        // 1.2.840.113549.1.1.11 = sha256WithRSAEncryption
        return new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
    }
};{code}
{code:java}
public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar signingTime) {
    ASN1EncodableVector attribute = new ASN1EncodableVector();
    ASN1EncodableVector v = new ASN1EncodableVector();
    // contentType (1.2.840.113549.1.9.3) = id-data (1.2.840.113549.1.7.1)
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
    v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
    attribute.add(new DERSequence(v));
    v = new ASN1EncodableVector();
    // signingTime (1.2.840.113549.1.9.5), taken from the caller-supplied Calendar
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
    v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
    attribute.add(new DERSequence(v));
    v = new ASN1EncodableVector();
    // messageDigest (1.2.840.113549.1.9.4) = the digest passed in as secondDigest
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
    v.add(new DERSet(new DEROctetString(secondDigest)));
    attribute.add(new DERSequence(v));
    return new DERSet(attribute);
}{code}

  was:
I am trying to do external signing. For that we calculate the hash of the PDF and have it signed by an external trust service provider. Our use case now is that, instead of signing the hash bytes, we need to sign the DER encoding of the signing attributes. But after generating the signed hash and embedding it in the document, we get a "document corrupted" error.

Code of the content signer is
{code:java}
ContentSigner contentSigner = new ContentSigner() {
    private MessageDigest digest = MessageDigest.getInstance("SHA-256");
    private OutputStream stream = OutputStreamFactory.createStream(digest);

    @SneakyThrows
    @Override
    public byte[] getSignature() {
        try {
            byte[] b = new byte[4096];
            int count;
            while ((count = inputStream.read(b)) > 0) {
                digest.update(b, 0, count);
            }
            byte[] hashBytes = digest.digest();
            byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, calendar).getEncoded(ASN1Encoding.DER);
            List<String> hash = Arrays.asList(new String(org.bouncycastle.util.encoders.Base64.encode(derEncoded)));
            byte[] signedHash = getSignedHash(hash, cscCredentialOptions.getAuthorizationContext().getAccessToken(), cscCredentialOptions.getCredentialId(), cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);
            return signedHash;
        } catch (Exception e) {
            LOG.error(e.getMessage());
        }
    }

    @Override
    public OutputStream getOutputStream() {
        return stream;
    }

    @Override
    public AlgorithmIdentifier getAlgorithmIdentifier() {
        return new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
    }
};{code}
{code:java}
public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar signingTime) {
    ASN1EncodableVector attribute = new ASN1EncodableVector();
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
    v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
    attribute.add(new DERSequence(v));
    v = new ASN1EncodableVector();
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
    v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
    attribute.add(new DERSequence(v));
    v = new ASN1EncodableVector();
    v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
    v.add(new DERSet(new DEROctetString(secondDigest)));
    attribute.add(new DERSequence(v));
    boolean haveCrl = false;
    return new DERSet(attribute);
}{code}


> Getting document corrupted while signing hash which has DER encoded signed
> attributes
> -------------------------------------------------------------------------------------
>
>                 Key: PDFBOX-5709
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5709
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>            Reporter: Tanmay Sharma
>            Priority: Critical
>
> I am trying to do external signing. For that we calculate the hash of the PDF
> and have it signed by an external trust service provider. Our use case now is
> that, instead of signing the hash bytes, we need to sign the DER encoding of the
> signing attributes. But after generating the signed hash and embedding it in the
> document, we get a "document corrupted" error.
> Code of the content signer is
> {code:java}
> ContentSigner contentSigner = new ContentSigner() {
>     private MessageDigest digest = MessageDigest.getInstance("SHA-256");
>     private OutputStream stream = OutputStreamFactory.createStream(digest);
>     @SneakyThrows
>     @Override
>     public byte[] getSignature() {
>         try {
>             byte[] b = new byte[4096];
>             int count;
>             while ((count = inputStream.read(b)) > 0) {
>                 digest.update(b, 0, count);
>             }
>             byte[] hashBytes = digest.digest();
>             byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes,
> calendar).getEncoded(ASN1Encoding.DER);
>             List<String> hash = Arrays.asList(new
> String(org.bouncycastle.util.encoders.Base64.encode(derEncoded)));
>             byte[] signedHash = getSignedHash(hash,
> cscCredentialOptions.getAuthorizationContext().getAccessToken(),
> cscCredentialOptions.getCredentialId(),
> cscCredentialOptions.getCredentialAuthParameters().getPin(), signAlgo);
>             return signedHash;
>         } catch (Exception e) {
>             LOG.error(e.getMessage());
>         }
>     }
>     @Override
>     public OutputStream getOutputStream() {
>         return stream;
>     }
>     @Override
>     public AlgorithmIdentifier getAlgorithmIdentifier() {
>         return new AlgorithmIdentifier(new
> ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
>     }
> };{code}
> {code:java}
> public DERSet getAuthenticatedAttributeSet(byte secondDigest[], Calendar
> signingTime) {
>     ASN1EncodableVector attribute = new ASN1EncodableVector();
>     ASN1EncodableVector v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
>     v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
>     attribute.add(new DERSequence(v));
>     v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
>     v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
>     attribute.add(new DERSequence(v));
>     v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
>     v.add(new DERSet(new DEROctetString(secondDigest)));
>     attribute.add(new DERSequence(v));
>     return new DERSet(attribute);
> }{code}
>
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org