You must put the smartcard public key in the Java keystore, or in whatever other
keystore is used to verify.

Paulo

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Fionn Ziegler
> Sent: Thursday, October 18, 2007 2:44 PM
> To: itext-questions@lists.sourceforge.net
> Subject: [iText-questions] Certificate failed: Cannot be 
> verified against the KeyStore or the certificate chain
> 
> 
> Hi all,
> I just managed correct signing of a PDF document with an
> external smartcard.
> Now I want to verify it, but I get the following message:
> Certificate failed: Cannot be verified against the KeyStore or the
> certificate chain
> This is a debug from the
> http://itextpdf.sourceforge.net/howtosign.html#howtoverify howtosign
> examples (howtoverify).
> Here is the code for signing:
> 
>     // get certificate
>     X509Certificate tSigningCertificate = Gov2SmartCardHelper.getInstance()
>         .getSignatureX509Certificate();
> 
>     PdfStamper tStamper = PdfStamper.createSignature(tReader, tOutStream, '\0');
>     PdfSignatureAppearance tSignatureAppearance = tStamper.getSignatureAppearance();
> 
>     // set certificate from smartcard to the signed document
>     tSignatureAppearance.setCrypto(null,
>                                    new Certificate[] { tSigningCertificate },
>                                    null,
>                                    PdfSignatureAppearance.WINCER_SIGNED);
> 
>     // Show signature in PDF-File
>     tSignatureAppearance.setVisibleSignature(new Rectangle(100, 100, 400, 130),
>         tReader.getNumberOfPages(), null);
>     tSignatureAppearance.setExternalDigest(new byte[512], new byte[20], "RSA");
>     Calendar cal = Calendar.getInstance();
>     tSignatureAppearance.setSignDate(cal);
>     System.out.println("set SignDate: " + cal.getTime().toLocaleString());
> 
>     tSignatureAppearance.preClose();
> 
>     // Get the bytes from the pdf-document that must be signed.
>     InputStream tInputStream = tSignatureAppearance.getRangeStream();
>     byte tMessagesDigest[] = getMessageDigest(tInputStream);
> 
>     // get signature dictionary from PDF-Document to add an external signature
>     PdfSigGenericPKCS tDocumentSignatureDic = tSignatureAppearance.getSigStandard();
>     tDocumentSignatureDic.setDate(new PdfDate(Calendar.getInstance()));
>     // get content-literal to get the size
>     PdfLiteral tPDFLiteral = (PdfLiteral) tDocumentSignatureDic.get(PdfName.CONTENTS);
>     byte[] tOutBytes = new byte[(tPDFLiteral.getPosLength() - 2) / 2];
> 
>     // Gets actual signing class instance to set external bytes
>     PdfPKCS7 tSigner = tDocumentSignatureDic.getSigner();
> 
>     // get signature from smartcard
>     byte[] tSignedBytes = Gov2SmartCardHelper.getInstance().sign(tMessagesDigest);
> 
>     // set our digest to the signature
>     tSigner.setExternalDigest(tSignedBytes, tMessagesDigest, "RSA");
>     byte[] tFinishedSignature = tSigner.getEncodedPKCS7();
>     // copy
>     System.arraycopy(tFinishedSignature, 0, tOutBytes, 0, tFinishedSignature.length);
> 
>     PdfDictionary tPDFDic = new PdfDictionary();
>     tPDFDic.put(PdfName.CONTENTS, new PdfString(tOutBytes).setHexWriting(true));
>     tSignatureAppearance.close(tPDFDic);
> 
> Here is the verify code:
> 
>   KeyStore kall = PdfPKCS7.loadCacertsKeyStore();
>   PdfReader reader = new PdfReader(aFile);
>   AcroFields af = reader.getAcroFields();
>   ArrayList names = af.getSignatureNames();
>   for (int k = 0; k < names.size(); ++k) {
>      String name = (String)names.get(k);
>      System.out.println("Signature name: " + name);
>      System.out.println("Signature covers whole document: " +
>          af.signatureCoversWholeDocument(name));
>      System.out.println("Document revision: " + af.getRevision(name) + " of "
>          + af.getTotalRevisions());
>      // Start revision extraction
>      FileOutputStream out = new FileOutputStream("revision_" +
>          af.getRevision(name) + ".pdf");
>      byte bb[] = new byte[8192];
>      InputStream ip = af.extractRevision(name);
>      int n = 0;
>      while ((n = ip.read(bb)) > 0)
>         out.write(bb, 0, n);
>      out.close();
>      ip.close();
>      // End revision extraction
>      PdfPKCS7 pk = af.verifySignature(name);
>      Calendar cal = pk.getSignDate();
>      System.out.println("SignDate: " + cal.getTime().toLocaleString());
>      Certificate pkc[] = pk.getCertificates();
>      System.out.println("Subject: " +
>          PdfPKCS7.getSubjectFields(pk.getSigningCertificate()));
>      System.out.println("Document modified: " + !pk.verify());
>      Object fails[] = PdfPKCS7.verifyCertificates(pkc, kall, null, cal);
>      if (fails == null)
>          System.out.println("Certificates verified against the KeyStore");
>      else
>          System.out.println("Certificate failed: " + fails[1]);
>   }
> 
> Output:
> set SignDate: 18.10.2007 15:11:46 correct time!!
> sign data: null - SHA1withRSA
> verify:
> Signature name: Signature1
> Signature covers whole document: true
> Document revision: 1 of 1
> SignDate: 18.10.2007 16:11:46 one hour later, why??
> Subject: {CN=[NKS 05 A 01489], C=[DE]}
> Document modified: false
> Certificate failed: Cannot be verified against the KeyStore or the
> certificate chain
> complete
> 
> Here is some output if I change fails[1] to fails[0]:
> 
> Certificate failed: [
> [
>   Version: V3
>   Subject: OID.0.2.262.1.10.7.20=1 + CN=XXX, C=XXX
>   Signature Algorithm: 1.3.36.3.3.1.2, OID = 1.3.36.3.3.1.2
> 
>   Key:  SunJSSE RSA public key:
>   public exponent:
>     40000081
>   Validity: [From: Mon Jan 10 11:47:17 CET 2005,
>                To: Thu Jan 10 11:47:17 CET 2008]
>   Issuer: OID.XXX=1 + CN=XXXCA 31:PN, O=XXX, C=XXX
>   SerialNumber: [    d45f57]
> 
> Certificate Extensions: 1
> [1]: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>   DigitalSignature
>   Non_repudiation
> ]
> 
> ]
>   Algorithm: [1.3.36.3.3.1.2]
> 
> ]
> 
> 
> 
> What's going wrong? Any tips? The certificate is
> valid! Any kind of help would be appreciated!
> 
> 
> -----
> Thanks,
> Fionn Ziegler hmmm Bier :)
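Paulo's answer worked through as an added example (not code from this thread, from iText, or from the howtosign page). It assumes iText 2.x package names (com.lowagie.text.pdf), and the file name of the issuer's certificate is a placeholder. The entry that has to be in the store is the certificate of the CA that issued the smartcard certificate: verifyCertificates() returns null only when the public key of some certificate entry in the keystore verifies a certificate of the signature's chain, and the chain here holds only the signer's certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.Calendar;
import java.util.List;
import com.lowagie.text.pdf.AcroFields;
import com.lowagie.text.pdf.PdfPKCS7;
import com.lowagie.text.pdf.PdfReader;

public class VerifyWithTrustAnchor {

    // Trust store for verification: the JRE cacerts store the howtoverify
    // example uses, plus the certificate of the CA that issued the smartcard
    // certificate. verifyCertificates() returns null only when the public key
    // of a certificate entry in this store verifies some certificate of the
    // signature's chain, so the entry that is missing here is the issuer.
    static KeyStore trustStoreWith(String issuerCertFile) throws Exception {
        KeyStore ks = PdfPKCS7.loadCacertsKeyStore();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        FileInputStream in = new FileInputStream(issuerCertFile); // assumed path
        try {
            ks.setCertificateEntry("smartcard-issuer-ca", cf.generateCertificate(in));
        } finally {
            in.close();
        }
        return ks;
    }

    // Checks every signature field: the signed byte range must be intact and
    // the chain must end at a trust store entry, evaluated at the signing time.
    static boolean verifyAll(String pdfFile, KeyStore trust) throws Exception {
        AcroFields af = new PdfReader(pdfFile).getAcroFields();
        List names = af.getSignatureNames();
        for (int k = 0; k < names.size(); ++k) {
            String name = (String) names.get(k);
            PdfPKCS7 pk = af.verifySignature(name);
            if (!pk.verify()) {
                return false;                 // signed byte range was altered
            }
            Calendar signDate = pk.getSignDate();
            Object[] fails = PdfPKCS7.verifyCertificates(pk.getCertificates(), trust, null, signDate);
            if (fails != null) {              // fails[0]: certificate, fails[1]: reason
                System.out.println(name + ": " + fails[1]);
                return false;
            }
        }
        return true;
    }
}
```

One caveat from the dump above: the certificate is signed with OID 1.3.36.3.3.1.2 (RSA with RIPEMD160), which the stock JDK providers do not implement, so cert.verify() throws and verifyCertificates() reports the same "Cannot be verified" message even with the right CA in the store unless a provider that supports it (BouncyCastle does) is registered.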


_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions