I suggest you do a bit of research on how to validate X.509 signatures; you need the whole certificate chain in Java (BC) to validate the (math) signature and the certificate itself.
--- Fionn Ziegler <[EMAIL PROTECTED]> wrote:
>
> Hi all,
> I just managed correct signing for a PDF document with an external smartcard.
> Now I want to verify it, but I get the following message:
>
> Certificate failed: Cannot be verified against the KeyStore or the certificate chain
>
> This is a debug from the http://itextpdf.sourceforge.net/howtosign.html#howtoverify
> howtosign examples (howtoverify).
> Here is the code for signing:
>
>     // get certificate
>     X509Certificate tSigningCertificate = Gov2SmartCardHelper.getInstance()
>             .getSignatureX509Certificate();
>
>     PdfStamper tStamper = PdfStamper.createSignature(tReader, tOutStream, '\0');
>     PdfSignatureAppearance tSignatureAppearance = tStamper.getSignatureAppearance();
>
>     // set certificate from smartcard to the signed document
>     tSignatureAppearance.setCrypto(null,
>             new Certificate[] { tSigningCertificate },
>             null,
>             PdfSignatureAppearance.WINCER_SIGNED);
>
>     // Show signature in PDF file
>     tSignatureAppearance.setVisibleSignature(new Rectangle(100, 100, 400, 130),
>             tReader.getNumberOfPages(), null);
>     tSignatureAppearance.setExternalDigest(new byte[512], new byte[20], "RSA");
>     Calendar cal = Calendar.getInstance();
>     tSignatureAppearance.setSignDate(cal);
>     System.out.println("set SignDate: " + cal.getTime().toLocaleString());
>
>     tSignatureAppearance.preClose();
>
>     // Get the bytes from the PDF document that must be signed.
>     InputStream tInputStream = tSignatureAppearance.getRangeStream();
>     byte tMessagesDigest[] = getMessageDigest(tInputStream);
>
>     // get signature dictionary from PDF document to add an external signature
>     PdfSigGenericPKCS tDocumentSignatureDic = tSignatureAppearance.getSigStandard();
>     tDocumentSignatureDic.setDate(new PdfDate(Calendar.getInstance()));
>     // get content literal to get the size
>     PdfLiteral tPDFLiteral = (PdfLiteral) tDocumentSignatureDic.get(PdfName.CONTENTS);
>     byte[] tOutBytes = new byte[(tPDFLiteral.getPosLength() - 2) / 2];
>
>     // Gets actual signing class instance to set external bytes
>     PdfPKCS7 tSigner = tDocumentSignatureDic.getSigner();
>
>     // get signature from smartcard
>     byte[] tSignedBytes = Gov2SmartCardHelper.getInstance().sign(tMessagesDigest);
>
>     // set our digest to the signature
>     tSigner.setExternalDigest(tSignedBytes, tMessagesDigest, "RSA");
>     byte[] tFinishedSignature = tSigner.getEncodedPKCS7();
>     // copy
>     System.arraycopy(tFinishedSignature, 0, tOutBytes, 0, tFinishedSignature.length);
>
>     PdfDictionary tPDFDic = new PdfDictionary();
>     tPDFDic.put(PdfName.CONTENTS, new PdfString(tOutBytes).setHexWriting(true));
>     tSignatureAppearance.close(tPDFDic);
>
> Here the verify code:
>
>     KeyStore kall = PdfPKCS7.loadCacertsKeyStore();
>     PdfReader reader = new PdfReader(aFile);
>     AcroFields af = reader.getAcroFields();
>     ArrayList names = af.getSignatureNames();
>     for (int k = 0; k < names.size(); ++k) {
>         String name = (String) names.get(k);
>         System.out.println("Signature name: " + name);
>         System.out.println("Signature covers whole document: "
>                 + af.signatureCoversWholeDocument(name));
>         System.out.println("Document revision: " + af.getRevision(name)
>                 + " of " + af.getTotalRevisions());
>         // Start revision extraction
>         FileOutputStream out = new FileOutputStream("revision_" + af.getRevision(name) + ".pdf");
>         byte bb[] = new byte[8192];
>         InputStream ip = af.extractRevision(name);
>         int n = 0;
>         while ((n = ip.read(bb)) > 0)
>             out.write(bb, 0, n);
>         out.close();
>         ip.close();
>         // End revision extraction
>         PdfPKCS7 pk = af.verifySignature(name);
>         Calendar cal = pk.getSignDate();
>         System.out.println("SignDate: " + cal.getTime().toLocaleString());
>         Certificate pkc[] = pk.getCertificates();
>         System.out.println("Subject: "
>                 + PdfPKCS7.getSubjectFields(pk.getSigningCertificate()));
>         System.out.println("Document modified: " + !pk.verify());
>         Object fails[] = PdfPKCS7.verifyCertificates(pkc, kall, null, cal);
>         if (fails == null)
>             System.out.println("Certificates verified against the KeyStore");
>         else
>             System.out.println("Certificate failed: " + fails[1]);
>     }
>
> Output:
>
> set SignDate: 18.10.2007 15:11:46        correct time!!
> sign data: null - SHA1withRSA
> verify:
> Signature name: Signature1
> Signature covers whole document: true
> Document revision: 1 of 1
> SignDate: 18.10.2007 16:11:46            one hour later, why??
> Subject: {CN=[NKS 05 A 01489], C=[DE]}
> Document modified: false
> Certificate failed: Cannot be verified against the KeyStore or the certificate chain
> complete
>
> Here some output if I change fails[1] to fails[0]:
>
> Certificate failed: [
> [
>   Version: V3
>   Subject: OID.0.2.262.1.10.7.20=1 + CN=XXX, C=XXX
>   Signature Algorithm: 1.3.36.3.3.1.2, OID = 1.3.36.3.3.1.2
>
>   Key:  SunJSSE RSA public key:
>   public exponent:
>     40000081
>   modulus:
>     88d3add9 053cac58 5a244d21 d271cc6d 3e09ad46 40820d9b 7df9586c 1b67ad43
>     02b10008 b4f60f45 ec1350aa 61c3b35b 09a12d89 cb51329e c685dd08 c92fac69
>     0215958c 2507d7ff 4195a100 4d4a596e 019250f4 4be23704 0e9dba18 faad3530
>     9ae56878 57a35f6d 71c590f3 cb31f2f0 1589cbc2 eaa11081 8e07fb46 360d9b9f
>   Validity: [From: Mon Jan 10 11:47:17 CET 2005,
>                To: Thu Jan 10 11:47:17 CET 2008]
>   Issuer: OID.XXX=1 + CN=XXXCA 31:PN, O=XXX, C=XXX
>   SerialNumber: [    d45f57]
>
> Certificate Extensions: 1
> [1]: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>   DigitalSignature
>   Non_repudiation
> ]
>
> ]
>   Algorithm: [1.3.36.3.3.1.2]
>   Signature:
> 0000: 3B 3A EB 12 85 AF 0B 64 2E 5A A1 73 D7 AC 7A A6  ;:.....d.Z.s..z.
> 0010: F3 87 C9 63 BD 6A 5A 68 55 8C D4 CD 57 F4 9B 09  ...c.jZhU...W...
> 0020: 86 AA 48 66 3C CF 7F 09 B4 FD 98 CC D2 D4 49 36  ..Hf<.........I6
> 0030: 26 C1 D7 09 BA 70 30 A5 AF D0 F2 73 40 80 25 4D  &....p0....s@.%M
> 0040: 35 3C 27 20 7A BE E5 6D C1 4B 03 AA DA F5 37 49
>
> === message truncated ===

_______________________________________________
iText-questions mailing list
https://lists.sourceforge.net/lists/listinfo/itext-questions
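The reply's point, that the verifier needs the whole chain and not just the card's end-entity certificate, can be reproduced outside iText. The following is an added example, not code from this thread or from the iText project: a standalone Java program that performs the same PKIX path validation against the trusted entries of a KeyStore that PdfPKCS7.verifyCertificates() relies on. It assumes the certificates are available as DER or PEM files and the trust store is a JKS file with the trusted root as a certificate entry; the class name ChainCheck and the helpers validateChain and loadCert are names chosen for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/**
 * Example (not iText code): PKIX path validation of the certificates found
 * in a PDF signature, against the trusted entries of a KeyStore. Running the
 * check directly shows why a lone end-entity certificate is rejected.
 */
public class ChainCheck {

    /**
     * Validates chain (end-entity first, the order PdfPKCS7.getCertificates()
     * returns) as of signingTime. Returns the trust anchor that terminated the
     * path, or throws CertPathValidatorException with the reason.
     */
    public static X509Certificate validateChain(Certificate[] chain, KeyStore trustStore,
                                                Date signingTime) throws Exception {
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        for (Certificate c : chain) {
            path.add((X509Certificate) c);
        }
        // RFC 5280 path validation takes the trust anchor from the trust store,
        // not from the path, so a self-signed root at the end is dropped here.
        while (!path.isEmpty()) {
            X509Certificate last = path.get(path.size() - 1);
            if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                break;
            }
            path.remove(path.size() - 1);
        }
        if (path.isEmpty()) {
            throw new IllegalArgumentException("no end-entity certificate in chain");
        }

        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        // Trust anchors = every trusted-certificate entry in the KeyStore
        // (for iText, the JRE cacerts file that loadCacertsKeyStore() reads).
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setDate(signingTime);        // check validity at the claimed signing time
        params.setRevocationEnabled(false); // no CRL/OCSP data here; enable for real use

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(certPath, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    /** Loads one DER or PEM encoded X.509 certificate from a file. */
    public static X509Certificate loadCert(String file) throws Exception {
        InputStream in = new FileInputStream(file);
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /**
     * Usage: java ChainCheck truststore.jks password leaf.cer [intermediate.cer ...]
     * Passing only leaf.cer reproduces the "cannot be verified" outcome; adding
     * the issuing CA certificates, with their root present as a trusted entry
     * in the truststore, makes the path validate.
     */
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        Certificate[] chain = new Certificate[args.length - 2];
        for (int i = 2; i < args.length; i++) {
            chain[i - 2] = loadCert(args[i]);
        }
        try {
            X509Certificate anchor = validateChain(chain, ks, new Date());
            System.out.println("Chain valid, anchored at: " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position of the offending certificate in the path (-1 if none)
            System.out.println("Chain rejected at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

Applied to the signing code quoted above: setCrypto() is given new Certificate[] { tSigningCertificate }, so the PKCS#7 carries only the card's certificate and pk.getCertificates() at verification time returns that single certificate, whose issuer (CN=XXXCA 31:PN) is neither in the path nor a trusted entry in cacerts. Passing the full chain to setCrypto(), i.e. the leaf followed by its issuing CA certificates, and having the chain's root as a trusted entry in the KeyStore that loadCacertsKeyStore() returns, are the two conditions under which verifyCertificates() returns null.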
