FWIW - as of Acrobat 9.1, we now use SHA-256 by default.  You may wish to do 
the same...

Leonard

-----Original Message-----
From: Paulo Soares [mailto:[email protected]] 
Sent: Sunday, July 26, 2009 7:04 PM
To: Post all your questions about iText here
Subject: Re: [iText-questions] Is there a way to digitally sign a PDF with 
iText using SHA-256/SHA-384/SHA-512?

The standard filters use SHA-1. You have examples in 
http://itextpdf.sourceforge.net/howtosign.html on how to use other 
algorithms as an external signature.

Paulo
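
A sketch of the external-signature route mentioned above, using SHA-256 with the adbe.pkcs7.detached SubFilter. This is an added example, not code from the thread or from the iText project; it assumes the com.lowagie.text.pdf API of the iText release under discussion, and the class name Sha256DetachedSigner and the RESERVED size are hypothetical.

```java
import com.lowagie.text.pdf.*;
import java.io.*;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Calendar;
import java.util.HashMap;

public class Sha256DetachedSigner { // hypothetical name, for illustration only
    // Bytes reserved for the DER-encoded PKCS#7 (assumed size; raise it for long chains).
    private static final int RESERVED = 15000;

    public static byte[] sign(byte[] pdf, PrivateKey key, Certificate[] chain) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        PdfStamper stp = PdfStamper.createSignature(new PdfReader(pdf), baos, '\0', null, true);
        PdfSignatureAppearance sap = stp.getSignatureAppearance();
        sap.setCrypto(key, chain, null, PdfSignatureAppearance.SELF_SIGNED);

        // Supply our own signature dictionary so none of the fixed-hash
        // PPKLite / PPKMS / VeriSign classes is instantiated.
        PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
        dic.setDate(new PdfDate(sap.getSignDate()));
        sap.setCryptoDictionary(dic);
        HashMap exc = new HashMap();
        exc.put(PdfName.CONTENTS, new Integer(RESERVED * 2 + 2)); // hex digits plus < >
        sap.preClose(exc);

        // Hash the byte ranges covered by the signature with SHA-256.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        InputStream in = sap.getRangeStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
        byte[] hash = md.digest();

        // Build the PKCS#7: the signature is computed over the authenticated attributes.
        Calendar cal = Calendar.getInstance();
        PdfPKCS7 sgn = new PdfPKCS7(key, chain, null, "SHA-256", null, false);
        byte[] attrs = sgn.getAuthenticatedAttributeBytes(hash, cal, null);
        sgn.update(attrs, 0, attrs.length);
        byte[] pkcs7 = sgn.getEncodedPKCS7(hash, cal);
        if (pkcs7.length > RESERVED) throw new IOException("PKCS#7 larger than reserved space");

        // Zero-pad to the reserved size and write it into /Contents.
        byte[] padded = new byte[RESERVED];
        System.arraycopy(pkcs7, 0, padded, 0, pkcs7.length);
        PdfDictionary update = new PdfDictionary();
        update.put(PdfName.CONTENTS, new PdfString(padded).setHexWriting(true));
        sap.close(update);
        return baos.toByteArray();
    }
}
```

The digest name passed to MessageDigest and to PdfPKCS7 must match, and RESERVED must be large enough for the whole certificate chain, otherwise the /Contents placeholder cannot hold the encoded signature.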

----- Original Message ----- 
From: "Tomas García-Merás Capote" <[email protected]>
To: "Lista iText" <[email protected]>
Sent: Sunday, July 26, 2009 9:00 PM
Subject: Re: [iText-questions] Is there a way to digitally sign a PDF 
with iText using SHA-256/SHA-384/SHA-512?



> Why do you need to modify iText classes if in the latest release
> SHA-512/384/256 and RIPEMD are supported?

Nice!

But how (Java)? It seems that when you set the Filter/SubFilter, 
PdfSignatureAppearance instantiates one of the 3 predefined classes:

            if (PdfName.ADOBE_PPKLITE.equals(getFilter()))
                sigStandard = new PdfSigGenericPKCS.PPKLite(getProvider());
            else if (PdfName.ADOBE_PPKMS.equals(getFilter()))
                sigStandard = new PdfSigGenericPKCS.PPKMS(getProvider());
            else if (PdfName.VERISIGN_PPKVS.equals(getFilter()))
                sigStandard = new PdfSigGenericPKCS.VeriSign(getProvider());
            else
                throw new IllegalArgumentException("Unknown filter: " + getFilter());

But all of them use a fixed hash algorithm:

        public PPKLite() {
            super(PdfName.ADOBE_PPKLITE, PdfName.ADBE_X509_RSA_SHA1);
            hashAlgorithm = "SHA1";
            put(PdfName.R, new PdfNumber(65541));
        }

        [...]

        public VeriSign() {
            super(PdfName.VERISIGN_PPKVS, PdfName.ADBE_PKCS7_DETACHED);
            hashAlgorithm = "MD5";
            put(PdfName.R, new PdfNumber(65537));
        }

        [...]

        public PPKMS() {
            super(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1);
            hashAlgorithm = "SHA1";
        }

So... How do I set a different hash algorithm?

I create the signatures with some code like this (keyEntry is a 
PrivateKeyEntry):

  PdfReader pdfReader = new PdfReader(file);
  ByteArrayOutputStream baos = new ByteArrayOutputStream();
  PdfStamper stp = PdfStamper.createSignature(pdfReader, baos, '\0', null, true);
  PdfSignatureAppearance sap = stp.getSignatureAppearance();
  sap.setCrypto(
    keyEntry.getPrivateKey(),
    keyEntry.getCertificateChain(),
    null,
    PdfSignatureAppearance.SELF_SIGNED
  );
  stp.close();

And I save the bytes from "baos" (the ByteArrayOutputStream) to disk as a 
signed PDF file.

AFAIK, a combination of Filter PdfName.ADOBE_PPKLITE and SubFilter 
PdfName.ADBE_X509_RSA_SHA1 or PdfName.ADBE_PKCS7_DETACHED should work with 
SHA-2, but I don't know how to change the default algorithm.

Is there any example anywhere? Can anyone please help?

Thanks a lot!!


> From: [email protected]
> To: [email protected]
> Date: Sun, 26 Jul 2009 14:43:04 +0100
> Subject: Re: [iText-questions] Is there a way to digitally sign a PDF with 
> iText using SHA-256/SHA-384/SHA-512?
>
> Why do you need to modify iText classes if in the latest release
> SHA-512/384/256 and RIPEMD are supported?
>
> Paulo
>
> ----- Original Message ----- 
> From: "Tomas García-Merás Capote"
> To:
> Sent: Sunday, July 26, 2009 1:51 PM
> Subject: [iText-questions] Is there a way to digitally sign a PDF with 
> iText using SHA-256/SHA-384/SHA-512?
>
>
>
> Hello,
>
> I'm trying to modify some iText classes to allow SHA-2 hashes on the
> digital signatures, but Adobe Reader 9.1.2 always finds problems with the
> generated PDF (BER decoding error, etc.), no matter if using iText to
> generate the PKCS#7, inserting an externally generated PKCS#7... Is there an
> easy way for using SHA-512/384/258 on digital signatures with iText? Now
> that it uses a complete BouncyCastle for such things it should be
> possible...
>
> Thx!!


------------------------------------------------------------------------------
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions

Buy the iText book: http://www.1t3xt.com/docs/book.php
Check the site with examples before you ask questions: 
http://www.1t3xt.info/examples/
You can also search the keywords list: http://1t3xt.info/tutorials/keywords/
