Hi Leonard,
Thanks for your answer. I'll review my code and I'll tell you if I have
succeeded.
Regards,
On Thu, Feb 25, 2010 at 6:15 PM, Leonard Rosenthol <[email protected]> wrote:
> Here is what one of our signature engineers had to say:
>
>
>
> I see several problems.
> 1. /VRI dict for the signature DOES NOT CONTAIN /TS entry which specifies
> the timestamp. So, no wonder that Acrobat does not find the timestamp.
> 2. /VRI dict does not contain /TU entry either. One of the two (/TS or /TU)
> needs to be there but this is not mandatory.
> 3. When I open this PDF Acrobat cannot build the chain (it shows only
> end-entity in the Certificate Viewer) even though there is /Certs entry in
> /DSS. It looks like certs are not properly encoded but I did not look into
> that in detail.
> 4. /VRI dict contains only one VRI entry, presumably, for the main
> signature. It should also contain VRI entries for CRLs. This is not
> mandatory but their absence defeats the purpose of DSS. For the real LTV it
> needs to contain LTV info for ALL signed signature components.
>
>
> Hope that helps!
>
>
>
> *From:* Albert Ciffone [mailto:[email protected]]
> *Sent:* Thursday, February 25, 2010 11:41 AM
> *To:* Post all your questions about iText here; Leonard Rosenthol
> *Subject:* Re: [iText-questions] PAdES-LTV
>
>
>
> Hi Leonard,
>
>
>
> I create the DSS structure correctly, and Acrobat recognizes this part. I
> have the problem when I try to sign the document and DSS structure with a
> timestamp. The code that I posted was not correct, so forget it. Anyway, I
> think that now I have a correct PAdES-LTV, but Acrobat does not recognize the
> timestamp (I'm using Acrobat version 9.3.0). I post the PDF sample.
>
>
>
> Thanks in advance,
>
>
>
> On Wed, Feb 24, 2010 at 6:30 PM, Leonard Rosenthol <[email protected]>
> wrote:
>
> I’m confused. Are you creating DSS or are you creating a document
> timestamp signature?
>
>
>
> Can you post an actual PDF sample?
>
>
>
> Leonard
>
>
>
> *From:* Albert Ciffone [mailto:[email protected]]
> *Sent:* Wednesday, February 24, 2010 4:45 AM
> *To:* [email protected]
> *Subject:* [iText-questions] PAdES-LTV
>
>
>
> Hi,
>
>
>
> I'm trying to make a PAdES-LTV with iText, but I'm not sure that the
> generated timestamp which signs the whole document (first revision with
> original signature and DSS structure which contains certificate and
> revocation data) is correct, because Adobe can't recognize it. To make this
> timestamp I'm using the class PdfSignerDemo that I found on this list, with a
> few modifications. The code is shown below:
>
>
>
> PdfSigner
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> import java.io.ByteArrayInputStream;
> import java.io.InputStream;
> import java.util.HashMap;
> // iText classes (PdfStamper, PdfSignatureAppearance, PdfSignature, PdfPKCS7,
> // TSAClient, PdfName, PdfNumber, PdfString, PdfDictionary, Rectangle) come
> // from com.lowagie.text[.pdf] in iText 2.x or com.itextpdf.text[.pdf] in
> // iText 5.x. PdfTimeStamp and SignerKeystore are not shown in this post.
>
> /**
>  * Demo using iText to digitally sign PDF document with a valid time-stamp
>  * Demo dependencies:
>  * SignerKeystore - interface providing signing certificate access
>  * SignerKeystorePKCS12 - implementation importing PKCS12 (.pfx) certificate
>  */
> public class PdfSigner {
>
>     private SignerKeystore sks;
>
>     public PdfSigner(SignerKeystore sks) throws Exception {
>         this.sks = sks;
>     }
>
>     public void signPDF(PdfStamper stp, TSAClient tsc) {
>         try {
>             PdfSignatureAppearance sap = stp.getSignatureAppearance();
>             setAppearance(sap);
>
>             // Create a pdfTimeStamp
>             PdfSignature dic = new PdfTimeStamp();
>             dic.put(PdfName.V, new PdfNumber(0));
>             sap.setCryptoDictionary(dic);
>
>             // Estimate signature size, creating a 'fake' one using fake data
>             byte[] estSignature =
>                 genPKCS7Signature(new ByteArrayInputStream("fake".getBytes()), null);
>             int contentEst = estSignature.length
>                 + ((tsc == null) ? 0 : tsc.getTokenSizeEstimate());
>
>             // Preallocate excluded byte-range for the signature content
>             // (hex encoded: two characters per byte plus the < > delimiters)
>             HashMap exc = new HashMap();
>             exc.put(PdfName.CONTENTS, new Integer(contentEst * 2 + 2));
>             sap.preClose(exc);
>
>             // Get the true data signature, including a true time stamp token
>             byte[] encodedSig = genPKCS7Signature(sap.getRangeStream(), tsc);
>             // paddedSig below holds exactly contentEst bytes, so a longer
>             // signature cannot fit (the original test allowed 2 bytes too many)
>             if (contentEst < encodedSig.length) {
>                 throw new Exception("Timestamp size estimate " + contentEst +
>                     " is too low for actual " + encodedSig.length);
>             }
>
>             // Copy signature into a zero-filled array, padding it up to estimate
>             byte[] paddedSig = new byte[contentEst];
>             System.arraycopy(encodedSig, 0, paddedSig, 0, encodedSig.length);
>
>             // Finally, load zero-padded signature into the signature field /Contents
>             PdfDictionary dic2 = new PdfDictionary();
>             dic2.put(PdfName.CONTENTS, new PdfString(paddedSig).setHexWriting(true));
>             sap.close(dic2);
>
>         } catch (Throwable t) {
>             System.out.println("Signing failed" + t);
>             t.printStackTrace();
>         }
>     }
>
>     /**
>      * Setup signature appearance. Override to define specifics.
>      * @param sap PdfSignatureAppearance
>      */
>     protected void setAppearance(PdfSignatureAppearance sap) {
>         // Make this an invisible signature
>         sap.setVisibleSignature(new Rectangle(0, 0, 0, 0), 1, "Signature"); // empty makes field invisible
>     }
>
>     /**
>      * Generate the PKCS7 encoded signature
>      * @param data InputStream - data to digest
>      * @param tsc TSAClient - time-stamp client, or null for no time-stamp
>      * @return byte[]
>      * @throws Exception
>      */
>     protected byte[] genPKCS7Signature(InputStream data, TSAClient tsc) throws Exception {
>
>         // assume sub-filter is adobe.pkcs7.sha1
>         PdfPKCS7 sgn = new PdfPKCS7(sks.getPrivateKey(), sks.getChain(), null,
>             "SHA1", sks.getProvider().getName(), true);
>
>         // Feed the signed byte ranges to the digest in 2 KB chunks
>         byte[] buff = new byte[2048];
>         int len = 0;
>         while ((len = data.read(buff)) > 0) {
>             sgn.update(buff, 0, len);
>         }
>         return sgn.getEncodedPKCS7(null, null, tsc, null);
>     }
>
> }
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> PdfSigner
>
>
>
>
>
> Thanks in advance,
>
>
>
> Regards.
>
>
>
>
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> iText-questions mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> Buy the iText book: http://www.1t3xt.com/docs/book.php
> Check the site with examples before you ask questions:
> http://www.1t3xt.info/examples/
> You can also search the keywords list:
> http://1t3xt.info/tutorials/keywords/
>
>
>
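
Added example, not part of the original thread and not iText code: a small Python audit of an already-parsed /DSS against the points in the engineer's list above (a /VRI entry with neither /TS nor /TU, and no /VRI entries for CRL signatures). The dict layout, function names and sample bytes are constructed for illustration; the /VRI key rule (uppercase hex SHA-1 of the signature value) is taken from the PAdES-LTV specification, not from this thread.

```python
import hashlib


def vri_key(signature_bytes):
    """Key of a /VRI entry: uppercase base-16 SHA-1 of the signature value."""
    return hashlib.sha1(signature_bytes).hexdigest().upper()


def audit_dss(dss, signatures):
    """Return a list of findings for a parsed /DSS dictionary.

    dss        -- /DSS as plain dicts/lists (assumed shape, see SAMPLE_DSS)
    signatures -- label -> raw signature bytes for every signed component
                  (document signature, CRL signatures, OCSP signatures, ...)
    """
    findings = []
    if not dss.get("Certs"):
        findings.append("DSS: no /Certs entry, chain must come from elsewhere")
    vri = dss.get("VRI", {})
    for label, sig in signatures.items():
        key = vri_key(sig)
        entry = vri.get(key)
        if entry is None:
            findings.append(f"{label}: no /VRI entry (expected key {key})")
        elif "TS" not in entry and "TU" not in entry:
            findings.append(f"{label}: /VRI entry has neither /TS nor /TU")
    return findings


# Constructed sample mirroring the file described in the reply:
# one /VRI entry for the main signature, without /TS or /TU, none for the CRL.
DOC_SIG = b"constructed-document-signature-value"
CRL_SIG = b"constructed-crl-signature-value"
SAMPLE_DSS = {
    "Certs": ["<cert stream>"],
    "CRLs": ["<crl stream>"],
    "VRI": {vri_key(DOC_SIG): {"Cert": ["<cert stream>"],
                               "CRL": ["<crl stream>"]}},
}

if __name__ == "__main__":
    for line in audit_dss(SAMPLE_DSS, {"document signature": DOC_SIG,
                                       "CRL signature": CRL_SIG}):
        print(line)
```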