Thanks for the answer. I don't like this behavior; I want the signing PIN to be asked once, so I tried to use external hash and signature.
I need to use PdfSignatureAppearance.WINCER_SIGNED (PKCS#7 signature). A solution with an external dictionary using Bouncy Castle works for me: the signing PIN is asked once and the resulting signed PDF contains a valid signature. But this solution isn't the one I prefer because I'm developing a signing applet interacting with a smartcard and I want to minimize as much as possible the libraries that are downloaded on the client (iText and BC are a bit "heavy"). Hence I tried the external hash and signature example and it doesn't work for me (invalid signature due to "SigDict /Contents illegal data"). The code I used follows. As you can see, the only difference is the instantiation of the Signature with a specific provider for the smartcard to be used to sign.
PdfReader reader = new PdfReader(isPdfToSign);
PdfStamper writer = PdfStamper.createSignature(reader, osSignedPdf, '\0');
PdfSignatureAppearance psa = writer.getSignatureAppearance();
psa.setReason("a reason");
psa.setLocation("here");
psa.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
// Placeholder signature (128 bytes = 1024-bit RSA) and SHA-1 digest, used only so
// that preClose() reserves enough room for /Contents; a 2048-bit key needs a
// 256-byte placeholder here or the real PKCS#7 will not fit.
psa.setExternalDigest(new byte[128], new byte[20], "RSA");
psa.preClose();
// Digest exactly the bytes covered by /ByteRange.
MessageDigest dig = MessageDigest.getInstance("SHA1");
byte[] buffer = new byte[8192];
int n;
InputStream isrs = psa.getRangeStream();
while ((n = isrs.read(buffer)) > 0) dig.update(buffer, 0, n); // only the n bytes read, not the whole buffer
byte[] hash = dig.digest();
PdfSigGenericPKCS sg = psa.getSigStandard();
PdfLiteral slit = (PdfLiteral) sg.get(PdfName.CONTENTS);
// outc must keep exactly this size: the hex string written back has to fill the
// reserved /Contents slot, so the PKCS#7 is zero-padded up to the end of it.
byte[] outc = new byte[(slit.getPosLength() - 2) / 2];
PdfPKCS7 sig = sg.getSigner();
// The smartcard signs the 20-byte hash; in WINCER_SIGNED mode that hash is the PKCS#7 content.
Signature signature = Signature.getInstance("SHA1withRSA", "SunPKCS11-Actalis");
signature.initSign(key);
signature.update(hash);
sig.setExternalDigest(signature.sign(), hash, "RSA");
byte[] ssig = sig.getEncodedPKCS7();
// Copy into the full-size array instead of shrinking it with Arrays.copyOf: a
// shorter hex literal leaves the original filler behind it and /Contents becomes unreadable.
System.arraycopy(ssig, 0, outc, 0, ssig.length);
PdfDictionary dic = new PdfDictionary();
dic.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
psa.close(dic);

What am I doing wrong?

-----Original Message-----
To: [email protected]
Subject: Re: [iText-questions] Signing with external provider
That's to be expected. The first time is to get the signature size and the second time is to actually sign. This will be changed (as will the whole signing process) but for the time being that's how it works.
Paulo

-----Original Message-----
From: Roberto Coppi [mailto:[email protected]]
Sent: Tuesday, November 30, 2010 2:10 PM
To: [email protected]
Subject: [iText-questions] Signing with external provider

Hi all!
I'm new to iText and I'm developing (in Java) a class to sign PDF documents with a smartcard. I'm using the Sun PKCS11 provider to access certificates and keys on the smartcard. I've tried to set the external cryptographic provider in the PdfSignatureAppearance and the signing process is working, but there is a small problem: the authentication PIN is correctly asked once (to gain access to the Keystore), while the signing PIN is asked 2 times instead of once. Why? I don't believe it's a provider configuration related problem because I used the same configuration to sign documents with Bouncy Castle in PKCS#7 format. The relevant part of the source code follows.

PdfReader reader = new PdfReader(isPdfToSign);
PdfStamper writer = PdfStamper.createSignature(reader, osPdfSigned, '\0');
PdfSignatureAppearance psa = writer.getSignatureAppearance();
psa.setReason("a reason");
psa.setLocation("here");
psa.setCrypto(privateKey, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
psa.setProvider("SunPKCS11-Actalis");
writer.close();

Thanks to anyone who can support me
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions

Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
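The /Contents handling that Roberto's "SigDict /Contents illegal data" error turns on, as an added Python check that is not iText's or the poster's code (the PDF bytes are a constructed stand-in for the signature dictionary iText writes, and the field width is an assumption of this sample): it recomputes the digest over /ByteRange, as getRangeStream() does, and shows that a hex literal shorter than the reserved slot leaves the original filler behind, whereas zero-padding to the reserved width keeps the literal well-formed without altering the signed ranges.

```python
import hashlib
import re

# Constructed stand-in for the signature dictionary iText writes (not a real
# PDF): /ByteRange [0 L1 O2 L2] skips exactly the /Contents literal, which
# preClose() reserves as '<' + N hex digits + '>'. The ByteRange numbers get a
# fixed width so filling them in does not move the offsets.
FIELD_WIDTH = 43

def build_sample(slot_hex_digits):
    """Return constructed PDF-like bytes with a zero-filled /Contents slot."""
    head = b"%PDF-1.4\n1 0 obj << /Type /Sig /Filter /Adobe.PPKMS /ByteRange ["
    tail = b"] /Contents <"
    end = b"> >>\nendobj\n%%EOF\n"
    start = len(head) + FIELD_WIDTH + len(tail) - 1   # offset of '<'
    after = start + slot_hex_digits + 2               # first byte after '>'
    nums = b" ".join(str(v).encode() for v in (0, start, after, len(end) - 1))
    return head + nums.ljust(FIELD_WIDTH) + tail + b"0" * slot_hex_digits + end

def byte_range(pdf):
    m = re.search(rb"/ByteRange \[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    return tuple(int(v) for v in m.groups())

def range_digest(pdf):
    """SHA-1 over the two signed ranges, i.e. what psa.getRangeStream() yields."""
    o1, l1, o2, l2 = byte_range(pdf)
    return hashlib.sha1(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).digest()

def contents_slot_is_well_formed(pdf):
    """The gap between the ranges must be one hex literal: '<', hex digits, '>'."""
    _, l1, o2, _ = byte_range(pdf)
    slot = pdf[l1:o2]
    return (slot[:1] == b"<" and slot[-1:] == b">"
            and re.fullmatch(rb"[0-9A-Fa-f]*", slot[1:-1]) is not None)

def write_contents(pdf, pkcs7_der, pad):
    """Overwrite the reserved slot with hex(pkcs7_der), zero-padded or not."""
    _, l1, o2, _ = byte_range(pdf)
    width = o2 - l1 - 2                      # hex digits the slot can hold
    hexed = pkcs7_der.hex().encode()
    if len(hexed) > width:
        raise ValueError("PKCS#7 larger than the reserved /Contents slot")
    if pad:  # System.arraycopy into a full-size outc: readers take the first
        hexed = hexed.ljust(width, b"0")  # DER object and ignore the zero tail
    literal = b"<" + hexed + b">"
    # An unpadded literal is shorter than the slot, so the zero filler and the
    # original '>' survive after it: '<...>000>' is not a valid PDF string.
    return pdf[:l1] + literal + pdf[l1 + len(literal):]
```

The same check applied to a real signed file (read /ByteRange and /Contents from the last incremental update) tells whether the writer filled the slot before any certificate or CMS validation is even attempted.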
