Thanks for the answer, Paulo.

I don't like this behavior; I want the signing PIN to be asked for
only once, so I tried to use external hash and signature.
I need to use PdfSignatureAppearance.WINCER_SIGNED (PKCS#7 signature).

A solution with an external dictionary using Bouncy Castle works for
me: the signing PIN is asked for once and the resulting signed PDF
contains a valid signature.
But this solution isn't the one I prefer because I'm developing a
signing applet interacting with a smartcard and I want to minimize as
much as possible the libraries that are downloaded on the client
(iText and BC are a bit "heavy").

Hence I tried the external hash and signature example and it doesn't
work for me (invalid signature due to "SigDict /Contents illegal
data").
The code I used follows. As you can see, the only difference is the
instantiation of the Signature with a specific provider for the
smartcard to be used to sign.

    PdfReader reader = new PdfReader(isPdfToSign);
    PdfStamper writer = PdfStamper.createSignature(reader, osSignedPdf, '\0');
    PdfSignatureAppearance psa = writer.getSignatureAppearance();
    psa.setReason("a reason");
    psa.setLocation("here");
    psa.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
    psa.setExternalDigest(new byte[128], new byte[20], "RSA");
    psa.preClose();
    MessageDigest dig = MessageDigest.getInstance("SHA1");
    byte[] buffer = new byte[8192];
    int n;
    InputStream isrs = psa.getRangeStream();
    while ((n = isrs.read(buffer)) > 0) dig.update(buffer);
    byte[] hash = dig.digest();
    PdfSigGenericPKCS sg = psa.getSigStandard();
    PdfLiteral slit = (PdfLiteral)sg.get(PdfName.CONTENTS);
    byte[] outc = new byte[(slit.getPosLength() - 2) / 2];
    PdfPKCS7 sig = sg.getSigner();
    Signature signature = Signature.getInstance("SHA1withRSA", "SunPKCS11-Actalis");
    signature.initSign(key);
    signature.update(hash);
    sig.setExternalDigest(signature.sign(), hash, "RSA");
    byte[] ssig = sig.getEncodedPKCS7();
    PdfDictionary dic = new PdfDictionary();
    outc = Arrays.copyOf(ssig, ssig.length);
    dic.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
    psa.close(dic);

What am I doing wrong?
-----Original Message-----
To: [email protected]
Subject: Re: [iText-questions] Signing with external provider
That's to be expected. The first time is to get the signature size and
the second time is to actually sign. This will be changed (as all the
signing process) but for the time being that's how it works.
Paulo
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions
Many questions posted to this list can (and will) be answered with a reference
to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples:
http://itextpdf.com/themes/keywords.php
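
Two plain-Java checks for the code in the message above, as an added example that is not part of the original post or of iText: the digest loop calls dig.update(buffer) rather than update(buffer, 0, n), and the outc array sized from slit.getPosLength() is replaced by Arrays.copyOf(ssig, ssig.length) before it is written as /Contents. The class name, the helper names and all sample values are hypothetical; no iText classes or smartcard provider are used.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Arrays;

public class ExternalSignatureChecks {
    // Hash a stream; wholeBuffer=true reproduces the posted dig.update(buffer) call.
    static byte[] digest(InputStream in, boolean wholeBuffer) throws Exception {
        MessageDigest dig = MessageDigest.getInstance("SHA-1");
        byte[] buffer = new byte[8192];
        int n;
        while ((n = in.read(buffer)) > 0) {
            if (wholeBuffer) dig.update(buffer);   // also hashes stale bytes after a short read
            else dig.update(buffer, 0, n);         // hashes only the n bytes just read
        }
        return dig.digest();
    }

    // Copy the encoded signature into a zero-padded array of the reserved size.
    static byte[] padToReserved(byte[] encoded, int reservedBytes) {
        if (encoded.length > reservedBytes)
            throw new IllegalArgumentException("signature larger than reserved space");
        byte[] outc = new byte[reservedBytes];
        System.arraycopy(encoded, 0, outc, 0, encoded.length);
        return outc;
    }

    public static void main(String[] args) throws Exception {
        byte[] doc = new byte[10000];              // constructed sample "document"
        for (int i = 0; i < doc.length; i++) doc[i] = (byte) i;
        byte[] reference = MessageDigest.getInstance("SHA-1").digest(doc);
        System.out.println("update(buffer, 0, n) matches reference: "
                + Arrays.equals(reference, digest(new ByteArrayInputStream(doc), false)));
        System.out.println("update(buffer) matches reference:       "
                + Arrays.equals(reference, digest(new ByteArrayInputStream(doc), true)));

        int posLength = 4098;                      // constructed stand-in for slit.getPosLength()
        int reserved = (posLength - 2) / 2;        // same arithmetic as the posted code
        byte[] ssig = new byte[1500];              // constructed stand-in for getEncodedPKCS7()
        Arrays.fill(ssig, (byte) 0x30);
        System.out.println("reserved bytes:             " + reserved);
        System.out.println("Arrays.copyOf(ssig) length: " + Arrays.copyOf(ssig, ssig.length).length);
        System.out.println("padToReserved length:       " + padToReserved(ssig, reserved).length);
    }
}
```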