Hi Julien,
I could guess the problem is caused by the way the certificates are included in
the PDF. You're using the rsa_sha1 variant, where the certificates are not
part of the PKCS7 container but are transported in the signature dictionary using
the key 'Cert'. As far as I can see all certificates are streamed into one byte
array. From the spec I would guess there should be an array of strings ... Does
your code manage this detail?
Moreover I see a strange problem with the OCSP response from the Belgium root
CA. The nonce of the response doesn't match the value of the request !?!
Anyone aware of this 'feature'? Or is it a bug of the CA? Afaik the Reader is
very picky about nonces ...
Greetings
Andreas
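The nonce check Andreas refers to, written out as an added example (this is not code from the thread or from iText). It reads a DER-encoded OCSP request and the matching response from files given on the command line and reports whether the nonce extension in the response equals the one sent in the request, distinguishing a responder that simply omits the nonce from one that returns a different value. It assumes the current BouncyCastle bcpkix API (org.bouncycastle.cert.ocsp); the file paths and the class name OcspNonceCheck are placeholders.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;

public class OcspNonceCheck {

    // id-pkix-ocsp-nonce, the extension both request and response carry (RFC 6960)
    private static final ASN1ObjectIdentifier NONCE_OID = OCSPObjectIdentifiers.id_pkix_ocsp_nonce;

    /** Raw extnValue octets of the nonce extension, or null when the message has none. */
    static byte[] nonceOf(Extension ext) {
        return ext == null ? null : ext.getExtnValue().getOctets();
    }

    /**
     * Mirrors what a strict verifier does: if the request carried a nonce, the
     * response must carry the identical value. A response without any nonce
     * (the responder ignored the extension) is reported separately from a
     * response whose nonce is present but different, because the two cases
     * point at different causes.
     */
    static String compareNonces(OCSPReq request, BasicOCSPResp response) {
        byte[] reqNonce = nonceOf(request.getExtension(NONCE_OID));
        byte[] respNonce = nonceOf(response.getExtension(NONCE_OID));
        if (reqNonce == null) {
            return "request carried no nonce; nothing to compare";
        }
        if (respNonce == null) {
            return "response carries no nonce (responder ignored the extension)";
        }
        return Arrays.equals(reqNonce, respNonce) ? "nonce matches" : "NONCE MISMATCH";
    }

    // usage: java OcspNonceCheck request.der response.der  (file names are placeholders)
    public static void main(String[] args) throws IOException, OCSPException {
        OCSPReq req = new OCSPReq(Files.readAllBytes(Paths.get(args[0])));
        OCSPResp resp = new OCSPResp(Files.readAllBytes(Paths.get(args[1])));
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            System.out.println("responder returned status " + resp.getStatus() + ", no basic response to inspect");
            return;
        }
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
        System.out.println(compareNonces(req, basic));
    }
}
```

Capturing the request and response bytes that the signing code sends and receives, and running them through this check, tells you whether the mismatch Andreas saw comes from the responder or from the request being rebuilt with a fresh nonce between sending and verifying.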
----- Original message --------
Subject: [iText-questions] PDF Signature : validity unknown - Belgium eID :
Signature problem in a PDF, with a certificate chain (MyCertificate ->
CitizenCA -> BelgiumRootCA)
Sent: Wed, 29 Dec 2010
From: Vroonen Julien
Hi List,
Concerning :
« validity unknown » displayed by Adobe Reader (tested in versions 7 and 9)
Using iText to sign a PDF document
With a smart card : the Belgium eID (identity card)
Using an external signature
With PdfSignatureAppearance.SELF_SIGNED option
When I consult a signed PDF with iText (I made the signature myself, based on
the example found here : http://itextpdf.sourceforge.net/howtosign.html), on my
computer, where all my certificates are registered, everything is displayed
correctly in Adobe Reader : the signature is displayed as valid.
However, when I try to read this PDF on another computer, the validity of the
signature is displayed as validity unknown.
I figured out that it could be :
Point 1) because the certificate chain is not included in the PDF.
Point 2) because the Belgium Root CA is not imported as a trusted CA in
Windows
Point 3) because the Citizen CA is not imported as a trusted CA in Windows
Point 1 :
I made the signature, passing the certificate chain extracted from the smart
card.
In debug mode, every certificate is there, and the complete chain is passed to
the API call : sap.setCrypto(null, certs, null,
PdfSignatureAppearance.SELF_SIGNED);
So, this does not seem to be the problem (but I could not check it for sure) :
on my PC, the certificate chain is well displayed by Adobe Reader.
And when I call this API at the end of the signature process : Certificate[]
certsInPdf = stamper.getSignatureAppearance().getCertChain(); a Certificate[]
is returned, containing the 3 certificates.
Point 2 :
I installed the Belgium Root CA, exported from my PC and imported on the pc
displaying validity unknown.
I tried this installation twice : in automatic mode, and in the certification
store named Trusted Root CA.
But it did not change anything to the display made by Adobe Reader
Point 3 :
THIS was the solution !
I installed this certificate, using the same procedure from Belgium Root CA,
and, after that, the signature appeared as valid !
HOWEVER, due to the number of existing Citizen CAs
(http://repository.eid.belgium.be/FR/CitizenCA.htm), it is not possible to do
this on every PC where the signed PDF will be consulted.
So, my question is
Obviously, signature is well displayed if the 3 points are done.
Why is point 3 necessary ?
I can understand (the users could accept) the necessity of point 2, but I can
NOT ask every user to do the same with every existing Citizen CA.
Any help, suggestion, explanation is welcome!
Best regards,
Julien.
Julien Vroonen - [email protected]
Business Analyst
NSI IT Software & Services
Chaussée de Bruxelles, 174 A
B-4340 Awans
Tél. Direct : +32 (0)4 239 91 60
Tél. Général : +32 (0)4 239 91 50
Fax : +32 (0)4 246 13 08
www.nsi-sa.be
--- Original message end ----
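Julien's Points 1 to 3 come down to one question: can the verifier build a path from the signer certificate up to a root it trusts? The added example below (not code from the thread or from iText) reproduces that step with the JDK's PKIX path builder. Only the root is a trust anchor; any intermediate (the Citizen CA) has to be offered through a CertStore, which stands in for "whatever the verifier can see", i.e. the chain embedded in the PDF or the local certificate store. The class name EidChainCheck and the file arguments are placeholders; the certificates are read from DER or PEM files.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class EidChainCheck {

    /** Loads one X.509 certificate (DER or PEM) from a file. */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Builds the path from the signer to the given root. The root is the only
     * trust anchor; the signer and the supplied intermediates are the only
     * certificates the builder may use to bridge the gap. Throws
     * CertPathBuilderException when no path exists, which is the situation
     * behind a "validity unknown" verdict: nothing links the signer to the root.
     */
    static CertPath buildPath(X509Certificate signer, List<X509Certificate> intermediates,
                              X509Certificate root) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);

        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(root, null)), target);

        List<X509Certificate> available = new ArrayList<>(intermediates);
        available.add(signer);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(available)));

        // Revocation (OCSP/CRL) is a separate question from path building; keep it out of this check.
        params.setRevocationEnabled(false);

        PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
        return result.getCertPath();
    }

    // usage: java EidChainCheck signer.cer belgiumroot.cer [citizenca.cer ...]  (file names are placeholders)
    public static void main(String[] args) throws Exception {
        X509Certificate signer = load(args[0]);
        X509Certificate root = load(args[1]);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            intermediates.add(load(args[i]));
        }
        try {
            CertPath path = buildPath(signer, intermediates, root);
            System.out.println("path built: " + path.getCertificates().size()
                    + " certificate(s) below the trusted root");
        } catch (CertPathBuilderException e) {
            System.out.println("no path from signer to root: " + e.getMessage());
        }
    }
}
```

Run it once with only the signer and the root, and once more with the Citizen CA file added: the first run fails and the second succeeds. That is the behaviour Julien observed in Point 3 from the other side; the fix is to make sure the intermediate reaches the verifier with the document, so that no per-PC installation of every Citizen CA is needed.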
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions