Hi Bram,

you're trapped by an old bug in the PKCS1 implementation discovered just some days ago. I would strongly recommend using the PKCS7 samples.

Moreover there seem to be problems getting a valid OCSP from the Belgian root authority.

@Julien: Did you manage to get a useful response from the Belgian root authority?

Greetings
Andreas

----- Original message -----
Subject: [iText-questions] Signing PDF with Belgian EID card: issuing certificates missing from path
Sent: Mon, 21 Feb 2011
From: Bram<[email protected]>

> Hi,
>
> I want to sign a PDF file using the signature certificate of a Belgian EID
> card. I also want this signature to be considered valid if the root
> certificate (Belgium Root CA, or Belgium Root CA 2) is trusted on the
> computer where the PDF file is opened.
>
> My Java code is based on the example from this website:
> http://itext.ugent.be/articles/eid-pdf/index.php?page=3#recipient
> The main adjustment is that an array of three certificates is passed to the
> setCrypto() method, instead of only one. I believe this is necessary to
> include the certificate chain in the signed PDF. (Correct?)
>
> Unfortunately, when I open the signed PDF file in Adobe Reader, the issuing
> certificates (Citizen CA and Belgium Root CA 2) are not included in the
> certificate path. All I can see is the signing certificate.
> Is there something obvious I'm doing wrong?
>
> I found another thread that looks related to this, but I'm not sure if it
> is, or what it means exactly:
> http://itext-general.2136553.n4.nabble.com/Another-spec-question-regarding-a-PKCS1-detail-tp3264914p3264914.html
> Does this mean there's a bug in iText and that it's impossible to include
> the certificate chain in a PDF? Or is there another way to sign a PDF that
> doesn't have these problems?
>
> Thank you,
> Bram
>
> _______________________________________________
>
> public void exportToSignedPdf(JasperPrint jasperPrint, String fileName)
>         throws Throwable {
>     byte[] pdfBytes = JasperExportManager.exportReportToPdf(jasperPrint);
>     PdfReader reader = new PdfReader(pdfBytes);
>     FileOutputStream fout = new FileOutputStream(fileName);
>     PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
>     PdfSignatureAppearance sap = stamper.getSignatureAppearance();
>
>     BelpicCard scd = new BelpicCard("");
>     X509Certificate[] certs = new X509Certificate[3];
>     certs[0] = scd.getNonRepudiationCertificate();
>     certs[1] = scd.getCertificationAuthorityCertificate();
>     certs[2] = scd.getRootCertificationAuthorityCertificate();
>
>     sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
>     sap.setVisibleSignature(new Rectangle(350, 65, 470, 95), 1, null);
>     sap.setExternalDigest(new byte[128], new byte[20], "RSA");
>     sap.preClose();
>
>     PdfPKCS7 sig = sap.getSigStandard().getSigner();
>
>     byte[] content = streamToByteArray(sap.getRangeStream());
>     byte[] hash = MessageDigest.getInstance("SHA-1").digest(content);
>     byte[] signatureBytes = scd.generateNonRepudiationSignature(hash);
>
>     sig.setExternalDigest(signatureBytes, null, "RSA");
>     PdfDictionary dic = new PdfDictionary();
>     dic.put(PdfName.CONTENTS, new PdfString(sig.getEncodedPKCS1())
>             .setHexWriting(true));
>     sap.close(dic);
> }
>
> public static byte[] streamToByteArray(InputStream stream) throws Throwable {
>     if (stream == null) {
>         return null;
>     } else {
>         ByteArrayOutputStream byteArray = new ByteArrayOutputStream();
>         byte buffer[] = new byte[1024];
>         int c = 0;
>         while ((c = stream.read(buffer)) > 0) {
>             byteArray.write(buffer, 0, c);
>         }
>         byteArray.flush();
>         return byteArray.toByteArray();
>     }
> }
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/Signing-PDF-with-Belgian-EID-card-issuing-certificates-missing-from-path-tp3317042p3317042.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
> _______________________________________________
> iText-questions mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php

--- End of original message ---
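
Added example (not part of the original e-mails and not iText code): the difference between the two containers named in the thread, shown with the openssl CLI. A PKCS#1 signature is only the RSA signature value, so any certificates have to travel outside it, while a PKCS#7 SignedData structure can embed the signer certificate together with its issuing certificates. All certificate names, file names, the 2048-bit keys and the SHA-256 digest are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for illustration.
set -e

# issue <dir> <name> <issuer> <CN>: new key and CSR, certificate signed by <issuer>
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/$3.pem" \
        -CAkey "$1/$3.key" -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

# Throwaway root -> intermediate -> signer chain, like root / Citizen CA / signer.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    issue "$1" ca root "Demo Citizen CA"
    issue "$1" leaf ca "Demo Signer"
    cat "$1/ca.pem" "$1/root.pem" > "$1/chain.pem"
}

# PKCS#1: the output is only the RSA signature value (modulus-sized, no certs).
pkcs1_size() {
    openssl dgst -sha256 -sign "$1/leaf.key" -out "$1/sig.p1" "$1/data.bin"
    wc -c < "$1/sig.p1" | tr -d ' '
}

# PKCS#7 SignedData: count the certificates embedded next to the signature.
# $2 is "" (signer only) or a PEM file with the issuing certificates.
pkcs7_cert_count() {
    openssl smime -sign -binary -md sha256 -outform DER -in "$1/data.bin" \
        -signer "$1/leaf.pem" -inkey "$1/leaf.key" ${2:+-certfile "$2"} \
        -out "$1/sig.p7" 2>/dev/null
    openssl pkcs7 -inform DER -in "$1/sig.p7" -print_certs | grep -c '^subject'
}

demo() {
    dir=$(mktemp -d)
    make_chain "$dir"
    printf 'constructed sample content\n' > "$dir/data.bin"
    echo "PKCS#1 signature bytes:        $(pkcs1_size "$dir")"
    echo "PKCS#7 certs, signer only:     $(pkcs7_cert_count "$dir" "")"
    echo "PKCS#7 certs, chain included:  $(pkcs7_cert_count "$dir" "$dir/chain.pem")"
    rm -rf "$dir"
}
demo
```

A verifier that receives the PKCS#7 output with the chain included can build the path up to a trusted root from the container alone; with the signer-only output it needs the intermediate from somewhere else.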
