Hi Andreas,
Hi Bram,
Hi all,

The problem is suspended because our client is not interested in that solution 
anymore.
So I stopped research and contacts.

However, I will try to find a solution to this, but I have no time to spend on 
this these months.
And it is not so obvious; I tried a PKCS7 signature (usage of 
"sig.getEncodedPKCS7()" instead of "sig.getEncodedPKCS1()") and 
"setExternalDigest", but it is always marked as invalid.

So I gave up for now; I will retry this later...

Since our last contact, I just discovered that:
- it seems not possible to have the "valid signature" displayed the first 
time.
- but the application here: https://sign.belgium.be/index.action is able to 
store the full certificate chain in the PDF in a correct way, so it is 
possible, in Adobe Reader, to parse the certificate chain and to add "Belgium 
Root CA" to trusted identities, which solves the problem "once and for all".


Regards,
   Julien

Julien Vroonen - [email protected]
Business Analyst

NSI IT Software & Services 
Chaussée de Bruxelles, 174 A 
B-4340 Awans 
Direct tel.: +32 (0)4 239 91 60 
General tel.: +32 (0)4 239 91 50 
Fax : +32 (0)4 246 13 08 
www.nsi-sa.be 

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Monday 21 February 2011 13:29
To: [email protected]; Vroonen Julien; 
[email protected]
Subject: Re: [iText-questions] Signing PDF with Belgian EID card: issuing 
certificates missing from path

Hi Bram,

you're trapped by an old bug in the PKCS1 implementation discovered just some 
days ago. I would strongly recommend using the PKCS7 samples.

Moreover, there seem to be problems getting a valid OCSP from the Belgian root 
authority. 

@Julien: Did you manage to get a useful response from the Belgian root 
authority?

Greetings

Andreas

----- Original Message --------

Subject: [iText-questions] Signing PDF with Belgian EID card: issuing 
certificates missing from path
Sent: Mon, 21 Feb 2011
From: Bram<[email protected]>

> 
> Hi,
> 
> I want to sign a PDF file using the signature certificate of a Belgian 
> EID card. I also want this signature to be considered valid if the 
> root certificate (Belgium Root CA, or Belgium Root CA 2) is trusted on 
> the computer where the PDF file is opened.
> 
> My Java code is based on the example from this website:
> http://itext.ugent.be/articles/eid-pdf/index.php?page=3#recipient
> The main adjustment is that an array of three certificates is passed 
> to the setCrypto() method, instead of only one. I believe this is 
> necessary to include the certificate chain in the signed PDF. (Correct?)
> 
> Unfortunately, when I open the signed PDF file in Adobe Reader, the 
> issuing certificates (Citizen CA and Belgium Root CA 2) are not 
> included in the certificate path. All I can see is the signing certificate.
> Is there something obvious I'm doing wrong?
> 
> I found another thread that looks related to this, but I'm not sure if 
> it is, or what it means exactly:
> http://itext-general.2136553.n4.nabble.com/Another-spec-question-regarding-a-PKCS1-detail-tp3264914p3264914.html
> Does this mean there's a bug in iText and that it's impossible to 
> include the certificate chain in a PDF? Or is there another way to 
> sign a PDF that doesn't have these problems?
> 
> Thank you,
> Bram
> 
> _______________________________________________
> 
>     public void exportToSignedPdf(JasperPrint jasperPrint, String fileName) throws Throwable {
>         byte[] pdfBytes = JasperExportManager.exportReportToPdf(jasperPrint);
>         PdfReader reader = new PdfReader(pdfBytes);
>         FileOutputStream fout = new FileOutputStream(fileName);
>         PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
>         PdfSignatureAppearance sap = stamper.getSignatureAppearance();
> 
>         BelpicCard scd = new BelpicCard("");
>         X509Certificate[] certs = new X509Certificate[3];
>         certs[0] = scd.getNonRepudiationCertificate();
>         certs[1] = scd.getCertificationAuthorityCertificate();
>         certs[2] = scd.getRootCertificationAuthorityCertificate();
> 
>         sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
>         sap.setVisibleSignature(new Rectangle(350, 65, 470, 95), 1, null);
>         sap.setExternalDigest(new byte[128], new byte[20], "RSA");
>         sap.preClose();
> 
>         PdfPKCS7 sig = sap.getSigStandard().getSigner();
> 
>         byte[] content = streamToByteArray(sap.getRangeStream());
>         byte[] hash = MessageDigest.getInstance("SHA-1").digest(content);
>         byte[] signatureBytes = scd.generateNonRepudiationSignature(hash);
> 
>         sig.setExternalDigest(signatureBytes, null, "RSA");
>         PdfDictionary dic = new PdfDictionary();
>         dic.put(PdfName.CONTENTS, new PdfString(sig.getEncodedPKCS1())
>                 .setHexWriting(true));
>         sap.close(dic);
>     }
> 
>     public static byte[] streamToByteArray(InputStream stream) throws Throwable {
>         if (stream == null) {
>             return null;
>         } else {
>             ByteArrayOutputStream byteArray = new ByteArrayOutputStream();
>             byte buffer[] = new byte[1024];
>             int c = 0;
>             while ((c = stream.read(buffer)) > 0) {
>                 byteArray.write(buffer, 0, c);
>             }
>             byteArray.flush();
>             return byteArray.toByteArray();
>         }
>     }
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/Signing-PDF-with-Belgian-EID-card-issuing-certificates-missing-from-path-tp3317042p3317042.html
> Sent from the iText - General mailing list archive at Nabble.com.
> 
> _______________________________________________
> iText-questions mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
> 
> Many questions posted to this list can (and will) be answered with a 
> reference to the iText book: http://www.itextpdf.com/book/ Please 
> check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php
> 

--- End of Original Message ----
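
A way to check whether a signed PDF actually carries the issuing certificates discussed in this thread, added here as an example (it is not code from any of the posters or from iText): the function counts the certificates inside the CMS/PKCS#7 SignedData stored in the signature's /Contents entry. It assumes you have already copied the /Contents hex string out of the signature dictionary and that it is definite-length DER; the sample values are constructed, and their "certificates" are placeholders rather than real X.509 structures.

```python
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def certs_in_contents(contents_hex):
    """Count certificates in the CMS SignedData held in /Contents (0 if it is not CMS)."""
    tag, content_info, _ = read_tlv(bytes.fromhex(contents_hex))  # trailing zero padding is skipped
    fields = children(content_info) if tag == 0x30 else []
    if len(fields) < 2 or fields[0] != (0x06, SIGNED_DATA):
        return 0                            # e.g. a bare PKCS#1 signature value
    _, signed_data = children(fields[1][1])[0]   # unwrap the [0] EXPLICIT content
    for tag, value in children(signed_data):
        if tag == 0xA0:                     # certificates [0] IMPLICIT
            return len(children(value))
    return 0

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def sample_contents(names, pad=16):
    """Constructed /Contents hex: SignedData whose 'certificates' are placeholders."""
    certs = b"".join(tlv(0x30, tlv(0x0C, n.encode())) for n in names)
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, DATA))
                      + tlv(0xA0, certs) + tlv(0x31, b""))
    return (tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, signed_data)) + bytes(pad)).hex()

if __name__ == "__main__":
    for chain in (["signer"], ["signer", "Citizen CA", "Belgium Root CA 2"]):
        print(len(chain), "embedded ->", certs_in_contents(sample_contents(chain)))
```

A result of 1 means only the signing certificate is embedded, so a viewer has nothing in the file from which to build the path up to the root.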

