Michael, OK, I see now where you are coming from. If the signer used another hash to calculate the hash of the PDF content (stored in encContentInfo) than was used to create the signature, then current iText code will fail.
Not sure why the signer would choose to do that, but if it happens for some reason....

I think the right thing for messageDigest is to:

1) Collect all hash algorithms from digestAlgorithms from SignedData in an Array of MessageDigest.
2) Have the update() method load all hash algorithm choices with the to-be-signed data buffer.
3) In verify(), compare RSAdata with all hash choices. Succeed upon one match.

Or is there any better source inside the PDF structure to get me the one hash I need to use for messageDigest?

If my approach is acceptable, then I could easily provide a backwards compatible patch for this.

/Stefan

On 11-08-10 4:36 PM, "mkl" <m...@wir-sind-cool.org> wrote:

> Stefan,
>
> Stefan Santesson wrote:
>> I think the fix is right.
>
> I think so, too. My remark was about additional issues to fix in the code.
>
> I think that your fix does use the correct algorithm for encContDigest, but the original code in some cases doesn't for messageDigest!
>
> When handling an adbe.pkcs7.sha1 signature, the byte ranges have to be hashed using SHA1, no matter which is the CMS digest algorithm. The PdfPKCS7 code uses the CMS digest algorithm here, too, though. At least if I read the code correctly. I'm not exactly a fan of this kind of bouncy castle asn1 juggling...
>
> Regards, Michael.
>
> --
> View this message in context: http://itext-general.2136553.n4.nabble.com/Signature-validation-bug-in-iText-5-1-1-tp3729972p3733089.html
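The three steps proposed in the message above, as an added sketch that is not code from iText or from either poster: `MultiDigest` is a hypothetical helper, the algorithm names stand in for values read from digestAlgorithms, and the sample bytes are constructed. It returns the name of the matching algorithm, so a caller can still enforce a rule such as SHA1 for adbe.pkcs7.sha1.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper (not an iText class): one MessageDigest per candidate algorithm.
public class MultiDigest {
    private final Map<String, MessageDigest> digests = new LinkedHashMap<>();

    // Step 1: algorithm names as they would be read from SignedData.digestAlgorithms.
    public MultiDigest(String... algorithms) throws NoSuchAlgorithmException {
        for (String name : algorithms) {
            digests.put(name, MessageDigest.getInstance(name));
        }
    }

    // Step 2: feed the to-be-signed bytes to every candidate digest.
    public void update(byte[] buf, int off, int len) {
        for (MessageDigest md : digests.values()) {
            md.update(buf, off, len);
        }
    }

    // Step 3: name of the first algorithm whose hash equals the stored value,
    // or null if none matches. digest() resets state, so call this once,
    // after the last update().
    public String match(byte[] stored) {
        for (Map.Entry<String, MessageDigest> e : digests.entrySet()) {
            if (MessageDigest.isEqual(e.getValue().digest(), stored)) {
                return e.getKey();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the stored hash is SHA-1 of the data,
        // while the candidate list also names SHA-256.
        byte[] data = "constructed byte-range content".getBytes(StandardCharsets.UTF_8);
        byte[] stored = MessageDigest.getInstance("SHA-1").digest(data);

        MultiDigest md = new MultiDigest("SHA-256", "SHA-1");
        md.update(data, 0, data.length);
        System.out.println("matched: " + md.match(stored));
    }
}
```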