Stephan,

Stephan Wagner (calac) wrote
> If I try to verify a digitally signed PDF with iText (5.4.2) verify() 
> always returns false (wrong result)
> If I try to verify the same PDF with iTextSharp (5.4.2) Verify() returns 
> true (expected result)
> The digital signature is also valid in Acrobat Reader (Xi) (expected
> result)
> n2013.00849449.pdf (150K)
> <http://itext-general.2136553.n4.nabble.com/attachment/4658692/0/n2013.00849449.pdf>

I inspected the CMS signature in your sample document, and to me it looks
like there is an error in the encoding of the SigningCertificate signed
attribute. It starts like this:

5137 30  160:                 SEQUENCE {                                       
5140 30  157:                   SEQUENCE {                                     
5143 30  154:                     SEQUENCE {                                   
5146 04   20:                       OCTET STRING                               
5168 30  129:                       SEQUENCE {                                 
5171 30  109:                         SEQUENCE {                               
5173 A4  107:                           [4] {                                  
5175 30  105:                             SEQUENCE {                           
5177 30  103:                               SEQUENCE {                         
5179 31   11:                                 SET {                            
5181 30    9:                                   SEQUENCE {                     
5183 06    3:                                     OBJECT IDENTIFIER            
            :                                       countryName (2 5 4 6)      
5188 13    2:                                     PrintableString 'ch'         

The tag [4] is where the choice tagged 4 from GeneralNames is chosen. The
relevant definition excerpts:

GeneralName ::= CHOICE {                          
      [...]
      directoryName             [4] EXPLICIT Name,
      [...]

Name ::= CHOICE {            
      rdnSequence RDNSequence
      [...]

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::= SET OF AttributeTypeAndValue 

AttributeTypeAndValue ::= SEQUENCE {
      type    OBJECT IDENTIFIER,    
      [...]

Thus, inside the explicit tag [4], there should be a SEQUENCE (RDNSequence)
in which there should be a SET (RelativeDistinguishedName).

In your case inside the explicit tag [4] there is a SEQUENCE in which is
another SEQUENCE in which is a SET.

So, unless I've read something wrong here, any application decoding this
attribute may stumble, and as this attribute is the most secure source of
information about which certificate is associated with the signing key, they
may reject it.

I'm not sure whether this is the reason for your troubles but it would be
understandable.

Regards,   Michael
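
The nesting check described in the message above, as an added example (not part of the original message and not iText code): a minimal DER walker that accepts [4] -> SEQUENCE -> SET -> SEQUENCE and reports the extra SEQUENCE level. The function names and the sample bytes are assumptions constructed for illustration; they are not the bytes of the PDF in the thread.

```python
SEQUENCE, SET, DIRECTORY_NAME = 0x30, 0x31, 0xA4   # 0xA4 = context tag [4], constructed

def read_tlv(buf, pos, end):
    """Return (tag, content_start, content_end) of the DER TLV at pos, bounded by end."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("TLV overruns its parent")
    return tag, pos, pos + length

def children(buf, start, end):
    """List (tag, content_start, content_end) for each TLV inside buf[start:end]."""
    out = []
    while start < end:
        tag, cs, ce = read_tlv(buf, start, end)
        out.append((tag, cs, ce))
        start = ce
    return out

def check_directory_name(buf):
    """Check [4] -> SEQUENCE (RDNSequence) -> SET (RDN) -> SEQUENCE (AttributeTypeAndValue)."""
    tag, cs, ce = read_tlv(buf, 0, len(buf))
    if tag != DIRECTORY_NAME:
        return "not a directoryName [4]"
    inner = children(buf, cs, ce)
    if len(inner) != 1 or inner[0][0] != SEQUENCE:
        return "[4] must wrap exactly one SEQUENCE (RDNSequence)"
    for rdn_tag, rs, r_end in children(buf, inner[0][1], inner[0][2]):
        if rdn_tag != SET:
            return "RDNSequence element has tag 0x%02X, expected SET (0x31)" % rdn_tag
        if any(t != SEQUENCE for t, _, _ in children(buf, rs, r_end)):
            return "RDN element is not a SEQUENCE (AttributeTypeAndValue)"
    return "ok"

def tlv(tag, content):  # short-form length only (< 128 bytes), enough for the samples
    return bytes([tag, len(content)]) + content

# Constructed samples for this added example: countryName (2 5 4 6) = 'ch'.
ATV = tlv(SEQUENCE, bytes.fromhex("0603550406") + bytes.fromhex("13026368"))
GOOD = tlv(DIRECTORY_NAME, tlv(SEQUENCE, tlv(SET, ATV)))
BAD = tlv(DIRECTORY_NAME, tlv(SEQUENCE, tlv(SEQUENCE, tlv(SET, ATV))))  # extra SEQUENCE, as in the dump
```

check_directory_name(GOOD) returns "ok"; check_directory_name(BAD) reports the 0x30 tag found where a SET is required.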


