arnabroy,

arnabroy wrote
> i am actually signing the document hash in the client browser by using
> capicom dll in javascript *and not by itextsharp*.
> 
> the actual document is in the server side. so, the signed hash is embedded
> in the pdf file by using itextsharp in the server.

You claim you are /signing the document hash in the client browser/. That is
not true: The "hash" you send to the client is not the document hash but
instead:

Default.cs:

    PdfPKCS7 sgn = new PdfPKCS7(null, chain, "SHA1", false);
    ...
    byte[] sh = sgn.getAuthenticatedAttributeBytes(hash, cal.TodaysDate,
                                                   null, null, CryptoStandard.CMS);
    ...
    hdnSignatureHash.Text = System.Text.Encoding.Unicode.GetString(sh);

Thus, you start by creating a CMS signature using iTextSharp helper classes
(PdfPKCS7), take the resulting authenticated attributes to be signed, and
try to send them to the client. I say 'try' because by interpreting them as
Unicode of some text (Unicode.GetString(sh)) you already utterly destroy
them.

But let's assume you sent them to the client in a viable manner...

Default.aspx:

    var SignedData = new ActiveXObject("CAPICOM.SignedData");
    SignedData.Content =
        document.getElementById("FeaturedContent_hdnSignatureHash").value;
    var Signer = new ActiveXObject("CAPICOM.Signer");
    Signer.Certificate = cert;
    var szSignature = SignedData.Sign(Signer, true, CAPICOM_ENCODE_BASE64);
    SignedData.Verify(szSignature, true, CAPICOM_VERIFY_SIGNATURE_ONLY);
    document.getElementById("FeaturedContent_hdnSignature").value =
        szSignature;

On the client you now create a detached CMS signature of the aforementioned
authenticated attributes and send that signature container base64-encoded
back to the server.

Default.cs:

    Org.BouncyCastle.Cms.CmsSignedData cms = new
        Org.BouncyCastle.Cms.CmsSignedData(Convert.FromBase64String(hdnSignature.Text));
    byte[] encodedSig = cms.GetEncoded();

    byte[] paddedSig = new byte[8192];
    Array.Copy(encodedSig, 0, paddedSig, 0, encodedSig.Length);
    PdfDictionary dic2 = new PdfDictionary();
    dic2.Put(PdfName.CONTENTS, new
        PdfString(paddedSig).SetHexWriting(true));
    sap.Close(dic2);

On the server you use BouncyCastle essentially only to base64-decode the CMS
container created by the client and insert it as is into the PDF.

Thus, the data signed by the signature (the authenticated attributes
prepared by iTextSharp) are thrown away and the signature is injected into a
PDF which it hardly has anything to do with.


What you need to do first:

1. Choose what shall create the CMS SignerInfo structure, either iTextSharp
server-side, or CAPICOM client-side or BouncyCastle server-side. Adjust your
code to that choice.

2. Transfer data properly, especially don't interpret arbitrary bytes as
Unicode text but instead transfer them base64-encoded.

Furthermore, the CMS container created by your way of using CAPICOM is very
minimal; it does not provide any of the authenticated attributes nowadays
required by many signature profiles but instead only signs the given data.

I don't know enough CAPICOM to tell whether it can create up-to-date
signatures. You may have to switch or do some funny de- and reassembling of
signature structures.

regards,   Michael
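As an added example of points 1 and 2 above (let iTextSharp own the SignerInfo; move bytes as base64), not code from the original post: a two-pass server-side flow in C# against iTextSharp 5.5's deferred-signing API. It assumes the client hands back a raw PKCS#1 RSA signature over the attribute bytes (a CAPICOM SignedData container would first have to be unpacked to obtain that), that the source PDF has at least one page, and that the file names and the "sig" field name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using iTextSharp.text;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.X509;

// Two-pass deferred signing: iTextSharp builds the SignerInfo; the client signs only the attribute bytes.
public static class DeferredSigning {
    const string Digest = "SHA256";
    // Pass 1: write the PDF with a blank /Contents and return the bytes the client must
    // sign, base64-encoded (never run them through Encoding.Unicode.GetString).
    public static string Prepare(string src, string placeholder, ICollection<X509Certificate> chain) {
        var capture = new HashCapture();
        using (var reader = new PdfReader(src))
        using (var os = new FileStream(placeholder, FileMode.Create)) {
            PdfSignatureAppearance sap = PdfStamper.CreateSignature(reader, os, '\0').SignatureAppearance;
            sap.SetVisibleSignature(new Rectangle(36, 748, 144, 780), 1, "sig"); // "sig" is a placeholder name
            MakeSignature.SignExternalContainer(sap, capture, 8192); // 8192 bytes reserved for /Contents
        }
        var sgn = new PdfPKCS7(null, chain, Digest, false);
        byte[] sh = sgn.GetAuthenticatedAttributeBytes(capture.Hash, null, null, CryptoStandard.CMS);
        return Convert.ToBase64String(sh);
    }
    // Pass 2: wrap the client's raw PKCS#1 signature in a complete CMS container and write
    // it into the placeholder's /Contents; the byte range hashed here is the one from pass 1.
    public static void Finish(string placeholder, string dst, ICollection<X509Certificate> chain, string sigB64) {
        using (var reader = new PdfReader(placeholder))
        using (var os = new FileStream(dst, FileMode.Create))
            MakeSignature.SignDeferred(reader, "sig", os, new CmsAssembler(chain, Convert.FromBase64String(sigB64)));
    }
    // Hashes the signed byte range; returning an empty array leaves /Contents blank.
    class HashCapture : IExternalSignatureContainer {
        public byte[] Hash;
        public byte[] Sign(Stream data) { Hash = DigestAlgorithms.Digest(data, Digest); return new byte[0]; }
        public void ModifySigningDictionary(PdfDictionary d) {
            d.Put(PdfName.FILTER, PdfName.ADOBE_PPKLITE); d.Put(PdfName.SUBFILTER, PdfName.ADBE_PKCS7_DETACHED);
        }
    }
    class CmsAssembler : IExternalSignatureContainer {
        readonly ICollection<X509Certificate> chain; readonly byte[] sig;
        public CmsAssembler(ICollection<X509Certificate> c, byte[] s) { chain = c; sig = s; }
        public byte[] Sign(Stream data) {
            var sgn = new PdfPKCS7(null, chain, Digest, false);
            sgn.SetExternalDigest(sig, null, "RSA"); // the client's signature over the pass-1 attribute bytes
            return sgn.GetEncodedPKCS7(DigestAlgorithms.Digest(data, Digest), null, null, null, CryptoStandard.CMS);
        }
        public void ModifySigningDictionary(PdfDictionary d) { }
    }
}
```

Because iTextSharp rebuilds the same authenticated attributes from the same byte-range hash in both passes, nothing but the placeholder file has to be kept between the two HTTP requests.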



--
View this message in context: 
http://itext-general.2136553.n4.nabble.com/Sign-and-PDF-with-SmartCard-and-web-browser-only-tp4319344p4660336.html
Sent from the iText - General mailing list archive at Nabble.com.

_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions