[
https://issues.apache.org/jira/browse/PDFBOX-5066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17257725#comment-17257725
]
Tilman Hausherr commented on PDFBOX-5066:
-
1. {{certFromSignedData.getSigAlgName()}} returns "SHA256withRSA". I can change
the success line to
{code}
System.out.println(certFromSignedData.getSigAlgName() + " signature verified");
{code}
2. the check is missing, because this is based on code from another project.
Here's the segment currently:
{code}
case "adbe.x509.rsa_sha1":
{
// example: PDFBOX-2693.pdf
COSString certString = (COSString)
sigDict.getDictionaryObject(COSName.CERT);
//TODO this could also be an array.
if (certString == null)
{
System.err.println("The /Cert certificate string is missing in the
signature dictionary");
return;
}
byte[] certData = certString.getBytes();
CertificateFactory factory = CertificateFactory.getInstance("X.509");
ByteArrayInputStream certStream = new ByteArrayInputStream(certData);
Collection certs =
factory.generateCertificates(certStream);
System.out.println("certs=" + certs);
X509Certificate cert = (X509Certificate) certs.iterator().next();
// https://forums.adobe.com/thread/530277
// Contents = contains the crypted message digest
// Cert = contains the X509 certificate
// to verify signature, see code at
// https://stackoverflow.com/questions/43383859/
// inspired by:
//
https://www.programcreek.com/java-api-examples/index.php?source_dir=pades_signing_2.1.5-master/src/main/java/com/opentrust/spi/pdf/PDFEnvelopedSignature.java
//
https://github.com/OpenTrust/pades_signing_2.1.5/blob/master/src/main/java/com/opentrust/spi/pdf/PDFEnvelopedSignature.java
ASN1InputStream asn1IS = new ASN1InputStream(new
ByteArrayInputStream(contents));
ASN1Primitive asn1prim = asn1IS.readObject();
if (!(asn1prim instanceof ASN1OctetString))
{
// 276434.pdf
throw new IOException("ASN1 octet string expected, but got " +
asn1prim.getClass().getSimpleName());
}
ASN1OctetString oct = (ASN1OctetString) asn1prim;
Signature signature = Signature.getInstance("SHA1withRSA");
signature.initVerify(cert.getPublicKey());
int by;
while ((by = signedContentAsStream.read()) != -1)
{
signature.update((byte) by);
}
System.out.println("Verification result: " +
signature.verify(oct.getOctets()));
// get digest algorithm
Cipher c = Cipher.getInstance("RSA/NONE/PKCS1Padding",
SecurityProvider.getProvider());
c.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
byte[] raw = c.doFinal(oct.getOctets());
DigestInfo di = DigestInfo.getInstance(raw);
String algID = di.getAlgorithmId().getAlgorithm().getId();
try
{
if (sig.getSignDate() != null)
{
cert.checkValidity(sig.getSignDate().getTime());
System.out.println("Certificate valid at signing time");
}
else
{
System.err.println("Certificate cannot be verified without signing
time");
}
}
catch (CertificateExpiredException ex)
{
System.err.println("Certificate expired at signing time");
}
catch (CertificateNotYetValidException ex)
{
System.err.println("Certificate not yet valid at signing time");
}
if (CertificateVerifier.isSelfSigned(cert))
{
System.err.println("Certificate for " +
cert.getSubjectX500Principal().getName() + " is self-signed, LOL!");
}
else
{
System.out.println("Certificate is not self-signed");
if (sig.getSignDate() != null)
{
@SuppressWarnings("unchecked")
Store store = new
JcaCertStore(certs);
SigUtils.verifyCertificateChain(store, cert,
sig.getSignDate().getTime());
}
}
break;
{code}
> ShowSignature: say which digest algorithm was used, detect forged content
> -
>
> Key: PDFBOX-5066
> URL: https://issues.apache.org/jira/browse/PDFBOX-5066
> Project: PDFBox
> Issue Type: Improvement
> Components: Signing
>Affects Versions: 2.0.23
>Reporter: Ralf Hauser
>Priority: Minor
>
> 1) SHA256 is was used by the signer to get the content digests of
> target/pdfs/notCertified_368835_Sig_en_201026090509.pdf , this should be
> mentioned like
> System.out.println("Signature found");
> so maybe
> System.out.println("Signature algorithm: "+algo);
> where 'algo' is for example "sha256WithRSAEncryption" (as per
> [http://oidref.com/1.2.840.113549.1.1.11])
> 2) for subFilter="adbe.x509.rsa_sha1" it is not detected, if the pdf content
> is altered.
>
> See also PDFBOX-4297
--
This message was sent by Atlassian Jira
(v8.3.4#803005)