Re: Error "Can't write new byteRange … not enough space…" signing with PADES a document having user's rights protected by Perms/UR3

[Tilman Hausherr]

Sadly, the length 144951 does NOT confirm what I expected. The "bad" 
byte range (offset1 len1 offset2 len2) is [0 1569 11103 160382], so the 
second segment is longer than the original file. This means that this 
isn't an "old" value, it was created at some time during the signing 
process. The code has "if (br2 + br3 > incrementalInput.length())" which 
avoids messing with old signatures.
What happens if you don't use DSS to sign, but the CreateSignature 
example of PDFBox?
Tilman

Am 01.09.2025 um 14:09 schrieb Coetmeur, Alain:
The unsigned file is 144951 bytes long
I suspect that the form was filled then user's-rights-locked by the client 
using Adobe Pro, using a certificate...
It's probably not really a signature like PADES is, even if technically it's 
similar... but I'm not competent about PDF format...


In fact, for the Byterange, the first may not be the best to chose, since maybe 
if there are multiple signature in sequence, I suspect the last, in the 
AcroForm/Fields, will be the longest ?
The problem seems to be that Perms/UR3 is visited after the AcroForm/Fields in 
this rare case...
But I suspect that since the fields are probably in temporal sequence, it works 
well ?
Maybe comparing the dates ?

Is it better to take the longest ? but I see that the new signature use a very 
long dummy ByteRange, which make it 32 bytes long, always...
Maybe taking the longest, excluding the dummy " COSArray{[COSInt{0}, 
COSInt{1000000000}, COSInt{1000000000}, COSInt{1000000000}]}"...
Or just taking this 32bytres length, which is safe but overkill ?
it seems tricky...


Thanks for the santander form, I will try to reproduce the bug with that form, 
at least to understand why it works better...
The romanian form seems to work as well... I will investigate.

Alain COETMEUR


Interne
-----Message d'origine-----
De : Tilman Hausherr<thaush...@t-online.de>
Envoyé : lundi 1 septembre 2025 13:37
À :users@pdfbox.apache.org
Objet : Re: Error "Can't write new byteRange … not enough space…" signing with 
PADES a document having user's rights protected by Perms/UR3

[EMETTEUR EXTERNE] : Soyez vigilant avant d’ouvrir les pièces-jointes ou de 
cliquer sur les liens. En cas de doute, signalez le message via le bouton « 
Signaler un courriel suspect ».

Hi,

I do understand it somewhat, the problem is that for some reason several 
signatures are in the incremental part. It doesn't happen with
https://issues.apache.org/jira/secure/attachment/12744153/santander_freistellungsauftrag.pdf
fromhttps://issues.apache.org/jira/browse/PDFBOX-2858 .

We could change the code so that only the first one reached is considered. 
However, how do we know that the correct one is reached first?

I may have an idea:

The previous Perms/UR3 signature seems to cover much less, and is thus
shorter COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103},
COSInt{160382}]}
What is the exact length of the unsigned file?

Tilman


Am 01.09.2025 um 10:25 schrieb Coetmeur, Alain:
Hello,

I have a problem using PDFBox 3.05 via DSS6.3.
When I try to sign some documents, it fails on a ByteRange serialization “Can't 
write new byteRange … not enough space…”.
I’ve investigated and I think I found the problem.
I’m not at all expert in PDF, so I may be wrong.

This document “User’s Rights” are signed with a root/Perms/UR3 signature :
Type=Sig
Filter=Adobe.PPKLite
SubFilter=adbe.pkcs7.detached
Name=ARE Acrobat Product v8.0 P23 0002337

It’s a Form that is filled by a client (I cannot send it to you sadly, sorry). 
Maybe that explains the problem.
I suspect the Form was signed by a company, before the client filled it, making 
it much longer than what the UR3 signed.

DSS tries to add a classic PADES signature in root/AcroForm/Fields/V
Type=Sig Filter=Adobe.PPKLite SubFilter=ETSI.CAdES.detached

The problem happens in
org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(OutputStream)

I’ve traced that first, PdfBox visits the ByteRange of the PADES signature in 
AcroFrom/Fields, THEN in Perms/UR3.
org.apache.pdfbox.pdfwriter.COSWriter.visitFromDictionary(COSDictionar
y) Each times, it store the latest value of ByteRange in an instance
variable “byteRangeArray”

The new PADES signature has a ByteRange still undetermined set as
COSArray{[COSInt{0}, COSInt{1000000000}, COSInt{1000000000},
COSInt{1000000000}]}

The previous Perms/UR3 signature seems to cover much less, and is thus
shorter COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103},
COSInt{160382}]}

Thus at the end
this.byteRangeArray is COSArray{[COSInt{0}, COSInt{1569},
COSInt{11103}, COSInt{160382}]}

Finally the method
org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature()
is called and fails with an IO Exception:
Can't write new byteRange '0 145478 164424 26017]' not enough space:
byteRange.length(): 22, byteRangeLength: 20, byteRangeOffset: 180045

it tries to write the real ByteRange for the PADES Signature which is
COSArray{[COSInt{0}, COSInt{145478}, COSInt{164424}, COSInt{26017}]}
Which is longer than the last UR3 signature visited and set into
byteRangeArray

I can give more detail on the stacktrace, but probably it’s enough. I don’t 
know the subtleties of PDF format, so maybe I miss an important point.


I’ve tried to generate a similar file with JSignPDF 2.3.0, starting
from a XFA forms
https://mfin/
ante.gov.ro%2Fdocuments%2F2552173%2F2552377%2F31.OrdinPlataElectronic_
2023_05_19_A2.0.26%2B.pdf%2F5acf3ff7-7ff1-aa2c-283c-151d49af0d8b%3Ft%3
D1684492636871%26download%3Dtrue&data=05%7C02%7Calain.coetmeur%40caiss
edesdepots.fr%7C20084da056af4d25fafc08dde94c098c%7C6eab6365819449c6a4d
0e2d1a0fbeb74%7C0%7C0%7C638923234971222665%7CUnknown%7CTWFpbGZsb3d8eyJ
FbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpb
CIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=qBxee%2BAdyrClPfxVQuYGzX175lXeb
QAfLu4d4GHDSGA%3D&reserved=0
found in this Post:
https://stac/
koverflow.com%2Fquestions%2F76736428%2Fprogramatically-fill-government
-pdf-xfa-dynamic&data=05%7C02%7Calain.coetmeur%40caissedesdepots.fr%7C
20084da056af4d25fafc08dde94c098c%7C6eab6365819449c6a4d0e2d1a0fbeb74%7C
0%7C0%7C638923234971237784%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnR
ydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D
%3D%7C0%7C%7C%7C&sdata=2wvdvj1x3MP8ARiXJZAQ%2BfEW5mpKb2AIuE4w5Gc9juc%3
D&reserved=0 and I succeeded in creating an UR3 signature (sign with a
PKCS12, asking “No Certification” as “certification level”, and adding a owner 
password for encryption), but I could not reproduce the bug. Sorry.

I can test some correction proposal, but I cannot give the document.

Hope this helps.
Best regards.
Ce message et toutes les pièces jointes (ci-après le «message») sont 
confidentiels et établis à l’intention exclusive de ses destinataires. Toute 
utilisation de ce message non conforme à sa destination, toute diffusion ou 
toute publication, totale ou partielle, est interdite, sauf autorisation 
expresse. Si vous recevez ce message par erreur, merci de le détruire sans en 
conserver de copie et d’en avertir immédiatement l’expéditeur. Internet ne 
permettant pas de garantir l’intégrité de ce message, la Caisse des Dépôts et 
Consignations décline toute responsabilité au titre de ce message s’il a été 
modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les 
précautions prises pour éviter la présence de virus dans nos envois, nous vous 
recommandons de prendre, de votre côté, les mesures permettant d'assurer la 
non-introduction de virus dans votre système informatique. This email message 
and any attachments (“the email”) are confidential and intended only for the 
recipient(s) indicated. If you are not an intended recipient, please be advised 
that any use, dissemination, forwarding or copying of this email whatsoever is 
prohibited without prior written consent of Caisse des Depots et Consignations. 
If you have received this email in error, please delete it without saving a 
copy and notify the sender immediately. Internet emails are not necessarily 
secure, and Caisse des Depots et Consignations declines responsibility for any 
changes that may have been made to this email after it was sent. While we take 
all reasonable precautions to ensure that viruses are not transmitted via 
emails, we recommend that you take your own measures to prevent viruses from 
entering your computer system.

Interne

Т                                                                     ХF  V 7V'67& &R R   â W6W'2 V 
7V'67& &T Ff&   6 R  &pФf "FF F    6    G2 R   â W6W'2ֆV  Ff&   6 R  &pР
Ce message et toutes les pièces jointes (ci-après le «message») sont 
confidentiels et établis à l’intention exclusive de ses destinataires. Toute 
utilisation de ce message non conforme à sa destination, toute diffusion ou 
toute publication, totale ou partielle, est interdite, sauf autorisation 
expresse. Si vous recevez ce message par erreur, merci de le détruire sans en 
conserver de copie et d’en avertir immédiatement l’expéditeur. Internet ne 
permettant pas de garantir l’intégrité de ce message, la Caisse des Dépôts et 
Consignations décline toute responsabilité au titre de ce message s’il a été 
modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les 
précautions prises pour éviter la présence de virus dans nos envois, nous vous 
recommandons de prendre, de votre côté, les mesures permettant d'assurer la 
non-introduction de virus dans votre système informatique. This email message 
and any attachments (“the email”) are confidential and intended only for the 
recipient(s) indicated. If you are not an intended recipient, please be advised 
that any use, dissemination, forwarding or copying of this email whatsoever is 
prohibited without prior written consent of Caisse des Depots et Consignations. 
If you have received this email in error, please delete it without saving a 
copy and notify the sender immediately. Internet emails are not necessarily 
secure, and Caisse des Depots et Consignations declines responsibility for any 
changes that may have been made to this email after it was sent. While we take 
all reasonable precautions to ensure that viruses are not transmitted via 
emails, we recommend that you take your own measures to prevent viruses from 
entering your computer system.

---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail:users-h...@pdfbox.apache.org