Sign and PDF with SmartCard and web browser only

Sign and PDF with SmartCard and web browser only

madmax

I am in need of some guidance. I have a scenario where I am required to sign PDFs using a smartcard. The catch is that it needs to be done on a server (JBoss) and the only interaction allowed is via a web browser (Microsoft IE). I found several threads but I am unable to put it all together into a final solution. This is way out of my comfort zone and I have just started learning this.

In my first design I was hoping to leverage access to the smartcard private key using the ActiveX CAPICOM, but that proved useless. I suspect there is some type of mechanism that prevents me from doing that; otherwise it would be too easy. Although I was able to display what appears to be a key in the browser using Signer.Certificate.PrivateKey.

This is my second design after the first one crashed and burned:

1) The user interacts with IE and selects the PDF that needs to be signed (the PDFs are stored in SQL Server). The process is initiated by the user via an AJAX call.

2) The Java servlet receives the AJAX call, requests the PDF from the SQL server and uses iText to begin the process of signing the document. Here are some high-level steps (based on examples from iText and the forums, but the main inspiration was http://itext-general.2136553.n4.nabble.com/HASH-SMARTCARD-and-PKCS-7-detached-td3047252.html):

a. creates a PdfStamper,

b. uses setExternalDigest,

c. preCloses the stamper,

d. creates the digest and sends it back to the browser via AJAX,

e. places the PdfStamper object in the session so that it can be reused for the final step.

 

3) The client browser receives the digest and uses the internal CAPICOM ActiveX control via JavaScript (ActiveXObject("CAPICOM.SignedData")). The idea came from http://bozhobg.wordpress.com/2009/04/16/how-to-create-a-digital-signing-solution-with-only-javascript/

a. The user is asked via the browser to insert their smartcard and enter their PIN.

b. Set the digest that came from the server as the SignedData.Content of the ActiveX.

c. Call the CAPICOM ActiveX SignedData.Sign(Signer, false, CAPICOM_ENCODE_BASE64), which returns the signed hash.

d. Return the signed hash to the server to sign the PDF via another AJAX call.

 

4) This is where things break down; I cannot figure out what I should do next.

a. I have the signed hash.

b. I convert it: byte[] data = Base64.decodeBase64(signedHash.trim().getBytes());

c. I get the PdfStamper back from the session.

d. I invoke PdfSigGenericPKCS sg = appearance.getSigStandard() but it's NULL.

Now I am not sure if this is even possible or what I am doing wrong. I also saw a C# example that addressed the smartcard but I was not able to fully comprehend it and could not find an equivalent in Java since it was using the .NET framework.

Has anyone solved this type of problem with just Java, a browser and some server-side code? Sample code or ideas would be greatly appreciated.

 

Thanks in advance

max
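The digest-then-embed cycle described in steps 2 and 4 above (pre-close with a placeholder, hash the range stream, later close with the CONTENTS filled in), as an added example that is not part of the original post and does not use iText. It builds a constructed, PDF-like byte string with a /ByteRange array and a zero-filled /Contents placeholder, hashes exactly the bytes the range covers, and then shows that writing the signature into the placeholder afterwards leaves that digest unchanged, which is the property the two-round-trip design relies on. The names build_placeholder, range_digest and embed_contents are this example's own, and the sample "document" is not a PDF a viewer would open.

```python
import hashlib
import re

# Constructed, PDF-like byte strings (not a real PDF a viewer would open): just the
# /ByteRange array and the /Contents hex placeholder that the digest step depends on.

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
BYTE_RANGE_FMT = b"/ByteRange [%010d %010d %010d %010d]"   # fixed width, so offsets never shift


def build_placeholder(body: bytes, reserved_hex_len: int) -> bytes:
    """Write body plus a signature dictionary whose /Contents is a zero-filled hex
    string of reserved_hex_len digits, with /ByteRange already pointing around it.
    This is the preClose() step: everything is laid out once, at fixed width."""
    prefix = body + b"\n<< /Type /Sig /Filter /Adobe.PPKMS /SubFilter /adbe.pkcs7.detached\n"
    br_len = len(BYTE_RANGE_FMT % (0, 0, 0, 0))
    contents_start = len(prefix) + br_len + len(b" /Contents ")   # offset of '<'
    contents_end = contents_start + reserved_hex_len + 2           # offset just past '>'
    tail = b" >>\n%%EOF\n"
    byte_range = (0, contents_start, contents_end, len(tail))
    return (prefix + (BYTE_RANGE_FMT % byte_range) + b" /Contents <"
            + b"0" * reserved_hex_len + b">" + tail)


def parse_byte_range(pdf: bytes):
    """Locate /ByteRange and check the invariant the digest relies on: the single gap
    between the two covered ranges is exactly the /Contents hex string, <...> included."""
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(x) for x in m.groups())
    if a != 0 or b > c or c + d != len(pdf):
        raise ValueError("ByteRange does not cover the whole file")
    gap = pdf[b:c]
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        raise ValueError("the gap between the ranges is not the /Contents hex string")
    return a, b, c, d


def range_digest(pdf: bytes, algorithm: str = "sha256"):
    """Hash exactly the bytes the ByteRange covers (what iText's getRangeStream()
    yields). Returns (digest, contents_hex) so the caller can also see what the
    placeholder currently holds. The digest is binary: transport it hex- or
    Base64-encoded rather than through a String."""
    a, b, c, d = parse_byte_range(pdf)
    h = hashlib.new(algorithm)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.digest(), pdf[b + 1:c - 1]


def embed_contents(pdf: bytes, cms_der: bytes) -> bytes:
    """Overwrite the placeholder with the DER-encoded signature container, zero
    padded to the reserved size (the close(dic2) step). Nothing outside the
    placeholder moves, so the digest computed before still matches afterwards."""
    a, b, c, d = parse_byte_range(pdf)
    reserved_bytes = (c - b - 2) // 2
    if len(cms_der) > reserved_bytes:
        raise ValueError(f"signature is {len(cms_der)} bytes, only {reserved_bytes} reserved")
    hexdata = cms_der.hex().upper().encode("ascii").ljust(reserved_bytes * 2, b"0")
    return pdf[:b] + b"<" + hexdata + b">" + pdf[c:]


if __name__ == "__main__":
    doc = build_placeholder(b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj", 64)
    digest_before, _ = range_digest(doc)
    # stand-in for the DER signature container that would come back from the client
    signed = embed_contents(doc, bytes.fromhex("3006020101020102"))
    digest_after, contents = range_digest(signed)
    print(digest_before == digest_after, contents[:16])
```

The reserved size is fixed at pre-close time, so the second round trip can only succeed if the returned container fits; checking that before writing, as embed_contents does, turns a silently truncated signature into an error.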


Re: Sign and PDF with SmartCard and web browser only

wang31894
Interesting, I am having some similar issues with your case, can some help us?  Many Thanks

Re: Sign and PDF with SmartCard and web browser only

madmax
So I tinkered with it a little more and I was able to somewhat sign the PDF. But things are never as simple as we would like them to be. I can see the signature on a separate page, but when I try to validate it in Acrobat it returns the following error:

Error during signature verification. Error encountered while validating: Internal cryptographic library error. Error Code: 0x2726

When I try to look at the signature via the "signature panel" it says "an error occurred while attempting to validate the signature".

I tried to google for a clue but I had no luck so far. Could any of the experts provide some guidance or ideas?

Thanks again

max

Re: Sign and PDF with SmartCard and web browser only

wang31894
In reply to this post by madmax
Hi Guys, please help?  or we should try other forums?  Any help is greatly appreciated.  thx

Re: Sign and PDF with SmartCard and web browser only

mkl
max,
wang31894 wrote
Hi Guys, please help?  or we should try other forums?  Any help is greatly appreciated.  thx
Maybe you simply didn't give us the information required. First you give some implementation ideas (item 1 through 3 of your list), but then in your item 4c you say
I invoke PdfSigGenericPKCS sg = appearance.getSigStandard() but it's NULL.
which is an issue description on the code level.

As it depends on the prior code details whether or not SigStandard is set, we need some code to help you. Obviously, though, the code of your whole construct is too much. Thus, reduce it to a simple failing sample and probably we can help. Or, of course, you locate the culprit yourself during simplification...

Regards,   Michael

Re: Sign and PDF with SmartCard and web browser only

madmax
Hi Michael, my apologies. I was trying to avoid dumping a bunch of code and turning everyone off, but you are right: with no code it's kind of hard to get help or direction. So here are some code fragments; there is a JSP, the CAPICOM ActiveX control and a servlet.

Step 1:
JSP makes an AJAX call to servlet
HTML/Javascript  Fragments

	// Toggles between the two round trips: true while waiting for the digest,
	// false while waiting for the result of the final signing call
	var isSignDigest = true;

	// Get the PDF digest (1st AJAX call)
	function getPdfDigest(action, digest) {
		ajaxCall(servletUrl, action, digest);
	}
	// Sign the PDF based on the signed hash of the digest (2nd AJAX call)
	function signPdf(action, digest) {
		ajaxCall(servletUrl, action, digest, $('digest').value);
	}
	// Prototype JS AJAX call; both round trips land in signDigest()
	function ajaxCall(url, action, digest, content) {
		new Ajax.Request(url, {
			method: 'post',
			parameters: {action: action,
			             pdf: getDocuments(),
			             digest: digest,
			             content: content},
			onSuccess: signDigest
		});
	}
	// First response: the digest to sign; hand it to the smartcard and post the result back.
	// Second response: the servlet has finalized the signature.
	function signDigest(originalRequest) {
		if (isSignDigest) {
			isSignDigest = false;
			$('digest').value = originalRequest.responseText;
			var signedDigest = sign_IE(originalRequest.responseText);
			$('data').value = signedDigest;
			signPdf('signPdf', signedDigest);
		} else {
			isSignDigest = true;
		}
	}

	// The CAPICOM ActiveX/JavaScript code that signs text with the browser and smartcard is at
	// http://bozhobg.wordpress.com/2009/04/16/how-to-create-a-digital-signing-solution-with-only-javascript/
	// In a nutshell the magic occurs below, but there is additional code that needs to run first
	// (creating the CAPICOM.SignedData object, setting its Content, selecting the Signer certificate).
	// Do the Sign operation
	var szSignature = SignedData.Sign(Signer, false, CAPICOM_ENCODE_BASE64);

	<input type="radio" name="pdf" id="pdf-1" value="sample-1.pdf" /> Sample PDF-1<br/>
	<input onclick="getPdfDigest('getDigest')" type="button" value="Apply External Signature" /></p>
Step 2:
Servlet is invoked by the AJAX call to get the PDF digest

    // Imports the servlet fragments below need (iText 5.x package names assumed; iText 2.x uses com.lowagie.text)
    import java.io.FileNotFoundException;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.Certificate;
    import java.security.cert.X509Certificate;
    import java.util.Arrays;
    import java.util.Calendar;
    import java.util.GregorianCalendar;
    import java.util.HashMap;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.apache.commons.codec.binary.Base64;
    import com.itextpdf.text.DocumentException;
    import com.itextpdf.text.Image;
    import com.itextpdf.text.Rectangle;
    import com.itextpdf.text.pdf.*;

    private String getDigest(String path, String fileName, HttpServletRequest request) {
        HttpSession session = request.getSession();
        log.info("getDigest (begin)...");

        try {
            //1. Convert cert chain string to certificate class (SHA256withRSA); the cert chain here is just a fragment
            String myChain = "-----BEGIN CERTIFICATE----- MIIG6DCCBdCgAwIBAgICAZowDQ ........ -----END CERTIFICATE-----";
            Certificate[] certChain = {getCertificate(myChain)};

            //2. Initialize reader and stamper; the signature goes on a new last page
            PdfReader reader = new PdfReader(path + "/" + fileName);
            int page = reader.getNumberOfPages() + 1;
            PdfStamper stamper = PdfStamper.createSignature(reader, new FileOutputStream(OUT_DIR + fileName), '\0');
            PdfSignatureAppearance appearance = stamper.getSignatureAppearance();

            //3. Configure SignatureAppearance (no private key here: the signature value comes from the browser later)
            appearance.setSignDate(new GregorianCalendar());
            appearance.setCrypto(null, certChain, null, PdfSignatureAppearance.WINCER_SIGNED);
            appearance.setReason("Digitally Signed");
            appearance.setLocation("Some Place");
            appearance.setContact("madmax");
            appearance.setAcro6Layers(true);
            appearance.setSignatureGraphic(Image.getInstance(SIG_DIR + "/madmax-sig.jpg"));
            appearance.setRenderingMode(PdfSignatureAppearance.RenderingMode.GRAPHIC_AND_DESCRIPTION);

            stamper.insertPage(page, new Rectangle(160, 732, 232, 780));
            appearance.setVisibleSignature(new Rectangle(160, 732, 232, 780), page, "my_sig");
            appearance.setExternalDigest(new byte[513], new byte[20], "RSA");

            //4. Create signature dictionary
            PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_DETACHED);
            dic.setName(PdfPKCS7.getSubjectFields((X509Certificate) certChain[0]).getField("CN"));
            if (appearance.getSignDate() != null) dic.setDate(new PdfDate(appearance.getSignDate()));
            if (appearance.getReason() != null) dic.setReason(appearance.getReason());
            if (appearance.getLocation() != null) dic.setLocation(appearance.getLocation());
            if (appearance.getContact() != null) dic.setContact(appearance.getContact());
            appearance.setCryptoDictionary(dic);

            //5. Reserve space for CONTENTS (written as a hex string: twice the byte size plus the < > delimiters)
            int csize = 15000;
            HashMap<PdfName, Integer> exc = new HashMap<PdfName, Integer>();
            exc.put(PdfName.CONTENTS, csize * 2 + 2);
            appearance.preClose(exc);

            //6. Calculate the digest over the range stream (everything except the CONTENTS placeholder)
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            InputStream inp = appearance.getRangeStream();
            while ((n = inp.read(buf)) > 0) {
                messageDigest.update(buf, 0, n);
            }
            byte[] hash = messageDigest.digest();

            //7. Park the pre-closed stamper and the raw hash in the session for the second AJAX call;
            //   the hash is binary, so keep it as byte[] and send it to the browser Base64-encoded
            session.setAttribute("stamper", stamper);
            session.setAttribute("hash", hash);

            log.info("getDigest (end)...");
            return Base64.encodeBase64String(hash);
        }
        catch (FileNotFoundException e) {
            e.printStackTrace();
        }
        catch (IOException e) {
            e.printStackTrace();
        }
        catch (DocumentException e) {
            e.printStackTrace();
        }
        catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }

        log.info("getDigest (end)...");
        return null;
    }

Step 3:
The digest is returned to the JSP, which calls the CAPICOM ActiveX control's SignedData.Sign method and then posts the result back to the servlet a second time, calling the method that finalizes the signature


    private void signPdf(String path, String fileName, String digest, HttpServletRequest request) {
        HttpSession session = request.getSession();
        // the stamper pre-closed in getDigest(), kept in the session between the two AJAX calls
        PdfStamper stamper = (PdfStamper) session.getAttribute("stamper");
        PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
        PdfDictionary dic = appearance.getCryptoDictionary();

        //1. Convert cert chain string to certificate class (SHA256withRSA); the cert chain here is just a fragment
        String myChain = "-----BEGIN CERTIFICATE----- MIIG6DCCBdCgAwIBAgICAZowDQ ........ -----END CERTIFICATE-----";
        Certificate[] certChain = {getCertificate(myChain)};

        //2. Sign the PDF: 'digest' is what the browser posted back (the Base64 output of SignedData.Sign)
        byte[] hash = (byte[]) session.getAttribute("hash");
        log.info("signPdf with Digest (begin)...");
        try {
            byte[] data = Base64.decodeBase64(digest.trim());
            log.info(">> " + digest.length());

            Calendar cal = appearance.getSignDate();
            byte[] ocsp = null;

            // no private key on the server: hand iText the externally produced bytes
            PdfPKCS7 sig = new PdfPKCS7(null, certChain, null, "SHA-256", null, false);
            sig.setExternalDigest(hash, data, "RSA");

            // size, in bytes, of the CONTENTS placeholder reserved in preClose()
            PdfLiteral pdfLiteral = (PdfLiteral) dic.get(PdfName.CONTENTS);
            byte[] outc = new byte[(pdfLiteral.getPosLength() - 2) / 2];

            byte[] ssig = sig.getEncodedPKCS7(null, cal, null, ocsp);
            Arrays.fill(outc, (byte) 0);
            System.arraycopy(ssig, 0, outc, 0, ssig.length);
            PdfDictionary dic2 = new PdfDictionary();
            dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
            appearance.close(dic2);
        }
        catch (IOException e) {
            e.printStackTrace();
        }
        catch (DocumentException e) {
            e.printStackTrace();
        }
        catch (Exception e) {
            e.printStackTrace();
        }
        log.info("signPdf with Digest (end)...");
    }

Re: Sign and PDF with SmartCard and web browser only

mkl
max,
madmax wrote
Hi Michael my apologize I was trying to avoid dumping a bunch of code and turning everyone off but you are right with no code it’s kind of hard to get help or direction. So here is some code fragments, there is aJSP, the CAPICOM activex control and a servlet.
Good. I'm missing the code, though, in which you according to your initial posting "invoke PdfSigGenericPKCS sg = appearance.getSigStandard() but it's NULL."

One initial observation, though:
Step 2:
Servlet is invoked by ajax call to get the PDF digest

[...]
            //4. Create signature dictionary
            PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_DETACHED);
            dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certChain[0]).getField("CN"));
            if (appearance.getSignDate()!= null) dic.setDate(new PdfDate(appearance.getSignDate()));
            if (appearance.getReason()!= null) dic.setReason(appearance.getReason());
            if (appearance.getLocation() != null) dic.setLocation(appearance.getLocation());
            if (appearance.getContact() != null) dic.setContact(appearance.getContact());
            appearance.setCryptoDictionary(dic);
SigStandard is only set to a non-null value during preClose() if CryptoDictionary is null. Therefore, you "invoke PdfSigGenericPKCS sg = appearance.getSigStandard() but it's NULL."

Regards,   Michael

PS: This has been discussed here quite recently, cf. http://itext-general.2136553.n4.nabble.com/sap-SigStandard-Signer-is-null-tp4310088p4312763.html

Re: Sign and PDF with SmartCard and web browser only

Keith O-2
In reply to this post by madmax
Hi max,

On Sun, Jan 22, 2012 at 11:32 PM, madmax <[hidden email]> wrote:

> Now I am not sure if this is even possible or what I am doing wrong. I also
> saw a c# example that addressed the smartcard but I was not able to fully
> comprehend and could not find and equivalent in Java since it was using the
> .net framework.

Would you share the link to the c# example?

thanks - keith

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
iText-questions mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/itext-questions

iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php

Re: Sign and PDF with SmartCard and web browser only

madmax
Hey Keith, here are the C# examples I found that I was referring to in the post

http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp1 

max

Re: Sign and PDF with SmartCard and web browser only

madmax
In reply to this post by mkl
Michael,

I am no longer invoking that line of code; at the time I was just trying to kind of debug the problem and understand what might be going on.

The code fragments that I posted actually put a signature on the PDF, but now I have a problem: when I open the PDF and try to verify the signature I get this error from Adobe

Error during signature verification. Error encountered while validating: Internal cryptographic library error. Error Code: 0x2726

See the attached screenshots of what I see when I try to verify the signature via Adobe.

Does this make sense? Any ideas? Sorry to continue to pester you but I am clueless at this point.

Regards,
max
1-30-2012_22-50-28.png
1-30-2012_22-52-07.png

Re: Sign and PDF with SmartCard and web browser only

mkl
Max,
madmax wrote
The code fragments that I posted actually put a signature on the PDF, but now I have a problem: when I open the PDF and try to verify the signature I get this error from Adobe

Error during signature verification. Error encountered while validating: Internal cryptographic library error. Error Code: 0x2726
In that case please also supply a sample pdf signed by your code. It is almost always easiest to analyse such problems by looking at the output first.

Regards, michael

Re: Sign and PDF with SmartCard and web browser only

Raffaele
Hi mkl,
I've the same problem with the error 0x2726 when opening the PDF file.

Any suggestion??

THX in advance

Re: Sign and PDF with SmartCard and web browser only

mkl
Raffaele,
Raffaele wrote
I've the same problem with the error 0x2726 when opening the PDF file.

Any suggestion??
Yes. The same as I gave to max:
mkl wrote
In that case please also supply a sample pdf signed by your code. It is almost always easiest to analyse such problems by looking at the output first.
Regards,   Michael

Re: Sign and PDF with SmartCard and web browser only

Keith O-2
In reply to this post by madmax
Hi max,

On Tue, Jan 31, 2012 at 4:13 AM, madmax <[hidden email]> wrote:
> Hey Keith here are the c# examples I found  that I was refering about in the
> post
>
> http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp1

Thanks, I've seen that; I thought you had found something else. Thank you for
the JavaScript links :)


Re: Sign and PDF with SmartCard and web browser only

madmax
In reply to this post by mkl
mkl wrote
Max,
madmax wrote
The code fragments that I posted actually put a signature on the PDF, but now I have a problem: when I open the PDF and try to verify the signature I get this error from Adobe

Error during signature verification. Error encountered while validating: Internal cryptographic library error. Error Code: 0x2726
In that case please also supply a sample pdf signed by your code. It is almost always easiest to analyse such problems by looking at the output first.

Regards, michael

Hi Michael,

I am attaching the signed PDF as well as the full Java and JSP code, and lastly I made a recording of how it runs within Internet Explorer showing the interaction with the smartcard, servlet and iText.

Thanks again for your time and suggestions.

max
sample-1.pdf
x509ExternalSig.jsp
X509ServletExternalSignature.java
capture-2.swf

Re: Sign and PDF with SmartCard and web browser only

mkl
Max,
madmax wrote
I am attaching the signed PDF as well as the full Java and JSP code, and lastly I made a recording of how it runs within Internet Explorer showing the interaction with the smartcard, servlet and iText.

http://itext-general.2136553.n4.nabble.com/file/n4344394/sample-1.pdf
Hmmm, this one might be of interest for Leonard, too: after a first inspection the signature looks ok to me.

Well, yes, it does not contain any signed attributes, not even an ESS signing certificate attribute. Therefore, this signature doesn't stand a chance to fulfil any decent signature profile. But as a minimalist CMS signature it looks ok.

Regards,   Michael

Re: Sign and PDF with SmartCard and web browser only

Leonard Rosenthol-3
Yes, we do indeed fail validation.  Just not enough here to do anything
useful.

Leonard




Re: Sign and PDF with SmartCard and web browser only

Andreas Kuehne-3
For curiosity I took a look at the signature, too. Here's what I got:

2012-01-31 20:04:13,281 ERROR (http-0.0.0.0-8080-7)
[de.trustable.signingserver.Verifier] Signature ERROR from signer # 0 :
javax.crypto.BadPaddingException: Invalid PKCS#1 padding: encrypted
message and modulus lengths do not match!

The decrypted signature content definitely doesn't look like it has had padding applied:

2012-01-31 20:04:13,281 DEBUG (http-0.0.0.0-8080-7)
[de.trustable.signingserver.Verifier] unpadded decrypted
1a:e3:f9:19:c4:31:7d:9c:90:6e:0a:f3:a1:23:79:db:25:47:36:80:d6:a7:da:50:09:97:cb:ad:ab:a9:50:66:21:c0:84:f5:20:97:1e:0c:f1:40:ef:5f:58:d5:05:1a:f3:50:60:93:d6:8e:3c:78:9a:e1:fa:5b:a0:93:0f:f5:04:ef:e1:6b:43:63:27:0e:f0:c3:94:d7:9f:bf:3c:29:91:1c:f2:91:a6:7c:b0:56:b3:66:20:c2:45:80:d9:d4:c6:c1:f1:1f:c1:ab:13:ee:9e:6b:84:fe:54:2d:b4:83:61:5c:0a:43:92:28:35:d1:2f:76:ad:ed:28:89:ba:49:18:dd:88:a9:a5:89:7e:2c:cf:e4:f9:17:68:db:20:f4:c4:65:16:f6:ef:15:e5:8e:75:2d:7c:87:43:00:3d:aa:05:5a:30:50:38:0e:96:9f:4d:29:d1:1b:d9:4d:12:42:0e:f8:88:fa:40:90:a8:15:cd:46:37:bb:58:51:54:08:d1:e6:85:dc:75:f9:fb:b2:4a:d6:2d:94:54:ec:57:2b:43:8f:56:10:ac:84:eb:ce:e2:99:e7:0d:68:2c:29:c0:92:95:14:bf:fb:e4:5d:db:2f:6e:4a:dd:34:51:21:b8:6f:80:a1:0f:78:f2:8d:19:5c:99:3c:0c:cb:e1:fb:e3:

This problem usually stems from mismatched signing keys / certificates.
Up to this point no details of the signature (signed attributes ...)
are relevant.

Greetings

Andreas K.



--
Andreas Kühne
phone: +49 177 293 24 97
mailto: [hidden email]

Trustable Ltd. Niederlassung Deutschland Ströverstr. 18 - 59427 Unna Amtsgericht Hamm HRB 5868

Directors Andreas Kühne, Heiko Veit

Company UK Company No: 5218868 Registered in England and Wales



Re: Sign and PDF with SmartCard and web browser only

mkl
Andreas, Max,
Andreas Kuehne-3 wrote
For curiosity I took a look at the signature, too. Here's what I got:

2012-01-31 20:04:13,281 ERROR (http-0.0.0.0-8080-7) [de.trustable.signingserver.Verifier] Signature ERROR from signer # 0 : javax.crypto.BadPaddingException: Invalid PKCS#1 padding: encrypted message and modulus lengths do not match!
Oops, you're right of course. I didn't look into the logs here as I got back a report complaining about the untrusted root and, falsely, deduced that everything (including the signature) could be properly decoded. In the logs I now also find

javax.crypto.BadPaddingException: Data must start with zero
        at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:308)
        at ...
The decrypted signature content definitely doesn't look like it has had padding applied. This problem usually stems from mismatched signing keys / certificates.
Max uses the iText utility class PdfPKCS7:

            PdfPKCS7 sig = new PdfPKCS7(null, certChain, null, "SHA-256", null, false);
            sig.setExternalDigest(hash, data, "RSA");
            [...]
            byte[] ssig = sig.getEncodedPKCS7(null, cal, null, ocsp);

To create his data he uses

            var SignedData = new ActiveXObject("CAPICOM.SignedData");
            SignedData.Content = src;
            var Signer = FindCertificateByHash();
            [...]
            Signer.AuthenticatedAttributes.Add(TimeAttribute);
            var szSignature = SignedData.Sign(Signer, false, CAPICOM_ENCODE_BASE64);

As I don't use these classes myself, I don't know whether this usage is correct nor do I know the format of the input or output data.

If wild guesses are allowed, though, adding some "TimeAttribute" to those "Signer.AuthenticatedAttributes" might imply that "szSignature" not merely contains some PKCS#1 signature to include into a signature container by means of the iText PdfPKCS7 utility class but instead already a full-blown CMS signature container which can be inserted into the PDF as is.

Can anyone deny or confirm?

Regards,   Michael
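Michael's guess turns on one question: is the blob that CAPICOM.SignedData.Sign hands back a bare PKCS#1 signature value (the thing to feed into PdfPKCS7 via setExternalDigest), or a complete DER-encoded CMS/PKCS#7 SignedData container? The two are easy to tell apart on the server before iText ever sees them. The Python below is an added example, not code from this thread, from iText or from CAPICOM: it decodes just enough DER to recognise a ContentInfo of type id-signedData, and otherwise applies the same length-versus-modulus test that produced the "encrypted message and modulus lengths do not match" error. The sample container and the 2048-bit modulus size are constructed for illustration.

```python
"""Classify a browser-supplied signature blob: raw PKCS#1 value or CMS container.

Added example (not from the thread, iText or CAPICOM). Only the outer
ContentInfo is parsed; the sample container below is a constructed stub.
"""
import base64

# id-signedData (1.2.840.113549.1.7.2): the contentType of a CMS/PKCS#7
# SignedData container such as CAPICOM.SignedData produces.
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"


def _read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, end offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def classify_signature(blob, modulus_bits):
    """Return "cms" for a DER ContentInfo of type signedData, "pkcs1" for a
    blob exactly one modulus long, and "unknown" for anything else (which is
    what iText's PKCS#1 length error is telling you)."""
    blob = bytes(blob)
    try:
        tag, body, end = _read_tlv(blob)
        if tag == 0x30 and end == len(blob):            # outer SEQUENCE
            ctag, cval, _ = _read_tlv(body)             # first child: contentType
            if ctag == 0x06 and _decode_oid(cval) == OID_SIGNED_DATA:
                return "cms"
    except (IndexError, ValueError):
        pass                                            # not well-formed DER
    if len(blob) == (modulus_bits + 7) // 8:
        return "pkcs1"
    return "unknown"


def _tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample: the ContentInfo shape of a SignedData container
# (contentType OID plus [0] EXPLICIT content); the inner SignedData is a stub.
SAMPLE_CMS = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010702"))
                  + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x01"))))
# CAPICOM_ENCODE_BASE64 would deliver the same bytes base64-encoded.
SAMPLE_CMS_B64 = base64.b64encode(SAMPLE_CMS).decode("ascii")

if __name__ == "__main__":
    print(classify_signature(base64.b64decode(SAMPLE_CMS_B64), 2048))
    print(classify_signature(b"\x01" * 256, 2048))   # modulus-length raw value
    print(classify_signature(b"\x01" * 200, 2048))   # neither
```

Running the classifier on the base64-decoded szSignature before calling setExternalDigest turns a cryptic BadPaddingException into a plain answer about which of the two integration paths the client is actually on.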

Re: Sign and PDF with SmartCard and web browser only

Andreas Kuehne-3
Hi Michael,

the most interesting topic with this signature is the reaction of the
Adobe reader. Never seen such a kind of error message before!

But back to the signature problem itself: My wild guess is that the
ActiveXObject signs with one key but the signature contains another
one. The usual smartcard today hosts a bunch of different certificates
and keypairs. The API will know which key/certificate to select for
signing but if you call 'getCertificates' (or the like) the appropriate
certificate mustn't be the first one ...

Did you try to verify the signature within the signing code? If it
verifies, you're sure to have the right certificate selected.

Greetings

Andreas


--
Andreas Kühne
phone: +49 177 293 24 97
mailto: [hidden email]

Trustable Ltd. Niederlassung Deutschland Ströverstr. 18 - 59427 Unna Amtsgericht Hamm HRB 5868

Directors Andreas Kühne, Heiko Veit

Company UK Company No: 5218868 Registered in England and Wales
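Andreas's advice, verify the signature inside the signing code before embedding it, is what separates the two failures in the logs quoted in this thread: a signature value whose length does not equal the modulus length, and a value that decrypts to something not starting with 00 01, which is what you see when the certificate chosen for the signature container does not belong to the key that actually signed. The Python below is an added illustration, not code from the thread, iText or the JDK; it implements RSASSA-PKCS1-v1_5 verification for SHA-256 and reports those two conditions by name. The Miller-Rabin key generation is a toy included only so the example runs offline (on a real deployment the key stays on the card), and the data string is constructed.

```python
"""Check an RSASSA-PKCS1-v1_5 / SHA-256 signature before embedding it.

Added example (not iText, JDK or CAPICOM code). Toy key generation is here
only so the example runs offline; the sample data is constructed.
"""
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 200, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2 or n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, full length
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=1024, seed=None):
    """Toy RSA keypair ((n, e), (n, d)); a seed makes it reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_info(data):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def pkcs1_v15_sign(priv, data):
    """Stand-in for the card: EMSA-PKCS1-v1_5 encoding followed by RSA."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    t = _digest_info(data)
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def check_pkcs1_v15(pub, data, signature):
    """Return "ok" or a reason; the first two mirror the JDK messages in the thread."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return "encrypted message and modulus lengths do not match"
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if em[0] != 0x00 or em[1] != 0x01:
        # Typical outcome when the certificate's key is not the signing key.
        return "data must start with zero"
    sep = em.find(b"\x00", 2)                 # end of the 0xFF padding run
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return "invalid PKCS#1 padding"
    if em[sep + 1:] != _digest_info(data):
        return "digest mismatch"
    return "ok"


if __name__ == "__main__":
    pub, priv = generate_keypair(1024, seed=1)
    other_pub, _ = generate_keypair(1024, seed=2)    # another certificate on the card
    data = b"constructed stand-in for the PDF byte-range content"
    sig = pkcs1_v15_sign(priv, data)
    print(check_pkcs1_v15(pub, data, sig))
    print(check_pkcs1_v15(other_pub, data, sig))
    print(check_pkcs1_v15(pub, data, sig[:-1]))
```

Run the equivalent check against the certificate you are about to place in the PdfPKCS7 chain; "ok" there means the container and the card's key agree, while either of the two thread messages points at the wrong certificate being picked or at the blob not being a raw signature at all.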

