Signature is invalid for pdf


Alexander Raitskin
Hello,

When I try to sign this file:
I get an error when I open it in Acrobat Reader 9.

Error during signature verification.  

Unexpected byte range values defining scope of signed data.
Details: The signature byte range is invalid

What is wrong with this file?

Here is how it looks with the signature:

All other files are signed perfectly.





_______________________________________________
iText-questions mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/itext-questions

Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
Re: Signature is invalid for pdf

mkl
Alexander,
Raitskin Alexander wrote:
> Error during signature verification.
>
> Unexpected byte range values defining scope of signed data.
> Details: The signature byte range is invalid
>
> What is wrong with this file?
>
> http://www.darina.us/code/peles1.pdf

The /ByteRange values correctly describe the ranges right before and after the signature /Contents value as sensibly enforced by Acrobat and Reader.

One thing surprises me, though, there are no trailing 00 entries in that value. Also you have reserved space for less than 3 KB for the signature container which is not much for a PKCS#7 container. Could it be that the signature container did not completely fit into the reserved space?

Regards,   Michael.
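
The layout checks discussed above, as an added example (not part of the original thread and not iText code): it reads /ByteRange, confirms that the only bytes left out are the /Contents hex string, and compares the reserved space with the length the DER container declares for itself. The sample file is constructed, and `build_sample` and `check_signature_layout` are hypothetical names.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTAINER = bytes.fromhex("3003020105")  # constructed: SEQUENCE { INTEGER 5 }, 5 bytes


def der_total_length(blob):
    """Header plus content length of the first DER TLV (definite lengths only)."""
    if len(blob) < 2:
        raise ValueError("too short for a DER header")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_signature_layout(pdf):
    """Compare the first /ByteRange with the /Contents placeholder it must skip."""
    m = BYTE_RANGE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    start1, len1, start2, len2 = (int(g) for g in m.groups())
    gap = pdf[start1 + len1:start2]  # the only bytes the digest leaves out
    report = {
        "starts_at_zero": start1 == 0,
        "covers_to_eof": start2 + len2 == len(pdf),
        "gap_is_contents": gap[:1] == b"<" and gap[-1:] == b">",
    }
    if report["gap_is_contents"]:
        raw = bytes.fromhex(gap[1:-1].decode("ascii"))
        used = der_total_length(raw)  # size the container claims for itself
        report["reserved_bytes"] = len(raw)
        report["container_bytes"] = used
        report["container_fits"] = used <= len(raw)
        report["padding_bytes"] = max(len(raw) - used, 0)
        report["padding_is_zero"] = not any(raw[used:])
    return report


def build_sample(container, reserved):
    """Constructed stand-in for a signed PDF: only the bytes this check reads."""
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Sig /Contents "
    hex_blob = container.hex().encode().ljust(reserved * 2, b"0")[:reserved * 2]
    contents = b"<" + hex_blob + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    width = 40  # fixed-width number field so the offsets do not shift
    start2 = len(head) + len(contents)
    len2 = len(b" /ByteRange [") + width + 1 + len(tail)
    numbers = b"0 %d %d %d" % (len(head), start2, len2)
    return head + contents + b" /ByteRange [" + numbers.ljust(width) + b"]" + tail


if __name__ == "__main__":
    # 8 bytes reserved: zero padding; 5: container just fits; 4: container cut off
    for reserved in (8, 5, 4):
        print(reserved, check_signature_layout(build_sample(CONTAINER, reserved)))
```
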
Re: Signature is invalid for pdf

mkl
In reply to this post by Alexander Raitskin
Alexander,
Raitskin Alexander wrote:
> Error during signature verification.
>
> Unexpected byte range values defining scope of signed data.
> Details: The signature byte range is invalid
>
> What is wrong with this file?
>
> http://www.darina.us/code/peles1.pdf

Now in office I could have a closer look at your document.

My assumption from the other mail (that the PKCS#7 signature container was cut off somewhere) seems to be wrong, your signature container seems to just fit.

The signature container itself is incorrect, though:

The ASN.1 Dump Utility points to the following commonName entry:

 330 31   31:               SET {
 332 30   29:                 SEQUENCE {
 334 06    3:                   OBJECT IDENTIFIER commonName (2 5 4 3)
            :                     (X.520 id-at (2 5 4))
 339 13   22:                   PrintableString 'Test Test ID_111111118'
            :                   Error: PrintableString contains illegal character(s).
            :                   }
            :                 }

A PrintableString may only contain the following characters (cf. ISO/IEC 8824-1:2003, X.680-0207):

A, B, ..., Z
a, b, ..., z
0, 1, ..., 9
(space) ' ( ) + , - . / : = ?

Thus, the underscore in there is invalid.

The utility actually mentions 6 errors but only this one is highlighted like this. You may want to inspect your signature concerning such basic ASN.1 errors.


There are additional (not so basic) errors, though, e.g.:

In your certificatePolicies attribute you have the following policy qualifier

 983 30  486:                             SEQUENCE {
 987 06    8:                               OBJECT IDENTIFIER
            :                                 unotice (1 3 6 1 5 5 7 2 2)
            :                                 (PKIX policy qualifier)
 997 30  472:                               SEQUENCE {
1001 30   14:                                 SEQUENCE {
1003 16    7:                                   IA5String 'ComSign'
1012 30    3:                                   SEQUENCE {
1014 02    1:                                     INTEGER 11
            :                                     }
            :                                   }
1017 1A  452:                                 VisibleString
            :                   ' .áòì äúòåãä æåää ôðéí àì ôðéí òì ñîê úòåãåú å/à'
            :                   'å îéãò îæää àçø. òì äùéîåù áúòåãä æå éçåìå ðäìé '
            :                   '÷åîñééïäùéîåù áúòåãä òì éãé îåøùä çúéîä áúàâéã/î'
            :                   'åñã öéáåøé, ëôåó ìðåäìé æëåéåú äçúéîä áúàâéã/îåñ'
            :                   'ã öéáåøé áäúàîäçáåú åàçøéåú ÷åîñééï îåâáìåú ëîôå'
            :                   'øè áðäìé ÷åîñééï (CPS). äàçøéåú äëåììú ùì þ÷åîñé'
            :                   'éï åðöéâéä ëìôé ëì àãí áòðééï úòåãä ñôöéôéú úäà '
            :                   'îåâáìú ìñëåí ùìà éòìä òì ñëåí ùì 10,000 (òùøú àì'
            :                           [ Another 68 characters skipped ]
            :                                 }
            :                               }

This VisibleString is 452 bytes long while only 200 characters are allowed here (cf. RFCs 5280, 3280, 2459):

   UserNotice ::= SEQUENCE {
        noticeRef        NoticeReference OPTIONAL,
        explicitText     DisplayText OPTIONAL}

   NoticeReference ::= SEQUENCE {
        organization     DisplayText,
        noticeNumbers    SEQUENCE OF INTEGER }

   DisplayText ::= CHOICE {
        visibleString    VisibleString  (SIZE (1..200)),
        bmpString        BMPString      (SIZE (1..200)),
        utf8String       UTF8String     (SIZE (1..200)) }



So a number of entries in your certificates violate current standards. I'm not sure whether Adobe Acrobat and Reader reject your signature due to them. Our software here does.

Therefore, I would advise you to re-check your certificates and PKI in general.

Regards,   Michael.
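
A small DER walker for the two violations named above, as an added example (not mkl's tool and not the ASN.1 Dump Utility): it flags PrintableString values with characters outside the allowed set and DisplayText strings longer than 200 characters under the unotice qualifier. The input is constructed to mirror the dumped fragments, with filler notice text; the function names are hypothetical, and IA5String is checked too because RFC 5280 lists it as a DisplayText choice.

```python
PRINTABLE = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)
UNOTICE = bytes.fromhex("2b06010505070202")  # OID 1.3.6.1.5.5.7.2.2
DISPLAY_TEXT = {0x0C: "UTF8String", 0x16: "IA5String",
                0x1A: "VisibleString", 0x1E: "BMPString"}


def read_tlv(buf, pos, end):
    """Return (tag, content_start, content_length); low tag numbers only."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header at %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    start = pos + 2 + n
    if first == 0x80 or start + length > end:
        raise ValueError("bad length at %d" % pos)
    return tag, start, length


def lint(buf, pos=0, end=None, in_notice=False):
    """Walk DER and list (offset, message) for the two rule violations."""
    end = len(buf) if end is None else end
    findings, notice_next = [], False
    while pos < end:
        tag, start, length = read_tlv(buf, pos, end)
        body = buf[start:start + length]
        if tag & 0x20:  # constructed type: descend into its children
            findings += lint(buf, start, start + length, in_notice or notice_next)
        elif tag == 0x06:  # the sibling after the unotice OID is the UserNotice
            notice_next = body == UNOTICE
        elif tag == 0x13:
            bad = "".join(sorted({chr(b) for b in body if b not in PRINTABLE}))
            if bad:
                findings.append(
                    (pos, "PrintableString contains illegal character(s): " + bad))
        elif in_notice and tag in DISPLAY_TEXT:
            if tag == 0x1E:
                chars = length // 2  # BMPString: two bytes per character
            elif tag == 0x0C:
                chars = len(body.decode("utf-8", "replace"))
            else:
                chars = length
            if chars > 200:
                findings.append((pos, "%s has %d characters, DisplayText allows 200"
                                 % (DISPLAY_TEXT[tag], chars)))
        pos = start + length
    return findings


def tlv(tag, content):
    """DER-encode one TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def sample(common_name, notice_text):
    """Constructed DER shaped like the two fragments dumped above."""
    cn_oid = tlv(0x06, bytes.fromhex("550403"))  # commonName (2 5 4 3)
    name = tlv(0x31, tlv(0x30, cn_oid + tlv(0x13, common_name)))
    ref = tlv(0x30, tlv(0x16, b"ComSign") + tlv(0x30, tlv(0x02, b"\x0b")))
    notice = tlv(0x30, ref + tlv(0x1A, notice_text))
    return tlv(0x30, name + tlv(0x30, tlv(0x06, UNOTICE) + notice))


if __name__ == "__main__":
    for offset, message in lint(sample(b"Test Test ID_111111118", b"x" * 452)):
        print(offset, message)
```
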
Re: Signature is invalid for pdf

mkl
In reply to this post by Alexander Raitskin
Alexander,
Raitskin Alexander wrote:
> When I try to sign this file:
> http://www.darina.us/code/peles.pdf
> I get an error when I open it in Acrobat Reader 9.

BTW, I just noticed that Acrobat wants to save both the original and the signed document when closing. This seems to indicate that there is some error in it. Unfortunately Preflight does not find any PDF syntax error.

Maybe this is the reason why Acrobat and Reader have trouble with the signed version.

Still I would recommend that you review your certificates and PKI in general as the problems mentioned in the message before are real.

Regards,   Michael.
Re: Signature is invalid for pdf

Alexander Raitskin
In reply to this post by mkl
But how then you explain that I can sign other documents with the same signature without any errors?
I'll publish another (correct) pdf as an example on Sunday.



-----Original Message-----
From: mkl <[hidden email]>
To: [hidden email]
Sent: Fri, Oct 29, 2010 10:59 am
Subject: Re: [iText-questions] Signature is invalid for pdf



Re: Signature is invalid for pdf

mkl
Alexander,
Raitskin Alexander wrote:
> But how then you explain that I can sign other documents with the same signature without any errors?

As mentioned in another reply to your initial message in this thread, the behaviour of Acrobat seems to indicate that there already is some PDF error in the original document http://www.darina.us/code/peles.pdf which might cause Acrobat and Reader to always reject the signature of the signed document. Unfortunately Preflight does not find any PDF syntax error.

Still I would recommend that you review your certificates and PKI in general as the problems mentioned in the message before are real.

Regards,   Michael.
Re: Signature is invalid for pdf

Alexander Raitskin
As you see, when you apply this signature (call it SigA) on peles.pdf you get the error mentioned here.

Here are two more documents: 
In this document I tried another signature (call it SigB) on peles.pdf and it seems to be OK (it was signed with another code)

And in this document I tried the SigA on another document, and here again it is OK:

So the problem is probably not with the document and not with the signature.. but with the way I put it there...




-----Original Message-----
From: mkl <[hidden email]>
To: [hidden email]
Sent: Fri, Oct 29, 2010 4:31 pm
Subject: Re: [iText-questions] Signature is invalid for pdf



Re: Signature is invalid for pdf

Alexander Raitskin
In reply to this post by mkl
I've managed to sign it at last, but without setting the "appendable" flag..
When this argument is true in: PdfStamper.CreateSignature(reader, outstream, '\0', null, false);
it fails.
Here is a successful signature: 

Any ideas?

Raitskin Alexander
Software Developer
054-4795048


-----Original Message-----
From: mkl <[hidden email]>
To: [hidden email]
Sent: Fri, Oct 29, 2010 4:31 pm
Subject: Re: [iText-questions] Signature is invalid for pdf



Re: Signature is invalid for pdf

mkl
Alexander,
Raitskin Alexander wrote:
> I've managed to sign it at last, but without setting the "appendable" flag..
> When this argument is true in: PdfStamper.CreateSignature(reader, outstream, '\0', null, false);
> it fails.
>
> Any ideas?

Acrobat has problems with your original file. If you sign in append mode, the original remains verbatim part of the signed pdf and Acrobat remains unhappy. If on the other hand you don't use append mode while signing, iText rearranges the internal pdf objects which seems to result in the pdf error being fixed and therefore Acrobat being happy.

I don't have all my tools available at home, therefore I just can guess now. I'll look at your new samples next week after the holiday.

Regards, Michael.
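
A way to tell the two signing modes apart from the bytes alone, as an added example (not from the original thread): in append mode the original file is a verbatim prefix of the signed one, and the new trailer's /Prev points at the original's startxref offset, so any defect in the original is carried along unchanged. The miniature files are constructed and the function names are hypothetical.

```python
import re

EOF_MARK = re.compile(rb"startxref\s+(\d+)\s+%%EOF")
PREV = re.compile(rb"/Prev\s+(\d+)")


def revisions(pdf):
    """(end offset, startxref value) for each revision, one per %%EOF marker."""
    return [(m.end(), int(m.group(1))) for m in EOF_MARK.finditer(pdf)]


def describe_signing(original, signed):
    """Report whether signed keeps original verbatim (append) or rewrites it."""
    orig_revs, signed_revs = revisions(original), revisions(signed)
    verbatim = signed.startswith(original)
    appended = signed[len(original):] if verbatim else b""
    prev = PREV.search(appended)
    return {
        "mode": "append" if verbatim and len(signed_revs) > len(orig_revs)
                else "rewrite",
        # every one of these bytes, defects included, is still in the signed file
        "original_bytes_kept": len(original) if verbatim else 0,
        "appended_bytes": len(appended),
        "prev_links_to_original": bool(
            prev and orig_revs and int(prev.group(1)) == orig_revs[-1][1]),
    }


def pdf_revision(body, base=0, prev=None):
    """Constructed miniature revision: body, a stub xref/trailer, startxref."""
    prev_entry = (b" /Prev %d" % prev) if prev is not None else b""
    trailer = (b"xref\n0 1\n0000000000 65535 f \ntrailer\n<< /Size 2"
               + prev_entry + b" >>\n")
    return body + trailer + b"startxref\n%d\n%%%%EOF\n" % (base + len(body))


CATALOG = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
SIG = b"2 0 obj\n<< /Type /Sig >>\nendobj\n"

ORIGINAL = pdf_revision(CATALOG)
# Append mode: original bytes untouched, signature added as a second revision.
APPENDED = ORIGINAL + pdf_revision(SIG, base=len(ORIGINAL),
                                   prev=revisions(ORIGINAL)[-1][1])
# Non-append mode: all objects written out again as a single revision.
REWRITTEN = pdf_revision(CATALOG + SIG)

if __name__ == "__main__":
    print(describe_signing(ORIGINAL, APPENDED))
    print(describe_signing(ORIGINAL, REWRITTEN))
```
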
Re: Signature is invalid for pdf

mkl
In reply to this post by Alexander Raitskin
Alexander,
Raitskin Alexander wrote:
> In this document I tried another signature (call it SigB) on peles.pdf and it seems to be OK (it was signed with another code)
> http://www.darina.us/code/peles_ok.pdf

This other signature was applied without using the append mode. Just as in the case of your sample http://www.darina.us/code/peles_orig1.pdf from your other mail today, this seems to have fixed the PDF problem Acrobat is upset about.

Raitskin Alexander wrote:
> And in this document I tried the SigA on another document, and here again it is OK:
> http://www.darina.us/code/test1.pdf

The other original seems to not have contained PDF errors. Therefore, Acrobat is happy with the signature even though it was applied in append mode.

Regards,   Michael.
Re: Signature is invalid for pdf

mkl
In reply to this post by Alexander Raitskin
Alexander,
Raitskin Alexander wrote:
> In this document I tried another signature (call it SigB) on peles.pdf and it seems to be OK (it was signed with another code)
> http://www.darina.us/code/peles_ok.pdf

FYI: The certificate used in that file looks healthier than the certificate you used in all your other samples.

Otherwise, without substantial effort, I unfortunately cannot spot the reason why Acrobat is unhappy with your original document (http://www.darina.us/code/peles.pdf). It is not merely a broken xref table (which iText would have spotted, BTW).

But this unhappiness is the cause why Acrobat and Reader will fail to verify any signature applied to that document in append mode.

Regards, Michael.

PS: Leonard, this Acrobat 9 behavior IMO is quite unfortunate --- Acrobat and Reader should show a message to the effect that the signature itself is correct but that Acrobat/Reader found PDF errors which might make it display the file differently from how the signer intended it to be displayed.
Re: Signature is invalid for pdf

goperundevi
This post has NOT been accepted by the mailing list yet.
In reply to this post by mkl
Hi,

My digital signature is invalid while validating the signature after signing the pdf document by using digital signature. But I have used this same DSC for all the PF and ESI registrations and it's invalid while signing the document by using DSC.

Herewith I have attached the link. Please check and give me a solution. It's very urgent for tender participation purpose.
 
http://ireps.gov.in/ireps/upload/files//1000423909/0015279076/SPECACC.pdf