Sorry, there was an error in the link to the referenced documents.
The correct links are:
http://aaa-sec.com/pub/iTextDiscuss/SE330055.pdf
http://aaa-sec.com/pub/iTextDiscuss/SE330055_DSS_signed.pdf
http://aaa-sec.com/pub/iTextDiscuss/SE330055-iText530_signed.pdf
/Stefan
From: Stefan Santesson <[email protected]>
Date: Thursday, December 20, 2012 1:21 AM
To: Post all your questions about iText here
<[email protected]>, Leonard Rosenthol
<[email protected]>
Subject: iText signature bug - Non conformance to ISO 32000-1?
> Hi,
>
> I want to report a suspected bug in iText. I'll provide a short summary and
> some more elaborate details below:
>
> Reference material:
> http://aaa-sec.com/pub/iTextDiscuss/SE330055.pdf
> http://aaa-sec.com/pub/iTextDiscuss/SE330055_DSS_signed.pdf
> http://aaa-sec.com/public_html/pub/iTextDiscuss/SE330055-iText530_signed.pdf
>
> Short summary:
> iText seems to produce a non-standard conforming signature when signing the
> referenced pdf (SE330055.pdf) with dynamic form content.
> The file SE33055DSSsigned.pdf is signed using the EU-Commission open source
> tool based on iText 2.1.7.
> The file SE33055iiText530_signed is signed using the Swedish prototype for a
> national signing service (https://eid2cssp.3xasecurity.com), which currently
> is using iText 5.3.0.
>
> The latter can be verified using a test signature validation service for the
> Swedish infrastructure located at: https://tsltrust.3xasecurity.com
> However, when opening any of the signed pdf files using Adobe/Acrobat Reader,
> the documents appear to be unsigned.
>
> Primary investigation suggests that this is because iText, for this particular
> type of document, produces a signature in a way that is in violation of ISO
> 32000-1.
>
>
> More info:
> I have developed the referenced Swedish tools, so I have done the hands-on
> integration with iText for those signing tools, and it's more or less a
> standard iText sign process.
> I'm a consultant working for the EU commission, helping them to evaluate the
> development of their DSS tool (which is developed by ARHS). I have examined
> their implementation, which implements a modified version of iText 2.1.7.
> None of their modifications should have any impact on the present subject.
>
> First I confronted Leonard Rosenthol from Adobe, asking why Acrobat Reader
> would not recognise the signature.
>
> After some research, Leonard concluded that the reason is that the iText
> produced signatures violate ISO 32000-1.
>
> This was Leonard's conclusion:
>
> "There are two types of forms technology in PDF - AcroForms and XFA. Normally
> you have a PDF that uses only one of the technologies, however there are cases
> where you can mix them. Digital signatures are the best example, because they
> are based on the former type (AcroForms) while your PDF is based on the latter
> (XFA). However, when you mix them you must do it in a special (and fully
> documented) manner.
>
> The service in question, however, does NOT special case the XFA-based PDFs and
> therefore signs ALL PDFs in the same way. Unfortunately, as described in the
> PDF standard (ISO 32000-1), that is NOT the correct thing to do. That is why
> Acrobat/Reader (and I, originally) don't see your signatures, because they
> don't actually exist when the PDF is properly parsed according to the spec.
> However, if you look at the PDF in a non-standard fashion (as your validation
> tool is doing, and as some specialized tools of mine did), then you DO see the
> signature.
>
> Bottom line - they need to fix their servers to comply with the relevant
> standards (ISO 32000-1:2008 and PAdES)."
>
> To me this seems like a serious interop problem.
> Government authorities in Sweden depend on being able to sign these types of
> forms using the Swedish signature infrastructure, and it is essential that the
> resulting signature is visible in other PDF readers, such as Acrobat.
>
> Best regards
> Stefan Santesson
>
> 3xA Security AB
> Scheelevägen 17, 223 70, Lund
> http://AAA-sec.com
> [email protected]
> +46-767 861337
>
>
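The distinction Leonard draws above (a signature is an AcroForm construct, so an XFA-based PDF must be special-cased before it is signed) is something a signing service can check up front. The following is an added example, not code from iText, the DSS tool or either Swedish service: a byte-level scan that reports whether a PDF's interactive form is XFA-based, assuming an uncompressed, single-revision file (object streams and incremental updates are ignored) and using constructed sample PDF fragments rather than the files from the report.

```python
import re
from typing import Optional

# Constructed, uncompressed PDF fragments (not the files from the report).
XFA_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 5 0 R /AcroForm 2 0 R >> endobj
2 0 obj << /Fields [3 0 R] /XFA [(template) 4 0 R] /NeedsRendering true >> endobj
3 0 obj << /FT /Tx /T (name) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
ACRO_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /AcroForm << /Fields [3 0 R] /SigFlags 3 >> >> endobj
3 0 obj << /FT /Sig /T (Signature1) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary whose '<<' sits at data[start], honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        tok = data[i:i + 2]
        if tok == b"<<":
            depth += 1
        elif tok == b">>":
            depth -= 1
            if depth == 0:
                return data[start:i + 2]
        i += 2 if tok in (b"<<", b">>") else 1
    raise ValueError("unterminated dictionary")

def acroform_dict(pdf: bytes) -> Optional[bytes]:
    """Find the catalog's /AcroForm dictionary, whether direct or an indirect object."""
    m = re.search(rb"/AcroForm\s*(?:(\d+)\s+\d+\s+R|<<)", pdf)
    if not m:
        return None
    if m.group(1) is None:                      # direct dictionary: /AcroForm << ... >>
        return _balanced_dict(pdf, m.end() - 2)
    obj = re.search(rb"(?<!\d)" + m.group(1) + rb"\s+\d+\s+obj\s*<<", pdf)
    return _balanced_dict(pdf, obj.end() - 2) if obj else None

def form_kind(pdf: bytes) -> str:
    """'xfa' if the form carries an /XFA entry, 'acroform' if it is a plain
    AcroForm, 'none' if the document has no interactive form at all."""
    d = acroform_dict(pdf)
    if d is None:
        return "none"
    return "xfa" if re.search(rb"/XFA\b", d) else "acroform"
```

A production check should use the signing library's own PDF reader rather than a byte scan; the point is to detect and special-case XFA documents before signing instead of discovering the problem in Acrobat afterwards.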
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions