Hi,
I want to report a suspected bug in iText. I'll provide a short summary and
some more elaborate details below:
Reference material:
http://aaa-sec.com/pub/iTextDiscuss/SE330055.pdf
http://aaa-sec.com/pub/iTextDiscuss/SE330055_DSS_signed.pdf
http://aaa-sec.com/public_html/pub/iTextDiscuss/SE330055-iText530_signed.pdf
Short summary:
iText seems to produce a non-standards-conforming signature when signing the
referenced PDF (SE330055.pdf) with dynamic form content.
The file SE330055_DSS_signed.pdf is signed using the EU Commission open-source
tool based on iText 2.1.7.
The file SE330055-iText530_signed.pdf is signed using the Swedish prototype for a
national signing service (https://eid2cssp.3xasecurity.com), which currently
is using iText 5.3.0.
The latter can be verified using a test signature validation service for the
Swedish infrastructure located at: https://tsltrust.3xasecurity.com
However, when opening any of the signed PDF files using Adobe Acrobat/Reader,
the documents appear to be unsigned.
Primary investigation suggests that this is because iText, for this
particular type of document, produces a signature in a way that is in
violation of ISO 32000-1.
More info:
I have developed the referenced Swedish tools, so I have done the hands-on
integration with iText for those signing tools, and it's more or less a
standard iText sign process.
I'm a consultant working for the EU Commission, helping them to evaluate the
development of their DSS tool (which is developed by ARHS). I have examined
their implementation, which implements a modified version of iText 2.1.7.
None of their modifications should have any impact on the present subject.
First I confronted Leonard Rosenthol from Adobe, asking why Acrobat Reader
would not recognise the signature.
After some research, Leonard concluded that the reason is that the
iText-produced signatures violate ISO 32000-1.
This was Leonard's conclusion:
"There are two types of forms technology in PDF - AcroForms and XFA.
Normally you have a PDF that uses only one of the technologies; however, there
are cases where you can mix them. Digital signatures are the best example,
because they are based on the former type (AcroForms) while your PDF is
based on the latter (XFA). However, when you mix them you must do it in a
special (and fully documented) manner.
The service in question, however, does NOT special case the XFA-based PDFs
and therefore signs ALL PDFs in the same way. Unfortunately, as described
in the PDF standard (ISO 32000-1), that is NOT the correct thing to do.
That is why Acrobat/Reader (and I, originally) don't see your signatures,
because they don't actually exist when the PDF is properly parsed according
to the spec. However, if you look at the PDF in a non-standard fashion (as
your validation tool is doing, and as some specialized tools of mine did),
then you DO see the signature.
Bottom line - they need to fix their servers to comply with the relevant
standards (ISO 32000-1:2008 and PAdES)."
To me this seems like a serious interop problem.
Government authorities in Sweden depend on being able to sign these types
of forms using the Swedish signature infrastructure, and it is essential
that the resulting signature is visible in other PDF readers, such as
Acrobat.
Best regards
Stefan Santesson
3xA Security AB
Scheelevägen 17, 223 70, Lund
http://AAA-sec.com
[email protected]
+46-767 861337
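A pre-signing triage check of the kind this report calls for, written here as an added example (it is not code from iText, from the DSS tool or from the 3xA signing service): it resolves the AcroForm dictionary of a PDF and reports whether the form is XFA-based, so a signing service can refuse or special-case such documents instead of signing all PDFs the same way. It assumes classic uncompressed, unencrypted objects (object streams are not handled); the function names and the sample PDF are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class FormTriage:
    has_xfa: bool     # /XFA key present in the AcroForm dictionary (XFA-based form)
    sig_fields: int   # count of /FT /Sig field dictionaries in the file
    sig_flags: int    # /SigFlags value; bit 1 = SignaturesExist, bit 2 = AppendOnly

def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary starting at data[start] == b'<<', honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair in (b"<<", b">>"):
            depth += 1 if pair == b"<<" else -1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]

def _acroform_dict(data: bytes) -> bytes:
    """Resolve /AcroForm from the catalog, whether inline or an indirect object."""
    ref = re.search(rb"/AcroForm\s+(\d+)\s+\d+\s+R", data)
    if ref:
        obj = re.search(rb"(?<!\d)%d\s+\d+\s+obj\s*(<<)" % int(ref.group(1)), data)
        return _balanced_dict(data, obj.start(1)) if obj else b""
    inline = re.search(rb"/AcroForm\s*(<<)", data)
    return _balanced_dict(data, inline.start(1)) if inline else b""

def triage(data: bytes) -> FormTriage:
    form = _acroform_dict(data)
    flags = re.search(rb"/SigFlags\s+(\d+)", form)
    return FormTriage(
        has_xfa=re.search(rb"/XFA\b", form) is not None,
        sig_fields=len(re.findall(rb"/FT\s*/Sig\b", data)),
        sig_flags=int(flags.group(1)) if flags else 0,
    )

def plain_acroform_signing_is_safe(data: bytes) -> bool:
    """False for XFA-based forms: a generic AcroForm signing pass is the reported case."""
    return not triage(data).has_xfa

# Constructed sample (uncompressed objects, xref omitted): an XFA form that already
# carries one AcroForm signature field, with a nested /DR dictionary before /XFA.
XFA_FORM_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >> endobj
3 0 obj << /Fields [4 0 R] /SigFlags 3 /DR << /Font << >> >> /XFA 5 0 R >> endobj
4 0 obj << /FT /Sig /T (Signature1) /V 6 0 R >> endobj
%%EOF"""
```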
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions