We are filling in a PDF and signing it using an external digest. The code
sample for doing this works fine in the normal flow where everything is done
at one time. We have an unusual scenario, though, where we must do the
signing in a separate VM from where the generation is done. I have separated the
code into the beginning part that generates the hash. This hash then gets
sent to the other code for signing. Then the beginning code is re-executed
and the stamping finished.

Here's the code:

      pdfDocument = new ByteArrayOutputStream();
      // '\0' keeps the PDF version; the final 'true' selects append mode
      PdfStamper stp = PdfStamper.createSignature(reader, pdfDocument, '\0', null, true);
      PdfSignatureAppearance sap = stp.getSignatureAppearance();
      sap.setCrypto(null, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
      sap.setReason(reason);
      sap.setLocation(location);
      // placeholder signature and 20-byte SHA-1 digest arrays
      sap.setExternalDigest(new byte[keyLength], new byte[20], "RSA");
      sap.preClose();
      // hash the signed byte ranges of the prepared document
      InputStream inp = sap.getRangeStream();
      byte[] hash = SystemUtils.createSHA1Hash(inp);

The first problem I'm seeing is that the hash (given all other identical
inputs) comes out different from one execution to the next.

This materializes to the client with an ArrayIndexOutOfBoundsException
during the array copy portion of the code:

      PdfSigGenericPKCS sg = sap.getSigStandard();
      PdfLiteral slit = (PdfLiteral)sg.get(PdfName.CONTENTS);
      byte[] outc = new byte[(slit.getPosLength() - 2) / 2];
      PdfPKCS7 sig = sg.getSigner();
      sig.setExternalDigest(signature, hash, "RSA");
      logger.debug("after call to setExternalDigest");
      PdfDictionary dic = new PdfDictionary();
      byte[] ssig = sig.getEncodedPKCS7();
      // This is the FAILURE point
      System.arraycopy(ssig, 0, outc, 0, ssig.length);
      dic.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
      sap.close(dic);

Is there something I can change to guarantee consistent results in the
hashing algorithm such that every execution with the same inputs would give
the same hash? Also, is the ArrayIndexOutOfBoundsException related to the
hash problem or is it just another weird issue?

The truly strange part is that this goes through some of the time. I assume
the resulting document signature is invalid due to the mismatched hash, but
the exception isn't thrown all the time.

Thanks for any help/insight anyone can provide.

--
Mike
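
An added example, not part of the original post and not iText code: a toy Java model of the split flow described above, where the digest covers everything except a reserved signature placeholder. It assumes (the post does not establish this) that a regenerated file differs in some run-dependent field, modelled here by a hypothetical signTime value; all names and sample values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Toy model (not iText): a prepared file is body + "<hex placeholder>" + trailer,
// and the digest covers every byte except the placeholder and its brackets.
public class DeferredSignModel {
    static final int RESERVED = 8; // bytes reserved for the signature (constructed value)
    // Build the prepared bytes; signTime stands in for any run-dependent field (assumption).
    static byte[] prepare(String body, long signTime) {
        char[] hex = new char[RESERVED * 2];
        Arrays.fill(hex, '0');
        return (body + "/M(" + signTime + ")/Contents<" + new String(hex) + ">trailer")
                .getBytes(StandardCharsets.US_ASCII);
    }

    // SHA-1 over the two byte ranges on either side of the placeholder.
    static byte[] rangeHash(byte[] doc) throws Exception {
        int open = indexOf(doc, '<'), close = indexOf(doc, '>');
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(doc, 0, open);
        md.update(doc, close + 1, doc.length - close - 1);
        return md.digest();
    }

    // Splice the signature into the stored bytes; reject one larger than the reserved space.
    static byte[] embed(byte[] prepared, byte[] sig) {
        if (sig.length > RESERVED)
            throw new IllegalArgumentException("signature " + sig.length + " > reserved " + RESERVED);
        byte[] out = prepared.clone();
        int pos = indexOf(out, '<') + 1;
        for (byte b : sig) {
            out[pos++] = (byte) Character.forDigit((b >> 4) & 0xF, 16);
            out[pos++] = (byte) Character.forDigit(b & 0xF, 16);
        }
        return out;
    }
    static int indexOf(byte[] a, char c) {
        for (int i = 0; i < a.length; i++) if (a[i] == c) return i;
        throw new IllegalStateException("marker not found");
    }
    public static void main(String[] args) throws Exception {
        byte[] run1 = prepare("form-data", 1000L);
        byte[] run2 = prepare("form-data", 1001L); // same inputs, regenerated later
        byte[] signed = embed(run1, new byte[] {1, 2, 3, 4}); // reuse the stored bytes
        System.out.println("regenerated hash matches: " + Arrays.equals(rangeHash(run1), rangeHash(run2)));
        System.out.println("stored hash still valid:  " + Arrays.equals(rangeHash(run1), rangeHash(signed)));
    }
}
```

In this model, keeping the prepared bytes from the first pass and splicing the signature into them avoids relying on a second run being byte-identical, and the explicit length check reports an oversized signature instead of overrunning the reserved array.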