Hi Hans, I attach a patch for fixing the issue with hash wrong validation in signed documents (and another minor typo).
Sorry for the long explanation, but I think this is required, since
these is a sensible topic.
A sample source:
\setupinteraction[state=start]
\definefield[signature][signed]
\defineoverlay[signature][my signature]
\starttext
\startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
sign: \inframed[background=signature,framecolor=darkred]
{\fieldbody[signature][width=3cm,option=hidden]}
\stopTEXpage
\stoptext
After compiling it with ConTeXt, I run:
mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc a.pdf
(Certificate attached, passphrase is ABCabc.)
I get a signed PDF document, but both pdfsig and mutool sign complain
about disgest mismatch (as already mentioned on the other list).
After investigating the issue, I realized that the /ByteRange was wrong
calculated.
Using a binary editor ("neovim -b", for that matter), I jumped to the
final range of the first byte (value of n1 from getbyteranges()).
I saw that the first byte range ended in the s of /Contents, but there
was a blank space after it (before the hex string value).
This causes the digest mismatch, because the tmpfile contained an extra
space excluded in the first byte range.
I modified the sigfile manually adding one more byte to the byte length
and both pdfsig and mutool sign detected a valid signature.
The patch was simple and now I realize the wrong byterange may have been
well a typo in n1. (Excuse my verbose explanation in that case 😅.)
Outputs from both pdfsig and mutool sign are fine after the patch:
$ pdfsig a.pdf
Digital Signature Info of: a.pdf
Signature #1:
- Signature Field Name: signature
- Signer Certificate Common Name: John Doe
- Signer full Distinguished Name: CN=John Doe,O=No Brainer [...]
- Signing Time: Jun 09 2024 11:50:53
- Signing Hash Algorithm: SHA-256
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 6426], [10524 - 10909]
- Total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate issuer isn't Trusted.
$ mutool sign -v a.pdf
Verifying signature 3:
Distinguished name: cn=John Doe, o=No Brainer, ou=, email=, c=XX
Certificate error: Self-signed certificate.
The document is unchanged since signing.
I think the patch may be considered to be included in next latest.
Many thanks for your help,
Pablo
mycert.pfx
Description: application/pkcs12
--- mkxl/lpdf-sig.lmt 2024-06-09 11:07:05.553210943 +0200
+++ lpdf-sig.lmt 2024-06-09 11:03:00.550032647 +0200
@@ -37,7 +37,7 @@
local leftangle = find(signature,"<0")
local rightangle = find(signature,"0>")
local b1 = 0
- local n1 = position + leftangle - 2
+ local n1 = position + leftangle - 1
local b2 = position + rightangle + 1
local n2 = filesize - b2
return { b1, n1, b2, n2 }
@@ -255,7 +255,7 @@
return
end
if middle ~= signature then
- report("no prestine signature")
+ report("no pristine signature")
return
end
--
_______________________________________________ dev-context mailing list -- dev-context@ntg.nl To unsubscribe send an email to dev-context-le...@ntg.nl
