[
https://issues.apache.org/jira/browse/PDFBOX-5709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782062#comment-17782062
]
Michael Klink commented on PDFBOX-5709:
---------------------------------------
From former stack overflow questions by you I assume you use that {{ContentSigner}} in a {{CMSSignedDataGenerator}} that produces a CMS signature container for an {{ExternalSigningSupport}}-based PDF signing routine.
In that case it is completely wrong to create your own set of signed attributes in the {{ContentSigner.getSignature}} method: the BouncyCastle {{CMSSignedDataGenerator}} usually creates (and embeds!) its own set of such attributes and merely asks your {{ContentSigner}} to sign it, but you return a signature for your own set, which is not embedded.

You can customize the signed attributes generated by {{CMSSignedDataGenerator}} by setting a custom SignedAttributeGenerator on the SignedInfoGenerator.
> Getting document corrupted while signing hash which has DER encoded signed attributes
> -------------------------------------------------------------------------------------
>
> Key: PDFBOX-5709
> URL: https://issues.apache.org/jira/browse/PDFBOX-5709
> Project: PDFBox
> Issue Type: Bug
> Components: Signing
> Reporter: Tanmay Sharma
> Priority: Critical
>
> I am trying to do external signing. For that we used to calculate the hash of the
> PDF and get it signed using an external trust service provider. Now our use case
> is that instead of signing the hash bytes we need to sign the DER encoding of the
> signed attributes. But after generating the signed hash and embedding it in the
> document we are getting a document corrupted error.
> The code of the content signer is
> {code:java}
> import java.io.OutputStream;
> import java.nio.charset.StandardCharsets;
> import java.security.MessageDigest;
> import java.util.Collections;
> import java.util.List;
> import lombok.SneakyThrows;
> import org.bouncycastle.asn1.ASN1Encoding;
> import org.bouncycastle.asn1.ASN1ObjectIdentifier;
> import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
> import org.bouncycastle.jcajce.io.OutputStreamFactory;
> import org.bouncycastle.operator.ContentSigner;
>
> // Assumed from the enclosing class: inputStream (the PDF content to sign), calendar,
> // cscCredentialOptions, signAlgo, LOG and the getSignedHash(...) helper that calls the
> // external (CSC) trust service provider.
> ContentSigner contentSigner = new ContentSigner() {
>     private final MessageDigest digest = MessageDigest.getInstance("SHA-256");
>     // Stream handed to BouncyCastle; whatever it writes goes into the digest
>     private final OutputStream stream = OutputStreamFactory.createStream(digest);
>
>     @SneakyThrows
>     @Override
>     public byte[] getSignature() {
>         try {
>             // Digest the PDF content read from inputStream
>             byte[] b = new byte[4096];
>             int count;
>             while ((count = inputStream.read(b)) > 0) {
>                 digest.update(b, 0, count);
>             }
>             byte[] hashBytes = digest.digest();
>             // Build our own signed-attribute set around that hash and DER-encode it
>             byte[] derEncoded = getAuthenticatedAttributeSet(hashBytes, calendar)
>                     .getEncoded(ASN1Encoding.DER);
>             // The remote service takes the data to sign as Base64 text
>             List<String> hash = Collections.singletonList(new String(
>                     org.bouncycastle.util.encoders.Base64.encode(derEncoded),
>                     StandardCharsets.US_ASCII));
>             return getSignedHash(hash,
>                     cscCredentialOptions.getAuthorizationContext().getAccessToken(),
>                     cscCredentialOptions.getCredentialId(),
>                     cscCredentialOptions.getCredentialAuthParameters().getPin(),
>                     signAlgo);
>         } catch (Exception e) {
>             LOG.error(e.getMessage(), e);
>             // Fail loudly instead of falling off the end of the method without a return
>             throw new IllegalStateException("external signing failed", e);
>         }
>     }
>
>     @Override
>     public OutputStream getOutputStream() {
>         return stream;
>     }
>
>     @Override
>     public AlgorithmIdentifier getAlgorithmIdentifier() {
>         // 1.2.840.113549.1.1.11 = sha256WithRSAEncryption
>         return new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.1.1.11"));
>     }
> };{code}
> {code:java}
> // Builds the signed attributes by hand: contentType, signingTime and messageDigest
> public DERSet getAuthenticatedAttributeSet(byte[] secondDigest, Calendar signingTime) {
>     ASN1EncodableVector attribute = new ASN1EncodableVector();
>
>     // contentType (1.2.840.113549.1.9.3) = id-data (1.2.840.113549.1.7.1)
>     ASN1EncodableVector v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.3"));
>     v.add(new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1")));
>     attribute.add(new DERSequence(v));
>
>     // signingTime (1.2.840.113549.1.9.5) as UTCTime
>     v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5"));
>     v.add(new DERSet(new DERUTCTime(signingTime.getTime())));
>     attribute.add(new DERSequence(v));
>
>     // messageDigest (1.2.840.113549.1.9.4) over the signed content
>     v = new ASN1EncodableVector();
>     v.add(new ASN1ObjectIdentifier("1.2.840.113549.1.9.4"));
>     v.add(new DERSet(new DEROctetString(secondDigest)));
>     attribute.add(new DERSequence(v));
>
>     // DERSet sorts its elements on encoding, as DER requires for SET OF
>     return new DERSet(attribute);
> }{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
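The following is an added example (not code from the issue, from PDFBox or from BouncyCastle) of the approach the comment describes: the {{ContentSigner}} signs exactly the bytes the generator hands it, and any change to the signed attributes is made through a custom {{CMSAttributeTableGenerator}} on the {{SignerInfoGenerator}}. The {{RemoteSigner}} interface is an assumed placeholder for the external trust service; dropping {{signingTime}} is one illustrative customization and not something the comment prescribes.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;

import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSAttributeTableGenerator;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public final class ExternalCmsSigning {

    /** Hypothetical adapter for the remote trust service: RSA PKCS#1 v1.5 with SHA-256 over toBeSigned. */
    public interface RemoteSigner {
        byte[] signSha256WithRsa(byte[] toBeSigned) throws Exception;
    }

    /**
     * ContentSigner that signs exactly what BouncyCastle writes to it. With signed
     * attributes present, those bytes are the DER encoding of the attribute SET that the
     * generator itself embeds in the SignerInfo, so the resulting signature verifies.
     */
    static final class RemoteContentSigner implements ContentSigner {
        private final ByteArrayOutputStream toBeSigned = new ByteArrayOutputStream();
        private final RemoteSigner remote;

        RemoteContentSigner(RemoteSigner remote) {
            this.remote = remote;
        }

        @Override
        public AlgorithmIdentifier getAlgorithmIdentifier() {
            // sha256WithRSAEncryption, the same OID the issue hard-codes
            return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        }

        @Override
        public OutputStream getOutputStream() {
            return toBeSigned;
        }

        @Override
        public byte[] getSignature() {
            try {
                // Do not hash the PDF or build attributes here: sign what was written.
                return remote.signSha256WithRsa(toBeSigned.toByteArray());
            } catch (Exception e) {
                throw new IllegalStateException("remote signing failed", e);
            }
        }
    }

    /**
     * Signed-attribute generator: start from BC's standard table (contentType,
     * messageDigest, signingTime, ...) and adjust it. As an illustration, signingTime
     * is removed here; the generator still computes messageDigest over the content.
     */
    static final CMSAttributeTableGenerator SIGNED_ATTRS = new DefaultSignedAttributeTableGenerator() {
        @Override
        public AttributeTable getAttributes(Map parameters) {
            AttributeTable table = super.getAttributes(parameters);
            return table.remove(CMSAttributes.signingTime);
        }
    };

    /** Produce the detached CMS container that PDFBox embeds via ExternalSigningSupport. */
    public static byte[] buildDetachedCms(byte[] content, X509Certificate signerCert,
                                          List<X509Certificate> chain, RemoteSigner remote)
            throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(
                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                        .setSignedAttributeGenerator(SIGNED_ATTRS)
                        .build(new RemoteContentSigner(remote), signerCert));
        gen.addCertificates(new JcaCertStore(chain));
        // false = detached: the PDF byte range is the content, not encapsulated in the CMS
        CMSSignedData signed = gen.generate(new CMSProcessableByteArray(content), false);
        return signed.getEncoded();
    }
}
```

If the remote service only accepts a precomputed hash (as a CSC signHash call does), the adapter should SHA-256 the bytes it receives and submit that digest; an RSA PKCS#1 v1.5 signature over the digest of the DER-encoded attributes is exactly the signature the SignerInfo needs, so nothing else changes.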