pdfProof is also an nCipher solution, which works alongside the dse200 to digitally sign + timestamp pdf docs.
Unfortunately it works only as an Adobe plug-in ... it can't be used to programmatically automate signing of pdf documents.
But if pdfProof can sign the pdf using the timestamped signature given by the dse200, then hopefully it should also be possible by using iText ... fingers crossed :)
cheers
chico
"Paulo Soares" <[EMAIL PROTECTED]> 22/10/2004 15:01
From the source code I can't tell if it works although if there's a product called pdfProof to work with the dse200 I can assume that there's a way to do it.
Best Regards,
Paulo Soares
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 22, 2004 2:15 PM
To: Paulo Soares; [EMAIL PROTECTED]
Subject: RE: [iText-questions] digital signature incorporated back into existing pdf - Can PdfStamper help me?
thx for the clarification :)
I'll eagerly await the enhancement.
cheers
chico
ps. just as an add-on, here's a snippet of the sample code that comes with the dse200 sdk, on how I get the time-stamped signature. Might make it easier to understand what I'm trying to work with.
    // Open input stream for file to be time-stamped - This would be the original PDF contents
    try {
        fis = new FileInputStream( args[1] );
    } catch ( FileNotFoundException e ) {
        System.out.println("File " + args[1] + " does not exist");
        System.exit(3);
    }
    byte[] digestBuf = null;
    byte[] encodedTSQ = null;
    DigestInputStream dis;
    // Create digest of file and time-stamp request
    try {
        digestBuf = new byte[4096];
        // "SHA" is the JCA alias for SHA-1
        dis = new DigestInputStream( fis, MessageDigest.getInstance("SHA") );
        // Read to end of stream: read() may return fewer bytes than requested
        // before EOF, so loop until it returns -1 or part of the file is not digested.
        while ( dis.read( digestBuf, 0, digestBuf.length ) != -1 );
        // The DataImprint object is the "data to be time-stamped"
        DataImprint dataImprint = new DataImprint();
        dataImprint.setHashAlgorithm( new AlgorithmIdentifier( AlgorithmIdentifier.sha_1 ) );
        dataImprint.setHashedData( dis.getMessageDigest().digest() );
        TimeStampRequest tsq = new TimeStampRequest();
        tsq.setDataImprint( dataImprint );
        // Set the nonce. It allows the client to verify the timeliness
        // of the response when no trusted local clock is available.
        // java.security.SecureRandom keeps the nonce unpredictable; a
        // java.util.Random seeded with the current time can be guessed.
        SecureRandom rand = new SecureRandom();
        tsq.setNonce( BigInteger.valueOf( rand.nextLong() ) );
        // Request that the TSA signer certificate be included in the TimeStampToken.
        // This allows a TimeStampToken signature to be verified without an
        // external TSA certificate.
        tsq.setCertReq( true );
        // Set the request policy under which this TimeStampToken should be issued.
        tsq.setReqPolicy( new PolicyIdentifier( PolicyIdentifier.serviceClass ) );
        // Create the encoded request.
        encodedTSQ = tsq.encodeRequest();
    }
    catch ( EncodingException e ) {
        System.out.println( "Error encoding the request: " + e.getMessage() );
        e.printStackTrace();
        System.exit(1);
    }
    // encodedTST will contain the PKCS#7 Signed Data
    byte[] encodedTST = null;
    try {
        // Send the request to the Trusted Time StampServer
        // and get the response (an encoded TimeStampToken)
        TimeStampServerTCP tss = new TimeStampServerTCP( args[0] );
        encodedTST = tss.submitRequest( encodedTSQ, REQUEST_TIMEOUT );
    ....
"Paulo Soares" <[EMAIL PROTECTED]> 22/10/2004 10:58
Let's clarify a bit how signatures work. In this context a PKCS#7 is a way to encapsulate a PKCS#1 signature and that's what we are interested in.
To generate a PKCS#1 signature a hash and a PK algorithm are needed. The data is hashed and after padding is encrypted with the private key. The data here is the (usually) two byte ranges in the pdf. You have two options:
- provide the encryptor with the data
- provide the encryptor with the hash understanding that it's the hash in the PKCS#1 and not some other hash that will be interpreted as data by the PKCS#1
I'm currently developing a way to insert either the PKCS#1 or the PKCS#7 in the PDF for outside signing. It should be ready by the end of the month.
Best Regards,
Paulo Soares
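
The two options in the message above, as an added example (not code from this thread, from iText or from the dse200 SDK): with the same key, signing the data and signing its precomputed hash give byte-identical PKCS#1 v1.5 signatures, while a hash that the signer treats as data and hashes again gives a signature that does not verify against the document. The class name, the sample input and the throwaway key are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class Pkcs1HashOptions {
    // DER header of a SHA-1 DigestInfo (RFC 8017, section 9.2); the 20-byte hash follows it.
    static final byte[] SHA1_PREFIX = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
        0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };

    static byte[] sign(String alg, PrivateKey key, byte[] input) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(input);
        return s.sign();
    }

    // Verifies as a PDF reader would: hash the signed bytes, compare with the PKCS#1 content.
    static boolean verifies(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key standing in for the external signer
        // Constructed sample input; in a PDF this would be the signed byte ranges.
        byte[] data = "constructed stand-in for the PDF byte ranges".getBytes(StandardCharsets.UTF_8);
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(data); // SHA-1 as in the thread

        // Option 1: the signer is given the data and hashes it itself.
        byte[] fromData = sign("SHA1withRSA", kp.getPrivate(), data);

        // Option 2: the signer is given the hash; it is wrapped in DigestInfo, padded and
        // signed with no further hashing (NONEwithRSA applies PKCS#1 v1.5 padding only).
        byte[] digestInfo = Arrays.copyOf(SHA1_PREFIX, SHA1_PREFIX.length + hash.length);
        System.arraycopy(hash, 0, digestInfo, SHA1_PREFIX.length, hash.length);
        byte[] fromHash = sign("NONEwithRSA", kp.getPrivate(), digestInfo);

        // The mix-up: the hash is treated as data and hashed a second time.
        byte[] rehashed = sign("SHA1withRSA", kp.getPrivate(), hash);
        System.out.println("option 1 == option 2:     " + Arrays.equals(fromData, fromHash));
        System.out.println("option 2 verifies:        " + verifies(kp.getPublic(), data, fromHash));
        System.out.println("re-hashed input verifies: " + verifies(kp.getPublic(), data, rehashed));
    }
}
```
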
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 22, 2004 10:09 AM
To: [EMAIL PROTECTED]; Paulo Soares
Subject: Re: [iText-questions] digital signature incorporated back into existing pdf - Can PdfStamper help me?
kewl, i've found and downloaded itext-paulo-139 ... checkin that out now.
I send an encoded request over to the dse200 server, which contains a SHA-1 digest of the data to be time-stamped. The dse200 server then returns me an encoded time-stamp token (timestamped digital signature as a byte array) which is a PKCS #7 SignedData object. And according to the documentation the signature can then be verified with any cryptographic toolkit that supports PKCS #7.
I don't think I can use PdfStamper directly as is, but maybe I can extend it and change the close method to suit my needs. Do you think this is possible? If so, any suggestions on how I may do that?
thx :)
chico
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 21, 2004 16:23
Subject: [iText-questions] digital signature incorporated back into existing
pdf - Can PdfStamper help me?
> Hi,
>
> I've looked at the document http://itextpdf.sourceforge.net/howtosign.html
> and I've got some questions about it.
>
> First, I can't find the following method:
> PdfStamper.createInvisibleSignature().
> Has this been changed??
>
You'll need itext-paulo-139.
>
> That aside, what I'm more interested in solving is the following:
>
> I'm using iText to generate a sample pdf, but then I'm using a third-party
> tool (ncipher dse200 - http://www.ncipher.com/dse/index.html) to generate
> me a time-stamped digital signature for that sample pdf.
> I then want to incorporate this generated time-stamped digital signature
> back into the original pdf using iText. Can I do this using PdfStamper?
>
Maybe. It depends on what you feed to the machine and if you can get a
PKCS#1 object from it.
Best Regards,
Paulo Soares
> cheers
> chico
