Hi!
I don't think that model is too unusual; you are likely to find it wherever
you have heterogeneous load-balancing signature card farms instead of
workstations with individual card terminals, and have to cope with an API that
decides just in time which signature card to use, e.g. in medium-volume
e-billing contexts.
amarianoelaide,
the second possibility you mention cannot work, as data from the certificate is
integrated into the signed data. The first possibility only works if each user
has one and only one certificate that might be chosen for him; this might not
be a realistic assumption in the long run, considering scalability issues.
You might want to try something like this, at least if the signature creation
and manipulation APIs you use allow you to create signatures in PKCS#7 format
for a given hash:
pdfStamper = PdfStamper.createSignature(pdfReader, null, '\0', targetPdfFile, true);
pdfSigApp = pdfStamper.getSignatureAppearance();
pdfSigApp.setVisibleSignature(new Rectangle(area[0], area[1], area[2], area[3]),
        signaturePage, signatureLabel);
pdfSigApp.setImage(Image.getInstance(imageUrl));
// empty layer-2 text: with no certificate set, iText must not try to build the text from it
pdfSigApp.setLayer2Text("");
PdfSignature sigDic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_DETACHED);
sigDic.put(PdfName.FT, PdfName.SIG);
sigDic.setDate(new PdfDate(calendar));
sigDic.setReason(signingReason);
sigDic.setLocation(location);
sigDic.setContact(signerContactInfo);
//sigDic.setName(signerName);
pdfSigApp.setCryptoDictionary(sigDic);
pdfSigApp.setAcro6Layers(true);
// reserve room for the hex-encoded /Contents entry: two hex digits per byte plus the '<' and '>' delimiters
HashMap<PdfName, Integer> exclusions = new HashMap<PdfName, Integer>();
exclusions.put(PdfName.CONTENTS, Integer.valueOf(containerPlaceHolderSize * 2 + 2));
pdfSigApp.preClose(exclusions);
then hash pdfSigApp.getRangeStream() and create a PKCS#7 signature container in
a byte[] signatureContent, then
if (signatureContent.length > containerPlaceHolderSize) {
    throw new IllegalStateException("PKCS#7 container does not fit the reserved /Contents space");
}
byte out[] = new byte[containerPlaceHolderSize];  // zero-padded up to the reserved size
System.arraycopy(signatureContent, 0, out, 0, signatureContent.length);
PdfDictionary updates = new PdfDictionary();
updates.put(PdfName.CONTENTS, new PdfString(out).setHexWriting(true));
pdfSigApp.close(updates);
As you don't know beforehand which certificate will be used for the signature,
you obviously can't include data about the certificate in the signature
representation. Simply use an image descriptive enough; details about the
certificate are visible in the signature properties.
Regards, Michael.
-----Original Message-----
From: Leonard Rosenthol [mailto:[email protected]]
Sent: Monday, February 16, 2009 3:35 PM
To: Post all your questions about iText here
Subject: Re: [iText-questions] signing pdf with external signature
I think the only way you are going to solve your problem cleanly is to modify
iText and provide an alternative set of signing APIs that work in your model,
which as Paulo points out, is quite unusual.
Leonard
-----Original Message-----
From: amarianoelaide [mailto:[email protected]]
Sent: Monday, February 16, 2009 5:31 AM
To: [email protected]
Subject: Re: [iText-questions] signing pdf with external signature
I'm sorry for the lack of clarity of my thread and also of my English.
I'll try my best to explain again what I need.
Obviously I need to sign a PDF.
I am able to do it with this code:
// get the certificate used to sign, call it certificate
// (needs com.lowagie.text.pdf.*, com.lowagie.text.Rectangle, java.io.*,
//  java.security.MessageDigest and java.security.cert.Certificate)
PdfReader reader = new PdfReader("pdf_to_be_signed.pdf");
FileOutputStream fout = new FileOutputStream("signed_pdf.pdf");
PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
// the certificate is already needed here, before anything has been hashed
sap.setCrypto(null, new Certificate[] { certificate }, null, PdfSignatureAppearance.SELF_SIGNED);
sap.setReason("Hello");
sap.setLocation("Italy");
sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
// placeholders sized for a 1024-bit RSA signature (128 bytes) and a SHA-1 digest (20 bytes)
sap.setExternalDigest(new byte[128], new byte[20], null);
sap.preClose();
MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
byte buf[] = new byte[8192];
int n;
InputStream inp = sap.getRangeStream();
while ((n = inp.read(buf)) > 0) {
    messageDigest.update(buf, 0, n);
}
byte hash[] = messageDigest.digest();
// sign this hash with an external procedure that gives me signed_hash
PdfPKCS7 sig = sap.getSigStandard().getSigner();
sig.setExternalDigest(signed_hash, null, "RSA");
PdfDictionary dic2 = new PdfDictionary();
dic2.put(PdfName.CONTENTS, new PdfString(sig.getEncodedPKCS1()).setHexWriting(true));
sap.close(dic2);
Call this piece of code CASE1.
So what's the problem?
The problem is that to use the CASE1 I need to observe a strict order for
the operations:
1-get the certificate to use for the signature operation
2-use a PDFReader to read the pdf to sign
3-use a PDFStamper to modify the pdf creating the signed one
4-use PdfSignatureAppearance to create the "signature field"
5-fill this signature field with certificate, reason, location etc....
6-get the hash to be signed
7-sign it with an external proc
8-add the signature
The problem is the first point. I have the certificate only at point 7.
It means that I don't choose the certificate used to sign. It's the external
signature procedure that, based on the user that logs in, uses one certificate
rather than another and returns to me the signature and the certificate used
to sign.
QUESTION 1:
Is it possible to change the code of CASE1 so as not to need a certificate
during the creation of the PdfSignatureAppearance object, and to add it only
after point 7?
If yes, could you help me with some sample code?
If the answer to question 1 is no, the only thing I can do is to use a
"fake" certificate.
Doing so, I obtain a PDF signed with the wrong certificate, and then I need
to replace the signature and certificate in the signed PDF with the right
ones.
I think there are 2 possibilities:
1-sign the pdf once simply to obtain the certificate and then sign again to
obtain the real signed pdf.
2-sign the pdf once simply to obtain the certificate and then replace the
certificate and the signature in the signed pdf with the right ones.
If the solution is the second one, I have no idea how to do it.
In this case sample code to drive me step by step would be great.
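An added example, written by the editor and not code from the iText project or from anyone on this thread, that puts Michael's preClose/hash/close procedure from the top of the thread into one runnable program and applies it to the ordering problem in amarianoelaide's question above, where the certificate only exists at step 7. It assumes iText 2.1.x (com.lowagie packages, three-argument getAuthenticatedAttributeBytes) and a BouncyCastle release that still ships X509V3CertificateGenerator, on Java 5 or later. The SigningService class, the user names, the file names, the 8192-byte container size and the generated self-signed "card" certificates are all constructed for the example and stand in for the real card-farm API; the input PDF is generated on the fly so it runs offline.

```java
import com.lowagie.text.*;
import com.lowagie.text.pdf.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import java.io.*;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class DeferredCardFarmSigning {
    static final int CONTAINER_SIZE = 8192; // bytes reserved in /Contents (assumed: one cert, no CRL or OCSP)

    /** Stand-in for the external card-farm API (constructed for this example): picks the card for the
     *  logged-in user and returns a detached PKCS#7 for a hash supplied by the caller. */
    static class SigningService {
        private final Map<String, KeyPair> keys = new HashMap<String, KeyPair>();
        private final Map<String, Certificate[]> chains = new HashMap<String, Certificate[]>();

        void enrol(String user) throws Exception {  // generated self-signed "card" cert, not real card material
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair kp = kpg.generateKeyPair();
            X509V3CertificateGenerator g = new X509V3CertificateGenerator();
            g.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
            g.setIssuerDN(new X500Principal("CN=" + user + " card"));
            g.setSubjectDN(new X500Principal("CN=" + user + " card"));
            g.setNotBefore(new Date(System.currentTimeMillis() - 86400000L));
            g.setNotAfter(new Date(System.currentTimeMillis() + 365L * 86400000L));
            g.setPublicKey(kp.getPublic());
            g.setSignatureAlgorithm("SHA1withRSA");
            keys.put(user, kp);
            chains.put(user, new Certificate[] { g.generate(kp.getPrivate(), "BC") });
        }

        /** Hash in, DER-encoded PKCS#7 out; the caller never touches the key or the certificate choice. */
        byte[] signHash(String user, byte[] documentHash, Calendar signingTime) throws Exception {
            PdfPKCS7 sgn = new PdfPKCS7(keys.get(user).getPrivate(), chains.get(user), null, "SHA1", null, false);
            byte[] attrs = sgn.getAuthenticatedAttributeBytes(documentHash, signingTime, null);
            sgn.update(attrs, 0, attrs.length);   // the card signs the authenticated attributes
            return sgn.getEncodedPKCS7(documentHash, signingTime);
        }
    }

    /** One-page input document, constructed so the example runs offline. */
    static void createSource(String path) throws Exception {
        Document doc = new Document();
        PdfWriter.getInstance(doc, new FileOutputStream(path));
        doc.open();
        doc.add(new Paragraph("Invoice 4711, net EUR 1,200.00"));
        doc.close();
    }

    static byte[] sha1(InputStream in) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
        return md.digest();
    }

    /** Reserve space, hash the byte range, let the farm choose the card, then fill /Contents. */
    static void sign(String user, String src, String dst, SigningService farm) throws Exception {
        PdfStamper stp = PdfStamper.createSignature(new PdfReader(src), new FileOutputStream(dst), '\0', null, true);
        PdfSignatureAppearance sap = stp.getSignatureAppearance();
        sap.setVisibleSignature(new Rectangle(72, 72, 300, 150), 1, "sig1");
        // No certificate yet, so iText cannot derive the layer-2 text from a signer name: set it explicitly.
        sap.setLayer2Text("Signed electronically; the certificate is shown in the signature properties");
        sap.setAcro6Layers(true);
        Calendar now = Calendar.getInstance();
        PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_DETACHED);
        dic.setDate(new PdfDate(now));
        sap.setCryptoDictionary(dic);
        HashMap<PdfName, Integer> exclusions = new HashMap<PdfName, Integer>();
        exclusions.put(PdfName.CONTENTS, Integer.valueOf(CONTAINER_SIZE * 2 + 2)); // hex digits plus '<' and '>'
        sap.preClose(exclusions);
        byte[] hash = sha1(sap.getRangeStream());        // every byte outside the /Contents hole
        byte[] pkcs7 = farm.signHash(user, hash, now);   // certificate decided here, not at step 1
        if (pkcs7.length > CONTAINER_SIZE) throw new IllegalStateException("container exceeds reserved /Contents space");
        byte[] padded = new byte[CONTAINER_SIZE];        // trailing zero bytes after the DER are ignored by readers
        System.arraycopy(pkcs7, 0, padded, 0, pkcs7.length);
        PdfDictionary update = new PdfDictionary();
        update.put(PdfName.CONTENTS, new PdfString(padded).setHexWriting(true));
        sap.close(update);
    }

    /** Verify the signature and its coverage, and report which certificate the farm actually used. */
    static String signerOf(String pdf) throws Exception {
        AcroFields af = new PdfReader(pdf).getAcroFields();
        String name = (String) af.getSignatureNames().get(0);   // the single field created by sign()
        PdfPKCS7 pk = af.verifySignature(name);
        if (!pk.verify() || !af.signatureCoversWholeDocument(name))
            throw new SecurityException("signature " + name + " is invalid or does not cover the whole document");
        return pk.getSigningCertificate().getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        SigningService farm = new SigningService();
        farm.enrol("bob");
        createSource("invoice.pdf");
        sign("bob", "invoice.pdf", "invoice-signed.pdf", farm);   // the caller never handled bob's certificate
        System.out.println("signed by " + signerOf("invoice-signed.pdf"));
    }
}
```

Two caveats belong with this. pk.verify() only proves that the CMS signature matches the hashed byte range; building and validating the chain of whatever certificate the farm returned (trust anchor, validity period, revocation) is still the caller's job and is deliberately left out above. The size check before System.arraycopy fails the signing instead of truncating the container, so CONTAINER_SIZE has to be revisited as soon as the service starts embedding a longer chain, a CRL or an OCSP response. Newer iText releases moved this flow into ExternalSignatureContainer (iText 5) and PdfSigner.signExternalContainer (iText 7); the idea is the same, the calls differ.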
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions
Buy the iText book: http://www.1t3xt.com/docs/book.php