Hi, I want to sign a PDF file using the signature certificate of a Belgian EID card. I also want this signature to be considered valid if the root certificate (Belgium Root CA, or Belgium Root CA 2) is trusted on the computer where the PDF file is opened.
My Java code is based on the example from this website: http://itext.ugent.be/articles/eid-pdf/index.php?page=3#recipient

The main adjustment is that an array of three certificates is passed to the setCrypto() method, instead of only one. I believe this is necessary to include the certificate chain in the signed PDF. (Correct?)

Unfortunately, when I open the signed PDF file in Adobe Reader, the issuing certificates (Citizen CA and Belgium Root CA 2) are not included in the certificate path. All I can see is the signing certificate. Is there something obvious I'm doing wrong?

I found another thread that looks related to this, but I'm not sure if it is, or what it means exactly: http://itext-general.2136553.n4.nabble.com/Another-spec-question-regarding-a-PKCS1-detail-tp3264914p3264914.html

Does this mean there's a bug in iText and that it's impossible to include the certificate chain in a PDF? Or is there another way to sign a PDF that doesn't have these problems?

Thank you,
Bram

    public void exportToSignedPdf(JasperPrint jasperPrint, String fileName) throws Throwable {
        byte[] pdfBytes = JasperExportManager.exportReportToPdf(jasperPrint);
        PdfReader reader = new PdfReader(pdfBytes);
        FileOutputStream fout = new FileOutputStream(fileName);
        PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0');
        PdfSignatureAppearance sap = stamper.getSignatureAppearance();

        BelpicCard scd = new BelpicCard("");
        X509Certificate[] certs = new X509Certificate[3];
        certs[0] = scd.getNonRepudiationCertificate();
        certs[1] = scd.getCertificationAuthorityCertificate();
        certs[2] = scd.getRootCertificationAuthorityCertificate();

        sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
        sap.setVisibleSignature(new Rectangle(350, 65, 470, 95), 1, null);
        sap.setExternalDigest(new byte[128], new byte[20], "RSA");
        sap.preClose();

        PdfPKCS7 sig = sap.getSigStandard().getSigner();
        byte[] content = streamToByteArray(sap.getRangeStream());
        byte[] hash = MessageDigest.getInstance("SHA-1").digest(content);
        byte[] signatureBytes = scd.generateNonRepudiationSignature(hash);
        sig.setExternalDigest(signatureBytes, null, "RSA");

        PdfDictionary dic = new PdfDictionary();
        dic.put(PdfName.CONTENTS, new PdfString(sig.getEncodedPKCS1()).setHexWriting(true));
        sap.close(dic);
    }

    public static byte[] streamToByteArray(InputStream stream) throws Throwable {
        if (stream == null) {
            return null;
        } else {
            ByteArrayOutputStream byteArray = new ByteArrayOutputStream();
            byte buffer[] = new byte[1024];
            int c = 0;
            while ((c = stream.read(buffer)) > 0) {
                byteArray.write(buffer, 0, c);
            }
            byteArray.flush();
            return byteArray.toByteArray();
        }
    }
