Hi Michael, I think the fix is right.

The digest algorithm to use when calculating the hash of the encapsulated content info is the signer's hash algorithm (RFC 5652 section 5). The signer's hash algorithm is extracted from SignerInfo (index 2 in the sequence). This is extracted from signerInfo in the field digestAlgorithm.

    digestAlgorithm = ((DERObjectIdentifier) ((ASN1Sequence) signerInfo.getObjectAt(2)).getObjectAt(0)).getId();

The message digest algorithm the fix selects for digesting the contentInfo for comparison with the messageDigest signed attribute is the same algorithm (user hash algorithm):

    encContDigest = MessageDigest.getInstance(getHashAlgorithm());

    public String getHashAlgorithm() {
        return getDigest(digestAlgorithm);
    }

So I think this is correct.

If we are still in doubt about the CMS standard I can post a question to the right IETF sources to make an extra check.

/Stefan

On 11-08-10 12:05 PM, "mkl" <m...@wir-sind-cool.org> wrote:

>Stefan, Bruno,
>
>Stefan Santesson wrote:
>> The consequence is that iText fails validation of perfectly valid signed
>> PDF documents containing encapsulated content info (as when using the
>> adbe.pkcs7.sha1 subfilter).
>>
>> [...]
>> messageDigest =
>> MessageDigest.getInstance(getHashAlgorithm());
>
>I'm not sure the code now is fixed entirely for the adbe.pkcs7.sha1 case
>(which BTW anyway isn't the format which should be used): In this case the
>byte range must be hashed using SHA1 while the CMS hashing algorithm may be
>different. But the current (and also the former) PdfPKCS7 code to me seems
>to use the CMS hashing algorithm for calculating both hashes.
>
>As we don't use the adbe.pkcs7.sha1 subfilter here (SHA1 has not been a
>valid choice for qualified signatures here for some time), though, I am not
>too deep into this use case. Thus, I may be abysmally wrong on this
>subject.
>
>Regards, Michael.
>
>--
>View this message in context:
>http://itext-general.2136553.n4.nabble.com/Signature-validation-bug-in-iText-5-1-1-tp3729972p3732474.html
>Sent from the iText - General mailing list archive at Nabble.com.
>
>_______________________________________________
>iText-questions mailing list
>iText-questions@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/itext-questions
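
The two hash comparisons discussed in this thread for the adbe.pkcs7.sha1 subfilter, written out as an added example that is not part of the original messages or of iText's code: SHA-1 over the byte range against the encapsulated content, and the signer's digestAlgorithm over the encapsulated content against the messageDigest signed attribute. The class name, the helper `digestsMatch` and the sample bytes are constructed for illustration; verifying the signature over the signed attributes is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

public class DigestSelectionDemo {
    // Digest OIDs as they appear in SignerInfo.digestAlgorithm, mapped to JCA names.
    static final Map<String, String> JCA_NAMES = Map.of(
        "1.3.14.3.2.26", "SHA-1",
        "2.16.840.1.101.3.4.2.1", "SHA-256",
        "2.16.840.1.101.3.4.2.2", "SHA-384",
        "2.16.840.1.101.3.4.2.3", "SHA-512");

    static byte[] digest(String jcaName, byte[] data) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance(jcaName).digest(data);
    }

    // Hypothetical helper: the two hash comparisons for an adbe.pkcs7.sha1 signature.
    static boolean digestsMatch(byte[] byteRange, byte[] eContent,
                                String signerDigestOid, byte[] messageDigestAttr)
            throws NoSuchAlgorithmException {
        String signerAlg = JCA_NAMES.get(signerDigestOid);
        if (signerAlg == null) {
            throw new NoSuchAlgorithmException("unsupported digest OID " + signerDigestOid);
        }
        // 1. The subfilter fixes SHA-1 for the byte range; eContent carries that hash.
        boolean rangeOk = MessageDigest.isEqual(digest("SHA-1", byteRange), eContent);
        // 2. The messageDigest signed attribute covers eContent and uses the
        //    signer's digestAlgorithm (RFC 5652 section 5).
        boolean attrOk = MessageDigest.isEqual(digest(signerAlg, eContent), messageDigestAttr);
        return rangeOk && attrOk;
    }

    public static void main(String[] args) throws Exception {
        String sha256Oid = "2.16.840.1.101.3.4.2.1";
        // Constructed sample values, not taken from a real PDF.
        byte[] range = "%PDF-1.7 constructed byte range".getBytes(StandardCharsets.US_ASCII);
        byte[] eContent = digest("SHA-1", range);
        byte[] attr = digest("SHA-256", eContent);

        System.out.println("valid document:        " + digestsMatch(range, eContent, sha256Oid, attr));
        byte[] tampered = "%PDF-1.7 tampered byte range".getBytes(StandardCharsets.US_ASCII);
        System.out.println("tampered byte range:   " + digestsMatch(tampered, eContent, sha256Oid, attr));
        // Hashing the byte range with the CMS algorithm instead of SHA-1 cannot match eContent.
        System.out.println("CMS alg on byte range: "
            + MessageDigest.isEqual(digest("SHA-256", range), eContent));
    }
}
```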