jackd wrote:
> I'm running into the same issue where some PDFs are reported as modified,
> even when they haven't been modified.
>
> Here's a sample:
> https://docs.google.com/file/d/0B_Yi6q-Fwp_Ad3VWcWxES2tFeVk/edit?usp=sharing
Having run your signature through a different verification engine I got an error message:

> validateSignature failed :UserNotice: Asn1Exception: Element
> visibleString.getLength() with value 423 violates defined constraint.

Upon closer inspection it turns out that one of the certificates used in your signature indeed contains a certificate policy element with a user notice having an explicit text of 423 characters:

 813   04  508: OCTET STRING, encapsulates {
                 <30 82 01 F8>
 817   30  504:   SEQUENCE {
                 <30 82 01 F4>
 821   30  500:     SEQUENCE {
                 <06 09>
 825   06    9:       OBJECT IDENTIFIER '1 2 840 113583 1 2 1'
                 <30 82 01 E5>
 836   30  485:       SEQUENCE {
                 <30 26>
 840   30   38:         SEQUENCE {
                 <06 08>
 842   06    8:           OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
              :             (PKIX policy qualifier)
                 <16 1A>
 852   16   26:           IA5String 'http://www.entrust.net/cps'
              :           }
                 <30 82 01 B9>
 880   30  441:         SEQUENCE {
                 <06 08>
 884   06    8:           OBJECT IDENTIFIER unotice (1 3 6 1 5 5 7 2 2)
              :             (PKIX policy qualifier)
                 <30 82 01 AB>
 894   30  427:           SEQUENCE {
                 <1A 82 01 A7>
 898   1A  423:             VisibleString
              :               'The Certification Practice Statement (CPS) for A'
              :               'dobe Certified Document Services (CDS) available'
              :               ' at www.entrust.net/CPS is hereby incorporated i'
              :               'nto your use or reliance on this Certificate. Th'
              :               'is CPS contains limitations on warranties and li'
              :               'abilities. Reliance on a CDS-signed document is '
              :               'only permitted if verified on a Supported Platfo'
              :               'rm (as identified in the Adobe Certificate Polic'
              :               [ Another 39 characters skipped ]
              :             }
              :           }
              :         }
              :       }
              :     }
              :   }
              : }

According to the RFCs, though:

> An explicitText field includes the textual statement directly in the
> certificate. The explicitText field is a string with a maximum size of
> 200 characters.

Thus, in some cases your signature will be rejected as it does not conform to the standards.

Furthermore the use of VisibleString here is somewhat troublesome. Up to RFC 3280 (April 2002) inclusively any DisplayText choice (ia5String, visibleString, bmpString, and utf8String) could be used.
Since RFC 5280 (May 2008) this choice was restricted to ia5String and utf8String:

> An explicitText field includes the textual statement directly in the
> certificate. The explicitText field is a string with a maximum size of
> 200 characters. Conforming CAs SHOULD use the UTF8String encoding for
> explicitText, but MAY use IA5String. Conforming CAs MUST NOT encode
> explicitText as VisibleString or BMPString. The explicitText string
> SHOULD NOT include any control characters (e.g., U+0000 to U+001F and
> U+007F to U+009F). When the UTF8String encoding is used, all character
> sequences SHOULD be normalized according to Unicode normalization form C
> (NFC) [NFC].

Only very recently RFC 6818 (January 2013) changed this restriction somewhat:

> An explicitText field includes the textual statement directly in the
> certificate. The explicitText field is a string with a maximum size of
> 200 characters. Conforming CAs SHOULD use the UTF8String encoding for
> explicitText. VisibleString or BMPString are acceptable but less
> preferred alternatives. Conforming CAs MUST NOT encode explicitText as
> IA5String. The explicitText string SHOULD NOT include any control
> characters (e.g., U+0000 to U+001F and U+007F to U+009F). When the
> UTF8String or BMPString encoding is used, all character sequences SHOULD
> be normalized according to Unicode normalization form C (NFC) [NFC].

Thus, only since January this year has VisibleString, as used in your signature, become a valid choice again for SOTA certificate encoding.

This all being said, I don't think this causes your troubles in concert with iText, as BouncyCastle generally ignores such subtleties, which sometimes is good and sometimes bad.

Regards,
Michael

--
View this message in context: http://itext-general.2136553.n4.nabble.com/iText-PdfPKCS7-verify-somethig-wrong-tp4657188p4658002.html
Sent from the iText - General mailing list archive at Nabble.com.
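As an added example (not code from the thread, nor from iText or BouncyCastle), here is a small stdlib-only Python checker that decodes a DER UserNotice and reports the two problems Michael describes: an explicitText longer than 200 characters, and a DisplayText encoding that a conforming CA MUST NOT use under RFC 5280 versus RFC 6818. The DER encoder/decoder, the profile names "rfc5280"/"rfc6818" and the 423-character sample notice are my own constructions; the sample reproduces the `30 82 01 AB` / `1A 82 01 A7` lengths from the dump above, not the real Entrust text.

```python
IA5, UTF8, VISIBLE, BMP = 0x16, 0x0C, 0x1A, 0x1E          # DisplayText universal tags
DISPLAY_TEXT = {IA5: "IA5String", UTF8: "UTF8String",
                VISIBLE: "VisibleString", BMP: "BMPString"}
# Choices a conforming CA MUST NOT use: RFC 5280 4.2.1.4 vs. the RFC 6818 update
FORBIDDEN = {"rfc5280": {VISIBLE, BMP}, "rfc6818": {IA5}}
MAX_CHARS = 200                                            # explicitText limit (both RFCs)

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + content

def parse_tlv(buf: bytes, off: int = 0):
    """Decode the TLV at buf[off]; return (tag, content, offset after it)."""
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first & 0x80:                                       # long-form length
        nbytes = first & 0x7F
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    else:
        length = first
    return tag, buf[off:off + length], off + length

def check_explicit_text(user_notice: bytes, profile: str) -> list:
    """Return the RFC violations found in a DER-encoded UserNotice (empty list = OK)."""
    tag, body, _ = parse_tlv(user_notice)
    if tag != 0x30:
        return ["UserNotice is not a SEQUENCE"]
    off = parse_tlv(body, 0)[2] if body[:1] == b"\x30" else 0   # skip optional NoticeReference
    if off >= len(body):
        return []                                          # explicitText is OPTIONAL
    tag, text, _ = parse_tlv(body, off)
    if tag not in DISPLAY_TEXT:
        return [f"explicitText tag 0x{tag:02X} is not a DisplayText choice"]
    if tag == BMP:
        chars = len(text) // 2                             # UCS-2, two bytes per character
    else:
        chars = len(text.decode("utf-8") if tag == UTF8 else text)
    problems = []
    if chars > MAX_CHARS:
        problems.append(f"explicitText has {chars} characters, maximum is {MAX_CHARS}")
    if tag in FORBIDDEN[profile]:
        problems.append(f"{DISPLAY_TEXT[tag]} encoding is not permitted under {profile}")
    return problems

# Constructed sample: a 423-character VisibleString, like the CDS certificate in the thread
SAMPLE_TEXT = ("The CPS for Adobe CDS at www.entrust.net/CPS is incorporated into your use. " * 6)[:423]
SAMPLE_NOTICE = der_tlv(0x30, der_tlv(VISIBLE, SAMPLE_TEXT.encode("ascii")))
```

Running `check_explicit_text(SAMPLE_NOTICE, "rfc5280")` reports both the length and the VisibleString choice, while under "rfc6818" only the length remains a violation, which is exactly the change in the RFCs quoted above.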