BC 1.48 has the patch in place. If it fails it's something else. I'll check.
Paulo

On Thu, Apr 11, 2013 at 12:25 PM, mkl <m...@wir-sind-cool.org> wrote:
> jackd,
>
> jackd wrote
>> I'm running into the same issue where some pdfs are reported as modified,
>> even when they haven't been modified.
>>
>> Here's a sample:
>> https://docs.google.com/file/d/0B_Yi6q-Fwp_Ad3VWcWxES2tFeVk/edit?usp=sharing
>
> Having run your signature through a different verification engine I got an
> error message:
>
>> validateSignature failed :UserNotice: Asn1Exception: Element
>> visibleString.getLength() with value 423 violates defined constraint.
>
> Upon closer inspection it turns out that one of the certificates used in
> your signature indeed contains a certificate policy element with a user
> notice having an explicit text of 423 characters:
>
>   813  04  508: OCTET STRING, encapsulates {
>                 <30 82 01 F8>
>   817  30  504:   SEQUENCE {
>                 <30 82 01 F4>
>   821  30  500:     SEQUENCE {
>                 <06 09>
>   825  06    9:       OBJECT IDENTIFIER '1 2 840 113583 1 2 1'
>                 <30 82 01 E5>
>   836  30  485:       SEQUENCE {
>                 <30 26>
>   840  30   38:         SEQUENCE {
>                 <06 08>
>   842  06    8:           OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
>              :             (PKIX policy qualifier)
>                 <16 1A>
>   852  16   26:           IA5String 'http://www.entrust.net/cps'
>              :           }
>                 <30 82 01 B9>
>   880  30  441:         SEQUENCE {
>                 <06 08>
>   884  06    8:           OBJECT IDENTIFIER unotice (1 3 6 1 5 5 7 2 2)
>              :             (PKIX policy qualifier)
>                 <30 82 01 AB>
>   894  30  427:           SEQUENCE {
>                 <1A 82 01 A7>
>   898  1A  423:             VisibleString
>              :               'The Certification Practice Statement (CPS) for A'
>              :               'dobe Certified Document Services (CDS) available'
>              :               ' at www.entrust.net/CPS is hereby incorporated i'
>              :               'nto your use or reliance on this Certificate. Th'
>              :               'is CPS contains limitations on warranties and li'
>              :               'abilities. Reliance on a CDS-signed document is '
>              :               'only permitted if verified on a Supported Platfo'
>              :               'rm (as identified in the Adobe Certificate Polic'
>              :               [ Another 39 characters skipped ]
>              :             }
>              :           }
>              :         }
>              :       }
>              :     }
>              :   }
>              : }
>
> According to the RFCs, though:
>
>> An explicitText field includes the textual statement directly in the
>> certificate. The explicitText field is a string with a maximum size of
>> 200 characters.
>
> Thus, in some cases your signature will be rejected as it does not conform
> to the standards.
>
> Furthermore the use of VisibleString here is somewhat troublesome.
>
> Up to RFC 3280 (April 2002) inclusively any DisplayText choice (ia5String,
> visibleString, bmpString, and utf8String) could be used.
>
> Since RFC 5280 (May 2008) this choice was restricted to ia5String and
> utf8String:
>
>> An explicitText field includes the textual statement directly in the
>> certificate. The explicitText field is a string with a maximum size of
>> 200 characters. Conforming CAs SHOULD use the UTF8String encoding for
>> explicitText, but MAY use IA5String. Conforming CAs MUST NOT encode
>> explicitText as VisibleString or BMPString. The explicitText string
>> SHOULD NOT include any control characters (e.g., U+0000 to U+001F and
>> U+007F to U+009F). When the UTF8String encoding is used, all character
>> sequences SHOULD be normalized according to Unicode normalization form C
>> (NFC) [NFC].
>
> Only very recently RFC 6818 (January 2013) changed this restriction
> somewhat:
>
>> An explicitText field includes the textual statement directly in the
>> certificate. The explicitText field is a string with a maximum size of
>> 200 characters. Conforming CAs SHOULD use the UTF8String encoding for
>> explicitText. VisibleString or BMPString are acceptable but less
>> preferred alternatives. Conforming CAs MUST NOT encode explicitText as
>> IA5String. The explicitText string SHOULD NOT include any control
>> characters (e.g., U+0000 to U+001F and U+007F to U+009F). When the
>> UTF8String or BMPString encoding is used, all character sequences SHOULD
>> be normalized according to Unicode normalization form C (NFC) [NFC].
>
> Thus, only since January this year VisibleString used as in your signature
> became a valid choice again for SOTA certificate encoding.
>
> This all being said, I don't think this causes your troubles in concert with
> iText as BouncyCastle generally ignores such subtleties which sometimes is
> good and sometimes bad.
>
> Regards, Michael
>
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/iText-PdfPKCS7-verify-somethig-wrong-tp4657188p4658002.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
> _______________________________________________
> iText-questions mailing list
> iText-questions@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> iText(R) is a registered trademark of 1T3XT BVBA.
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php
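The constraint the strict verifier tripped on in Michael's message (explicitText limited to 200 characters, and the DisplayText encodings each RFC allows) is small enough to check directly on the DER bytes. The following is an added example written for this thread, not code from iText, BouncyCastle or the verification engine Michael used: it encodes a PKIX UserNotice, parses it back with a minimal DER TLV reader, and reports the RFC 5280 / RFC 6818 findings. The tag constants and the function names are my own; the 423-character sample text is constructed, not the Entrust/Adobe CPS text from the dump, but it produces the same `30 82 01 AB` / `1A 82 01 A7` headers.

```python
"""Encode, decode and conformance-check a PKIX UserNotice explicitText.

Example code for the mailing-list thread above; not iText/BouncyCastle code.
Assumes a single explicitText (no noticeRef) is what we care about.
"""

# Universal ASN.1 tags used by UserNotice and the DisplayText CHOICE
TAG_UTF8STRING = 0x0C
TAG_SEQUENCE = 0x30
TAG_IA5STRING = 0x16
TAG_VISIBLESTRING = 0x1A
TAG_BMPSTRING = 0x1E

MAX_EXPLICIT_TEXT = 200  # characters, RFC 5280 section 4.2.1.4


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_display_text(text, tag):
    """DisplayText ::= CHOICE { ia5String, visibleString, bmpString, utf8String }."""
    if tag == TAG_BMPSTRING:
        return der_tlv(tag, text.encode("utf-16-be"))
    if tag == TAG_UTF8STRING:
        return der_tlv(tag, text.encode("utf-8"))
    return der_tlv(tag, text.encode("ascii"))  # IA5String / VisibleString


def build_user_notice(text, tag=TAG_VISIBLESTRING):
    """UserNotice ::= SEQUENCE { noticeRef OPTIONAL, explicitText DisplayText OPTIONAL }."""
    return der_tlv(TAG_SEQUENCE, encode_display_text(text, tag))


def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_display_text(tag, content):
    if tag == TAG_BMPSTRING:
        return content.decode("utf-16-be")
    if tag == TAG_UTF8STRING:
        return content.decode("utf-8")
    return content.decode("ascii")


def check_user_notice(der, rfc="5280"):
    """Return a list of conformance findings for the explicitText; [] means conforming.

    rfc="5280": VisibleString/BMPString are forbidden (MUST NOT).
    rfc="6818": IA5String is forbidden (MUST NOT); VisibleString/BMPString allowed.
    """
    findings = []
    tag, seq, _ = parse_tlv(der)
    if tag != TAG_SEQUENCE:
        return ["UserNotice is not a SEQUENCE"]
    pos = 0
    while pos < len(seq):
        etag, content, pos = parse_tlv(seq, pos)
        if etag == TAG_SEQUENCE:
            continue  # noticeRef (NoticeReference) is not examined here
        if etag not in (TAG_UTF8STRING, TAG_IA5STRING, TAG_VISIBLESTRING, TAG_BMPSTRING):
            findings.append(f"explicitText has unexpected tag 0x{etag:02X}")
            continue
        text = decode_display_text(etag, content)
        if len(text) > MAX_EXPLICIT_TEXT:
            findings.append(f"explicitText has {len(text)} characters; limit is {MAX_EXPLICIT_TEXT}")
        if rfc == "5280" and etag in (TAG_VISIBLESTRING, TAG_BMPSTRING):
            findings.append("RFC 5280: explicitText MUST NOT be VisibleString or BMPString")
        if rfc == "6818" and etag == TAG_IA5STRING:
            findings.append("RFC 6818: explicitText MUST NOT be IA5String")
        if any(ord(c) <= 0x1F or 0x7F <= ord(c) <= 0x9F for c in text):
            findings.append("explicitText SHOULD NOT contain control characters")
    return findings


# Constructed sample: a 423-character VisibleString notice, same size as the one in the dump
SAMPLE_TEXT = ("The CPS is hereby incorporated. " * 14)[:423]
SAMPLE_NOTICE = build_user_notice(SAMPLE_TEXT, TAG_VISIBLESTRING)

if __name__ == "__main__":
    print(SAMPLE_NOTICE[:4].hex(" "))  # 30 82 01 ab, as in the dump
    for rfc in ("5280", "6818"):
        print(rfc, check_user_notice(SAMPLE_NOTICE, rfc))
```

Running it shows why the two engines disagree: a lenient verifier that skips policy-qualifier checks accepts this certificate, while one that enforces the RFC 5280 profile reports both the length and the VisibleString encoding; under RFC 6818 only the length remains a finding.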