Hi Michael

Thanks for your analysis. I guess I have to look for the problem in either the certificate or BouncyCastle. The strange thing is that everything seems to work as expected in iTextSharp and also in Acrobat Reader.
The call that fails is when the digest is verified in the verify() method of the PdfPKCS7 class:

    boolean sigVerify = sig.verify(digest);

As far as I checked, the two digests submitted for verification are the same for both Java (iText) and .NET (iTextSharp)...

Regards
Stephan

On 05.07.2013 16:31, mkl wrote:
> Stephan,
>
> Stephan Wagner (calac) wrote
>> If I try to verify a digitally signed PDF with iText (5.4.2) verify()
>> always returns false (wrong result)
>> If I try to verify the same PDF with iTextSharp (5.4.2) Verify() returns
>> true (expected result)
>> The digital signature is also valid in Acrobat Reader (Xi) (expected
>> result)
>> n2013.00849449.pdf (150K)
>> <http://itext-general.2136553.n4.nabble.com/attachment/4658692/0/n2013.00849449.pdf>
> I inspected the CMS signature in your sample document, and to me it looks
> like there is an error in the encoding of the SigningCertificate signed
> attribute. It starts like this:
>
> 5137 30 160: SEQUENCE {
> 5140 30 157:   SEQUENCE {
> 5143 30 154:     SEQUENCE {
> 5146 04  20:       OCTET STRING
> 5168 30 129:       SEQUENCE {
> 5171 30 109:         SEQUENCE {
> 5173 A4 107:           [4] {
> 5175 30 105:             SEQUENCE {
> 5177 30 103:               SEQUENCE {
> 5179 31  11:                 SET {
> 5181 30   9:                   SEQUENCE {
> 5183 06   3:                     OBJECT IDENTIFIER
>            :                       countryName (2 5 4 6)
> 5188 13   2:                     PrintableString 'ch'
>
> The tag [4] is where from GeneralNames the choice tagged 4 is chosen. The
> relevant definition excerpts:
>
> GeneralName ::= CHOICE {
>      [...]
>      directoryName [4] EXPLICIT Name,
>      [...]
>
> Name ::= CHOICE {
>      rdnSequence RDNSequence
>      [...]
>
> RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
>
> RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
>
> AttributeTypeAndValue ::= SEQUENCE {
>      type OBJECT IDENTIFIER,
>      [...]
>
> Thus, inside the explicit tag [4], there should be a SEQUENCE (RDNSequence)
> in which there should be a SET (RelativeDistinguishedName).
>
> In your case inside the explicit tag [4] there is a SEQUENCE in which is
> another SEQUENCE in which is a SET.
>
> So, unless I've read something wrong here, any application decoding this
> attribute may stumble, and as this attribute is the most secure source of
> information which certificate is associated to the signing key, they may
> reject it.
>
> I'm not sure whether this is the reason for your troubles but it would be
> understandable.
>
> Regards, Michael
>
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/Signed-PDF-fails-to-verify-in-iText-Java-but-succeeds-in-iTextSharp-and-Acrobat-Reader-tp4658692p4658700.html
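The structural check described in the quoted analysis, as an added example that is not part of the original thread and not iText or BouncyCastle code: a minimal DER walker in Python that tests whether a directoryName [4] holds SEQUENCE > SET > SEQUENCE. All function names are hypothetical and the sample bytes are constructed; the second sample adds the extra SEQUENCE level seen in the dump.

```python
def read_tlv(buf, pos=0):
    """Parse one DER TLV (definite length, single-byte tag); return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def check_directory_name(general_name):
    """Return None if the shape is [4] > SEQUENCE > SET > SEQUENCE(OID, value), else a reason."""
    tag, content, _ = read_tlv(general_name)
    if tag != 0xA4:
        return "not a directoryName [4]"
    inner = children(content)
    if len(inner) != 1 or inner[0][0] != 0x30:
        return "expected one SEQUENCE (RDNSequence) inside [4]"
    for rdn_tag, rdn in children(inner[0][1]):
        if rdn_tag != 0x31:
            return "RDNSequence element has tag 0x%02X, expected SET (0x31)" % rdn_tag
        for atv_tag, atv in children(rdn):
            parts = children(atv) if atv_tag == 0x30 else []
            if len(parts) != 2 or parts[0][0] != 0x06:
                return "malformed AttributeTypeAndValue"
    return None

def der(tag, content):  # encoder for the constructed samples, short-form length only
    return bytes([tag, len(content)]) + content

# Constructed sample: countryName (2 5 4 6) = PrintableString 'ch', as in the dump.
ATV = der(0x30, der(0x06, bytes([0x55, 0x04, 0x06])) + der(0x13, b"ch"))
RDN = der(0x31, ATV)
GOOD = der(0xA4, der(0x30, RDN))                 # [4] > SEQUENCE > SET
BAD = der(0xA4, der(0x30, der(0x30, RDN)))       # [4] > SEQUENCE > SEQUENCE > SET
```

A lenient decoder may accept the second form while a strict one rejects it, which would be consistent with the differing results across implementations reported in the thread.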