: Re: [iText-questions] Signature validation bug in iText 5.1.1
Just looked into it and concluded that it is not as easy as I first
thought.
That change would affect all signature modes and hence you would have to
alter all constructors and make sure it's backwards compatible.
It would take
Just looked into it and concluded that it is not as easy as I first
thought.
That change would affect all signature modes and hence you would have to
alter all constructors and make sure it's backwards compatible.
It would take some effort to make sure that the code is not messed up
after the fix.
Stefan,
Stefan Santesson wrote:
> If my approach is acceptable, then I could easily provide a backwards
> compatible patch for this.
If I recall correctly, a completely overhauled signature api for itext
currently is being created. Therefore, I think that it is more important
that such problems a
Michael,
OK, I see now where you are coming from.
If the signer used another hash to calculate the hash of the PDF content
(stored in encContentInfo) than was used to create the signature, then
current iText code will fail.
Not sure why the signer would choose to do that, but if happen for some
r
Stefan,
Stefan Santesson wrote:
> I think the fix is right.
I think so, too. My remark was about additional issues to fix in the code.
I think that your fix does use the correct algorithm for encContDigest, but
the original code in some cases doesn't for messageDigest!
When handling a adbe.pkcs
Hi Michael,
I think the fix is right.
The digest algorithm to use when calculating the hash of the encapsulated
content info is the signers hash algorithm (RFC 5652 section 5).
The signers hash algorithm is extracted from SigenrInfo (index 2 in the
sequence)
This is extracted from signerInfo in
On 10/08/2011 12:05, mkl wrote:
> I am not too deep into this use case.
Same here.
I wasn't sure if the fix solves "all" problems (and your mail confirms
my doubt), but it seems to solve "a" problem without breaking anything.
Hence it was accepted.
--
Stefan, Bruno,
Stefan Santesson wrote:
> The consequence is that iText fails validation of perfectly valid signed
> PDF documents containing encapsulated content info (as when using the
> adbe.pkcs7.sha1 subfilter).
>
> [...]
> messageDigest =
> MessageDigest.getInstance(getHa
On 9/08/2011 15:01, Stefan Santesson wrote:
> Hi,
>
> I have discovered a serious bug in the iText 5.1.1 signature
> validation process and I have provided a patch that I would suggest
> you implement in your next release.
(...)
> These changes are tested and works like a charm.
Thanks! See the c
5:01:09 +0200
To:
Subject: [iText-questions] Signature validation bug in iText 5.1.1
> Hi,
>
> I have discovered a serious bug in the iText 5.1.1 signature validation
> process and I have provided a patch that I would suggest you implement in your
> next release.
>
> The prob
Hi,
I have discovered a serious bug in the iText 5.1.1 signature validation
process and I have provided a patch that I would suggest you implement in
your next release.
The problem is in the class "PdfPKCS7" in the method verify().
The original code compares the digest of the document with the d
11 matches
Mail list logo
