Hi,

If someone is interested, here is a working sample application for signing and timestamping (!!!) PDF with PDFBox:
https://github.com/vicziani/jtechlog-signpdf/tree/master/jtechlog-signpdf-pdfbox/src/main/java/jtechlog/signpdf

--
Viczián István

2013/12/22 István Viczián <[email protected]>:
> Hello Thomas,
>
> Thank you for your very detailed answers! It helps me a lot!
>
> I don't work with encrypted documents, so I can upgrade the BC
> version to 1.50. The signing and the timestamping works fine!
> My solution:
> - Using setPreferedSignatureSize method - thank you, thank you :)
> - Using CMSSignedDataGenerator (http://www.cryptoworkshop.com/guide/)
> - Using TimeStampResponse.getTimeStampToken().getEncoded() instead of
>   TimeStampResponse.getEncoded()
> - Using the hash of the signature to timestamp instead of the digest
>   of the document. For example:
>   http://p2p.wrox.com/book-beginning-cryptography-java/76182-problems-while-verifying-embedded-timestamp-signature.html
> - Foxit reader doesn't support BER encoding. You should transcode to DER:
>
> ByteArrayOutputStream baos = new ByteArrayOutputStream();
> new DEROutputStream(baos).writeObject(signedData.toASN1Structure());
> return baos.toByteArray();
>
> Only one problem left:
> - My document is signed, but not certificated. How can I set the
>   certification level? (Equivalent to
>   appearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
>   in iText)
> --
> Viczián István
>
>
> 2013/12/19 Thomas Chojecki <[email protected]>:
>>
>> Quoting István Viczián <[email protected]>:
>>
>>> Hello,
>>
>> Hi,
>>
>>
>>>
>>> I'm trying to sign and timestamp my PDF document.
>>> pdfbox 1.8.3
>>> bcmail-jdk15on 1.50
>>> The signing works fine, the Adobe Acrobat Reader shows the certificate
>>> correctly.
>>
>>
>> pdfbox 1.8.3 normally requires bc in the version 1.44. I think newer will
>> also work if you do not work with encrypted documents. You can also try to
>> work with the pdfbox 2.0.0 snapshot if you need to use bc in version 1.46 or
>> newer. The signing code is identical, so you will have the same results with
>> 1.8.3 and 2.0.0.
>>
>> https://repository.apache.org/content/groups/snapshots/org/apache/pdfbox/pdfbox/2.0.0-SNAPSHOT/
>>
>>
>>> Based on the sample app:
>>> http://media-nation.de/~rayman2200/PDFBox-SignExample.zip
>>
>> This example was updated and ported a while ago into the pdfbox-examples.
>> You can find it in the svn. Just checkout the src from:
>>
>> svn checkout http://svn.apache.org/repos/asf/pdfbox/trunk/
>>
>> But I haven't added any timestamp examples yet.
>>
>>
>>> (But the Foxit Reader not! Signing with other PDF library - you know
>>> which - the Foxit Reader shows the certificate right.)
>>>
>>> But the timestamping does not work. Calling
>>> .setSignedAttributeGenerator I don't see any timestamp, the size of
>>> the pdf doesn't change.
>>
>>
>> How did you create the timestamp? Which format are you using (RFC3161 works
>> for me)? You can also try to do a signature timestamp instead of a content
>> timestamp. Maybe the Foxit reader does not support content timestamps.
>>
>>
>>> With gen.generate(msg, true); the exception is:
>>>
>>> java.io.IOException: Can't write signature, not enough space
>>>
>>> How can I add space for signature?
>>
>>
>> This exception is a good point. So your timestamp was added to the cms
>> structure but it was too large to fit into the predefined gap.
>>
>> You can increase the size with setPreferedSignatureSize(...) inside the
>> SignatureOptions. For the right size of the signature you need to
>> experiment. A good start is to take the size of the certificates /
>> certificate chain you are adding into the signature and all additional
>> attributes like the timestamp.
>>
>>
>>>
>>> I don't find any example for timestamping pdf. Could you send me one?
>>
>>
>> I don't have any example right now, but you can search the net for creating
>> cms signatures with timestamp. I found one for itext
>>
>> https://www.mail-archive.com/[email protected]/msg40287.html
>>
>> or this one
>>
>> http://bouncy-castle.1462172.n4.nabble.com/Insert-Time-stamp-into-CMS-Signed-Data-td1464065.html
>>
>> So try to use unsigned attribute for a signature timestamp or signed
>> attribute for a content timestamp.
>>
>>
>>> (I can post my source code, if it is necessary.)
>>>
>>> Same with BouncyCastle 1.49 with deprecated addSigner method.
>>>
>>> --
>>> Viczián István
>>
>>
>> I hope this will help you a bit. If you have questions, just ask.
>>
>> Best regards
>> Thomas
>>
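
The steps listed in the thread (timestamp the hash of the signature value, embed the token rather than the whole response, attach it as an unsigned attribute, re-encode as DER) combined in one method, as an added example that is not part of the original messages or of the linked sample application. It assumes BouncyCastle 1.50 as used in the thread; `TsaClient` is a hypothetical interface standing in for the RFC 3161 request, and SHA-256 as the imprint digest is an assumption.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.SignerInformationStore;

public final class SignatureTimestamp {

    /** Hypothetical TSA hook: returns TimeStampResponse.getTimeStampToken().getEncoded(). */
    public interface TsaClient {
        byte[] tokenFor(byte[] sha256OfSignatureValue) throws IOException;
    }

    public static byte[] timestampAndEncode(CMSSignedData signedData, TsaClient tsa)
            throws Exception {
        List<SignerInformation> stamped = new ArrayList<SignerInformation>();
        for (Object o : signedData.getSignerInfos().getSigners()) {
            SignerInformation signer = (SignerInformation) o;
            // Signature timestamp: the imprint is the hash of the signature value,
            // not the digest of the document. SHA-256 is an assumption here.
            byte[] imprint = MessageDigest.getInstance("SHA-256").digest(signer.getSignature());
            // The attribute carries the bare token (a CMS ContentInfo), not the TSA response.
            ASN1Primitive token = ASN1Primitive.fromByteArray(tsa.tokenFor(imprint));
            ASN1EncodableVector attrs = new ASN1EncodableVector();
            attrs.add(new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken,
                    new DERSet(token)));
            // Unsigned attribute: added after signing, so the signature stays valid.
            // This replaces any unsigned attributes the signer already had.
            stamped.add(SignerInformation.replaceUnsignedAttributes(signer,
                    new AttributeTable(attrs)));
        }
        CMSSignedData result =
                CMSSignedData.replaceSigners(signedData, new SignerInformationStore(stamped));
        // Re-encode as DER, as in the thread, for readers that do not accept BER.
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        new DEROutputStream(baos).writeObject(result.toASN1Structure());
        return baos.toByteArray();
    }
}
```

The returned bytes are larger than the untimestamped signature by the size of the token, so the space reserved with setPreferedSignatureSize has to account for it.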

