On 08.06.2016 at 13:27, Andrea Canu wrote:
Hi guys

I want to ask you about the correct way to get the signed-content from the
signature.
Since now I've used the PDSignature class's method:

signature.getSignedContent(pdfInputStream)

With this method I'm able to extract from the pdfInputStream the
byte-array of the signed-content based on the signature's ByteRange.

I've noticed that if I try to verify the signature based on that
byte-array, the verification sometimes unexpectedly fails!

Hello Andrea,

Can you share the PDF (upload it)?

I doubt your theory re: bug in COSParser. I'd rather search if there is a bug in COSFilterInputStream.

If you can't share the PDF, then please download the bytes "the hard way":

// download the signed content, described in /ByteRange COSArray:
// [offset1 len1 offset2 len2]
int[] byteRange = sig.getByteRange();
byte[] buf = new byte[byteRange[1] + byteRange[3]];
RandomAccessFile raf = new RandomAccessFile(infile, "r");
try {
    raf.seek(byteRange[0]);
    // the first range goes to the start of buf (buffer offset 0, not byteRange[0])
    raf.readFully(buf, 0, byteRange[1]);
    raf.seek(byteRange[2]);
    // the second range follows directly after the first one
    raf.readFully(buf, byteRange[1], byteRange[3]);
} finally {
    raf.close();
}

This code is not fully correct, because /ByteRange might have more than 4 elements. So have a look at it to be sure.

Then compare the byte array "buf" with the one from getSignedContent.

Another possible reason it fails might be that there are different signature methods. See the code at
https://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java?view=markup

I didn't use getSignedContent() there but I think I should. So I'd be very interested to find out if there is a bug there.

Tilman


Now, looking at the COSParser class I've found this method:

COSParser.parseHeader


This method, trying to find the correct document's header, is able to skip
some garbage in the PDF document looking for the markers "%PDF-" and
"%FDF-".

So, I've noticed that the signature verification succeeds if I skip that
garbage during the signed-content extraction.

My question is:
Why is this garbage handling not also present in the getSignedContent
code?

The workaround I found is to skip that garbage manually from the
pdfInputStream, but now the problem is the correct way to calculate the
offset for the pdfInputStream.

Any suggestion?

Kind regards
Andrea.
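The complete form of Tilman's "hard way" loop, as an added example that is not PDFBox's own code: it walks every [offset length] pair of /ByteRange, so arrays with more than four entries are handled, checks that the pairs lie inside the file in ascending, non-overlapping order, and compares the result with PDSignature.getSignedContent(InputStream) as suggested in the reply. The class and method names (ByteRangeCheck, readSignedContent, matchesPdfBox) are assumptions of mine; getByteRange() and getSignedContent() are the PDFBox methods named in the thread.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.RandomAccessFile;
import java.util.Arrays;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;

// Added example (not PDFBox code): read the signed bytes by walking every
// [offset length] pair of /ByteRange and compare with getSignedContent().
public final class ByteRangeCheck {

    public static byte[] readSignedContent(RandomAccessFile raf, int[] byteRange) throws IOException {
        if (byteRange == null || byteRange.length < 2 || byteRange.length % 2 != 0) {
            throw new IOException("/ByteRange must hold an even number of entries");
        }
        long fileLength = raf.length();
        long previousEnd = 0;
        int total = 0;
        for (int i = 0; i < byteRange.length; i += 2) {
            long offset = byteRange[i], length = byteRange[i + 1];
            // every range must lie inside the file, in ascending order and without overlap
            if (offset < previousEnd || length < 0 || offset + length > fileLength) {
                throw new IOException("invalid /ByteRange pair at index " + i);
            }
            previousEnd = offset + length;
            total = Math.addExact(total, byteRange[i + 1]); // fails loudly on int overflow
        }
        byte[] buf = new byte[total];
        int pos = 0;
        for (int i = 0; i < byteRange.length; i += 2) {
            raf.seek(byteRange[i]);
            raf.readFully(buf, pos, byteRange[i + 1]); // copy range i to buf[pos..]
            pos += byteRange[i + 1];
        }
        return buf;
    }

    // True when the "hard way" bytes equal what PDFBox extracts for the same signature.
    public static boolean matchesPdfBox(File infile, PDSignature sig) throws IOException {
        byte[] hardWay;
        try (RandomAccessFile raf = new RandomAccessFile(infile, "r")) {
            hardWay = readSignedContent(raf, sig.getByteRange());
        }
        byte[] viaPdfBox;
        try (InputStream in = new FileInputStream(infile)) {
            viaPdfBox = sig.getSignedContent(in);
        }
        return Arrays.equals(hardWay, viaPdfBox);
    }
}
```

If matchesPdfBox returns false for a file whose signature verifies against the hard-way bytes, the difference between the two arrays (length and first differing index) is the place to look for the offset problem described in the thread.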
