I’m happy to post the code, but I have yet to get it working. The biggest
change from the example code appears to be in CreateSignatureBase.sign
// Imports used by this method (Apache Commons Codec/IO and BouncyCastle); the
// certProvider exception classes and CMSTypedDataInputStream are project-specific
// classes that are not shown here
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.util.Store;

public byte[] sign(InputStream content) throws IOException
{
    //TODO this method should be private
    try
    {
        List<Certificate> certList = new ArrayList<>();
        certList.addAll(Arrays.asList(certificateChain));
        Store certs = new JcaCertStore(certList);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();

        // This is my hash generation code, I'm presuming that content
        // is the part of the pdf to be signed
        // create hex encoded sha256 message digest
        byte[] sh = MessageDigest.getInstance("SHA-256").digest(IOUtils.toByteArray(content));
        // BigInteger.toString(16) drops leading zero nibbles, so this string is
        // not always 64 characters long
        String hexencodedDigest = new BigInteger(1, sh).toString(16);
        hexencodedDigest = hexencodedDigest.toUpperCase();
        // the external provider signs the digest and returns the signature hex encoded
        final String signedHash = certProvider.signPdfDigest(hexencodedDigest);

        // This is the new code from Paresh
        ContentSigner nonSigner = new ContentSigner() {
            @Override
            public byte[] getSignature() {
                try {
                    return Hex.decodeHex(signedHash.toCharArray());
                } catch (DecoderException e) {
                    e.printStackTrace();
                }
                //we can also base64 decode and return (used to be the
                //case, now it isn't)
                // return Base64.decodeBase64(signedHash);
                return null;
            }

            @Override
            public OutputStream getOutputStream() {
                // a fresh stream on every call: whatever the SignerInfoGenerator
                // writes here (the DER-encoded signed attributes) is never read back
                return new ByteArrayOutputStream();
            }

            @Override
            public AlgorithmIdentifier getAlgorithmIdentifier() {
                return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WithRSAEncryption");
            }
        };

        org.bouncycastle.asn1.x509.Certificate cert =
            org.bouncycastle.asn1.x509.Certificate.getInstance(certificateChain[0].getEncoded());
        JcaSignerInfoGeneratorBuilder sigb =
            new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build());
        //ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA256WithRSA").build(privateKey);
        gen.addSignerInfoGenerator(sigb.build(nonSigner, new X509CertificateHolder(cert)));
        gen.addCertificates(certs);
        CMSTypedDataInputStream msg = new CMSTypedDataInputStream(
            new ByteArrayInputStream("useless_data".getBytes())); // this is never used.
        //CMSProcessableInputStream msg = new CMSProcessableInputStream(content);
        CMSSignedData signedData = gen.generate(msg, false);
        if (tsaClient != null)
        {
            signedData = signTimeStamps(signedData);
        }
        return signedData.getEncoded();
    }
    catch (GeneralSecurityException | CMSException | TSPException | OperatorCreationException e)
    {
        throw new IOException(e);
    }
    catch (SessionExpiredException | TokenExpiredException | CertProviderException e)
    {
        throw new IOException(e);
    }
}
When I view the pdf, it says my document has been altered or corrupted. Not
sure where I’m going wrong.
Any help greatly appreciated!
> On Oct 2, 2017, at 2:34 AM, Tilman Hausherr <[email protected]> wrote:
>
> Hi,
>
> The 0bin content has expired... if you have something useful to share (and it
> seems so) please post the entire code here so it will be archived.
>
> Tilman
>
> On 29.09.2017 at 18:58, Paresh Chouhan wrote:
>> that returns the signed value which was signed by external signer @Michael
>> 1. prepareToSign() - to prepare pdf for signing - this generates Hash and
>> pass it to the client (HSM) for signing (I access HSM using JS, hashtosign
>> is sent to JS script)
>> -- ANY AMOUNT OF DELAY BETWEEN THESE STEPS--
>> 2. finishSign() - takes the signed hash value and resumes to sign PDF. (PDF
>> is saved in memory while this is happening)
>>
>>
>> On Fri, Sep 29, 2017 at 3:12 AM Michael Lindsay
>> <[email protected]> wrote:
>>
>>> Hi Paresh,
>>>
>>> Thanks so much for the quick reply and the code snippets. Very helpful
>>> indeed.
>>>
>>> Couple quick questions…. There’s a reference here to
>>>
>>> final String signedHash = pdfFile.getPdfSignedHash();
>>>
>>> But I can’t find where pdfFile is created or what it’s type is.
>>>
>>> Also, can you share your generateHash method and your PDFSigner class?
>>>
>>> Thanks again,
>>> - Michael
>>>
>>>
>>>
>>>> On Sep 28, 2017, at 5:09 AM, Paresh Chouhan <[email protected]>
>>> wrote:
>>>> here's the setup for signing
>>>>
>>> https://0bin.net/paste/1hDByAx4i9dBAoGh#0CCZBX5Il0FHxsuYQUvoe7otY3-tHxtM0Zs9IYqLozG
>>>> On Thu, Sep 28, 2017 at 5:35 PM Paresh Chouhan <
>>> [email protected]>
>>>> wrote:
>>>>
>>>>> Yes, Michael I wrote that post, It is working well with an HSM,
>>>>>
>>>>>
>>> https://0bin.net/paste/iEhbQJm8y-waiV+O#2deRPmaGUdvWwg0iD+htfR4gWm3wmKUe3upyt0+3jRS
>>>>>
>>>>> On Wed, Sep 27, 2017 at 10:19 PM Michael Lindsay
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Hello List!
>>>>>>
>>>>>> I’ve got an implementation of pdfbox digital signing working fabulously
>>>>>> with a self signed cert based on the examples provided. We are trying
>>> to
>>>>>> switch over to using an HSM and I can’t seem to crack it. I believe
>>> from
>>>>>> the post here that such a thing is possible:
>>>>>>
>>> https://stackoverflow.com/questions/44196316/pdf-signing-generated-pdf-document-certification-is-invalid-using-external-si
>>>>>> The signing service provides a signing certificate and ocsp which I
>>> need
>>>>>> to use to calculate the digest then pass that along to them for signing
>>>>>> with the private key. All of the examples in the documentation assume
>>> I
>>>>>> have the private key.
>>>>>>
>>>>>> Does anyone here have any example code for calculating and sending pdf
>>>>>> digest to external service to sign pdfs? Any help would be greatly
>>>>>> appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>> - Michael
>>>>> --
>>>>> Regards
>>>>> Paresh Chouhan
>>>>> https://github.com/pareshchouhan
>>>>>
>>>> --
>>>> Regards
>>>> Paresh Chouhan
>>>> https://github.com/pareshchouhan
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>> --
>> Regards
>> Paresh Chouhan
>> https://github.com/pareshchouhan
>>
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
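Added example (not code from this thread, from PDFBox, or from the certProvider library): the posted ContentSigner hashes the raw content and hands back a new, discarded stream from getOutputStream(), but BouncyCastle signs the bytes it writes into that stream, namely the DER-encoded signed attributes, which themselves carry the content digest. The class below buffers those bytes, hashes them, forwards only the 32-byte digest to an external signer, and then verifies the detached CMS it produced. ExternalCmsSigningExample, ExternalDigestSigner, DigestForwardingSigner, signDetached, verifyDetached and hsmStandIn are names chosen here; hsmStandIn is a locally generated RSA key acting as the HSM, and it assumes the remote signer expects a bare SHA-256 digest with the PKCS#1 v1.5 DigestInfo wrapping done on the caller's side, which is the assumption to check against the real provider's API.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.DigestInfo;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.*;
import org.bouncycastle.operator.jcajce.*;

public class ExternalCmsSigningExample {

    /** Hypothetical stand-in for certProvider.signPdfDigest: gets a SHA-256 digest, returns the raw RSA signature. */
    interface ExternalDigestSigner {
        byte[] signSha256Digest(byte[] digest) throws Exception;
    }

    /** ContentSigner that keeps what BouncyCastle writes into it (the DER signed attributes) and signs its hash externally. */
    static final class DigestForwardingSigner implements ContentSigner {
        private final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        private final ExternalDigestSigner external;

        DigestForwardingSigner(ExternalDigestSigner external) { this.external = external; }

        @Override public AlgorithmIdentifier getAlgorithmIdentifier() {
            return new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        }

        @Override public OutputStream getOutputStream() {
            return buffer; // the same stream on every call, so nothing written to it is lost
        }

        @Override public byte[] getSignature() {
            try {
                // Hash the signed attributes, not the PDF content; the attributes already contain the content digest.
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(buffer.toByteArray());
                return external.signSha256Digest(digest);
            } catch (Exception e) {
                throw new IllegalStateException("external signing failed", e);
            }
        }
    }

    /** Detached CMS signature over content; the private key is never touched here. */
    static byte[] signDetached(byte[] content, X509Certificate cert, ExternalDigestSigner external) throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                .build(new DigestForwardingSigner(external), cert));
        gen.addCertificates(new JcaCertStore(Collections.singletonList(cert)));
        return gen.generate(new CMSProcessableByteArray(content), false).getEncoded();
    }

    /** Re-attaches the content and checks both the message-digest attribute and the RSA signature. */
    static boolean verifyDetached(byte[] content, byte[] cms, X509Certificate cert) throws Exception {
        CMSSignedData signed = new CMSSignedData(new CMSProcessableByteArray(content), cms);
        SignerInformation signer = signed.getSignerInfos().getSigners().iterator().next();
        return signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Constructed key pair and self-signed certificate, standing in for the HSM key and the signing certificate.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name name = new X500Name("CN=constructed test signer");
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 86_400_000L);
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
                new JcaX509v3CertificateBuilder(name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic())
                        .build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));

        // The "HSM" only ever sees the 32-byte digest. Assumption: the caller wraps it in a DigestInfo, so that the
        // raw PKCS#1 v1.5 operation (NONEwithRSA) yields a signature a SHA256withRSA verifier accepts.
        ExternalDigestSigner hsmStandIn = digest -> {
            byte[] digestInfo = new DigestInfo(
                    new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256, DERNull.INSTANCE), digest).getEncoded();
            Signature raw = Signature.getInstance("NONEwithRSA", "BC");
            raw.initSign(kp.getPrivate());
            raw.update(digestInfo);
            return raw.sign();
        };

        byte[] content = "constructed sample content standing in for the PDF byte range".getBytes(StandardCharsets.UTF_8);
        byte[] cms = signDetached(content, cert, hsmStandIn);
        System.out.println("CMS bytes: " + cms.length);
        System.out.println("verifies:  " + verifyDetached(content, cms, cert));
    }
}
```

Compile against bcprov and bcpkix. getSignature() runs synchronously inside generate(), so the round trip to the signer happens within that call; the CMS bytes signDetached returns are what a PDFBox SignatureInterface.sign() implementation hands back, exactly as the CreateSignature examples do with the content stream.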