Hello there, I am using PDFBox for signing PDF documents with signatures created by a third party service. That service also gives me the OCSP and CRL content to embed in the documents, in order to get PAdES LTV signatures. With 99% of the PDFs everything works OK, I get in the end valid LTV signatures in Adobe Acrobat and in ETSI PAdES Signature Conformance Checker.
I have an issue, though, with a PDF/A-3A compliant PDF that I am trying to sign (this results in a valid signature) and then embed the OCSP and CRL content (this results in invalidating the signature from the first step).

My process, generally speaking, is this:

* I open the PDF, I create the hash for signing (data to be signed)
* I call the 3rd party service for getting back the digital signature
* In the service response I also get the OCSP and CRL content that I need to embed in the PDF for LTV quality
* I embed the signature in the PDF
* I save the document to memory, then I reopen it for embedding the OCSP and CRL
* I embed the OCSP and CRL items, creating the respective DSS and VRI dictionaries
* I save the PDF to disk

The code for signing is here:
https://github.com/SwisscomTrustServices/pdfbox-ais/blob/main/src/main/java/com/swisscom/ais/client/impl/PdfDocument.java

And the code for embedding OCSP and CRL is here:
https://github.com/SwisscomTrustServices/pdfbox-ais/blob/main/src/main/java/com/swisscom/ais/client/impl/CrlOcspExtender.java

Sample PDF documents here:
https://cloud.mocanu.ws/index.php/s/BmLHYaXC7sP9mTs

The original is the PDF/A-3A unsigned, then there are the PDFBox signed one (invalid) and the iText7 one (signed).

I also noticed that just by doing:

    // load the already signed PDF, then write it back with a full save
    PDDocument document = PDDocument.load(inputStream);
    document.save(outputStream);

I break the signature. From my tests, the actual embedding is not really the cause of the issue, but just the fact that I reopen the PDF after embedding the signature and save it back to disk.

My research so far shows that somehow PDFBox is breaking the order of the elements when loading the PDF after signature embedding. It hints at this issue with loading and saving documents, though for ALL the other PDFs I do the same process and Adobe Acrobat does not complain about the signature.

I also tried with PDFBox 2.1.0-SNAPSHOT and 3.0.0-SNAPSHOT, hoping that the issue is related to the ordering of elements in the PDF and that it was fixed.
Still, I get the same results.

Thanks for reading this far and checking this issue! Any help is appreciated!
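
A diagnostic for the symptom described in the message above, added here as an example; it is not part of the original post and not code from PDFBox or pdfbox-ais. A PDF signature's digest covers the exact bytes named by its /ByteRange, so DSS/VRI data has to be appended after the signed revision without changing any of those bytes; the check compares the file before and after the LTV step. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_digest(pdf, br):
    """SHA-256 over the two byte spans a signature's /ByteRange names."""
    o1, l1, o2, l2 = br
    return hashlib.sha256(pdf[o1:o1 + l1] + pdf[o2:o2 + l2]).hexdigest()

def check_extension(signed, extended):
    """Return a list of problems; an empty list means the signed bytes survived."""
    problems = []
    if not extended.startswith(signed):
        problems.append("signed revision was rewritten instead of appended to")
    ranges = [tuple(map(int, m.groups())) for m in BYTE_RANGE.finditer(signed)]
    if not ranges:
        problems.append("no /ByteRange found in the signed file")
    for br in ranges:
        o1, l1, o2, l2 = br
        gap = signed[o1 + l1:o2]  # should be exactly the <hex> /Contents string
        if o1 != 0 or not (gap.startswith(b"<") and gap.endswith(b">")):
            problems.append(f"ByteRange {br} does not bracket /Contents")
        if (o2 + l2 > len(extended)
                or signed_digest(signed, br) != signed_digest(extended, br)):
            problems.append(f"bytes covered by ByteRange {br} changed")
    return problems

def build_sample():
    """Constructed stand-in for a signed PDF (not a real, parseable document)."""
    pre, post = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 ", b"] /Contents "
    contents, tail = b"<" + b"00" * 16 + b">", b" >>\nendobj\n%%EOF\n"
    a = len(pre) + 32 + len(post)  # 32 = three zero-padded 10-digit numbers + 2 spaces
    b = a + len(contents)
    return pre + b"%010d %010d %010d" % (a, b, len(tail)) + post + contents + tail

if __name__ == "__main__":
    signed = build_sample()
    # Incremental update: new objects appended, earlier bytes untouched.
    appended = signed + b"\n5 0 obj\n<< /Type /DSS >>\nendobj\n%%EOF\n"
    # Full rewrite: one byte inserted inside the signed revision.
    rewritten = signed.replace(b"1 0 obj", b"1 0  obj")
    print(check_extension(signed, appended))
    print(check_extension(signed, rewritten))
```

Run against real files by reading the signed PDF and the LTV-extended PDF as bytes and passing both to `check_extension`.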