Hi,

It's probably better to ask this on SO, because mkl doesn't read here.

Tilman

On 02.07.2024 17:47, Milan Markovic wrote:
Hi, I need some support, and hope that this is the correct address.

I am working on a Java app which will digitally sign PDF documents, using pdfbox libraries. The private key is on a smartcard and is not exportable. The goal is not to use any OS middleware (smartcard driver). So far, I followed comments from this link: https://stackoverflow.com/questions/41767351/create-pkcs7-signature-from-file-digest. In order to sign data, I need correct CMSSignedData.

I analysed the APDU messages that other official apps are sending to the smartcard, signing a document when the middleware (driver) for the smartcard is present, so I do know what is going on between the app and the smartcard. What I do not know is what exactly to send to the smartcard. I thought that it should be the PDF document digest, DER encoded, but in fact some other DER encoded hash is sent to the smartcard, and the digital signature (when returned from the smartcard) contains that other hash (I can check it with the public key). So, I do have the digest of the document (following the link that I mentioned), but sending this digest (DER encoded) is wrong.

My question is then: what should I send to the smartcard, in order to be digitally signed by the private key?

If I use the code provided by https://stackoverflow.com/users/1729265/mkl as the answer to the mentioned question, then with the demo certificates that are part of the pdfbox examples, I can produce a signed PDF document that is perfectly OK. If I look at the data produced by that code, I can see the following:

SHA-256 digest of the working PDF document: 137c110914d20694a2e420324295814cd1881f0172b006147a91b75ebca55806

This digest is present in the ASN.1 representation of the signed document's digital signature, as the messageDigest value (32-byte OCTET STRING).
But this digest is not part of the signature value. If I verify this signature value with the demo public key, I can find the following DER encoded value: 3031300d0609608648016503040201050004200a594bbd7c300f201ee7bee5ba47a62463c8823bb933e3355e1b93f5f7f14692

So the 32 bytes from this DER encoded value, 0a594bbd7c300f201ee7bee5ba47a62463c8823bb933e3355e1b93f5f7f14692, seem to be what I am looking for, as something similar happens when signing a PDF document with my smartcard (using the official app): the 32-byte digest of the PDF document is not part of the signature info, but some other 32-byte hash is.

Any idea where this other DER encoded hash comes from? Is it some calculation on the document digest value? If so, how do I get that value, as I need that other value to be sent to my smartcard during the digital signing APDU/RAPDU exchange.

Hope that my explanation is clear.

Milan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
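For the structure the question is about, here is an added example (not code from the thread, from pdfbox or from BouncyCastle): it builds the CMS SignedAttributes for a document digest and derives the SHA-256 DigestInfo that an RSA PKCS#1 v1.5 signer is actually given, which is why the value found inside the signature is the hash of the signed attributes rather than the document hash. It assumes only the contentType and messageDigest attributes; the BouncyCastle defaults used by the pdfbox examples commonly add signingTime as well, so the resulting hash will not reproduce the 0a59... value quoted above.

```python
import hashlib

# Minimal DER helpers, written for this example (not a general ASN.1 library).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def der_set_of(elements):
    # DER requires SET OF members in ascending order of their encodings.
    return der(0x31, b"".join(sorted(elements)))

def attribute(oid, value):
    return der(0x30, der_oid(oid) + der_set_of([value]))

def signed_attrs(doc_digest):
    """RFC 5652 SignedAttributes (SHA-256 over the PDF byte ranges).
    Hashed in its SET (0x31) form, even though SignerInfo carries it as [0] IMPLICIT (0xa0).
    Assumption: no signingTime; real signers usually include it, which changes the hash."""
    return der_set_of([
        attribute("1.2.840.113549.1.9.3", der_oid("1.2.840.113549.1.7.1")),  # contentType = id-data
        attribute("1.2.840.113549.1.9.4", der(0x04, doc_digest)),             # messageDigest
    ])

# DigestInfo prefix for SHA-256: SEQUENCE { AlgorithmIdentifier(sha256, NULL), OCTET STRING header }.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def value_to_sign(doc_digest):
    """What an RSA PKCS#1 v1.5 signer (card or software) receives: DigestInfo of SHA-256(signedAttrs)."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(signed_attrs(doc_digest)).digest()

if __name__ == "__main__":
    doc = bytes.fromhex("137c110914d20694a2e420324295814cd1881f0172b006147a91b75ebca55806")
    print("signedAttrs:       ", signed_attrs(doc).hex())
    print("DigestInfo to sign:", value_to_sign(doc).hex())
```

The DigestInfo is what a PKCS#1 v1.5 card signs; a verifier that decrypts the signature with the public key sees exactly this 51-byte structure, with the document digest present only inside the hashed attributes.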