The unsigned file is 144951 bytes long
I suspect that the form was filled then user's-rights-locked by the client
using Adobe Pro, using a certificate...
It's probably not really a signature like PADES is, even if technically it's
similar... but I'm not competent about PDF format...
In fact, for the Byterange, the first may not be the best to chose, since maybe
if there are multiple signature in sequence, I suspect the last, in the
AcroForm/Fields, will be the longest ?
The problem seems to be that Perms/UR3 is visited after the AcroForm/Fields in
this rare case...
But I suspect that since the fields are probably in temporal sequence, it works
well ?
Maybe comparing the dates ?
Is it better to take the longest ? but I see that the new signature use a very
long dummy ByteRange, which make it 32 bytes long, always...
Maybe taking the longest, excluding the dummy " COSArray{[COSInt{0},
COSInt{1000000000}, COSInt{1000000000}, COSInt{1000000000}]}"...
Or just taking this 32bytres length, which is safe but overkill ?
it seems tricky...
Thanks for the santander form, I will try to reproduce the bug with that form,
at least to understand why it works better...
The romanian form seems to work as well... I will investigate.
Alain COETMEUR
Interne
-----Message d'origine-----
De : Tilman Hausherr <thaush...@t-online.de>
Envoyé : lundi 1 septembre 2025 13:37
À : users@pdfbox.apache.org
Objet : Re: Error "Can't write new byteRange … not enough space…" signing with
PADES a document having user's rights protected by Perms/UR3
[EMETTEUR EXTERNE] : Soyez vigilant avant d’ouvrir les pièces-jointes ou de
cliquer sur les liens. En cas de doute, signalez le message via le bouton «
Signaler un courriel suspect ».
Hi,
I do understand it somewhat, the problem is that for some reason several
signatures are in the incremental part. It doesn't happen with
https://issues.apache.org/jira/secure/attachment/12744153/santander_freistellungsauftrag.pdf
from https://issues.apache.org/jira/browse/PDFBOX-2858 .
We could change the code so that only the first one reached is considered.
However, how do we know that the correct one is reached first?
I may have an idea:
> The previous Perms/UR3 signature seems to cover much less, and is thus
> shorter COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103},
> COSInt{160382}]}
What is the exact length of the unsigned file?
Tilman
Am 01.09.2025 um 10:25 schrieb Coetmeur, Alain:
> Hello,
>
> I have a problem using PDFBox 3.05 via DSS6.3.
> When I try to sign some documents, it fails on a ByteRange serialization
> “Can't write new byteRange … not enough space…”.
> I’ve investigated and I think I found the problem.
> I’m not at all expert in PDF, so I may be wrong.
>
> This document “User’s Rights” are signed with a root/Perms/UR3 signature :
> Type=Sig
> Filter=Adobe.PPKLite
> SubFilter=adbe.pkcs7.detached
> Name=ARE Acrobat Product v8.0 P23 0002337
>
> It’s a Form that is filled by a client (I cannot send it to you sadly,
> sorry). Maybe that explains the problem.
> I suspect the Form was signed by a company, before the client filled it,
> making it much longer than what the UR3 signed.
>
> DSS tries to add a classic PADES signature in root/AcroForm/Fields/V
> Type=Sig Filter=Adobe.PPKLite SubFilter=ETSI.CAdES.detached
>
> The problem happens in
> org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(OutputStream)
>
> I’ve traced that first, PdfBox visits the ByteRange of the PADES signature in
> AcroFrom/Fields, THEN in Perms/UR3.
> org.apache.pdfbox.pdfwriter.COSWriter.visitFromDictionary(COSDictionar
> y) Each times, it store the latest value of ByteRange in an instance
> variable “byteRangeArray”
>
> The new PADES signature has a ByteRange still undetermined set as
> COSArray{[COSInt{0}, COSInt{1000000000}, COSInt{1000000000},
> COSInt{1000000000}]}
>
> The previous Perms/UR3 signature seems to cover much less, and is thus
> shorter COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103},
> COSInt{160382}]}
>
> Thus at the end
> this.byteRangeArray is COSArray{[COSInt{0}, COSInt{1569},
> COSInt{11103}, COSInt{160382}]}
>
> Finally the method
> org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature()
> is called and fails with an IO Exception:
> Can't write new byteRange '0 145478 164424 26017]' not enough space:
> byteRange.length(): 22, byteRangeLength: 20, byteRangeOffset: 180045
>
> it tries to write the real ByteRange for the PADES Signature which is
> COSArray{[COSInt{0}, COSInt{145478}, COSInt{164424}, COSInt{26017}]}
> Which is longer than the last UR3 signature visited and set into
> byteRangeArray
>
> I can give more detail on the stacktrace, but probably it’s enough. I don’t
> know the subtleties of PDF format, so maybe I miss an important point.
>
>
> I’ve tried to generate a similar file with JSignPDF 2.3.0, starting
> from a XFA forms
> https://mfin/
> ante.gov.ro%2Fdocuments%2F2552173%2F2552377%2F31.OrdinPlataElectronic_
> 2023_05_19_A2.0.26%2B.pdf%2F5acf3ff7-7ff1-aa2c-283c-151d49af0d8b%3Ft%3
> D1684492636871%26download%3Dtrue&data=05%7C02%7Calain.coetmeur%40caiss
> edesdepots.fr%7C20084da056af4d25fafc08dde94c098c%7C6eab6365819449c6a4d
> 0e2d1a0fbeb74%7C0%7C0%7C638923234971222665%7CUnknown%7CTWFpbGZsb3d8eyJ
> FbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpb
> CIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=qBxee%2BAdyrClPfxVQuYGzX175lXeb
> QAfLu4d4GHDSGA%3D&reserved=0
> found in this Post:
> https://stac/
> koverflow.com%2Fquestions%2F76736428%2Fprogramatically-fill-government
> -pdf-xfa-dynamic&data=05%7C02%7Calain.coetmeur%40caissedesdepots.fr%7C
> 20084da056af4d25fafc08dde94c098c%7C6eab6365819449c6a4d0e2d1a0fbeb74%7C
> 0%7C0%7C638923234971237784%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnR
> ydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D
> %3D%7C0%7C%7C%7C&sdata=2wvdvj1x3MP8ARiXJZAQ%2BfEW5mpKb2AIuE4w5Gc9juc%3
> D&reserved=0 and I succeeded in creating an UR3 signature (sign with a
> PKCS12, asking “No Certification” as “certification level”, and adding a
> owner password for encryption), but I could not reproduce the bug. Sorry.
>
> I can test some correction proposal, but I cannot give the document.
>
> Hope this helps.
> Best regards.
> Ce message et toutes les pièces jointes (ci-après le «message») sont
> confidentiels et établis à l’intention exclusive de ses destinataires. Toute
> utilisation de ce message non conforme à sa destination, toute diffusion ou
> toute publication, totale ou partielle, est interdite, sauf autorisation
> expresse. Si vous recevez ce message par erreur, merci de le détruire sans en
> conserver de copie et d’en avertir immédiatement l’expéditeur. Internet ne
> permettant pas de garantir l’intégrité de ce message, la Caisse des Dépôts et
> Consignations décline toute responsabilité au titre de ce message s’il a été
> modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les
> précautions prises pour éviter la présence de virus dans nos envois, nous
> vous recommandons de prendre, de votre côté, les mesures permettant d'assurer
> la non-introduction de virus dans votre système informatique. This email
> message and any attachments (“the email”) are confidential and intended only
> for the recipient(s) indicated. If you are not an intended recipient, please
> be advised that any use, dissemination, forwarding or copying of this email
> whatsoever is prohibited without prior written consent of Caisse des Depots
> et Consignations. If you have received this email in error, please delete it
> without saving a copy and notify the sender immediately. Internet emails are
> not necessarily secure, and Caisse des Depots et Consignations declines
> responsibility for any changes that may have been made to this email after it
> was sent. While we take all reasonable precautions to ensure that viruses are
> not transmitted via emails, we recommend that you take your own measures to
> prevent viruses from entering your computer system.
>
> Interne
>
Т ХF V
7V'67& &R �R � â W6W'2 V 7V'67& &T �Ff& ���6 R &pФf "��FF F � �6 � G2
�R � â W6W'2ֆV � �Ff& ���6 R &pР
Ce message et toutes les pièces jointes (ci-après le «message») sont
confidentiels et établis à l’intention exclusive de ses destinataires. Toute
utilisation de ce message non conforme à sa destination, toute diffusion ou
toute publication, totale ou partielle, est interdite, sauf autorisation
expresse. Si vous recevez ce message par erreur, merci de le détruire sans en
conserver de copie et d’en avertir immédiatement l’expéditeur. Internet ne
permettant pas de garantir l’intégrité de ce message, la Caisse des Dépôts et
Consignations décline toute responsabilité au titre de ce message s’il a été
modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les
précautions prises pour éviter la présence de virus dans nos envois, nous vous
recommandons de prendre, de votre côté, les mesures permettant d'assurer la
non-introduction de virus dans votre système informatique. This email message
and any attachments (“the email”) are confidential and intended only for the
recipient(s) indicated. If you are not an intended recipient, please be advised
that any use, dissemination, forwarding or copying of this email whatsoever is
prohibited without prior written consent of Caisse des Depots et Consignations.
If you have received this email in error, please delete it without saving a
copy and notify the sender immediately. Internet emails are not necessarily
secure, and Caisse des Depots et Consignations declines responsibility for any
changes that may have been made to this email after it was sent. While we take
all reasonable precautions to ensure that viruses are not transmitted via
emails, we recommend that you take your own measures to prevent viruses from
entering your computer system.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
