Sorry for the delay, I was on another problem.
In fact I did not write this algorithm, and I just changed (without success) a detail.

I see that the signature to be created contains a huge ByteRange, that is adjusted in "visitFromDictionary()" to the real value. Later this value is used in doWriteSignature() to write the ByteRange...

I just changed the length of the /ByteRange directive... There was no longer any error, but it did not work because the previous Perms/UR3 signature was broken.

I've tried to reproduce this signature with jPDFSign, but I could not reproduce the bug, even building a very small signed file, that is later annotated with huge volume (multiplying size by >x10) and then signed with DSS...

The document that failed seems to include an Adobe signature protecting a software license for Acrobat... "Exchange-Pro" 9.0.0 and "ARE Acrobat Product v8.0 P23 0002337". I don't understand what it is exactly, and how it was generated.

By the way, do you know a tool that can parse a PDF and help to navigate in the dictionaries, to guess what happened? Maybe I can report part of the document here, that way.

Alain COETMEUR

-----Original Message-----
From: Marc Kaufman <kauf...@cs.stanford.edu>
Sent: Thursday, September 4, 2025 21:13
To: users@pdfbox.apache.org
Subject: Re: Error "Can't write new byteRange … not enough space…" signing with PADES a document having user's rights protected by Perms/UR3

I'm missing something here.

The ByteRange entry for a signature is initially set to something big enough to hold the eventual actual ByteRange e.g.:

"/ByteRange[1000000000 1000000000 1000000000 1000000000] "

followed by the /Contents<...> area. After determining the correct ByteRange values, you _overwrite_ the /ByteRange entry in the file with a correct ByteRange.
The size of the overwrite must be exactly the size of the ByteRange entry starting. Adding spaces at the end to ensure that the /Contents area starts at exactly the byte number that it started before, e.g:

"/ByteRange[ 0 4527 9361 34523] "

For any given signature you only need to consider the ByteRange for that signature. I don't understand why you think you need to check /ByteRange entries for any other signature. With respect to this signature, the others are just data and part of the hash.

Now you hash the entire file based on the /ByteRange you have specified. Generate the signature, and put it into the preallocated /Contents area (via _overwrite_).

All of this is done after (incrementally) saving the file. Moving anything around will break the Xref table.

Marc

On 9/4/2025 5:07 AM, Coetmeur, Alain wrote:
> I succeeded in making the saveIncremental() work, but the signature is invalid,
> because the /ByteRange is not consistent (Acrobat Reader and DSS do moan
> when verifying)...
>
> <Indication>FAILED</Indication>
> <SubIndication>HASH_FAILURE</SubIndication>
> <Errors Key="BBB_FC_IBRV_ANS">The /ByteRange dictionary is not consistent!</Errors>
> <Errors Key="BBB_CV_IRDOI_ANS">The reference data object is not intact!</Errors>
>
> So I'm wrong (before signing, PDF says the file is OK, so it must be my patch).
>
> My modification, based on 4.0.0-SNAPSHOT trunk, is just taking the maximum for
> byteRangeLength, thus in fact always 35: ...
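The fixed-width overwrite described in the quoted reply, and the kind of consistency check a validator applies to the result, as an added example that is not part of the thread and is not PDFBox or DSS code. The function names and the sample bytes are constructed for illustration, and the check assumes the buffer ends where the signed revision ends.

```python
import hashlib
import re

# Oversized placeholder, as quoted in the thread.
PLACEHOLDER = b"/ByteRange[1000000000 1000000000 1000000000 1000000000]"
BR_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build_sample(placeholder=PLACEHOLDER, hex_len=64):
    """Constructed stand-in for a saved signature dictionary (not a valid PDF)."""
    return (b"%PDF-1.7\n1 0 obj\n<</Type/Sig" + placeholder + b"/Contents<"
            + b"0" * hex_len + b">>>\nendobj\n%%EOF\n")

def patch_byte_range(buf, placeholder=PLACEHOLDER):
    """Overwrite the placeholder in place without moving any other byte."""
    start = buf.index(placeholder)
    c_open = buf.index(b"<", buf.index(b"/Contents", start))  # '<' of hex string
    c_close = buf.index(b">", c_open) + 1                      # one past its '>'
    real = b"/ByteRange[0 %d %d %d]" % (c_open, c_close, len(buf) - c_close)
    if len(real) > len(placeholder):
        raise ValueError("new ByteRange does not fit in the reserved space")
    real = real.ljust(len(placeholder))  # trailing spaces keep /Contents in place
    return buf[:start] + real + buf[start + len(placeholder):]

def check_byte_range(buf):
    """Return a list of consistency problems; an empty list means consistent."""
    m = BR_RE.search(buf)
    if not m:
        return ["no /ByteRange found"]
    o1, l1, o2, l2 = map(int, m.groups())
    problems = []
    if o1 != 0:
        problems.append("first range does not start at byte 0")
    if o1 + l1 > o2 or o2 + l2 > len(buf):
        return problems + ["ranges overlap or run past the end of the data"]
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", buf[o1 + l1:o2]):
        problems.append("gap between ranges is not exactly the /Contents string")
    if o2 + l2 != len(buf):
        problems.append("second range does not reach the end of the data")
    return problems

def signed_digest(buf):
    """SHA-256 over both ranges, i.e. every byte except the /Contents string."""
    o1, l1, o2, l2 = map(int, BR_RE.search(buf).groups())
    return hashlib.sha256(buf[o1:o1 + l1] + buf[o2:o2 + l2]).hexdigest()
```

Writing the real values without padding shortens the file, so the offsets inside the ByteRange no longer point at the /Contents string and the check reports the inconsistency.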