Java Mailing List Archive

http://www.junlu.com/


[iText-questions] Invalid or Corrupt Signature

Chris C

2005-06-06


Apologies for the long post.

I am using iText (Version 1.3) to sign existing signature fields in
a PDF Document (using the Windows Certificate Security method). The
signature fields were originally created using iText as well. I am
getting an intermittent problem when creating the signatures. One of
the following three situations occurs.

1. Signature is created and is valid in Acrobat
2. IllegalArgumentException is thrown with message "The key /Contents
is too big"
3. Signature appears to be created successfully, but is invalid in
Acrobat (document has changed or has been corrupted).

I am using the same input document and key. The only parameter that
changes is the signing time. Having looked at the iText source I think
the problem is occurring when the digital signature is created. In the
getEncodedPKCS7 method in the PdfPKCS7 class, the digest is set to the
result of the sign method called on the Signature object. However, the
length of the byte array returned varies from 46 to 47 bytes. This
causes a problem because the getEncodedPKCS7 method is called twice
when generating the signature. It is called once during the
setSignInfo method and again during the getSignerContents method in
the PdfSigGenericPKCS class.

The setSignInfo method is called during the preClose method of the
PdfSignatureAppearance. The getSignerContents method is called from
the PdfStamper close method. The problem occurs when the returned
signatures are not the same length. The length of the /Contents key is
determined by the length of the signature generated during the
setSignInfo call. The actual byte value set in the PDF document
appears to be the one generated during the PdfStamper close method. If
both signatures are the same length, situation 1 occurs. If the first
signature is shorter than the second, situation 2 occurs. If the first
signature is longer than the second, situation 3 occurs.

There doesn't appear to be any way of predicting what will happen. It
can work 8 or 9 times in a row and then fail. Or it can fail on the
first try. I have tried two different documents and different
certificates. I have also tried using both the SunJCE and the
BouncyCastle one. The problem only occurs when using a DSA signature.

The following is the code I'm using to create the signatures:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;

import com.lowagie.text.pdf.AcroFields;
import com.lowagie.text.pdf.PdfReader;
import com.lowagie.text.pdf.PdfSignatureAppearance;
import com.lowagie.text.pdf.PdfStamper;

public class Example {

    public static void main(String[] args) {
        try {
            FileOutputStream fos = new FileOutputStream("c:/out.pdf");

            // Load the PKCS#12 key store
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(new FileInputStream("c:/testdsa.p12"), "password".toCharArray());
            String alias = (String) ks.aliases().nextElement();

            // Get the private key and certificate chain
            PrivateKey key = (PrivateKey) ks.getKey(alias, "password".toCharArray());
            Certificate[] chain = ks.getCertificateChain(alias);
            PdfReader _reader = new PdfReader("c:/signature.pdf");

            // Find the signature fields
            AcroFields af = _reader.getAcroFields();
            ArrayList names = af.getSignatureNames();
            PdfStamper stp = null;

            // Use append mode (last argument) when getSignatureNames() returned entries
            if (names.size() == 0) {
                stp = PdfStamper.createSignature(_reader, fos, '\0');
            } else {
                stp = PdfStamper.createSignature(_reader, fos, '\0', null, true);
            }

            // Configure the signature for the existing field "mysig"
            PdfSignatureAppearance sap = stp.getSignatureAppearance();
            sap.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
            sap.setReason("");
            sap.setLocation("");
            sap.setVisibleSignature("mysig");
            sap.setAcro6Layers(true);

            // Closing the stamper generates the signature and writes the file
            stp.close();
        } catch (Exception e) {
            e.printStackTrace(System.out);
        }
    }
}


Is this a problem with my set-up or a bug?



Regards

Chris
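
The length variation described in the post can be reproduced with the plain JCA API, without iText. The following is an added example, not part of the original post or of iText: the class name, the throwaway 1024-bit key and the `outcome` helper are assumptions made for illustration. A DSA signature uses a fresh random value each time and is DER-encoded as two ASN.1 INTEGERs, which drop leading zero bytes and gain a 0x00 byte when the top bit is set, so two signatures over identical input can differ in length.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Map;
import java.util.TreeMap;

public class DsaSignatureLengthDemo {

    // Sign the same bytes with the same key; only DSA's per-signature random value differs.
    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA1withDSA");
        sig.initSign(key);
        sig.update(data);
        return sig.sign(); // DER: SEQUENCE { INTEGER r, INTEGER s }
    }

    // Map a (first, second) length pair onto the three situations listed in the post.
    static String outcome(int first, int second) {
        if (first == second) return "situation 1 (same length)";
        if (first < second) return "situation 2 (first shorter than second)";
        return "situation 3 (first longer than second)";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed throwaway key, not the poster's testdsa.p12.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024); // 160-bit q, so r and s are at most 20 bytes each
        KeyPair kp = kpg.generateKeyPair();
        byte[] data = "same input every time".getBytes(StandardCharsets.UTF_8);

        Map<Integer, Integer> lengths = new TreeMap<>();
        Map<String, Integer> outcomes = new TreeMap<>();
        for (int i = 0; i < 200; i++) {
            byte[] first = sign(kp.getPrivate(), data);  // stands in for the call that sizes /Contents
            byte[] second = sign(kp.getPrivate(), data); // stands in for the call whose bytes are written
            lengths.merge(first.length, 1, Integer::sum);
            outcomes.merge(outcome(first.length, second.length), 1, Integer::sum);
        }
        System.out.println("DER signature lengths seen: " + lengths);
        System.out.println("Outcome counts: " + outcomes);
    }
}
```

The counts change from run to run because the signatures are randomized, which matches the intermittent behaviour reported with an unchanged document and key.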


