HASH, SMARTCARD and PKCS#7 detached

>
> Hello Guys,
>
> I've reviewed the whole mailing list but couldn't locate any thread where
> people could sign a PDF properly
> working with Java and using a smart card without direct access to the both:
> private key and middleware. All
>  threads I've found have the final message like "Please, help!".
>
> Of course, I've read and used all ideas proposed at
> http://itextpdf.sourceforge.net/howtosign.html.
> I've bought the book iText in Action, Second Edition - there is no real
> explanation how to sign without private key.
>
> "Page 404 Listing 12.19
> Let’s pretend you don’t have access to the private key, so you pass null to
> the set-
> Crypto() method . You use the setExternalDigest() method to reserve space in
> the
> signature dictionary for keys whose content isn’t known yet. You don’t close
> the Pdf-
> Stamper, but you preClose() the signature appearance. Then you create a
> Signature
> object using the private key;"
>
> How can we operate with private key if we assumed "Let’s pretend you don’t
> have access to the private key"? Or did I miss something?
>
> Please notice I do not claim. The book is really good and I am happy that
> I've bought this one.
> I just want to understand can I really use iText for working with smart
> card?
>
> I have an OMNI smart card which doesn't have any middleware for Java except
> .so module.
> So, I've written a PERL script which actually gets the hash, copies it to
> the smart card,
> signes it with private key (RSA2048), outputs the result - just a signed
> digest which is not in PKCS#7 format.
>
> My Java application does following:
>
> 1. Load certificates SHA256withRSA
>
> CertificateFactory factory = CertificateFactory.getInstance("X509");
> X509Certificate certificate1
> =(X509Certificate)factory.generateCertificate(new
> FileInputStream(certPath1));
> Certificate[] certs = new Certificate[2];
> certs[0] = certificate1;
> X509Certificate certificate2
> =(X509Certificate)factory.generateCertificate(new
> FileInputStream(certPath2));
> certs[1] = certificate2;
>
> 2.Initialize reader, stamper.
>
> PdfReader reader = new PdfReader(fileIn);
> PdfStamper stamper = PdfStamper.createSignature(reader, fout, '\0',  null,
> true);
> PdfSignatureAppearance sap = stamper.getSignatureAppearance();
>
> 3.Configure SignatureAppearance
>
> sap.setSignDate(new GregorianCalendar());
> sap.setCrypto(null, certs, null,
> PdfSignatureAppearance.SELF_SIGNED/*WINCER_SIGNED*/);
> sap.setReason("Debugging the signing process");
> sap.setLocation("Location");
> sap.setContact("Contact address");
> sap.setExternalDigest(new byte[513], new byte[20], "RSA");
> sap.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWE
> D);
>
> 4. Create signature dictionary
>
> PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE,
> PdfName.ADBE_PKCS7_DETACHED);
> dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certs[0]).getField("C
> N"));
> if (sap.getSignDate()!= null) dic.setDate(new PdfDate(sap.getSignDate()));
> if (sap.getReason()!= null) dic.setReason(sap.getReason());
> if (sap.getLocation() != null) dic.setLocation(sap.getLocation());
> if (sap.getContact() != null) dic.setContact(sap.getContact());
> sap.setCryptoDictionary(dic);
>
> 5. Reserve space for CONTENTS
>
> int csize = 15000;
> HashMap<PdfName, Integer> exc = new HashMap();
> exc.put(PdfName.CONTENTS, csize * 2 + 2);
> sap.preClose(exc);
>
> 6. Calculate content stream digest
>
> MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
> byte buf[] = new byte[8192];
> int n;
> InputStream inp = sap.getRangeStream();
> while ((n = inp.read(buf)) > 0) {
>  messageDigest.update(buf, 0, n);
>  fTmp1.write(buf, 0, n);//tmp - data for digest
> }
>
> byte hash[] = messageDigest.digest();
>
> 7.  Running PERL script and get the value of signed hash as is (not in
> PKCS#7 format)
> byte[] signedHashBytes = Base64.decodeBase64(signedHash);
>
> 8. And the most interesting part - create PKCS#7 object
>
> Calendar cal = sap.getSignDate();
> byte[] ocsp = null;
> String url = PdfPKCS7.getOCSPURL((X509Certificate) certs[0]);
> if (url != null && url.length() > 0) {
>      final OcspClientBouncyCastle ocspClient = new
> OcspClientBouncyCastle((X509Certificate) certs[0],
>      (X509Certificate) certs[1], url);
>      ocsp = ocspClient.getEncoded();
> }
>
>
> PdfPKCS7 sig = new PdfPKCS7(null, certs, null, "SHA256", null, false);
> sig.setExternalDigest(hash, signedHashBytes, "RSA");
>
> PdfLiteral pdfLiteral = (PdfLiteral) dic.get(PdfName.CONTENTS);
> byte[] outc = new byte[(pdfLiteral.getPosLength() - 2) / 2];
>
> byte[] ssig = sig.getEncodedPKCS7(null, cal, null, ocsp);
>
> Arrays.fill(outc,(byte)0);
>
> System.arraycopy(ssig, 0, outc, 0, ssig.length);
> PdfDictionary dic2 = new PdfDictionary();
> dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
> sap.close(dic2);
>
> 9.Result
>
> And as the result this code output PDF which Adobe believes was modified and
> hence signature is not valid:
> "The document has been altered or corrupted since it was signed"
>
> Can you advice what's wrong with code?
>
> Any help would be appreciated!
>
> Kind regards,
> Andriy.
>
>
>
>
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/HASH-SMARTCARD-and-PKCS-7-detache
> d-tp3047252p3047252.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
> ----------------------------------------------------------------------------
> --
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> iText-questions mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php

>
> Hi Andreas,
>
> That's right, I've found a lot of interesting information in this topic.
>
> OMNI Smart card provides only .so module without any Java middleware.
> This smart card works using CardOS.
>
> The card support PKCS11 interface. Initially I've installed openSC however
> there is a difference in
> directories structures which openSC suppose to use comparing with the
> directories the smartcard has.
> OpenSC copies data to the card, sign it, but failed to get the result as
> output is provided in another
> directory rather than OpenSC expects. Like a rough idea OpenSC  in FAQ
> propose to format the card,
> but this won't work for me as I'll lost private key data. This card was
> supplied by the client and I cannot
> change it. This is why I've stopped to use openSC and divided signing
> process in two steps: PERL script
> that covers operation with the smartcard and updated version of JSignPDF
> for
> supporting external signed  
> digest.
>
> However, getting the signed PDF I still have the problem with Adobe reports
>  "The document has been altered or corrupted since it was signed".
>
> I would appreciate if someone can advice what's wrong with code or how can
> I
> locate the
> reason of this message from Adobe.
>
> Cheers,
> Andriy.
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/HASH-SMARTCARD-and-PKCS-7-detache
> d-tp3047252p3048411.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
> ----------------------------------------------------------------------------
> --
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today
> http://p.sf.net/sfu/msIE9-sfdev2dev
> _______________________________________________
> iText-questions mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php
>

> Hi 0de55a
> sorry for disturb, but i think i have the same problem, but i don't know
> how
> i can convert my byte[] data to PKCS#7 format.
> Sorry, maybe it is very stupid question but i can't resolve this problem.
> Can you give me any advice?
> (I am working in c# but java it is ok)
>
> thanks in advance.
>
> --
> View this message in context:
> http://itext-general.2136553.n4.nabble.com/HASH-SMARTCARD-and-PKCS-7-detache
> d-tp3047252p3328061.html
> Sent from the iText - General mailing list archive at Nabble.com.
>
> ----------------------------------------------------------------------------
> --
> Free Software Download: Index, Search & Analyze Logs and other IT data in
> Real-Time with Splunk. Collect, index and harness all the fast moving IT
> data
> generated by your applications, servers and devices whether physical,
> virtual
> or in the cloud. Deliver compliance at lower cost and gain new business
> insights. http://p.sf.net/sfu/splunk-dev2dev 
> _______________________________________________
> iText-questions mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/itext-questions
>
> iText® is a registered trademark of 1T3XT BVBA.
> Many questions posted to this list can (and will) be answered with a
> reference to the iText book: http://www.itextpdf.com/book/
> Please check the keywords list before you ask for examples:
> http://itextpdf.com/themes/keywords.php
>

> Hi Andriy!
> Have you solved this problem?
> Thank you! Regards,
> Francesco
>
> _______________________________________________
> If you reply to this email, your message will be added to the discussion below:
> http://itext-general.2136553.n4.nabble.com/HASH-SMARTCARD-and-PKCS-7-detached-tp3047252p3850243.html
>
> To unsubscribe from HASH, SMARTCARD and PKCS#7 detached, visit реклама -----------------------------------------------------------
Никогда не покупали в интернете?
Лучшее место для покупок онлайн - http://aukro.ua