Problem to sign using Sha256


Problem to sign using Sha256

Rocco David
Hi,

I have used this http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp1 to sign a PDF file with a smart card
and HashAlgorithm sha = new SHA1CryptoServiceProvider();

But when I try to sign a PDF file with HashAlgorithm Sha256, I change

HashAlgorithm sha = new SHA1CryptoServiceProvider();
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1);

to

PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
HashAlgorithm sha = new SHA256Managed();

When I open the PDF signed in this case, my signature is invalid and I see this message:
"The document has been altered or corrupted since it was signed".

Can I have some help with this?

Regards
Rocco David

_______________________________________________
iText-questions mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/itext-questions

iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
Re: Problem to sign using Sha256

mkl
Rocco David,
Rocco David wrote:

> But when i try to sign a pdf file with HashAlgorithm Sha256 and so i change
>
> HashAlgorithm sha = new SHA1CryptoServiceProvider();
> PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1);
>
> in
>
> PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
> HashAlgorithm sha = new SHA256Managed();

Switching from ADBE_PKCS7_SHA1 to ADBE_PKCS7_DETACHED implies more differences than the hashing algorithm alone. Especially the document hash is inserted at a different position in the signature container.

Therefore, you had better have a look at the ADBE_PKCS7_DETACHED samples on the web page you referred to in your original mail and replace your signature container creation code accordingly.

Regards,   Michael
Re: Problem to sign using Sha256

Rocco David
Hi,

As you said, I looked again at the web page I referred to, and exactly at this example:
http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2

I force the DigestAlgorithm of the CmsSigner, but when it calls ComputeSignature I get this message:
Invalid algorithm specified.

    System.Security.Cryptography.Pkcs.ContentInfo contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(msg);

    // Instantiate SignedCms object with the ContentInfo above.
    // Has default SubjectIdentifierType IssuerAndSerialNumber.
    SignedCms signedCms = new SignedCms(contentInfo, detached);

    // Formulate a CmsSigner object for the signer.
    CmsSigner cmsSigner = new CmsSigner(signerCert);

    // Attempt to force the digest algorithm to SHA-256 by friendly name.
    Oid oid = new Oid();
    oid.FriendlyName = "SHA256";
    cmsSigner.DigestAlgorithm = oid;

    // Include the following line if the top certificate in the
    // smartcard is not in the trusted list.
    cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly;

    // Sign the CMS/PKCS #7 message. The second argument is
    // needed to ask for the PIN.
    signedCms.ComputeSignature(cmsSigner, false);

Can I have some help, please?
Re: Problem to sign using Sha256

Paulo Soares-4
The detached method doesn't use an external hash, just the one defined
in the signature (RsaWithSha256 for example). This means that you
don't have any hash and supply the cms with the full doc. See the
detached example.

Paulo

On Tue, Mar 20, 2012 at 3:23 PM, Rocco David <[hidden email]> wrote:

Re: Problem to sign using Sha256

Rocco David
What does it mean that I "do not have any hash and supply the cms with the full doc"?

I am using a smart card to obtain the signature; could you please be more clear about sha256?

Which detached example are you referring to?

Thanks
Re: Problem to sign using Sha256

Paulo Soares-4
See http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2
and SignDetached().

Paulo

On Tue, Mar 20, 2012 at 5:06 PM, Rocco David <[hidden email]> wrote:

Re: Problem to sign using Sha256

Rocco David
I saw that example and tried it. It's OK for SHA-1, but it doesn't work when I try to force the digest algorithm.
The problem is that cmsSigner.DigestAlgorithm is sha1 by default (I see it when debugging in Visual Studio).
In my previous post I said that when trying to set it to sha256, the line signedCms.ComputeSignature(cmsSigner, false);

returns "Invalid algorithm specified".

Could you please describe more clearly what you mean by:
"The detached method does not use an external hash, just the one defined
in the signature (RsaWithSha256 for example). This means that you
do not have any hash and supply the cms with the full doc"

Thanks again for your availability.
Re: Problem to sign using Sha256

Paulo Soares-4
You want to put a sha256 where it doesn't fit. Forget about it! There
are two ways of signing in PDF using a CMS container (without going
into CAdES): adbe.pkcs7.detached and adbe.pkcs7.sha1. If using
adbe.pkcs7.sha1 the digest that goes into the data section in the CMS
must use sha1. If using detached the digest used depends on the
signature in the certificate and you can't choose it. If you still want
to use sha256 you'll have to ask someone else as I've no idea what
you're talking about.

Paulo

On Tue, Mar 20, 2012 at 10:50 PM, Rocco David <[hidden email]> wrote:

Re: Problem to sign using Sha256

Rocco David
Hi,

If I use this http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2 (Detached),

I sign the document correctly, but the hash algorithm is SHA-1 (not in compliance with Italian regulations).

Enclosed I send you the details of the certificate, in which I would draw your attention to:

Signature Algorithm: sha256RSA
Thumbprint Algorithm: sha1

Are you sure that the hash algorithm is set by my temporary certificate in the Windows store, contained in the smart card?
Obviously, if I use a program such as FileProtector, I see a SHA-256 hash in Adobe, so my certificate should have no problem signing with SHA-256; is it perhaps a limitation of iTextSharp (the C# version)?

Instead, if I use this http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2 (Hashed),
how can I change these 2 lines of code to get a SHA-256 signature?

    PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKMS, PdfName.ADBE_PKCS7_SHA1);

    HashAlgorithm sha = new SHA1CryptoServiceProvider();

Thanks
Re: Problem to sign using Sha256

mkl
Rocco David,

as Paulo and I have said multiple times in this thread, you should not simply replace PdfName.ADBE_PKCS7_SHA1 by ADBE_PKCS7_DETACHED and every use of SHA1 by a SHA2 algorithm and expect everything to work. It won't.

Thus, let's work based on this http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2 (Detached).

If I understand you correctly, you are using a smart card (which you think can sign using SHA2 hash algorithms) and cannot tweak CmsSigner to use SHA-256 instead of SHA1. You attempt that using this code:

    Oid oid = new Oid();
    oid.FriendlyName = "SHA256";
    cmsSigner.DigestAlgorithm = oid;

So essentially your problem is getting .NET System.Security.Cryptography classes do what you want; this most likely is a question better suited for MS cryptography forums.

Two ideas, though:

 * Have you checked whether your smart card has multiple signing applications? There are a number of smart cards which have multiple ones, and not all of these applications support SHA2 digests. Maybe you have to select the right one.
 * Is "SHA256" really a friendly name recognized by that .NET Oid class? (I'm doing Java and don't know the .NET libraries in detail...) Have you tried using the OID string instead?

Regards,   Michael
Re: Problem to sign using Sha256

Rocco David
So it seems the only way to be able to sign with SHA-256 using a smart card is:
http://itextpdf.sourceforge.net/howtosign.html#signextitextsharp2 (Detached).

But are you sure that you can sign using SHA-256 with the SignDetached() from the link above?

Is there no other way to calculate the SHA-256 hash and then maybe sign with iTextSharp, so that you do not have a SHA-1 digest by default?

Can someone tell me exactly whether this signing issue with a SHA-256 hash is solvable with iTextSharp and BouncyCastle?
Re: Problem to sign using Sha256

mkl
Rocco David,

the sample now so often referred to contains that separate static method SignMsg which encapsulates the actual CMS signature container creation. Obviously you can exchange it with any implementation of that task using a security library of your choice as long as it works according to the parameters given.

I think, though, that System.Security.Cryptography is as capable as any other such library to create a SHA2-based signature.

Maybe you should address the problem the other way around. Write some code which can create a CMS signature container with a SHA2 signature for a byte[] using your smart card and then insert that very code in the SignMsg method.

Regards,   Michael

PS: Obviously afterwards some more optimization work is necessary. Holding the whole file as byte[] in memory is not a good idea in production environments after all.
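As an added illustration of what mkl and Paulo describe (not code from the thread or from the howtosign sample), here is a hypothetical SignMsg replacement for the Detached variant that pins the CMS digest to SHA-256 by dotted OID instead of the "SHA256" friendly name, plus a verifier-side check that reads back which digest the SignerInfo really carries. The class, method and variable names, the store lookup and the constructed sample content are assumptions; as in the sample, msg is the document byte range itself, not a hash of it.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Hypothetical drop-in for the sample's SignMsg (adbe.pkcs7.detached):
// the CMS content is the PDF byte range, the digest is chosen by OID.
public static class DetachedSha256Signer
{
    // id-sha256 from the NIST hash algorithm OID arc.
    public const string Sha256Oid = "2.16.840.1.101.3.4.2.1";

    public static byte[] SignMsg(byte[] msg, X509Certificate2 signerCert, bool detached)
    {
        SignedCms signedCms = new SignedCms(new ContentInfo(msg), detached);
        CmsSigner cmsSigner = new CmsSigner(signerCert);
        cmsSigner.DigestAlgorithm = new Oid(Sha256Oid); // OID string, not FriendlyName
        cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly;
        // silent = false so the card middleware may prompt for the PIN.
        // A CryptographicException "Invalid algorithm specified" raised here is
        // the key's provider (the card's CSP / signing application) refusing
        // SHA-256, which is the card-side question mkl raised above.
        signedCms.ComputeSignature(cmsSigner, false);
        return signedCms.Encode();
    }

    // First certificate with a private key in the user's My store; smart card
    // middleware normally propagates the card certificates there (assumption).
    public static X509Certificate2 FirstSigningCert()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 c in store.Certificates)
            if (c.HasPrivateKey) return c;
        throw new InvalidOperationException("no certificate with a private key in My store");
    }

    // Verifier side: re-attach the original bytes, verify the signature and
    // return the digest OID actually recorded, so a fallback to SHA-1 is
    // detected rather than assumed away.
    public static string VerifyAndGetDigestOid(byte[] msg, byte[] cmsBytes)
    {
        SignedCms signedCms = new SignedCms(new ContentInfo(msg), true);
        signedCms.Decode(cmsBytes);
        signedCms.CheckSignature(true); // true: verify signature only, no chain build
        return signedCms.SignerInfos[0].DigestAlgorithm.Value;
    }

    public static void Main()
    {
        byte[] msg = System.Text.Encoding.ASCII.GetBytes("constructed sample content");
        byte[] cms = SignMsg(msg, FirstSigningCert(), true);
        string oid = VerifyAndGetDigestOid(msg, cms);
        Console.WriteLine(oid == Sha256Oid ? "digest is SHA-256" : "digest is " + oid);
    }
}
```

The byte[] returned by SignMsg is what the sample writes into the /Contents of the ADBE_PKCS7_DETACHED signature dictionary; the verification half is the check to run before trusting any "I switched to SHA-256" claim.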