
Pdf client side signing via ITextSharp

I want to simulate client side signing via iTextSharp.

I have a valid certificate, which was exported into 2 files: a .cer file (public key) and a .pfx file (with the private key). The pfx file is used as the keystore. The public key is used on the "server".

I also have a PDF file, for example https://yadi.sk/i/6vuDlEPXi7oYz . My code is copied in this gist: https://gist.github.com/alex-t0/f446ccb5ca5e8936b778 .

In a nutshell, there are 3 methods:

  • ServerSidePrepare (prepare hashes, public key used)
  • ClientSideSign (signing via private key)
  • SaveSignedDocumentOnServer (combining signature into pdf on server).

But this code generates a PDF document whose signature is not valid. When the method MakeSignature.SignDetached is used, the signature in the PDF is valid, all OK.

How can I debug this and find the problem? Or maybe there are other examples of PDF client-side signing? With a server part, in C#.

You use the wrong digest in your GetEncodedPKCS7 call.

When first building the authenticated attributes you (correctly) use

sgn.getAuthenticatedAttributeBytes(messageHash, now, null, null, CryptoStandard.CMS)

but later when actually building the PKCS7 signature container you do

result.Sign.GetEncodedPKCS7(result.Hash, result.Now, null, null, null, CryptoStandard.CMS);

The parameters of these two calls must be identical (with the exception of the additional ITSAClient argument in the latter call). Otherwise the final authenticated attributes (built in GetEncodedPKCS7) are different from the original ones (built in getAuthenticatedAttributeBytes) and would require a different signature value.

Thus, you should include the byte[] messageHash in your DTO and use it in SaveSignedDocumentOnServer.
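
The mismatch described in the answer above, as an added example that is not part of the original post or of iTextSharp: it uses only the .NET base class library, and `BuildAuthenticatedAttributes` is a hypothetical, simplified stand-in for the attribute set iTextSharp builds. It assumes the wrong digest was the hash of the attributes; the page does not say what `result.Hash` actually held.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class AuthAttrMismatchDemo
{
    // Minimal DER TLV encoder (short-form length only, enough for this demo).
    static byte[] Tlv(byte tag, params byte[][] parts)
    {
        byte[] body = parts.SelectMany(p => p).ToArray();
        return new[] { tag, (byte)body.Length }.Concat(body).ToArray();
    }

    // OIDs under 1.2.840.113549.1: 9.3 contentType, 9.4 messageDigest, 9.5 signingTime, 7.1 id-data.
    static byte[] Oid(byte arc, byte last) =>
        Tlv(0x06, new byte[] { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, arc, last });

    // Hypothetical stand-in for the CMS attribute set: the digest and the time are both inside the signed bytes.
    static byte[] BuildAuthenticatedAttributes(byte[] digest, DateTime now)
    {
        string utc = now.ToUniversalTime().ToString("yyMMddHHmmss", CultureInfo.InvariantCulture) + "Z";
        return Tlv(0x31,
            Tlv(0x30, Oid(9, 3), Tlv(0x31, Oid(7, 1))),
            Tlv(0x30, Oid(9, 5), Tlv(0x31, Tlv(0x17, Encoding.ASCII.GetBytes(utc)))),
            Tlv(0x30, Oid(9, 4), Tlv(0x31, Tlv(0x04, digest))));
    }

    static void Main()
    {
        using (SHA256 sha = SHA256.Create())
        using (RSA key = RSA.Create()) // throwaway key standing in for the .pfx private key
        {
            // Constructed sample input standing in for the PDF's signed byte ranges.
            byte[] messageHash = sha.ComputeHash(Encoding.ASCII.GetBytes("constructed PDF byte ranges"));
            DateTime now = new DateTime(2015, 1, 1, 0, 0, 0, DateTimeKind.Utc);

            // Server prepare: hash the attributes; client: sign that hash.
            byte[] attrHash = sha.ComputeHash(BuildAuthenticatedAttributes(messageHash, now));
            byte[] sig = key.SignHash(attrHash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

            // Server save: the container's attributes are rebuilt, and a verifier hashes those rebuilt bytes.
            byte[] fromOtherDigest = sha.ComputeHash(BuildAuthenticatedAttributes(attrHash, now));
            byte[] fromMessageHash = sha.ComputeHash(BuildAuthenticatedAttributes(messageHash, now));
            Console.WriteLine("rebuilt from another digest verifies: " + key.VerifyHash(fromOtherDigest, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            Console.WriteLine("rebuilt from messageHash verifies: " + key.VerifyHash(fromMessageHash, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
        }
    }
}
```

The signing time is part of the signed bytes as well, which is why the same `now` value has to be carried from the prepare step to the save step along with `messageHash`.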
