Signature Dictionary 'Filter'

I have a question about the 'filter' in the signature dictionary. It is defined as (taken from PDF 1.4 due to PDF/A):
Filter name (Required; inheritable) The name of the signature handler to be used for authenticating the field’s contents, such as Adobe.PPKLite, Entrust.PPKEF, CICI.SignIt, or VeriSign.PPKVS.
1.) A plugin is used to validate signatures, right? (please correct me if I am wrong here)
2.) Can the subfilter (like adbe.pkcs7.detached or adbe.pkcs7.sha1) also be used with other filters than adobe.ppklite?
2) The Adobe.PPKLite is the "default" plugin? (which every reader since 5.0 or so has)
3.) The other handlers are also part of acrobat? (such as entrust, verisign etc.)
4.) What must I do to register my own handler?
5.) What would happen if one would set the filter which is not existent?
Thanks for clarification,
ToM

1 - Yes, handlers are implemented in plugins.
2 - The subfilter really defines the details of the signature - it's the important piece of information in the signature dictionary (well, short of the Contents). The Filter is more of a recommendation of what technology to use to handle the subfilter. So yes, it can and yes, PPKLite is the default since Acrobat 4 (when DigSig was introduced).
3 - Other handlers MAY be provided or they may be in 3rd party plugins that a user would need to install. There are numerous 3rd party DigSig plugins.
4 - Follow the instructions in the Acrobat SDK for building a DigSig plugin and Annex E of the PDFReference.
5 - If the subfilter is a standard value (say adbe.pkcs7.detached), then Acrobat/Reader will process it accordingly. If you also have a custom subfilter, then you'll get a message for the user to download a plugin.

Similar Messages

  • IPS custom signature to filter email domain

    Using IPS 5.0.
    I'm creating custom signature on SMTP using State Name: SMTP Commands.
    My question:
    1. On the Regex String, what should I key in to disable any users from the sex.com domain to send me email. I have keyed in
    [Mm][Aa][Ii][Li][\t][Ff][Rr][Oo][Mm]:^.@[Ss][Ee][Xx].[Cc][Oo][Mm]
    but I don't think this is correct... am I??
    2. In the State Name(SMTP), they have
    Abort, Mail Body, Mail Header, SMTP Commands and Start. Can anyone provide the information (URL) and example of how to use these....
    Thanks in advance...

    The documentation for 5.1 is located at:
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_guide_book09186a008055de07.html
    I believe the regex you want is:
    [Mm][Aa][Ii][Ll][\t][Ff][Rr][Oo][Mm][:][\x21-\x7E]+[@][Ss][Ee][Xx].[Cc][Oo][Mm]
    The + field allows for any printable characters (but there must be at least 1) in the senders email address. You should use the SMTP state machine with the SMTP Commands state set, direction to service port 25.

  • How can i set signature creation/modification time at signature creation?

    Hi,
    I have an Acrobat plugin (PubSec), written using SDK 9 and running on Acrobat X. I have noticed that after creating a new signature using my plugin, the signing time I put in the signature appearance is different from the "M:" entry in the signature dictionary. I tried the same process (i.e. signature creation) using Adobe's default plugin, but this time there was no discrepancy in the datetime values.
    The time difference is variable, usually a couple of seconds. I have tried to set the "M:" entry in the signature dictionary "V" via the following code in the
    SigGetProperties() callback:
    #include <string>
    void DSEngine::sigGetSigProperties( PSSigSigPropParams params )
    {
          std::string dateString = "20110518163011+04'00'";    // here I have used the current time as well, but it doesn't work
          // used the "D:20110518163011+04'00'" version as well, but no use
          // wrap the date string in an ASText and store it as the signature's date property
          ASText dateText = ASTextFromScriptText ((const char*)dateString.c_str(), kASRomanScript);
          ASCabPutText(params->outNewSigPropCab, PROP_SigProp_Date, dateText);
    }
    Please help me remove this time difference.
    Who sets the "M:" value and at which point during signature creation (I mean in which callback)?
    Is above code the right way to set "M:" entry (i.e. signing time) of signature dictionary "V"?
    Is the sigGetSigProperties() callback the right place to put this code?
    Thanks

    As far as I'm aware GarageBand for iPad only supports 4/4 time, at least in its present form.
    tt2

  • Verifying digital signatures in PDF documents

    I'm working on verifying PDFs digital signatures.
    I know that when a PDF is signed, a byterange is defined, the certificates get embedded, and from what I've read, the signed message digest and the timestamp are also stored in the PDF.
    I already can extract the certificates and validate them. Now I'm trying to validate the pdf's integrity and my problem is I don't know where the signed message digest is located.
    In this sample signed pdf (http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf), I can clearly identify the digest since it is down below the embedded certificates: /DigestMethod/MD5/DigestValue/ (line 1520).
    But that PDF sample seems to be from 2009, and I suspect the message digest is stored in a different way now, because I signed a PDF with Adobe Reader and I can't find any message digest field like the previous one. Can someone tell if the digests are now stored in a different way? Where are they located?
    Anyway, for now I'm using that sample document, and trying to verify its integrity. I'm getting the document's bytes to be signed according to the specified byterange, and digesting them with the MD5 algorithm, but the digest value I get doesn't match the one from the message digest field... Am I doing something wrong? Is the digest also signed with the signer's private key?
    I appreciate any help.

    You cannot rely on the digest to be in a certain place in PDF. If you want to manually verify the digest in a PDF signature here's what you need to do.
    1. Open PDF in a Text Editor.
    2. Find Signature Dictionary for your signature.
    3. Get the Hex String which is the value of the /Contents entry in the Signature Dictionary.
    4. Convert Hex String to binary string and discard trailing zeros. Remember that in a Hex string each byte is represented with two characters and the last one might be a zero. So, when you discard zeros make sure that what you get left has even number of bytes.
    5. Use one of the commercially available BER Viewers (you can find free BER Viewers on the Web) to convert the binary string to ASN.1 representation.
    6. Analyze the BER-decoded PKCS#7 signature object (RFC 2315 describes it) and find the digest that you are looking for in it. It is an OCTET STRING.
    If you want to programmatically validate a signature, you need to write code that does all that. Signature validation includes much more than checking the digest. You need to build the chain, validate each certificate in the chain, check revocation for each certificate in the chain, etc. RFC 5280 is the guide to what to do.
    Good luck!
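
The six manual steps in the reply above, as an added Python example (not code from the original posts). It assumes one signature whose dictionary is uncompressed, SubFilter adbe.pkcs7.detached with signed attributes, definite-length DER, and a digest algorithm supplied by the caller; all function names are hypothetical, and the sample file and its structurally reduced CMS blob (no certificates, dummy signature value) are constructed.

```python
import hashlib
import re

OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4

def read_tlv(buf, pos):
    """Decode one definite-length TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    elif first == 0x80:
        raise ValueError("indefinite-length BER is not handled in this example")
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, start, start + length

def parse_signature_dict(pdf):
    """Steps 2-3: pull /ByteRange and the /Contents hex string out of the raw file."""
    br = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    ct = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", pdf)
    if not br or not ct:
        raise ValueError("no signature dictionary found")
    rng = [int(x) for x in br.groups()]
    # For this single-signature sample the two ranges must cover the whole
    # file except the <...> hex string, delimiters included.
    gap_ok = (rng[0] == 0 and rng[1] == ct.start(1) - 1
              and rng[2] == ct.end(1) + 1 and rng[2] + rng[3] == len(pdf))
    return rng, bytes.fromhex(ct.group(1).decode()), gap_ok

def trim_padding(blob):
    """Step 4: cut at the outer DER length instead of blindly stripping zeros."""
    tag, _, end = read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("expected an outer SEQUENCE")
    if any(blob[end:]):
        raise ValueError("non-zero bytes after the CMS object")
    return blob[:end]

def find_message_digest(der):
    """Steps 5-6: walk the TLV tree and return the messageDigest OCTET STRING."""
    stack = [(0, len(der))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            tag, vs, ve = read_tlv(der, pos)
            if tag == 0x06 and der[vs:ve] == OID_MESSAGE_DIGEST:
                set_tag, ss, _ = read_tlv(der, ve)    # SET OF attribute values
                oct_tag, os_, oe = read_tlv(der, ss)  # the digest itself
                if (set_tag, oct_tag) != (0x31, 0x04):
                    raise ValueError("malformed messageDigest attribute")
                return der[os_:oe]
            if tag & 0x20:                            # constructed: descend later
                stack.append((vs, ve))
            pos = ve
    return None

def check_digest(pdf, algo="sha256"):
    """True when the ByteRange digest equals the messageDigest attribute."""
    rng, raw, gap_ok = parse_signature_dict(pdf)
    h = hashlib.new(algo)
    for off, length in zip(rng[0::2], rng[1::2]):
        h.update(pdf[off:off + length])
    return gap_ok and h.digest() == find_message_digest(trim_padding(raw))

def tlv(tag, value):
    """Minimal DER encoder, used only to construct the sample blob."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + value

def build_sample(slot_bytes=128):
    """Constructed input: a PDF-like file with a zero-padded /Contents slot."""
    head_a = (b"%PDF-1.4\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
              b" /SubFilter /adbe.pkcs7.detached /ByteRange [")
    tail = b" >>\nendobj\n%%EOF\n"
    head_len = len(head_a) + 40 + len(b"] /Contents ")
    rng = b"0 %d %d %d" % (head_len, head_len + 2 * slot_bytes + 2, len(tail))
    head = head_a + rng.ljust(40) + b"] /Contents "
    digest = hashlib.sha256(head + tail).digest()
    attr = tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST) + tlv(0x31, tlv(0x04, digest)))
    # Dummy signature value of eight zero bytes: the DER itself ends in zeros.
    signer = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA0, attr) + tlv(0x04, bytes(8)))
    cms = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010702"))
              + tlv(0xA0, tlv(0x30, tlv(0x31, signer))))
    return head + b"<" + cms.hex().encode().ljust(2 * slot_bytes, b"0") + b">" + tail

if __name__ == "__main__":
    print(check_digest(build_sample()))
```

A match only shows that the signed messageDigest attribute agrees with the file bytes; the signature over the attributes and the certificate chain still have to be validated, as the reply says.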

  • PDF digital signatures for beginners

    I am developing a PHP application that automatically signs pdf files and I am very confused about certain aspects. I read the PDF specifications and managed through the part of adding annotation, objects, empty signature field, etc but I don't seem to understand anything about computing the hash for the /Contents in the signature dictionary. The documentation is pretty vague about this part. Here's what I am interested in:
    what specific hash algorithm do I have to apply to the newly generated pdf file with the dummy signature?
    (I should mention that I am inclined to use adbe.pkcs7.detached or adbe.pkcs7.sha1 for the /SubFilter.)
    what is the content of the pkcs7 envelope and how do I generate it?
    how to convert the pkcs7 envelope to hex?
    I must mention I have no training in cryptography and I've come to this forum after a few days of reading up on the subject without any success.

    I am at the point where I have a certificate, a private key (in PEM or DER format) and a binary string (the data that needs to be hashed). It would be helpful if someone could explain to me (in plain English, like telling a story) what to do to obtain the final value of the signature that's going to go in the final version of the file (i.e. the value for the /Contents).
    I must say that I've tried a work-around: I tried openssl_pkcs7_sign, which signs an S/MIME message, and tried to extract the signature from there, and I got to the point where, when opening the file in Acrobat, I get the message that the signature is invalid because the document has been altered or corrupted since it was applied. Since this doesn't work I am ready to implement the hashing function from scratch, but I didn't find anywhere an example, structure or any other information on the pkcs7 envelope for PDF files. I am glad for any help, even if it means just some reading suggestions (with titles, maybe links, not just saying that I need to do more reading, please).
    I am also attaching a file and maybe someone can analyze it and tell me what is wrong with it. I know there is some unnecessary data in the file, but I believe it has nothing to do with the signature.

  • Acrobat/Reader and PADES (Digital Signatures)

    I've read the document that James King of Adobe published and made the configurations to make Acrobat PADES compliant. However when I sign a document and inspect the generated CMS package inside the PDF, the signing-certificate value in Signed-Attributes is not present. So I'm assuming that the signature is still not PADES-BES compliant. Is there anything I can do to make Acrobat put a PADES-BES signature?
    Also, for verification, I made a test. I've externally signed a PDF with a CMS packet that has the signing-certificate signed attribute. The signature has been validated in Acrobat. After that, I've intentionally put a random value as the signing-certificate value. When I opened that PDF, it still validated fine in Acrobat. Therefore I understand that Acrobat doesn't do full PADES-BES validation. Is this right? Is there a configuration that can make Acrobat do a full PADES validation?
    I'm using 9.1.3 version of Acrobat under Windows.
    Thanks in advance

    Hi Stewen,
    Thank you for your answer.
    I've taken the value of the Contents entry and inspected it with an ASN.1 viewer. You're right, the signing certificate is in the PKCS7 (CMS) package. However, PaDES doesn't suffice with that. It requires a signing-certificate value in the signed attributes inside the SignerInfo sequence in CMS. Also, the subfilter value should say ETSI.CAdES.detached as mandated in ETSI TS 102 708-3 V.1.1.1 page 8.
    e) The signature dictionary shall contain a value of ETSI.CAdES.detached for the key SubFilter.
    Since we are mandated by EU guidelines our customers require ETSI compatibility.
    Thanks for your help

  • /Contents entry in digital signatures

    Hi All,
    I have a problem in making the /Contents entry while trying to sign a PDF document. In fact there is a problem in calculating the ByteRange digest and then encrypting it.
    I have seen Cryptographic Message Syntax v1.5. So I am using the Signed-Data content type. I am not using any authenticated attributes, so there is only the content field of ContentInfo.
    Now please tell me what is included in the content field? My assumption is that only the ByteRange message is included. Then I calculate the DER encoding of the ByteRange message and calculate the hash of it using the SHA1 algorithm. Please tell me whether I am right or wrong?
    Best Regards
    Muhammad Akmal

    Dear Bernd Alheit
    In fact I am working on a "PDF File Generator" using the .NET framework. If you
    have any idea of the signature dictionary and the PDF language then please help me
    out in this regard.
    thanks
    Best Regards

  • How to use time from external source as signature time?

    Hi,
    I have a PubSec-based Acrobat X plugin for signature creation and verification. So far I knew that Acrobat was using my local system time to get the signing time and saved that time in the signature dictionary. Now I have to get the signing time from an NTP server, which is different from my local system time, and I want to put this time in the signingTime (M) of the signature dictionary. But so far I am unable to modify the (M) dictionary value.
    Can you please guide me to achieve this goal?
    thanks

    Thanks for your prompt reply.
    Actually, using timestamps is not an option. Machine time can be changed and my requirement is to use NTP time during signing and set this time as the signing time in the signature dictionary. I have tried adding the time in the M dictionary in the SigGetSigProperties() and SigGetSigValue() callbacks, but it has no effect.
    My question is, is it possible to use a time other than machine time as the signing time in a signature (in the signature dictionary)?
    If yes, then how can I achieve this? A hint or a point in the right direction can suffice.
    If no, then is this limitation part of the new plugin framework? Because as far as I remember, it was allowed in DigSig plugins.
    Finally, can I achieve my goal in an unorthodox way?
    thanks

  • JDWP reference implementation does not return anonymous nested classes?

    Using
    $ java -version
    java version "1.6.0_22"
    Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
    Java HotSpot(TM) Client VM (build 17.1-b03, mixed mode, sharing)
    it appears that when I connect with JDWP and issue a NestedTypes command, the result does not include anonymous nested types. The only references to this that I could find is a comment in a svn commit at apache (http://mail-archives.apache.org/mod_mbox/harmony-commits/200611.mbox/%[email protected]%3E)
    Is this intentional and desired? Is there a way to get all of the nested types, including the anonymous ones? I could do ClassesBySignature with "package.ClassName$*" as the signature and filter out doubly nested classes, but that seems overly complicated.

    "except, you can NOT have an implementation of an abstract class (which foundPlugin) is without an implementation of all its subclasses (such as argsObject)"
    You're mistaken in a couple of ways here.
    First, a nested class is not the same as a subclass.
    Second, a concrete class must have implementations for all its methods, but it can still have an abstract nested class.
    Third, you can have an instance of a concrete class that has abstract subclasses. Object is concrete and has many concrete subclasses. Classes don't know anything about their subclasses.
    This compiles.
    public abstract class AbOut {
      public abstract class AbIn {  public abstract void bar(); }
    }
    public class ConcOut extends AbOut {
      public abstract class AbIn2 { public abstract void foo();}
    }
    "foundPlugin MUST have an implementation of argsObject, according to the rules of java,"
    And you think this because...?
    You read it in the JLS? Citation please.
    You tried to compile and it failed? My sample above demonstrates the counterexample. If I'm misunderstanding what you're talking about, please post an example.
    Or maybe you just thought it had to be that way because that seemed the most intuitive and when it wasn't, rather than trying to understand or adjust your thinking, you figured it would be more fun to throw a hissy fit and call Java "stupid"?

  • Problem signing PDF from smart card - BouncyCastle, IAIK Wrapper, iText

    Hello!
    I need to sign and timestamp a PDF document with a smartcard. I'm using Java 1.6, iText to manage PDF, BouncyCastle to deal with cryptography and the free IAIK WRAPPER to access the smartcard.
    I've already searched the Internet to solve my problem, read the PDF specifications about the signature and followed snippets that should've worked, but after a couple of weeks I still don't have working code, not even for the signature. All the tries I made yield messages like "Signature has been corrupted" or "Invalid signature" (I can't remember the exact messages, but they're not in English anyway :D ) when I verify the signature in Adobe Reader.
    My first goal was to use an encapsulated signature, using filter Adobe.PPKLITE, subfilter adbe.pkcs7.sha1 and a DER-Encoded PKCS#7 object as content.
    Among the tries I made, I used code such as (I don't include all modifications, just the ones I deem closer to the right approach):
         // COMMON - START
         ///// selectedKey is a iaik.pkcs.pkcs11.objects.Key instance of the private key I'm taking from the SC
         RSAPrivateKey signerPrivKey=(RSAPrivateKey)selectedKey;
         CertificateFactory certificateFactory=CertificateFactory.getInstance("X.509");
         ///// correspondingCertificate is a iaik.pkcs.pkcs11.objects.X509PublicKeyCertificate instance of the certificate I'm taking from the SC
         byte[] derEncodedCertificate=correspondingCertificate.getValue().getByteArrayValue();
         X509Certificate signerCert=(X509Certificate)certificateFactory.generateCertificate(new ByteArrayInputStream(derEncodedCertificate));
         Provider provider=new BouncyCastleProvider();
         Security.addProvider(provider);
         ///// session is an instance of iaik.pkcs.pkcs11.Session
         session.signInit(Mechanism.SHA1_RSA_PKCS, signerPrivKey);
         File theFile = new File("C:\\toSign.pdf");
         FileInputStream fis = new FileInputStream(theFile);
         byte[] contentData = new byte[(int) theFile.length()];
         fis.read(contentData);
         fis.close();          
         PdfReader reader = new PdfReader(contentData);
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         PdfStamper stp = PdfStamper.createSignature(reader, baos, '\0');
         PdfSignatureAppearance sap = stp.getSignatureAppearance();
         // COMMON - END
         java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
         CertificateFactory factory=CertificateFactory.getInstance("X.509");          
         certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
         sap.setSignDate(new GregorianCalendar());
         sap.setCrypto(null, certs, null, null);
         sap.setReason("This is the reason");
         sap.setLocation("This is the Location");
         sap.setContact("This is the Contact");
         sap.setAcro6Layers(true);
         PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_SHA1);
         dic.setDate(new PdfDate(sap.getSignDate()));
         dic.setName(PdfPKCS7.getSubjectFields((X509Certificate)certs[0]).getField("CN"));
         sap.setCryptoDictionary(dic);
         int csize = 4000;
         HashMap exc = new HashMap();
         exc.put(PdfName.CONTENTS, new Integer(csize * 2 + 2));
         sap.preClose(exc);
         MessageDigest md = MessageDigest.getInstance("SHA1");
         InputStream s = sap.getRangeStream();
         int read = 0;
         byte[] buff = new byte[8192];
         while ((read = s.read(buff, 0, 8192)) > 0)
              md.update(buff, 0, read);
         byte[] signature=session.sign(buff);
         CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
         ArrayList list = new ArrayList();
         for (int i = 0; i < certs.length; i++)
              list.add(certs);
         CertStore chainStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(list), provider);
         generator.addCertificatesAndCRLs(chainStore);
         CMSProcessable content = new CMSProcessableByteArray(md.digest());
         CMSSignedData signedData = generator.generate(CMSSignedDataGenerator.ENCRYPTION_RSA, content, true, provider);
         byte[] pk = signedData.getEncoded();
         byte[] outc = new byte[csize];
         PdfDictionary dic2 = new PdfDictionary();
         System.arraycopy(pk, 0, outc, 0, pk.length);
         dic2.put(PdfName.CONTENTS, new PdfString(outc).setHexWriting(true));
         sap.close(dic2);
         File newOne = new File("C:\\signed.pdf");
         FileOutputStream fos = new FileOutputStream(newOne);
         fos.write(baos.toByteArray());
         fos.close();
    I figured this is the right approach, but I need a way to generate the CMSSignedData instance, which can't be done using addSigner (the only documented way I found), since the private key is not extractable from a smart card...
    Then I decided to give up and try with a detached signature:
         // COMMON - START
         // Same as above
         // COMMON - END
         sap.setSignDate(new GregorianCalendar());
         java.security.cert.X509Certificate[] certs=new java.security.cert.X509Certificate[1];
         CertificateFactory factory=CertificateFactory.getInstance("X.509");          
         certs[0]=(X509Certificate)factory.generateCertificate(new ByteArrayInputStream(correspondingCertificate.getValue().getByteArrayValue()));
         sap.setCrypto(null, certs, null, PdfSignatureAppearance.SELF_SIGNED);
         sap.setSignDate(java.util.Calendar.getInstance());
         sap.setExternalDigest (new byte[8192], new byte[20], "RSA");
         sap.preClose();
         MessageDigest messageDigest = MessageDigest.getInstance ("SHA1");
         byte buff[] = new byte[8192];
         int n;
         InputStream inp = sap.getRangeStream ();
         while ((n = inp.read (buff)) > 0)
              messageDigest.update (buff, 0, n);
         byte hash[] = messageDigest.digest();
         byte[] signature=session.sign(hash);
         PdfSigGenericPKCS sg = sap.getSigStandard ();
         PdfLiteral slit = (PdfLiteral)sg.get (PdfName.CONTENTS);
         byte[] outc = new byte[(slit.getPosLength () - 2) / 2];
         PdfPKCS7 sig = sg.getSigner ();
         sig.setExternalDigest (session.sign(hash), hash, "RSA");
         PdfDictionary dic = new PdfDictionary ();
         byte[] ssig = sig.getEncodedPKCS7();
         System.arraycopy (ssig, 0, outc, 0, ssig.length);
         dic.put (PdfName.CONTENTS, new PdfString (outc).setHexWriting(true));
         sap.close (dic);
         File newOne = new File("C:\\signed.pdf");
         FileOutputStream fos = new FileOutputStream(newOne);
         fos.write(baos.toByteArray());
         fos.close();
    I'm still stuck to the signature process, can anyone please tell me what I'm doing wrong and help me (snippets would be deeply appreciated), maybe even changing approach in order to be able to add a digital timestamp?
    Thank you very much in advance!
    PS: I had also tried to use the SunPKCS11 provider to access the smart card, I gave up for similar problems, but if someone has suggestions using it, they're welcome! :D

  • Getting Error:Digitally Signing documents using Acrobat SDK

    I am using the following APIs to digitally sign a document using the Acrobat SDK but I am getting an error (return code -2) while making a call to the following API: DigSigCommitSigRefDict(ASAtomFromString("DocMDP"), tempDict, &pOutRefDict);
    What am I missing?
    Here's my code.
        CosObj sigDict = CosNewDict(cosDoc, true, 1L);                         //Signature Dictionary Cos Object
        CosObj  sigRefDict= CosNewDict(cosDoc, true, 1L);                    //Signature Reference Dictionary Cos Object
        CosDictPut(sigRefDict, ASAtomFromString("TransformMethod"), CosNewName(cosDoc, false, ASAtomFromString("DocMDP")));
        CosDictPut(sigRefDict, ASAtomFromString("Type"), CosNewName(cosDoc, false, ASAtomFromString("SigRef")));
        refArrayObj = CosNewArray(cosDoc, false, 1L);                         //Reference array object inside signature dictionary
        CosArrayInsert(refArrayObj,1, sigRefDict);
        CosDictPut(sigDict, ASAtomFromString("Reference"), refArrayObj);
        CosDictPut(sigDict, ASAtomFromString("Type"), CosNewName(cosDoc, false, ASAtomFromString("Sig")));  
        CosDictPut(sigField, ASAtomFromString("V"), sigDict);               //SigField is an AcroForm object
        DSSigRefDictParamsRec myDSSigRefDictParams;
        myDSSigRefDictParams.size = sizeof(DSSigRefDictParamsRec);
        myDSSigRefDictParams.cosDoc  = PDDocGetCosDoc(pdDoc);
        myDSSigRefDictParams.rootObj   = cRoot;
        myDSSigRefDictParams.sigDict   = sigDict ;
        myDSSigRefDictParams.transformMethod   = ASAtomFromString("DocMDP");
        //myDSSigRefDictParams->transformParams   =
        myDSSigRefDictParams.bIndirect    = true;
        DSSigRefDictErrParams errParams;
        DSRetCode retCode = DigSigNewSigRefDict(&myDSSigRefDictParams,errParams);
        CosObj pOutRefDict;
        retCode = DigSigCommitSigRefDict(ASAtomFromString("DocMDP"),sigDict , &pOutRefDict);
        retCode = DigSigFinishSigRefDict(ASAtomFromString("DocMDP"), sigDict , pOutRefDict,errParams);
    -amit

    Thanks for the tip George. I'm using Acrobat Pro X to create a form. Can you tell me how to make the form reader-enabled so that it can be digitally signed?
    Josh

  • End user releasing own emails based on Policy/Content

    Hiya all,
    New to this forum and my first post so hello to all
    We recently installed a couple of C360 and an M series and they all are working well.
    We have also setup Profanity based filtering and as a result many swear words are being rejected.
    This is setup using dictionaries.
    But we are also getting a high number of false positives and as a result our Techsupport team is inundated with requests to release emails.
    I know with SPAM Quarantine there is End-User Quarantine Access but I don’t see this with Policy Quarantine.
    The end result I want is for end users to release their own emails blocked based on profanity.
    Is this possible?
    My apologies if this has been asked in the past.
    Ivan.
    :D :D

    Welcome aboard Ivan!
    The main reason there is a separation between IronPort Spam Quarantine (ISQ) and policy quarantine (aka system quarantine) is that ISQ is mainly used in conjunction with the anti-spam verdict/results, while policy quarantine is used as a result of administrative/company policy (e.g. like a profanity dictionary filter in your case).
    Another difference between the two is that ISQ is accessible by the end user. Policy quarantine is accessible only by the admin of the machine.
    Here is a KB article that goes over their diffs.
    What is the difference between IronPort Spam Quarantine and System Quarantine?
    http://tinyurl.com/233qkq
    Now, there is a way to tweak it so that the content filter sends it over to the ISQ. Now keep in mind by doing this, you're mixing profanity filter verdicts with anti-spam results. It may be confusing for the end user unless you prepend the profanity stuff with "[Contains profanity]" at the beginning of the subject line.
    This Cisco IronPort support portal KB article goes over how to send content filter results over to the ISQ.
    Can a Content Filter divert messages to the IronPort Spam Quarantine?
    http://tinyurl.com/coebj3
    Good luck and let me know if that doesn't address your concern.

  • XML Security - How to sign a single TAG

    Hello there!
    Well, recently I started to develop some apps using XML Security from OSDT (Oracle Security Developer Tools). I got the sample code for:
    SimpleSing
    SignAndEncrypt
    I understand how this works, based on the W3C standard for XML Digital Signature. I got my app working fine ...
    By now, I have some doubts about some issues. Is it possible to do a signature for only one TAG from the original XML, i.e.:
        <?xml version="1.0"?>
        <account>
        <name>My Name</name>
        <id>231233</id>
        <amount>2313.00</amount>
        <location>US</location>
        </account>
    I need to know if I can apply a Digital Signature for only the TAG <amount>.
    Is this possible? I read a few documents about signatures, but I didn't get lucky.
    thanks in advance
    VieL.

    OK, I got another solution, the elegant solution :)
    I just read the XML Signature XPath Filter 2.0 recommendation (http://www.w3.org/TR/xmldsig-filter2/) and I can apply this using the OSDT API.
    And I just need to specify an XPath expression (like ram* said, and without extra steps) in the Transform Element, like this:
        XSSignature sig = XSSignature.newInstance(doc, "Sig");
        XSReference ref = sig.createReference();
        XSAlgorithmIdentifier est = sig.createXPathTransform("dsig", XMLURI.ns_xmldsig, "ancestor-or-self::aTagName");
        ref.addTransform(est);
    and this generates an XML Signature like this:
        <dsig:Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Id="Sig">
        <dsig:SignedInfo Id="Sig.SigInfo">
        <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <dsig:Reference Id="Sig.Ref" URI="">
        <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
        <dsig:XPath>ancestor-or-self::aTagName</dsig:XPath>
        </dsig:Transform>
        </dsig:Transforms>
        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <dsig:DigestValue>HKlJpmpS5AhpC95I4EG9yN53vxk=</dsig:DigestValue>
        </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue Id="EnvelopedSig.SigValue">
        GLsrWNnKR1EgVHTLgCxPZtEx/wk18MvOcG7wd2ua066jAaT5xn10qXuU66tgozt6M2AERvgbh6+ZXUwMvyNcPw==
        </dsig:SignatureValue>
        <dsig:KeyInfo Id="Sig.KeyInfo">
        <dsig:KeyValue>
        <dsig:RSAKeyValue>
        <dsig:Modulus>
        xyKQm6k42cha9kAt5SlT/Lg2iZhz7t3tV3Ow7TCgoN3YH2sIIC4dEjMbIPwkLpVwMSLUDCcu0sEI6JK4bgt0EQ==
        </dsig:Modulus>
        <dsig:Exponent>AQAB</dsig:Exponent>
        </dsig:RSAKeyValue>
        </dsig:KeyValue>
        </dsig:KeyInfo>
        </dsig:Signature>
    The recommendation says that there are 3 kinds of filters: intersect, subtract and union. To sign just a TAG I used the intersect filter.
    Now it's easier to sign a part of an XML ...
    Rgds
    VieL.
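
What the Reference digest in the post above covers, as an added example that is not part of the original post or of OSDT: it applies the `ancestor-or-self::amount` filter to a constructed copy of the account document and lists the elements left outside the signature. The function names are hypothetical, and the standard library's C14N 2.0 stands in for the C14N 1.0 named in the signature (the output is the same for this namespace-free sample).

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <account> document in the question.
ACCOUNT = (
    "<account>\n<name>My Name</name>\n<id>231233</id>\n"
    "<amount>2313.00</amount>\n<location>US</location>\n</account>"
)


def signed_subtrees(root, tag):
    """Outermost elements named `tag`: every node inside them satisfies
    ancestor-or-self::tag, every other node is dropped by the filter."""
    found = []

    def walk(elem):
        if elem.tag == tag:
            found.append(elem)
            return
        for child in elem:
            walk(child)

    walk(root)
    return found


def reference_digest(xml_text, tag):
    """Base64 SHA-1 (the DigestMethod in the post) of the filtered node-set."""
    octets = b""
    for elem in signed_subtrees(ET.fromstring(xml_text), tag):
        subtree = copy.deepcopy(elem)
        subtree.tail = None  # text after the end tag is outside the node-set
        canonical = ET.canonicalize(ET.tostring(subtree, encoding="unicode"))
        octets += canonical.encode("utf-8")
    return base64.b64encode(hashlib.sha1(octets).digest()).decode("ascii")


def unsigned_elements(xml_text, tag):
    """Tags of the elements that the Reference does not cover."""
    root = ET.fromstring(xml_text)
    covered = {id(e) for s in signed_subtrees(root, tag) for e in s.iter()}
    return [e.tag for e in root.iter() if id(e) not in covered]


if __name__ == "__main__":
    print(reference_digest(ACCOUNT, "amount"))
    print(unsigned_elements(ACCOUNT, "amount"))
```

A verifier relying on such a signature should read values only from the covered subtree; here the name, id and location elements are not authenticated by it.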

  • PADES-LTV Document timestamp verification error

    Hello,
    I have a signed PDF document which includes a PADES-LTV signature with a Document timestamp signature.
    When I try to open the signed document with Adobe Reader version 10.1.0.534, the signature is validated, however the Document timestamp signature cannot be verified. It says: At least one signature requires validating on the top bar. When I look at the Signatures section on the left, it says: Signer's identity is invalid because it has expired or is not yet valid. If I try to open the signature details of the document timestamp, Adobe Reader crashes. (I submitted a bug report for this issue but I have not received any response yet)
    When I open the signed document with Adobe Acrobat X Pro and view the details of the document timestamp signature, this value "1970/01/01 03:00:00 +03'00'" is displayed in the signature date field. Actually, the Date field should be Not available since ETSI 102 778-4 V1.1.2 says: In the document timestamp dictionary Name, M, Location, Reason and contact info should not be present.
    Why does Adobe Reader show this value 1970/01/01 03:00:00 +03'00' instead of Not Available?
    What can be wrong?
    Thanks

    Thanks for the answer,
    but I don't have a problem with the timestamp included inside the signature.
    I have an issue with creating the Document Time-stamp dictionary.
    The Document Time-stamp dictionary is a standard Signature dictionary but with some changes.
    For more details on PADES LTV see specification ETSI TS 102 778-4 V1.1.1 (2009-07) page 15.

  • About computing object digests

    Hello everyone,
    I met some problems when I tried to compute object digests. I have read chapter 8 "Digital Signature" and appendix I "Computation of Object Digests" in the PDF Reference, but still can't get a clear vision on how to compute an object digest. I mean the PDF Reference does NOT give a clear instruction on some details.
    For example, the note in section 8.7.1 (page 731 of PDF Reference, version 1.7) says that "All transform methods exclude the signature dictionary from the object digest.", so when I encounter a signature dictionary, should I treat it as an empty dictionary (06 00 00 00 00)? Or treat it as a visited object (06 FF FF FF FF)? Or treat it as nothing?
    Another example: table I.1 in appendix I (page 1132) tells how to process basic object types. The description on dictionary type is that "An unsigned 4-byte value (most significant) specifying the number of entries in the dictionary". I wonder whether "the number of entries" is the number of entries which shall be digested or the number of all entries of the dictionary?
    I am hoping for your help. A sample of computing a blank page object digest would be better.
    Thanks for reading my issue.

    You should be using ISO 32000-1, the official standard for PDF.  When you do so, you will see that this particular aspect of PDF (Object Digests) was removed from the language during the standardization process. 
    So don't bother implementing it - it's not part of PDF.
