search

esig / dss-demonstrations

Examples of DSS integration
GNU Lesser General Public License v2.1
92 stars 70 forks source link

PDF_NOT_ETSI error while trying to verify a signature with DSS Validation Tool #53

Closed IonutCorbu closed 7 months ago

IonutCorbu commented 8 months ago

Hello! I finally ended my PAdES signature creation using PDFNet and OPENSSL and it is recognized by Adobe PDF Reader, but I have a problem while trying to verify it is DSS validation tool. I received the following error: image and in the detailed version, I saw this problem: image

I tried to compare the signature with one realised with DSS tool, but I was not able to see the difference between those 2.

I attach here both signatures decoded from DER using Cyberchef: -my signature my_signature.txt -dss signature dss_signature.txt

Could you help me? Best Wishes, Ionut Corbu

bsanchezb commented 8 months ago

Could you please provide a complete PDF file for analysis?

IonutCorbu commented 8 months ago

Sure! Here is the file signed with DSS file: file_signed.pdf and here is the file obtained using my solution: file_signed.pdf

I verified the signed attributes, but i don't know if the problem is there or not.

bsanchezb commented 8 months ago

Your CMS contains an empty eContent attribute, which shall not be present for a CMS within a PDF signature. The CMS in PDF shall be of a detached format, while your signature "commits" that it covers the encapsulated content, thus DSS invalidates the signature. This is your signature: image and below is a CMS created by DSS: image

As you see, DSS omits the eContent attribute when creating a signature.

Adobe, apparently, does not check the attribute, which is, in fact, invalid. See ISO 32000-1 for adbe.pkcs7.detached subFilter:

12.8.3.3 CMS (PKCS #7) signatures
...
No data shall be encapsulated in the CMSSignedData field.
...

And ETS EN 319 142-1:

4.1 General requirements for PAdES signatures based on PDF signatures

NOTE: Given that PAdES signatures are enveloped inside a PDF document and are detached in the sense of a CMS signature, the signature placement is implied by ISO 32000-1 [1]. In ISO 32000-1 [1], section 12.8.3.3.1 reads "No data shall be encapsulated in the PKCS#7 SignedData field".

Remove the encapsulated content and your signature should be valid (unless there is any other issue).

bsanchezb commented 7 months ago

Closed