search

m32 / endesive

en-crypt, de-crypt, si-gn, ve-rify - smime, pdf, xades and plain files in pure python
MIT License
239 stars 92 forks source link

pdfsig choking #16

Closed replabrobin closed 5 years ago

replabrobin commented 5 years ago

This library has helped me in signing files made by reportlab. I found that the signed bytes should not include the < > markers in the /Content part of the file. Acrobat reader says the signature is corrupted if those bytes are made part of the signature so thanks for all the work.

However, I find that the pdfsig utility from poppler doesn't like the files produced by endesive I see this `$ pdfsig pdf-signed-fpdf.pdf Digital Signature Info of: pdf-signed-fpdf.pdf Signature #1:

If I modify pdf-sign-fpdf.py to use my test p12 file which is based on letsencrypt's chain (I have my cert + the letsencrypt intermediate).

`$ pdfsig pdf-signed-fpdf.pdf Digital Signature Info of: pdf-signed-fpdf.pdf Signature #1:

m32 commented 5 years ago

use other software than poppler' pdfsig, eg: apache pdfbox

mak@tw520:~$ ShowSignature "" pdf-signed-cms.pdf Signature found Signature covers whole document Modified: 31.07.2018 08:26:42 certFromSignedData: [ [ Version: V3 Subject: CN=USER 1 Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits params: null modulus: 27593122970324828393148015662278483774178105885814514844872684578988370088170479611958191510162184012390817116996325869898626358278712467164802857608115330565330893474792824888590259045617061627216882797904454911650100989334883667758478188887957920320977693420484927932172404569017526513366248181679899552529660575550111500440054761590965411407636396796187660396606840941741056171214365637751507847303881094715508099343923342027619993439561071528091268890104746243027170278289960701092409021019566943924526662416427694669652005929843457848612681520537764561853338758978739261541046213541261873915542899585530545803261 public exponent: 65537 Validity: [From: Fri Apr 26 19:38:18 CEST 2019, To: Sat Apr 25 19:38:18 CEST 2020] Issuer: CN=CA SerialNumber: [ d999e0a3 955e4735 aaa8ff51 b8a2f4ab]

Certificate Extensions: 3 [1]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 9E F5 CA 35 80 C6 65 3B 63 8A C2 12 35 51 1E C9 ...5..e;c...5Q.. 0010: D9 C8 4E F0 ..N. ] ]

[2]: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:false PathLen: undefined ]

[3]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [ DigitalSignature Non_repudiation Key_Encipherment ]

] Algorithm: [SHA256withRSA] Signature: 0000: 7A C5 87 F7 E9 63 8D 3B E7 CA DB 47 07 61 E7 3D z....c.;...G.a.= 0010: 0E 99 88 40 40 F7 49 3E FF 93 4C 49 FE F1 D1 75 ...@@.I>..LI...u 0020: 26 37 12 A4 CD 1C 2B 8B 6A 9C AE 43 BA 12 E2 61 &7....+.j..C...a 0030: BE EF F3 65 E6 C9 77 3C 91 4F 48 C6 C2 25 0A 29 ...e..w<.OH..%.) 0040: CB C7 61 11 E7 2C 4E 6D 6D AB F6 15 CC 4E CA A5 ..a..,Nmm....N.. 0050: E2 2D 26 A3 B1 34 01 9A 43 CA E4 0C 66 0B B6 9B .-&..4..C...f... 0060: 26 40 64 83 C7 0E 5F DD 83 DE F7 1A 1C BF D5 D1 &@d..._......... 0070: 1B 2A A8 8B 55 DE 9A 75 4B A6 8D 71 84 A9 78 5A ...U..uK..q..xZ 0080: 7F 24 3A 01 ED AF 37 09 9A 50 0C 19 2A 0F 48 CE .$:...7..P...H. 0090: 10 8C 83 5A DC 5F 56 C6 95 87 9B 35 15 F0 37 2D ...Z.V....5..7- 00A0: B5 9D AA BF 87 A5 A4 D3 8A 25 88 E2 FD 56 03 A2 .........%...V.. 00B0: 9B 0F EE BE 40 BD 9B 02 B6 71 F1 91 4C 76 24 56 ....@....q..Lv$V 00C0: 28 F9 5A 57 62 CF 01 36 41 A9 6E 12 82 2B 4F 5F (.ZWb..6A.n..+O 00D0: 76 2B 4E 5C 24 5E 96 54 A8 A0 25 D2 77 27 F9 9D v+N\$^.T..%.w'.. 00E0: 83 50 8B C4 7A DB D4 69 FD B5 9B 3E 6C C8 E5 DA .P..z..i...>l... 00F0: 7D 58 92 6B 9B D8 74 4B AF 18 77 3C 76 19 A2 24 .X.k..tK..w<v..$

] Certificate not yet valid at signing time Certificate valid at signing time: Sat May 18 23:46:07 CEST 2019 Signature verified Certificate is not self-signed Exception in thread "main" org.apache.pdfbox.examples.signature.cert.CertificateVerificationException: No root certificate in the chain at org.apache.pdfbox.examples.signature.cert.CertificateVerifier.verifyCertificate(CertificateVerifier.java:142) at org.apache.pdfbox.examples.signature.ShowSignature.verifyCertificateChain(ShowSignature.java:493) at org.apache.pdfbox.examples.signature.ShowSignature.verifyPKCS7(ShowSignature.java:445) at org.apache.pdfbox.examples.signature.ShowSignature.showSignature(ShowSignature.java:185) at org.apache.pdfbox.examples.signature.ShowSignature.main(ShowSignature.java:110)

because my test certificate isn't known to java apps

m32 commented 5 years ago

Let's Encrypt does not currently offer S/MIME certificates. See https://community.letsencrypt.org/t/s-mime-certificates/153 for a thread explaining why you can't use their SSL/TLS certificates for S/MIME.

in this case S/MIME means signing PDF's too

m32 commented 5 years ago

https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx Their certificates are also useful for signing other documents.

replabrobin commented 5 years ago

Hi Grzegorz, thanks for all the information. Really useful. Sorry for wrong headed issue.

On Sat, 18 May 2019 at 22:45, Grzegorz Makarewicz notifications@github.com wrote:

https://www.actalis.it/products/certificates-for-secure-electronic-mail.aspx Their certificates are also useful for signing other documents.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/m32/endesive/issues/16?email_source=notifications&email_token=AATKGHXOMCDARM5TGQPQUPTPWB2IJA5CNFSM4HNWJJPKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVWWRGY#issuecomment-493709467, or mute the thread https://github.com/notifications/unsubscribe-auth/AATKGHSIRRPRSBIZ4F4LAK3PWB2IJANCNFSM4HNWJJPA .

-- Robin Becker