m32 / endesive

en-crypt, de-crypt, si-gn, ve-rify - smime, pdf, xades and plain files in pure python
MIT License

regression from >1.4.x (Python3.8) #56

Closed ccwienk closed 3 years ago

ccwienk commented 4 years ago

There was an incompatible change for versions of endesive > 1.4.5 (starting with 1.5.0).

Working code for 1.4.5:

import datetime
import endesive.pdf.cms

# pdf_bytes holds the unsigned PDF; pk and cert are pyOpenSSL objects
now = datetime.datetime.now().isoformat().encode('utf-8')
signature = endesive.pdf.cms.sign(
    pdf_bytes,
    {
        b'sigflags': 3,
        b'sigbutton': True,
        b'contact': b'example@example.org',
        b'location': b'example',
        b'signingdate': now,
        b'reason': b'signed as an example',
    },
    pk.to_cryptography_key(),  # loaded with OpenSSL.crypto.load_privatekey
    cert.to_cryptography(),  # loaded with OpenSSL.crypto.load_certificate
    [],
    'sha256',
)

Starting with 1.5.0, the dict values are expected as strs - no problem, changed that.

After doing those adjustments, however, the resulting PDF signature is significantly smaller than with 1.4.x. They are no longer recognised, e.g. by LibreOffice Impress.

After looking through the inline documentation + code, I could not figure out what else I need to adjust. So my assumption is that this is a bug.

m32 commented 4 years ago

Yes, the changes are big. The PyPDF2 library is used to create pdf files, and it requires strings, not bytestrings - now you can use ttfs to create a signature with national characters.

There is one more parameter, "aligned". If it is equal to 0, the signature has a minimum size. Set this parameter to e.g. 16384 and you will get a similar file size as in the previous version, but you have to take care of the size of this buffer yourself.

Try to sign with examples/pdf-sign-cms.py; if you still have errors, send both files - signed and unsigned. I don't know anything without them.

ccwienk commented 4 years ago

Hi @m32; I can confirm that when setting aligned, e.g. to the suggested 16384 (as also suggested in cms.py), the size of the signature is again bigger.

However, the signature will still not be recognised by e.g. LibreOffice Impress; looking into the sources of the output PDF, it looks right.

I tried adding all of the optional parameters to the dict, but this did not make any difference. I suppose, I will have to stay on 1.4.5 for the time being :-(

m32 commented 4 years ago

Add demo2_ca.crt.pem to trusted certificates in your browser. Without this, the document shows up as a blank page and LibreOffice says the signature is OK, but it cannot be verified.
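
A way to check the reserved signature buffer discussed in this thread, as an added example that is not part of the thread or of endesive's code: it reads /ByteRange and /Contents from a signed PDF and compares the reserved buffer with the DER-encoded CMS blob stored in it. It assumes that `aligned` sets the size of that reserved buffer, as m32's comment describes; `inspect_signature`, `der_total_length` and `build_sample` are hypothetical names, and the sample input is constructed.

```python
import re

def der_total_length(buf: bytes) -> int:
    """Length of the leading DER SEQUENCE (header + body) in buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("/Contents does not start with a DER SEQUENCE")
    if buf[1] < 0x80:                      # short-form length
        return 2 + buf[1]
    n = buf[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def inspect_signature(pdf: bytes) -> dict:
    """Compare the reserved /Contents buffer with the CMS blob stored in it."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = map(int, m.groups())
    gap = pdf[a + b:c]                     # the only bytes the signature skips
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        raise ValueError("ByteRange gap is not exactly the /Contents hex string")
    raw = bytes.fromhex(gap[1:-1].decode("ascii"))
    cms_len = der_total_length(raw)
    if cms_len > len(raw):
        raise ValueError("CMS blob is truncated: reserved buffer too small")
    return {
        "reserved_bytes": len(raw),
        "cms_bytes": cms_len,
        "padding_is_zero": not any(raw[cms_len:]),
        "covers_whole_file": a == 0 and c + d == len(pdf),
    }

def build_sample(cms: bytes, reserved: int) -> bytes:
    """Constructed stand-in for a signed PDF; not a valid PDF or CMS."""
    head = b"%%PDF-1.7\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    tail = b" >>\n%%EOF\n"
    hexstr = b"<" + cms.ljust(reserved, b"\0").hex().encode() + b">"
    start = len(head % (0, 0, 0))
    return head % (start, start + len(hexstr), len(tail)) + hexstr + tail

if __name__ == "__main__":
    fake_cms = b"\x30\x82\x01\x00" + b"\xAA" * 256   # constructed, 260 bytes
    print(inspect_signature(build_sample(fake_cms, 16384)))
```

Running `inspect_signature` over the outputs of two library versions shows whether they differ only in reserved padding or also in what the ByteRange covers.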