vbuch / node-signpdf

Simple signing of PDFs in node.
MIT License

Invalid IdMessageDigest #70

Closed dhruvvarde closed 4 years ago

dhruvvarde commented 4 years ago

When we create the signed PDF based on the certificate provided by the Brazilian Government and when we verify it on this site: https://verificador.iti.gov.br/

It gives the error of verification mentioning:

Invalid. Failed to build the attribute: 1.2.840.113549.1.9.4 - Problems getting the hash

When we use the same certificate on some other C# library, it works perfectly fine. Can you please check the same and provide the feedback on this.

Because of the privacy issues, I cannot share the certificate but it indeed does not work with this Node Library. Will look forward to the solution.

vbuch commented 4 years ago

Cannot help with the BR gov thing. I think there was some special thing about Brazil's implementation? The whole signing is done here: https://github.com/vbuch/node-signpdf/blob/develop/src/signpdf.js#L85

Edit: I remembered why I read about Brazil's certificates. The reason was this issue https://github.com/vbuch/node-signpdf/issues/34

Edit 2: This is the OID of the message digest: https://github.com/digitalbazaar/forge/blob/master/lib/oids.js#L62 I don't know what "Problems getting the hash" means. You are giving no example at all. First try to sign a document; once you do, check if it is signed with Adobe Reader or something else that verifies the signature. Then use the legal certificate you have issued by BR Gov to sign a document and check it in that site. If any of the previous steps failed, the last step is doubtfully going to succeed.

dhruvvarde commented 4 years ago

@vbuch

Following are the steps I did: For the PDF created with PDF Sign:

Usage with Adobe Directly:

If you can share your email I can provide those PDF to check. Because of privacy concerns, I cannot post the same publicly.

I appreciate your quick response. Thanks!

vbuch commented 4 years ago

@dhruvvarde send it over to.. I'll see if I can find anything.

PCcunha commented 4 years ago

It's not just the Brazilian one.

The EU official verification tool is also complaining about the signature digest. I ran into the exact same error now.

Check a file at: https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation

<BasicSignature>
    <EncryptionAlgoUsedToSignThisToken>RSA</EncryptionAlgoUsedToSignThisToken>
    <KeyLengthUsedToSignThisToken>2048</KeyLengthUsedToSignThisToken>
    <DigestAlgoUsedToSignThisToken>SHA256</DigestAlgoUsedToSignThisToken>
    <SignatureIntact>false</SignatureIntact>
    <SignatureValid>false</SignatureValid>
</BasicSignature>
<SigningCertificate Certificate="C-A1A13A03A2B7BAA8787431BBA81D21138E98BB26DBBA1627D0F7AE978E29E18F">
    <AttributePresent>false</AttributePresent>
    <DigestValuePresent>false</DigestValuePresent>
    <DigestValueMatch>false</DigestValueMatch>
    <IssuerSerialMatch>false</IssuerSerialMatch>
</SigningCertificate>

I don't know how Acrobat is not complaining about it.

dhruvvarde commented 4 years ago

@PCcunha It is working with the PDFs signed with Adobe. I confirmed myself by validating both the PDF generated by the library and via Adobe. Definitely looking forward to a solution.

dipedro commented 4 years ago

@dhruvvarde you are using an A1 certificate?

vbuch commented 4 years ago

I'll have a look when I have the time to do so. Meanwhile, if you want to debug, I think this here would contain some logic that verifies the signatures: https://github.com/ninja-labs-tech/verify-pdf This could be useful for understanding what is going on in that signature and what is missing.

PCcunha commented 4 years ago

> @dhruvvarde you are using an A1 certificate?

I can reply for him :) Yes. A1. In Brazil A3 means software certificate. It is impossible to use an A3 (generated on a hardware device) certificate, as it is not exportable to pfx or p12.

divyeshgohil85 commented 4 years ago

I suspect the signer is not attaching/setting the Digest value at this line https://github.com/vbuch/node-signpdf/blob/7145a7e2265d5063ef2647f286c5644abbf21a7d/src/signpdf.js#L143

vbuch commented 4 years ago

The digest is attached by node-forge. I haven't had the time to debug the examples @dhruvvarde sent me. I looked at how PKCS7 is done in node-forge and all looks fine there to me. node-signpdf was only meant for digitally signing PDFs. It does that. But people now expect it to be PAdES compliant and that's not true (see #71). I guess you can team up and provide what's missing for PAdES.

ghost commented 4 years ago

I managed to fix this issue. I'll update my fork and submit a PR later today or tomorrow.

dhruvvarde commented 4 years ago

Thank you! @Alph4Four I will have a check as soon as you commit.

ghost commented 4 years ago

PR made https://github.com/vbuch/node-signpdf/pull/72

There are some extra changes I made besides the Brasil A1 certificates fix but you can check that in the PR and I'll revert the other stuff if you don't want it in the main build.

vbuch commented 4 years ago

@dhruvvarde did @Alph4Four 's proposition fix your issue? I haven't had the time to investigate, but since I promised, if that doesn't work for you, I will try and find the time in the weekend to check what's up with this issue.

dhruvvarde commented 4 years ago

@vbuch I had been trying multiple ways to tackle one error I was facing with this code.

The signing did work but if we use plainAddPlaceholder it gives this error: https://github.com/vbuch/node-signpdf/issues/35

If I use pdfkitAddPlaceholder, it works and also provides a valid certificate (which I integrated with my project) but the Signature is not visible on the PDF. When opened the PDF with Adobe Viewer it does show that a signing certificate is present but it is not visible on the PDF that I had sent you over the email.

dipedro commented 4 years ago

@dhruvvarde this library does not mark the PDF, it only signs! So this behavior:

> If I use pdfkitAddPlaceholder, it works and also provides a valid certificate (which I integrated with my project) but the Signature is not visible on the PDF. When opened the PDF with Adobe Viewer it does show that a signing certificate is present but it is not visible on the PDF that I had sent you over the email.

is correct! You can view this issue to make a mark visible: https://github.com/vbuch/node-signpdf/issues/26#issuecomment-506511199

dhruvvarde commented 4 years ago

Okay @dipedro but prior it did display the sign on Adobe so I wasn't sure. Can you confirm this if the sign won't display on Adobe as well? Technically the signing is working correctly with this PR.

@PCcunha can you also please confirm if the same PR works for you? You were also facing a similar issue so I wanted to confirm.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had activity in the past 90 days. It will be closed if no further activity occurs. Thank you for your contributions.

sanchezandoni commented 3 years ago

@dhruvvarde, @Alph4Four , were you finally able to sign a pdf with the AdES standard? Can you explain how? Was the PR finally merged into this repository? Or should I use the forked one?

I think I'm facing the same difficulties you faced. I would be very grateful for your help.

Thanks a million!

Thanks @vbuch too for this awesome and so well documented repository!

victorgrodriguesm7 commented 3 years ago

Hey, I was able to fix this by changing the order of the AuthenticatedAttributes to content type, signing time, message digest here: https://github.com/vbuch/node-signpdf/blob/7145a7e2265d5063ef2647f286c5644abbf21a7d/src/signpdf.js#L138

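A possible reason the reordering above helps, as an added example (not code from node-signpdf or node-forge, and not confirmed in this thread): DER requires the elements of a SET OF to be sorted by their encoded bytes, so a verifier that re-encodes the signed attributes before hashing only reproduces the signer's digest if the signer serialised them in that order. The attribute values and the starting order below are constructed samples.

```javascript
// DER tag-length-value helper; every value here is under 128 bytes,
// so the short one-byte length form is enough for this sketch.
const tlv = (tag, ...parts) => {
  const body = Buffer.concat(parts);
  if (body.length > 127) throw new Error('long-form length not handled here');
  return Buffer.concat([Buffer.from([tag, body.length]), body]);
};

// OID 1.2.840.113549.1.9.N (the PKCS#9 attribute arc).
const pkcs9 = (n) => tlv(0x06, Buffer.from('2a864886f70d0109', 'hex'), Buffer.from([n]));
// Attribute ::= SEQUENCE { attrType OID, attrValues SET OF value }
const attribute = (name, oid, value) => ({ name, der: tlv(0x30, oid, tlv(0x31, value)) });

// Constructed sample values: id-data, a fixed UTCTime, an all-zero SHA-256 digest.
const contentType = attribute('contentType', pkcs9(3),
  tlv(0x06, Buffer.from('2a864886f70d010701', 'hex')));
const messageDigest = attribute('messageDigest', pkcs9(4), tlv(0x04, Buffer.alloc(32)));
const signingTime = attribute('signingTime', pkcs9(5),
  tlv(0x17, Buffer.from('200101000000Z', 'ascii')));

// Constructed starting order (by OID) and the order reported as the fix.
const oidOrder = [contentType, messageDigest, signingTime];
const fixedOrder = [contentType, signingTime, messageDigest];

// X.690 section 11.6: SET OF elements are ordered by their encoded octets.
// The length byte precedes the OID, so shorter attributes sort first.
function derSetOrder(attrs) {
  return [...attrs].sort((a, b) => Buffer.compare(a.der, b.der)).map((a) => a.name);
}

// Encode the signed-attributes SET either as given or in canonical DER order.
function encodeSet(attrs, canonical) {
  const ders = attrs.map((a) => a.der);
  if (canonical) ders.sort(Buffer.compare);
  return tlv(0x31, ...ders);
}

// True when the bytes the signer would hash match what a strict
// re-encoding verifier would hash.
function signerMatchesStrictVerifier(attrs) {
  return encodeSet(attrs, false).equals(encodeSet(attrs, true));
}

console.log(derSetOrder(oidOrder).join(', '));
console.log('OID order matches:', signerMatchesStrictVerifier(oidOrder));
console.log('fixed order matches:', signerMatchesStrictVerifier(fixedOrder));
```

A lenient verifier that hashes the attribute bytes exactly as they appear in the file accepts either order, which would fit one validator passing while another fails on the same file.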

cmjunior commented 2 years ago

Hey guys, I implemented this solution and was able to validate the PDF on the ICP Brasil Validator. Can you guys show me an example of how to show a signature seal on the document? With the certificate information, like the CN of the certificate, or the CPF, for example?