Hi Hans,
I attach a patch for fixing the issue with wrong hash validation in
signed documents (and another minor typo).
Sorry for the long explanation, but I think this is required, since
this is a sensitive topic.
A sample source:
\setupinteraction[state=start]
\definefield[signature][signed]
\defineoverlay[signature][my signature]
\starttext
\startTEXpage[offset=1ts,frame=on,framecolor=darkblue]
sign: \inframed[background=signature,framecolor=darkred]
{\fieldbody[signature][width=3cm,option=hidden]}
\stopTEXpage
\stoptext
After compiling it with ConTeXt, I run:
mtxrun --script pdf --sign --certificate=c.pfx --password=ABCabc a.pdf
(Certificate attached, passphrase is ABCabc.)
I get a signed PDF document, but both pdfsig and mutool sign complain
about digest mismatch (as already mentioned on the other list).
After investigating the issue, I realized that the /ByteRange was wrongly
calculated.
Using a binary editor ("neovim -b", for that matter), I jumped to the
final range of the first byte (value of n1 from getbyteranges()).
I saw that the first byte range ended in the s of /Contents, but there
was a blank space after it (before the hex string value).
This causes the digest mismatch, because the tmpfile contained an extra
space excluded in the first byte range.
I modified the sigfile manually adding one more byte to the byte length
and both pdfsig and mutool sign detected a valid signature.
The patch was simple and now I realize the wrong byterange may well have
been a typo in n1. (Excuse my verbose explanation in that case.)
Outputs from both pdfsig and mutool sign are fine after the patch:
$ pdfsig a.pdf
Digital Signature Info of: a.pdf
Signature #1:
- Signature Field Name: signature
- Signer Certificate Common Name: John Doe
- Signer full Distinguished Name: CN=John Doe,O=No Brainer [...]
- Signing Time: Jun 09 2024 11:50:53
- Signing Hash Algorithm: SHA-256
- Signature Type: adbe.pkcs7.detached
- Signed Ranges: [0 - 6426], [10524 - 10909]
- Total document signed
- Signature Validation: Signature is Valid.
- Certificate Validation: Certificate issuer isn't Trusted.
$ mutool sign -v a.pdf
Verifying signature 3:
Distinguished name: cn=John Doe, o=No Brainer, ou=, email=, c=XX
Certificate error: Self-signed certificate.
The document is unchanged since signing.
I think the patch may be considered to be included in the next latest.
Many thanks for your help,
Pablo
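
Added example (not part of the message above and not ConTeXt's own code): a check that the bytes left out by /ByteRange are exactly the <...> hex string of /Contents, which is the condition the off-by-one in n1 broke. The function names are hypothetical, the sample is constructed, and the signer is modelled as hashing everything outside the hex string; only the first /ByteRange in the file is examined.

```python
import hashlib
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS = re.compile(rb"/Contents\s*(<[0-9A-Fa-f]*>)")

def check_byterange(pdf):
    """Return (problems, sha256 over the two declared byte ranges)."""
    m = BYTERANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    o1, n1, o2, n2 = (int(g) for g in m.groups())
    gap = pdf[o1 + n1:o2]          # bytes a validator leaves out of the digest
    problems = []
    if o1 != 0 or o2 + n2 != len(pdf):
        problems.append("ranges do not run from offset 0 to end of file")
    if not re.fullmatch(rb"<[0-9A-Fa-f]*>", gap):
        lead = len(gap) - len(gap.lstrip())
        problems.append(f"gap is not exactly the hex string: starts with "
                        f"{gap[:1]!r}, {lead} leading whitespace byte(s)")
    declared = hashlib.sha256(pdf[o1:o1 + n1] + pdf[o2:o2 + n2]).hexdigest()
    return problems, declared

def digest_without_hex_string(pdf):
    """sha256 over everything except the <...> value of /Contents
    (assumption: this is what the signer hashed)."""
    start, end = CONTENTS.search(pdf).span(1)
    return hashlib.sha256(pdf[:start] + pdf[end:]).hexdigest()

def make_sample(n1_short_by=0):
    """Constructed signature dictionary (not a complete PDF) for the demo."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /ByteRange [0 %06d %06d %06d] /Contents "
    hexstr = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    head_len = len(head % (0, 0, 0))   # fixed-width fields keep offsets stable
    n1 = head_len - n1_short_by        # 1 = first range ends on the 's'
    return head % (n1, head_len + len(hexstr), len(tail)) + hexstr + tail

if __name__ == "__main__":
    for label, pdf in (("correct", make_sample(0)), ("n1 one short", make_sample(1))):
        problems, declared = check_byterange(pdf)
        print(label, problems or "ok", declared == digest_without_hex_string(pdf))
```

A gap wider than the hex string matters beyond the mismatch itself: any byte inside it is not covered by the signature.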