PAdES signatures in iText and the road ahead Paulo Soares


iText Summit 2012, talk by Paulo Soares. Note that the plans that are discussed in these slides were already implemented. See also http://itextpdf.com/book/digitalsignatures


2012-03-29 iText Summit 2

About the speaker

Paulo Soares

M.Sc. Electronics and Telecommunications

Hardware background in military communication systems

Works for www.glintt.com

Healthcare software (pharmacies, hospitals, clinics, laboratories)

Industrial control, automation

Software architect

iText co-developer since 2000


Some acronyms

OSI - Open Systems Interconnection

ASN.1 - Abstract Syntax Notation One

BER - Basic Encoding Rules

DER - Distinguished Encoding Rules

IETF - Internet Engineering Task Force

RFC - Request For Comments

CMS - Cryptographic Message Syntax

CAdES - CMS Advanced Electronic Signatures

PAdES - PDF Advanced Electronic Signature Profiles


What is PAdES

In July 2009, ETSI (European Telecommunications Standards Institute) published a new standard that will facilitate secure paperless transactions throughout Europe, in conformance with European legislation. The standard defines a series of profiles for PAdES (Advanced Electronic Signatures for PDF documents) that meet the requirements of the European Directive on a Community framework for electronic signatures (Directive 1999/93/EC).

The new standard was developed by ETSI's Electronic Signatures and Infrastructure (ESI) Technical Committee in collaboration with PDF experts. PDF is defined in the ISO 32000-1 standard, so the ETSI activity included reviewing and documenting how ISO 32000-1 can satisfy the European Directive. The resulting PAdES standard, ETSI Technical Specification (TS) 102 778, also introduces a number of adaptations and extensions to PDF to satisfy the Directive's requirements.


PAdES summary

Part 1: "PAdES Overview - a framework document for PAdES";

Part 2: "PAdES Basic - Profile based on ISO 32000-1";

Part 3: "PAdES Enhanced - PAdES-BES and PAdES-EPES Profiles";

Part 4: "PAdES Long Term - PAdES-LTV Profile";

Part 5: "PAdES for XML Content - Profiles for XAdES signatures".


PAdES Part 1

Provides a general description of support for signatures in PDF documents including use of XML signatures to protect XML data in PDF documents;

Lists the features of the PDF profiles specified in other parts of the document;

Describes how the profiles may be used in combination.


PAdES Part 2

Profiles the use of PDF signatures, as described in ISO 32000-1 and based on CMS, for its use in any application areas where PDF is the appropriate technology for exchange of digital documents including interactive forms.


PAdES Part 2

| SubFilter value | adbe.pkcs7.detached | adbe.pkcs7.sha1 | adbe.x509.rsa.sha1 (a) |
| --- | --- | --- | --- |
| Message Digest | SHA1 (PDF 1.3); SHA256 (PDF 1.6); SHA384 (PDF 1.7); SHA512 (PDF 1.7); RIPEMD160 (PDF 1.7) | SHA1 (PDF 1.3) (b) | SHA1 (PDF 1.3); SHA256 (PDF 1.6); SHA384 (PDF 1.7); SHA512 (PDF 1.7); RIPEMD160 (PDF 1.7) |
| RSA Algorithm Support | Up to 1024-bit (PDF 1.3); Up to 2048-bit (PDF 1.5); Up to 4096-bit (PDF 1.5) | See adbe.pkcs7.detached | See adbe.pkcs7.detached |
| DSA Algorithm Support | Up to 4096-bits (PDF 1.6) | See adbe.pkcs7.detached | No |

(a) Despite the appearance of sha1 in the name of this SubFilter value, supported encodings shall not be limited to the SHA1 algorithm. The PKCS#1 object contains an identifier that indicates which algorithm shall be used.

(b) Other digest algorithms may be used to digest the signed-data field; however, SHA1 shall be used to digest the data that is being signed.


PAdES Part 3

Profiles the use of PDF Signatures specified in ISO 32000-1 with an alternative signature encoding to support signature formats equivalent to the signature forms CAdES-BES, CAdES-EPES and CAdES-T as specified in TS 101 733.

The PAdES-BES profile supports basic CMS (RFC 3852) signature features as specified in TS 102 778-2 with the additional protection against signing certificate substitution.

The PAdES-EPES profile extends the PAdES-BES profile to include signature policies.


PAdES Part 4

Profiles the electronic signature formats found in ISO 32000-1 [1] to support Long Term Validation (LTV) of PDF Signatures

Specifies how to include validation information in a PDF Document and to further protect the document using time-stamps so that it is possible to subsequently verify a PDF Signature long after it was signed. This profile may be used to support long term validation of:

• PDF Signatures to profiles specified in TS 102 778-2

• PDF Signatures to profiles specified in TS 102 778-3

• PDF Signatures to profiles specified in TS 102 778-5


PAdES Part 5

Defines four profiles that together profile the usage of XAdES signatures, as defined in TS 101 903, for signing XML content within the PDF containers.


PAdES support in iText

Full support of PAdES Part 2

Support of PAdES Part 3 with an external signature

Full support of PAdES Part 4

No support of PAdES Part 5


PAdES Part 2 in iText

Direct support of adbe.x509.rsa.sha1

Direct support of adbe.pkcs7.sha1

Support of adbe.pkcs7.detached as an external signature but iText does the signing


adbe.x509.rsa.sha1 signing

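    import java.io.*;
    import java.security.*;
    import java.security.cert.Certificate;
    import com.itextpdf.text.Rectangle;
    import com.itextpdf.text.pdf.*;

    // Load the signer's private key and certificate chain from a PKCS#12 file
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(new FileInputStream("my_private_key.pfx"), "my_password".toCharArray());
    String alias = (String)ks.aliases().nextElement();
    PrivateKey key = (PrivateKey)ks.getKey(alias, "my_password".toCharArray());
    Certificate[] chain = ks.getCertificateChain(alias);
    // Create a stamper in signature mode ('\0' keeps the PDF version of the original)
    PdfReader reader = new PdfReader("original.pdf");
    FileOutputStream fout = new FileOutputStream("signed.pdf");
    PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    // SELF_SIGNED selects the adbe.x509.rsa.sha1 SubFilter
    sap.setCrypto(key, chain, null, PdfSignatureAppearance.SELF_SIGNED);
    sap.setReason("I'm the author");
    sap.setLocation("Lisbon");
    // Visible signature on page 1; a null field name lets iText generate one
    sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
    // Closing the stamper signs the document and writes signed.pdf
    stp.close();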


adbe.pkcs7.sha1 signing

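    import java.io.*;
    import java.security.*;
    import java.security.cert.Certificate;
    import com.itextpdf.text.Rectangle;
    import com.itextpdf.text.pdf.*;

    // Load the signer's private key and certificate chain from a PKCS#12 file
    KeyStore ks = KeyStore.getInstance("pkcs12");
    ks.load(new FileInputStream("my_private_key.pfx"), "my_password".toCharArray());
    String alias = (String)ks.aliases().nextElement();
    PrivateKey key = (PrivateKey)ks.getKey(alias, "my_password".toCharArray());
    Certificate[] chain = ks.getCertificateChain(alias);
    // Create a stamper in signature mode ('\0' keeps the PDF version of the original)
    PdfReader reader = new PdfReader("original.pdf");
    FileOutputStream fout = new FileOutputStream("signed.pdf");
    PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    // WINCER_SIGNED selects the adbe.pkcs7.sha1 SubFilter
    sap.setCrypto(key, chain, null, PdfSignatureAppearance.WINCER_SIGNED);
    sap.setReason("I'm the author");
    sap.setLocation("Lisbon");
    // Visible signature on page 1; a null field name lets iText generate one
    sap.setVisibleSignature(new Rectangle(100, 100, 200, 200), 1, null);
    // Closing the stamper signs the document and writes signed.pdf
    stp.close();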


adbe.pkcs7.detached signing

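    import java.io.InputStream;
    import java.security.MessageDigest;
    import java.security.cert.X509Certificate;
    import java.util.Calendar;
    import java.util.HashMap;
    import com.itextpdf.text.DocumentException;
    import com.itextpdf.text.pdf.*;

    // stp, chain and the private key pk are prepared as in the previous examples;
    // contentEstimated is the number of bytes reserved for the signature container.
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    sap.setCrypto(null, chain, null, PdfSignatureAppearance.SELF_SIGNED);
    PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, new PdfName("adbe.pkcs7.detached"));
    dic.setDate(new PdfDate(sap.getSignDate()));
    sap.setCryptoDictionary(dic);
    // Reserve /Contents: two hex digits per byte plus the enclosing < and >
    HashMap<PdfName,Integer> exc = new HashMap<PdfName,Integer>();
    exc.put(PdfName.CONTENTS, new Integer(contentEstimated * 2 + 2));
    sap.preClose(exc);
    // Digest the document bytes outside the reserved /Contents space
    PdfPKCS7 sgn = new PdfPKCS7(pk, chain, null, "SHA1", null, false);
    InputStream data = sap.getRangeStream();
    MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
    byte buf[] = new byte[8192];
    int n;
    while ((n = data.read(buf)) > 0)
        messageDigest.update(buf, 0, n);
    byte hash[] = messageDigest.digest();
    Calendar cal = Calendar.getInstance();
    // Time-stamp authority client and OCSP response for the signing certificate
    TSAClient tsc = new TSAClientBouncyCastle(TSA_URL, TSA_ACCNT, TSA_PASSW);
    byte[] ocsp = new OcspClientBouncyCastle((X509Certificate)chain[0], (X509Certificate)chain[1], url).getEncoded();
    // Sign the authenticated attributes and build the PKCS#7 container
    byte sh[] = sgn.getAuthenticatedAttributeBytes(hash, cal, ocsp);
    sgn.update(sh, 0, sh.length);
    byte[] encodedSig = sgn.getEncodedPKCS7(hash, cal, tsc, ocsp);
    // The container must fit in the space reserved by preClose()
    if (encodedSig.length > contentEstimated)
        throw new DocumentException("Not enough space for the signature");
    // Zero-pad to the reserved size and write it as a hex string
    byte[] paddedSig = new byte[contentEstimated];
    System.arraycopy(encodedSig, 0, paddedSig, 0, encodedSig.length);
    PdfDictionary dic2 = new PdfDictionary();
    dic2.put(PdfName.CONTENTS, new PdfString(paddedSig).setHexWriting(true));
    sap.close(dic2);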
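
The detached-signing code above reserves contentEstimated * 2 + 2 bytes, hashes the range stream, and only then writes the padded signature into the reserved space. The following added example (not from the slides and not iText code; it uses the JDK only) walks through that reserve, hash and embed sequence on a constructed byte buffer and shows why the embedded signature does not disturb the digest it signs. The class and method names are hypothetical, the buffer is not a valid PDF, and SHA-256 is used where the slide uses SHA1.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class ByteRangeDemo {
    // Digest every byte except the gap [gapStart, gapEnd) that holds /Contents.
    static byte[] digestOutsideGap(byte[] file, int gapStart, int gapEnd) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(file, 0, gapStart);
        md.update(file, gapEnd, file.length - gapEnd);
        return md.digest();
    }

    // Zero-pad the signature to the reserved size and write it as <hex>.
    static byte[] hexContents(byte[] sig, int contentEstimated) {
        if (sig.length > contentEstimated)
            throw new IllegalArgumentException("signature larger than reserved space");
        StringBuilder sb = new StringBuilder("<");
        for (byte b : Arrays.copyOf(sig, contentEstimated))
            sb.append(String.format("%02x", b & 0xff));
        return sb.append('>').toString().getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        int contentEstimated = 16; // constructed; real containers need kilobytes
        byte[] head = "%PDF-1.7 (constructed, not a valid PDF) /Contents ".getBytes(StandardCharsets.US_ASCII);
        byte[] tail = " /ByteRange [...] %%EOF".getBytes(StandardCharsets.US_ASCII);
        // Step 1 (preClose): write an all-zero placeholder of contentEstimated * 2 + 2 bytes.
        byte[] placeholder = hexContents(new byte[0], contentEstimated);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(head); out.write(placeholder); out.write(tail);
        byte[] file = out.toByteArray();
        int gapStart = head.length, gapEnd = gapStart + placeholder.length;
        // Step 2 (getRangeStream): hash the bytes around the gap; this digest is what gets signed.
        byte[] signedDigest = digestOutsideGap(file, gapStart, gapEnd);
        // Step 3 (close): overwrite the placeholder in place with the padded signature.
        byte[] fakeSig = {0x30, (byte) 0x82, 0x01, 0x02}; // constructed stand-in bytes
        System.arraycopy(hexContents(fakeSig, contentEstimated), 0, file, gapStart, gapEnd - gapStart);
        // A verifier recomputes the digest over the same ranges; embedding changed nothing it covers.
        System.out.println("digest unchanged: "
            + Arrays.equals(signedDigest, digestOutsideGap(file, gapStart, gapEnd)));
        // Any edit outside the gap changes the digest and is detected.
        file[0] ^= 1;
        System.out.println("tamper detected: "
            + !Arrays.equals(signedDigest, digestOutsideGap(file, gapStart, gapEnd)));
    }
}
```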


PAdES Part 3 in iText

No direct support but possible to use an external signature

iText currently has no capabilities to assist in the signing


PAdES Part 4 in iText

Full LTV support both in Document Security Store and Timestamp


PAdES Part 4 in iText

    import java.io.FileOutputStream;
    import com.itextpdf.text.pdf.*;

    PdfReader r = new PdfReader(IN_FILE);
    FileOutputStream fout = new FileOutputStream(OUT_FILE);
    // '\0' keeps the PDF version; the final true selects append mode, so existing signatures stay intact
    PdfStamper stp = PdfStamper.createSignature(r, fout, '\0', null, true);
    // Collect OCSP and CRL validation data for every signature already in the document
    LtvVerification v = stp.getLtvVerification();
    AcroFields af = stp.getAcroFields();
    for (String sigName : af.getSignatureNames()) {
        v.addVerification(sigName, new OcspClientBouncyCastle(), new CrlClientImp(),
            LtvVerification.CertificateOption.WHOLE_CHAIN,
            LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
    }
    // Protect the document and the added validation data with a time-stamp
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    TSAClientBouncyCastle tsa = new TSAClientBouncyCastle(TSA_URL, TSA_ACCNT, TSA_PASSW, 6500, "sha256");
    LtvTimestamp.timestamp(sap, tsa, null);


iText sign architecture

Certificate encryption

Validation – AcroFields.verifySignature()

Signing – PdfSignatureAppearance, PdfPKCS7

Open Source – Modify at will


Shortcomings of iText signing architecture

Monolithic

Impossible to open a certificate encrypted PDF with a smartcard with C#

Impossible to plug-in another validation engine/logic

Arbitrary signing is possible with an external signature but iText won’t assist much in the process

Open Source – no urgency in providing a decent interface


New iText signing architecture

Based on the factory pattern

Plug-in for certificate encryption, validation and signing

Standard plug-in for detached signing and CAdES signing