Question
I am using TCPDF to generate a pdf document and sign it. TCPDF itself just calls PHP's openssl_pkcs7_sign function, which seems to me to be calling C's PKCS7_sign function based on source code.
Until recently things were working fine. Then I changed certificate provider. I just updated the private key, the certificate, and the certificate chain:
$pdf->setSignature(
    $this->public_certificate_path,
    $this->private_key_path,
    $this->private_key_password,
    $this->extra_certificates_path,
    1);
I copied the new root certificate and intermediate certificate in PEM format inside the extra_certificates_path file. I verified this file using openssl and it seems fine.
Now when I open a signed PDF in Adobe Reader, it shows these errors:
- While opening the file, it says
This file is damaged but is being repaired
- The blue ribbon on top says
Certification by is invalid
- When I open the signature panel, it says
Certified by %s
- Details of errors say
There are errors in the formatting or information contained in this signature (support information: SigDict /Contents illegal data)
- When I click on "Certificate details", nothing happens
See screenshot below.
Any idea what could be wrong?
Answer 1:
Analyzing the example file shared by the OP one can understand the problem: The signature container embedded into the document exceeds the size originally reserved for it.
Thus, the solution is to reserve more space for the signature container.
And indeed, the OP confirmed:
Indeed there was a place that specified the max signature length. I changed it, and it works.
Furthermore, the OP indicated his interest in how to identify the problem to start with.
For many PDF problems one starts by inspecting the PDF using a PDF internals browser like iText RUPS or PDFBox PDFDebugger. In this case, though, a text viewer and a hex viewer suffice.
Using the text viewer one finds the signature value dictionary (pretty-printed here, the Contents entry shortened):
10 0 obj
<<
/Type /Sig
/Filter /Adobe.PPKLite
/SubFilter /adbe.pkcs7.detached
/ByteRange[0 78679 90423 6699]
/Contents<308217b7...563934bf>
/Reference [
<<
/Type /SigRef
/TransformMethod /DocMDP
/TransformParams << /Type /TransformParams /P 1 /V /1.2 >>
>> ]
/M (D:20171129170713+00'00')
>>
endobj
The ByteRange entry indicates that the Contents value (the hex encoded signature container) should reach from file offset 78679 to 90423-1. Using the hex viewer one quickly verifies that the starting index of the Contents value (<308217b7...563934bf>) matches but the end index is at a later index than expected.
There you are, a too big signature container was embedded. ;)
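The manual text-viewer and hex-viewer check described in the answer can be scripted. The following is an added example, not code from the original post or from TCPDF; it assumes a single signature per file, and `make_sample` is a hypothetical, constructed stand-in for a signer that does not check whether the container fits the reserved space.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_len(der_hex: bytes) -> int:
    """Total size in bytes that a DER header such as 308217b7 declares."""
    raw = bytes.fromhex(der_hex[:12].decode())
    if raw[1] < 0x80:                       # short-form length
        return 2 + raw[1]
    n = raw[1] & 0x7F                       # long form: n length bytes follow
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")

def check_signature_gap(pdf: bytes) -> dict:
    """Compare the gap declared by /ByteRange with the real /Contents string.
    Assumption: one signature, so the first /ByteRange in the file is used."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange found")
    off1, len1, off2, len2 = map(int, m.groups())
    start = off1 + len1                     # '<' of /Contents must be here
    actual_end = pdf.find(b">", start) + 1  # byte after the real closing '>'
    return {
        "reserved_hex_digits": off2 - start - 2,
        "needed_hex_digits": 2 * der_total_len(pdf[start + 1:start + 13]),
        "starts_at_lt": pdf[start:start + 1] == b"<",
        "overflow_bytes": actual_end - off2,   # > 0: container too big
        "covers_whole_file": off2 + len2 == len(pdf),
    }

def make_sample(reserved_hex: int, container_len: int) -> bytes:
    """Constructed test input: reserves `reserved_hex` hex digits, then
    writes a dummy DER container of `container_len` bytes without truncating."""
    tmpl = b"%%PDF-1.7\n10 0 obj\n<< /Type /Sig /ByteRange[0 %010d %010d %010d] /Contents"
    tail = b" >>\nendobj\n%%EOF\n"
    start = len(tmpl % (0, 0, 0))
    head = tmpl % (start, start + reserved_hex + 2, len(tail))
    der = b"\x30\x82" + (container_len - 4).to_bytes(2, "big") + bytes(container_len - 4)
    return head + b"<" + der.hex().encode().ljust(reserved_hex, b"0") + b">" + tail

if __name__ == "__main__":
    print(check_signature_gap(make_sample(64, 16)))   # container fits
    print(check_signature_gap(make_sample(64, 40)))   # container overflows the gap
```

For the file discussed above, the gap is 90423 - 78679 = 11744 bytes (11742 hex digits), while the header 308217b7 declares 4 + 0x17b7 = 6075 bytes, that is 12150 hex digits.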
Source: https://stackoverflow.com/questions/47673663/error-signing-pdf-with-phps-openssl-pkcs7-sign