Error signing pdf with PHP's openssl_pkcs7_sign


Problem description


I am using TCPDF to generate a pdf document and sign it. TCPDF itself just calls PHP's openssl_pkcs7_sign function, which seems to me to be calling C's PKCS7_sign function based on source code.

Until recently things were working fine. Then I changed certificate provider. I just updated the private key, the certificate, and the certificate chain:

$pdf->setSignature(
    $this->public_certificate_path,
    $this->private_key_path,
    $this->private_key_password,
    $this->extra_certificates_path,
    1);

I copied the new root certificate and intermediate certificate in PEM format inside the extra_certificates_path file. I verified this file using openssl and it seems fine.

Now when I open a signed PDF in Adobe Reader, it shows these errors:

  • While opening the file, it says

    This file is damaged but is being repaired

  • The blue ribbon on top says

    Certification by is invalid

  • When I open the signature panel, it says

    Certified by %s

  • Details of errors say

    There are errors in the formatting or information contained in this signature (support information: SigDict /Contents illegal data)

  • When I click on "Certificate details", nothing happens

See screenshot below.

Any idea what could be wrong?

Solution

Analyzing the example file shared by the OP one can understand the problem: The signature container embedded into the document exceeds the size originally reserved for it.

Thus, the solution is to reserve more space for the signature container.

And indeed, the OP confirmed:

Indeed there was a place that specified the max signature length. I changed it, and it works.

Furthermore, the OP indicated his interest in how to identify the problem to start with.

For many PDF problems one starts by inspecting the PDF using a PDF internals browser like iText RUPS or PDFBox PDFDebugger. In this case, though, a text viewer and a hex viewer suffice.

Using the text viewer one finds the signature value dictionary (pretty-printed here, the Contents entry shortened):

10 0 obj
<<
  /Type /Sig
  /Filter /Adobe.PPKLite
  /SubFilter /adbe.pkcs7.detached
  /ByteRange[0 78679 90423 6699]
  /Contents<308217b7...563934bf>
  /Reference [
  <<
    /Type /SigRef
    /TransformMethod /DocMDP
    /TransformParams << /Type /TransformParams /P 1 /V /1.2 >>
  >> ]
  /M (D:20171129170713+00'00')
>>
endobj

The ByteRange entry indicates that the Contents value (the hex encoded signature container) should reach from file offset 78679 to 90423-1. Using the hex viewer one quickly verifies that the starting index of the Contents value (<308217b7...563934bf>) matches but the end index is at a later index than expected.

There you are, a too big signature container was embedded. ;)
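
The same check done programmatically, as an added example that is not part of the original answer or of TCPDF: it reads each /ByteRange, confirms the Contents string starts at the reserved offset, measures how far it runs past the reserved gap, and decodes the DER length header to see how many bytes the container needs. The function names and the `build_sample` input are assumptions constructed for illustration; the sizes 5871 and 6075 are derived from the ByteRange `[0 78679 90423 6699]` and the Contents prefix `308217b7` shown above.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_len(head: bytes) -> int:
    """Size in bytes (header + body) of the DER object that starts at head[0]."""
    first = head[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: the next n bytes hold the length
    return 2 + n + int.from_bytes(head[2:2 + n], "big")

def check_signatures(pdf: bytes) -> list:
    """Compare the gap each /ByteRange reserves with the /Contents string present."""
    out = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = map(int, m.groups())
        gap_start, gap_end = a + b, c     # '<hex>' must fill exactly [gap_start, gap_end)
        r = {"capacity": (gap_end - gap_start - 2) // 2,  # container bytes that fit
             "starts_ok": pdf[gap_start:gap_start + 1] == b"<",
             "covers_eof": c + d == len(pdf)}
        close = pdf.find(b">", gap_start)
        if r["starts_ok"] and close != -1:
            hexval = pdf[gap_start + 1:close]
            r["overflow"] = close + 1 - gap_end           # > 0: value runs past the gap
            if len(hexval) >= 12:
                r["container"] = der_total_len(bytes.fromhex(hexval[:12].decode()))
        out.append(r)
    return out

def build_sample(capacity: int, container: int) -> bytes:
    """Constructed sample, not a real PDF: gap for `capacity` bytes, filler DER of `container` bytes."""
    prefix = b"%PDF-1.7\n10 0 obj\n<< /Type /Sig /ByteRange ["
    after = b"] /Contents"
    tail = b" >>\nendobj\n%%EOF\n"
    der = b"\x30\x82" + (container - 4).to_bytes(2, "big") + bytes(container - 4)
    hexval = der.hex().encode().ljust(2 * capacity, b"0")  # short values get zero padding
    gap_start = len(prefix) + 40 + len(after)
    br = b"0 %d %d %d" % (gap_start, gap_start + 2 * capacity + 2, len(tail))
    return prefix + br.ljust(40) + after + b"<" + hexval + b">" + tail

if __name__ == "__main__":
    for cap in (5871, 6200):              # 5871 = (90423 - 78679 - 2) // 2 from the page
        print(cap, check_signatures(build_sample(cap, 6075)))
```

A positive `overflow`, or a `container` larger than `capacity`, means the signing code reserved too little space for the container, which a longer certificate chain can cause.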
