1
votes

I am using TCPDF to generate a pdf document and sign it. TCPDF itself just calls PHP's openssl_pkcs7_sign function, which seems to me to be calling C's PKCS7_sign function based on source code.

Until recently things were working fine. Then I changed certificate provider. I just updated the private key, the certificate, and the certificate chain :

$pdf->setSignature(
    $this->public_certificate_path,
    $this->private_key_path,
    $this->private_key_password,
    $this->extra_certificates_path,
    1);

I copied the new root certificate and intermediate certificate in PEM format inside the extra_certificates_path file. I verified this file using openssl and it seems fine.

Now when I open a signed PDF in Adobe Reader, it shows these errors :

  • While opening the file, it says

    This file is damaged but is being repaired

  • The blue ribbon on top says

    Certification by is invalid

  • When I open the signature panel, it says

    Certified by %s

  • Details of errors say

    There are errors in the formatting or information contained in this signature (support information: SigDict /Contents illegal data)

  • When I click on "Certificate details", nothing happens

See screenshot below.

Any idea what could be wrong ?


1
Can you share an example PDF so signed? – mkl
The size of the signature container embedded into your document exceeds the size originally reserved for it. I don't know the TCPDF details here but most likely it would suffice to reserve more space for injecting the signature container to start with. – mkl
As mentioned above I don't know the TCPDF details here. At first glance, though, PKCS7_sign appears to only create the CMS signature container; reserving a placeholder in the pdf for that container must have happened before the PKCS7_sign call. – mkl
Shouldn't there be some error message / exception / error return when the size is exceeded? Either this should be in your code (then you should add it, because it could happen in the future if you change something else), or in TCPDF (then you should tell them). – Tilman Hausherr
@TilmanHausherr, yes this should definitely be in TCPDF's code. I have submitted an issue: github.com/tecnickcom/tc-lib-pdf/issues/31 Thanks for suggesting it. – Vic Seedoubleyew

1 Answer

3
votes

Analyzing the example file shared by the OP one can understand the problem: The signature container embedded into the document exceeds the size originally reserved for it.

Thus, the solution is to reserve more space for the signature container.

And indeed, the OP confirmed:

    Indeed there was a place that specified the max signature length. I changed it, and it works.

Furthermore, the OP indicated his interest in how to identify the problem to start with.

For many PDF problems one starts by inspecting the PDF using a PDF internals browser like iText RUPS or PDFBox PDFDebugger. In this case, though, a text viewer and a hex viewer suffice.

Using the text viewer one finds the signature value dictionary (pretty-printed here, the Contents entry shortened):

10 0 obj
<<
  /Type /Sig
  /Filter /Adobe.PPKLite
  /SubFilter /adbe.pkcs7.detached
  /ByteRange[0 78679 90423 6699]
  /Contents<308217b7...563934bf>
  /Reference [
  <<
    /Type /SigRef
    /TransformMethod /DocMDP
    /TransformParams << /Type /TransformParams /P 1 /V /1.2 >>
  >> ]
  /M (D:20171129170713+00'00')
>>
endobj

The ByteRange entry indicates that the Contents value (the hex encoded signature container) should reach from file offset 78679 to 90423-1. Using the hex viewer one quickly verifies that the starting index of the Contents value (<308217b7...563934bf>) matches but the end index is at a later index than expected.

There you are, a too big signature container was embedded. ;)
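The ByteRange check described in the answer can also be scripted. This is an added example, not part of the original answer or of TCPDF: the function names are hypothetical, and `build_sample` with its 260-byte DER blob is constructed test input that mimics a signer which fixes the offsets first and then embeds a container that may be too large.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_length(blob: bytes) -> int:
    """Size in bytes (header + body) of the DER element at the start of blob."""
    if len(blob) < 2:
        return 0
    if blob[1] < 0x80:                       # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                       # long form: next n bytes hold the length
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def check_signature_gaps(pdf: bytes) -> list:
    """For each /ByteRange, compare the reserved gap with the /Contents found there."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        gap_start, gap_end = a + b, c        # '<' expected at gap_start, '>' at gap_end - 1
        close = pdf.find(b">", gap_start)
        starts_ok = pdf[gap_start:gap_start + 1] == b"<" and close != -1
        raw = re.sub(rb"[^0-9A-Fa-f]", b"", pdf[gap_start + 1:close]) if starts_ok else b""
        container = bytes.fromhex((raw + b"0" * (len(raw) % 2)).decode("ascii"))
        results.append({
            "byte_range": (a, b, c, d),
            "reserved_bytes": max(gap_end - gap_start - 2, 0) // 2,  # room between < and >
            "container_bytes": der_total_length(container),          # ignores zero padding
            "contents_end": close + 1 if starts_ok else None,
            "expected_end": gap_end,
            "ok": starts_ok and close + 1 == gap_end,
        })
    return results

def build_sample(reserved_hex: int, container: bytes) -> bytes:
    """Constructed mini file: reserves reserved_hex digits, then embeds container as-is."""
    head = b"%%PDF-1.7\n10 0 obj\n<< /Type /Sig /ByteRange[0 %010d %010d %010d] /Contents"
    tail = b" >>\nendobj\n"
    start = len(head % (0, 0, 0))
    end = start + reserved_hex + 2           # offsets are fixed before the container exists
    body = container.hex().encode().ljust(reserved_hex, b"0")   # pads, never truncates
    return head % (start, end, len(tail)) + b"<" + body + b">" + tail

if __name__ == "__main__":
    der = b"\x30\x82\x01\x00" + bytes(256)   # constructed 260-byte DER SEQUENCE
    for reserved in (600, 400):              # enough room, then too little
        print(check_signature_gaps(build_sample(reserved, der)))
```

Applied to the values shown in the answer, the gap 90423 - 78679 leaves room for 5871 bytes between the angle brackets, while the DER header 308217b7 announces a container of 6075 bytes.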