Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I was developing a PDF signing tool. For this I will get a signed sha256 data of PDF in PKCS#1 format and a certificate from a device, I need to use these two to embed inside the PDF. Most of the PDF reader only support PKCS#7 signature.
Is there any way to convert a PKCS#1 signature to PKCS#7 signature (using certificate file) ?
I knew that PKCS#7 = Certificate + Optional raw data + Signature in PKCS#1 format
Your question somewhat oversimplifies the situation.
Concerning PKCS#7 <-> PKCS#1:
Yes, a PKCS#7 signature container contains SignerInfo objects which respectively essentially contain a PKCS#1 style signature and some attributes. BUT this PKCS#1 style signature generally is NOT merely signing the document data but instead is signing a structure of so called “signed attributes”. One of these is a document hash, others can be the signing time, a link to the signer certificate, and other information; these extra information is required in many use cases. Only the most primitively built SignerInfo structures sign the document data directly.
In general, therefore, if you simply take a PKCS#1 signature of some data and wrap it in a PKCS#7 container, that signature container won’t be accepted.
For details see RFC 3852.
Concerning integrated PDF signatures:
Your description of your implementation-to-be is somewhat vague. You seem to think that the document hash to sign is a hash of the original PDF. In case of integrated PDF signatures this is wrong: In order to create an integrated PDF signature, you first extend the PDF by some data which envelop a placeholder for the PKCS#7 signature container (recommended by the specification) or the PKCS#1 signature to integrate. Then you need to hash this extended PDF except the placeholder. (By the current PDF specification you could hash less than that but this won’t be accepted by the current Adobe Acrobat/Reader and shouldn’t be accepted by any serious verifier).
For details see ISO 32000-1:2008 as published by Adobe
Depending on the legal requirements you may also have to take into account PDF Advanced Electronic Signatures (PAdES) as specified by ETSI, cf. ETSI standard for EU-compliant electronic signatures. These will become part of ISO 32000-2, aka PDF 2.0.
So, are you still sure your use case allows for those very simple PKCS#7 signatures you have in mind, and are your PKCS#1 source signatures created for the right document? In that case building those containers is easily done by looking at RFC 3852.
Anyways, you should have a look at the whitepaper Digital Signatures for PDF documents by Bruno Lowagie (iText Software).