[Q] How to detach signed data from pkcs7 ?
[try]
From the point of view of the data being sent, a signature is normally attached, i.e. it travels together with the data it signs.
The signature can also be sent separately from the data. This is usually done because the original data already lives somewhere in a file; after signing there is no need to bundle data and signature together, only the signature has to be put into the container (PKCS7, S/MIME, ...).
"...
Digital signatures are normally attached to the message. However, ...
A detached signature may be stored and transmitted separately from the message it signs.
...
In an S/MIME message with a detached signature, the signature is calculated over the entire payload data, in addition to its MIME headers.
... detached signature
PKCS#7: Includes the signature and certificate without the signed data.
RNIF1.1: Uses PKCS#7 and a detached format.
S/MIME2: May include a MIME multipart message consisting of the original data in one segment
and a binary format signature or a base64-encoded signature in a second segment.
...
..."
C# (System.Security.Cryptography.Pkcs); the original note left the CmsSigner argument as "...", here the signer certificate is taken as a parameter:
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static byte[] CreatePkcs7WithDetachedSig(byte[] data, X509Certificate2 signerCert)
{
    ContentInfo content = new ContentInfo(data);
    // second ctor argument = detached: the encoded blob will not contain the data
    SignedCms signedCms = new SignedCms(content, true);
    CmsSigner signer = new CmsSigner(signerCert);
    signedCms.ComputeSignature(signer);
    // not needed (and not possible): SignedCms.ContentInfo and SignedCms.Detached are
    // read-only; detached mode is fixed by the constructor
    //xxx signedCms.ContentInfo = null;
    //xxx signedCms.Detached = true;
    return signedCms.Encode();
}
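The flip side of the detached signature is verification: the container holds no data, so the relying party must hand the original bytes back in before checking the signature. The following is an added example (not from the original note), assuming .NET with System.Security.Cryptography.Pkcs and a PFX file whose path and password are passed as placeholders on the command line:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

public static class DetachedPkcs7
{
    // Sign: the encoded CMS carries the SignerInfo and the signer's certificate,
    // but not the data itself (detached = true).
    public static byte[] Sign(byte[] data, X509Certificate2 signerCert)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        cms.ComputeSignature(new CmsSigner(signerCert));
        return cms.Encode();
    }

    // Verify: the original bytes are supplied again and the signed messageDigest
    // attribute is checked against them; any change to the data fails the check.
    public static bool Verify(byte[] detachedSig, byte[] data, bool verifySignatureOnly)
    {
        var cms = new SignedCms(new ContentInfo(data), detached: true);
        cms.Decode(detachedSig);
        try
        {
            // verifySignatureOnly = false additionally builds and validates the cert chain
            cms.CheckSignature(verifySignatureOnly);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    public static void Main(string[] args)
    {
        // args: <signer.pfx> <pfx-password> <file-to-sign>  (placeholders, supply your own)
        var cert = new X509Certificate2(args[0], args[1]);
        byte[] data = File.ReadAllBytes(args[2]);
        byte[] sig = Sign(data, cert);
        File.WriteAllBytes(args[2] + ".p7s", sig);
        Console.WriteLine($"detached signature: {sig.Length} bytes, data ({data.Length} bytes) not included");
        Console.WriteLine("original verifies: " + Verify(sig, data, verifySignatureOnly: true));
        byte[] tampered = (byte[])data.Clone();
        tampered[0] ^= 0x01; // flip one bit of the payload
        Console.WriteLine("tampered verifies: " + Verify(sig, tampered, verifySignatureOnly: true));
    }
}
```

With verifySignatureOnly set to true only the cryptographic signature is checked; pass false in production so the signer's certificate chain is validated as well.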
[ref]
http://docs.sun.com/app/docs/doc/820-1228/6nctp1mqb?l=zh_TW&a=view
Friday, May 28, 2010
Pdf signature
0. Signature appearance add/edit by "Edit -> Preferences-> Security -> Appearance" in Acrobat
1. Filter/SubFilter of the signature dictionary in the PDF file:
pkcs#7: adbe.pkcs7.detached, adbe.pkcs7.sha1
pkcs#1: adbe.x509.rsa.sha1
adbe.x509.rsa.sha1 is not recommended?
"detached" means the signature value and the data are separated?
".sha1" is not required to be SHA-1!?
"...
The SHA1 in the name is misleading as you can use other hash functions, depending on ....
For example, for true PDF/A-1 compatibility you should not use SHA256 since it didn't exist in PDF 1.4 (on which PDF/A-1 is based)
..."
2. Putting several signatures on the same version of the same document, e.g. section chief, director, division head, assistant manager ...
"...
The normal way to do this would be to have multiple SignerInfo's inside a single signature - this is called parallel signatures. PDF, however, does not support this - and in fact, ETSI TS 102778 (PAdES) explicitly forbids it.
..."
"...
Parallel signatures in the PDF context are realized using serial signatures, an acceptable solution as long as the document isn't to be signed simultaneously at the same time by different persons.
..."
"...
ETSI/ESI STF364 is going to be working on the “parallel signatures problem” during Phase 3 of their work. The current thoughts to address the problem revolve around the use of multiple signerInfos inside of a single PKCS#7 block, just as it is done in CAdES.
..."
"...
Instead of inventing the wheel time and time again, simply reserving enough space for a signature container containing multiple signerInfo blocks sounds most reasonable.
..."
[ref]
http://learn.adobe.com/wiki/download/attachments/52658564/samplesignatures.pdf?version=1
http://forums.adobe.com/thread/530277?tstart=0
http://stackoverflow.com/questions/1807432/signing-pdf-multiple-signatures-with-a-single-revision
http://itext-general.2136553.n4.nabble.com/Uncommon-ByteRange-entry-in-signature-dictionary-td2168822.html#a2168822
http://itext-general.2136553.n4.nabble.com/Multiple-signatures-and-multiple-revisions-td2171996.html#a2171996
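To see what "detached" and "serial signatures" look like inside an actual signed PDF, the following added example (not from the original note) scans a PDF for signature dictionaries and reports, per signature, the SubFilter, whether the /ByteRange gap holds exactly the hex-encoded /Contents string (the signature value kept apart from the signed bytes), and whether the range reaches the end of the file. With serial signatures each earlier signature's range ends where its revision ended, and only the last one covers the whole file. Assumes .NET 5+ (Encoding.Latin1, records) and a signed PDF path given as a placeholder argument:

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

public static class PdfSigScan
{
    public sealed record SigEntry(string SubFilter, int GapStart, int GapEnd, bool ContentsInGap, bool CoversToEof);

    // One entry per /ByteRange found. Signature dictionaries are never inside compressed
    // object streams (the offsets must be real file offsets), so a byte-level scan works.
    public static List<SigEntry> Scan(byte[] pdf)
    {
        // ISO-8859-1 maps bytes 1:1 to chars, so string offsets equal byte offsets.
        string s = Encoding.Latin1.GetString(pdf);
        var result = new List<SigEntry>();
        var byteRange = new Regex(@"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]");
        var subFilter = new Regex(@"/SubFilter\s*/([\w.]+)");
        foreach (Match m in byteRange.Matches(s))
        {
            int a = int.Parse(m.Groups[1].Value), b = int.Parse(m.Groups[2].Value);
            int c = int.Parse(m.Groups[3].Value), d = int.Parse(m.Groups[4].Value);
            // "detached" in PDF terms: the signed ranges [a,a+b) and [c,c+d) surround a gap
            // that holds nothing but the hex string <...> of /Contents.
            bool inGap = a == 0 && c > a + b && c + d <= pdf.Length
                         && pdf[a + b] == (byte)'<' && pdf[c - 1] == (byte)'>';
            bool toEof = c + d == pdf.Length;
            // SubFilter is in the same dictionary; look in a window around the match.
            int lo = Math.Max(0, m.Index - 2048);
            int len = Math.Min(s.Length - lo, 4096);
            Match sf = subFilter.Match(s, lo, len);
            result.Add(new SigEntry(sf.Success ? sf.Groups[1].Value : "?", a + b, c, inGap, toEof));
        }
        return result;
    }

    public static void Main(string[] args)
    {
        byte[] pdf = File.ReadAllBytes(args[0]); // placeholder: path to a signed PDF
        foreach (var e in Scan(pdf))
            Console.WriteLine($"{e.SubFilter}: gap [{e.GapStart},{e.GapEnd}) " +
                              $"contentsInGap={e.ContentsInGap} coversToEof={e.CoversToEof}");
    }
}
```

A signature whose /ByteRange does not reach EOF is not necessarily bad: with serial signatures that is exactly what every signature but the last looks like, and a verifier has to inspect the later incremental updates to decide whether they only added further signatures or changed content.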