PDF signature marked as "altered or "corrupted" with external CMS

[Henribou]

Hello and thank you for this project !
In my project, I want my users to be able to use their certificate from their computer easily. I use for that https://fortifyapp.com/, this part specifically https://fortifyapp.com/examples#signing.

To reproduce it, you need to install Fortify. Then, in a index.html

<link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;600&display=swap" rel="stylesheet">  
  
<!-- Components -->  
<script type="module" src="https://cdn.jsdelivr.net/npm/@peculiar/fortify-webcomponents/dist/peculiar/peculiar.esm.js"></script>  
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@peculiar/fortify-webcomponents/dist/peculiar/peculiar.css">  
  
<!-- Crypto -->  
<script src="https://fortifyapp.com/external/pvtsutils/pvtsutils.js"></script>  
<script src="https://fortifyapp.com/external/asn1js/asn1.min.js"></script>  
<script src="https://fortifyapp.com/external/pkijs/pki.min.js"></script>  
  
<style>  
  body {  
    height: 100vh;  
    background: #6D7D87;  
  }  
  
  section {  
    max-width: 660px;  
    width: calc(100% - 20px);  
    margin: 20px auto;  
  }  
</style>  
  
<section>  
  <br>  
  <pre><code id="output"></code></pre>  
</section>  
  
<script>  
  function formatPEM (raw, tag) {  
    var pemString = pvtsutils.Convert.ToBase64(raw);  
    var stringLength = pemString.length;  
    var resultString = "";  
  
    for (var i = 0, count = 0; i < stringLength; i++, count++) {  
      if (count > 63) {  
        resultString = resultString + '\n';  
        count = 0;  
      }  
  
      resultString = resultString + pemString[i];  
    }  
  
    return '-----BEGIN ' + tag.toUpperCase() + '-----\n' + resultString + '\n-----END ' + tag.toUpperCase() + '-----\n';  
  }  
  
  async function continueHandler(event) {  
    try {  
        // Read the base64 file content  
        const response = await fetch('./inputbase64.txt');  
        const base64Content = await response.text();  
      var demoData = pvtsutils.Convert.FromString(base64Content);  
      var provider = await event.detail.socketProvider.getCrypto(event.detail.providerId);  
  
      provider.sign = provider.subtle.sign.bind(provider.subtle);  
  
      pkijs.setEngine(  
        "newEngine",  
        provider,  
        new pkijs.CryptoEngine({  
          name: "",  
          crypto: provider,  
          subtle: provider.subtle,  
        })  
      );  
  
      var cert = await provider.certStorage.getItem(event.detail.certificateId);  
      var privateKey = await provider.keyStorage.getItem(event.detail.privateKeyId);  
      var certRawData = await provider.certStorage.exportCert('raw', cert);  
  
      var pkiCert = new pkijs.Certificate({  
        schema: asn1js.fromBER(certRawData).result,  
      });  
  
      var signedData = new pkijs.SignedData({  
        version: 1,  
        encapContentInfo: new pkijs.EncapsulatedContentInfo({  
          eContentType: "1.2.840.113549.1.7.1", // "data" content type  
        }),  
        signerInfos: [  
          new pkijs.SignerInfo({  
            version: 1,  
            sid: new pkijs.IssuerAndSerialNumber({  
              issuer: pkiCert.issuer,  
              serialNumber: pkiCert.serialNumber,  
            }),  
          }),  
        ],  
        certificates: [pkiCert],  
      });  
  
      var contentInfo = new pkijs.EncapsulatedContentInfo({  
        eContent: new asn1js.OctetString({  
          valueHex: demoData,  
        }),  
      });  
  
      signedData.encapContentInfo.eContent = contentInfo.eContent;  
  
      await signedData.sign(privateKey, 0, "sha-256");  
  
      var cms = new pkijs.ContentInfo({  
        contentType: "1.2.840.113549.1.7.2",  
        content: signedData.toSchema(true),  
      });  
      var result = cms.toSchema().toBER(false);  
      var pem = formatPEM(result, "CMS");  
  
      output.innerHTML = pem;  
    } catch (error) {  
      alert('Failed to sign CMS');  
      console.error(error);  
    }  
  }  
</script>  
<script>  
  var fortifyCertificates = document.createElement('peculiar-fortify-certificates');  
  // All possible propertiest you can find on the documentation page  
  // https://fortifyapp.com/docs/webcomponents/fortify-certificates/readme#properties  
  fortifyCertificates.debug = true;  
  fortifyCertificates.filters = {  
    //   onlySmartcards: false,  
    //   expired: false,    onlyWithPrivateKey: true,  
    //   subjectDNMatch: 'apple',  
    //   subjectDNMatch: new RegExp(/apple/),    //   issuerDNMatch: 'demo',    //   issuerDNMatch: new RegExp(/demo/),    //   providerNameMatch: 'MacOS',    //   providerNameMatch: new RegExp(/MacOS/),    keyUsage: ['digitalSignature'],  
    //   certificateIdMatch: 'test',  
  };  
  
  fortifyCertificates.addEventListener('selectionCancel', function() {  
    alert('selectionCancel');  
  });  
  
  fortifyCertificates.addEventListener('selectionSuccess', continueHandler);  
  
  document.getElementsByTagName('section')[0].prepend(fortifyCertificates);  
</script>

The file inputbase64.txt is needed : for that, choose a pdf and do the following :

def from_file_to_base64(path_file_pdf):  
    with open(path_file_pdf, "rb") as pdf_file:  
        encoded_string = base64.b64encode(pdf_file.read())  
    with open("inputbase64.txt", "wb") as file:  
        file.write(encoded_string)

Then run the server with the follinwing :

python -m http.server -b 127.0.0.1 3000

On the page http://127.0.0.1:3000/, you can now select a Certificate from your computer and sign the PDF.
You will receive the string :

-----BEGIN CMS-----
MIMBmeYGCSqGSIb3DQEHAqCDAZnWMIMBmdECAQExDzANBglghkgBZQMEAgEFADCD
AZHOBgkqhkiG9w0BBwGggwGRviSDAZG5BIMBAABKVkJFUmkweExqUU5KZUxqejlN
TkNqWWdNQ0J2WW1vZ1BEd3ZUR2x1WldGeWFYcGxaQ0F4TDB3Z056Y3hNak12VHlB
NEwwVWdOekk1TURjdlRpQXhMMVFnTnpZNU5UY3ZTQ0JiSURnNU5pQXlNRE5kUGo0
TlpXNWtiMkpxRFNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0RR.....
RoCtx8+pZL1NDcjwhhMIOxCioJ2lMXPMwO9j+LNcWC9OtJsWgM2G32
yHUPCXCORAHixzk=
-----END CMS-----

Copy this complete CMS to the file : outputcms.txt

Now, that is where PyHanko is needed : I got the complete CMS, I would like to sign the PDF.

import base64  
from asn1crypto import cms  
from pyhanko import stamp  
from pyhanko.keys import load_certs_from_pemder  
from pyhanko.pdf_utils import images  
from pyhanko.sign import signers  
from pyhanko_certvalidator import (  
    ValidationContext,  
    CertificateValidator,  
    ValidationPath,  
)  
from pyhanko_certvalidator.registry import CertificateStore
def get_cms_from_frontend(path_file: str) -> bytes:  
    with open(path_file, 'r') as file:  
        base64_data = file.read().strip()  
    cleaned_base64_data = (  
        base64_data.replace('\n', '').replace('\r', '').replace(' ', '')  
    )  
    cms_bytes = base64.b64decode(cleaned_base64_data)  
    return cms_bytes

def create_detached_cms(cms_bytes):  
    signed_data = cms.ContentInfo.load(cms_bytes)['content']  
  
    # Create a new SignedData object  
    new_signed_data = cms.SignedData(  
        {            'version': signed_data['version'],  
            'digest_algorithms': signed_data['digest_algorithms'],  
            'encap_content_info': {  
                'content_type': signed_data['encap_content_info']['content_type'],  
                'content': None,  # This makes it detached  
            },  
            'certificates': signed_data['certificates'],  
            'signer_infos': signed_data['signer_infos'],  
        }  
    )  
    # Only add 'crls' if it's present in the original SignedData  
    if signed_data['crls'].native is not None:  
        new_signed_data['crls'] = signed_data['crls']  
  
    # Wrap it in ContentInfo  
    new_cms = cms.ContentInfo(  
        {'content_type': 'signed_data', 'content': new_signed_data}  
    )  
    return new_cms

class CustomExternalSigner(signers.ExternalSigner):  
    def __init__(self, cms_bytes):  
        self._signature_value = cms_bytes  
  
        # Extract information from the CMS  
        signed_data = cms.ContentInfo.load(cms_bytes)['content']  
        signer_info = signed_data['signer_infos'][0]  
        signature_mechanism = signer_info['signature_algorithm']  
        self.digest_algorithm = signer_info['digest_algorithm']  
        signing_cert = signed_data['certificates'][0]  
  
        # Convert the certificate to a format that has the public_key method  
        cert_der = signing_cert.dump()  
        # cert = x509.load_der_x509_certificate(cert_der)  
        # Put the bytes on a file        with open('cert.der', 'wb') as f:  
            f.write(cert_der)  
  
        cert_generator = load_certs_from_pemder(  
            [                'cert.der',  
            ]  
        )        certs = list(cert_generator)  
        cert = certs[0]  
        # Get the public key  
        # Determine the key type and set appropriate attributes        super().__init__(  
            signature_mechanism=signature_mechanism,  
            signing_cert=cert,  
            cert_registry=None,  
            signature_value=bytes(256),  
        )
  
async def sign_pdf_with_external_cms(path_file_cms: str):  
    from pyhanko.sign import fields  
    from pyhanko_certvalidator import ValidationContext  
  
    # Get the CMS bytes and create detached signature  
    cms_bytes = get_cms_from_frontend(path_file_cms)  
    cms_detached = create_detached_cms(cms_bytes)  
    signer = CustomExternalSigner(cms_detached.dump())  
  
    # Write the content of inputbase64.txt to input.pdf  
    with open("inputbase64.txt", "rb") as file:  
        encoded_string = file.read()  
    with open("inputoriginal.pdf", "wb") as pdf_file:  
        decoded_bytes = base64.b64decode(encoded_string)  
        pdf_file.write(decoded_bytes)  
  
    vc = ValidationContext(  
        allow_fetching=True,  
        trust_roots=[signer.signing_cert],  
    )  
  
    # Create PDF signer with proper metadata  
    pdf_signer = signers.PdfSigner(  
        signers.PdfSignatureMetadata(  
            field_name='Sig1',  
            md_algorithm='sha256',  
            subfilter=fields.SigSeedSubFilter.ADOBE_PKCS7_DETACHED,  
            validation_context=vc,  
            certify=False,  
            signer_key_usage={  
                'digital_signature',  
            },  
        ),  
        signer=signer,  
    )  
  
    # Open and prepare the document for signing  
    with open("inputoriginal.pdf", 'rb') as doc:  
        w = IncrementalPdfFileWriter(doc)  
  
        # Get the document digest and other necessary components  
        (  
            prepared_digest,  
            tbs_document,  
            output_handle,  
        ) = await pdf_signer.async_digest_doc_for_signing(w, bytes_reserved=16384)  
  
        # Get the signature CMS  
        sig_cms = cms_detached.dump()  
  
        # Simple signing without PAdES (use this if you don't need PAdES-LT/LTA)  
        prepared_digest.fill_with_cms(output_handle, sig_cms)  
  
        # Write the signed document  
        with open('signed.pdf', 'wb') as outf:  
            output_handle.seek(0)  
            outf.write(output_handle.read())
        

You need to call the function sign_pdf_with_external_cms with the outputcms.txt path as input.
At the end, I got 2 files : inputoriginal.pdf, which is my initial PDF sent to Fortify; signed.pdf, the signed PDF by the Certificate choosen in Fortify.

But unfortunatily, the signature is invalid because the "document has been altered or corrupted since it was signed" according to Adobe Reader.

Any help is welcome ! Thanks

[MatthiasValvekens]

Hi @Henribou,

I haven't tried your code, but I can already tell you that your approach is doomed to fail without running it ;).

Unfortunately, a PDF signature is not computed by simply hashing the entire file and computing a signature over that hash. The mathematical process of calculating the signature itself is intertwined with the actual embedding of the signature in the file: you have to first render the visual appearance of the signature, allocate a "hole" in the PDF data stream that will house the CMS container, then hash everything outside the hole, and compute your signature over that hash. The result of that gets put back in the hole to create a signed PDF. In other words, you can't fully decouple the process of putting the signature in the PDF from the actual signing process.

This embedding process is a bit convoluted, and automating that is where tools like pyHanko come in. You can integrate pyHanko with external signature providers, but you have to let it handle all the PDF-level state management either way. I'll refer you to the documentation for more info on the ways in which you can onboard external signers (see in particular the parts on the interrupted signing flow and extending the Signer API).

[Henribou]

Thanks a lot @MatthiasValvekens for your help and your time.

Here are my modifications, I managed to get the file signed but the problem persists : the signature is invalid because the "document has been altered or corrupted since it was signed" according to Adobe Reader.

Based on https://pyhanko.readthedocs.io/en/latest/lib-guide/signing.html#basic-interrupted-signing-example and #453 and #97, here is what I did :

validation_context = ValidationContext(allow_fetching=True)
  
def instantiate_external_signer(sig_value: bytes, certificate=None, cert_registry=None):  
    return ExternalSigner(  
        # note the 'None's  
        signing_cert=certificate,  
        cert_registry=cert_registry,  
        signature_value=sig_value,  
        signature_mechanism=SignedDigestAlgorithm({"algorithm": "sha256_rsa"}),  
    )

async def prep_document(w: BasePdfFileWriter):  
    ext_signer = instantiate_external_signer(bytes(256))  
    pdf_signer = signers.PdfSigner(  
        # Specifying a digest algorithm (or signature mechanism)  
        # is necessary if the signing cert is not available     
        signers.PdfSignatureMetadata(  
            field_name='Sig1',  
            # embed_validation_info=True,  
            # use_pades_lta=True,            
            # subfilter=fields.SigSeedSubFilter.PADES,            
            # validation_context=validation_context,            
            md_algorithm='sha256',  
        ),  
        signer=ext_signer,  
        # timestamper=default_timestamper,  
        stamp_style=stamp.StaticStampStyle(  
            border_width=0, background=images.PdfImage('signature.png')  
        ),  
    )  
  
    # Since estimation is disabled without a certificate  
    # available, bytes_reserved becomes mandatory.
    prep_digest, tbs_document, output = await pdf_signer.async_digest_doc_for_signing(  
        w, bytes_reserved=8192  
    )  
    return prep_digest, tbs_document, output, ext_signer

def get_certificate_from_output_cms(cms_b64: base64):  
    signature = base64.b64decode(cms_b64)  
    signed_data = cms.ContentInfo.load(signature)['content']  
    cert_der = signed_data['certificates'][0].dump()  
    with open('cert.der', 'wb') as f:  
        f.write(cert_der)  
  
    cert_generator = load_certs_from_pemder(  
        [            'cert.der',  
        ]  
    )    certs = list(cert_generator)  
    cert = certs[0]  
    return cert, signature

  
async def main(path_file):  
    with open(path_file, 'rb') as doc:  
        w = IncrementalPdfFileWriter(doc)  
        prep_digest, tbs_document, output, ext_signer = await prep_document(w)  
    data_b64_to_send_to_external_signer = base64.b64encode(  
        hashlib.sha256(prep_digest.document_digest).digest()  
    )  
    # OR according to [https://github‡qqq.com/MatthiasValvekens/pyHanko/discussions/97](https://github.com/MatthiasValvekens/pyHanko/discussions/97)  
    # signed_attrs = await ext_signer.signed_attrs(    #     prep_digest.document_digest, 'sha256', use_pades=False    # )    # data_b64_to_send_to_external_signer = base64.b64encode(signed_attrs.dump())    
    print(str(data_b64_to_send_to_external_signer))  
    cms_bytes_from_external_signer = use_fortify_to_get_cms(data_b64_to_send_to_external_signer)  
    cert_obj, signature = get_certificate_from_output_cms(  
        cms_bytes_from_external_signer  
    )  
    prep_digest.fill_with_cms(output, signature)  
    # await sign_pdf(signature, prep_digest)  
    with open("dummy_signed.pdf", "wb") as signed_doc:  
        output.seek(0)  
        signed_doc.write(output.read())

I tried, according to https://github‡qqq.com/MatthiasValvekens/pyHanko/discussions/97, to replace data_b64_to_send_to_external_signer by :

signed_attrs = await ext_signer.signed_attrs(  
    prep_digest.document_digest, 'sha256', use_pades=False  
)  
data_b64_to_send_to_external_signer = base64.b64encode(signed_attrs.dump())

I also tried the add the function :

async def finish_signing(output, prep_digest, signature, certificate):  
    digest = hashlib.sha256(prep_digest.document_digest).digest()  
    cert_registry = SimpleCertificateStore()  
    cert_registry.register(certificate)  
    signer = instantiate_external_signer(signature, certificate, cert_registry)  
    signed_attrs = await signer.signed_attrs(  
        digest,  
        "sha256",  
        use_pades=True,  
    )  
    sig_cms = await signer.async_sign_prescribed_attributes(  
        "sha256",  
        signed_attrs,  
    )  
    prep_digest.fill_with_cms(output, sig_cms)  
  
    with open("dummy_signed.pdf", "wb") as signed_doc:  
        output.seek(0)  
        signed_doc.write(output.read())

but in vain.
Is my approach still the wrong one ?

[MatthiasValvekens]

You still seem to be pregenerating the signature, no? Because that can't work for the reasons I pointed out in my first comment.

Basically, if you're doing any signature math before even invoking pyHanko, the result is pretty much guaranteed to be an invalid signature. To use the interrupted signing flow correctly, you need to let pyHanko tell you what to sign.

[Henribou]

No, I am not pregenerating the signature : in the function main, I call the function prep_document.
In it, I call the function

def instantiate_external_signer(sig_value: bytes, certificate=None, cert_registry=None):  
    return ExternalSigner(  
        # note the 'None's  
        signing_cert=certificate,  
        cert_registry=cert_registry,  
        signature_value=sig_value,  
        signature_mechanism=SignedDigestAlgorithm({"algorithm": "sha256_rsa"}),  
    )

with certificate empty (None) and cert_registry empty (None).

It is pyHanko that tells me what to sign here :

data_b64_to_send_to_external_signer = base64.b64encode(  
        hashlib.sha256(prep_digest.document_digest).digest()  
    )

I send that back to the external signer