Timestamp error


Zoltan Lippai

Jun 24, 2014, 9:50:36 AM
to jsig...@googlegroups.com
Hello everybody,

I have a problem with jsignpdf and I was hoping maybe I could find the solution here.
I am trying to sign and timestamp a document on Linux CLI, but it fails for some reason.

Here is the code I am using:

java -jar /root/cron/jsignpdf/JSignPdf.jar \
/home/zolcsi/CG.pdf \
--certification-level CERTIFIED_NO_CHANGES_ALLOWED \
--crl \
--out-directory /home/zolcsi/ \
--disable-assembly \
--disable-fill \
--disable-modify-annotations \
--disable-modify-content \
--hash-algorithm SHA256 \
--keystore-file /root/cron/privateKeys/interpont.p12 \
--keystore-type PKCS12 \
--keystore-password ******* \
--ocsp \
--out-suffix "-signed" \
--tsa-server-url "https://btsa.e-szigno.hu/tsa" \
--tsa-authentication PASSWORD \
--tsa-user "********" \
--tsa-password "********"

And here is the output of jsignpdf:
INFO  Checking input and output PDF paths.
INFO  Getting key alias
INFO  Used key alias: gregor tamás's microsec ltd. id
INFO  Loading private key
INFO  Getting certificate chain
INFO  Opening input PDF file: /home/zolcsi/CG.pdf
INFO  Creating output PDF file: /home/zolcsi/CG-signed.pdf
INFO  Creating signature
INFO  Updating PDF version info 1.3 -> 1.6
INFO  Setting certification level
INFO  Processing (it may take a while) ...
INFO  Reading CRLs
INFO  Reading CRL distribution points from certificate 2.5.4.5=#131c312e332e362e312e342e312e32313532382e322e322e322e35333833,1.2.840.113549.1.9.1=#16136774616d617340696e746572706f6e742e6875,CN=Gregor Tamás,O=InterPont Plus Kft.,L=Budapest,C=HU
INFO  Found CRL URL in distribution point: http://crl.e-szigno.hu/a2ca2009.crl
INFO  Downloading CRL from http://crl.e-szigno.hu/a2ca2009.crl
INFO  Size of downloaded CRL: 24389
INFO  Creating TSA client.
ERROR Problem occured
ExceptionConverter: java.lang.Exception: Invalid TSA 'https://btsa.e-szigno.hu/tsa' response, code 128
    at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
    at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
    at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(Unknown Source)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:375)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:242)
    at net.sf.jsignpdf.Signer.main(Signer.java:137)
INFO  Finished: Creating of signature failed.

Does anybody know what this error 128 means?

Thanks in advance!

Zoltan

Zoltan Lippai

Jun 24, 2014, 9:51:36 AM
to jsig...@googlegroups.com
One more thing I'd like to add: previously this was working fine with a different TSA provider. The only difference is that it didn't need authentication.

Rajendra Prasad

Jun 25, 2014, 4:38:37 AM
to jsig...@googlegroups.com
Hi,
Are you using JSignPDF 1.5.3? This version has some problems with TSA. Kindly use JSignPDF 1.5.4.
Rajendra

Zoltan Lippai

Jun 25, 2014, 4:43:20 AM
to jsig...@googlegroups.com
Unfortunately, I already upgraded to 1.5.4.

[207] root@aragorn:/home/zolcsi# java -jar /root/cron/jsignpdf/JSignPdf.jar -v
JSignPdf version 1.5.4

Previously I was using 1.5.1, which was also working fine, but after switching TSA provider and realizing that the timestamping is not working, I upgraded to 1.5.4.

Rajendra Prasad

Jun 25, 2014, 8:27:18 AM
to jsig...@googlegroups.com
There are some more free TSAs; can you test with them and see whether it works?

http://dse200.ncipher.com/TSS/HttpTspServer
http://tsa.starfieldtech.com
https://timestamp.geotrust.com/tsa


Rajendra


Zoltan Lippai

Jun 25, 2014, 8:42:55 AM
to jsig...@googlegroups.com
Hi Rajendra,

thanks for your tip. I tried all three of them and they are all working fine.
The only thing that I can think of at the moment is that maybe something is wrong with the password authentication in jsignpdf.
I know for a fact that the timestamp server is working, because I was able to sign and timestamp a document using a Windows software.
Do you know about TSA servers that need credentials? Maybe I could try those to see if my theory is correct.

Thanks again for your help!

Best regards,
Zoltan

Josef Cacek

Jun 25, 2014, 5:22:58 PM
to JSignPdf forum
Hi Zoltan,

there are 2 main conditions for the TSA used in JSignPdf, which you
should check with the e-szigno.hu operator:

1) the time-stamping server has to be based on RFC 3161 "Time-Stamp
Protocol (TSP)" - http://www.ietf.org/rfc/rfc3161.txt
2) SHA-1 has to be supported as the hash algorithm

The response code 128 from the program output means "unrecognized or
unsupported Algorithm Identifier", so maybe the 2nd condition could be
the problem.

-- josef

Zoltan Lippai

Jun 25, 2014, 5:27:58 PM
to jsig...@googlegroups.com
Hi Josef,

I am certain that the provider uses SHA256. SHA1 was discontinued a few years ago. So that might explain the problem.
However, the strange thing is that the previous TSA also used SHA256.
I have attached a file that was signed using jsignpdf (1.5.1) and it seems to me that the timestamp on it is SHA256. Can you confirm it?

Thanks!
interpont-2325-signed.pdf

Josef Cacek

Jun 25, 2014, 6:00:42 PM
to JSignPdf forum
TSA hash algorithm in your document is SHA-1

Signature: Signature1
TimeStampToken.getTimeStampInfo().getHashAlgorithm().getAlgorithm(): 1.3.14.3.2.26

Zoltan Lippai

Jun 25, 2014, 6:03:43 PM
to jsig...@googlegroups.com
Ah, OK, thanks for clearing that up.
I am guessing that jsignpdf doesn't support SHA256 because of the itext library. If I am right, does it mean that I have to look for a new CLI tool that supports SHA256 TSA providers?

Josef Cacek

Jun 25, 2014, 7:27:29 PM
to JSignPdf forum
Have a look at this test version:
http://sourceforge.net/projects/jsignpdf/files/test/JSignPdf%201.5.5-a1/JSignPdf-1.5.5-a1.zip/download

There is a new configuration property named tsa.hashAlgorithm in
conf/conf.properties file. Change its value from SHA-1 to SHA-256 (or
whatever is supported by your TSA) and let me know if it helped.

Thanks,

-- josef
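
Added example, not part of the original thread and not JSignPdf or iText code: a standard-library Python illustration of the RFC 3161 request at issue above. It builds a TimeStampReq with a chosen digest, reads back the messageImprint hash OID (1.3.14.3.2.26, the value quoted earlier, is SHA-1), and decodes a failure code such as 128. All function names are illustrative, and the integer layout of the failure code (first bit-string byte least significant, as BouncyCastle packs it) is an assumption.

```python
import hashlib

# DER-encoded OID bodies for the two digests discussed in the thread.
HASH_OIDS = {"sha1": bytes.fromhex("2b0e03021a"),            # 1.3.14.3.2.26
             "sha256": bytes.fromhex("608648016503040201")}  # 2.16.840.1.101.3.4.2.1
# RFC 3161 PKIFailureInfo bit positions.
FAILURE_BITS = {0: "badAlg", 2: "badRequest", 5: "badDataFormat",
                14: "timeNotAvailable", 15: "unacceptedPolicy", 16: "unacceptedExtension",
                17: "addInfoNotAvailable", 25: "systemFailure"}

def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def build_timestamp_request(data, algo):
    """TimeStampReq: version 1, messageImprint(algo, digest), certReq TRUE."""
    alg_id = tlv(0x30, tlv(0x06, HASH_OIDS[algo]) + tlv(0x05, b""))
    imprint = tlv(0x30, alg_id + tlv(0x04, hashlib.new(algo, data).digest()))
    return tlv(0x30, tlv(0x02, b"\x01") + imprint + tlv(0x01, b"\xff"))

def read_tlv(buf, pos):
    """Return (body, next_pos) of the DER element starting at pos."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def imprint_oid(request):
    """Dotted OID of messageImprint.hashAlgorithm in a TimeStampReq."""
    req, _ = read_tlv(request, 0)
    _, pos = read_tlv(req, 0)          # skip version
    imprint, _ = read_tlv(req, pos)
    oid, _ = read_tlv(read_tlv(imprint, 0)[0], 0)
    first = min(oid[0] // 40, 2)
    arcs, value = [first, oid[0] - 40 * first], 0
    for b in oid[1:]:                  # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_failure_code(code):
    """Assumption: bit-string byte i occupies bits 8i..8i+7 of the integer."""
    return [name for bit, name in FAILURE_BITS.items()
            if code & ((0x80 >> (bit % 8)) << (8 * (bit // 8)))]
```

Writing the output of `build_timestamp_request` to a file gives a request whose digest OID can be compared with what a TSA states it accepts before changing the signer's configuration.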

Zoltan Lippai

Jun 26, 2014, 3:44:25 AM
to jsig...@googlegroups.com
Dear Josef,

thank you very much, that did the trick.
Using 1.5.5 it is working perfectly.

Thanks again!

Best regards,
Zoltan