--timestamp does not work, Can't write signature, not enough space
gunnarhaslinger opened this issue
Using open-pdf-sign with Let's Encrypt certificates works fine, but I would like to timestamp those (as the LE certs are only valid for 90 days, timestamping would be needed to keep the documents validly signed for a longer period).
So I tried this with several TSA-Servers like
http://timestamp.digicert.com/
http://timestamp.comodoca.com/
http://tsa.swisssign.net/
but without luck:
Exception in thread "main" eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
>java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timestamp --tsa http://timestamp.digicert.com --timezone Europe/Vienna
Exception in thread "main" eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
    at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:422)
    at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.checkEncryptedAndSaveIncrementally(PdfBoxSignatureService.java:406)
    at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocumentAndReturnDigest(PdfBoxSignatureService.java:230)
    at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocument(PdfBoxSignatureService.java:166)
    at eu.europa.esig.dss.pdf.AbstractPDFSignatureService.sign(AbstractPDFSignatureService.java:294)
    at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:218)
    at org.openpdfsign.Signer.signPdf(Signer.java:163)
    at org.openpdfsign.CLIApplication.main(CLIApplication.java:126)
Caused by: java.io.IOException: Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
    at org.apache.pdfbox.pdfwriter.COSWriter.writeExternalSignature(COSWriter.java:845)
    at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:793)
    at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1199)
    at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:452)
    at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1435)
    at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1414)
    at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:420)
    ... 7 more
I used Wireshark to check whether the retrieval of the timestamp from the TSA server works: YES, request + response look valid in Wireshark.
Hm, that's strange! Thanks for reporting!
The same certificate without the timestamp works? Would it work by using the "cert41.pem" instead of the "fullchain41" as the certificate?
Yes, without Timestamp/TSA it works:
java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timezone Europe/Vienna
But thanks for the hint ... using "cert" instead of "fullchain" now the timestamping works too:
java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate cert41.pem --key privkey41.pem --page -1 --timezone Europe/Vienna --timestamp --tsa http://timestamp.digicert.com
So: This works, but now the Intermediate-Cert-Chain is not embedded.
So I guess the error message "Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize" tells the truth. -> There is not enough space to include both a timestamp and the chain; I currently can only include either the intermediate cert chain OR a timestamp.
Thanks for the help!
I tried to increase the signature size in case of a timestamp being part of the signature.
Could you please try if this now works for you in case of timestamp + fullchain?
You can use the latest build from the dev branch: https://github.com/open-pdf-sign/open-pdf-sign/suites/10440287526/artifacts/516470579
Thanks, great! Can confirm this works now:
java -jar openpdfsign-0.1.2-dev.1+be37109c-jar-with-dependencies.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timestamp --tsa http://timestamp.digicert.com --timezone Europe/Vienna
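An added example, not code from this thread or from open-pdf-sign: the CMS signature is written into a fixed-size, zero-padded hex /Contents placeholder that is reserved before signing, which is why a full chain plus a timestamp token can overflow it. This Python script reports reserved versus used bytes for each signature in a signed PDF so the remaining headroom is visible. The sample bytes are constructed, and it assumes the hex string contains no whitespace.

```python
import re

# Signature dictionaries carry the CMS blob as a hex string: /Contents <3082...0000>
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]+)>")

def der_total_length(blob: bytes):
    """Header + body length of the outer DER SEQUENCE, or None if not definite-length."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(blob) < 2 + n:       # n == 0 means BER indefinite length
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_space(pdf: bytes):
    """Return reserved/used/free byte counts for every hex /Contents entry found."""
    results = []
    for match in CONTENTS_RE.finditer(pdf):
        hexstr = match.group(1)
        if len(hexstr) % 2:               # PDF rule: a missing final digit is read as 0
            hexstr += b"0"
        raw = bytes.fromhex(hexstr.decode("ascii"))
        used = der_total_length(raw)
        if used is None or used > len(raw):
            used = len(raw.rstrip(b"\x00"))   # fallback: strip the zero padding
        results.append({"reserved": len(raw), "used": used, "free": len(raw) - used})
    return results

def make_sample(cms_len: int, reserved: int) -> bytes:
    """Constructed stand-in for a signed PDF: fake CMS of cms_len bytes, zero-padded."""
    body = cms_len - 4
    cms = b"\x30\x82" + body.to_bytes(2, "big") + b"\xAA" * body
    padded = cms.ljust(reserved, b"\x00")
    return b"<< /Type /Sig /ByteRange [0 100 1126 50] /Contents <" + padded.hex().encode() + b"> >>"

if __name__ == "__main__":
    for info in signature_space(make_sample(300, 512)):
        pct = 100 * info["used"] // info["reserved"]
        print(f"reserved={info['reserved']} used={info['used']} free={info['free']} ({pct}% full)")
```

To check a real file, pass its bytes instead of the sample, for example `signature_space(open("test-signed.pdf", "rb").read())`.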