open-pdf-sign / open-pdf-sign

Digitally sign PDF files from your commandline

Home Page: https://openpdfsign.org

--timestamp does not work, Can't write signature, not enough space

gunnarhaslinger opened this issue · comments

Using open-pdf-sign with Let's Encrypt certificates works fine, but I would like to timestamp those (as the LE certs are only valid for 90 days, timestamping would be needed to keep the documents validly signed for a longer period).

So I tried this with several TSA-Servers like
http://timestamp.digicert.com/
http://timestamp.comodoca.com/
http://tsa.swisssign.net/

but without luck:

Exception in thread "main" eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize

>java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timestamp --tsa http://timestamp.digicert.com --timezone Europe/Vienna
Exception in thread "main" eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
        at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:422)
        at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.checkEncryptedAndSaveIncrementally(PdfBoxSignatureService.java:406)
        at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocumentAndReturnDigest(PdfBoxSignatureService.java:230)
        at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocument(PdfBoxSignatureService.java:166)
        at eu.europa.esig.dss.pdf.AbstractPDFSignatureService.sign(AbstractPDFSignatureService.java:294)
        at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:218)
        at org.openpdfsign.Signer.signPdf(Signer.java:163)
        at org.openpdfsign.CLIApplication.main(CLIApplication.java:126)
Caused by: java.io.IOException: Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
        at org.apache.pdfbox.pdfwriter.COSWriter.writeExternalSignature(COSWriter.java:845)
        at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:793)
        at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1199)
        at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:452)
        at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1435)
        at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1414)
        at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:420)
        ... 7 more

I used Wireshark to check whether the retrieval of the timestamp from the TSA server works: YES, request + response look valid in Wireshark.

commented

Hm, that's strange! Thanks for reporting!
The same certificate without the timestamp works? Would it work by using the "cert41.pem" instead of the "fullchain41" as the certificate?

Yes, without Timestamp/TSA it works:

java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timezone Europe/Vienna

But thanks for the hint ... using "cert" instead of "fullchain" now the timestamping works too:

java -jar open-pdf-sign.jar --input test.pdf --output test-signed.pdf --certificate cert41.pem --key privkey41.pem --page -1 --timezone Europe/Vienna --timestamp --tsa http://timestamp.digicert.com

So: This works, but now the Intermediate-Cert-Chain is not embedded.

So I guess the error message "Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize" tells the truth. -> There is not enough space to include both a timestamp and the chain; I can currently only include either the intermediate cert chain OR a timestamp.

commented

Thanks for the help!
I tried to increase the signature size in case of a timestamp being part of the signature.
Could you please try if this now works for you in case of timestamp + fullchain?

You can use the latest build from the dev branch: https://github.com/open-pdf-sign/open-pdf-sign/suites/10440287526/artifacts/516470579

Thanks, great! Can confirm this works now:

java -jar openpdfsign-0.1.2-dev.1+be37109c-jar-with-dependencies.jar --input test.pdf --output test-signed.pdf --certificate fullchain41.pem --key privkey41.pem --page -1 --timestamp --tsa http://timestamp.digicert.com --timezone Europe/Vienna
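
To see how close a signed file is to the reserved signature space discussed in this thread, the following added example (not part of the issue or of open-pdf-sign) reads each signature's /ByteRange from a signed PDF and compares the reserved /Contents size with the length of the DER-encoded CMS actually stored there. The function names are hypothetical and the sample input is constructed.

```python
import re
import sys

SIG_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_length(blob: bytes) -> int:
    """Length in bytes of the outermost DER SEQUENCE (header + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("signature does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_headroom(pdf: bytes):
    """Return [(reserved_bytes, used_bytes), ...], one tuple per signature."""
    results = []
    for m in SIG_RE.finditer(pdf):
        start, length, resume, _ = map(int, m.groups())
        # The bytes excluded from /ByteRange are the /Contents hex string.
        gap = pdf[start + length:resume]
        if not (gap.startswith(b"<") and gap.endswith(b">")):
            continue
        cms = bytes.fromhex(gap[1:-1].decode("ascii"))
        results.append((len(cms), der_total_length(cms)))
    return results

def build_sample(reserved: int, cms_len: int) -> bytes:
    """Constructed stand-in for a signed PDF (fake CMS, long-form DER length)."""
    body = cms_len - 4
    cms = b"\x30\x82" + body.to_bytes(2, "big") + b"\x00" * body
    contents = "<" + cms.hex() + "00" * (reserved - cms_len) + ">"
    head = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    tail = " /ByteRange [0 {:010d} {:010d} {:010d}] >>\nendobj\n%%EOF\n"
    end = len(head) + len(contents)
    tail = tail.format(len(head), end, len(tail.format(0, 0, 0)))
    return (head + contents + tail).encode("ascii")

if __name__ == "__main__":
    # Pass a signed PDF as the first argument, or fall back to the sample
    # (9472 bytes reserved, PDFBox's default signature size; 6000 used).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(9472, 6000)
    for reserved, used in signature_headroom(data):
        print(f"reserved={reserved} used={used} free={reserved - used}")
```

Running it on a file signed with `cert41.pem` plus `--timestamp` shows how many bytes remain for the intermediate certificates before the "not enough space" error would occur.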