External signing with Google Cloud KMS #926

Unanswered
arashnikoo asked this question in Q&A

I am working on a PoC to use ExternalSignature with Google Cloud KMS Asymmetric signing. My efforts have ended up creating corrupt signatures. Does anyone have any idea how to resolve this issue?

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

import com.google.cloud.kms.v1.AsymmetricSignResponse;
import com.google.cloud.kms.v1.Digest;
import com.google.cloud.kms.v1.KeyManagementServiceClient;
import com.google.cloud.kms.v1.KeyManagementServiceSettings;
import com.google.protobuf.ByteString;

// Assumed to hold the full resource name of the CryptoKeyVersion to sign with:
// projects/.../locations/.../keyRings/.../cryptoKeys/.../cryptoKeyVersions/...
private final String keyId;

@Override
public byte[] sign(byte[] message) throws GeneralSecurityException {
    try {
        // Debug only: print the bytes handed in for signing
        String encoded = Base64.getEncoder().encodeToString(message);
        System.out.println(encoded);

        // KMS asymmetricSign expects the digest, so hash the message locally with SHA-256
        MessageDigest sha256Digest = MessageDigest.getInstance("SHA-256");
        byte[] hashedMessage = sha256Digest.digest(message);
        Digest digest = Digest.newBuilder()
                .setSha256(ByteString.copyFrom(hashedMessage))
                .build();

        // Empty settings: the client picks up Application Default Credentials
        KeyManagementServiceSettings settings = KeyManagementServiceSettings.newBuilder().build();
        try (KeyManagementServiceClient client = KeyManagementServiceClient.create(settings)) {
            AsymmetricSignResponse response = client.asymmetricSign(keyId, digest);
            return response.getSignature().toByteArray();
        }
    } catch (Exception e) {
        throw new GeneralSecurityException("Error while signing PDF", e);
    }
}
```

My signature has the following error:

[screenshot of the signature validation error]


Replies: 6 comments


More info about the signature:
[screenshot of the signature details]


Can you share an example PDF signed by your poc for analysis?

That being said, you talk about ExternalSignature - that sounds like an interface from OpenPDF5, not OpenPDF...


Thanks, @mkl-public. Here is the signed file: signed-document-1.pdf


There are two certificates embedded:

  • Subject: CN=Bob's key,O=Dealer A,L=Agoura Hills,ST=California,C=US
    Issuer: C=US,ST=California,L=Agoura Hills,O=Vitu,OU=IT,CN=Vitu Trust
    Serial: 2579306353
  • Subject: C=US,ST=California,L=Agoura Hills,O=Vitu,OU=IT,CN=Vitu Trust
    Issuer: C=US,ST=California,L=Agoura Hills,O=Vitu,OU=IT,CN=Vitu Trust
    Serial: 1689184570

The claimed signer certificate is the first one but validation succeeds with the second one.

Thus, you appear to call KMS for the wrong private key, the wrong keyId.

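Given the diagnosis above (the claimed signer certificate is Bob's, but the signature verifies with the CA certificate's key), a pre-flight check that catches this before any PDF is produced, as an added example that is not from the discussion or from OpenPDF: it fetches the public key of the configured CryptoKeyVersion with the KMS client's getPublicKey and reports which certificate in the chain, if any, that key belongs to. The class and method names are hypothetical, and the chain is assumed to be ordered with the signer certificate first, as passed to the PDF signing code.

```java
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import com.google.cloud.kms.v1.KeyManagementServiceClient;

/** Hypothetical pre-flight check (not part of OpenPDF): confirm the KMS key version
 *  actually belongs to the certificate that will be embedded as the signer certificate. */
public final class KmsKeyMatchCheck {

    /** Fetches the public key of the CryptoKeyVersion from KMS as a java.security.PublicKey.
     *  algorithm is "RSA" or "EC", taken from the certificate's key so the KeyFactory matches. */
    public static PublicKey fetchKmsPublicKey(KeyManagementServiceClient client,
                                              String cryptoKeyVersionName,
                                              String algorithm) throws Exception {
        // GetPublicKey returns the key PEM-encoded as a SubjectPublicKeyInfo
        String pem = client.getPublicKey(cryptoKeyVersionName).getPem();
        String base64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(der));
    }

    /** Index of the chain certificate whose SubjectPublicKeyInfo equals the KMS key, or -1. */
    public static int indexOfMatchingCert(PublicKey kmsKey, X509Certificate[] chain) {
        byte[] kmsSpki = kmsKey.getEncoded();
        for (int i = 0; i < chain.length; i++) {
            if (Arrays.equals(kmsSpki, chain[i].getPublicKey().getEncoded())) {
                return i;
            }
        }
        return -1;
    }

    /** Throws unless chain[0] (the claimed signer) is the certificate the KMS key belongs to. */
    public static void requireSignerKey(KeyManagementServiceClient client,
                                        String cryptoKeyVersionName,
                                        X509Certificate[] chain) throws Exception {
        PublicKey kmsKey = fetchKmsPublicKey(client, cryptoKeyVersionName,
                chain[0].getPublicKey().getAlgorithm());
        int match = indexOfMatchingCert(kmsKey, chain);
        if (match != 0) {
            throw new IllegalStateException(match < 0
                    ? "KMS key matches no certificate in the chain"
                    : "KMS key belongs to chain[" + match + "] (" + chain[match].getSubjectX500Principal()
                      + "), not to the signer certificate chain[0]");
        }
    }
}
```

In the situation described in this thread the check would report that the key belongs to chain[1], the Vitu Trust CA certificate, which is exactly the wrong-keyId symptom seen in the validator.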

Hi @arashnikoo, any feedback if the problem is still unsolved?


I haven't had time to test that again. I'll try again and report it here.
