Sign PDF with custom CMS via SignedDataCreator (PKCS#11)

[nanowind]

Hello @gettalong,

Recently, i trying to sign a PDF with private key from Hardware Security Management (PKCS#11) and HexaPDF via SignedDataCreator, but i dont understand the quotes " # If the #key attribute is not set, the digest algorithm and the already digested data to be # signed is yielded and the block needs to return the signature. ". Could you please make an example for this.

I've tried to make one. It's successful to sign and return the PDF file, but I can't verify the signature. It's also successful to sign PKCS#11 and return the signature I expect, but I can't embed it into the PDF. signature form PKCS#11 sign function in my case has size equal to 128.
Here is my code:

require 'pkcs11'
require 'openssl'
require 'hexapdf'
require HexaPDF.data_dir + '/cert/demo_cert.rb'

class PdfSignaturesController < ApplicationController
  PKCS11_LIB_PATH = 'C:\\Windows\\System32\\viettel-ca_v6.dll'
  PREFIX = [
    0x30, 0x31, 0x30, 0x0d,
    0x06, 0x09, 0x60, 0x86,
    0x48, 0x01, 0x65, 0x03,
    0x04, 0x02, 0x01, 0x05,
    0x00, 0x04, 0x20
  ].pack('C*')

  def new

  end

  def create
    pdf_file = params[:pdf]
    token_pin = '12345678910'
    if pdf_file.nil? || token_pin.nil?
      flash[:error] = "Please upload a PDF and enter the token PIN."
      redirect_to new_pdf_signature_path
      return
    end
    begin
      signed_pdf_path = sign_pdf(pdf_file.path, token_pin)
      if File.exist?(signed_pdf_path)
       send_file signed_pdf_path, type: 'application/pdf', disposition: 'attachment', filename: "signed_#{pdf_file.original_filename}"
      else
       flash[:error] = "Signed PDF not created."
       redirect_to new_pdf_signature_path
      end

    end
  end

  def list_certificates
    #token_pin = params[:pin]
    token_pin = '12345678910'
    if token_pin.nil?
      flash[:error] = "Please enter the token PIN."
      return
    end
    begin
      @certificates = load_certificates_from_token(token_pin)
    end
  end
  private
  def load_certificates_from_token(token_pin)
    pkcs11 = PKCS11::Library.new
    pkcs11.load_library(PKCS11_LIB_PATH)
    pkcs11.C_GetFunctionList
   #pkcs11.C_Finalize
   pkcs11.C_Initialize
  rescue PKCS11::Error => e
  slots = pkcs11.slots
    certificates = []
    slots.each do |slot|
      token_info = slot.token_info rescue nil
      next if token_info.nil?
      session = nil
      begin
        session = slot.open(PKCS11::CKF_SERIAL_SESSION | PKCS11::CKF_RW_SESSION)
        session.login(PKCS11::CKU_USER, token_pin)
       rescue PKCS11::Error => e
        session.find_objects({ PKCS11::CKA_CLASS => PKCS11::CKO_CERTIFICATE }).each do |object|
          certificate_value = get_attribute_value(object, [PKCS11::CKA_VALUE])
          certificate = OpenSSL::X509::Certificate.new(certificate_value)
          certificates << {
            subject: certificate.subject.to_s,
            issuer: certificate.issuer.to_s,
            serial: certificate.serial.to_s,
            valid_from: certificate.not_before,
            valid_to: certificate.not_after
          }
        end
        session.logout
        session.close
      end
    end
    pkcs11.close
    certificates
  end
  def find_object(session, object_class,id)
    session.find_objects({ PKCS11::CKA_CLASS => object_class }).each do |obj|
      attrs = get_attribute_value(obj, [PKCS11::CKA_ID])
      return obj if attrs.first[:value] == id
    end
    nil
  end
 def get_attribute_value(object, attribute_type)
    attribute = object.C_GetAttributeValue(attribute_type).first
    attribute.value
  rescue PKCS11::Error => e
    puts "Failed to get attribute value: #{e.message}"
    raise
  end
  def ignore_exception
    begin
      yield
    rescue Exception
    end
 end

  def sign_pdf(pdf_path, token_pin)
    pkcs11 = PKCS11::Library.new
    pkcs11.load_library(PKCS11_LIB_PATH)
    pkcs11.C_GetFunctionList
    pkcs11.C_Initialize
    rescue PKCS11::Error => e
    slot = pkcs11.active_slots.first
    session = slot.open(PKCS11::CKF_SERIAL_SESSION | PKCS11::CKF_RW_SESSION)
    session.login(PKCS11::CKU_USER, token_pin) #bật tắt

      certificates= nil
      cert_x509 = []
      user_certificate = nil
      ca_certificates = []
      certificates = session.find_objects({ PKCS11::CKA_CLASS => PKCS11::CKO_CERTIFICATE })

      # Lọc các chứng chỉ hợp lệ / Filter the valid certificate
      valid_certificates = certificates.select do |cert|
        cert_der = get_attribute_value(cert, [PKCS11::CKA_VALUE])
        cert_x509 = OpenSSL::X509::Certificate.new(cert_der)
        if cert_x509.subject == cert_x509.issuer
          ca_certificates << cert_x509
        else
          user_certificate = cert_x509
        end
        cert_x509.not_after > Time.now
      end
      certificate_chain = [user_certificate] + ca_certificates
      certificate = cert_x509 #the valide one

      # Kiểm tra nếu không có chứng chỉ hợp lệ / check empty certificate on token
      if valid_certificates.empty?
        raise "No valid certificates found on the token"
      end

      valid_certificate = valid_certificates.first
      id = get_attribute_value(valid_certificate, [PKCS11::CKA_ID]) #take ID for private_key

      # Lấy khóa riêng (private key) tương ứng với chứng chỉ hợp lệ / find and take PKCS11 Private Key
      # private_key = find_objects(session, PKCS11::CKO_PRIVATE_KEY, id)
      private_key = nil
      key = session.find_objects({ PKCS11::CKA_CLASS => PKCS11::CKO_PRIVATE_KEY }).each do |key|
      key_id = get_attribute_value(key, [PKCS11::CKA_ID])

      if key_id == id
        private_key = key
      end
    end

#Create temp for extract Data, prevent duplicate use temp_pdf
    temp_pdf_path = pdf_path.sub('.pdf', '_temp.pdf')
    signed_pdf_path = pdf_path.sub('.pdf', '_signed.pdf')
    pdf_temp = HexaPDF::Document.open(pdf_path) #gọi pdf_temp để lấy dữ liệu bỏ vào data trước, tránh ký 2 lần


 # Prepare the document for embedding of the digital signature, not oke
    data = nil # Used for storing the to-be-signed data
    signing_mechanism = lambda do |io, byte_range|
      io.pos = byte_range[0]
      data = io.read(byte_range[1])
      io.pos = byte_range[2]
      data << io.read(byte_range[3])
      ""
    end
    pdf_temp.sign(temp_pdf_path, signature_size: 10_000, external_signing: signing_mechanism)



    begin
      rsa_key = PKCS11RSAPrivateKey.new(session, private_key)
    rescue => e
      puts "Error creating PKCS11RSAPrivateKey: #{e.message}"
      puts e.backtrace
    end

    signing_mechanism = lambda do |digest_method, data|
    rsa_key.sign_raw(digest, data)
    end
    byebug
    pdf = HexaPDF::Document.open(pdf_path) #
    pdf.sign(signed_pdf_path, external_signing: signing_mechanism,
                          certificate: cert_x509,
                          certificate_chain: certificate_chain)
  session.logout
  session.close
  return signed_pdf_path
  raise "No valid private key found on the token"
end


  class PKCS11RSAPrivateKey
  def initialize(session, key)
    @session = session
    @key = key
  end
   def private?
    true
  end

  def public?
    false
  end
  def sign(digest, data)
    sign_raw(data, digest)
  end
  def sign_raw(digest_name, data)
    mechanism = digest_name
    hash = OpenSSL::Digest::SHA256.new
    md = hash.digest(data)
    buf =  buf = PREFIX + md
    @session.sign(:SHA256_RSA_PKCS, @key, buf )
  end
  def export
    raise NotImplementedError, "PKCS#11 keys cannot be exported"
  end
  def to_der
    raise NotImplementedError, "PKCS#11 keys cannot be exported"
  end

  def to_pem
    raise NotImplementedError, "PKCS#11 keys cannot be exported"
  end

  def public_key
    raise NotImplementedError, "PKCS#11 keys cannot be exported"
  end
  def digest_algorithm
    'SHA256'
  end
  def encryption_algorithm
    'RSA'
  end
end
end

[gettalong]

It does exactly what it says: If the certificate key is not provider, HexaPDF can't sign the digest. Therefore it yields the digest algorithm that is used by the signed data creator and the hash that should be signed. The responsible of the caller is that it returns the signed hash. A simple implementation where key is an OpenSSL private key would be this:

external_signing = lambda do |digest_algorithm, hash|
  key.sign_raw(digest_algorithm, hash)
end

From what I see from your code you are already doing this with PKCS11RSAPrivateKey. One thing I don't understand in your code is the creation of the pdf_temp part. This is not necessary as it would mean that you are signing the PDF twice.

Could you provide an original PDF and the signed version for inspection?

[nanowind]

Thank you for your reply,

For the "pdf_temp" part, i created this in order to extract the data (which already caculated the byte range) and use it for later, and not touch the original pdf file, otherwise it will sign the original file twice. You are right, it is not necessary. This is because i wanted to create a custom OpenSSL::PKCS#7 and embed it to the original pdf (using "HexaPDF::DigitalSignature::Signing.embed_signature")

• This is my original PDF: byte_range_demo.pdf
• And the signed one with my app code i mentioned before, which is fail to verify: byte_range_demo_signed(fail).pdf

I used byebug track to this code in Signature.rb
signature[:Contents] = handler.sign(io, signature[:ByteRange].value) (line 166)
which i think it would call for function #sign in DefaultHandler.rb

def sign(io, byte_range)
          if certificate
            io.pos = byte_range[0]
            data = io.read(byte_range[1])
            io.pos = byte_range[2]
            data << io.read(byte_range[3])
            SignedDataCreator.create(data,
                                     type: signature_type,
                                     certificate: certificate, key: key,
                                     digest_algorithm: digest_algorithm,
                                     timestamp_handler: timestamp_handler,
                                     certificates: certificate_chain, &external_signing).to_der
          else
            external_signing.call(io, byte_range)
          end
        end

So in my case the function #sign will use external_signing.call(io, byte_range) right?

[nanowind]

From your reply

Therefore it yields the digest algorithm that is used by the signed data creator and the hash that should be signed

I just found the bug, PKCS#11 will digest the hash again, so i need to use the mechanism (::RSA_PKCS) that wont do the digest for signing and prefix the hash before signning.

My signed is valid now.

Thank you