Signature not intact after signing with Google Cloud KMS HSM #161

@jeanbaptistemora

Description

@jeanbaptistemora

Hello,

I'm using endesive==2.17.0.

Up until now, I have successfully been using the "simple" signing and certifying with a pkcs12 key+certs (ETSI 319 411-1 LCP = RGS * in France).

I had to upgrade to use an ETSI 319 411-2 QCP-l (RGS** in France) where the private key is on a Google Cloud KMS HSM, to obtain the AdES level with a trusted certificate chain.

The code in /examples/pdf-sign-cms-hsm-google.py is working well. I'm using exactly what's in there:

dct = {
    'sigflags': 3,
    'contact': '[email protected]',
    'location': 'England',
    'signingdate': date.encode(),
    'reason': 'Test',
}

Everything else is unchanged; I just added the digest_crc32c and signature_crc32c checks (as per https://github.com/GoogleCloudPlatform/python-docs-samples/blob/main/kms/snippets/sign_asymmetric.py, but the result is the same without them).
No complaints from anywhere on execution.

However, the final document seems to have a "broken" signature, and the DSS validation (https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation) shows a "SIG_CRYPTO_FAILURE" (https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/apidocs/eu/europa/esig/dss/enumerations/SubIndication.html#SIG_CRYPTO_FAILURE):

The signature validation process results into TOTAL-FAILED because the signature value in the signature could not be verified using the signer's public key in the signing certificate.

And Master PDF Editor (I'm on Linux, I have not been able to test on Adobe Reader yet) says:

The document has been altered or corrupted since the signatures was applied.

Here is an example you can use yourself on the DSS validation:
F-2024-02-15-M-4.pdf
F-2024-02-15-M-4_hsm_signed.pdf

I've read a lot of the code in cms/signer to try and understand what could be wrong but I have to admit I'm a little bit out of my depth here, regarding the internal structures of PDFs especially... 🥲

Has anyone been successful in this use case?
@Arbitrage0 maybe, since you wrote the Google HSM code?

Does anyone have any ideas of what could be the problem, or ideas of things to test further on my end?

I'm pretty much stuck 😞
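A SIG_CRYPTO_FAILURE from DSS means the signature value did not verify against the signer's public key; Master PDF Editor's "altered or corrupted" message points at the bytes under the signature. Both validators check the same two things first: that the /ByteRange covers the whole file except the /Contents placeholder, and that the hash of those bytes equals the messageDigest attribute inside the CMS SignedData. The script below is an added diagnostic, not code from endesive or from this issue; it uses only the standard library, handles the first signature in the file, and assumes the /ByteRange and /Contents entries are written as plain ASCII in the file (as endesive writes them), not inside an object stream. If `byterange_is_consistent` is false, the "altered" verdict is explained by bytes outside the signed range; if it is true but `covered_digest` differs from the messageDigest you can read out of `signature_der` with an ASN.1 dumper such as `openssl asn1parse -inform DER`, the wrong bytes were hashed; if both agree, the problem is in the signature value the HSM returned over the signed attributes.

```python
"""Diagnostic for a PDF whose validator reports SIG_CRYPTO_FAILURE or
"document altered": recompute the digest over the /ByteRange and check that
the ranges line up exactly around the /Contents placeholder.

Added example, standard library only. It looks at the first signature in the
file and assumes /ByteRange and /Contents are plain ASCII in the file body
(as endesive writes them); real PDFs can also carry them in object streams.
"""
import hashlib
import re

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
CONTENTS_RE = re.compile(rb"/Contents\s*<([0-9A-Fa-f]*)>")


def signed_ranges(pdf: bytes):
    """Return ((offset1, length1), (offset2, length2)) from the first /ByteRange."""
    m = BYTERANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry found")
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b), (c, d)


def covered_digest(pdf: bytes, algo: str = "sha256") -> str:
    """Hash exactly the bytes the signature is supposed to cover.

    This value must equal the messageDigest attribute in the CMS SignedData;
    if it does not, the signed bytes changed after hashing, or the hash was
    taken over a buffer whose offsets differ from the written file."""
    (a, b), (c, d) = signed_ranges(pdf)
    h = hashlib.new(algo)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.hexdigest()


def byterange_is_consistent(pdf: bytes) -> bool:
    """True when the two ranges cover the whole file except the /Contents
    hex string, '<' and '>' included, which is what validators expect."""
    (a, b), (c, d) = signed_ranges(pdf)
    m = CONTENTS_RE.search(pdf)
    if m is None:
        return False
    lt = m.start(1) - 1       # offset of '<'
    after_gt = m.end(1) + 1   # offset just past '>'
    return a == 0 and a + b == lt and c == after_gt and c + d == len(pdf)


def signature_der(pdf: bytes) -> bytes:
    """Extract the CMS SignedData from /Contents, trimmed to its declared DER
    length so the placeholder's zero padding is not fed to an ASN.1 parser."""
    m = CONTENTS_RE.search(pdf)
    if m is None:
        raise ValueError("no /Contents entry found")
    raw = bytes.fromhex(m.group(1).decode("ascii"))
    if not raw or raw[0] != 0x30:
        raise ValueError("/Contents does not start with a DER SEQUENCE")
    first = raw[1]
    if first < 0x80:                      # short-form length
        total = 2 + first
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        total = 2 + n + int.from_bytes(raw[2:2 + n], "big")
    if total > len(raw):
        raise ValueError("declared DER length exceeds /Contents")
    return raw[:total]


def make_sample_pdf(sig: bytes, slot: int = 32) -> bytes:
    """Constructed stand-in for a signed PDF: only the parts a validator reads.
    The signature dictionary and offsets are built here, not taken from a file."""
    hexsig = sig.hex().ljust(slot * 2, "0").encode("ascii")  # zero-padded like a real placeholder
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite\n/ByteRange ["
    fields = b"%010d %010d %010d %010d]\n/Contents "
    tail = b"\n>>\nendobj\n%%EOF\n"
    lt = len(head) + len(fields % (0, 0, 0, 0))   # fixed-width numbers keep offsets stable
    after_gt = lt + 1 + len(hexsig) + 1
    return head + fields % (0, lt, after_gt, len(tail)) + b"<" + hexsig + b">" + tail


def tamper(pdf: bytes) -> bytes:
    """Change one covered byte, as a tool rewriting the file after signing would."""
    return pdf.replace(b"%PDF-1.7", b"%PDF-1.4", 1)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pdf(b"\x30\x03\x02\x01\x05")
    print("ByteRange consistent:", byterange_is_consistent(data))
    print("SHA-256 over ByteRange:", covered_digest(data))
    print("CMS DER length:", len(signature_der(data)))
```

Run it as `python check_byterange.py F-2024-02-15-M-4_hsm_signed.pdf` to print the two facts a validator derives first; with no argument it runs on the constructed sample. Compare the printed digest with the messageDigest OCTET STRING inside the dumped CMS: agreement narrows the failure to the signature value (digest algorithm or key mismatch between what the CMS declares and what the KMS key signs), disagreement narrows it to the bytes that were hashed.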
