signserver-develop

Re: [SignServer-develop] Meaning of "pk" suffix in SVN tags

[Markus K. <mar...@pr...>]

On 03/29/2018 05:15 PM, Jaime Hablutzel wrote:
> What means the "pk1", "pk2", etc, suffix in SVN tags under this
> URL, https://svn.cesecore.eu/svn/signserver/tags/?. 
> 
> Is it something like RC (release candidate)?.

Hi Jaime,

Yes, the "-pkX" releases are not official releases. They could be alpha,
beta or release candidates. Note that the final release is without the
"-pkX" suffix.


Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

[SignServer-develop] Meaning of "pk" suffix in SVN tags

[Jaime H. <hab...@gm...>]

What means the "pk1", "pk2", etc, suffix in SVN tags under this URL,
https://svn.cesecore.eu/svn/signserver/tags/?.

Is it something like RC (release candidate)?.

Thanks.


-- 
Jaime Hablutzel -  RPC 994690880

Re: [SignServer-develop] Running multiple worker of the same kind(like pdfsigner)

[Raj M. <raj...@gm...>]

Markus

Thanks for the response

My requirement is that I would like to use different keys and certificates
by using multiple workers each configured to use a specific
key/certificate. How can I accomplish it?

I have looked into the documentation but not able to figure out the exact
steps. Would appreciate if you can send a few examples/samples

Thanks
Raj..

On Sun, Jan 21, 2018 at 12:52 AM, Markus Kilås <mar...@pr...>
wrote:

> On 21 January 2018 01:41:53 CET, Raj Murtinty <raj...@gm...>
> wrote:
>>
>> Hello
>>
>> Is it possible for run multiple workers of the same kind on signserver,
>> like multiple instances of pdfsigner , each with its own configuration and
>> with a unique worker id.
>>
>> Thanks
>> Raj..
>>
>
> Hi Raj,
>
> Yes it is a common use case. Just use different worker name and id.
>
> Cheers,
> Markus
> --
> Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
>

Re: [SignServer-develop] Running multiple worker of the same kind(like pdfsigner)

[Markus K. <mar...@pr...>]

On 21 January 2018 01:41:53 CET, Raj Murtinty <raj...@gm...> wrote:
>Hello
>
>Is it possible for run multiple workers of the same kind on signserver,
>like multiple instances of pdfsigner , each with its own configuration
>and
>with a unique worker id.
>
>Thanks
>Raj..

Hi Raj,

Yes it is a common use case. Just use different worker name and id.

Cheers,
Markus
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

[SignServer-develop] Running multiple worker of the same kind(like pdfsigner)

[Raj M. <raj...@gm...>]

Hello

Is it possible for run multiple workers of the same kind on signserver,
like multiple instances of pdfsigner , each with its own configuration and
with a unique worker id.

Thanks
Raj..

Re: [SignServer-develop] End Process/Cancel signing function

[Jennifer K. <je...@ne...>]

Hi Markus,

If a user wants to cancel the signing process either due to a mistake (like wrong file or wrong process) or when the files are large and it takes time to do the signing process and the user decides to end it, it would be nice to have an "End the Process" option. Mostly due to issues that might occur during the signing of large files.


Also, how do I do a file check to find out if the file is already digitally signed without having to look at the watermark or validating the signature. Is there a marker I can look for in the metadata of the file?


Thank you,

Jennifer

________________________________
From: Markus Kilås <mar...@pr...>
Sent: Tuesday, January 9, 2018 5:42:30 AM
To: sig...@li...
Subject: Re: [SignServer-develop] End Process/Cancel signing function

On 12/26/2017 11:18 AM, Jennifer Kalidoss wrote:
> Hi,
>
>
> I'm looking for information on a function to end/cancel the signing
> process while its being carried out. I'm looking for commands or
> function that I can integrate with a custom user interface.
>
>
> If there is one, please direct me to one.
>
>
> Thank you,
>
> Jenn
>

Hi Jenn,

I am not aware of a way to cancel the signing process after that it has
started. When a worker in SignServer has received the request and any
Authorizer and Accounter (if used) allows the worker will proceed to
perform the signing operation and after that return the results.

What would be the reason you want to be able to cancel the signing?


Cheers,
Markus

PrimeKey Solutions

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
SignServer-develop mailing list
Sig...@li...
https://lists.sourceforge.net/lists/listinfo/signserver-develop

Re: [SignServer-develop] End Process/Cancel signing function

[Markus K. <mar...@pr...>]

On 12/26/2017 11:18 AM, Jennifer Kalidoss wrote:
> Hi,
> 
> 
> I'm looking for information on a function to end/cancel the signing
> process while its being carried out. I'm looking for commands or
> function that I can integrate with a custom user interface. 
> 
> 
> If there is one, please direct me to one.
> 
> 
> Thank you,
> 
> Jenn
> 

Hi Jenn,

I am not aware of a way to cancel the signing process after that it has
started. When a worker in SignServer has received the request and any
Authorizer and Accounter (if used) allows the worker will proceed to
perform the signing operation and after that return the results.

What would be the reason you want to be able to cancel the signing?


Cheers,
Markus

PrimeKey Solutions

[SignServer-develop] End Process/Cancel signing function

[Jennifer K. <je...@ne...>]

Hi,


I'm looking for information on a function to end/cancel the signing process while its being carried out. I'm looking for commands or function that I can integrate with a custom user interface.


If there is one, please direct me to one.


Thank you,

Jenn

Re: [SignServer-develop] https://www.dropbox.com/s/j26utpb9adsjwgr/Neutrno_demo_10_27.mov?dl=0

[Jaime H. E. <hab...@gm...>]

Isn't the WS call to adm:addAuthorizedClient equivalent to the CLI command
"signserver addauthorizedclient"?.

Anyway, you could be missing to add the CA that issued your client
certificate to JBoss truststore.jks, see
https://www.signserver.org/doc/current/manual/installguide.html#JBoss_7EAP_6_SSL_configuration

Sent from Android.

On Nov 7, 2017 1:13 AM, "Raj Murtinty" <raj...@gm...> wrote:

Hi,

I'm trying to test the web services call using SOAPui to the sign server
and I've come across the following error:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://adminws.signserver.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <adm:addAuthorizedClient>
         <workerId>1</workerId>
         <!--Optional:-->
         <authClient>
            <!--Optional:-->
            <certSN>client certSN</certSN>      (In yellow are client
certificate credentials)
            <!--Optional:-->
            <issuerDN>C=.., O=...., CN=....</issuerDN>
         </authClient>
      </adm:addAuthorizedClient>
   </soapenv:Body>
</soapenv:Envelope>


Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>Administrator not authorized to resource. Client
certificate authentication required.</faultstring>
         <detail>
            <ns1:AdminNotAuthorizedException xmlns:ns1="http://adminws.
signserver.org/"/>
         </detail>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I also have myClient certificate in the SSL settings in SOAPui.


Also I have added myClient.pem to the signserver using the signserver
addauthorizedclient
command

I'd like to know, which credentials need to be given and are there
additional information to be added in the soap body apart from the above
parameters.

Thanks
Raj..



------------------------------------------------------------
------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
SignServer-develop mailing list
Sig...@li...
https://lists.sourceforge.net/lists/listinfo/signserver-develop

Re: [SignServer-develop] Client certificate authentication required - AdminWS

[Markus K. <mar...@pr...>]

On 11/08/2017 02:50 PM, Raj Murtinty wrote:
> Markus 
>
> I am looking for the steps to integrate the signserver(for example
> test the PDFsigner demo) with my application using the API interface. 
> My application is a PHP based. As far as I understood there are 3 ways
> you can make the calls. 
>
> a) Client Web Service(WSDL)
> b) Java Client API 
> c) Web Server Interface

Yes, + there is also the Client Command Line Interface, "signclient".

>
> I want to use the Client Web service (WSDL interface) and make
> appropriate API calls to be able to accomplish the pdf signing task.
Ok.

> I am able to see the WSDL file located at the following
> address http://<hostname>:8080/signserver/ClientWSService/ClientWS?wsdl 
> When I am invoking the API as listed by the WSDL file, I am getting
> the user authentication error. I am using port 8080 and not port
> 8442/8443 for the experiment.

What error is it exactly that you get?
What AUTHTYPE have you configured the worker with?
With AUTHTYPE=NOAUTH, you should not get any error. But if you don't
have an AUTHTYPE property or if you have chosen to use client
certificate authentication, then you need to use port 8443.
Also check the server.log for the exact error message.

>
> Also does signserver support REST interface ?

Currently no. The closes we have is the HTTP/web server interface where
a signing request can be sent using a simple HTTP POST.

We will eventually add a REST interface. If you have any suggestion for
how it should look like we are happy for any contributions or design ideas.

Cheers,
Markus
PrimeKey Solutions

Re: [SignServer-develop] Client certificate authentication required - AdminWS

[Raj M. <raj...@gm...>]

Markus

I am looking for the steps to integrate the signserver(for example test the
PDFsigner demo) with my application using the API interface.
My application is a PHP based. As far as I understood there are 3 ways you
can make the calls.

a) Client Web Service(WSDL)
b) Java Client API
c) Web Server Interface

I want to use the Client Web service (WSDL interface) and make appropriate
API calls to be able to accomplish the pdf signing task.
I am able to see the WSDL file located at the following address http://
<hostname>:8080/signserver/ClientWSService/ClientWS?wsdl
When I am invoking the API as listed by the WSDL file, I am getting the
user authentication error. I am using port 8080 and not port 8442/8443 for
the experiment.

Also does signserver support REST interface ?


Thanks
Raj..

On Tue, Nov 7, 2017 at 12:17 AM, Markus Kilås <mar...@pr...>
wrote:

> On 11/07/2017 07:13 AM, Raj Murtinty wrote:
>
> Hi,
>
> Hi Raj,
>
> (I removed the dropbox URL from the subject as it was not mentioned in the
> mail body what it was about and thus looked like spam)
>
> I'm trying to test the web services call using SOAPui to the sign server
> and I've come across the following error:
>
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:adm="http://adminws.signserver.org/">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <adm:addAuthorizedClient>
>          <workerId>1</workerId>
>          <!--Optional:-->
>          <authClient>
>             <!--Optional:-->
>             <certSN>client certSN</certSN>      (In yellow are client
> certificate credentials)
>             <!--Optional:-->
>             <issuerDN>C=.., O=...., CN=....</issuerDN>
>          </authClient>
>       </adm:addAuthorizedClient>
>    </soapenv:Body>
> </soapenv:Envelope>
>
>
> Response:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>       <soap:Fault>
>          <faultcode>soap:Server</faultcode>
>          <faultstring>Administrator not authorized to resource. Client
> certificate authentication required.</faultstring>
>          <detail>
>             <ns1:AdminNotAuthorizedException xmlns:ns1="http://adminws.
> signserver.org/"/>
>          </detail>
>       </soap:Fault>
>    </soap:Body>
> </soap:Envelope>
>
> I also have myClient certificate in the SSL settings in SOAPui.
>
> Also I have added myClient.pem to the signserver using the signserver addauthorizedclient
> command
>
> I'd like to know, which credentials need to be given and are there
> additional information to be added in the soap body apart from the above
> parameters.
>
>
> Are you using an endpoint URL with a port that requires client-certificate
> authentication?
> In our installation guide that would be port 8443. Please make sure you
> invoke port 8443 and that the WSDL that you get from the server contains an
> endpoint URL with 8443.
>
> Thanks
> Raj..
>
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.com for more information.
> https://www.primekey.com/products/software/
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>
>

Re: [SignServer-develop] Client certificate authentication required - AdminWS

[Markus K. <mar...@pr...>]

On 11/07/2017 07:13 AM, Raj Murtinty wrote:
>
> Hi,
>
Hi Raj,

(I removed the dropbox URL from the subject as it was not mentioned in
the mail body what it was about and thus looked like spam)

> I'm trying to test the web services call using SOAPui to the sign
> server and I've come across the following error:
>
>
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:adm="http://adminws.signserver.org/">
>    <soapenv:Header/>
>    <soapenv:Body>
>       <adm:addAuthorizedClient>
>          <workerId>1</workerId>
>          <!--Optional:-->
>          <authClient>
>             <!--Optional:-->
>             <certSN>client certSN</certSN>      (In yellow are client
> certificate credentials)
>             <!--Optional:-->
>             <issuerDN>C=.., O=...., CN=....</issuerDN>
>          </authClient>
>       </adm:addAuthorizedClient>
>    </soapenv:Body>
> </soapenv:Envelope>
>
>
> Response:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>       <soap:Fault>
>          <faultcode>soap:Server</faultcode>
>          <faultstring>Administrator not authorized to resource. Client
> certificate authentication required.</faultstring>
>          <detail>
>             <ns1:AdminNotAuthorizedException
> xmlns:ns1="http://adminws.signserver.org/"/>
>          </detail>
>       </soap:Fault>
>    </soap:Body>
> </soap:Envelope>
>
> I also have myClient certificate in the SSL settings in SOAPui.
>
> Also I have added myClient.pem to the signserver using the
> signserver addauthorizedclient  command
>
> I'd like to know, which credentials need to be given and are there
> additional information to be added in the soap body apart from the
> above parameters.
>

Are you using an endpoint URL with a port that requires
client-certificate authentication?
In our installation guide that would be port 8443. Please make sure you
invoke port 8443 and that the WSDL that you get from the server contains
an endpoint URL with 8443.

> Thanks
> Raj..

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

[SignServer-develop] https://www.dropbox.com/s/j26utpb9adsjwgr/Neutrno_demo_10_27.mov?dl=0

[Raj M. <raj...@gm...>]

Hi,

I'm trying to test the web services call using SOAPui to the sign server
and I've come across the following error:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:adm="http://adminws.signserver.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <adm:addAuthorizedClient>
         <workerId>1</workerId>
         <!--Optional:-->
         <authClient>
            <!--Optional:-->
            <certSN>client certSN</certSN>      (In yellow are client
certificate credentials)
            <!--Optional:-->
            <issuerDN>C=.., O=...., CN=....</issuerDN>
         </authClient>
      </adm:addAuthorizedClient>
   </soapenv:Body>
</soapenv:Envelope>


Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>Administrator not authorized to resource. Client
certificate authentication required.</faultstring>
         <detail>
            <ns1:AdminNotAuthorizedException xmlns:ns1="
http://adminws.signserver.org/"/>
         </detail>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I also have myClient certificate in the SSL settings in SOAPui.


Also I have added myClient.pem to the signserver using the
signserver addauthorizedclient  command

I'd like to know, which credentials need to be given and are there
additional information to be added in the soap body apart from the above
parameters.

Thanks
Raj..

Re: [SignServer-develop] GUI program equivalent to the CLI based signclient

[Markus K. <mar...@pr...>]

On 10/29/2017 01:09 AM, Jaime Hablutzel Egoavil wrote:
> Is there an official or any known unofficial GUI equivalent to CLI based
> signclient?, for example, to perform batch CMS signature from one folder
> to another?. 
> 
> I know that the CLI based signclient could be good enough, but some end
> users just don't feel comfortable with the CLI.
> 
Hi Jaime,

Not that I am aware of.

Shouldn't be too hard to create something like that though. Are you
thinking of like a desktop application and not a web GUI?

Just a crazy idea that I think was explored at some point was to have a
service that would be triggered when a file is put into a specific
folder. It would then invoke SignClient and write the output to the
other folder. That way the user could use their file browser/explorer to
copy or drag-n-drop the files to be signed.


Cheers,
Markus
PrimeKey Solutions


Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

[SignServer-develop] GUI program equivalent to the CLI based signclient

[Jaime H. E. <hab...@gm...>]

Is there an official or any known unofficial GUI equivalent to CLI based
signclient?, for example, to perform batch CMS signature from one folder to
another?.

I know that the CLI based signclient could be good enough, but some end
users just don't feel comfortable with the CLI.

-- 
Jaime Hablutzel -  RPC 994690880

Re: [SignServer-develop] PDF Signer Sample Demo

[Markus K. <mar...@pr...>]

On 10/17/2017 12:56 AM, Raj Murtinty wrote:
> Hello
> 
> I am trying the sample PDF Signer demo and getting the following error
> 
> HTTP Status 503 - Service Temporally Unavailable
> 
> The server is currently unable to handle the request:
> *org.signserver.common.CryptoTokenOfflineException: Error trying to
> autoactivating the keystore, wrong password set? IOException PKCS12 key
> store mac invalid - wrong password or corrupted file.*
> 
> *I am using the PKCS12 option and have the following configuration*
> 
> # Sample configuration of a keystore crypto worker.
> 
> #
> 
> 
> # Type of worker
> 
> WORKERGENID1.TYPE=CRYPTO_WORKER
> 
> 
> # This worker will not perform any operations on its own and indicates
> this by
> 
> # using the worker type CryptoWorker
> 
> WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker
> 
> 
> # Uses a soft keystore:
> 
> WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
> 
> 
> # Name for other workers to reference this worker:
> 
> WORKERGENID1.NAME <http://WORKERGENID1.NAME>=CryptoTokenP12
> 
> 
> # Type of keystore
> 
> # PKCS12 and JKS for file-based keystores
> 
> # INTERNAL to use a keystore stored in the database (tied to the crypto
> worker)
> 
> WORKERGENID1.KEYSTORETYPE=PKCS12
> 
> #WORKERGENID1.KEYSTORETYPE=JKS
> 
> #WORKERGENID1.KEYSTORETYPE=INTERNAL
> 
> 
> # Path to the keystore file (only used for PKCS12 and JKS)
> 
> WORKERGENID1.KEYSTOREPATH=/home/ubuntu/signserver/signserver-ce-4.0.0/res/test/dss10/dss10_keystore.p12
> 
> 
> # Optional password of the keystore. If specified the token is
> "auto-activated".
> 
> #WORKERGENID1.KEYSTOREPASSWORD=foo123
> 
> 
> # Optional key to test activation with. If not specified the first key
> found is
> 
> # used.
> 
> #WORKERGENID1.DEFAULTKEY=testKey
> 
> 
> Thanks
> 
> Raj..
> 

Hello Raj,

If you did not set the KEYSTOREPASSWORD property you will need to
activate the worker and then provide the password "foo123". Also in case
you missed it you need to do a reload after any change:
$ bin/signserver reload WORKERID
$ bin/signserver activatecryptotoken WORKERID

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

[SignServer-develop] PDF Signer Sample Demo

[Raj M. <raj...@gm...>]

Hello

I am trying the sample PDF Signer demo and getting the following error

HTTP Status 503 - Service Temporally Unavailable

The server is currently unable to handle the request:
*org.signserver.common.CryptoTokenOfflineException: Error trying to
autoactivating the keystore, wrong password set? IOException PKCS12 key
store mac invalid - wrong password or corrupted file.*
*I am using the PKCS12 option and have the following configuration*

# Sample configuration of a keystore crypto worker.

#


# Type of worker

WORKERGENID1.TYPE=CRYPTO_WORKER


# This worker will not perform any operations on its own and indicates this
by

# using the worker type CryptoWorker

WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.server.signers.CryptoWorker


# Uses a soft keystore:

WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=
org.signserver.server.cryptotokens.KeystoreCryptoToken


# Name for other workers to reference this worker:

WORKERGENID1.NAME=CryptoTokenP12


# Type of keystore

# PKCS12 and JKS for file-based keystores

# INTERNAL to use a keystore stored in the database (tied to the crypto
worker)

WORKERGENID1.KEYSTORETYPE=PKCS12

#WORKERGENID1.KEYSTORETYPE=JKS

#WORKERGENID1.KEYSTORETYPE=INTERNAL


# Path to the keystore file (only used for PKCS12 and JKS)

WORKERGENID1.KEYSTOREPATH=
/home/ubuntu/signserver/signserver-ce-4.0.0/res/test/dss10/dss10_keystore.p12


# Optional password of the keystore. If specified the token is
"auto-activated".

#WORKERGENID1.KEYSTOREPASSWORD=foo123


# Optional key to test activation with. If not specified the first key
found is

# used.

#WORKERGENID1.DEFAULTKEY=testKey


Thanks

Raj..

Re: [SignServer-develop] Trying change Common Name (CN, l, C . . . ) in certificate PDFSigner

[Markus K. <mar...@pr...>]

On 08/23/2017 10:37 PM, iva...@ip... wrote:
> Hello.
> 
> I'm trying to change Common Name (CN, l, C . . . )  in certificate
> PDFSigner on my PDFSigner worker. 
> 
> When I create a certificate, I specify my own fields (CN, l, C . . . ) .
> 
> But then, when I restart the worker, I get the next error:
> 
> Status of CryptoWorker with id 1 (CryptoTokenP12) is:
>    Worker status : Active
>    Token status  : Active
> 
> Status of Signer with id 2 (PDFSigner) is:
>    Worker status : Offline
>    Token status  : Active
>    Signings      : 0
> 
>    Errors: 
>       - Certificate does not match key
> 
> 
> I use my own keystore.p12. 
> 
> Who has any ideas on how to do this? Maybe I'm doing something
> wrong? And is it possible at all?
> 
> Sorry for my English. 
> 
> Thank you in advance,
> Ivan Pashchuk
> 

Hi Ivan,

The error means that the certificate configured in the PDFSigner are not
for the private key in the keystore.

If you have made changes in the keystore outside of SignServer or
changed something in CryptoTokenP12 you might have to reload the workers:
bin/signserver reload 1
bin/signserver reload 2

Also check that you have the right certificate configured in the PDF
Signer. If you replaced the keystore or created a new key the
certificate you have in the PDF signer will not match that. In that case
you can remove the certificate and certificate chain properties. If you
key store already has the right certificates you are done then otherwise
you will have to also install the new certificate that matches the key.

It could also be that you used a CSR that was not for that key when
requesting the new certificates.


Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

[SignServer-develop] Trying change Common Name (CN, l, C . . . ) in certificate PDFSigner

[<iva...@ip...>]

Hello.

I'm trying to change Common Name (CN, l, C . . . )  in certificate PDFSigner on my PDFSigner worker. 

When I create a certificate, I specify my own fields (CN, l, C . . . ) .

But then, when I restart the worker, I get the next error:

Status of CryptoWorker with id 1 (CryptoTokenP12) is:
   Worker status : Active
   Token status  : Active

Status of Signer with id 2 (PDFSigner) is:
   Worker status : Offline
   Token status  : Active
   Signings      : 0

   Errors: 
      - Certificate does not match key


I use my own keystore.p12. 


Who has any ideas on how to do this? Maybe I'm doing something wrong? And is it possible at all?

Sorry for my English. 

Thank you in advance,
Ivan Pashchuk

[SignServer-develop] SignServer produces corrupted PDF signature

[<iva...@ip...>]

Hello.  

I am trying to sign PDF remote using a C# client application to connect to SigServer's WebAPI. I managed to receive a valid PDF document from SignServer, but the signature field is corrupt:
Error during signature verification. 
Signature contents incorrect, unrecognized, corrupted or suspicious data. 
Support information: SignDict /Contents illegal data. 

However, when I try to sign same PDF using PDF Signer demo the resulting PDF document and it’s signature look good. 

Could you pls provide any hints as to what I’m doing wrong? My C# client application code is provided below. 

We do use a custom signature image specified in SS config as base64 param. As mentioned, it works properly when signed via browser (the custom signature image is shown in PDF) but when invoked remotely via web api, the signature becomes corrupt.

Thank you in advance,
Ivan Pashchuk
--------------------------------------------------------
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net <http://system.net/>;
using System.Text;
using System.Threading.Tasks;

namespace HttpRequest {
   class Program {
       static void Main(string[] args) {
           byte[] pdfFile = File.ReadAllBytes("C:/Users/Ivan/Desktop/sample.pdf");
           WebRequest request = WebRequest.Create("http://localhost:4447/signserver/process?workerId=2 <http://localhost:4447/signserver/process?workerId=2>");
           request.Method = "POST";
           request.ContentLength = pdfFile.Length;
           request.ContentType = "application/pdf";
           Stream stream = request.GetRequestStream();
           stream.Write(pdfFile, 0, pdfFile.Length);
           stream.Close();
           HttpWebResponse response = (HttpWebResponse)request.GetResponse();
           StreamReader reader = new StreamReader(response.GetResponseStream());
           Console.WriteLine("Response code: " + response.StatusCode);
           Console.WriteLine(response.Headers);
           StreamWriter GetResponsPdf = new StreamWriter("C:/Users/Ivan/Desktop/pdf/sample.pdf", false);
           GetResponsPdf.Write(reader.ReadToEnd());
           GetResponsPdf.Flush();
           GetResponsPdf.Close();
           reader.Close();
           Console.ReadKey();
       }
   }
}

Re: [SignServer-develop] Errors when trying to use SignServer 4.0 CE Web API to sign PDF remotely

[<iva...@ip...>]

Hello. 

I fixed the error. The mistake was that I did not correctly set the ContentType HTTP header. 

Thank you for your answer to my question. I’m posting this solution in case someone else will run into the same problem.

Here is a working piece of code in C# which sends a PDF to SignServer and receives the signed version in response.

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;

namespace HttpRequest {
    class Program {
        static void Main(string[] args) {
            byte[] pdfFile = File.ReadAllBytes("C:/Users/Ivan/Desktop/sample.pdf");
            WebRequest request = WebRequest.Create("http://localhost:4447/signserver/process?workerId=2");
            request.Method = "POST";
            request.ContentLength = pdfFile.Length;
            request.ContentType = "application/pdf";
            Stream stream = request.GetRequestStream();
            stream.Write(pdfFile, 0, pdfFile.Length);
            stream.Close();
            HttpWebResponse response = (HttpWebResponse)request.GetResponse();
            StreamReader reader = new StreamReader(response.GetResponseStream());
            Console.WriteLine("Response code: " + response.StatusCode);
            Console.WriteLine(response.Headers);
            StreamWriter GetResponsPdf = new StreamWriter("C:/Users/Ivan/Desktop/pdf/sample.pdf", false);
            GetResponsPdf.Write(reader.ReadToEnd());
            GetResponsPdf.Flush();
            GetResponsPdf.Close();
            reader.Close();
            Console.ReadKey();
        }
    }
}


> On Jul 12, 2017, at 12:49, Markus Kilås <mar...@pr...> wrote:
> 
> On 07/06/2017 12:44 PM, iva...@ip... wrote:
>> Hello,
>> 
>> (sorry for such a long post, this is the first time I’m trying to use
>> SignServer’s Web API )
>> 
>> I'm trying to programmatically send request to my SignServer 4.0 CE
>> instance hosted at WildFly9 to sign a PDF-file. The code is written in
>> java. I’m trying to use SignServer’s Web API.  I have tried both
>> multipart POST request and x-www-form-urlencoded request.. 
>> 
>> When I tried to embed PDF file contents using x-www-form-urlencoded
>> SignServer returned error code 400: 
>> -----
>> INFO  [org.signserver.ejb.WorkerProcessImpl] (default task-28) Illegal
>> request calling signer with id 2 : Could not sign document: PDF header
>> signature not found.
> 
> Hi Ivan,
> "PDF header signature not found" means that the first bytes of the file
> is not "PDF-".
> 
>> INFO  [org.signserver.server.log.IWorkerLogger] (default task-28)
>> AllVariablesLogger; CLIENT_IP: 10.0.0.4; XFORWARDEDFOR: 192.168.0.13;
>> PDF_PASSWORD_SUPPLIED: false; LOG_TIME: 1499336652605;
>> CLIENT_AUTHORIZED: true; EXCEPTION: Could not sign document: PDF header
>> signature not found.; WORKER_AUTHTYPE: NOAUTH; WORKER_NAME: PDFSigner;
>> KEYALIAS: Signer 1; PROCESS_SUCCESS: false; WORKER_ID: 2; CRYPTOTOKEN:
>> CryptoTokenP12; REQUEST_LENGTH: 11;
>> REQUEST_FULLURL: http://localhost:4447/signserver/process?workerId=2&data=[B@7852e922;
>> FILENAME: null; LOG_ID: 73c0e9e3-2165-4cef-86d4-c5cdff613aa5;
>> REPLY_TIME:1499336652607
> 
> "REQUEST_LENGTH: 11" means that the request you are sending is (or is
> expected to be 11 bytes long). That sounds a bit short for a PDF so it
> is probably an issue with either the "Content-Length" header that you
> are setting or the body of the HTTP message.
> 
>> ———
>> 
>> When I tried to send PDF file to SignServer as attachment using
>> multipart POST request I got HTTP code 500 with the following message:
>> 
>> Header section has more than 10240 bytes (maybe it is not properly
>> terminated)
> 
> Could it be that you are missing to terminate the header section by
> using two new lines to indicate that the body starts?
> 
>> 
>> My multipart POST client code and the complete error stack trace is
>> below. If needed I can also provide the x-www-form-urlencoded version. 
>> 
>> Please, would you be so kind to provide me with any hints on what I’m
>> doing wrong and why I cannot get SignServer to properly handle my PDF
>> sign request
> 
> I suggest that you use a tool like Wireshark to capture the output from
> when submitting a PDF from one of the demo web forms and then compare
> that with the output from when you run your code. That way you should be
> able to spot the differences.
> 
> You can also compare with our implementation in the SignServer Client
> CLI ("SignClient").
> 
> Cheers,
> Markus
> PrimeKey Solutions
> 
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.com for more information.
> https://www.primekey.com/products/software/
> 
> Join PrimeKey Tech Days in September!
> https://www.primekey.com/tech-days
> 
> 
>> 
>> Thank you in advance!
>> 
>> Ivan
>> 
>> 
>> //—Main.java— MultiPart POST client
>> ——————————————————————————————————————————
>> import java.io.BufferedReader;
>> import java.io.BufferedWriter;
>> import java.io.File;
>> import java.io.FileInputStream;
>> import java.io.InputStreamReader;
>> import java.io.OutputStream;
>> import java.io.OutputStreamWriter;
>> import java.net.HttpURLConnection;
>> import java.net.URL;
>> public class Main {
>>    private final String USER_AGENT = "Mozilla/5.0";
>>    public static void main(String[] args) throws Exception {
>> //-------------- Connect to the web server endpoint
>>        URL serverUrl = new URL("http://localhost:4447/signserver/process");
>>        HttpURLConnection urlConnection = (HttpURLConnection)
>> serverUrl.openConnection();
>>        String boundaryString = "test.pdf";
>>        String fileUrl = "/Users/Ivan/Desktop/test.pdf";
>>        File FileToUpload = new File(fileUrl);
>> //-------------- Indicate that we want to write to the HTTP request body
>>        urlConnection.setDoOutput(true);
>>        urlConnection.setRequestMethod("POST");
>>        urlConnection.addRequestProperty("Content-Type",
>> "multipart/form-data; boundary=" + boundaryString);
>>        urlConnection.addRequestProperty("workerId", "2");
>>        urlConnection.addRequestProperty("fileName", "test.pdf");
>> //-------------- Indicate that we want to write some data as the HTTP
>> request body
>>        urlConnection.setDoOutput(true);
>>        OutputStream outputStreamToRequestBody =
>> urlConnection.getOutputStream();
>>        BufferedWriter httpRequestBodyWriter = new BufferedWriter(new
>> OutputStreamWriter(outputStreamToRequestBody));
>> //-------------- Include the section to describe the file
>>        httpRequestBodyWriter.write("\n--" + boundaryString + "\n");
>>        httpRequestBodyWriter.write("Content-Disposition: form-data;" +
>> "name=\"myFile\";" + "filename=\""+ FileToUpload.getName() +"\"" +
>> "\nContent-Type: text/plain\n\n");
>>        httpRequestBodyWriter.flush();
>> //-------------- Write the actual file contents
>>        FileInputStream inputStreamToFile = new
>> FileInputStream(FileToUpload);
>>        int bytesRead;
>>        byte[] dataBuffer = new byte[inputStreamToFile.available()];
>>        while((bytesRead = inputStreamToFile.read(dataBuffer)) != -1) {
>>            outputStreamToRequestBody.write(dataBuffer, 0, bytesRead);
>>        }
>>        outputStreamToRequestBody.flush();
>> //-------------- Mark the end of the multipart http request
>>        httpRequestBodyWriter.write("\n--" + boundaryString + "--\n");
>>        httpRequestBodyWriter.flush();
>> //-------------- Close the streams
>>        outputStreamToRequestBody.close();
>>        httpRequestBodyWriter.close();
>> //-------------- Read response from web server, which will trigger the
>> multipart HTTP request to be sent.
>>        BufferedReader httpResponseReader = new BufferedReader(new
>> InputStreamReader(urlConnection.getInputStream()));
>>        String lineRead;
>>        while((lineRead = httpResponseReader.readLine()) != null) {
>>            System.out.println(lineRead);
>>        }
>>    }
>> }
>> //—Responce to client——————————————————————————————————————————————
>> Exception in thread "main" java.io.IOException: Server returned HTTP
>> response code: 500 for URL: http://localhost:4447/signserver/process
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
>> at
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
>> at Main.main(signer_new.java:53)
>> //—Error on server————————————————————————————————————————————————
>> ERROR [io.undertow.request] (default task-17) UT005023: Exception
>> handling request to /signserver/process: javax.servlet.ServletException:
>> Upload failed
>> at
>> org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:266)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>> at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at
>> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>> at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>> at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
>> at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at
>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
>> at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:748)
>> Caused by: org.apache.commons.fileupload.FileUploadException: Header
>> section has more than 10240 bytes (maybe it is not properly terminated)
>> at
>> org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:362)
>> at
>> org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:115)
>> at
>> org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:155)
>> ... 31 more
>> Caused by:
>> org.apache.commons.fileupload.MultipartStream$MalformedStreamException:
>> Header section has more than 10240 bytes (maybe it is not properly
>> terminated)
>> at
>> org.apache.commons.fileupload.MultipartStream.readHeaders(MultipartStream.java:543)
>> at
>> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.findNextItem(FileUploadBase.java:1038)
>> at
>> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:1003)
>> at
>> org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
>> at
>> org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
>> ... 33 more
>> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop

Re: [SignServer-develop] Errors when trying to use SignServer 4.0 CE Web API to sign PDF remotely

[Markus K. <mar...@pr...>]

On 07/06/2017 12:44 PM, iva...@ip... wrote:
> Hello,
> 
> (sorry for such a long post, this is the first time I’m trying to use
> SignServer’s Web API )
> 
> I'm trying to programmatically send request to my SignServer 4.0 CE
> instance hosted at WildFly9 to sign a PDF-file. The code is written in
> java. I’m trying to use SignServer’s Web API.  I have tried both
> multipart POST request and x-www-form-urlencoded request.. 
> 
> When I tried to embed PDF file contents using x-www-form-urlencoded
> SignServer returned error code 400: 
> -----
> INFO  [org.signserver.ejb.WorkerProcessImpl] (default task-28) Illegal
> request calling signer with id 2 : Could not sign document: PDF header
> signature not found.

Hi Ivan,
"PDF header signature not found" means that the first bytes of the file
is not "PDF-".

> INFO  [org.signserver.server.log.IWorkerLogger] (default task-28)
> AllVariablesLogger; CLIENT_IP: 10.0.0.4; XFORWARDEDFOR: 192.168.0.13;
> PDF_PASSWORD_SUPPLIED: false; LOG_TIME: 1499336652605;
> CLIENT_AUTHORIZED: true; EXCEPTION: Could not sign document: PDF header
> signature not found.; WORKER_AUTHTYPE: NOAUTH; WORKER_NAME: PDFSigner;
> KEYALIAS: Signer 1; PROCESS_SUCCESS: false; WORKER_ID: 2; CRYPTOTOKEN:
> CryptoTokenP12; REQUEST_LENGTH: 11;
> REQUEST_FULLURL: http://localhost:4447/signserver/process?workerId=2&data=[B@7852e922;
> FILENAME: null; LOG_ID: 73c0e9e3-2165-4cef-86d4-c5cdff613aa5;
> REPLY_TIME:1499336652607

"REQUEST_LENGTH: 11" means that the request you are sending is (or is
expected to be 11 bytes long). That sounds a bit short for a PDF so it
is probably an issue with either the "Content-Length" header that you
are setting or the body of the HTTP message.

> ———
> 
> When I tried to send PDF file to SignServer as attachment using
> multipart POST request I got HTTP code 500 with the following message:
> 
> Header section has more than 10240 bytes (maybe it is not properly
> terminated)

Could it be that you are missing to terminate the header section by
using two new lines to indicate that the body starts?

> 
> My multipart POST client code and the complete error stack trace is
> below. If needed I can also provide the x-www-form-urlencoded version. 
> 
> Please, would you be so kind to provide me with any hints on what I’m
> doing wrong and why I cannot get SignServer to properly handle my PDF
> sign request

I suggest that you use a tool like Wireshark to capture the output from
when submitting a PDF from one of the demo web forms and then compare
that with the output from when you run your code. That way you should be
able to spot the differences.

You can also compare with our implementation in the SignServer Client
CLI ("SignClient").

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.com for more information.
https://www.primekey.com/products/software/

Join PrimeKey Tech Days in September!
https://www.primekey.com/tech-days


> 
> Thank you in advance!
> 
> Ivan
> 
> 
> //—Main.java— MultiPart POST client
> ——————————————————————————————————————————
> import java.io.BufferedReader;
> import java.io.BufferedWriter;
> import java.io.File;
> import java.io.FileInputStream;
> import java.io.InputStreamReader;
> import java.io.OutputStream;
> import java.io.OutputStreamWriter;
> import java.net.HttpURLConnection;
> import java.net.URL;
> public class Main {
>     private final String USER_AGENT = "Mozilla/5.0";
>     public static void main(String[] args) throws Exception {
> //-------------- Connect to the web server endpoint
>         URL serverUrl = new URL("http://localhost:4447/signserver/process");
>         HttpURLConnection urlConnection = (HttpURLConnection)
> serverUrl.openConnection();
>         String boundaryString = "test.pdf";
>         String fileUrl = "/Users/Ivan/Desktop/test.pdf";
>         File FileToUpload = new File(fileUrl);
> //-------------- Indicate that we want to write to the HTTP request body
>         urlConnection.setDoOutput(true);
>         urlConnection.setRequestMethod("POST");
>         urlConnection.addRequestProperty("Content-Type",
> "multipart/form-data; boundary=" + boundaryString);
>         urlConnection.addRequestProperty("workerId", "2");
>         urlConnection.addRequestProperty("fileName", "test.pdf");
> //-------------- Indicate that we want to write some data as the HTTP
> request body
>         urlConnection.setDoOutput(true);
>         OutputStream outputStreamToRequestBody =
> urlConnection.getOutputStream();
>         BufferedWriter httpRequestBodyWriter = new BufferedWriter(new
> OutputStreamWriter(outputStreamToRequestBody));
> //-------------- Include the section to describe the file
>         httpRequestBodyWriter.write("\n--" + boundaryString + "\n");
>         httpRequestBodyWriter.write("Content-Disposition: form-data;" +
> "name=\"myFile\";" + "filename=\""+ FileToUpload.getName() +"\"" +
> "\nContent-Type: text/plain\n\n");
>         httpRequestBodyWriter.flush();
> //-------------- Write the actual file contents
>         FileInputStream inputStreamToFile = new
> FileInputStream(FileToUpload);
>         int bytesRead;
>         byte[] dataBuffer = new byte[inputStreamToFile.available()];
>         while((bytesRead = inputStreamToFile.read(dataBuffer)) != -1) {
>             outputStreamToRequestBody.write(dataBuffer, 0, bytesRead);
>         }
>         outputStreamToRequestBody.flush();
> //-------------- Mark the end of the multipart http request
>         httpRequestBodyWriter.write("\n--" + boundaryString + "--\n");
>         httpRequestBodyWriter.flush();
> //-------------- Close the streams
>         outputStreamToRequestBody.close();
>         httpRequestBodyWriter.close();
> //-------------- Read response from web server, which will trigger the
> multipart HTTP request to be sent.
>         BufferedReader httpResponseReader = new BufferedReader(new
> InputStreamReader(urlConnection.getInputStream()));
>         String lineRead;
>         while((lineRead = httpResponseReader.readLine()) != null) {
>             System.out.println(lineRead);
>         }
>     }
> }
> //—Responce to client——————————————————————————————————————————————
> Exception in thread "main" java.io.IOException: Server returned HTTP
> response code: 500 for URL: http://localhost:4447/signserver/process
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
> at
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
> at Main.main(signer_new.java:53)
> //—Error on server————————————————————————————————————————————————
> ERROR [io.undertow.request] (default task-17) UT005023: Exception
> handling request to /signserver/process: javax.servlet.ServletException:
> Upload failed
> at
> org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:266)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.apache.commons.fileupload.FileUploadException: Header
> section has more than 10240 bytes (maybe it is not properly terminated)
> at
> org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:362)
> at
> org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:115)
> at
> org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:155)
> ... 31 more
> Caused by:
> org.apache.commons.fileupload.MultipartStream$MalformedStreamException:
> Header section has more than 10240 bytes (maybe it is not properly
> terminated)
> at
> org.apache.commons.fileupload.MultipartStream.readHeaders(MultipartStream.java:543)
> at
> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.findNextItem(FileUploadBase.java:1038)
> at
> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:1003)
> at
> org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
> at
> org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
> ... 33 more
> 

[SignServer-develop] Invitation to PrimeKey Tech Days

[Karin T. <kar...@pr...>]

Hi,

 

As a user of SignServer Community you may have seen that we at PrimeKey are
hosting our very popular Tech Days in September. This is perhaps the only
real hard core PKI event during 2017, and you are hereby invited. The demand
for tickets is high as usual, and during previous years all tickets have
quickly sold out. In order to accommodate for the high demand Tech Days have
been moved to a larger venue, while keeping the same quality in speakers. 

 

As always, we take pride in having speakers who are of true value for our
highly technically skilled audience. So far we have released four of these
speakers: Cisco on EST, David Hook (Bouncy Castle), Siemens on Industrial
IoT and DarkMatter on PKI. Keep an eye on our LinkedIn and Twitter to see
when we release more speakers. In addition to our esteemed guest speaker we
will of course give you the latest updates on the PrimeKey product roadmaps
and insights. 

 

At PrimeKey Tech Days you will not only get to listen to many interesting
speakers but you also get the opportunity to meet and mingle with some of
the world's best minds in PKI and IT Security. This is something we know
that attendees really appreciate and we will therefore arrange a boat tour
and dinner for all attendees on the first evening of the event.

 

If you want to know more about Tech Days or register for the event, click
here: https://www.primekey.com/tech-days 

 

Date: 25 - 26 of September

Place: Stockholm, Sweden

Ticket fee: 380 Euro + VAT.

Accommodation: We recommend Berns Hotel. A special deal for Tech Days
attendees can be found here: https://www.primekey.com/tech-days  

 

Welcome!

 

Best regards,

Karin Trogstam and the PrimeKey Team

 

-- 

 



 

PrimeKey CMO

kar...@pr...

Lundagatan 16, SE-171 63 Solna, Sweden

 <https://www.primekey.com/> https://www.primekey.com 

 

Follow PrimeKey

 <https://www.linkedin.com/company/primekey-solutions-ab>
https://www.linkedin.com/company/primekey-solutions-ab

 <https://www.twitter.com/primekeyPKI> https://www.twitter.com/primekeyPKI

 

 

 

Join PrimeKey Tech Days 2017

 <https://www.primekey.com/tech-days> https://www.primekey.com/tech-days  

 

[SignServer-develop] Errors when trying to use SignServer 4.0 CE Web API to sign PDF remotely

[<iva...@ip...>]

Hello,

(sorry for such a long post, this is the first time I’m trying to use SignServer’s Web API )

I'm trying to programmatically send request to my SignServer 4.0 CE instance hosted at WildFly9 to sign a PDF-file. The code is written in java. I’m trying to use SignServer’s Web API.  I have tried both multipart POST request and x-www-form-urlencoded request.. 

When I tried to embed PDF file contents using x-www-form-urlencoded SignServer returned error code 400: 
-----
INFO  [org.signserver.ejb.WorkerProcessImpl] (default task-28) Illegal request calling signer with id 2 : Could not sign document: PDF header signature not found.
INFO  [org.signserver.server.log.IWorkerLogger] (default task-28) AllVariablesLogger; CLIENT_IP: 10.0.0.4; XFORWARDEDFOR: 192.168.0.13; PDF_PASSWORD_SUPPLIED: false; LOG_TIME: 1499336652605; CLIENT_AUTHORIZED: true; EXCEPTION: Could not sign document: PDF header signature not found.; WORKER_AUTHTYPE: NOAUTH; WORKER_NAME: PDFSigner; KEYALIAS: Signer 1; PROCESS_SUCCESS: false; WORKER_ID: 2; CRYPTOTOKEN: CryptoTokenP12; REQUEST_LENGTH: 11; REQUEST_FULLURL: http://localhost:4447/signserver/process?workerId=2&data=[B@7852e922; FILENAME: null; LOG_ID: 73c0e9e3-2165-4cef-86d4-c5cdff613aa5; REPLY_TIME:1499336652607
———

When I tried to send PDF file to SignServer as attachment using multipart POST request I got HTTP code 500 with the following message:

Header section has more than 10240 bytes (maybe it is not properly terminated)

My multipart POST client code and the complete error stack trace is below. If needed I can also provide the x-www-form-urlencoded version. 

Please, would you be so kind to provide me with any hints on what I’m doing wrong and why I cannot get SignServer to properly handle my PDF sign request

Thank you in advance!

Ivan


//—Main.java— MultiPart POST client ——————————————————————————————————————————
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URL;
public class Main {
    private final String USER_AGENT = "Mozilla/5.0";
    public static void main(String[] args) throws Exception {
//-------------- Connect to the web server endpoint
        URL serverUrl = new URL("http://localhost:4447/signserver/process");
        HttpURLConnection urlConnection = (HttpURLConnection) serverUrl.openConnection();
        String boundaryString = "test.pdf";
        String fileUrl = "/Users/Ivan/Desktop/test.pdf";
        File FileToUpload = new File(fileUrl);
//-------------- Indicate that we want to write to the HTTP request body
        urlConnection.setDoOutput(true);
        urlConnection.setRequestMethod("POST");
        urlConnection.addRequestProperty("Content-Type", "multipart/form-data; boundary=" + boundaryString);
        urlConnection.addRequestProperty("workerId", "2");
        urlConnection.addRequestProperty("fileName", "test.pdf");
//-------------- Indicate that we want to write some data as the HTTP request body
        urlConnection.setDoOutput(true);
        OutputStream outputStreamToRequestBody = urlConnection.getOutputStream();
        BufferedWriter httpRequestBodyWriter = new BufferedWriter(new OutputStreamWriter(outputStreamToRequestBody));
//-------------- Include the section to describe the file
        httpRequestBodyWriter.write("\n--" + boundaryString + "\n");
        httpRequestBodyWriter.write("Content-Disposition: form-data;" + "name=\"myFile\";" + "filename=\""+ FileToUpload.getName() +"\"" + "\nContent-Type: text/plain\n\n");
        httpRequestBodyWriter.flush();
//-------------- Write the actual file contents
        FileInputStream inputStreamToFile = new FileInputStream(FileToUpload);
        int bytesRead;
        byte[] dataBuffer = new byte[inputStreamToFile.available()];
        while((bytesRead = inputStreamToFile.read(dataBuffer)) != -1) {
            outputStreamToRequestBody.write(dataBuffer, 0, bytesRead);
        }
        outputStreamToRequestBody.flush();
//-------------- Mark the end of the multipart http request
        httpRequestBodyWriter.write("\n--" + boundaryString + "--\n");
        httpRequestBodyWriter.flush();
//-------------- Close the streams
        outputStreamToRequestBody.close();
        httpRequestBodyWriter.close();
//-------------- Read response from web server, which will trigger the multipart HTTP request to be sent.
        BufferedReader httpResponseReader = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
        String lineRead;
        while((lineRead = httpResponseReader.readLine()) != null) {
            System.out.println(lineRead);
        }
    }
}
//—Responce to client——————————————————————————————————————————————
Exception in thread "main" java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:4447/signserver/process
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1876)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
	at Main.main(signer_new.java:53)
//—Error on server————————————————————————————————————————————————
ERROR [io.undertow.request] (default task-17) UT005023: Exception handling request to /signserver/process: javax.servlet.ServletException: Upload failed
	at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:266)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.commons.fileupload.FileUploadException: Header section has more than 10240 bytes (maybe it is not properly terminated)
	at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:362)
	at org.apache.commons.fileupload.servlet.ServletFileUpload.parseRequest(ServletFileUpload.java:115)
	at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:155)
	... 31 more
Caused by: org.apache.commons.fileupload.MultipartStream$MalformedStreamException: Header section has more than 10240 bytes (maybe it is not properly terminated)
	at org.apache.commons.fileupload.MultipartStream.readHeaders(MultipartStream.java:543)
	at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.findNextItem(FileUploadBase.java:1038)
	at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:1003)
	at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)
	at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)
	... 33 more

Re: [SignServer-develop] Demo app: Worker Not Found: PDFSigner, XMLSigner

[And I. <and...@gm...>]

Dear Markus,

thank you very much for the hints and for such a quick response. I've
completely missed the Signer init section from the docs because another
developer tried to set everything up while I have just fixed the app server
issues he had.

I will follow the signers init section and continue the evaluation.

Thanks,
Andrew

On Mon, Jun 26, 2017 at 10:37 PM, Markus Kilås <mar...@pr...>
wrote:

> On 06/26/2017 02:21 PM, And Impd wrote:
> > Hello,
> >
> > I'm trying to get SignServer 4.0 CE up using WildFly9 (hosted in MS
> > Azure Ubuntu 17.04) for evaluation purposes. I have followed
> > installation instructions and managed to have signserver.ear
> > successfully deployed. The app server starts and I can access SignServer
> > via local URL (http://localhost:4457/signserver) .
> >
> > However, when I navigate to /signserver/demo/pdfsign.jsp and click on
> > the Submit button to invoke PDFSigner I get redirected to
> > /signserver/worker/PDFSigner and the following error is displayed:
> >
> > HTTP Status 404 - Worker Not Found
> >
> > The exact message from logs is this:
> >
> > 10:54:38,477 INFO  [org.signserver.server.log.SignServerLog4jDevice]
> > (default task-24) EVENT: PROCESS; OUTCOME: FAILURE; MODULE: WORKER;
> > ADMINISTRATOR: Client user; ISSUER: null; SERIAL_NUMBER: null;
> > WORKER_ID: null; EXCEPTION: No such worker: PDFSigner/; PROCESS_SUCCESS:
> > false; LOG_TIME: 1498474478472; LOG_ID:
> > 82e250f4-e4ca-4281-93dc-dfdf70819161; CLIENT_IP: xxx.xxx.xxx.xxx;
> > REPLY_TIME:1498474478477
> >
> > Next, if I simply reload the current signserver/worker/PDFSigner page I
> > dont' get 404 error, instead I get HTTP 400 code:
> >
> > 12:13:51,685 INFO  [org.signserver.web.GenericProcessServlet] (default
> > task-16) Bad request: Missing field 'data' in request
> >
> > Why the PDFSigner worker is not found in the demo app while the app
> > server seems to start successfully without any critical exception
> > (except for https:// complaints). I have tried other demo pages and
> > other workers like XMLSigner: same stuff.
> >
> > What config places should I check to enable the PDFSigner worker in the
> > demo app? Any help/hints would be much appreciated.
> >
> > Thanks,
> > Andrew S.
>
> Hi Andrew,
>
> This is all expect as the demo web forms are just static forms and by
> default the SignServer database is empty with no workers configured.
>
> You will need to configure the workers that you want to have either
> using the command line interface or GUI.
>
> The quick start demo guide shows how you can first set up a keystore
> crypto token with the bundled keystore containing already ready keys and
> certificates and then to set up a PDF signer:
> https://www.signserver.org/doc/current/manual/
> installguide.html#Quick_start_demo_PDF_signer
>
> Regards,
> Markus Kilås
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.com for more information.
> https://www.primekey.com/products/software/
>
>
>