Hash-Algorithm for digital signature always SHA-1?

Hi,

We are using Aspose.Words for Java to convert Word documents to PDF files. Additionally, we add a digital signature. So far it works. Now we want to choose the hash algorithm for the signature. No matter which algorithm we choose, SHA-1 is always used as the hash algorithm in the PDF file.

Code-Snippet:

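import com.aspose.words.*;
import java.util.Date;

// doc is the com.aspose.words.Document loaded earlier (not shown in the post)
PdfSaveOptions options = new PdfSaveOptions();
// Load the signing certificate and private key from the PKCS#12 file
CertificateHolder certificateHolder = CertificateHolder.create("certificate.p12", "password");

// Signature details: certificate, reason (null), location (null), signing time
PdfDigitalSignatureDetails pdfDigitalSignatureDetails = new PdfDigitalSignatureDetails(certificateHolder, null, null, new Date());

// Request SHA-512 as the hash algorithm for the signature
pdfDigitalSignatureDetails.setHashAlgorithm(PdfDigitalSignatureHashAlgorithm.SHA_512);

options.setDigitalSignatureDetails(pdfDigitalSignatureDetails);
doc.save("Testdocument_SHA512.pdf", options);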

Regards

Hi Jan,

Thanks for your inquiry. To ensure a timely and accurate response, please attach the following resources here for testing:

  • Your input Word document.
  • Please attach the output Pdf file that shows the undesired behavior.
  • Please attach certificate.p12.

As soon as you get these pieces of information ready, we'll start investigating your issue and provide you with more information. Thanks for your cooperation.

PS: To attach these resources, please zip them and click the 'Reply' button, which will bring you to the 'reply page'; there, at the bottom, you can include any attachments with that post by clicking the 'Add/Update' button.

Hi,

I have attached the zip file with the information to the original post.

Regards

Hi Jan,

Thanks for sharing the detail. We have tested the scenario and have managed to reproduce the same issue at our side. For the sake of correction, we have logged this problem in our issue tracking system as WORDSNET-14224. You will be notified via this forum thread once this issue is resolved.

We apologize for your inconvenience.

Hi Jan,

Thanks for your patience. It is to inform you that the issue which you are facing is actually not a bug in Aspose.Words. So, we have closed this issue (WORDSNET-14224) as 'Not a Bug'.

Aspose.Words currently supports only adbe.pkcs7.sha1 digital signature /SubFilter. This /SubFilter allows only SHA1 digest of the document. In PDF1.5 only SHA1 could be used.

Hi,

Thanks for the clarification. I wonder why the enumeration PdfDigitalSignatureHashAlgorithm provides values like SHA_256 and SHA_512. Why are the constants provided if they don't have any effect?

Regarding the adbe.pkcs7.sha1 subprofile Adobe states that "Other algorithms may be used to digest the signed data field; however, SHA1 is used to digest the signed data." Is it possible to use the specified SignatureHashAlgorithm to digest the signed data field?

Due to compliance rules, we must sign PDFs with SHA-256 or higher. Is there any setting/workaround which allows the usage of SHA-256 in the described setting?

Or do we have to wait until newer PDF versions (as SHA-256 is only supported for PDF1.6 and higher) and different subprofiles are supported? If so, is there any release plan?

Best regards

Jan

Hi Jan,

Thanks for your inquiry. In PDF 1.5, only SHA1 could be used. Other hash algorithms require PDF 1.6 and PDF 1.7 versions. Unfortunately, PDF versions 1.6 and 1.7 are not supported in Aspose.Words. We have already logged these features in our issue tracking system as follows:

WORDSNET-11263 : Add feature to convert document to PDF 1.6
WORDSNET-11083 : Support converting to PDF 1.7

We will inform you via this forum thread once these features are available. We apologize for your inconvenience.

JanMundo:
Is it possible to use the specified SignatureHashAlgorithm to digest the signed data field?
Due to compliance rules, we must sign PDFs with SHA-256 or higher. Is there any setting/workaround which allows the usage of SHA-256 in the described setting?

Or do we have to wait until newer PDF versions (as SHA-256 is only supported for PDF1.6 and higher) and different subprofiles are supported? If so, is there any release plan?

We are in communication with our product team about your query and will share more information on this.

Hi Jan,

JanMundo:
Is it possible to use the specified SignatureHashAlgorithm to digest the signed data field?

The SignatureHashAlgorithm is used to digest the signed data field in the PKCS#7 message.

JanMundo:
Is there any setting/workaround which allows the usage of SHA-256 in the described setting?

Unfortunately, there is no workaround available using Aspose.Words.

JanMundo:
Or do we have to wait until newer PDF versions (as SHA-256 is only supported for PDF1.6 and higher) and different subprofiles are supported? If so, is there any release plan?

Unfortunately, this feature is not in the release plan. We apologize for your inconvenience.
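
As an added example (not code from this thread or from Aspose), a stdlib-only Python check that reads a signed PDF's header version, each signature's /SubFilter and the digestAlgorithms listed in its PKCS#7 blob, the values the replies above turn on. It assumes an unencrypted file whose signature dictionaries are stored uncompressed with a hex /Contents string holding definite-length DER; the function names and the sample bytes are constructed here.

```python
import re

# DER content bytes (hex) of the digest OIDs a compliance check looks for.
DIGEST_OIDS = {
    "2b0e03021a": "SHA-1",            # 1.3.14.3.2.26
    "608648016503040201": "SHA-256",  # 2.16.840.1.101.3.4.2.1
    "608648016503040202": "SHA-384",  # 2.16.840.1.101.3.4.2.2
    "608648016503040203": "SHA-512",  # 2.16.840.1.101.3.4.2.3
}

def tlv(buf, pos):
    """Read one definite-length DER TLV; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signed_data_digests(der):
    """Names from SignedData.digestAlgorithms inside a PKCS#7 ContentInfo."""
    _, p, _ = tlv(der, 0)      # ContentInfo SEQUENCE
    _, _, p = tlv(der, p)      # contentType OID, skipped
    _, p, _ = tlv(der, p)      # [0] EXPLICIT wrapper
    _, p, _ = tlv(der, p)      # SignedData SEQUENCE
    _, _, p = tlv(der, p)      # version INTEGER, skipped
    _, p, end = tlv(der, p)    # digestAlgorithms SET OF AlgorithmIdentifier
    names = []
    while p < end:
        _, seq, p = tlv(der, p)         # one AlgorithmIdentifier; p moves past it
        _, start, stop = tlv(der, seq)  # its algorithm OID
        raw = der[start:stop].hex()
        names.append(DIGEST_OIDS.get(raw, raw))  # unknown OIDs reported as hex
    return names

def inspect_pdf_signatures(pdf):
    """Return (header version, [(SubFilter, PKCS#7 digest names), ...])."""
    version = re.match(rb"%PDF-(\d\.\d)", pdf).group(1).decode()
    subfilters = re.findall(rb"/SubFilter\s*/([\w.]+)", pdf)
    blobs = re.findall(rb"/Contents\s*<([0-9A-Fa-f]+)>", pdf)  # paired in file order
    return version, [(s.decode(), signed_data_digests(bytes.fromhex(b.decode())))
                     for s, b in zip(subfilters, blobs)]

# Constructed sample, not a real signature: PKCS#7 cut off after digestAlgorithms.
SAMPLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.sha1 /Contents <"
          b"302306092a864886f70d010702a0163014020101310f300d06096086480165030402030500"
          b"0000> >>\nendobj\n")

if __name__ == "__main__":
    print(inspect_pdf_signatures(SAMPLE))
```

Under adbe.pkcs7.sha1 the document digest is SHA-1 whatever digestAlgorithm the PKCS#7 message reports, so a SHA-256 compliance check has to look at both values.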

Hi,
Are there any news on this topic? Is the support already in the release plan?
Regards
Jan

@JanMundo

Thanks for your inquiry. We regret to share with you that there is no update available on WORDSNET-11263 and WORDSNET-11083. We apologize for your inconvenience.

The issues you have found earlier (filed as ) have been fixed in this update. This message was posted using BugNotificationTool from Downloads module by MuzammilKhan

The issues you have found earlier (filed as WORDSNET-11083) have been fixed in this Aspose.Words for .NET 19.12 update and this Aspose.Words for Java 19.12 update.