Hi,

I do understand it somewhat, the problem is that for some reason several signatures are in the incremental part. It doesn't happen with
https://issues.apache.org/jira/secure/attachment/12744153/santander_freistellungsauftrag.pdf
from https://issues.apache.org/jira/browse/PDFBOX-2858 .

We could change the code so that only the first one reached is considered. However, how do we know that the correct one is reached first?

I may have an idea:

The previous Perms/UR3 signature seems to cover much less, and is thus shorter
COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103}, COSInt{160382}]}

What is the exact length of the unsigned file?

Tilman


On 01.09.2025 at 10:25, Coetmeur, Alain wrote:
Hello,

I have a problem using PDFBox 3.05 via DSS6.3.
When I try to sign some documents, it fails on a ByteRange serialization “Can't write new byteRange … not enough space…”.
I’ve investigated and I think I found the problem.
I’m not at all an expert in PDF, so I may be wrong.

This document's “User’s Rights” are signed with a root/Perms/UR3 signature:
Type=Sig
Filter=Adobe.PPKLite
SubFilter=adbe.pkcs7.detached
Name=ARE Acrobat Product v8.0 P23 0002337

It’s a Form that is filled by a client (I cannot send it to you sadly, sorry). Maybe that explains the problem.
I suspect the Form was signed by a company, before the client filled it, making it much longer than what the UR3 signed.

DSS tries to add a classic PADES signature in root/AcroForm/Fields/V
Type=Sig
Filter=Adobe.PPKLite
SubFilter=ETSI.CAdES.detached

The problem happens in
org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(OutputStream)

I’ve traced that first, PdfBox visits the ByteRange of the PADES signature in AcroForm/Fields, THEN in Perms/UR3.
org.apache.pdfbox.pdfwriter.COSWriter.visitFromDictionary(COSDictionary)
Each time, it stores the latest value of ByteRange in an instance variable “byteRangeArray”

The new PADES signature has a ByteRange still undetermined set as
COSArray{[COSInt{0}, COSInt{1000000000}, COSInt{1000000000}, COSInt{1000000000}]}

The previous Perms/UR3 signature seems to cover much less, and is thus shorter
COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103}, COSInt{160382}]}

Thus at the end
this.byteRangeArray is COSArray{[COSInt{0}, COSInt{1569}, COSInt{11103}, COSInt{160382}]}

Finally the method
org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature()
is called and fails with an IO Exception:
Can't write new byteRange '0 145478 164424 26017]' not enough space: 
byteRange.length(): 22, byteRangeLength: 20, byteRangeOffset: 180045

It tries to write the real ByteRange for the PADES Signature which is
COSArray{[COSInt{0}, COSInt{145478}, COSInt{164424}, COSInt{26017}]}
which is longer than the last UR3 signature visited and set into byteRangeArray.

I can give more detail on the stacktrace, but probably it’s enough. I don’t 
know the subtleties of PDF format, so maybe I miss an important point.


I’ve tried to generate a similar file with JSignPDF 2.3.0, starting from an XFA form
https://mfinante.gov.ro/documents/2552173/2552377/31.OrdinPlataElectronic_2023_05_19_A2.0.26+.pdf/5acf3ff7-7ff1-aa2c-283c-151d49af0d8b?t=1684492636871&download=true
found in this Post:
https://stackoverflow.com/questions/76736428/programatically-fill-government-pdf-xfa-dynamic
and I succeeded in creating a UR3 signature (sign with a PKCS12, asking “No Certification” as “certification level”, and adding an owner password for encryption), but I could not reproduce the bug. Sorry.

I can test some correction proposal, but I cannot give the document.

Hope this helps.
Best regards.
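
The length mismatch in the exception above, reproduced as a small model. This is an added example, not PDFBox code and not written by either poster. The serialization rule is inferred from the quoted error message, and the function names and the `pick_placeholder` rule are hypothetical.

```python
# Model of the ByteRange bookkeeping described in the thread (not PDFBox code).
PLACEHOLDER = [0, 1000000000, 1000000000, 1000000000]  # value quoted in the post
UR3_RANGE = [0, 1569, 11103, 160382]                   # value quoted in the post
FINAL_RANGE = [0, 145478, 164424, 26017]               # value quoted in the post


def serialized(byte_range):
    """Text patched into the reserved slot: the integers plus the closing ']'."""
    return " ".join(str(n) for n in byte_range) + "]"


def pick_last(visited):
    """Behaviour traced in the post: every visit overwrites the remembered array."""
    remembered = None
    for _, byte_range in visited:
        remembered = byte_range
    return remembered


def pick_first(visited):
    """Proposal from the reply: keep only the first ByteRange reached."""
    return visited[0][1]


def pick_placeholder(visited):
    """Hypothetical rule: keep the array that still holds the placeholder values."""
    for _, byte_range in visited:
        if byte_range == PLACEHOLDER:
            return byte_range
    raise ValueError("no placeholder ByteRange was visited")


def write_signature(visited, pick, final_range=FINAL_RANGE):
    """Return (fits, needed, reserved) for writing final_range into the picked slot."""
    reserved = len(serialized(pick(visited)))
    needed = len(serialized(final_range))
    return needed <= reserved, needed, reserved


# Visit order reported in the post, and the reverse order for comparison.
ORDER_SEEN = [("AcroForm/Fields", PLACEHOLDER), ("Perms/UR3", UR3_RANGE)]
ORDER_REVERSED = list(reversed(ORDER_SEEN))

if __name__ == "__main__":
    for pick in (pick_last, pick_first, pick_placeholder):
        for label, order in (("seen", ORDER_SEEN), ("reversed", ORDER_REVERSED)):
            print(pick.__name__, label, write_signature(order, pick))
```

With the visit order from the post, `pick_last` yields the 22 versus 20 from the exception; `pick_first` fits in that order but fails when the order is reversed, which is the question raised in the reply.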