I succeed in making the saveIncremental() work, but the signature is invalid,
because of the /ByteRange is not consistent (Acrobat Reader and DSS do moan
when verifying)...
<Indication>FAILED</Indication>
<SubIndication>HASH_FAILURE</SubIndication>
<Errors Key="BBB_FC_IBRV_ANS">The /ByteRange dictionary is not
consistent!</Errors>
<Errors Key="BBB_CV_IRDOI_ANS">The reference data object is not intact!</Errors>
So I'm wrong (before signing PDF say the file is OK, so it must be my patch).
My modification, base on 4.0.0-SNAPSHOT trunk is, just taking the maximum for
byteRangeLength , thus in fact always 35:
->
org.apache.pdfbox.pdfwriter.COSWriter.visitFromDictionary(COSDictionary)
//FIXME testing patch (around line 1245)
//byteRangeLength = getStandardOutput().getPos() - 1 -
byteRangeOffset;
long byteRangeLengthNow=getStandardOutput().getPos() -
1 - byteRangeOffset;
System.err.printf("DEBUGTRACE: visitFromDictionary
previous byteRangeLength=%d byteRangeLengthNow=%d
%n",byteRangeLength,byteRangeLengthNow);
if(byteRangeLength<byteRangeLengthNow)
byteRangeLength=byteRangeLengthNow;
I also added some traces, and it happens as I said before:
First I visit my AcroForm/Fields signature with a default ByteRange value
DEBUGTRACE: visitFromDictionary on BYTERANGE=COSArray{[COSInt{0},
COSInt{1000000000}, COSInt{1000000000}, COSInt{1000000000}]}
DEBUGTRACE: visitFromDictionary
obj=COSDictionary{COSName{Type}:COSName{Sig};COSName{Filter}:COSName{Adobe.PPKLite};COSName{SubFilter}:COSName{ETSI.CAdES.detached};COSName{Reason}:COSString{Signé
électroniquement par
XXX};COSName{M}:COSString{D:20250904131106+02'00'};COSName{Contents}:COSString{..
DEBUGTRACE: visitFromDictionary previous byteRangeLength=0 byteRangeLengthNow=35
DEBUGTRACE: visitFromDictionary after byteRangeLength=35
Then a signature in Perms/UR3
DEBUGTRACE: visitFromDictionary on BYTERANGE=COSArray{[COSInt{0}, COSInt{1569},
COSInt{11103}, COSInt{160382}]}
DEBUGTRACE: visitFromDictionary
obj=COSDictionary{COSName{ByteRange}:COSArray{COSInt{0};COSInt{1569};COSInt{11103};COSInt{160382};};COSName{Contents}:COSString{...
... (found while debugging) (it's in Perms/UR3)
COSName{Filter}=COSName{Adobe.PPKLite}
COSName{M}=COSString{D:20120425164059+02'00'}
COSName{Name}=COSString{ARE Acrobat Product v8.0 P23 0002337}
COSName{Prop_Build}=COSDictionary{COSName{App}:COSDictionary{COSName{Name}:COSName{Exchange-Pro};COSName{OS}:COSArray{COSName{Win};};COSName{R}:COSInt{589824};COSName{REx}:COSString{9.0.0};COSName{TrustedMode}:true;};COSName{Filter}:COSDictionary{COSName{Date}:COSString{Jun
11 2008
22:53:02};COSName{Name}:COSName{Adobe.PPKLite};COSName{R}:COSInt{131103};};COSName{PubSec}:COSDictionary{COSName{Date}:COSString{Jun
11 2008 22:51:44};COSName{NonEFontNoWarn}:true;COSName{R}:COSInt{131103};};}
COSName{Reference}=COSArray{[COSObject{6 0 R}]}
COSName{SubFilter}=COSName{adbe.pkcs7.detached}
COSName{Type}=COSName{Sig}
...
And finally, it writes the ByteRange for the new signature, no IOException this
time.
DEBUGTRACE: visitFromDictionary previous byteRangeLength=35
byteRangeLengthNow=20
DEBUGTRACE: visitFromDictionary after byteRangeLength=35
DEBUGTRACE: doWriteSignature beforeLength=145549 afterOffset=164495
afterLength=27772
the tragedy is that afterward the document signature is invalid.
I've checked, the document is not password protected.
However, I've seen some properties that seems to point it's "Exchange-Pro"
9.0.0 that generated (PROP_BUILD??) that signature ...(no idea what it is
precisely)...
APP=(
Name=Exchange-Pro
OS=Win
Rex=9.0.0
TrustedMode=true
Filter=(
Date=Jun 11 2008 22:53:02,
Name=Adobe.PPKLite,
PubSec=( Date=Jun 11 2008 22:51:44,NonEFontNoWarn=true...)
)
)
Another property points to " ARE Acrobat Product v8.0 P23 0002337".
It seems acrobat products can give users using Acrobat Reader, some extension
of license ...
Maybe this is how clients could lock they file.
https://community.adobe.com/t5/acrobat-discussions/how-to-discover-by-which-method-a-given-reader-extended-file-received-the-extension-of-rights-by/m-p/8697438
I will investigate to find how was this form generated
Alain COETMEUR
Interne
-----Message d'origine-----
De : Marc Kaufman <[email protected]>
Envoyé : mardi 2 septembre 2025 19:20
À : [email protected]
Objet : Re: Error "Can't write new byteRange … not enough space…" signing with
PADES a document having user's rights protected by Perms/UR3
Ce message et toutes les pièces jointes (ci-après le «message») sont
confidentiels et établis à l’intention exclusive de ses destinataires. Toute
utilisation de ce message non conforme à sa destination, toute diffusion ou
toute publication, totale ou partielle, est interdite, sauf autorisation
expresse. Si vous recevez ce message par erreur, merci de le détruire sans en
conserver de copie et d’en avertir immédiatement l’expéditeur. Internet ne
permettant pas de garantir l’intégrité de ce message, la Caisse des Dépôts et
Consignations décline toute responsabilité au titre de ce message s’il a été
modifié, altéré, déformé ou falsifié. Par ailleurs et malgré toutes les
précautions prises pour éviter la présence de virus dans nos envois, nous vous
recommandons de prendre, de votre côté, les mesures permettant d'assurer la
non-introduction de virus dans votre système informatique. This email message
and any attachments (“the email”) are confidential and intended only for the
recipient(s) indicated. If you are not an intended recipient, please be advised
that any use, dissemination, forwarding or copying of this email whatsoever is
prohibited without prior written consent of Caisse des Depots et Consignations.
If you have received this email in error, please delete it without saving a
copy and notify the sender immediately. Internet emails are not necessarily
secure, and Caisse des Depots et Consignations declines responsibility for any
changes that may have been made to this email after it was sent. While we take
all reasonable precautions to ensure that viruses are not transmitted via
emails, we recommend that you take your own measures to prevent viruses from
entering your computer system.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
