I'm trying to create a PAdES digital signature based on PDFNet API. The problem is that the signature is not recognized by DSS Verification due to Content field from ContentInfo which should not exist according to PAdES standard. This is also marked as optional in RFC5652, chapter 3.
This is the field that is causing the problem:
This is my code:
if (this->digest.size() == 0) {
this->digest.resize(this->digest_size);
EVP_DigestFinal(this->hash_context, &(this->digest[0]), NULL);
}
PKCS7* p7 = PKCS7_new();
PKCS7_set_type(p7, NID_pkcs7_signed);
PKCS7_add_certificate(p7, this->x509_cert);
for (int c = 0; c < sk_X509_num(this->x509_chain); c++) {
X509* cert = sk_X509_value(this->x509_chain, c);
PKCS7_add_certificate(p7, cert);
}
PKCS7_SIGNER_INFO* p7Si = PKCS7_add_signature(p7, x509_cert, priv_key, EVP_get_digestbyname(hash_type.c_str()));
PKCS7_add1_attrib_digest(p7Si, &(this->digest[0]), this->digest_size);
PKCS7_add_attrib_content_type(p7Si, OBJ_nid2obj(NID_pkcs7_data));
ESS_SIGNING_CERT_V2* signing_cert = OSSL_ESS_signing_cert_v2_new_init(EVP_get_digestbyname(this->hash_type.c_str()), this->x509_cert, NULL, -1);
int len_sign_cert = i2d_ESS_SIGNING_CERT_V2(signing_cert, NULL);
unsigned char* encoded_data = (unsigned char*)malloc(len_sign_cert * sizeof(unsigned char));
unsigned char* p = encoded_data;
i2d_ESS_SIGNING_CERT_V2(signing_cert, &p);
ASN1_STRING* seq = ASN1_STRING_new();
ASN1_STRING_set(seq, encoded_data, len_sign_cert);
PKCS7_add_signed_attribute(p7Si, NID_id_smime_aa_signingCertificateV2, V_ASN1_SEQUENCE, seq);
PKCS7_content_new(p7, NID_pkcs7_data);
PKCS7_set_detached(p7, 1);
PKCS7_SIGNER_INFO_sign(p7Si);
I tried to use CMS instead of PKCS7 so I can workaround the problem, but there is also a problem there because the signingTime field is set automatically at the call of CMS_SignerInfo_sign (and this field shall not be prezent in a PAdES digital signature).