I use a modified version of this library: https://github.com/vbuch/node-signpdf#readme in an angular app to sign a pdf with a signature that has been created elsewhere. When I open the signed pdf with foxit reader the signature is invalid with the following message:
Unexpected byte range values defining scope of signed data
Any ideas what the problem could be?
Here is the file: https://drive.google.com/file/d/1eS2waysotpAx6VtHMNvhGvl3wqgiyoT7/view?usp=sharing
First Example Document
I couldn't reproduce the "Unexpected byte range values defining scope of signed data" error message with the first example document; Foxit "merely" complained that the signature was invalid. Which it indeed is, because you forgot to base64-decode the signature string before injecting it into the PDF - PDF requires the embedded signature containers in DER format.
Second Example Document
The second example document was shared in a comment:
Indeed, the signature container now is injected in DER format, so Foxit Reader can validate it. Concerning the new error messages:
"The document has been altered or corrupted since the Signature was applied." - this indicates here that there is some digest value mismatch.
Calculating and extracting the digest values in question shows that the SHA256 digest value of the signed byte ranges of the document is
while the message digest attribute in the signature container holds
so your signature indeed does not match the signed byte ranges.
Interestingly, though, this is exactly the same digest as signed in the signature container in the first file. Actually the whole signature container is identical. Apparently, you simply re-used the signature container you retrieved for your previous test. As the signing time in the new document differs, though, that cannot work: you have to calculate the digest of the signed byte ranges anew and request a signature for it.
That being said, even for your first document that digest is incorrect. So you apparently have an issue calculating digest values.
"The Signer's identity is invalid because it has expired or is not yet valid." I don't get that error message, not even after manually updating Foxit Reader. First I was informed that the certificate does not chain down to a trust anchor, and after explicitly trusting the root certificate, I get a "The signer's identity is valid." Have you selected some non-standard settings in your Foxit Reader? Or is the date of your local computer completely off?
"The signature includes an embedded timestamp but it could not be verified." I got that, too, but here I again merely needed to trust the root certificate of the TSA certificate to get going.
Comments
In comments you ask:
The message digest attribute is a signed attribute of the single SignerInfo in the signature container. If you inspect your signature container using an ASN.1 viewer (e.g. http://lapo.it/asn1js/), look for this
If you want to understand the details of what you see, you should study RFC 5652 and specifications referenced from there.
For the signer certificate in Foxit Reader open the Signature Properties dialog, select Show Certificate, select the certificate you want to trust (root CA / intermediate CA / end entity), open the Trust tab, and press Add to Trusted Certificates.
For the TSA certificate in Foxit Reader open the Signature Properties dialog, at the bottom press Advanced Properties, select Show Certificate in the Timestamp Details, select the certificate you want to trust (root CA / intermediate CA / end entity), open the Trust tab, and press Add to Trusted Certificates.
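The digest comparison described in the answer (SHA-256 over the /ByteRange of the file versus the messageDigest attribute inside the CMS container in /Contents), as an added example that is not part of the original answer or of node-signpdf. The sample "PDF" is constructed here and only the /ByteRange and /Contents structures are realistic; the CMS container is reduced to its messageDigest attribute so a plain byte scan can find it.

```python
import hashlib
import re

# DER encoding of the id-messageDigest OID 1.2.840.113549.1.9.4 (RFC 5652, section 11.2)
MSG_DIGEST_OID = bytes.fromhex("06092a864886f70d010904")

def parse_byte_range(pdf: bytes) -> tuple[int, int, int, int]:
    """Read the four integers of the signature dictionary's /ByteRange array."""
    m = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(x) for x in m.groups())
    # the two ranges must start at 0, not overlap, and together cover the whole file
    if a != 0 or a + b > c or c + d != len(pdf):
        raise ValueError("byte ranges do not cover the file except the /Contents string")
    return a, b, c, d

def signed_data_digest(pdf: bytes) -> bytes:
    """SHA-256 over the signed byte ranges, i.e. everything except the /Contents hex string."""
    a, b, c, d = parse_byte_range(pdf)
    return hashlib.sha256(pdf[a:a + b] + pdf[c:c + d]).digest()

def cms_message_digest(pdf: bytes) -> bytes:
    """Decode the DER container in /Contents and return its messageDigest signed attribute.
    Byte scan for OID + SET { OCTET STRING }, not a full ASN.1 parse."""
    a, b, c, _ = parse_byte_range(pdf)
    der = bytes.fromhex(pdf[a + b:c].strip()[1:-1].decode())  # drop the < > hex delimiters
    i = der.find(MSG_DIGEST_OID)
    if i < 0 or der[i + 11] != 0x31 or der[i + 13] != 0x04:
        raise ValueError("messageDigest attribute not found")
    n = der[i + 14]
    return der[i + 15:i + 15 + n]

def signature_matches_document(pdf: bytes) -> bool:
    """The comparison a validator makes before reporting the document as altered."""
    return signed_data_digest(pdf) == cms_message_digest(pdf)

def build_sample(cms_digest: bytes) -> bytes:
    """Constructed toy 'signed PDF' carrying a stub CMS container with the given messageDigest."""
    cms = MSG_DIGEST_OID + bytes([0x31, len(cms_digest) + 2, 0x04, len(cms_digest)]) + cms_digest
    contents = b"<" + cms.hex().encode() + b">"
    tail = b" /SubFilter /adbe.pkcs7.detached >>\n%%EOF\n"
    def head(b, c, d):  # fixed-width offsets so filling them in does not shift the layout
        return b"%%PDF-1.7\nsigned body\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents " % (b, c, d)
    b = len(head(0, 0, 0)); c = b + len(contents)
    return head(b, c, len(tail)) + contents + tail

# /Contents lies outside the ranges, so the document digest is fixed before the container exists
correct = signed_data_digest(build_sample(b"\x00" * 32))
fresh = build_sample(correct)                                      # container signed for this file
reused = build_sample(hashlib.sha256(b"previous test").digest())  # stale container from another file
```

`signature_matches_document(fresh)` is true, while `reused` reproduces the mismatch the answer describes: a container carried over from an earlier document holds the wrong digest.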