pdfbox-users mailing list archives

From Thomas Chojecki <i...@rayman2200.de>
Subject Re: Validating signatures and removing signatures
Date Fri, 03 Jan 2014 21:37:12 GMT
On Thu, 2 Jan 2014 23:58:51 +0000,
Ross Woolf <rwoolf@tybera.com> wrote:

> I have two related questions regarding signed PDF documents
> 
> 1. Is it possible with PDFBox to validate signatures?

Not directly. You can extract the CMS signature and verify it with
Bouncy Castle. You can load the document and grab all signatures with
doc.getSignatureDictionaries().

The PDSignatureDictionary provides two methods:
1. byte[] getSignedContent(InputStream pdfFile)
This extracts the signed content, the part that the signature covers.
This will extract the content using the ByteRange.

2. byte[] getContents(InputStream pdfFile)
With this one you can extract the signature from the document. This
will extract the signature using the gap declared by the ByteRange.


Next you need to convert the byte[] into a CMS signature object and
verify the signature using the extracted signed content. The
certificate can be extracted from the CMS signature.


> 2. Is it possible to remove signatures using PDFBox that were
> previously signed using PDFBox (the same certificate as signing will
> be available)?

Yes, there are two different ways to do that. PDFBox creates incremental
updates for each signature. So if you remove the incremental section
that was made, the document will be exactly the same as before signing.

The second way is to flatten the document. For this you need to get the
AcroForms from the Catalog and remove the SignatureField from the
Fields array.

PDDocumentCatalog catalog = doc.getDocumentCatalog();
PDAcroForm acroform = catalog.getAcroForm();
List fields = acroform.getFields();

Now you need to find the right signature field and remove it from the
document. I do not know if this works properly; some people on the
mailing list say this method does not work.


But if you just add new content and sign it again, you can leave the
signatures where they are. The signature covers only a specific part of
the document and does not break if new content is added
incrementally. At the moment PDFBox only supports incremental updates
for signatures. If you want to add additional content like pages, you
will break the signature if you save the document the conventional way.

If you add a new page and add a signature, this may work. I
haven't tested it yet.

> For integrity sake before appending the pages I want to check that
> the original signature is valid, and if so, then remove the original
> signature, append the necessary data, and then sign the document anew
> relative to the modified document and then send it on to the
> requester.

Try the last suggestion I made: add a page and a signature and
perform a saveIncremental.

Best regards
Thomas
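
The validation steps described in the reply above, as an added example that is not part of the original message or of the PDFBox project. It assumes PDFBox 1.8/2.x (where the signature dictionary class is PDSignature), Bouncy Castle's bcpkix on the classpath, and a detached CMS signature (adbe.pkcs7.detached); the class name VerifyPdfSignatures is hypothetical.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Collection;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
// Hypothetical class name; usage: java VerifyPdfSignatures signed.pdf
public class VerifyPdfSignatures {
    public static void main(String[] args) throws Exception {
        File pdf = new File(args[0]);
        PDDocument doc = PDDocument.load(pdf);
        try {
            for (PDSignature sig : doc.getSignatureDictionaries()) {
                byte[] signedContent, contents;
                // Each getter consumes its stream, so open the file once per call.
                try (InputStream in = new FileInputStream(pdf)) {
                    signedContent = sig.getSignedContent(in);
                }
                try (InputStream in = new FileInputStream(pdf)) {
                    contents = sig.getContents(in);
                }
                // ByteRange is [off1 len1 off2 len2]; bytes past off2+len2 were added after signing.
                int[] br = sig.getByteRange();
                boolean coversWholeFile = br.length == 4 && (long) br[2] + br[3] == pdf.length();
                // Detached CMS: the signed bytes are supplied separately from the signature blob.
                CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(signedContent), contents);
                for (Object o : cms.getSignerInfos().getSigners()) {
                    SignerInformation signer = (SignerInformation) o;
                    Collection<?> certs = cms.getCertificates().getMatches(signer.getSID());
                    if (certs.isEmpty()) {
                        System.out.println("no signer certificate embedded in the CMS object");
                        continue;
                    }
                    X509CertificateHolder cert = (X509CertificateHolder) certs.iterator().next();
                    // Checks the signature value only; chain and revocation need separate validation.
                    boolean valid = signer.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
                    System.out.println(cert.getSubject() + " valid=" + valid + " coversWholeFile=" + coversWholeFile);
                }
            }
        } finally {
            doc.close();
        }
    }
}
```

A result of valid=true with coversWholeFile=false means the signed revision is intact but later incremental updates exist that this signature does not cover, so they should be reviewed before the document is trusted as a whole.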
