pdfbox-users mailing list archives

From Ross Woolf <rwo...@tybera.com>
Subject RE: Validating signatures and removing signatures
Date Thu, 10 Apr 2014 19:49:35 GMT
As further comment, when I tried to use the method of removing signatures via deleting the
signature fields from the fields array, it first appeared to work.  When the PDF is opened
in Adobe Reader it does not indicate anything about signatures and it seems as if none
exist, but if I scroll through the document it will then all of a sudden display a banner
that says that a signature requires validating, but you can't open the signature panel to
investigate.  So apparently just removing the signature fields is not enough.  Something remains
in the document that causes it to have this odd behavior.

Therefore I would like to pursue the approach of removing the incremental section, but I have
no clue how to even find this section or identify it.  Any help would be appreciated.

-----Original Message-----
From: Ross Woolf 
Sent: Wednesday, April 09, 2014 4:31 PM
To: users@pdfbox.apache.org
Subject: RE: Validating signatures and removing signatures

It has been a while but I am now back on this project.  In terms of removing signatures, I'm
interested in the approach of just removing the incremental section, but being new to PDFBox
I am clueless as to how to do this.  Could anyone point me in the direction of how I would
go about finding and removing this section?

Thanks

-----Original Message-----
From: Thomas Chojecki [mailto:info@rayman2200.de]
Sent: Friday, January 03, 2014 2:37 PM
To: users@pdfbox.apache.org
Subject: Re: Validating signatures and removing signatures

On Thu, 2 Jan 2014 23:58:51 +0000,
Ross Woolf <rwoolf@tybera.com> wrote:

> I have two related questions regarding signed PDF documents
> 
> 1.       Is it possible with PDFBox to validate signatures?
Not directly. You can extract the CMS signature and verify it with Bouncy Castle. You can
load the document and grab all signatures with doc.getSignatureDictionaries().

The PDSignatureDictionary provides two methods:
1. byte[] getSignedContent(InputStream pdfFile) This extracts the signed content, the part
that the signature covers.
This will extract the content using the ByteRange.

2. byte[] getContents(InputStream pdfFile) With this one you can extract the signature from
the document. This will extract the signature using the gap declared by the ByteRange.


Next you need to convert the byte[] into a CMS signature object and verify the signature using
the extracted signed content. The certificate can be extracted from the CMS signature.


> 2.       Is it possible to remove signatures using PDFBox that were
> previously signed using PDFBox (the same certificate as signing will 
> be available)?
Yes, there are two different ways to do that. PDFBox creates incremental updates for each signature.
So if you remove the incremental section that was made, the document will be exactly the same as before
signing.

The second way is to flatten the document. For this you need to get the AcroForms from the
Catalog and remove the SignatureField from the Fields array.

    PDDocumentCatalog catalog = doc.getDocumentCatalog();
    PDAcroForm acroform = catalog.getAcroForm();
    List fields = acroform.getFields();

Now you need to find the right signature field and remove it from the document. I do not
know if this works properly; some people on the mailing list say this method does not work.


But if you just add new content and sign it again, you can leave the signatures where they are.
The signature covers only a specific part of the document and does not break if new content
is added incrementally. At the moment PDFBox only supports incremental updates for signatures.
If you want to add additional content like pages, you will break the signature if you save
the document the conventional way.

If you add a new page and add a signature, this may work. I haven't tested it yet.

> For integrity sake before appending the pages I want to check that the 
> original signature is valid, and if so, then remove the original 
> signature, append the necessary data, and then sign the document anew 
> relative to the modified document and then send it on to the 
> requester.

Try the last suggestion: add a page and a signature and perform a saveIncremental.

Best regards
Thomas
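
Added example, not part of the original thread and not PDFBox code: a byte-level Python sketch of the two ideas discussed above, namely that a signature's /ByteRange covers everything except the /Contents gap, and that each incremental update ends with its own %%EOF, so the previous %%EOF marks where the signing update begins. The function names and the two-revision sample are constructed for illustration; the sample is a skeleton rather than a complete PDF, and the scan assumes %%EOF does not also occur inside stream data.

```python
import re

EOF_RE = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def revision_ends(pdf):
    """Offset just past each %%EOF marker; every saved revision ends with one."""
    return [m.end() for m in EOF_RE.finditer(pdf)]

def byte_ranges(pdf):
    """All /ByteRange arrays as (start1, len1, start2, len2) tuples."""
    return [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]

def signed_content(pdf, br):
    """Bytes the signature covers: both ranges, skipping the /Contents gap."""
    a, b, c, d = br
    return pdf[a:a + b] + pdf[c:c + d]

def unsigned_tail(pdf, br):
    """Number of bytes appended after the signed revision (0 = nothing added)."""
    return len(pdf) - (br[2] + br[3])

def strip_last_revision(pdf):
    """Drop the newest incremental update by cutting at the previous %%EOF."""
    ends = revision_ends(pdf)
    if len(ends) < 2:
        raise ValueError("no earlier revision to fall back to")
    return pdf[:ends[-2]]

def build_sample():
    """Constructed two-revision file: an unsigned base plus one signature update."""
    base = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n9\n%%EOF\n"
    head = b"2 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    sig = b"<" + b"00" * 16 + b">"  # placeholder bytes, not a real CMS blob
    tail = b" >>\nendobj\nstartxref\n9\n%%EOF\n"
    gap_start = len(base) + len(head % (0, 0, 0))
    gap_end = gap_start + len(sig)
    return base, base + head % (gap_start, gap_end, len(tail)) + sig + tail

if __name__ == "__main__":
    base, signed = build_sample()
    br = byte_ranges(signed)[-1]
    later = signed + b"3 0 obj\n<< >>\nendobj\nstartxref\n9\n%%EOF\n"
    print("revisions:", len(revision_ends(later)))
    print("bytes after signed range:", unsigned_tail(later, br))
    print("restored original:", strip_last_revision(signed) == base)
```

A non-zero `unsigned_tail` means content was appended after signing and is not covered by that signature, so a validator should report it rather than treat the whole file as signed.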
