[https://issues.apache.org/jira/browse/PDFBOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17218912#comment-17218912]
Michael Klink commented on PDFBOX-3017:
---------------------------------------
{quote}don't add LTV when MDP prevents this{quote}
MDP cannot prevent LTV, cf. ISO 32000-2:
{panel:title=ISO 32000-2, section 12.8.2.2 DocMDP}
A value of 1 for *P* indicates that the document shall be final; that is, any
changes shall invalidate the signature with the exception of subsequent DSS
(see 12.8.4.3, "Document Security Store (DSS)") and/or document timestamp (see
12.8.5, "Document timestamp (DTS) dictionary") incremental updates.
{panel}
If you encounter a PDF validator that claims the LTV additions break MDP
restrictions, that viewer is not working according to the standard or you
actually add more than required for DSS/DTS addition.
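As an added example (not code from PDFBox or from the commenter), the ISO 32000-2 rule quoted above expressed as a check against the PDFBox 2.0.x API: it reads /P from the certifying signature's /Reference transform parameters and decides which kinds of incremental update are permitted, with DSS and document timestamp updates always allowed. Assumed: the caller already knows what kind of objects its update adds (the Update value), and the class and method names are invented for this example.

```java
import java.io.File;
import java.io.IOException;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;

public final class DocMdpLtvCheck { // hypothetical class, not part of PDFBox
    enum Update { DSS, DOC_TIMESTAMP, FORM_FILL, ANNOTATION, OTHER } // what an update adds
    /** /P of the certifying signature's DocMDP params (1, 2 or 3), or 0 if not certified. */
    static int docMdpPermission(PDDocument doc) throws IOException {
        for (PDSignature sig : doc.getSignatureDictionaries()) {
            COSBase refs = sig.getCOSObject().getDictionaryObject(COSName.getPDFName("Reference"));
            if (!(refs instanceof COSArray)) continue;
            COSArray refArray = (COSArray) refs;
            for (int i = 0; i < refArray.size(); i++) {
                COSBase ref = refArray.getObject(i); // resolves indirect references
                if (!(ref instanceof COSDictionary)) continue;
                COSDictionary sigRef = (COSDictionary) ref;
                if (!"DocMDP".equals(sigRef.getNameAsString(COSName.getPDFName("TransformMethod")))) continue;
                COSBase params = sigRef.getDictionaryObject(COSName.getPDFName("TransformParams"));
                // ISO 32000-2: /P defaults to 2 when absent from the transform parameters
                return params instanceof COSDictionary ? ((COSDictionary) params).getInt(COSName.P, 2) : 2;
            }
        }
        return 0;
    }
    /** ISO 32000-2, 12.8.2.2: DSS and document timestamp updates never break DocMDP, whatever /P is. */
    static boolean updateAllowed(int p, Update update) {
        if (p == 0 || update == Update.DSS || update == Update.DOC_TIMESTAMP) return true;
        switch (update) {
            case FORM_FILL:  return p >= 2;  // P=2: fill in forms, instantiate templates, sign
            case ANNOTATION: return p >= 3;  // P=3: P=2 plus create/delete/modify annotations
            default:         return false;   // any other change invalidates the certification
        }
    }
    public static void main(String[] args) throws IOException {
        try (PDDocument doc = PDDocument.load(new File(args[0]))) {
            int p = docMdpPermission(doc);
            System.out.println("DocMDP /P = " + p + " (0 = not certified)");
            for (Update u : Update.values()) {
                System.out.println(u + ": " + (updateAllowed(p, u) ? "allowed" : "breaks certification"));
            }
        }
    }
}
```

If a validator rejects a P=1 document after an update that adds only a /DSS entry or a /DocTimeStamp signature, compare the objects written by the update against this table before blaming the validator: anything outside DSS/DTS in that update is what actually breaks the certification.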
> Improve document signing
> ------------------------
>
> Key: PDFBOX-3017
> URL: https://issues.apache.org/jira/browse/PDFBOX-3017
> Project: PDFBox
> Issue Type: Improvement
> Components: AcroForm, Signing
> Affects Versions: 2.0.0, 3.0.0 PDFBox
> Reporter: Tilman Hausherr
> Priority: Major
> Fix For: 3.0.0 PDFBox
>
> Attachments: PDFBOX-3017_certificate_chain.diff,
> PDFBOX-3017_certificate_chain_Screenshot.png, QV_RCA1_RCA3_CPCPS_V4_11.pdf,
> SO52757037-Signed3-OCSP-with-KeyHash.pdf, pdfa_signed_insivible.pdf
>
>
> Improve signing code:
> - incremental save only works for signatures and doesn't respect certificates
> such as Adobe Extended Usage Rights
> - -{{prepareNonVisualSignature}} clears the AcroForm DR
> {{acroForm.setDefaultResources(null)}} which is not good if there are other
> form fields-
> - visual/nonVisualSignature should move into the {{interactive.forms}}
> package and be handled within the signature field
> - -verify signature (to have tests that go full circle)- done June 2016
> - document or refactor / rewrite visible labyrinthine signature code
> - why is it not possible to pass only the signatureField to addSignature,
> instead having to create a COSDocument with a page and annotations that has
> the signature field, and that must be searched for in
> {{prepareVisibleSignature()}}?
> - -support rotated pages (see
> https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956
> )- done in PDFBOX-3671
> - -make sure that signed PDF/A files are still PDF/A (see
> http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf
> ); /ID possibly not OK; /Annots is possibly required ([~tilman] removed this
> for invisible signatures); test signed files with PDF-Tools and with
> preflight- tested, they are OK with PDF-Tools and preflight
> - test whether "bad" signatures are detected by preflight (search in old
> issues)
> - -PDFBOX-3363 - why is the stream cached in a file? Should it be done in
> memory?- done on July 15, 2016
> - remove {{setVisualSignature(PDVisibleSigProperties
> visSignatureProperties)}} from SignatureOptions.java, all it does is to call
> {{visSignatureProperties.getVisibleSignature()}} which returns an
> {{InputStream}}, and this is already available
> - {{checkSignatureField}} violates the "do one thing" rule
> - -decide whether the whole certificate chain should be passed in the sample
> code, instead of only the first one- yes the whole chain is stored
> - -check certificate chain, revocation lists, etc,- only if needed by users,
> code
> [here|https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/]
> - deprecate / remove all PDVisibleSignDesigner constructors except those with
> a PDDocument object, to avoid a file being opened twice
> - ... your ideas...
--
This message was sent by Atlassian Jira
(v8.3.4#803005)