[ https://issues.apache.org/jira/browse/PDFBOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17225308#comment-17225308 ]

Michael Klink commented on PDFBOX-3017:
---------------------------------------

{quote}So to me our implementation should be to the spec with Acrobat being 
able to validate after the issue has been fixed.{quote}

That remains to be seen: It's only allowed to add LTV (DSS and DTS) to a DocMDP 
no-changes-allowed document. Thus, the tiniest object added which is not 
necessary for adding LTV may be interpreted as an invalid change. And ever since 
the Shadow Attacks publication Adobe is likely to be especially cautious not to 
allow any unnecessary additions, see PDFBOX-4997.

> Improve document signing
> ------------------------
>
>                 Key: PDFBOX-3017
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-3017
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: AcroForm, Signing
>    Affects Versions: 2.0.0, 3.0.0 PDFBox
>            Reporter: Tilman Hausherr
>            Priority: Major
>             Fix For: 3.0.0 PDFBox
>
>         Attachments: Eingangsbestaetigung-376670811-sig.pdf, 
> Eingangsbestaetigung-376670811-sig_ocsp.pdf, 
> PDFBOX-3017_certificate_chain.diff, 
> PDFBOX-3017_certificate_chain_Screenshot.png, QV_RCA1_RCA3_CPCPS_V4_11.pdf, 
> SO52757037-Signed3-OCSP-with-KeyHash.pdf, pdfa_signed_insivible.pdf
>
>
> Improve signing code:
> - incremental save only works for signatures and doesn't respect certificates 
> such as Adobe Extended Usage Rights
> - -{{prepareNonVisualSignature}} clears the AcroForm DR 
> {{acroForm.setDefaultResources(null)}} which is not good if there are other 
> form fields-
> - visual/nonVisualSignature should move into the {{interactive.forms}} 
> package and be handled within the signature field
> - -verify signature (to have tests that go full circle)- done June 2016
> - document or refactor / rewrite visible labyrinthine signature code
> - why is it not possible to pass only the signatureField to addSignature, 
> instead having to create a COSDocument with a page and annotations that has 
> the signature field, and that must be searched for in 
> {{prepareVisibleSignature()}}?
> - -support rotated pages (see 
> https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956
>  )- done in PDFBOX-3671
> - -make sure that signed PDF/A files are still PDF/A (see 
> http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf
>  ); /ID possibly not OK; /Annots is possibly required ([~tilman] removed this 
> for invisible signatures); test signed files with PDF-Tools and with 
> preflight- tested, they are OK with PDF-Tools and preflight
> - test whether "bad" signatures are detected by preflight (search in old 
> issues)
> - -PDFBOX-3363 - why is the stream cached in a file? Should it be done in 
> memory?- done on July 15, 2016
> - remove {{setVisualSignature(PDVisibleSigProperties 
> visSignatureProperties)}} from SignatureOptions.java, all it does is to call 
> {{visSignatureProperties.getVisibleSignature()}} which returns an 
> {{InputStream}}, and this is already available
> - {{checkSignatureField}} violates the "do one thing" rule
> - -decide whether the whole certificate chain should be passed in the sample 
> code, instead of only the first one- yes the whole chain is stored
> - -check certificate chain, revocation lists, etc,- only if needed by users, 
> code 
> [here|https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/]
> - deprecate / remove all PDVisibleSignDesigner constructors except those with 
> a PDDocument object, to avoid a file being opened twice
> - ... your ideas...
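
As an added example (not PDFBox project code and not part of this issue), the following read-only check reports the DocMDP permission level that each signature in a PDF claims, so that whoever intends to append an LTV update (DSS/DTS) knows up front whether the document is certified with "no changes allowed" (/P 1), where anything beyond the DSS/DTS objects may be flagged as an invalid change. It assumes the PDFBox 2.0.x API (`PDDocument.load`, `getSignatureDictionaries`) and looks up /Reference, /TransformMethod and /TransformParams by string key; the class name `DocMdpLevelCheck` is hypothetical.

```java
import java.io.File;
import java.io.IOException;

import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;

/**
 * Added example, not PDFBox's own code: inspect the DocMDP level of every
 * signature in a PDF before attempting an LTV (DSS/DTS) update.
 * Assumes the PDFBox 2.0.x API.
 */
public class DocMdpLevelCheck
{
    /**
     * Returns the DocMDP /P value declared by a signature dictionary:
     * 1 = no changes allowed, 2 = form fill-in and signing, 3 = also annotations.
     * Returns 0 when the signature carries no DocMDP transform (an approval signature).
     */
    static int docMdpLevel(COSDictionary sigDict)
    {
        COSBase refs = sigDict.getDictionaryObject("Reference");
        if (!(refs instanceof COSArray))
        {
            return 0;
        }
        COSArray refArray = (COSArray) refs;
        for (int i = 0; i < refArray.size(); i++)
        {
            COSBase ref = refArray.getObject(i); // resolves indirect objects
            if (!(ref instanceof COSDictionary))
            {
                continue;
            }
            COSDictionary refDict = (COSDictionary) ref;
            if (!COSName.DOCMDP.equals(refDict.getDictionaryObject("TransformMethod")))
            {
                continue;
            }
            COSBase params = refDict.getDictionaryObject("TransformParams");
            if (params instanceof COSDictionary)
            {
                // ISO 32000-1, 12.8.2.2: /P defaults to 2 when absent
                return ((COSDictionary) params).getInt(COSName.P, 2);
            }
            return 2;
        }
        return 0;
    }

    /** True if the catalog's /Perms /DocMDP entry points at this very signature dictionary. */
    static boolean isCertifyingSignature(PDDocument doc, COSDictionary sigDict)
    {
        COSBase perms = doc.getDocumentCatalog().getCOSObject().getDictionaryObject(COSName.PERMS);
        if (!(perms instanceof COSDictionary))
        {
            return false;
        }
        // getDictionaryObject resolves the indirect reference, so identity comparison is valid
        return ((COSDictionary) perms).getDictionaryObject(COSName.DOCMDP) == sigDict;
    }

    public static void main(String[] args) throws IOException
    {
        try (PDDocument doc = PDDocument.load(new File(args[0])))
        {
            for (PDSignature sig : doc.getSignatureDictionaries())
            {
                COSDictionary sigDict = sig.getCOSObject();
                int level = docMdpLevel(sigDict);
                System.out.println("signature '" + sig.getName() + "': DocMDP P=" + level
                        + (isCertifyingSignature(doc, sigDict) ? " (certifying)" : "")
                        + (level == 1 ? " -> only DSS/DTS may be appended" : ""));
            }
        }
    }
}
```

Run it as `java DocMdpLevelCheck signed.pdf`; a result of `P=1 (certifying)` is the case the comment above describes, where any object in the LTV increment that is not strictly part of the DSS or the timestamp is at risk of being reported as an invalid change.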



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
