[ https://issues.apache.org/jira/browse/PDFBOX-5647?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tanmay Sharma updated PDFBOX-5647:
----------------------------------
    Description: 
A 2 page document was signed. The signature of the document was verified by 
[ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java] 
and it prints "Signature Verified". 
Then a corrupted signed PDF was created by deleting the second page of the same 
signed PDF and the signature of the corrupted PDF was also verified using 
[ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java]. 
Ideally the verification should fail because the hash of the document is changed 
(as the second page is deleted). But instead of printing "Signature verification 
failed", it still prints "Signature Verified". 

How is the signature of the corrupted PDF still getting verified successfully?

Both the signed PDF and the corrupted signed PDF are added in the attachments.

  was:
A 2 page document was signed. The signature of the document was verified by 
[ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java] 
and it prints "Signature Verified". 
Then a corrupted signed PDF was created by deleting the second page of the same 
signed PDF and the signature of the corrupted PDF was also verified using 
[ShowSignature sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java]. 
Ideally the verification should fail because the hash of the document is changed 
(as the second page is deleted). But instead of printing "Signature verification 
failed", it still prints "Signature Verified". 

How is the signature of the corrupted PDF still getting verified successfully?


> Showing signature verified for tampered document
> ------------------------------------------------
>
>                 Key: PDFBOX-5647
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5647
>             Project: PDFBox
>          Issue Type: Bug
>          Components: Signing
>            Reporter: Tanmay Sharma
>            Priority: Blocker
>         Attachments: Doc1_signed.pdf, Doc1_signed_corrupted.pdf


