[
https://issues.apache.org/jira/browse/PDFBOX-5647?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17753226#comment-17753226
]
Michael Klink commented on PDFBOX-5647:
---------------------------------------
The PDF format allows appending changes to a PDF without touching the original
bytes of the former document revision. These appended changes are called
incremental updates.
If you apply that mechanism to a signed PDF file, the signature mathematically
remains valid because the original bytes remain the same. For details see [this
old security stack exchange
answer|https://security.stackexchange.com/a/35131/16096].
This is why PDFBox outputs that the signature in [^Doc1_signed_corrupted.pdf]
is ok: The change, the deletion of the second page, is done in an incremental
update. You can verify using file compare tools that
[^Doc1_signed_corrupted.pdf] is [^Doc1_signed.pdf] plus some additions at the
end.
The PDFBox sample also tells you that there were additional changes: it outputs
"Signature does not cover whole document". Whenever you see that in the output
of ShowSignature, there may be arbitrary changes added after the signed
document revision.
----
Of course signatures that remain valid after arbitrary manipulations are not
helpful. Thus, only certain changes are allowed in incremental updates to
signed PDFs, see [this old stack overflow
answer|https://stackoverflow.com/a/16711745/1729265].
Analyzing the changes in an incremental update is non-trivial. Also, the
allowed changes are technically not well-specified. Thus, PDFBox has not
implemented a check whether incremental updates to a signed PDF are allowed;
its example validation code merely outputs whether there are incremental updates
after the signature or not.
Adobe Acrobat, on the other hand, has implemented a check of the incremental
updates. Due to the mentioned deficits in the specification of the allowed
changes, though, this implementation has changed quite a bit in
recent years. There are still multiple false positives and false negatives in its
reports, though.
> Showing signature verified for tempered document
> ------------------------------------------------
>
> Key: PDFBOX-5647
> URL: https://issues.apache.org/jira/browse/PDFBOX-5647
> Project: PDFBox
> Issue Type: Bug
> Components: Signing
> Reporter: Tanmay Sharma
> Priority: Blocker
> Attachments: Doc1_signed.pdf, Doc1_signed_corrupted.pdf
>
>
> A 2-page document was signed. The signature of the document was verified by
> [ShowSignature
> sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java]
> and it prints "Signature Verified".
> Then a corrupted signed PDF was created by deleting the second page of the
> same signed PDF and the signature of the corrupted PDF was also verified
> using [ShowSignature
> sample|https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java].
> Ideally the verification should fail because the hash of the document is changed
> (as the second page is deleted). But instead of printing "Signature verification
> failed", it still prints "Signature Verified".
> How is the signature of the corrupted PDF still getting verified successfully?
> Both the signed PDF and the corrupted signed PDF are added in the attachments.
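
Added example, not part of the Jira comment or of PDFBox: a byte-level check of what a signature's `/ByteRange` actually covers, showing why the digest is unchanged after an incremental update and how to detect the appended bytes. The sample "PDF" bytes are constructed stand-ins, and scanning raw bytes with a regex is a simplifying assumption; a real validator takes the ByteRange from the parsed signature dictionary.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signature_coverage(pdf: bytes) -> list:
    """For each /ByteRange found, report what the signature digest covers."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        if a + b > c or c + d > len(pdf):
            raise ValueError("ByteRange overlaps or points outside the file")
        gap = pdf[a + b:c]                       # unsigned hole: the /Contents hex string
        signed = pdf[a:a + b] + pdf[c:c + d]     # the bytes that are actually hashed
        reports.append({
            "digest": hashlib.sha256(signed).hexdigest(),
            "gap_is_contents": gap.startswith(b"<") and gap.endswith(b">"),
            "covers_whole_file": a == 0 and c + d == len(pdf),
            "bytes_after_signed_revision": len(pdf) - (c + d),
        })
    return reports

def build_signed_revision() -> bytes:
    """Constructed stand-in for a signed revision (not a parseable PDF)."""
    head = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    contents = b"<" + b"00" * 16 + b">"          # placeholder signature container
    tail = b" >>\nendobj\n%%EOF\n"
    b_len = len(head % (0, 0, 0, 0))             # fixed-width fields keep offsets stable
    c_off = b_len + len(contents)
    return head % (0, b_len, c_off, len(tail)) + contents + tail

SIGNED = build_signed_revision()
# Constructed incremental update: appended after the signed revision,
# leaving every signed byte untouched.
UPDATE = b"2 0 obj\n<< /Type /Pages /Count 1 >>\nendobj\n%%EOF\n"
TAMPERED = SIGNED + UPDATE

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("tampered", TAMPERED)):
        for r in signature_coverage(data):
            print(name, r["digest"][:16], "covers whole file:", r["covers_whole_file"],
                  "trailing bytes:", r["bytes_after_signed_revision"])
```

A non-zero `bytes_after_signed_revision` is the condition to treat as "content exists that the signer never saw"; whether that content is an allowed change still has to be decided separately.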