Aldo,

ABU-7 wrote:
> 
> The Question: What is a ByteRange ?
> 
>     * The Official PDF-Spec says that ByteRange is an array of (pairs of)
> integers.
>     * iText allows 2 or more pairs of integers.
>       The following sample has 1 cert-signature plus 2 signatures
>         http://web.tiscali.it/irrational/exp-sign/X-Cert-AZ.pdf
>       All the signatures are validated (integrity check) by iText method
> "verify"
> 
>     * A lot of Adobe docs say that ByteRange is made of 4 integers ONLY.
>     * Acrobat Reader won't validate the above pdf ; If you try, you can
> see a generic message about "..damaged or suspect data in SigDict ..." 
> (Note: since the certificate used (for all the 3 signatures) has been
> revoked, you should *temporarily* declare it as a trusted root
> certificate)
> 
> If you inspect the above pdf, you can see that the 3rd signature has the
> following "uncommon" byterange ;
> /ByteRange [0 31771 56897 621 78000 4086] , that is the 3rd signature
> excludes the whole block of the 2nd signature, plus of course its own
> /Contents block.
> 
> Do you think this kind of signature is a valid signature or not ?
> Do you think Acrobat signature validation is correct or should Acrobat be
> more permissive ?
> 

ISO 32000-1:2008, section 12.8.1 says: "A byte range digest shall be
computed over a range of bytes in the file, that shall be indicated by the
ByteRange entry in the signature dictionary. This range should be the entire
file, including the signature dictionary but excluding the signature value
itself (the Contents entry). Other ranges may be used but since they do not
check for all changes to the document, their use is not recommended. When a
byte range digest is present, all values in the signature dictionary shall
be direct objects."

Thus, according to this norm, more piecewise byte ranges are permissible.

Any verification algorithm accepting more piecewise byte ranges, i.e. byte
ranges excluding more than the actual signature container, though, had
better indicate which parts of the PDF its verification statement refers to.

The situation is slightly different, though, as soon as you want to have the
signatures be legally binding. In contexts like this the rules are a bit
more restrictive.

E.g., ETSI TS 102 778, section 4.3 says: "As with other CMS-based
signature implementations, a digest is computed over a range of bytes of the
file. However with PDF, as the signature information is to be embedded into
the document itself, this range shall be the entire file, including the
signature dictionary but excluding the PDF Signature itself. The range is
then indicated by the ByteRange entry of the signature dictionary.

NOTE 1: This makes normative a recommendation in ISO 32000-1 [1], clause
12.8.1.
NOTE 2: By restricting the ByteRange entry this way, it ensures that there
are no bytes in the PDF that are not covered by the digest, other than the
PDF signature itself."

Therefore, as soon as you're into signatures seriously, the signed byte
range simply has to cover all of the document but the one signature
container which signs this very byte range.

Regards,   Michael.

PS: If you want to do piecewise signatures, writing a corresponding Acrobat
plug-in may be the way you want to go.
-- 
View this message in context: 
http://www.nabble.com/Uncommon-ByteRange-entry-in-signature-dictionary-tp23670277p23671330.html
Sent from the iText - General mailing list archive at Nabble.com.
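
An added example, not part of the message above and not iText or Acrobat code: a small Python check that lists the bytes a /ByteRange leaves outside the digest and applies the ETSI TS 102 778 rule quoted above (everything covered except the one signature container). The function names and the SAMPLE buffer are constructed for illustration; the first array is the one quoted in the question.

```python
import re

def parse_byte_range(sig_dict):
    """Return the (offset, length) pairs of the first /ByteRange array found."""
    m = re.search(rb"/ByteRange\s*\[([\d\s]+)\]", sig_dict)
    if not m:
        raise ValueError("no /ByteRange entry")
    nums = [int(n) for n in m.group(1).split()]
    if not nums or len(nums) % 2:
        raise ValueError("ByteRange must hold pairs of integers")
    return list(zip(nums[0::2], nums[1::2]))

def uncovered_gaps(pairs, file_len):
    """Byte spans [start, end) of the file that the digest does not cover."""
    gaps, pos = [], 0
    for off, length in sorted(pairs):
        if off < pos or off + length > file_len:
            raise ValueError("overlapping or out-of-file range")
        if off > pos:
            gaps.append((pos, off))
        pos = off + length
    if pos < file_len:
        gaps.append((pos, file_len))
    return gaps

def covers_all_but_signature(pdf, pairs):
    """True only if there are two ranges and the single gap between them
    is exactly one hex string, i.e. the /Contents value of this signature."""
    gaps = uncovered_gaps(pairs, len(pdf))
    if len(pairs) != 2 or len(gaps) != 1:
        return False
    start, end = gaps[0]
    return re.fullmatch(rb"<[0-9A-Fa-f\s]*>", pdf[start:end]) is not None

# The array quoted in the question: three ranges, so two excluded blocks.
PAGE_PAIRS = parse_byte_range(b"/ByteRange [0 31771 56897 621 78000 4086]")

# Constructed sample (not a real PDF): head + hex signature placeholder + tail.
HEAD = b"%PDF-1.7\n1 0 obj << /Type /Sig /Contents "
SIG = b"<" + b"00" * 16 + b">"
TAIL = b" >> endobj\n%%EOF\n"
SAMPLE = HEAD + SIG + TAIL
SAMPLE_PAIRS = [(0, len(HEAD)), (len(HEAD) + len(SIG), len(TAIL))]

if __name__ == "__main__":
    print(uncovered_gaps(PAGE_PAIRS, 78000 + 4086))  # assumes last range ends at EOF
    print(covers_all_but_signature(SAMPLE, SAMPLE_PAIRS))
```

A verifier that accepts the three-range form can report the spans returned by `uncovered_gaps` alongside its result, so the reader sees which parts of the file the statement does not refer to.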