Hi Tilman, thanks for the hint with the lenient mode (I wasn't aware of this feature, as it is not exposed by the static PDDocument.load methods). I tried it and now the COSParser throws an Exception as expected.
> > Can you explain what you mean? I thought that the current check did > just > that. > As far as I understood the attack, the signature object is modified by the attacker and the /Byterange modified in such a way that the cryptographically verification still holds (the gap between the two signed ranges is increased). As a result of this, the actually used /Byterange (the modified one) is no longer part of the signed data. So my first idea was to check if the actually used /Byterange array is covered by the signature (is not in the unsigned gap). Anyway, I think turning off the lenient mode together with the "covers whole document" check, should provide an adequate security level. Thanks a lot for your valuable feedback, Wolfgang
smime.p7s
Description: S/MIME cryptographic signature
