0
votes

I am working on creating a PDF file which is digitally certified/signed. I am successfully able to sign my PDF document using the iText library.

However, the certificate details in Adobe Reader are shown as below:

Screenshot

Is the certificate ok? or is there any issue with it?

1
According to the popup, the certificate is trusted for signing documents, i.e. for your use case. Thus, it looks ok. As you did not provide the certificate itself, more is hard to say... – mkl
Please read itextpdf.com/book/digitalsignatures and try the code shown in chapter 5 to verify the signed document. – Bruno Lowagie
@BrunoLowagie: Tried what you suggested, the output shows that the certificate integrity check is true, however I have used my SSL certificate for signing it. Do you think that it is ok for signing? Output: ===== ankit1 ===== Signature covers whole document: true Document revision: 1 of 1 Integrity check OK?true – Ankit
Usually not: stackoverflow.com/questions/16029261/… There could be exceptions, but you should ask your CA, he'll be happy to sell you a certificate that can be used for signing. – Bruno Lowagie
@BrunoLowagie: You have given me the link to another question of mine. I posted this question after I got an answer to the question at that link. – Ankit

1 Answer

0
votes

Is the certificate ok? or is there any issue with it?

As far as your PDF viewer is concerned...

The certificate obviously is ok as far as your Adobe Reader is concerned. Your screen shot

screen shot

contains this document status in the document message bar:

[Image: document status in the document message bar]

According to the Signature Validation guide by Adobe

Signature Validation cheat sheet

this means two things:

  • Document has not changed or only contains permitted changes. (Document integrity check)
  • [Identity] Verified for all signers. (Identity Check)

In particular the latter means that Adobe Reader sees no issue with your certificate.

In the Certificate viewer this is confirmed by

Certificate trust settings

Your certificate is trusted to sign documents or data.

... but what is its legal value?

This is a different question altogether.

You already mention one obvious issue in a comment,

however I have used my SSL certificate for signing

in particular the subject of the certificate essentially only is your web site. That web site definitively is no natural person and most likely (I don't know Indian law) not a legal person / corporate body either. Thus, it isn't even clear who signed in that signature to start with.

Furthermore, SSL certificates usually probably have a key usage attribute value "digital signature" but not "non-repudiation". Thus, all it expresses is "this is a document as I saw it" (as long as the signature is not broken) but definitively not "I am responsible and liable for its contents".

In general, depending on the context the legal value is considered for, there are many countries and associations of countries which have strictly defined requirements for digital signatures to have immediate legal value, e.g. in the EU the eIDAS regulations. As you appear to be interested in India, Aadhaar certificates by the UIDAI might be more appropriate.

On the other hand, if you have agreed with the recipient of your signed document beforehand that you will use your SSL certificate for binding signatures, chances are that such signatures eventually are recognized as legally binding, too, and you can be held liable in court for what you signed.