How reliable is iText's signatureCoversWholeDocument() vs Acrobat Reader?

1
votes

I'd like to double check how reliable is iText's signatureCoversWholeDocument().

I have a document with one signature, which returns false for signatureCoversWholeDocument(), but Adobe Acrobat Reader doesn't report anything wrong with the document.

iText's method seems to be to sum up the byte range it gets in getSignatureNames():

public ArrayList<String> getSignatureNames() {

    .....

    PdfArray ro = v.getAsArray(PdfName.BYTERANGE);
    if (ro == null)
        continue;
    int rangeSize = ro.size();
    if (rangeSize < 2)
        continue;
    int length = ro.getAsNumber(rangeSize - 1).intValue() + ro.getAsNumber(rangeSize - 2).intValue();

...and then compare it to the document's length:

public boolean signatureCoversWholeDocument(String name) {
    getSignatureNames();
    name = getTranslatedFieldName(name);
    if (!sigNames.containsKey(name))
        return false;
    return sigNames.get(name)[0] == reader.getFileLength();
}

In my case the signature byte range is [0, 190, 33282, 382800] which sums up to 382800 + 33282 = 416082, but the document size is 665186

If I open the PDF with a text editor I also see the same signature byte range inside [0, 190, 33282, 382800]. If I look at PDFs that have byte ranges that add up perfectly to the file size, those get validated with iText no problem.

Another difference I see is that iText's 

(AcroFields) fields.getTotalRevisions() = 2

But inside Acrobat Reader I only see one revision.

Our client is pretty convinced that their documents are signed properly, so I'm quite confused...

So basically my questions are

  • Is this method that iText uses (summing up byte ranges) 100% reliable?
  • What method does Acrobat Reader use to validate that the whole document is signed?
  • Does Acrobat Reader show an error if the signature does not cover the whole document?
1
pdfitextdigital-signatureacrobat
Can you share a sample pdf for analysis? That being asked, document with 1 signature, which returns false for signatureCoversWholeDocument(), but Adobe Acrobat Reader, doesn't report anything wrong with the document - signatureCoversWholeDocument == false does not necessarily mean that something is wrong. Certain additions to a document are allowed after signing. Probably you have a certified form into which entries have been filed in. That also might explain differences in revision counts. - mkl

1 Answers

0
votes

Unfortunately the OP didn't share a sample PDF to illustrate his point. In general, though:

I have a document with one signature, which returns false for signatureCoversWholeDocument(), but Adobe Acrobat Reader doesn't report anything wrong with the document.

This does not necessarily mean that anything is wrong. See in this answer on Information Security Stack Exchange how multiple signatures in a single PDF work: The first signature covers only the first revision, the second one the first two revisions, etc... It is completely natural for the first signature not to cover the whole document.

Furthermore, additions to a signed PDF do not themselves need to be signed. I.e. you might have a PDF in which the first revision is signed and then some additions as incremental update. In this case it is also completely natural for the signature not to cover the whole document.

Should Adobe Reader show this as an issue? Not necessarily: Certain changes to a signed document are allowed! Read this answer on stack overflow.

Thus, I would assume you have a signed form into which entries have been filed in; or a signed arbitrary PDF to which other annotations were added.

That would also explain differences in revision counts. Adobe only counts each signed revision in its revision count while iText also counts a final, unsigned incremental update as a separate revision.

Thus,

  • Is this method that iText uses (summing up byte ranges) 100% reliable?

Summing up the latter two numbers to determine the size of the signed revision is completely ok. There simply may be additional data appended as an incremental update with allowed changes.

(There is a different issue, though: The gap in the byte ranges has to coincide with the space reserved for the signature container. As far as I remember iText does not strictly enforce this.)

  • What method does Acrobat Reader use to validate that the whole document is signed?

Adobe Reader checks the signatures just like iText does. In addition, though, it checks whether any additions are "allowed changes" as described in the documentation referenced above. If an incremental update after the last signature of a document contains only such allowed changes, Adobe Reader considers the signature valid in respect of the whole document.

(Beware, though: The algorithms Adobe Reader uses to determine whether changes are allowed, partially only allow changes done as Adobe Reader would have done them itself and partially don't recognize disallowed changes.)

  • Does Acrobat Reader show an error if the signature does not cover the whole document?

Not necessarily, only if there are disallowed changes in the extra content.