0
votes

I am trying to add an overlay (which I think is a disallowed change) to an already signed PDF (visible detached signature) and then sign this PDF again. This results in invalidation of the first signature. However, the second signature remains valid.

Is it possible to have both signatures be valid after the second signing?

I am using PDFBox v2.0.8

Attaching sample PDFs here

  1. Original PDF
  2. Digitally sign PDF from step 1
  3. Overlay digitally signed PDF from step 2
  4. Digitally sign PDF produced from Step 3

Thanks, Abhi

1
Can you share the result file? Btw "2.0.x" is not a version. 2.0.8 is. – Tilman Hausherr

First of all, for allowed and disallowed changes look here. In the light of that answer: (a) what type of signature is your existing signature? (b) what exactly do you mean by overlay? Something done using the PDFBox Overlay class or something overlaying in an arbitrary manner? – mkl

@mkl: (a) visible detached signature with "ECDSAwithSHA256" (b) overlay means merging two PDF documents via this method of Overlay – Abhishek Dadhich

Sorry, by "type of signature" in (a) I meant: Is it a certification signature or an approval signature? In the former case, which changes are allowed by the certification signature? Concerning your answer to (b), though: No, doing overlays as the Overlay class does is never allowed in already signed documents because the Overlay class manipulates page content, which is forbidden for any kind of signed document. – mkl

First of all, the signature in the sample document with one signature, 2_Signed.pdf, is not a certification signature (Adobe Reader, in the case of documents whose first signature is merely an approval signature, assumes an equivalent of the most liberal certification, which might have made you think it is a certification signature). And then your problem concerning the first signature is not merely that you applied disallowed changes in an incremental update as was expected here. You actually saved the file normally after using Overlay, not using an incremental update. This completely breaks – mkl

1 Answer

2
votes

As it turned out, the main problem was not whether the changes applied after the first signature were allowed or not; the problem was that these changes were added to the file using a normal save.

Such a normal save can completely change the order in which PDF objects are stored in the PDF file. Consequently, such a normal save damages the first signature beyond repair, as its alleged signed byte ranges have changed and the signature value is not located in the gap between those ranges anymore either.

Thus, whichever changes you apply to a signed document, make sure you store them as an incremental update!

That being said, though, it is difficult to use the PDFBox incremental update mechanism for anything other than what it was designed for, i.e. anything but adding additional signatures. You have to mark the low level objects you changed, including a chain of objects from the document catalog to them, so you must in particular understand how exactly your changes are implemented on a very low level. Furthermore, this mechanism often requires you to save more objects than actually have changed, due to the "chain from the catalog" criterion.
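As an added example (not code from the answer above or from the PDFBox project), this is what the incremental-update bookkeeping just described looks like with PDFBox 2.0.x: a text annotation is added to the first page of an already signed file, the changed objects and the chain of page-tree nodes up to the catalog are flagged with `setNeedToBeUpdated(true)`, and the result is written with `saveIncremental`. Whether adding an annotation is itself an allowed change still depends on the signature type discussed in the comments; the input and output paths are placeholders taken from the command line.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;
import org.apache.pdfbox.pdmodel.common.PDRectangle;
import org.apache.pdfbox.pdmodel.interactive.annotation.PDAnnotationText;

public class IncrementalAnnotate {
    // Walks from a page-tree node up the /Parent links and marks every node, plus
    // the catalog, so that saveIncremental() writes the whole chain into the update.
    static void markChainToCatalog(PDDocument doc, COSDictionary node) {
        COSDictionary current = node;
        while (current != null) {
            current.setNeedToBeUpdated(true);
            COSBase parent = current.getDictionaryObject(COSName.PARENT);
            current = (parent instanceof COSDictionary) ? (COSDictionary) parent : null;
        }
        doc.getDocumentCatalog().getCOSObject().setNeedToBeUpdated(true);
    }

    public static void main(String[] args) throws IOException {
        File in = new File(args[0]);   // placeholder: the already signed input, e.g. 2_Signed.pdf
        File out = new File(args[1]);  // placeholder: output file receiving the incremental update
        try (PDDocument doc = PDDocument.load(in);
             OutputStream os = new FileOutputStream(out)) {
            PDPage page = doc.getPage(0);
            // The change itself: a sticky-note annotation. The existing page content
            // stream is not touched, unlike what the Overlay class does.
            PDAnnotationText note = new PDAnnotationText();
            note.setContents("Reviewed");
            note.setRectangle(new PDRectangle(50, 700, 20, 20));
            page.getAnnotations().add(note);
            // Mark what changed: the new annotation, the /Annots array it was added to,
            // the page dictionary, and the page-tree chain up to the catalog.
            note.getCOSObject().setNeedToBeUpdated(true);
            COSBase annots = page.getCOSObject().getDictionaryObject(COSName.ANNOTS);
            if (annots instanceof COSArray) {
                ((COSArray) annots).setNeedToBeUpdated(true);
            }
            markChainToCatalog(doc, page.getCOSObject());
            // Append the update section; the original bytes covered by the first
            // signature's /ByteRange are left exactly as they were.
            doc.saveIncremental(os);
        }
    }
}
```

Checking the output in a viewer that reports document modifications shows whether the first signature now survives the change, in contrast to the normal save described in the answer.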