Posted to dev@pdfbox.apache.org by "Tilman Hausherr (JIRA)" <ji...@apache.org> on 2016/07/14 19:17:20 UTC

[jira] [Updated] (PDFBOX-3017) Improve document signing

     [ https://issues.apache.org/jira/browse/PDFBOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tilman Hausherr updated PDFBOX-3017:
------------------------------------
    Description: 
Improve signing code:
- incremental save only works for signatures and doesn't respect certificates such as Adobe Extended Usage Rights
- -{{prepareNonVisualSignature}} clears the AcroForm DR {{acroForm.setDefaultResources(null)}} which is not good if there are other form fields-
- visual/nonVisualSignature should move into the {{interactive.forms}} package and be handled within the signature field
- -verify signature (to have tests that go full circle)- done June 2016
- document or refactor / rewrite visible labyrinthine signature code
- why is it not possible to pass only the signatureField to addSignature, instead of having to create a COSDocument with a page and annotations that has the signature field, and that must be searched for in {{prepareVisibleSignature()}}?
- support rotated pages (see https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956 )
- make sure that signed PDF/A files are still PDF/A (see http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf ); /ID possibly not OK; /Annots is possibly required ([~tilman] removed this for invisible signatures); test signed files with PDF-Tools and with preflight; test whether "bad" signatures are detected by preflight
- PDFBOX-3363 - why is the stream cached in a file? Should it be done in memory?
- remove {{setVisualSignature(PDVisibleSigProperties visSignatureProperties)}} from SignatureOptions.java, all it does is to call {{visSignatureProperties.getVisibleSignature()}} which returns an {{InputStream}}, and this is already available
- {{checkSignatureField}} violates the "do one thing" rule
- decide whether the whole certificate chain should be passed in the sample code, instead of only the first one
- check certificate chain, revocation lists, etc, only if needed by users, code [here|https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/]
- deprecate / remove all PDVisibleSignDesigner constructors except those with a PDDocument object, to avoid a file being opened twice
- ... your ideas...

  was:
Improve signing code:
- incremental save only works for signatures and doesn't respect certificates such as Adobe Extended Usage Rights
- -{{prepareNonVisualSignature}} clears the AcroForm DR {{acroForm.setDefaultResources(null)}} which is not good if there are other form fields-
- visual/nonVisualSignature should move into the {{interactive.forms}} package and be handled within the signature field
- -verify signature (to have tests that go full circle)- done June 2016
- document or refactor / rewrite visible labyrinthine signature code
- why is it not possible to pass only the signatureField to addSignature, instead of having to create a COSDocument with a page and annotations that has the signature field, and that must be searched for in {{prepareVisibleSignature()}}?
- support rotated pages (see https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956 )
- make sure that signed PDF/A files are still PDF/A (see http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf ); /ID possibly not OK; /Annots is possibly required ([~tilman] removed this for invisible signatures); test signed files with PDF-Tools and with preflight; test whether "bad" signatures are detected by preflight
- PDFBOX-3363 - why is the stream cached in a file? Should it be done in memory?
- remove {{setVisualSignature(PDVisibleSigProperties visSignatureProperties)}} from SignatureOptions.java, all it does is to call {{visSignatureProperties.getVisibleSignature()}} which returns an {{InputStream}}, and this is already available
- {{checkSignatureField}} violates the "do one thing" rule
- decide whether the whole certificate chain should be passed in the sample code, instead of only the first one
- check certificate chain, revocation lists, etc, only if needed by users, code [here|https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/]
- ... your ideas...


> Improve document signing
> ------------------------
>
>                 Key: PDFBOX-3017
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-3017
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: Signing
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Tilman Hausherr
>         Attachments: pdfa_signed_insivible.pdf
>


