Posted to dev@pdfbox.apache.org by "Aleksei Balan (JIRA)" <ji...@apache.org> on 2017/07/17 09:47:00 UTC

[jira] [Comment Edited] (PDFBOX-3017) Improve document signing

    [ https://issues.apache.org/jira/browse/PDFBOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16089556#comment-16089556 ] 

Aleksei Balan edited comment on PDFBOX-3017 at 7/17/17 9:46 AM:
----------------------------------------------------------------

It is not necessary to add the certificate; it should be in certificateChain. But it will do no harm, because Bouncy Castle will sort the chain into the correct order, taking only the necessary certificates.
The improvement can be seen, for example, in Adobe Acrobat and Reader. If the keystore contains a certificate chain, it will be copied to the PDF signature.
You did see the certificate hierarchy because Acrobat could find the necessary intermediate certificates installed on your system and rebuild the chain by itself.
In general this is not the case, so it is better to provide a chain inside the signature.
[^PDFBOX-3017_certificate_chain_Screenshot.png]



> Improve document signing
> ------------------------
>
>                 Key: PDFBOX-3017
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-3017
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: AcroForm, Signing
>    Affects Versions: 2.0.0, 3.0.0
>            Reporter: Tilman Hausherr
>             Fix For: 3.0.0
>
>         Attachments: pdfa_signed_insivible.pdf, PDFBOX-3017_certificate_chain.diff, PDFBOX-3017_certificate_chain_Screenshot.png
>
>
> Improve signing code:
> - incremental save only works for signatures and doesn't respect certificates such as Adobe Extended Usage Rights
> - -{{prepareNonVisualSignature}} clears the AcroForm DR {{acroForm.setDefaultResources(null)}} which is not good if there are other form fields-
> - visual/nonVisualSignature should move into the {{interactive.forms}} package and be handled within the signature field
> - -verify signature (to have tests that go full circle)- done June 2016
> - document or refactor / rewrite visible labyrinthine signature code
> - why is it not possible to pass only the signatureField to addSignature, instead of having to create a COSDocument with a page and annotations that has the signature field, and that must be searched for in {{prepareVisibleSignature()}}?
> - support rotated pages (see https://stackoverflow.com/questions/34012293/pdfbox-sign-landscape-file-error/34359956#34359956 )
> - -make sure that signed PDF/A files are still PDF/A (see http://www.pdfa.org/wp-content/uploads/2011/08/tn0006_digital_signatures_in_pdfa-1_2008-03-14.pdf ); /ID possibly not OK; /Annots is possibly required ([~tilman] removed this for invisible signatures); test signed files with PDF-Tools and with preflight- tested, they are OK with PDF-Tools and preflight
> - test whether "bad" signatures are detected by preflight (search in old issues)
> - -PDFBOX-3363 - why is the stream cached in a file? Should it be done in memory?- done on July 15, 2016
> - remove {{setVisualSignature(PDVisibleSigProperties visSignatureProperties)}} from SignatureOptions.java, all it does is to call {{visSignatureProperties.getVisibleSignature()}} which returns an {{InputStream}}, and this is already available
> - {{checkSignatureField}} violates the "do one thing" rule
> - decide whether the whole certificate chain should be passed in the sample code, instead of only the first one
> - check certificate chain, revocation lists, etc, only if needed by users, code [here|https://svn.apache.org/repos/asf/cxf/tags/cxf-2.4.1/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/]
> - deprecate / remove all PDVisibleSignDesigner constructors except those with a PDDocument object, to avoid a file being opened twice
> - ... your ideas...



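Added example, not part of the original message and not PDFBox's own code: a detached CMS signature built with Bouncy Castle, once with only the signing certificate and once with the whole chain embedded, to show what a verifier can recover from the signature alone. The class name `ChainInSignature`, the helpers `issue` and `sign`, and the three throwaway certificates (generated in memory, without extensions) are assumptions for illustration; bcprov and bcpkix must be on the classpath.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.*;

public class ChainInSignature {
    // Issue a one-day test certificate (no extensions) for subjectKey, signed by issuerKey.
    static X509Certificate issue(String subject, PublicKey subjectKey,
                                 String issuer, PrivateKey issuerKey) throws Exception {
        Date from = new Date(), to = new Date(from.getTime() + 86_400_000L);
        ContentSigner s = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().getCertificate(new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(System.nanoTime()), from, to,
                new X500Name(subject), subjectKey).build(s));
    }

    // Detached CMS signature over content; certs[0] is the signing certificate,
    // and every certificate passed in is embedded in the SignedData structure.
    static CMSSignedData sign(byte[] content, PrivateKey key, X509Certificate... certs)
            throws Exception {
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build()).build(signer, certs[0]));
        gen.addCertificates(new JcaCertStore(Arrays.asList(certs)));
        return gen.generate(new CMSProcessableByteArray(content), false);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair root = kpg.generateKeyPair(), mid = kpg.generateKeyPair(), leaf = kpg.generateKeyPair();
        // Constructed chain: Test Root -> Test Intermediate -> Test Signer.
        X509Certificate rootCert = issue("CN=Test Root", root.getPublic(), "CN=Test Root", root.getPrivate());
        X509Certificate midCert = issue("CN=Test Intermediate", mid.getPublic(), "CN=Test Root", root.getPrivate());
        X509Certificate leafCert = issue("CN=Test Signer", leaf.getPublic(), "CN=Test Intermediate", mid.getPrivate());
        byte[] data = "constructed stand-in for the signed PDF bytes".getBytes();
        CMSSignedData leafOnly = sign(data, leaf.getPrivate(), leafCert);
        CMSSignedData withChain = sign(data, leaf.getPrivate(), leafCert, midCert, rootCert);
        // Count the certificates a verifier can take from the signature itself.
        System.out.println("leaf only : " + leafOnly.getCertificates().getMatches(null).size());
        System.out.println("with chain: " + withChain.getCertificates().getMatches(null).size());
    }
}
```

With a real keystore, the array returned by `KeyStore.getCertificateChain(alias)` takes the place of the constructed certificates passed to `sign`.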