2

I'm generating a PDF file with puppeteer. It automatically generates a PDF-1.4 file. Then, I use dss to digitally sign it with a PAdES signature. The resulting file can be opened in PDF viewers and PDFStudio seems to correctly parse the document signature.

Is this valid however? Wikipedia states that the PDF/A-2 (which is based on 1.7) added support for PAdES. Do I need to generate at least PDF-1.7 (or PDF/A-2) to have a valid PDF file with a valid signature?

Note: I use the term valid in both the technical and legal terms.

Leprechaun
  • 852
  • 6
  • 25

1 Answers1

2

The PAdES norm ETSI EN 319 142 characterizes

PAdES signatures profiled in the present document build on PDF signatures specified in ISO 32000-1 with an alternative signature encoding to support digital signature formats equivalent to the signature format CAdES.

The PDF norm ISO 32000-1 characterizes

ISO 32000 specifies a digital form for representing documents called the Portable Document Format or usually referred to as PDF. PDF was developed and specified by Adobe Systems Incorporated beginning in 1993 and continuing until 2007 when this ISO standard was prepared. The Adobe Systems version PDF 1.7 is the basis for this ISO 32000 edition. The specifications for PDF are backward inclusive, meaning that PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6. It should be noted that where Adobe removed certain features of PDF from their standard, they too are not contained herein.

(This may sound a bit confusing, on one hand PDF 1.7 includes all of the functionality previously documented in the Adobe PDF Specifications for versions 1.0 through 1.6, on the other hand Adobe removed certain features of PDF from their standard. Indeed, some features were removed but I don't believe your PDF 1.4 files are affected.)

Thus, a PDF file like yours claiming a version 1.4 also is a PDF 1.7 by backward inclusiveness and as such can get signed by PAdES signatures.

Thus, yes, PDF 1.4 files can (technically) validly be signed with PAdES signatures. (Unless, obviously, your files explicitly disallow this.)

(Actually one can also view PAdES signatures as adopted in ISO 32000-2; in this case your PDF 1.4 files by backward inclusiveness are also PDF 2.0 and as such can be signed using PAdES signatures as specified there.)

You also enquire about legal aspects. First of all, I am not a lawyer, so don't consider this formal legal consultation.

To start with, though, you have to make clear in which legal system you want to investigate legal validity.

While PAdES originally has been defined in the context of European Union signature regulations, a number of other countries also adopted PAdES as standard for their preferred PDF signatures.

So: Are you wondering about validity as signatures in the context of EU eIDAS signatures? Are you considering specific regulations of EU member states? Or are you wondering about the situation in other countries outside the EU?

In the EU your PAdES signatures should be generally accepted. Even though there may be some member state special regulations in specific contexts, they should only influence your choice of the PAdES profile you request for your signatures from DSS, they should not render your PDF 1.4 source PDFs unusable for PAdES signing.

I don't know specifics about non-EU legal systems with a PAdES preference. But I indeed would be surprised if any would be bothered by your PDFs being PDF 1.4.

In comments the question arose whether the signed file is also still a valid PDF 1.4 and if not whether the version 1.4 in the file header would be a concern.

Obviously PDF 1.4 does not know the details of the PAdES signature encodings. Fortunately, though, the PDF Reference 1.4 actually does not know any specific signature encoding at all! Thus, no signature encoding is invalid as long as it follows the very few rules present in the PDF 1.4 reference, and PAdES signatures do so.

Furthermore, the PDF 1.4 reference allows

A PDF producer or Acrobat plug-in extension may also add keys to any PDF object that is implemented as a dictionary, except the file trailer dictionary (see Section 3.4.4, “File Trailer”).

Thus, any keys added while applying the PAdES signature which are not defined in PDF 1.4 are harmless.

Thus, the PDF 1.4 files with PAdES signatures added are also still valid PDF 1.4 files. Obviously, though, a plain PDF 1.4 viewer does not know how to validate the PAdES signatures. But as it does not know how to validate any signatures at all, that's of no concern.

mkl
  • 90,588
  • 15
  • 125
  • 265
  • What exactly does it mean that `The specifications for PDF are backward inclusive` ? I imagine we are not talking about traditional backwards compatibility. However, implying that all features of 1.7 are somehow included in 1.4 as well are defeating the whole point of version semantics, don't they? I've tried to google the phrase but came empty-handed. – Leprechaun Nov 09 '20 at 22:07
  • What they want to imply by that term is that a pdf 1.4 document automatically also is a pdf 1.5, 1.6, and 1.7 document. That all features of 1.4 essentially also are included in all following versions. The version entry in a pdf shall essentially denote a minimum version a pdf viewer must support to display the document, a 1.4 pdf file is a valid pdf according to pdf 1.4, 1.5, 1.6, ... specifications. – mkl Nov 10 '20 at 05:45
  • So PDF-1.4 is a valid 1.7 file. That's OK I get that. But if there's a feature introduced in PDF-1.7 (such as the signatures in question), It doesn't make sense to be retroactively backported to 1.4. Otherwise the numbers make no sense. Either the 1.7 is a superset of 1.4 or the 1.4 is a superset of 1.7. How can both statements be true? – Leprechaun Nov 10 '20 at 11:15
  • They obviously are not backported. Your original 1.4 files are valid as 1.7 files. Therefore, they can be PAdES signed and the results are PDF 1.7 files (with an ESIC or ADBE extension). We have not discussed whether those results are valid PDF 1.4 files. That discussion is related to the section "LTV-enabled vs. PDF 1.4" in [this answer](https://stackoverflow.com/a/26124267/1729265). – mkl Nov 10 '20 at 14:09
  • But adding the signature (with DSS or PDFBox) does not change the file header, which still contains `%PDF-1.4`. So the signing produces a 1.7 file with a 1.4 header? That does not sound valid to me. – Leprechaun Nov 10 '20 at 14:46
  • According to ISO 32000-1: "The first line of a PDF file shall be a header consisting of the 5 characters %PDF– followed by a version number of the form 1.N, where N is a digit between 0 and 7." Please remember there also is the **Version** key in the **Catalog**. Furthermore, I said *We have not discussed...*. That does not mean that it is not a valid 1.4 document, merely that we have not discussed that issue yet... ;) – mkl Nov 10 '20 at 14:51
  • So is it a valid 1.4 doc? Or a 1.7 doc? Oh my, this is getting too complicated. Even my PDF readers say the resulting file is a 1.4, although they may just be parsing the header and not doing much validation. I think I'm just gonna accept your answer with a TLDR: "There is no answer. The PDF is a mess. Is it valid? Well technically yes, but actually no." – Leprechaun Nov 10 '20 at 15:08
  • The answer to that actually is more specific. See my edit. – mkl Nov 10 '20 at 15:32