
We are trying to add a certification signature to avoid further modifications to the document after the first signature. But whenever we set the DocMDP transform with the value 2 (which should allow new signatures), Adobe Reader disables the option to digitally sign the document, although the security properties show that signatures are allowed. Is that a bug in Adobe Reader, or are we doing something wrong in our code?

PDFBox version:

    try (PDDocument document = PDDocument.load(conteudoStream, MemoryUsageSetting.setupTempFileOnly())) {
        PDSignature signature = new PDSignature();

        signature.setFilter(PDSignature.FILTER_ADOBE_PPKLITE);
        signature.setSubFilter(PDSignature.SUBFILTER_ADBE_PKCS7_DETACHED);
        signature.setName("My System");
        signature.setLocation(SOURCE_LOCATION);
        signature.setReason("Assinatura Digital de documento.");

        // Certify only when the document carries no signature yet
        boolean isFirst = document.getSignatureDictionaries().isEmpty();
        document.addSignature(signature);

        if (isFirst) {
            SigUtils.setMDPPermission(document, signature, 3);
        }

        ExternalSigningSupport externalSign = PdfBoxHelper.saveIncrementalForExternalSigning(document, output);
        externalSign.setSignature(signature);
    }

iText version:

    Rectangle rect = new Rectangle(36, 748, 144, 780);
    PdfSigner signer = new PdfSigner(new PdfReader(inputPath), new FileOutputStream(outputPath), false);
    signer.setFieldName("signature");
    // CERTIFIED_FORM_FILLING certifies the document at DocMDP level 2
    signer.setCertificationLevel(PdfSigner.CERTIFIED_FORM_FILLING);
    System.out.println("provider: " + Util.getProvedor().getName());
    signer.signDetached(new BouncyCastleDigest(), new PrivateKeySignature(key, DigestAlgorithms.SHA512, "SunMSCAPI"), chain, null, null, null, 0, PdfSigner.CryptoStandard.CMS);

Security properties:

[Screenshot: security properties]

Signature disabled:

[Screenshot: signature disabled]

We expected that modifications to the document would be forbidden but new signatures would be allowed, as the description for DocMDP should allow "Form fill-in and digital signatures", and Adobe Reader lists signatures as allowed although it greys out the option to sign.

Edit: As requested, I've included a sample certified PDF. We are using Adobe Reader version 2023.001.20143. It's certified with DocMDP transform P=2. Adobe Reader shows signatures as allowed, but the Digitally Sign button is disabled.

Edit 2: included also a sample using iText instead of PDFBox.

Edit 3: searched for sample certified PDFs on the Internet and for none of them the Digitally Sign button on Adobe Reader was enabled. I'm suspecting it's a bug on Adobe Reader. Does anyone know of a certified PDF that Adobe Reader would allow new signatures on, so we can compare what's different in the PDF structure?

Sample certified PDF (PDFBOX)

Sample certified PDF (ITEXT)

  • Please share an example signed PDF to reproduce the issue, and indicate the Adobe Reader version you use. That being asked for, please have a look at [this stack overflow answer](https://stackoverflow.com/a/16711745/1729265) about the original allowed and disallowed changes to signed documents. You will in particular see the difference that in certified documents, _adding form fields_ always is disallowed, so to sign you needed an empty signature field. IIRC that concept was changed slightly over time to allow adding signature fields for P=1 and P=2 but maybe in your case that is suppressed. – mkl May 18 '23 at 16:33
  • It may be related to your signature having issues, in a byte range signature (the nowadays only interoperable signature type) _all values in the signature dictionary shall be direct objects_. In your file, though, the signature reference dictionary is indirect and the transform parameters therein also are indirect. Furthermore, the signature field claims to have its widget on the page object with ID 6 but that page object does not have any annotations at all. – mkl May 23 '23 at 15:26
  • Thanks, I'll check that. We do not deal directly with these low-level PDF internal structures; we use PDFBox Java library methods as an abstraction. I don't know if we are doing something wrong with it or it's a bug in the library, but thanks for throwing some light on that. I'll try to learn more about PDF internal structure details and how PDFBox deals with them. – Tiago Schumann May 24 '23 at 11:24
  • Re @mkl comment (thanks), the annotation thing was fixed some time ago; for the "indirect" thing, one would have to change `SigUtils.setMDPPermission()` and add `referenceDict.setDirect(true);` and `referenceArray.setDirect(true);` and `transformParameters.setDirect(true);`. I will fix this in the examples. – Tilman Hausherr May 25 '23 at 06:56
  • @Tiago Tilman has checked in those changes ([PDFBOX-5609](https://issues.apache.org/jira/browse/PDFBOX-5609)). Can you update your code accordingly and try again? That will show whether we identified the problem or whether there are other things Adobe Acrobat requires. (After all, whether some tools in Acrobat are available or not, is as much a matter of the closed Acrobat sources as of the PDF in question.) – mkl May 25 '23 at 08:01
  • Thank you both for the help. Unfortunately the updated code did not solve the symptom. I took a look at the iText-generated signed PDF too, and all the references seem to be direct, but the same behaviour occurs in Adobe Reader too. So probably that's not the real reason for the option to be disabled. It must be something else. – Tiago Schumann May 25 '23 at 16:21
  • Ok, I just looked at the issue the other way around: I used Adobe Acrobat to create and certify a document, and guess what, for that document I got the exact same behavior! If the certified document contained an empty signature field, I could sign by clicking it; nonetheless, the option to digitally sign in the certificates menu was inactive. – mkl May 25 '23 at 21:25
  • *"I'm suspecting it's a bug on Adobe Reader."* - Actually I'm suspecting this is the intended behavior: Already for Acrobat 9 Adobe has described that for certified documents adding new form fields (including signature fields!) always is forbidden. Unless no changes are allowed, signing is allowed by using empty signature fields. For a signed but not certified document, though, adding signature fields is allowed. Cf. [this old answer](https://stackoverflow.com/a/16711745/1729265). – mkl May 25 '23 at 21:35
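
A way to inspect the three things the comments above discuss: the DocMDP P value, whether the signature reference dictionary and its transform parameters are direct objects, and whether the certified file offers an empty signature field. This is an added example, not code from the thread or from the PDFBox examples; it assumes PDFBox 2.x, and the class name `CertifiedPdfCheck` is hypothetical.

```java
import java.io.File;
import java.io.IOException;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSObject;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.form.PDAcroForm;
import org.apache.pdfbox.pdmodel.interactive.form.PDField;
import org.apache.pdfbox.pdmodel.interactive.form.PDSignatureField;
// Added example; CertifiedPdfCheck is a hypothetical name. Assumes PDFBox 2.x.
public class CertifiedPdfCheck {
    static final COSName REFERENCE = COSName.getPDFName("Reference");
    static final COSName TRANSFORM_PARAMS = COSName.getPDFName("TransformParams");
    public static void main(String[] args) throws IOException {
        try (PDDocument doc = PDDocument.load(new File(args[0]))) {
            COSBase perms = doc.getDocumentCatalog().getCOSObject().getDictionaryObject(COSName.PERMS);
            COSBase sig = perms instanceof COSDictionary
                    ? ((COSDictionary) perms).getDictionaryObject(COSName.DOCMDP) : null;
            COSBase refs = sig instanceof COSDictionary
                    ? ((COSDictionary) sig).getDictionaryObject(REFERENCE) : null;
            if (!(refs instanceof COSArray)) {
                System.out.println("Not certified: no /Perms /DocMDP signature reference");
            } else {
                COSArray array = (COSArray) refs;
                for (int i = 0; i < array.size(); i++) {
                    if (!(array.getObject(i) instanceof COSDictionary)) continue;
                    COSDictionary ref = (COSDictionary) array.getObject(i);
                    // get()/getItem() return the raw entry; a COSObject is an indirect reference
                    System.out.println("reference dictionary indirect: " + (array.get(i) instanceof COSObject));
                    System.out.println("TransformParams indirect: " + (ref.getItem(TRANSFORM_PARAMS) instanceof COSObject));
                    COSBase params = ref.getDictionaryObject(TRANSFORM_PARAMS);
                    if (params instanceof COSDictionary) {
                        // P defaults to 2 when the entry is absent
                        System.out.println("DocMDP P = " + ((COSDictionary) params).getInt(COSName.P, 2));
                    }
                }
            }
            // Unsigned signature fields: what the thread says a later signer clicks to sign
            PDAcroForm form = doc.getDocumentCatalog().getAcroForm();
            if (form == null) return;
            for (PDField field : form.getFieldTree()) {
                if (field instanceof PDSignatureField && ((PDSignatureField) field).getSignature() == null) {
                    System.out.println("empty signature field: " + field.getFullyQualifiedName());
                }
            }
        }
    }
}
```

Run it with the path of the certified PDF as the only argument. A file that reports P = 2 but lists no empty signature field matches the situation described in the last two comments.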
