
I am using the code below ("ShowSignature") to verify the signature:

https://apache.googlesource.com/pdfbox/+/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/ShowSignature.java

I am using "acro_signed.pdf" from the link (https://issues.apache.org/jira/browse/PDFBOX-2816) to verify the signature. Acrobat shows this file as tampered or corrupt, but PDFBox reports the verification as successful.

How can I find the issue?

Rajat Gaur (post edited by halfer)
  • ShowSignature can't tell whether changes are allowed or not, however it can tell whether the signature covers the whole document or not. – Tilman Hausherr Aug 08 '23 at 08:21

1 Answer

The PDF format allows appending changes to a PDF without touching the original bytes of the previous document revision. These appended changes are called incremental updates.

If you apply that mechanism to a signed PDF file, the signature mathematically remains valid because the original bytes remain the same. This is why PDFBox outputs that the signature is ok. For details see this old answer.

Of course signatures that remain valid after arbitrary manipulations are not helpful. Thus, only certain changes are allowed in incremental updates to signed PDFs, see this old answer.

Analyzing the changes is non-trivial. Also, the allowed changes are technically not well-specified. Thus, PDFBox has not implemented a check whether incremental updates to a signed PDF are allowed, its example validation code merely outputs if there are incremental updates after the signature or not.

Adobe Acrobat, on the other hand, has implemented a check of the incremental updates. Due to the mentioned deficits in the specification of the allowed changes, though, this implementation has changed quite a bit in recent years. There are still multiple false positives and false negatives in its reports.

In the case at hand, therefore, the PDFBox example class ShowSignature outputs something along the lines of "Signature valid, but there are changes in incremental updates", while Adobe Acrobat indicates a broken signature (due to the changes in the incremental update). Both are right in their own way.

mkl (post edited by halfer)
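To make the mechanism in the answer concrete, here is an added example (written for this page, not code from the question, the answer, or PDFBox). A PDF signature's `/ByteRange` names the two byte ranges the signer hashed: everything before the `/Contents` hex string and everything after it up to the end of the signed revision. Anything appended after that second range is an incremental update the signature cannot see. The code builds a constructed, minimal stand-in for a signed revision (not a real parseable PDF; the `/Prev` offset and the annotation object are made up), appends a constructed incremental update, and then shows two things: a digest over exactly the signed ranges is unchanged by edits after the signed revision but changes for edits inside it, and the `/ByteRange` end offset compared with the file length tells you whether the signature covers the whole file, which is the kind of check ShowSignature can make.

```python
import hashlib
import re

# Matches the four integers of a /ByteRange [start1 len1 start2 len2] array.
BYTERANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

# Constructed sample incremental update (hypothetical objects and /Prev value),
# appended after the signed revision without touching its bytes.
INCREMENTAL_UPDATE = (
    b"3 0 obj\n<< /Type /Annot /Subtype /Text /Contents (added later) >>\nendobj\n"
    b"trailer\n<< /Root 2 0 R /Prev 9 >>\n%%EOF\n")


def build_signed_revision() -> bytes:
    """Build a constructed minimal 'signed revision' with a consistent /ByteRange.

    The placeholders are replaced by zero-padded 10-digit numbers of the same
    width, so the offsets computed before the replacement stay valid.
    """
    head = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
            b" /SubFilter /adbe.pkcs7.detached"
            b" /ByteRange [0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents <")
    contents_hex = b"00" * 32  # stand-in for the hex-encoded CMS signature
    tail = b"> >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"

    a = len(head) - 1                  # offset of the '<' opening /Contents
    b = a + 1 + len(contents_hex) + 1  # first byte after the closing '>'
    c = len(tail) - 1                  # bytes from b to the end of the revision
    head = (head.replace(b"AAAAAAAAAA", b"%010d" % a)
                .replace(b"BBBBBBBBBB", b"%010d" % b)
                .replace(b"CCCCCCCCCC", b"%010d" % c))
    return head + contents_hex + tail


def _byte_range(pdf: bytes):
    m = BYTERANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    s1, l1, s2, l2 = map(int, m.groups())
    if s1 != 0 or s2 < s1 + l1 or s2 + l2 > len(pdf):
        raise ValueError("ByteRange does not fit the file")
    return s1, l1, s2, l2


def signed_digest(pdf: bytes) -> str:
    """SHA-256 over exactly the bytes the /ByteRange says were signed.

    This is what a verifier (PDFBox, Acrobat) compares against the hash
    inside the CMS blob; bytes outside these ranges do not influence it.
    """
    s1, l1, s2, l2 = _byte_range(pdf)
    h = hashlib.sha256()
    h.update(pdf[s1:s1 + l1])
    h.update(pdf[s2:s2 + l2])
    return h.hexdigest()


def coverage_report(pdf: bytes) -> dict:
    """Report whether the signature covers the whole file and what follows it."""
    _, _, s2, l2 = _byte_range(pdf)
    signed_end = s2 + l2
    trailing = pdf[signed_end:]
    return {
        "signed_end": signed_end,
        "file_length": len(pdf),
        "covers_whole_file": signed_end == len(pdf),
        # each appended revision ends with its own %%EOF marker
        "updates_after_signature": trailing.count(b"%%EOF"),
    }


if __name__ == "__main__":
    signed = build_signed_revision()
    updated = signed + INCREMENTAL_UPDATE
    # edit inside the signed revision: digest changes, signature breaks
    tampered_inside = signed.replace(b"PPKLite", b"PPKLitX")
    # edit inside the unsigned update only: digest unchanged, signature survives
    tampered_after = updated.replace(b"added later", b"ADDED LATER")

    for label, doc in [("signed only", signed), ("with update", updated),
                       ("tampered inside", tampered_inside),
                       ("tampered after", tampered_after)]:
        print(label, coverage_report(doc), signed_digest(doc)[:16])
```

The report for the file with the appended update says the signature does not cover the whole file and that one revision follows it; the digest of that file equals the digest of the original signed revision, even after the "tampered after" edit. That is exactly why PDFBox says the signature is fine while Acrobat, which additionally inspects what the update changed, may report the document as modified.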
  • I have tried the PDF in which the signature is applied and it was ok, but after that I have tampered the PDF by changing one of the COSObject values in the pdf and after that tried verification of the PDF using PDFBox, but still it is showing verified. It should be shown invalid as the hash is changed. However the same PDF is shown invalid in Acrobat. – Rajat Gaur Aug 08 '23 at 15:42
  • 1
    Please share both the original pdf and the manipulated one for analysis. My guess would be that you manipulated a value in an incremental update _after_ the signed revision. If such an update is not also signed, you can obviously manipulate it without breaking the earlier signature mathematically. – mkl Aug 09 '23 at 05:24
  • One of the file I have shared in the question itself. – Rajat Gaur Aug 10 '23 at 06:53
  • *"One of the file I have shared in the question itself."* - Please share ***both** the original pdf and the manipulated one* for analysis. The original one may be the one you mentioned but where is the manipulated one? – mkl Aug 10 '23 at 13:39
  • This one is the manipulated one. I have got this manipulated file from apache pdfbox jira issues – Rajat Gaur Aug 15 '23 at 07:30
  • @RajatGaur *"One of the file I have shared in the question itself... This one is the manipulated one. "* - In the question you only mention "acro_signed.pdf" from PDFBOX-2816. I opened it in the current Adobe Acrobat Reader and it says "The document has not been modified since the signature was applied." So I cannot grok the point you're trying to make. – mkl Aug 15 '23 at 08:13