Simple Digital Signature Validation on PDF
1. Introduction
Based on wikipedia, digital signature(DS) is a mathematical scheme for verifying the authenticity of digital messages or documents. It have been used as a tool for non-repudiation.
The type of digital signature put in PDF are varied from a message digest to another type signature (CMS Advanced Electronic Signatures or CAdES). This article will explain more on how to validate the digital signature inside a PDF file.
2. Problem Statements
- Digital Signature Validation on PDF
- Type Signature: CAdES Detached, PKCS7 Detached, or ETSI.RFC3161
3. Digital Signature Inside PDF
When you open a PDF File in a text editor, you will find structures with tag in it, somewhat like a xml file. Digital signature is placed inside the Type Sig tag(Signature Dictionary). Try to find this kind of tag /Type /Sig in a PDF File. Below is an example of it:
In there you can also see a Filter and SubFilter tag. For further explanation of the value in that tag, you can check the PDF 32000–1:2008 document section 12.8.1. Looking further down inside the Sig dictionary, you will find a Contents tag. Inside that tag is the Based64 value of the digital signature. The example below show a CAdES signature inside the contents tag. Pay attention also the ByteRange tag, we will also use it in the digital signature validation process.
4. Digital Signature Validation
We will focus on PAdES-B Signature on PDF (/SubFilter type ETSI.CAdES.detached). It is basically using CAdES-detached signature that put into the Contents tag. The steps for validation are depicted in below figure.
- Parse the content in /Contents tag into CMS (Cryptography Message Syntax)
- Verify that the signature inside CMS is valid (compare it with the signed attribute inside CMS, using certificate in signerInfo Type)
- If valid, then get the message digest from the signed attribute inside CMS. Also get the digest algorithm used (SHA1,SHA256,etc)
- Calculate the actual message digest inside PDF (using the byterange and digest algorithm from no.3)
- Compare number (3) and no(4), if it is valid, then the digital signature value is valid
To be noted the steps above did not handle digital certificate validation, CRL checking, or OCSP checking. We will talk about that in another article. So, let’s breakdown the steps above into java code. The actual code can be seen in my github. We will be using 2 external libraries: pdfbox and bouncycastle.
4.1 Parsing CMS Content inside /Contents tag
First open the pdf and get the signature with this line of code:
Then get the /Contents tag inside the signature:
//Get PKCS#7 Data
CMSSignedData signedData=new CMSSignedData(signature.getContents());4.2 Verify CMS Signature is valid
First, we acquired the signerInfo inside CMS:
//Get SignerInfo
SignerInformation signerInfo=signedData.getSignerInfos().iterator().next();Then, we acquired the Public Key inside CMS:
Then, we acquired the signature algorithm:
Then, we check the validity of the signature inside CMS:
Signature rsaSign=Signature.getInstance(encAlgo);
rsaSign.initVerify(pubKey);
rsaSign.update(signerInfo.getEncodedSignedAttributes());
boolean cmsSignatureValid=rsaSign.verify(signerInfo.getSignature());4.3 Get the Message Digest Algorithm and the message digest data inside CMS
4.4 Calculate the Message Digest inside PDF
First, we calculate the byterange data on the PDF
Then, we calculate the Message Digest on the PDF
//Calculate MD in PDF
String mdPdf=Base64.getEncoder().encodeToString(digest.digest(contentToSigned));4.5 Compare the message digest from CMS and from calculation in PDF
If it is the same, then the signature is valid. On the other hand, if it is not the same, then the signature is not valid.
if(mdPdf.equals(messageDigest)) {
logApp.info("Message Digest Signature ID {} is valid, data integrity is OK",signatureSID);
}
else {
logApp.info("Message Digest Signature ID {} is invalid, data integrity is NOT OK",signatureSID);
}5. Remarks
Basically what we discuss in this blog is a very simple example of digital signature validation inside a PDF file. We hope that this simple example is enough to be a starting point in understanding how the validation works, and also how digital signature in PDF work. If you have any questions or suggestions, please do give comments below.
