7 Replies Latest reply on Aug 21, 2014 1:50 AM by Steven.Madwin

    Verifying digital signatures in PDF documents

    wolvz44

      I'm working on verifying PDFs digital signatures.

      I know that when a PDF is signed, a byterange is defined, the certificates get embedded, and from what i've read, the signed message digest and the timestamp are also stored in the PDF.

      I already can extract the certificates and validate them. Now I'm trying to validate the pdf's integrity and my problem is I don't know where the signed message digest is located.

      In this sample signed pdf (http://blogs.adobe.com/security/SampleSignedPDFDocument.pdf), I can clearly identify the digest since it is down below the embedded certificates: /DigestMethod/MD5/DigestValue/ (line 1520).

      But that PDF sample seems to be from 2009, and I suspect the message digest is stored in a different way now, because I signed a PDF with Adobe Reader and I can't find any message digest field like the previous one. Can someone tell if the digests are now stored in a different way? Where are they located?

      Anyway, for now I'm using that sample document, and trying to verify its integrity. I'm getting the document's bytes to be signed acording to the specified byterange, and digesting them with MD5 algorithm, but the digest value I get doesn't match with the one from the message digest field... Am I doing something wrong? Is the digest also signed with the signer's private key?

      I appreciate any help.

        • 1. Re: Verifying digital signatures in PDF documents
          IsakTen Level 4

          I do not understand what is the purpose of your exercise. Do you want to write your own PDF signature validation application? You do not trust Adobe Reader to do it right? Or do you want to satisfy your curiosity and see how the digest looks and to manually compute and verify the digest? The solution for each of these cases is very different. If you tell us what exactly you want to accomplish we can try to help you.

          • 2. Re: Re: Verifying digital signatures in PDF documents
            wolvz44 Level 1

            Thanks for your reply.

             

            I'm trying to implement digital signature validation in pdf.js, which is a javascript application for rendering pdfs within the browser.

            So I basically want to see how the digest looks and to manually compute and verify the digest. I'm already extracting the certificates and validating them.

             

            I've been trying to understand how it works.

            I had this original PDF file, which I signed with Adobe Reader.

            Then I compared the content of the original PDF file and the signed one, and realized it changes a lot after the signature process (it doesn't just add a pkcs7 object to the file).

            So, if I hash the content of the signed PDF file, according to the byterange (therefore excluding the pkcs7 object), it will not match the original one because, apparently, the content changes in a lot of different places.

            • 3. Re: Verifying digital signatures in PDF documents
              Test Screen Name Most Valuable Participant

              Is there something which is not clear in 32000-1, or are you trying to do this without a detailed understanding of 32000-1?

              • 4. Re: Verifying digital signatures in PDF documents
                IsakTen Level 4

                You cannot rely on the digest to be in a certain place in PDF. If you want to manually verify the digest in a PDF signature here's what you need to do.

                1. Open PDF in a Text Editor.

                2. Find Signature Dictionary for your signature.

                3. Get the Hex String which is the value of the /Contents entry in the Signature Dictionary.

                4. Convert Hex String to binary string and discard trailing zeros. Remember that in a Hex string each byte is represented with two characters and the last one might be a zero. So, when you discard zeros make sure that what you get left has even number of bytes.

                5. Use one of the commercially available BER Viewers (you can find free BER Viewers on the Web) to convert the binary string to ANSI.1 representation.

                6. Analyze the BER-decoded PKCS#7 signature object (RFC 2315 describes it) and find the digest that you are looking for in it. It is an OCTET STRING.

                If you want to programmatically validate a signature, you need to write code that does all that. Signature validation includes much more than checking the digest. You need to build chain, validate each certificate in the chain, check revocation for each certificate in the chain, etc. RFC 5280 is the guide what to do.

                Good luck!

                • 5. Re: Verifying digital signatures in PDF documents
                  wolvz44 Level 1

                  Thanks isakten.

                  This is the pdf sample: bit.ly/1oR8XHK I'm working on.

                  I extracted the /Contents value, and used an ASN.1 parser to check what's the digest value, obtaining bit.ly/1kcbZFK. The digest value is "77908DA519EF898F66166CC0ACE6B82461A6DE87BE00BA5A702EAB0C263678BE". Then I erased the /Contents value from the PDF, digested the whole document with SHA-256 algorithm (the same it was used), obtaining "C2F281B16FB896E39BE7CFA2A4ABE3C8DDDDA81FE284CFB2BD22933DA3A429B2", which is different.

                  Any clue why?

                  • 6. Re: Verifying digital signatures in PDF documents
                    IsakTen Level 4

                    The digest value that you get after BER-decoding /Contents string is encrypted with the signer's private key. The encrypted content may also include authenticated attributes. When you calculate the digest you need to calculate it according to the ByteRange values, not the whole document.

                    • 7. Re: Verifying digital signatures in PDF documents
                      Steven.Madwin Adobe Employee

                      Hi Wolvz44,

                       

                      If you can extract the contents dictionary from within the signature dictionary in the signed PDF file, and you've managed to hex decode it back into a binary CMS object, then the encrypted digest is the very last part of CMS object as per RFC 3852.

                       

                      Steve