EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Hash of orginal PDF contents

Also by EldoS: MsgConnect
Cross-platform protocol-independent communication framework for building peer-to-peer and client-server applications and middleware components.
Posted: 12/02/2010 17:04:59
by SJVAPCD Programmers (Standard support level)
Joined: 06/14/2010
Posts: 9

I have a PDF file that has been digitally signed with a PKCS #12 certificate. Is there a way to get the MD5 or SHA1 hash of the orginal PDF file contents excluding the embedded certificate?

What I am trying to do is generate a PDF file. Send it to a user to sign and return back. I want to make sure that the signed copy is the exact copy of the original that was sent to the user to sign. Options.

Option 1:
1. Get hash of PDF file contents before sending it out to user to sign.
2. Get hash of the PDF file contents of the signed PDF to compare to has in step one to verify integrity.

Option 2:
1. Sign PDF file with my digital signature before sending out to user to sign.
2. Returned signed copy from user should have user signature and my signature. Validate my signature with CA to confirm integrity.

Any other ideas or better way to do this?

Posted: 12/02/2010 17:22:54
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Specifics of the PDF format make your task a non-trivial one. Most of (not to say all) the PDF signing tools invalidate the structure of original document. This is mainly caused by the way the signature is added to the document -- the signing application has to add a number of new signature-related objects to the document, invalidating all the possible hashes that could have been calculated before. Besides, PDF format supports so-called incremental update method, which allows one to modify the document by appending new revisions of the object to the end of the file (and thus keeping the original piece of the file intact, so the hashes are not changed).

A better solution would be to calculate a hash of the document locally and ask user to only sign this hash. Once you received signed hash back from a user, you can use it to form a signature blob and place it to the document.
Posted: 12/02/2010 17:43:56
by SJVAPCD Programmers (Standard support level)
Joined: 06/14/2010
Posts: 9

Thank you for the quick response.

I like your idea but unfortunately I am required to show the user exactly what they are signing at the time the signature is applied. There will be a slight legal liability for us if we don't show them and if we are applying the user's signature for them or even applying the signature blob as you suggested.

I think my best option at this point is to require two signatures on the document as outlined in Option 2. I digitally sign the PDF before sending it out if anything changes then it would invalidate my signature therefore flagging a data integrity issue.

As far as I know a PDF document can have more than one digital signature applied right?
Posted: 12/02/2010 18:03:27
by Ken Ivanov (EldoS Corp.)

Yes, Option 2 would be the best choice then. Please note that you should use MDP (certification) signature type when signing the document on your side. This will prevent the user from introducing malicious modifications to the document with the use of incremental update method. Remember to add the sacFillInForms flag to the TElPDFSignature.AllowedChanges flag set when signing the document, as the user's signature will invalidate your one otherwise.
Posted: 12/02/2010 18:40:20
by SJVAPCD Programmers (Standard support level)
Joined: 06/14/2010
Posts: 9

Yes, I will pursue Option 2 and see how that turns out. Thank you for the advice and for your time.
Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.



Topic viewed 4226 times



Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!