EldoS | Feel safer!

PDF Signing + PDF Validation

#29591
Posted: 05/27/2014 05:59:07
by Dmytro Bogatskyy (EldoS Corp.)

Hello,
Quote

The thing is, no matter how I alter the file, sig.Validate() always returns true. What can cause this?

It is unlikely, unless you append data to the file. If so, you can use the TElPDFSignature.GetSignedVersion() method to get the signed part of the document.
Quote
Here it goes my zipped PDF file.

The signature is valid. You are using a PKCS#1 signature, so the sample can't look up a certificate because it can't get the CertID from a raw signature. I have updated the sample code to handle this case; please use it (replace the code after the sig.Validate() method call):
https://www.dropbox.com/s/pnqusatw28yhu40/code.cs
#29592
Posted: 05/27/2014 05:59:19
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

For instance, I'm creating new PDF notes or commentaries. This way I'm appending data, right?

If this isn't enough, how can I change the PDF content? The text is protected by default.
#29594
Posted: 05/27/2014 07:19:44
by Dmytro Bogatskyy (EldoS Corp.)

Quote

For instance, I'm creating new PDF notes or commentaries. This way I'm appending data, right?

Yes, in this case the data is appended (an incremental update is used).
For example, you can use an MDP (certification) signature and set the TElPDFSignature.AllowedChanges property to restrict form filling or adding comments, see:
https://www.eldos.com/documentation/sb...anges.html
#29597
Posted: 05/27/2014 08:05:25
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

But in that case the signature should be considered invalid, and that doesn't happen. Why?
I could restrict those changes, but I'd like sig.Validate(true) to return false.
What is missing in the code to make that happen?
#29598
Posted: 05/27/2014 08:20:14
by Dmytro Bogatskyy (EldoS Corp.)

Quote
But in that case the signature should be considered invalid, and that doesn't happen. Why?
I could restrict those changes, but I'd like sig.Validate(true) to return false.
What is missing in the code to make that happen?

No, it won't work. For example, if you have two or more signatures, returning 'false' for the first signature would be incorrect (new signatures are also added using an incremental update).
If you need to check that nothing was appended to the document after signing, use the TElPDFSignature.GetSignedVersion() method and compare the returned data size (if the sizes match, then the data would also match the original document).
#29599
Posted: 05/27/2014 08:38:38
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

GetSignedVersion creates another file, right? Is there no other way to do that data size verification without creating another file?
#29603
Posted: 05/27/2014 10:46:47
by Dmytro Bogatskyy (EldoS Corp.)

Quote
GetSignedVersion creates another file, right? Is there no other way to do that data size verification without creating another file?

This method doesn't create a file; it copies the signed data to a stream that you provide, and a MemoryStream is fine. Also, you can use a simplified version of this method, TElPDFSignature.IsDocumentSigned(), which checks whether a signature covers the entire document.
#29604
Posted: 05/27/2014 10:55:35
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

What do I do with that MemoryStream? Can I use it each time I'm trying to verify the document signature?
The TElPDFSignature.IsDocumentSigned() method always returns true as well. Even if I add some notes to it, it always says that the selected signature covers the entire document.
#29609
Posted: 05/27/2014 17:28:21
by Dmytro Bogatskyy (EldoS Corp.)

Correction: the IsDocumentSigned() method checks whether a signature covers the entire document. "The entire document" here means that it checks whether the signed data starts from the beginning of the document and includes everything up to the end of the incremental update block that contains this signature. Theoretically, it is possible to create a signature that signs only a small part of the document (fake security), so it is better to check this by calling the IsDocumentSigned() method.
Yes, you are right, the IsDocumentSigned() method doesn't check any new incremental updates. The only solution for now is to use the GetSignedVersion() method.
Quote
What do I do with that MemoryStream? Can I use it each time I'm trying to verify the document signature?

Not sure if I understand. You create a new instance of a Stream object (MemoryStream, FileStream, etc.), then pass it to the GetSignedVersion() method, which copies the signed data to that stream object. Then you can compare it with the original document.
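The size comparison Dmytro describes above, as an added Python example that is not code from this thread or from SecureBlackbox: it locates a signature's /ByteRange in a constructed toy PDF, recovers the bytes that signature actually covers, and shows that appending an incremental update (a note) leaves the original signature's bytes intact while the covered length no longer equals the file length. The /ByteRange layout is standard PDF; the document bytes, object numbers and the /Prev offset are constructed placeholders.

```python
import re

# A PDF signature dictionary carries /ByteRange [a b c d]: the signed bytes
# are file[a:a+b] and file[c:c+d]; the gap between them holds the /Contents
# hex string with the PKCS#1 or CMS signature value itself.
BYTE_RANGE_RE = re.compile(
    rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build_signed_pdf() -> bytes:
    """Constructed toy document (only the byte layout matters): header, one
    signature object whose /ByteRange is computed to surround /Contents,
    then a trailer and %%EOF."""
    contents = b"<" + b"00" * 16 + b">"            # placeholder signature value
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    def byte_range(b, c, d):                       # fixed width keeps the length stable
        return b" /ByteRange [0 %8d %8d %8d]" % (b, c, d)
    b = len(head)
    c = b + len(contents)
    d = len(byte_range(0, 0, 0)) + len(tail)
    return head + contents + byte_range(b, c, d) + tail

def append_annotation(pdf: bytes) -> bytes:
    """Constructed incremental update, the kind a viewer writes when a note is
    added: earlier bytes are untouched, so the old signature still verifies."""
    return pdf + (b"2 0 obj\n<< /Type /Annot /Subtype /Text /Contents (note) >>\n"
                  b"endobj\ntrailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")

def signed_version(pdf: bytes) -> bytes:
    """Bytes covered by the last signature in the file: everything up to the
    end of its second ByteRange span. This is what the size check compares."""
    ranges = BYTE_RANGE_RE.findall(pdf)
    if not ranges:
        raise ValueError("no /ByteRange found: document is not signed")
    a, b, c, d = (int(x) for x in ranges[-1])
    if not (a == 0 and a + b <= c and c + d <= len(pdf)):
        raise ValueError("ByteRange does not start at 0 or is malformed")
    return pdf[:c + d]

def covers_entire_document(pdf: bytes) -> bool:
    """True only if nothing was appended after the signed span."""
    return len(signed_version(pdf)) == len(pdf)

def incremental_updates(pdf: bytes) -> int:
    """Each incremental update appends its own trailer and %%EOF, so the
    number of %%EOF markers beyond the first counts post-save modifications."""
    return max(0, len(re.findall(rb"%%EOF", pdf)) - 1)
```

A production check must use a real PDF parser (ByteRange arrays can be split across lines or live in object streams, and multi-signature files need the last signature examined); the toy layout here only illustrates why a valid signature and an unchanged document are different questions.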
#29615
Posted: 05/28/2014 04:40:06
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Quote

Not sure if I understand. You create a new instance of a Stream object (MemoryStream, FileStream, etc.), then pass it to the GetSignedVersion() method, which copies the signed data to that stream object. Then you can compare it with the original document.

What is the original document you are talking about? The signed one? The one we are checking for the signature?

Thank you.