EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PDF size after signing

Posted: 07/23/2015 04:03:03
by Piotr Szychowski (Priority Standard support level)
Joined: 04/03/2015
Posts: 3

I'm using the Eldos SecureBlackBox product to sign PDFs with a qualified certificate. The source PDF has 23 KB. After the signing operation it has 412 KB. Petr Stransky had the same problem (https://eldos.com/forum/read.php?TID=5021). You advised him to change the PredefinedSignatureSize property of the TElPDFAdvancedPublicKeySecurityHandler class (12th post):

Good, thank you for letting us know. Now we can move on to the file size issue.

The problem with PDF signing is that the signing component must allocate a 'signature window' in the PDF document *before* initiating the signing process. Unfortunately, it is not always possible to predict the accurate size of the future signature on this stage (as they can't predict the size of an external timestamp blob, for instance), so the components try to allocate a window big enough to accommodate the largest possible signature. The advanced handler has to reserve even a larger window, to provide for auxiliary validation elements (CRLs, OCSP responses) it obtains from online sources.

Now, if you plan to always use the same or similar signing configurations (same certificate, same TSA, same handler setup), you can tune up the component to generate the minimal signature window overhead. This can be done by adjusting the SignatureSizeEstimationStrategy property to match your environment best. In particular, you can set it to psesPredefinedSize and specify the fixed window size (e.g. 16384) via the PredefinedSignatureSize property of the handler. The exact window size in this case can be established in experimental way.

The ExtraSpace property you discovered also helps to fine-tune the signature window. It specifies how many bytes the handler should *add* to the size estimated internally by the components, and might be useful in situations where one of the validation components (TSA reply, CRL or OCSP response) exceeds the mean statistical sizes used for estimation internally by PDFBlackbox.

I experimentally set this value to 1300 (when it's set to 1200 the program raises an exception “Signature is too large to fit in the allocated window”). But I expected that the space improvement would be better – the PDF has 409 KB. Is there any way to do this?

Posted: 07/23/2015 04:44:57
by Ken Ivanov (Team)

Hi Mateusz,

The total size of a PDF signature depends on several factors. The main factors that affect the size are:

- The scope of cryptographic material included in the signature. Including the signing certificate only increases the overall size of the signature blob up to 2KB; the whole certificate chain might occupy up to 10KB; the whole chain together with complete revocation details might make a significantly larger contribution (hundreds of kilobytes in case of large CRLs).

- The size of the timestamp - if the signature is timestamped. The size of the timestamp is out of control of SecureBlackbox, as it is generated by an independent third party. Generally, it is subject to the same factors as described above, as any timestamp is basically the same signature but signed with a specific authority.

If the signatures you are creating are PAdES ones with relevant requirements in place for validation information that should be included, you should be prepared to see a significant increase in their size after signing. Please note that the size of the added signature piece is fixed and does not depend on the size of the original document - so no matter if you are signing a 23KB or 23MB document, the amount of added bytes would be about 400KB (in your particular case) for both documents.

Posted: 07/23/2015 09:01:47
by Piotr Szychowski (Priority Standard support level)
Joined: 04/03/2015
Posts: 3

For me it's very strange that when I'm using Eldos the signed PDF has 412 KB, but when I'm signing with Adobe Reader the signed PDF has 93 KB. This is a lot of memory. My company generates thousands of documents per day.

Posted: 07/23/2015 09:35:23
by Ken Ivanov (Team)

That's because SBB and Adobe Reader are probably including different sets of auxiliary data into their signatures.

You are welcome to send in both documents (via our confidential helpdesk please) so that we could tell you about the differences in the content of the signatures.
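
The signature window discussed in this thread can be measured directly in any signed PDF, whichever product signed it. The following is an added example, not part of the original thread and not EldoS code: it reads each /ByteRange, decodes the hex /Contents string that fills the gap, and reports how much of the reserved window the signature actually uses. It assumes a definite-length DER signature padded with zero bytes; the function names and the sample input are constructed for illustration.

```python
import re

# /ByteRange [0 a b c]: bytes [0, a) and [b, b+c) are hashed; the gap between
# them holds the hex-encoded /Contents string, i.e. the signature window.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def der_total_length(blob):
    """Header plus content length of the DER object at the start of blob."""
    if len(blob) < 2:
        raise ValueError("window too short to hold a DER object")
    if blob[1] < 0x80:                      # short form: length in one byte
        return 2 + blob[1]
    n = blob[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite-length or truncated encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def signature_windows(pdf):
    """One dict per signature: reserved window, bytes used, zero padding."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        start1, len1, start2, _len2 = map(int, m.groups())
        gap = pdf[start1 + len1:start2]
        if not (gap.startswith(b"<") and gap.endswith(b">")):
            raise ValueError("ByteRange gap is not a hex string")
        window = bytes.fromhex(gap[1:-1].decode("ascii"))
        used = der_total_length(window)
        if used > len(window) or any(window[used:]):
            raise ValueError("signature does not fit its window cleanly")
        results.append({"reserved": len(window), "used": used,
                        "padding": len(window) - used, "file_bytes": len(gap)})
    return results

def build_sample(sig_len, window):
    """Constructed input: PDF-like bytes with one padded signature window."""
    der = b"\x30\x82" + (sig_len - 4).to_bytes(2, "big") + b"\xAA" * (sig_len - 4)
    contents = b"<" + der.ljust(window, b"\x00").hex().encode() + b">"
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    tail = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n"
    tail_len = len(tail % (0, 0, 0))
    return head + contents + tail % (len(head), len(head) + len(contents), tail_len)

if __name__ == "__main__":
    for w in signature_windows(build_sample(sig_len=3000, window=16384)):
        print(w)
```

Because /Contents is hex-encoded, the window costs two bytes in the file for every reserved byte, which is what `file_bytes` reports. Running it over two differently signed copies of the same document shows whether a size difference comes from unused padding or from the signature blob itself.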
