Get signer certificate(s) from PDF using TElPDFPublicKeySecurityHandler

#34712
Posted: 10/11/2015 13:38:28
by Petr Stransky (Standard support level)
Joined: 09/24/2012
Posts: 18

I need to validate the signature(s) in a PDF file and output information about signer's certificate(s).


I am doing roughly the same as Adi Vasi in https://www.eldos.com/forum/read.php?FID=7&TID=4048 and it works for PKCS7SHA1 signatures. I take TElPDFPublicKeySecurityHandler.certIDs and find the corresponding certificates in TElPDFPublicKeySecurityHandler.Certificates.

But when the type is X509RSASHA1 the certIDs are empty. I suppose that it is the same problem as in https://www.eldos.com/forum/read.php?FID=7&TID=3104 .
However, the discussion moved to a closed helpdesk without a clear resolution in the forums. I suppose that in that case I should take all non-CA certificates in TElPDFPublicKeySecurityHandler.Certificates, but I would like to confirm that.

Is the TElPDFPublicKeySecurityHandler.Detached field relevant for this too?

Is there any other property that is relevant for this?
#34713
Posted: 10/11/2015 14:02:01
by Eugene Mayevski (EldoS Corp.)

The resolution in the previous forum post was that the signature was made with an RSA key, which was just extracted from some certificate.

I am afraid that in your case the outcome can be the same. Do you have a sample document that has such signature? Maybe you can post it to our HelpDesk so that we could take a look and see what information we/you could extract and use.


Sincerely yours
Eugene Mayevski
#34714
Posted: 10/11/2015 15:06:01
by Petr Stransky (Standard support level)
Joined: 09/24/2012
Posts: 18

The PDF document in question is unfortunately a live contract and I would need to ask for permission to send it to your helpdesk.
But for now it would be enough for me to know how I should find the signer's certificate in the case of the pstX509RSASHA1 signature type. Should the CertID be filled out by the validate() method?

I can provide details about the document. It contains two signatures and both are recognized as valid using Adobe Reader.

The first signature is of type pstPKCS7SHA1, contains one certificate and one certID. Validate returns true and the certID correctly maps to a provided certificate. See the output of our test tool:
Code
Signature #1,Signature name:Signature1 Author:Not specified
  SigType,PKCS7SHA1 Detached: True
  Validation,Validate: True
  Certificates,1
    Certificate #1,"Subject: /C=CZ..... Issuer: /C=CZ/.... Serial: 0x00A890A6 NotBefore: 3.8.2015 10:56:04 NotAfter: 2.8.2016 10:56:04"
  CertIDs,1
    CertID #1,"/C=CZ/.... Serial: 0x00A890A6"
  CRLs,0
  RecipientsGroups,0

The second certificate is of type pstX509RSASHA1; it contains one certificate and validate returns true. However, there is no certID provided (although the certificate is the one that Reader shows as the signer's one):
Code
Signature #2,Signature name:Signature2 Author:Not specified
  SigType,X509RSASHA1 Detached: True
  Validation,Validate: True
  Certificates,1
    Certificate #1,"Subject: /C=CZ/... Issuer: /C=CZ/... Serial: 0x1A55FC NotBefore: 5.12.2014 14:34:00 NotAfter: 5.12.2015 14:34:00"
  CertIDs,0
  CRLs,0
  RecipientsGroups,0


So basically my question is this: should the second signature contain a certID pointing to the certificate? Or should I handle this signature type in a different way?

If you say that the handling is the same for both signature types, I will try to get permission to send the document or ask the author to create some sort of sample (unfortunately the second signature is made by a customer of our customer, so it may be a little problematic).

For the sake of completeness: the SBB version is 12.0.267.0
#34728
Posted: 10/12/2015 09:53:58
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
But for now it would be enough for me to know how I should find the signer's certificate in the case of the pstX509RSASHA1 signature type. Should the CertID be filled out by the validate() method?

Thank you for the details.
The pstX509RSASHA1 signature type contains a plain PKCS#1 signature; it doesn't contain a CertID, as that property relates only to the pstPKCS7SHA1 signature type.
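As an added illustration of the distinction above (this is not the poster's tool nor the SecureBlackbox API; classes, names and sample data are constructed, with only the two serial numbers taken from the thread): a PKCS#7 signature names its signer through the SignerInfo issuer+serial (the CertID), while an adbe.x509.rsa_sha1 signature has no SignerInfo at all and, per ISO 32000-1, carries the signing certificate as the first element of the signature dictionary's /Cert entry. The x509 sample goes slightly beyond the thread by placing a CA certificate after the signer in /Cert, to show that ordering, not a non-CA filter, identifies the signer.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False

@dataclass
class SignatureDict:
    sub_filter: str                      # /SubFilter: adbe.pkcs7.sha1 or adbe.x509.rsa_sha1
    certificates: List[Cert]             # pkcs7: certs in SignedData; x509: the /Cert entry
    cert_ids: List[Tuple[str, int]] = field(default_factory=list)  # SignerInfo issuer+serial

def signer_certificate(sig: SignatureDict) -> Optional[Cert]:
    """Return the signing certificate, or None if it cannot be identified."""
    if sig.sub_filter == "adbe.pkcs7.sha1":
        # CMS SignedData names the signer via IssuerAndSerialNumber in SignerInfo
        # (the CertID of the thread); match it against the embedded certificates.
        for issuer, serial in sig.cert_ids:
            for cert in sig.certificates:
                if cert.issuer == issuer and cert.serial == serial:
                    return cert
        return None
    if sig.sub_filter == "adbe.x509.rsa_sha1":
        # Plain PKCS#1 signature: no SignerInfo, so no CertID at all. ISO 32000-1
        # requires /Cert here and defines its first element as the signing
        # certificate, so an empty cert_ids list is the normal case, not an error.
        return sig.certificates[0] if sig.certificates else None
    raise ValueError(f"unsupported /SubFilter {sig.sub_filter}")

# Constructed samples modelled on the two signatures in the thread (issuer and
# subject strings are placeholders; only the serials are taken from the post).
ISSUER = "/C=CZ/O=Example CA (constructed)"

def sample_pkcs7() -> SignatureDict:
    signer = Cert("/C=CZ/CN=Signer 1 (constructed)", ISSUER, 0x00A890A6)
    return SignatureDict("adbe.pkcs7.sha1", [signer], [(ISSUER, 0x00A890A6)])

def sample_x509() -> SignatureDict:
    signer = Cert("/C=CZ/CN=Signer 2 (constructed)", ISSUER, 0x1A55FC)
    ca = Cert(ISSUER, ISSUER, 1, is_ca=True)   # /Cert may also carry the chain
    return SignatureDict("adbe.x509.rsa_sha1", [signer, ca])   # cert_ids stays empty

if __name__ == "__main__":
    for sig in (sample_pkcs7(), sample_x509()):
        cert = signer_certificate(sig)
        print(sig.sub_filter, "->", cert.subject if cert else "signer not found")
```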
