3

I've two PDF documents certified (signed and validated with the same mechanism based on iText 7), and when I use Adobe Reader DC to check their validity, only one has the green mark.

the good one: https://1drv.ms/b/s!AkF6t4TavwMvgxWaidlUqvPvHH1r

the bad one: https://1drv.ms/b/s!AkF6t4TavwMvgxQCMdGY61S1EvUh

Regards

David L

David L
  • *with the same mechanism* - how *exactly* is this mechanism designed? E.g. are you signing as incremental update? – mkl Jul 17 '17 at 17:45
  • Hi, have a look at this older post explaining the method : – David L Jul 17 '17 at 17:54
  • https://stackoverflow.com/questions/39151230/in-itext-7-how-to-sign-a-pdf-with-2-steps – David L Jul 17 '17 at 17:55
  • What's annoying is that the signatures of the two docs pass the verification in iText 7 but not with Adobe Reader DC... Adobe says that the bad one has been tampered with – David L Jul 18 '17 at 05:26
  • I've checked the two documents with Foxit and both certifying signatures are considered valid... What does Adobe Reader DC do? – David L Jul 18 '17 at 07:15
  • Even more funny, using an Adobe Acrobat showing more detailed signature information, one sees [this](https://i.stack.imgur.com/xG3A2.png), in particular both "Some of the changes that have been made to this document since this signature was applied are not permitted by the document author." and "There have been no changes made to this document since this signature was applied." on the same dialog page. An Adobe Acrobat bug... – mkl Jul 18 '17 at 07:48
  • Very funny indeed ...that will make an excellent item for the daily wtf website... I've opened a ticket on Adobe website – David L Jul 18 '17 at 07:51
  • Thanks for your help – David L Jul 18 '17 at 07:51
  • David, Have you got any reply from Adobe concerning the ticket you opened with Adobe? – mkl Apr 16 '18 at 10:18
  • Here was the answer from Adobe... https://forums.adobe.com/thread/2358988. Alas, it's not enough in my case... I'll do other checks – David L Apr 22 '18 at 08:39

2 Answers

8

This is not an Adobe bug, it's a feature. (And an iText bug)

When Adobe performs the cryptographic validation, it will also perform additional checks to see if a signature was attacked or not. It analyses several suspects and if that analysis turns out negative, Adobe will show you an error message. This is Adobe misreporting the analysis and validity. However, there is a work around for these hidden requirements.

First off, iText was used in non-append mode to modify the document: [image: document properties]

Unfortunately, in specific cases iText 7, when used in non-append mode, introduces changes that are disallowed by the specification. The issue is that iText introduces subsections. That is something the specification allows you to do, but this is explicitly disallowed for the first revision:

Section 7.5.4 Cross-Reference Table [...] For a file that has never been incrementally updated, the cross-reference section shall contain only one subsection, whose object numbering begins at 0. [...]

Below you'll find the xref of the first revision after iText was used in non-append mode, every colored rectangle is a new subsection. To be compliant there should only be one rectangle. [image: XREF table]

This will be fixed in the upcoming 7.0.4 release, planned for end of July.

Michaël Demey
  • *This is not an Adobe bug* - well, Adobe at the same time says "Some of the changes that have been made to this document since this signature was applied are not permitted by the document author." and "There have been no changes made to this document since this signature was applied." One can argue this is not a bug but a case of *garbage-in, garbage-out*, but Adobe should still consider preventing such contradictions in their signature validation outputs. – mkl Jul 18 '17 at 10:16
  • That's true. I've reported this confusing reporting to Adobe last week, we'll see if they do anything about it. – Michaël Demey Jul 18 '17 at 10:24
  • Michaël, have you got any reply from Adobe on this? – mkl Apr 16 '18 at 09:57
  • We had a discussion with some Adobe developers. They confirmed what I wrote above. Meaning that Adobe Reader/Acrobat does additional checks and that it misreports on the validity of the signature. I asked for some public documentation on this modification analysis so that we can include these checks (where it makes sense). But I got no reply on that request. We urged them recently again for more information, but again, no response. As a side note: the above has been fixed and the split XREF table shouldn't be the cause of the message in Adobe anymore. But it's all we can do as of now. – Michaël Demey Apr 16 '18 at 10:04
  • Ok, thanks. I asked because some people still use early iText 7.0.x versions and run into this issue, cf. [this question](https://stackoverflow.com/q/49812168/1729265). – mkl Apr 16 '18 at 10:09
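A structural check for the condition this answer describes, as an added example that is not part of the answer and not iText's code: the script below walks a PDF's classic cross-reference chain (the trailing startxref, then each trailer's /Prev link), counts the subsections in every xref section, and reports whether the original revision, the one at the end of the /Prev chain, has the single subsection that ISO 32000-1 section 7.5.4 requires. Everything else in it is constructed for the demonstration: build_pdf writes a tiny three-object PDF with either one subsection or the split layout shown in the answer's screenshot, and append_update adds one incremental revision with a /Prev link, as a signing tool in append mode would. It handles only classic xref tables (cross-reference streams raise ValueError) and trailer dictionaries without nested dictionaries.

```python
"""Count cross-reference subsections per revision of a PDF (classic xref tables only).

ISO 32000-1 section 7.5.4: a file that has never been incrementally updated
must contain exactly one xref subsection, whose numbering starts at 0.
Later revisions appended with /Prev links may legitimately contain several.
"""
import re

SUBSECTION_HDR = re.compile(rb"\s*(\d+)\s+(\d+)\s*")        # "<first obj> <count>"
TRAILER = re.compile(rb"\s*trailer\s*<<(.*?)>>", re.S)      # flat trailer dict only
ENTRY_LEN = 20                                              # classic xref entries are 20 bytes


def parse_xref_sections(pdf: bytes):
    """Follow startxref -> /Prev; return (offset, subsections, has_prev) per
    revision, newest revision first."""
    m = re.search(rb"startxref\s+(\d+)\s+%%EOF\s*$", pdf)
    if not m:
        raise ValueError("no trailing startxref/%%EOF found")
    offset, seen, sections = int(m.group(1)), set(), []
    while offset is not None:
        if offset in seen or offset >= len(pdf):
            raise ValueError("broken /Prev chain at offset %d" % offset)
        seen.add(offset)
        if not pdf.startswith(b"xref", offset):
            raise ValueError("offset %d is not a classic xref table" % offset)
        pos, count = offset + 4, 0
        while True:                      # one iteration per subsection header
            hdr = SUBSECTION_HDR.match(pdf, pos)
            if not hdr:
                break
            pos = hdr.end() + ENTRY_LEN * int(hdr.group(2))   # skip the entries
            count += 1
        tr = TRAILER.match(pdf, pos)
        if not tr:
            raise ValueError("trailer dictionary missing after xref at %d" % offset)
        prev = re.search(rb"/Prev\s+(\d+)", tr.group(1))
        sections.append((offset, count, prev is not None))
        offset = int(prev.group(1)) if prev else None
    return sections


def first_revision_subsections(pdf: bytes) -> int:
    """Subsection count of the original revision (the end of the /Prev chain)."""
    return parse_xref_sections(pdf)[-1][1]


def build_pdf(split_xref: bool) -> bytes:
    """Constructed sample: a minimal 3-object PDF. With split_xref=True the
    single revision's xref is written as two subsections (the non-compliant
    layout the answer describes), otherwise as one."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_off = len(out)
    entries = [b"0000000000 65535 f \n"] + [b"%010d 00000 n \n" % o for o in offsets]
    out += b"xref\n"
    if split_xref:
        out += b"0 2\n" + b"".join(entries[:2]) + b"2 2\n" + b"".join(entries[2:])
    else:
        out += b"0 %d\n" % len(entries) + b"".join(entries)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % len(entries)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_off
    return bytes(out)


def append_update(pdf: bytes) -> bytes:
    """Constructed sample: append an incremental update adding one object and a
    new xref section that points back to the previous one with /Prev."""
    prev_off = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    size = int(re.findall(rb"/Size\s+(\d+)", pdf)[-1])
    out = bytearray(pdf)
    obj_off = len(out)
    out += b"%d 0 obj\n<< /Type /Annot /Subtype /Text >>\nendobj\n" % size
    xref_off = len(out)
    out += b"xref\n%d 1\n%010d 00000 n \n" % (size, obj_off)
    out += b"trailer\n<< /Size %d /Root 1 0 R /Prev %d >>\n" % (size + 1, prev_off)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_off
    return bytes(out)


if __name__ == "__main__":
    for label, doc in (("single subsection", build_pdf(False)),
                       ("split subsections", build_pdf(True)),
                       ("split + one update", append_update(build_pdf(True)))):
        n = first_revision_subsections(doc)
        verdict = "OK" if n == 1 else "NOT compliant with 7.5.4"
        print("%-20s original revision has %d subsection(s): %s" % (label, n, verdict))
```

Run it against a real document by reading the file as bytes and calling first_revision_subsections on it; a result other than 1 is the layout the answer's screenshot shows, and it is only visible in the original revision, so a document whose newest revision looks fine can still carry the problem at the bottom of the /Prev chain.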
2

Since multiple other tools validate these two documents without any issue... we may think that's an Adobe Reader bug.

In particular as Adobe Acrobat itself is torn:

Both "Some of the changes that have been made to this document since this signature was applied are not permitted by the document author." and "There have been no changes made to this document since this signature was applied." on the same dialog page

mkl
David L