I want to verify a digitally signed PDF and get information like in Adobe Acrobat in PHP 7.4.

What I already achieved:

  1. I get the signature of the PDF by reading the bytes defined in ByteRange in the PDF file and store it in a variable.
  2. Then I convert it like this: $raw_signature_data = base64_encode(hex2bin($raw_signature_data));
  3. After that, I change the formatting to PKCS7:

$zertifikat_formattiert = "";
$zertifikat_formattiert .= "-----BEGIN PKCS7-----\n";
$zertifikat_formattiert .= chunk_split($raw_signature_data, 64);
$zertifikat_formattiert .= "-----END PKCS7-----\n";

  4. Then I read the formatted PKCS7 string with openssl_pkcs7_read($zertifikat_formattiert, $zertifikate);
  5. Now I loop over the array output by openssl_pkcs7_read with foreach and for every element I obtain the fingerprint with:

foreach ($zertifikate as $zertifikat_nummer => $zertifikat_x509_raw) {
    openssl_x509_fingerprint($zertifikat_x509_raw, "sha1WithRSAEncryption");
}


Additionally I get information like the valid from- and to-time like this (inside the foreach loop):

$x509_zertifikat = openssl_x509_parse(openssl_x509_read($zertifikat_x509_raw));
$valid_from_time = $x509_zertifikat['validFrom_time_t'];
$valid_to_time   = $x509_zertifikat['validTo_time_t'];

My questions

  1. Now how can I verify, in PHP and with this data / information, that the document was not modified since it was signed?
  2. How can I check if the PDF was signed with the clock from the signer's computer?

I have already tried it like the answer suggested here (Verify signed PDF Document in PHP) with no success.

Greetings and thanks!

Leon D

1 Answer

Signature validity verification is quite a big task with many facets and hard to fully answer on Stack Overflow. Especially as PHP has limited support for cryptography libraries.

You need to consider which certificates you trust, and make sure these are not revoked and not expired.

PDF signature verification consists of 2 main parts.

  1. Calculating the digest of the signed document. For this take everything outside the signature ByteRange. Leave also <> out. Calculate the digest of this document. If there is more than one signature then you need to parse the PDF and omit all incremental saves to get to the same revision the file was in when it was signed.
  2. Verify the signature and compare the hash value. One way is executing openssl commands like this: How to verify a file and a p7s detached signature with openssl?

Easiest is to use some service that is able to parse the documents and tell their status, like https://documenter.getpostman.com/view/3869493/Szf6WoG1#01414413-b076-4297-a6ac-269d884a044c . Otherwise you can try openssl commands that can be executed from the PHP code; here are some ideas: How to verify a file and a p7s detached signature with openssl?

Margus Pala
  • Thanks for the reply. Unfortunately, I am not allowed to use third party services or the command line. – Leon D Jan 04 '21 at 07:21
  • I added more details of the steps that need to be done. Still it's quite a big undertaking. If you need more help with the implementation then you can get in touch with the email in my profile. – Margus Pala Jan 05 '21 at 08:58
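The digest step of the answer (everything the ByteRange covers, with the <...> Contents string left out) as an added PHP example; this is not code from the question, the answer or any library. It assumes a single signature and SHA-256 (`pdf_signed_digest`, `build_sample_pdf` and the stand-in PDF are constructed for illustration); real code must take the digest algorithm from the CMS SignedData.

```php
<?php
// Added example (not from the question or answer): the digest step of the answer.
// Rebuilds the bytes /ByteRange covers, cuts out the <...> /Contents hex string and
// hashes the rest. SHA-256 is assumed; read the real algorithm from the CMS.
function pdf_signed_digest(string $pdf, string $algo = 'sha256'): array
{
    // Use the last /ByteRange in the file: it belongs to the newest signature.
    $re = '/\/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]/';
    if (!preg_match_all($re, $pdf, $m, PREG_SET_ORDER)) {
        throw new RuntimeException('no /ByteRange found');
    }
    [, $o1, $l1, $o2, $l2] = array_map('intval', end($m));
    // The gap between the two ranges must be exactly the <hex> /Contents value.
    $gap = substr($pdf, $o1 + $l1, $o2 - ($o1 + $l1));
    if ($gap === '' || $gap[0] !== '<' || substr($gap, -1) !== '>') {
        throw new RuntimeException('ByteRange gap is not a <hex> string');
    }
    $hex = preg_replace('/\s+/', '', substr($gap, 1, -1));
    if (!ctype_xdigit($hex) || strlen($hex) % 2 !== 0) {
        throw new RuntimeException('/Contents is not valid hex');
    }
    $signed = substr($pdf, $o1, $l1) . substr($pdf, $o2, $l2);
    return [
        'digest'            => hash($algo, $signed),
        'signature_der'     => hex2bin($hex), // DER CMS blob, Acrobat pads it with zero bytes
        // Bytes outside both ranges are unsigned: a save after signing
        // (incremental update) shows up past the second range.
        'covers_whole_file' => $o1 === 0 && $o2 + $l2 === strlen($pdf),
    ];
}

// Constructed stand-in for a signed PDF; /Contents holds dummy hex, not a real CMS signature.
function build_sample_pdf(): string
{
    $head = "%PDF-1.7\n1 0 obj << /Type /Sig /SubFilter /adbe.pkcs7.detached\n/Contents ";
    $gap  = '<' . str_pad(bin2hex('not-a-real-cms-blob'), 64, '0') . '>';
    $fmt  = "\n/ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n";
    $l1   = strlen($head);
    $o2   = $l1 + strlen($gap);
    $l2   = strlen(sprintf($fmt, 0, 0, 0)); // fixed-width fields: same length for any offsets
    return $head . $gap . sprintf($fmt, $l1, $o2, $l2);
}

$info = pdf_signed_digest(build_sample_pdf());
printf("digest=%s covers_whole_file=%d\n", $info['digest'], $info['covers_whole_file']);
// Appending an incremental update leaves unsigned bytes after the ByteRange.
$info = pdf_signed_digest(build_sample_pdf() . "2 0 obj << >> endobj\n%%EOF\n");
printf("after update: covers_whole_file=%d\n", $info['covers_whole_file']);
```

The returned digest is what the signer's messageDigest attribute inside the CMS must equal once the signature itself has been verified; a file where covers_whole_file is false has been changed after signing and needs the revision handling the answer describes.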