
PADES certificate signature not validating but approval signatures validate (DocMDP)


I've created a document with a PADES approval signature, which works fine when digitally signed, but fails when I try to add a DocMDP dictionary to turn the first signature into a certification/author signature (documents linked below).

Approval Signature

This first document shows the approval signature, which is validating.

Certification Signature

The second document is a certification signature. I've added a DocMDP dictionary to the document and copied the first signature dictionary into that.

Both DER encoded signer objects are the same in both sigs.

What i'm trying to achieve

This is an Adobe certification signature. My PDF dictionary structure is the same as that and everything looks the same.

The issue (maybe)

I think my issue might be to do with the ByteRange I sign. With the approval signature the ByteRange is 0 to the start of the /Contents signature field, which when captured contains a default byte range placeholder, then from the end of the contents to the end of the file: [0, 11347, 31349, 4448]

But when adding a DocMDP, because the ByteRange is 4 digits, and the /Contents default placeholder has been duplicated to the DocMDP, the creation signature ByteRange includes the full contents of the default byte range in there, which obviously changes when replaced with the signature object after signing: [0, 11361, 31363, 24958]

I've tried using a six-digit ByteRange to bypass the DocMDP contents field as well, but that didn't work, and also the correctly signed Adobe document only uses 4 digits. I can't find any info on how to get around this and what the ByteRange should cover in this situation. This is the Adobe document's DocMDP dictionary I'm referencing, in which you can see the last digit is a lot smaller.

Reference documents


Solution

  • The second document is a certification signature. I've added a DocMDP dictionary to the document and copied the first signature dictionary into that.

    And this already is the error: If you copy the signature dictionary, you suddenly have two places where you have to insert a signature upon signing, and each of those signatures has to sign the whole PDF file except itself. This cannot work.

    What you want to do, instead of copying the original signature dictionary there, is reference the original signature dictionary from there.

    Have a look at your example Adobe signed document: there, both the V of the signature field and the DocMDP of the Perms refer to object 28, while in your document the V of the signature field refers to object 12 and the DocMDP of the Perms refers to object 13.
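
The check described in the answer, as an added example that is not part of the original post or of either document: it compares the object referenced by the signature field's /V with the one referenced by /Perms /DocMDP. The two sample files are constructed fragments that reuse the object numbers from the answer (12/13 and 28); the function names are hypothetical, and the regex scan assumes uncompressed objects (no object streams).

```python
import re

REF = rb"\s+(\d+)\s+\d+\s+R"  # indirect reference "N G R"; captures N

def inspect_certification(pdf: bytes) -> dict:
    """Report which object the signature field's /V and /Perms /DocMDP
    point to, and how many signature dictionaries the file contains."""
    v = re.search(rb"/FT\s*/Sig\b.*?/V" + REF, pdf, re.S)
    perms = re.search(rb"/Perms\s*<<.*?/DocMDP" + REF, pdf, re.S)
    field_v = int(v.group(1)) if v else None
    docmdp = int(perms.group(1)) if perms else None
    return {
        "field_v": field_v,
        "docmdp": docmdp,
        # \b keeps "/Type /SigRef" out of the count. A file holding only
        # the certification signature should have exactly one.
        "sig_dicts": len(re.findall(rb"/Type\s*/Sig\b", pdf)),
        # True only when both entries reference the same dictionary
        "shared": field_v is not None and field_v == docmdp,
    }

def build_sample(v_obj: int, docmdp_obj: int, sig_objs: list) -> bytes:
    """Constructed, minimal PDF-like bytes (no xref/trailer), for the scan only."""
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /AcroForm << /Fields [5 0 R] /SigFlags 3 >> "
        b"/Perms << /DocMDP %d 0 R >> >>\nendobj\n" % docmdp_obj,
        b"5 0 obj\n<< /FT /Sig /T (Signature1) /V %d 0 R >>\nendobj\n" % v_obj,
    ]
    for n in sig_objs:
        parts.append(
            b"%d 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
            b"/ByteRange [0 0 0 0] /Contents <0000> "
            b"/Reference [<< /Type /SigRef /TransformMethod /DocMDP "
            b"/TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >>] "
            b">>\nendobj\n" % n
        )
    return b"".join(parts)

# Layout from the question: dictionary copied, /V -> 12 and /DocMDP -> 13
COPIED = build_sample(12, 13, [12, 13])
# Layout of the Adobe-signed file: both entries reference object 28
REFERENCED = build_sample(28, 28, [28])

if __name__ == "__main__":
    for name, pdf in (("copied", COPIED), ("referenced", REFERENCED)):
        print(name, inspect_certification(pdf))
```

With the copied layout there are two /Contents placeholders but a single ByteRange gap, so one placeholder always ends up inside the signed bytes and changes when the signature is written.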