
I have a pdf form. How to check with PDFBox v2.x.x if a pdf form was changed after the signature was added? I think the equivalent in iText 4.2.1 is the signaturecoverswholedocument method. The only thing I could find was how to check the signature itself:

        if (signerInformation.verify(new JcaSimpleSignerInfoVerifierBuilder().build(certificateHolder))) {
Kuronashi

1 Answer

No perfect answer, but a strategy to make a decision:

import java.io.File;
import java.util.Arrays;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;

try (PDDocument document = PDDocument.load(new File(infile), password))
{
    for (PDSignature sig : document.getSignatureDictionaries())
    {
        // /ByteRange: pairs of [offset, length] describing the signed bytes
        int[] byteRange = sig.getByteRange();
        System.out.println("byteRange: " + Arrays.toString(byteRange));
        // end of the last signed range; should equal the file length
        System.out.println("Range max: " + (byteRange[byteRange.length-2] + byteRange[byteRange.length-1]));
        // multiply content length with 2 (because it is in hex in the PDF) and add 2 for < and >
        System.out.println("Content len: " + (sig.getCOSObject().getString(COSName.CONTENTS).length() * 2 + 2));
        System.out.println("File len: " + new File(infile).length());
(...)
    }
}

Now test this with this file. You'll get this output:

byteRange: [0, 192, 10094, 162062]
Range max: 172156
Content len: 9902
File len: 172156

The data that is signed starts at 0 with len 192, then the signature, then the rest of the data at 10094 with len 162062. You'll notice that 10094 + 162062 == 172156, and 192 + 9902 == 10094.

Of course if there are several signatures it won't look that perfect.

Tilman Hausherr
    This essentially is what the *iText signaturecoverswholedocument method* mentioned by the OP does. – mkl May 17 '17 at 08:02
    @mkl yeah, I've just seen your answer to https://stackoverflow.com/questions/37490084/how-reliable-is-itexts-signaturecoverswholedocument-vs-acrobat-reader . Maybe I'll add my solution to the ShowSignature example with a warning that a false result doesn't necessarily mean that the PDF is a fake. – Tilman Hausherr May 17 '17 at 08:09
  • it works. Would it also be possible to decrypt the (whatsoever) digest stored in the signature with the certificate from the signatureDictionary, compute a digest from the actual pdf file (within the byteranges) and compare that digest with the decrypted digest? – Kuronashi May 18 '17 at 09:29
  • I think that is what is done in the ShowSignature example from the source code download. – Tilman Hausherr May 18 '17 at 22:09
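The strategy from the answer, turned into a reusable check, as an added example that is not code from the answer, the OP, or PDFBox itself. It does for PDFBox 2.x what iText's signaturecoverswholedocument does: the signed bytes must start at offset 0, the only gap between the two /ByteRange entries must be exactly the hex /Contents string (including its < and > delimiters, as in the answer's arithmetic), and the second range must end exactly at the end of the file. The class and method names (`SignatureCoverage`, `coversWholeDocument`, `check`, `Result`) are this example's own choices; the only PDFBox calls used are `PDDocument.load(File, String)`, `getSignatureDictionaries()`, `PDSignature.getByteRange()`, `getName()` and the COS dictionary access to /Contents.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSString;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;

/**
 * Added example (not from the answer above and not part of PDFBox): a PDFBox 2.x
 * equivalent of iText's signatureCoversWholeDocument(), built on the /ByteRange
 * arithmetic shown in the answer. Class and method names are the example's own.
 */
public class SignatureCoverage
{
    /** Outcome for one signature dictionary. */
    public static final class Result
    {
        public final String name;            // /Name of the signature, may be null
        public final int[] byteRange;
        public final long fileLength;
        public final boolean coversWholeDocument;

        Result(String name, int[] byteRange, long fileLength, boolean covers)
        {
            this.name = name;
            this.byteRange = byteRange;
            this.fileLength = fileLength;
            this.coversWholeDocument = covers;
        }
    }

    /**
     * Pure arithmetic, so it can be checked against the numbers in the answer:
     * [0, 192, 10094, 162062] with a /Contents hex length of 9902 and a file
     * length of 172156 yields true.
     *
     * @param byteRange         the /ByteRange array [start1 len1 start2 len2]
     * @param contentsHexLength length of the /Contents hex string including < and >
     * @param fileLength        size of the PDF file on disk
     */
    public static boolean coversWholeDocument(int[] byteRange, int contentsHexLength, long fileLength)
    {
        // A normal signature has exactly two ranges; anything else is not covered here.
        if (byteRange == null || byteRange.length != 4)
        {
            return false;
        }
        long start1 = byteRange[0], len1 = byteRange[1];
        long start2 = byteRange[2], len2 = byteRange[3];
        // Signed data must begin at the very start of the file.
        if (start1 != 0 || len1 < 0 || len2 < 0)
        {
            return false;
        }
        // The gap between the two ranges must hold nothing but the signature value.
        if (start1 + len1 + contentsHexLength != start2)
        {
            return false;
        }
        // Nothing may follow the signed data (e.g. a later incremental update).
        return start2 + len2 == fileLength;
    }

    /** Runs the check for every signature dictionary in the file. */
    public static List<Result> check(File pdf, String password) throws IOException
    {
        long fileLength = pdf.length();
        List<Result> results = new ArrayList<>();
        try (PDDocument document = PDDocument.load(pdf, password))
        {
            for (PDSignature sig : document.getSignatureDictionaries())
            {
                int[] byteRange = sig.getByteRange();
                // /Contents is written as a hex string: two hex digits per byte,
                // plus the < and > delimiters (assumption: hex, not a literal string).
                COSBase contents = sig.getCOSObject().getDictionaryObject(COSName.CONTENTS);
                int contentsHexLength = contents instanceof COSString
                        ? ((COSString) contents).getBytes().length * 2 + 2
                        : -1;
                boolean covers = contentsHexLength > 0
                        && coversWholeDocument(byteRange, contentsHexLength, fileLength);
                results.add(new Result(sig.getName(), byteRange, fileLength, covers));
            }
        }
        return results;
    }

    public static void main(String[] args) throws IOException
    {
        File pdf = new File(args[0]);
        String password = args.length > 1 ? args[1] : null;
        for (Result r : check(pdf, password))
        {
            System.out.println((r.name == null ? "(unnamed)" : r.name)
                    + " byteRange=" + Arrays.toString(r.byteRange)
                    + " fileLength=" + r.fileLength
                    + " coversWholeDocument=" + r.coversWholeDocument);
        }
    }
}
```

As the answer and its comments point out, a `false` result means only that bytes exist outside the signed ranges. In a document with several signatures this is expected for every signature but the last, because each later signature is appended as an incremental update, so `false` is a reason to inspect the trailing revision, not proof that the form was tampered with.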