pdfsignatureverify

PDF Signature invalid but Verify Signature with PDFBox2 is valid (true)



Sample PDF download:

https://drive.google.com/file/d/18CY_6qe_xog9Zil0qNhF_o6h4Cs6VW6Z/view?usp=sharing

So when the PDF is opened in A.Reader (Continuous release), it says the certificate is invalid, as "Changes have been made to this document that rendered the signature invalid".

But I can't see what is wrong. Only a signature (certificate) was added with our own application, which adds correct signatures for thousands of other PDFs. No other changes were performed. Verifying the hash with our own code or using PDFBox2 with the following code says the signature is valid (true).

Using this code to verify:

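    // Imports needed by this snippet (Commons IO, PDFBox 2, Bouncy Castle)
    import java.io.File;
    import org.apache.commons.io.FileUtils;
    import org.apache.pdfbox.pdmodel.PDDocument;
    import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
    import org.bouncycastle.cert.X509CertificateHolder;
    import org.bouncycastle.cms.CMSProcessableByteArray;
    import org.bouncycastle.cms.CMSSignedData;
    import org.bouncycastle.cms.SignerInformation;
    import org.bouncycastle.cms.SignerInformationVerifier;
    import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
    import org.bouncycastle.jce.provider.BouncyCastleProvider;

    byte[] pdfByte;
    PDDocument pdfDoc = null;
    SignerInformationVerifier verifier = null;
    try
    {
        pdfByte = FileUtils.readFileToByteArray(new File(FOLDEROUT, "Example-link-fails.pdf"));
        pdfDoc = PDDocument.load(new File(FOLDEROUT, "Example-link-fails.pdf"));
        // pdfDoc = Loader.loadPDF(new ByteArrayInputStream(pdfByte));
        PDSignature signature = pdfDoc.getSignatureDictionaries().get(0);

        // CMS container from /Contents and the bytes covered by /ByteRange
        byte[] signatureAsBytes = signature.getContents();
        byte[] signedContentAsBytes = signature.getSignedContent(pdfByte);
        CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(signedContentAsBytes), signatureAsBytes);
        SignerInformation signerInfo = (SignerInformation) cms.getSignerInfos().getSigners().iterator().next();
        X509CertificateHolder cert = (X509CertificateHolder) cms.getCertificates().getMatches(signerInfo.getSID())
                .iterator().next();
        verifier = new JcaSimpleSignerInfoVerifierBuilder().setProvider(new BouncyCastleProvider()).build(cert);

        // Checks the signature value and message digest only; prints true for this file
        boolean verifyRt = signerInfo.verify(verifier);
        System.out.println("Verify result: " + verifyRt);
    }
    finally
    {
        if (pdfDoc != null)
        {
            pdfDoc.close();
        }
    }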

So why is A.Reader complaining?

Remark: Other PDFs with link are accepted by A.Reader so clueless right now.

Any help much appreciated (getting (slowly) crazy) :-(


Solution

  • There is an error in your page annotations array:

    1 0 obj 
    <<
      /Annots [24 0 R 39 0 R ] 
      /CropBox [0 0 612 792 ] 
      /Type /Page
      ...
    >>
    endobj
    39 0 obj 
    [38 0 R ] 
    endobj
    

    This obviously is incorrect: the Annots array shall contain indirect references to the annotations associated with the page, not to nested arrays.

    Errors like this can make Adobe Acrobat try to fix the PDF (in memory) upon loading, and such fixes can cause signature validation to fail.
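
The structural defect described in the answer can be checked for before a document is signed. The following is an added example, not part of the original answer or of PDFBox itself: it uses the PDFBox 2 COS API to confirm that every `/Annots` entry resolves to a dictionary, and the class and method names are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.PDPage;

// Hypothetical pre-signing check (name is an assumption, not from the answer).
public class AnnotsArrayCheck {

    /** Returns one message per /Annots problem; an empty list means the pages look sane. */
    static List<String> findBadAnnots(PDDocument doc) {
        List<String> problems = new ArrayList<>();
        int pageNo = 0;
        for (PDPage page : doc.getPages()) {
            pageNo++;
            COSBase annots = page.getCOSObject().getDictionaryObject(COSName.ANNOTS);
            if (annots == null) {
                continue; // page has no annotations
            }
            if (!(annots instanceof COSArray)) {
                problems.add("page " + pageNo + ": /Annots is not an array");
                continue;
            }
            COSArray array = (COSArray) annots;
            for (int i = 0; i < array.size(); i++) {
                // getObject() follows indirect references such as "39 0 R"
                COSBase entry = array.getObject(i);
                if (!(entry instanceof COSDictionary)) {
                    String kind = entry == null ? "null" : entry.getClass().getSimpleName();
                    problems.add("page " + pageNo + ": /Annots[" + i + "] resolves to "
                            + kind + ", expected an annotation dictionary");
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        List<String> problems;
        try (PDDocument doc = PDDocument.load(new File(args[0]))) {
            problems = findBadAnnots(doc);
        }
        problems.forEach(System.out::println);
        System.exit(problems.isEmpty() ? 0 : 1); // non-zero exit: do not sign this file
    }
}
```

For the page object quoted in the answer, the second entry (`39 0 R`) resolves to an array, so the check reports it and exits non-zero.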