iText detached signature meaning

Could you please explain to me in more detail, giving an example at the end (one for attached and one for detached), what iText detached signatures exactly mean?

I found this great documentation: iText pdf digital signature about iText digital signatures, but I'm still not sure I understand the concept of an iText detached signature.

Reading the documentation (see link), I found this definition:

In PDF, we sometimes refer to a detached signature. According to Wikipedia, a detached signature is a type of digital signature that is kept "separate from its signed data, as opposed to bundled together into a single file." This definition is not entirely correct in the context of a PDF: the signature is enclosed in the PDF file, but the signature attributes are part of the signature, not stored in the signature dictionary.

where it is not clear to me what "signature attributes" means (which signature attributes does it refer to?).

Note that the author of the article (the iText documentation) works with these snippets of the signed PDF file:

%PDF-1.4
%âãÏÓ
3 0 obj
<</F 132/Type/Annot/Subtype/Widget/Rect[0 0 0 0]/FT/Sig
/DR<<>>/T(signature)/V 1 0 R/P 4 0 R/AP<</N 2 0 R>>>>
endobj
1 0 obj
<</Contents <0481801e6d931d561563fb254e27c846e08325570847ed63d6f9e35 ... b2c8788a5>
/Type/Sig/SubFilter/adbe.pkcs7.detached/Location(Ghent)/M(D:20120928104114+02'00')
/ByteRange [0 160 16546 1745 ]/Filter/Adobe.PPKLite/Reason(Test)/ContactInfo()>>
endobj
...
9 0 obj
<</Length 63>>stream
q
BT
36 806 Td
0 -18 Td
/F1 12 Tf
(Hello World!)Tj
0 0 Td
ET
Q
endstream
endobj
...
11 0 obj
<</Type/Catalog/AcroForm<</Fields[3 0 R]/DR<</Font<</Helv 5 0 R
/ZaDb 6 0 R>>>>/DA(/Helv 0 Tf 0 g )/SigFlags 3>>/Pages 10 0 R>>
endobj
xref
0 12
0000000000 65535 f
...
0000017736 00000 n
trailer
<</Root 11 0 R/ID [<08ed1afb8ac41e841738c8b24d592465><bd91a30f9c94b8facf5673e7d7c998dc>]/Info 7 0 R/Size 12>>
startxref
17879
%%EOF

1 answer


While the white paper you pointed out, Bruno Lowagie's Digital Signatures for PDF Documents, really is a must-read for anyone trying to create integrated PDF signatures using iText (and a good source of information even if you don't use iText), I agree that its explanation for the use of the word "detached" in "detached PDF signature" doesn't really hit the mark:

NOTE: In PDF, we sometimes refer to a detached signature. According to Wikipedia, a detached signature is a type of digital signature that is kept "separate from its signed data, as opposed to bundled together into a single file." This definition is not entirely correct in the PDF context: the signature is enclosed in the PDF file, but the signature attributes are part of the signature rather than stored in the signature dictionary.

First of all, calling these signatures "detached" is not a term enforced by any current specification. The reason we do so is that the identifier used in the signature dictionaries of such signatures (adbe.pkcs7.detached or ETSI.CAdES.detached) contains this word.

So the question really should be: why do these identifiers contain the word "detached"?

To understand this, you need to know that originally there were two types of integrated PDF signatures that embed a PKCS#7 signature container into the PDF, identified by adbe.pkcs7.detached and adbe.pkcs7.sha1 respectively.

The difference between these two types of signatures is that

  • for adbe.pkcs7.sha1 signatures, the SHA1 digest of the signed PDF byte ranges is calculated and embedded in the ContentInfo structure of the signature container, and this embedded data packet is signed the PKCS#7 way;
  • for adbe.pkcs7.detached signatures, on the other hand, the ContentInfo structure of the signature container remains empty and the signed byte ranges of the external document are signed the PKCS#7 way.

So in the case of adbe.pkcs7.sha1 signatures, the actual signed data is embedded in the container, and in the case of adbe.pkcs7.detached there is no actual signed data in the container.

Thus, at the PKCS#7 signature level, the signed data and the signature are detached from each other in the latter case.

(The fact that signing the PKCS#7 way can, and typically does, involve calculating a hash of the signed data, adding that hash to a set of so-called authenticated attributes, and ultimately signing those authenticated attributes shouldn't distract us.)

The other type of detached signature (ETSI.CAdES.detached) is built similarly to adbe.pkcs7.detached containers. The differences between the two are mainly in the profiling of additional container attributes.

The argument in the white paper regarding the attributes that are part of the signature container actually illustrates the difference between all the signature types mentioned above and adbe.x509.rsa_sha1 signatures, which are the third original integrated PDF signature type. This type is not based on signature containers but on bare signatures; thus any additional information in this case has to be stored in its own structures in the PDF.
