使用iText7签名的PDF/A允许更改附件文档而不会破坏签名 [英] PDF/A signed with iText7 allows changing attached documents without breaking a signature
问题描述
我已经使用iText7创建了PDF/A文档.创建的文档带有附件().附件是一个.csv文件.然后整个PDF/A已签名.我打开了附件.csv文件,并在对其签名后对其进行了更改.我已经使用以下代码来验证签名:
I have created a PDF/A document using iText7. The created document has an attachment (). The attachment is a .csv file. Then the whole PDF/A has been signed. I have opened the attached .csv file and changed it after I have signed it. I have used following code to verify the signature:
public PdfPKCS7 verifySignature(SignatureUtil util, String name) throws GeneralSecurityException, IOException {
System.out.println("Signature covers whole document: " + util.signatureCoversWholeDocument(name));
System.out.println("Document revision: " + util.getRevision(name) + " of " + util.getTotalRevisions());
PdfPKCS7 pkcs7 = util.verifySignature(name);
System.out.println("Integrity check OK? " + pkcs7.verify());
return pkcs7;
}
我原本希望完整性检查返回错误,但是我得到了:
I would have expected that integrity check returned error, but I got:
Signature covers whole document: false
Document revision: 1 of 2
Integrity check OK? true
这是预期的iText行为吗?我是否误解了签名的意图?我希望整个文档都可以锁定以进行更改(如果允许的话,可以填写表格或注释).
Is this intended iText behavior and did I misunderstand the intention of a signature? I would expect the WHOLE document to be locked for changes (apart from filling forms or annotations if those are allowed).
如果我要禁止更改附件,用附件对PDF进行签名的最佳方法是什么?
What would be the best way to go about signing PDF with attachments in case I want to prohibit attachment changes?
推荐答案
要了解此处发生的情况,您必须知道有多种将更改保存到PDF的方法:
To understand what happens here you have to know that there are multiple ways to save changes to a PDF:
-
您可以像将其作为一个新文档一样简单地保存操作过的PDF.这样做通常会更改已签名的字节,从而使您运行的完整性检查失败.
或者您可以将更改添加为所谓的增量更新,即将其附加到PDF.这样做不会更改有符号的字节范围,从而使您成功执行的完整性检查.
Or you can add the changes as a so-called incremental update, i.e. append them to the PDF. Doing so will not change the signed byte range making the integrity check you ran succeed.
在您的情况下,已使用增量更新保存了编辑内容.这不会更改带符号的字节.因此,完整性检查将成功,因为它仅检查签名是否仍正确地对原始签名的字节范围进行签名.
In your case the edit has been saved using an incremental update. This does not change the signed bytes; thus, the integrity check will succeed because it only checks whether the signature still correctly signs the originally signed byte ranges.
另一方面,覆盖率检查(您的signatureCoversWholeDocument呼叫)通知您有关签名不再涵盖整个文档.因此,您知道更改已作为增量更新附加.
The coverage check (your signatureCoversWholeDocument call) on the other hand informs you that the signature in question does not cover the whole document anymore. Thus, you know that changes have been appended as incremental updates.
不幸的是,iText尚未提供高级API来确定增量更新引入的更改的性质(不过,iText低级API可以用作实现此类API的基础).
Unfortunately iText does not yet offer a high level API to determine the nature of the changes introduced by an incremental update (the iText low level APIs can be used as a base upon which to implement such an API, though).
对于集成PDF签名的某些背景,您可能需要阅读此答案以及从中引用的文档.
For some backgrounds on integrated PDF signatures you may want to read this answer and the documents referenced from there.
我希望整个文档都将被锁定以进行更改(如果允许的话,除了填写表格或注释外).
I would expect the WHOLE document to be locked for changes (apart from filling forms or annotations if those are allowed).
从技术上讲,您可以在增量更新中添加任何类型的更改.增量更新不仅用于存储对签名文档的允许更改,还可以在没有签名的情况下使用,例如在PDF中保留修订历史记录,或(单独保存)以允许在WORM设备上有效地存储PDF编辑内容.
Technically you can add any kind of changes in an incremental update. Incremental updates are not only for use in storing allowed changes to signed documents, they can be used without signatures, too, e.g. to keep a revision history in the PDF or (saved separately) to allow resource efficient storage of PDF edits on WORM devices.
因此,要确定是否允许对PDF进行更改,验证程序必须分析增量更新中的添加内容.
Thus, to determine whether changes to a PDF are allowed or not, the validator has to analyze the additions in the incremental updates.
这篇关于使用iText7签名的PDF/A允许更改附件文档而不会破坏签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
