Is this PDF digitally signed correctly? PHP/TCPDF

I'm updating a project for my company and there is a section where we need to digitally sign a pdf with our certificate file. In this case, I should change the script that signs this pdf using an updated library from PHP.

In the old code, we were using another script to make that happen, and we had to use a .p12 file + a string. Using this old script, when you open the created pdf with Acrobat Reader DC we get the following image, where you can see that it says "Signed and all signatures are valid".

In the new script, I'm using the following example:

https://tcpdf.org/examples/example_052/

To be able to apply this example with my certificate, I had to convert my pfx certificate file (".p12") to 2 kinds of ".pem" through the following command lines:

openssl pkcs12 -in myOldCertificate.p12 -clcerts -nokeys -out publicCert.pem -> asked me "Enter Import Password"

openssl pkcs12 -in myOldCertificate.p12 -nocerts -out privateKey_cert.pem -> asked me "Enter Import Password" and also for "Enter PEM pass phrase"

So finally, I just changed the line 89 from the downloaded example 52.

// set document signature

$pdf->setSignature('file:///var/www/html/publicCert.pem', 'file:///var/www/html/privateKey_cert.pem', 'xxxxxx', '', 2, $info); -> In the 'xxxxx' I wrote the same string as the Import password and, just in case, also the same for PEM pass phrase.

And when I create the digitally signed pdf and open it with Acrobat Reader DC, you can see the following image:

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid. You have to think that I will need the most secure way to verify the authenticity and the integrity of this pdf.

Ricard Espinàs Llovet asked Jul 06 '18 11:07


1 Answer

The PDF format supports two types of user signatures:

  • approval signatures and
  • certification signatures.

Certification signatures in addition to signing the document also select which changes to the document shall be allowed after signing; approval signatures merely sign.

Usually the author of a document signs it using a certification signature to indicate that he is the author of the document and allows only certain additions to it (e.g. form fill-ins). A document certified in this way is then forwarded to other parties who (probably after form fill-ins) sign the document using an approval signature to indicate that they approve the document contents including their additions.

Your old code applied an approval signature while your new code applies a certification signature allowing "only form fill-in, signing, and page adding actions".

Concerning your worries

My worry is because I can see that says "Certified by My company certification" and seems all ok but there is not green tick and I'm not sure if it's completely valid.

Other than the difference described above, the certification signature is just as valid as the approval signature. As an overview of the meanings of the signature status bar icons, have a look here:

Acrobat signature validation cheat sheet

(This cheat sheet is for Adobe Acrobat and Reader 9; meanwhile the color of the certification ribbon has changed from blue to black but its meaning is still the same)


If you strictly want to go back to an approval signature, try extending the line

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);

in the example code with another parameter to

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info, 'A');

which should (at first glance at the TCPDF sources) cause the code to create approval signatures.

mkl answered Oct 13 '22 09:10
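
The difference the answer describes is visible in the file itself: the signature dictionary of a certification signature carries a DocMDP transform with a /P permission level, while that of an approval signature does not. The Python script below is an added example, not part of the original answer or of TCPDF; the two sample objects are constructed, and the regex scan assumes the signature dictionary is stored as a plain, uncompressed object.

```python
import re

# DocMDP /P levels for certification signatures (PDF specification).
DOCMDP_LEVELS = {
    1: "no changes allowed",
    2: "form fill-in and signing allowed",
    3: "form fill-in, signing and annotations allowed",
}
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
SIG_RE = re.compile(rb"/Type\s*/Sig\b")
DOCMDP_RE = re.compile(rb"/TransformMethod\s*/DocMDP\b")
PARAMS_RE = re.compile(rb"/TransformParams\s*<<(.*?)>>", re.S)
P_RE = re.compile(rb"/P\s+(\d)")

# Constructed sample objects (not taken from a real signed file).
APPROVAL = (b"12 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
            b"/SubFilter /adbe.pkcs7.detached "
            b"/ByteRange [0 100 200 50] /Contents <00> >>\nendobj\n")
CERTIFIED = APPROVAL.replace(
    b" >>\nendobj",
    b" /Reference [ << /Type /SigRef /TransformMethod /DocMDP "
    b"/TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >> ] >>\nendobj")


def classify_signatures(pdf: bytes):
    """Return [(object_number, kind, detail)] for each signature dictionary.

    Heuristic: only sees signature dictionaries written as plain objects
    with an inline /Reference array; use a PDF parser for anything else.
    """
    results = []
    for num, body in OBJ_RE.findall(pdf):
        if not SIG_RE.search(body):
            continue
        if DOCMDP_RE.search(body):
            params = PARAMS_RE.search(body)
            p = P_RE.search(params.group(1)) if params else None
            level = int(p.group(1)) if p else 2  # /P defaults to 2 when absent
            detail = DOCMDP_LEVELS.get(level, "unknown /P value")
            results.append((int(num), "certification", detail))
        else:
            results.append((int(num), "approval", "no DocMDP transform"))
    return results


if __name__ == "__main__":
    for sample in (APPROVAL, CERTIFIED):
        print(classify_signatures(sample))
```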