Why is one of these two itext 7 signed and validat

2019-02-28 21:04发布

问题:

I've two pdf documents certified (signed and validated with the same mechanism based on Itext 7 ) and when i use adobe reader DC to check their validity, only one has the green mark.

the good one: https://1drv.ms/b/s!AkF6t4TavwMvgxWaidlUqvPvHH1r

the bad one: https://1drv.ms/b/s!AkF6t4TavwMvgxQCMdGY61S1EvUh

Regards

David L

回答1:

This is not an Adobe bug, it's a feature. (And an iText bug)

When Adobe performs the cryptographic validation, it will also perform additional checks to see if a signature was attacked or not. It analyses several suspects and if that analysis turns out negative, Adobe will show you an error message. This is Adobe misreporting the analysis and validity. However, there is a work around for these hidden requirements.

First of, iText was used in non-append mode to modify the document:

Unfortunately, in specific cases iText 7, when used in non-append mode, introduces changes that are disallowed by the specification. The issue is that iText introduces subsections. That is something the specification allows you to do, but this is explicitly disallowed for the first revision:

Section 7.5.4 Cross-Reference Table [...] For a file that has never been incrementally updated, the cross-reference section shall contain only one subsection, whose object numbering begins at 0. [...]

Below you'll find the xref of the first revision after iText was used in non-append mode, every colored rectangle is a new subsection. To be compliant there should only be one rectangle.

This will be fixed in the upcoming 7.0.4 release, planned for end of July.



回答2:

Since multiple other tools validate these two documents without any issue ...we may think that's an adobe reader bug.

In particular as Adobe Acrobat is itself is torn: