iText pdf完整性检查

Question

I have a pdf file, where:

• Rev. 1 contains document timestamp
• after timestamping some text was added without creating the new revision
• in Rev. 2 document was signes

Here is from Signatures panel

How validate pdf integrity with iText 5? I want to detect, that someone change document after timestamp (between Rev.1 and Rev.2, or after Rev. 2).

Is it possible with iText 5 detect document changes which way as Adobe Acrobat this evaluates, as shown in the screen:

• 'Document has been altered or corrupted since it was signed.'
• '2 Pages(s) Modified'

Pseudo JAVA code below, always returns Integrity check OK? true for Rev.1 timestampField

 PdfReader reader = new PdfReader("C:/tstEditSign.pdf");
 AcroFields acro = reader.getAcroFields();
 PdfPKCS7 pkcs7 = acro.verifySignature("timestampField");
 System.out.println("Integrity check OK? " + pkcs7.verify());

Thanks for any help or hint, how to resolve this issue.

Answer 1

Please be aware that there two ways the integrity of an integrated PDF signature can be violated:

• The range of bytes in the PDF it signs is actually changed.
• Additions in incremental updates after the range of bytes it signs introduce disallowed changes.

iText can recognize the first type of change (using code like your pseudocode) but it cannot out of the box differentiate allowed and disallowed changes in incremental updates.

Backgrounds

A PDF with multiple signatures has a structure like in this image: The signature in the original version, signature1, only signs the bytes of this original version. signature2 then signs the original version plus the changes for version 2 etc. (For details read here and here .)

But according to the PDF specifications only a limited set of changes are allowed to be applied by the later versions, and this set of changes can depend on properties of the original signature. (For details read here .)

Your code, in particular the pkcs7.verify() , only checks whether a signature still correctly signs the bytes it applies to. It does not check, though, whether the kind of changes introduced by later additions are allowed by the first signature.

Actually I'm not aware of any non-Adobe software executing that check, and even Adobe's checks are not perfect: They are biased towards recognizing allowed changes only if they are applied in a way akin to how Adobe software would have applied it. This sometimes results in contradicting statements, eg both

• Some of the changes that have been made to this document since this signature was applied are not permitted by the document author.
• There have been no changes made to this document since this signature was applied.

in

Implementing a check for (dis)allowed changes

While iText does not offer this check out of the box, it does offer you a base framework upon which you can try and implement it yourself. In particular you can retrieve each complete signed revision of the document and compare their structures on the level of simple PDF objects.

Unfortunately the allowed and disallowed changes are described only in terms of how the document looks like in a viewer or which behaviors it has, not in terms of which exact low level object additions are allowed. This will make the endeavor highly non-trivial.