[Proposal/Issue] More about Digital signatures #648

Open
nichierichetti opened this issue Sep 18, 2023 · 7 comments

@nichierichetti

nichierichetti commented Sep 18, 2023

I managed to build up a system to digitally sign documents using TCPDF, and it works great!

The problem is that:

  • I can only manage PDFs that are version 1.4 or earlier
  • digital signature is not in ETSI.CAdES.detached (which is the requirement nowadays)
  • multiple signatures support (now, TCPDF basically creates a new PDF and then signs it, so all the previous metadata and signatures are lost)

It would be great if this could be implemented, as TCPDF is basically the only remaining free library that allows digital signature!

@williamdes
Contributor

Can you open a PR for it?
Not sure it will be accepted since TCPDF is in maintenance mode, but it's worth contributing it back and having reviews.
Maybe have a look at #617, it may be related.

@nichierichetti
Author

@williamdes sadly I don't know how to handle it. It was just a proposal, but I have no idea how to solve it at the moment :/

@williamdes
Contributor

Okay, do you use git?
If not, post your files or changes here and I will try to make a pull request for them if I find time.

@pr-apes

pr-apes commented Nov 2, 2023

@nichierichetti,

just in case it might help, allow me some comments.

I'm not a TCPDF user (but I have received PDF documents generated with TCPDF and they are problematic).

To your first issue, from the received PDF document metadata (which I cannot share):

Created: 20/10/2023 11:30:44
Modified: 20/10/2023 11:30:44
PDF Producer: TCPDF 6.4.4 (http://www.tcpdf.org)
PDF Version: 1.7

Also https://tcpdf.org/files/examples/example_052.pdf seems to be PDF-1.7.

Sorry, but what you mean is that TCPDF does allow you to sign source documents up to version 1.4, don't you?

To your second issue, the requirement seems to be found on the first part of the PAdES specification and its second part (this is just for reference).

If I'm not wrong, TCPDF only provides a certification signature. According to the freely-accessible PDF specification, PDF documents may contain the following signature types:

  • As many as desired approval signatures.
  • At most, a single certification signature.
  • At most, two usage rights signatures.

Multiple signatures would require that signatures are approval signatures (the standard ones for the rest of us).

For some reason (unknown to me), @nicolaasuni seems to have explicitly avoided this.

For me, a single signature would be fine, but the problem is that the certification signatures generated by TCPDF cannot be correctly validated by Acrobat.

@williamdes, would you be so kind to check what might be wrong with #234?

Sorry, PHP is unknown to me and this is also the first time I'm confronted with a certification signature.

Many thanks for your help.
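
Added example, not part of the thread and not TCPDF code: the comment above turns on three properties that can be read from a signed PDF, namely the header version, each signature's `/SubFilter` (for example `ETSI.CAdES.detached`), and whether a signature is a certification signature (it carries a `DocMDP` transform) or an approval signature. The Python script below reports them; `inspect_signatures` and `SAMPLE` are hypothetical names and the sample bytes are constructed.

```python
import re

# Constructed sample (not from the thread): an uncompressed fragment shaped
# like a PDF carrying one certification signature and one approval signature.
SAMPLE = (
    b"%PDF-1.7\n"
    b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
    b" /SubFilter /adbe.pkcs7.detached /Contents <00>"
    b" /Reference [ << /Type /SigRef /TransformMethod /DocMDP"
    b" /TransformParams << /P 2 /V /1.2 >> >> ] >>\nendobj\n"
    b"9 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
    b" /SubFilter /ETSI.CAdES.detached /Contents <00> >>\nendobj\n"
)

HEADER = re.compile(rb"%PDF-(\d\.\d)")
OBJECT = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
SIG_DICT = re.compile(rb"/Type\s*/Sig\b")          # does not match /SigRef
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9_.]+)")
TRANSFORM = re.compile(rb"/TransformMethod\s*/(\w+)")
KINDS = {b"DocMDP": "certification", b"UR": "usage rights", b"UR3": "usage rights"}


def inspect_signatures(pdf: bytes) -> dict:
    """Heuristic byte scan; objects inside compressed streams are not seen."""
    header = HEADER.search(pdf[:1024])
    report = {"version": header.group(1).decode() if header else None,
              "signatures": []}
    for number, body in OBJECT.findall(pdf):
        if not SIG_DICT.search(body):
            continue
        subfilter = SUBFILTER.search(body)
        methods = set(TRANSFORM.findall(body))
        # No DocMDP/UR transform means an ordinary approval signature.
        kind = next((KINDS[m] for m in methods if m in KINDS), "approval")
        report["signatures"].append({
            "object": int(number),
            "subfilter": subfilter.group(1).decode() if subfilter else None,
            "kind": kind,
        })
    return report


if __name__ == "__main__":
    for sig in inspect_signatures(SAMPLE)["signatures"]:
        print(sig)
```

The scan only classifies what the file declares; it does not verify the signature or the certificate chain, which still needs a validating reader.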

@williamdes
Contributor

Hi @pr-apes
Thank you for this nice summary

> @williamdes, would you be so kind to check what might be wrong with #234?

I have very limited time nowadays, I cannot search this subject. Maybe other users can do it.

@pr-apes

pr-apes commented Dec 28, 2023

Hi @williamdes,

on further inspection, the PDF document that originated the report may have an issue with the signing certificate (there may be no issue with TCPDF).

But I have received a PDF document with undecidable validity for the certificate hierarchy, which I suspect might be caused by the way TCPDF is writing the signature (I'm afraid I cannot share that document).

Maybe a way to test the undecidable validity of certificates would be to generate a root certificate and another certificate signed by the first.

I will have to learn how to generate both certificates, but I don't have access to any version of TCPDF. I cannot install it either.

If I provide both root and signing certificate, could you use them to sign with current TCPDF?

Many thanks for your help and best wishes for 2024.

@pr-apes

pr-apes commented Mar 27, 2024

@williamdes,

as already mentioned in #234 (comment), my previous comment makes no sense.

Certification signatures are fine (in regard to #234), although they are extremely tricky.

@nichierichetti,

please consider implementing just approval signatures, since they are way more usable for the rest of us.

I don't mean it in TCPDF, but in the new project (sorry, I cannot check its name now).

Many thanks for your help and your code.
