[Bug]: Digital Signature Validation - chain validation through custom root certificate #2414

Open
1 task done
dipak-progrc opened this issue Dec 7, 2024 · 5 comments

Comments

@dipak-progrc

Installation Method

Docker

The Problem

Hi, thank you for adding the Digital Signature Validation feature in Stirling-PDF.

I tried using the Digital Signature Validation feature, and I found that the default Root Trust Certificates are from Mozilla NSS. I believe Mozilla NSS is not a suitable Trust List for validating digital signatures on PDF documents. I'd instead suggest shipping either the Adobe Approved Trust List (AATL), the European Union Trust List (EUTL), or both as the Root Trust List.

However, the feature has an option to supply a custom certificate for validation. I observed that the validation of the file and chain succeeds only if the custom certificate is the Issuer of the Signer.

Take for example -
[ Document ] - signed by A - issued by B - issued by C - issued by D(self signed root)

Now, if I provide Document + certificate D to the Validator, then it fails validation.
But if I provide Document + certificate B to the Validator, then it passes validation.

This scenario, where a document is signed with a complete chain and the root of the chain is not present in the shipped Mozilla NSS, can be fairly common. And validating a file against a custom Root Certificate would be a better option than a custom issuer certificate.

As a part of resolution of the bug, I'd suggest implementing --

  1. Inclusion of AATL: The complete trust list is published and regularly updated on this URL. The URL provides a signed PDF file, with an attached file named "SecuritySettings.xml". The XML file has all the latest Root Certificates in AATL.
  2. Update the Custom Certificate based Validation logic to validate the file+chain if the custom certificate matches any certificate in the chain, including the immediate signer.

Version of Stirling-PDF

0.36.0

Last Working Version of Stirling-PDF

No response

Page Where the Problem Occurred

No response

Docker Configuration

No response

Relevant Log Output

No response

Additional Information

No response

Browsers Affected

No response

No Duplicate of the Issue

  • I have verified that there are no existing issues raised related to my problem.
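
One way to express the second suggestion above (accept the custom certificate when it matches any certificate in the chain, including the signer), using the JDK's PKIX path builder. This is an added example, not Stirling-PDF's code; the class and method names are hypothetical, and it assumes the certificates embedded in the PDF signature have already been extracted, signer first.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;

// Added illustration, not Stirling-PDF code; class and method names are hypothetical.
public class CustomAnchorCheck {

    // embedded: certificates carried in the PDF signature, signer first (assumed already
    // extracted). Throws CertPathBuilderException if customCert does not anchor the chain.
    static CertPath pathToCustomAnchor(List<X509Certificate> embedded,
                                       X509Certificate customCert) throws Exception {
        X509Certificate signer = embedded.get(0);
        if (signer.equals(customCert)) {
            // The custom certificate is the signer itself: trusted directly, empty path.
            return CertificateFactory.getInstance("X.509")
                    .generateCertPath(Collections.<X509Certificate>emptyList());
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        // The custom certificate is the only trust anchor. It may be the root (D) or
        // an intermediate (B, C): a PKIX trust anchor need not be self-signed.
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(customCert, null)), target);
        // The embedded intermediates let the builder bridge A -> B -> C -> D.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(embedded)));
        params.setRevocationEnabled(false); // no CRL/OCSP lookups in this example
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    // Usage: java CustomAnchorCheck custom.pem signer.pem [intermediate.pem ...]
    public static void main(String[] args) throws Exception {
        if (args.length < 2) throw new IllegalArgumentException("need custom + signer");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (String path : args) {
            try (InputStream in = new FileInputStream(path)) {
                certs.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        X509Certificate custom = certs.remove(0);
        try {
            int n = pathToCustomAnchor(certs, custom).getCertificates().size();
            System.out.println("chain reaches the custom certificate; path length " + n);
        } catch (CertPathBuilderException e) {
            System.out.println("chain does not reach the custom certificate: " + e.getMessage());
        }
    }
}
```

The builder checks validity periods against the current time unless `params.setDate(...)` is set, and this covers only the certificate chain, not verification of the PDF signature itself.
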
@Frooodle
Member

Frooodle commented Dec 7, 2024

Very good points, thanks for raising this

I will enhance for all the above

@Frooodle
Member

Frooodle commented Dec 7, 2024

Do you know if the acrobatsecuritysettings file is available in any other formats?

@Frooodle
Member

Frooodle commented Dec 7, 2024

Never mind, I was able to parse it

@dipak-progrc
Author

@Frooodle, no, I have not seen any other formats.

I'd like to add that the AATL URL is not officially provided by Adobe for this purpose. I happened to find the URL while looking at strings in the Adobe Acrobat Reader binary. But I have observed it to be stable over the last few years' releases of Adobe Acrobat Reader. Sorry, I should have put it out earlier in the original bug report while sharing the link.

@Frooodle
Member

Frooodle commented Dec 7, 2024

Hmmm, I'll have to check if I am allowed to use this file and what license it falls under then
