diff --git a/poppler/Form.cc b/poppler/Form.cc
index c5b7078..c7f18f5 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -1433,7 +1433,7 @@ void FormFieldSignature::parseInfo()
 // check if subfilter is supported for signature validation, only detached signatures work for now
 sig_dict.dictLookup("SubFilter", &subfilterName);
- if (subfilterName.isName("adbe.pkcs7.detached")) {
+ if (subfilterName.isName("adbe.pkcs7.detached") || subfilterName.isName("adbe.pkcs7.sha1")) {
 signature_info->setSubFilterSupport(true);
 }
diff --git a/poppler/SignatureHandler.cc b/poppler/SignatureHandler.cc
index c741958..861c7fa 100644
--- a/poppler/SignatureHandler.cc
+++ b/poppler/SignatureHandler.cc
@@ -193,7 +193,8 @@ NSSCMSSignerInfo *SignatureHandler::CMS_SignerInfoCreate(NSSCMSSignedData * cms_
 if (!signerInfo) {
 printf("Error in NSS_CMSSignedData_GetSignerInfo()\n");
 return NULL;
- } else {
+ }
+ else {
 return signerInfo;
 }
 }
@@ -219,10 +220,33 @@ NSSCMSVerificationStatus SignatureHandler::validateSignature(unsigned char *sign
 if ((NSS_CMSSignerInfo_GetSigningCertificate(CMSSignerInfo, CERT_GetDefaultCertDB())) == NULL) CMSSignerInfo->verificationStatus = NSSCMSVS_SigningCertNotFound;
- if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, NULL) != SECSuccess) {
+ if (CMSSignedData->contentInfo.content.data != NULL)
+ {
+ /*
+ This means it's not a detached type signature
+ so the digest is contained in SignedData->contentInfo
+ */
+ if(memcmp(digest.data, CMSSignedData->contentInfo.content.data->data, hash_length) == 0
+ && digest.len == CMSSignedData->contentInfo.content.data->len)
+ {
+ PORT_Free(digest_buffer);
+ return NSSCMSVS_GoodSignature;
+ }
+ else
+ {
+ PORT_Free(digest_buffer);
+ return NSSCMSVS_DigestMismatch;
+ }
+
+ }
+ else if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &digest, NULL) != SECSuccess)
+ {
+ PORT_Free(digest_buffer);
 return CMSSignerInfo->verificationStatus;
- } else {
+ }
+ else
+ {
 PORT_Free(digest_buffer);
 return NSSCMSVS_GoodSignature;
 }
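Review bot: The comment above the changed condition in FormFieldSignature::parseInfo() still says "only detached signatures work for now", which is no longer true once `adbe.pkcs7.sha1` is accepted. That subfilter ties the byte-range digest to SHA-1, so it is worth stating in the comment that both subfilters are reported as supported and that the second one is the weaker, SHA-1-bound form. A wording such as `// adbe.pkcs7.detached and adbe.pkcs7.sha1 are validated; the latter carries a SHA-1 digest of the byte range as the signed content` would do. The function body starts and ends outside the hunk.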
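Review bot: In the validateSignature hunk of SignatureHandler.cc, the new non-detached branch returns `NSSCMSVS_GoodSignature` as soon as the computed digest equals the embedded content, without ever calling `NSS_CMSSignerInfo_Verify`. A match therefore only shows that the embedded bytes equal the byte-range hash, not that the signer's key signed them, and the `NSSCMSVS_SigningCertNotFound` status set just above is discarded on this path. The comparison also runs `memcmp` over `hash_length` bytes before the length check, so an embedded item shorter than the hash is read past its end; the length test should come first. The branch should still go through signer verification after the digest match, as sketched below; the digest to pass is presumably one computed over the embedded content, which needs confirming against the NSS API. The function starts and ends outside the hunk.

```cpp
  if (CMSSignedData->contentInfo.content.data != NULL)
  {
    SECItem *embedded = CMSSignedData->contentInfo.content.data;
    // Compare lengths before memcmp so a short embedded item is never over-read.
    if (embedded->data == NULL || embedded->len != digest.len
        || memcmp(digest.data, embedded->data, digest.len) != 0)
    {
      PORT_Free(digest_buffer);
      return NSSCMSVS_DigestMismatch;
    }
    // The byte-range digest matches the signed content; the signature over that
    // content must still verify before NSSCMSVS_GoodSignature is reported.
    // … hash embedded->data with the signer's digest algorithm into content_digest …
    if (NSS_CMSSignerInfo_Verify(CMSSignerInfo, &content_digest, NULL) != SECSuccess)
    {
      PORT_Free(digest_buffer);
      return CMSSignerInfo->verificationStatus;
    }
    PORT_Free(digest_buffer);
    return NSSCMSVS_GoodSignature;
  }
  // … unchanged: detached-signature branch calling NSS_CMSSignerInfo_Verify …
```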