Summary: | Certificate chain from PDF digital signature back to trusted root certificate not verified? | ||
---|---|---|---|
Product: | poppler | Reporter: | Sebastian Rasmussen <sebras> |
Component: | general | Assignee: | poppler-bugs <poppler-bugs> |
Status: | RESOLVED MOVED | QA Contact: | |
Severity: | normal | ||
Priority: | medium | CC: | aguerreiro1985, brian, sebras |
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
i915 platform: | i915 features: |
Description
Sebastian Rasmussen
2017-01-11 18:04:15 UTC
Adding Andre as he appear to be the one developing the certificate related code. Having a look at this enum SignatureValidationStatus { SIGNATURE_VALID, SIGNATURE_INVALID, SIGNATURE_DIGEST_MISMATCH, SIGNATURE_DECODING_ERROR, SIGNATURE_GENERIC_ERROR, SIGNATURE_NOT_FOUND, SIGNATURE_NOT_VERIFIED }; enum CertificateValidationStatus { CERTIFICATE_TRUSTED, CERTIFICATE_UNTRUSTED_ISSUER, CERTIFICATE_UNKNOWN_ISSUER, CERTIFICATE_REVOKED, CERTIFICATE_EXPIRED, CERTIFICATE_GENERIC_ERROR, CERTIFICATE_NOT_VERIFIED }; I don't think signature validation has anything to do with the certificates having been checked, I'd say certificate validation is what would give that information. I.e. valid signature is just saying "yeah this is a signature that seems to be from this guy", whether you trust that guy or not would be part of certificate trustness, that since in this case it's expired doesn't happen and that's why you get the same result whether you initialize the certificate database or not. This is my understanding, OTOH i did not write the code so I may be totally wrong. There are indeed 2 different validations happening here: 1- Verification of the cryptographic signature in a strict sense 2- Certificate verification: which includes validity checking and making sure that the certificate chain ends in a trusted root. Maybe we can change the output string of pdfsig for the 1st validation to something more specific if people find the wording to be misleading: "Signature Validation: the document was not modified since the document was signed" Additionally we could output a "global" validation result for each signature which would have 3 possible values: Valid, Invalid or has Issues (when the certificate is not valid or wasn't even verified). This seems to be the approach taken by Adobe Reader for the signature status icons (Green check, Red Cross, Question Mark) Thanks for the explanations of where I misunderstood what's happening.
Sorry for the unnecessary noise.
> Maybe we can change the output string of pdfsig for the 1st validation to
> something more specific if people find the wording to be misleading:
> "Signature Validation: the document was not modified since the document was
> signed"
There is alos "Digest mismatch" though, which also says something about whether the document was been modified.
As I understand it you basically have three booleans:
1. does the digest for the file match that in the signature dictionary?
2. does the signature in the dictionary sign the digest?
3. is the signature trusted?
And to lessen the confusion maybe these three cases should attempt to
not use overlapping terminology. I'm new to this certificate validation
things though, so maybe it's just me being confused because I'm not yet
clued in on the details. :)
Hello, I also got this problem with pdfsig v0.52.0. It seems that pdfsig simply passes to NSS the signer certificate and ask "is it valid?" The problem is that, normally, NSS cannot verify all the chain from the (imported) root CA to the signer certificate because it misses all the intermediate CA. If I manually import all intermediate CA into firefox, pdfsig can verify the certificate correctly. However, it is not expected that the user must import intermediate CA before checking a certificate. A PDF file must contain all the certificate chain from the signer certificate (first) until the last CA before root CA. It seems that pdfsig is not passing these intermediate certificates to NSS. I never used NSS but it must import all intermediate CA into NSS session as an non-root CA. Hello Luiz, pdfsig is indeed considering the intermediate CA certificates included in the PDF. I think you may be experiencing a different issue maybe related to the specific certificates. Can you share a PDF file so I can investigate this further? -- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/poppler/poppler/issues/546. |
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.