Is this PDF digital signature correct? PHP/TCPD

2022-01-07 00:00:00 pdf openssl php tcpdf digital-signature


I'm updating a project for my company and there is a section where we need to digitally sign a pdf with our certificate file. In this case, I should change the script that signs this pdf using an updated library from PHP.

In the old code, we were using another script to make that happen, and we had to use a .p12 file + a string. Using this old script, when you open the created pdf with Acrobat Reader DC we get the next image where you can see that it says "Signed and all signatures are valid".

In the new script, I'm using the next example:

https://tcpdf.org/examples/example_052/

To be able to apply this example with my certificate I had to convert my pfx file certificate (".p12") to 2 kinds of ".pem" through these next command lines:

openssl pkcs12 -in myOldCertificate.p12 -clcerts -nokeys -out publicCert.pem -> asked me "Enter Import Password"

openssl pkcs12 -in myOldCertificate.p12 -nocerts -out privateKey_cert.pem -> asked me "Enter Import Password" and also for "Enter PEM pass phrase"

So finally, I just changed the line 89 from the downloaded example 52.

// set document signature

$pdf->setSignature('file:///var/www/html/publicCert.pem', 'file:///var/www/html/privateKey_cert.pem', 'xxxxxx', '', 2, $info); -> In the 'xxxxx' I wrote the same string as the Import password and, just in case, also the same for PEM pass phrase.

And when I create the digital signed pdf and open it with the Acrobat Reader DC you can see the next image:

My worry is because I can see that it says "Certified by My company certification" and all seems ok, but there is no green tick and I'm not sure if it's completely valid. You have to think that I will need the most secure way to verify the authenticity and the integrity of this pdf.

Solution

The PDF format supports two types of user signatures:

  • approval signatures and
  • certification signatures.

Certification signatures in addition to signing the document also select which changes to the document shall be allowed after signing; approval signatures merely sign.

Usually the author of a document signs it using a certification signature to indicate that he is the author of the document and allows only certain additions to it (e.g. form fill-ins). A so certified document then is forwarded to other parties who (probably after form fill-ins) sign the document using an approval signature to indicate that they approve the document contents including their additions.

Your old code applied an approval signature while your new code applies a certification signature allowing "only form fill-in, signing, and page adding actions".

Concerning your worries

> My worry is because I can see that it says "Certified by My company certification" and all seems ok, but there is no green tick and I'm not sure if it's completely valid.

Other than the difference described above, the certification signature is just as valid as the approval signature. As an overview of the meanings of the signature status bar icons, have a look here:

(This cheat sheet is for Adobe Acrobat and Reader 9; meanwhile the color of the certification ribbon has changed from blue to black but its meaning is still the same)


If you strictly want to go back to an approval signature, try extending the line

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info);

in the example code with another parameter to

$pdf->setSignature($certificate, $certificate, 'tcpdfdemo', '', 2, $info, 'A');

which should (at first glance at the TCPDF sources) cause the code to create approval signatures.
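
The distinction described in the answer can be checked in the signed file itself: a certification signature carries a DocMDP transform with a permission level, while an approval signature does not. The PHP below is an added example, not part of the original answer or of TCPDF; the function names and the sample documents are constructed for illustration, and it assumes the signature dictionary is stored uncompressed. It reports the signature type and whether the signed byte ranges cover the whole file; it does not validate the cryptographic signature or the certificate chain.

```php
<?php
// Added example (not TCPDF code): classify each signature in a PDF as a
// certification (DocMDP) or approval signature and check its /ByteRange.
// Assumption: signature dictionaries are stored uncompressed in the file.
const DOCMDP = [1 => 'no changes', 2 => 'form fill-in, signing, page adding',
                3 => 'level 2 plus annotations'];

function inspectPdfSignatures(string $pdf): array
{
    $found = [];
    $re = '/\/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]/';
    preg_match_all($re, $pdf, $hits, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
    foreach ($hits as $hit) {
        [$o1, $l1, $o2, $l2] = array_map(fn($g) => (int) $g[0], array_slice($hit, 1));
        // Cut out the object that holds this /ByteRange.
        $pos   = $hit[0][1];
        $start = strrpos(substr($pdf, 0, $pos), 'obj') ?: 0;
        $end   = strpos($pdf, 'endobj', $pos) ?: strlen($pdf);
        $dict  = substr($pdf, $start, $end - $start);
        $level = null;
        if (preg_match('/\/TransformMethod\s*\/DocMDP\b/', $dict)) {
            // /P is optional in the transform parameters; the PDF default is 2.
            $hasP  = preg_match('/\/TransformParams\s*<<[^>]*?\/P\s+([123])\b/', $dict, $p);
            $level = $hasP ? (int) $p[1] : 2;
        }
        $found[] = [
            // Simplification: anything without a DocMDP transform counts as approval.
            'type'   => $level === null ? 'approval' : 'certification',
            'allows' => $level === null ? null : DOCMDP[$level],
            // False when bytes exist outside the two signed ranges, for example
            // an incremental update appended after signing.
            'covers_whole_file' => $o1 === 0 && $l1 <= $o2 && $o2 + $l2 === strlen($pdf),
        ];
    }
    return $found;
}

// Constructed sample: a skeleton signature object with a consistent /ByteRange.
function buildSample(string $reference): string
{
    $head = "%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange[0 AAAAAA BBBBBB CCCCCC] /Contents";
    $gap  = '<' . str_repeat('0', 32) . '>';
    $tail = " $reference >>\nendobj\n%%EOF\n";
    $nums = [strlen($head), strlen($head) + strlen($gap), strlen($tail)];
    $pad  = array_map(fn($n) => sprintf('%-6d', $n), $nums);
    return str_replace(['AAAAAA', 'BBBBBB', 'CCCCCC'], $pad, $head) . $gap . $tail;
}

$cert = buildSample('/Reference [ << /Type /SigRef /TransformMethod /DocMDP /TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >> ]');
$docs = ['certification' => $cert, 'approval' => buildSample(''), 'appended' => $cert . "extra bytes\n"];
foreach ($docs as $name => $pdf) {
    foreach (inspectPdfSignatures($pdf) as $s) {
        printf("%-13s type=%s allows=%s covers_whole_file=%s\n", $name, $s['type'],
            $s['allows'] ?? '-', $s['covers_whole_file'] ? 'yes' : 'no');
    }
}
```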
