One area of the PDF Java Toolkit that I have taken an interest in lately is its support for digital signatures in PDFs, specifically how it supports PAdES. PDF Java Toolkit's support for digital signatures is years ahead of the PDF Library in this area, and PDF Advanced Electronic Signatures (PAdES) is a relatively new specification for digital signatures.
PAdES is an extension to the digital signature functionality that is outlined in the PDF specification (ISO 32000). PAdES is of interest to me because one of its purposes is to provide a standard that allows digital signatures in a PDF to be verified after long periods of time. This process is known as long term validation (LTV). PAdES was designed by the European Telecommunications Standards Institute (ETSI); it takes two of their other standards, CMS Advanced Electronic Signature (CAdES) and XML Advanced Electronic Signature (XAdES), and applies them to PDFs.
We recently added samples to our PDF Java Toolkit that demonstrate how to create digital signatures that comply with PAdES Basic, PAdES Enhanced, and PAdES Long Term. We will also be writing posts over the next few weeks that go into more detail about each of these samples.
The PAdES specification is made up of six different parts:
- PAdES Basic
- PAdES Enhanced
- PAdES Long Term
- PAdES for XML Content
- Visual Representations of Electronic Signatures
PAdES Basic is defined by a subset of the rules that define digital signatures in the PDF specification. To comply with the PAdES Basic profile, the digital signature must be created with:
- PKCS #7 data object
PAdES Enhanced contains two separate profiles, Basic Electronic Signatures (BES) and Explicit Policy Electronic Signatures (EPES).
PAdES BES digital signatures must be created with:
- Protection of the signing certificate by the signature itself (the signing certificate digest is incorporated as part of a signed attribute to the signature). This prevents certificate substitution attacks.
- Indication of the time when the signatory purportedly generated the signature (claimed signing time)
- Identification of the set of rules that govern the generation and verification of the signature (signature policy identifier)
- Reason for signing and commitment taken when signing (Reason / commitment type indication)
- Indication of the purported place where the signatory signs the document (signer location)
- Indication of the claimed role played by the signatory when signing or any claimed attribute that the signatory may have (Claimed signer attributes)
- Time-stamp on the contents to be signed
It may also contain:
PAdES EPES digital signatures must be created with the following, in addition to the requirements for PAdES BES:
- Attribute identifying the signature policy
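The signing-certificate protection required for PAdES BES, shown here as an added example using only the JDK (it is not PDF Java Toolkit code or one of its samples): two certificates carrying the same public key both verify the raw signature, and only the certificate digest inside the signed attributes tells them apart. The "certificates" are constructed byte strings standing in for DER-encoded X.509 certificates, the signed attributes are a simplified concatenation rather than real CMS attributes, and all names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

// Added illustration, JDK only. The "certificates" are constructed byte strings
// standing in for DER-encoded X.509 certificates; all names are hypothetical.
public class SigningCertBindingDemo {
    static byte[] sha256(byte[] in) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(in);
    }
    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
    // Stand-in certificate: a subject label followed by the encoded public key.
    static byte[] standInCert(String subject, PublicKey key) {
        return concat(subject.getBytes(StandardCharsets.UTF_8), key.getEncoded());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        byte[] signerCert = standInCert("CN=Alice,title=Clerk;", kp.getPublic());
        // Same key, different claimed attributes: the substitution case.
        byte[] otherCert = standInCert("CN=Alice,title=Director;", kp.getPublic());

        // Signed attributes here: document digest || signing-certificate digest.
        byte[] docDigest = sha256("constructed document".getBytes(StandardCharsets.UTF_8));
        byte[] attrs = concat(docDigest, sha256(signerCert));

        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(kp.getPrivate());
        rsa.update(attrs);
        byte[] sig = rsa.sign();

        // Verifier receives the unchanged signature together with otherCert.
        rsa.initVerify(kp.getPublic());
        rsa.update(attrs);
        boolean signatureOk = rsa.verify(sig);
        byte[] bound = Arrays.copyOfRange(attrs, docDigest.length, attrs.length);
        boolean certOk = MessageDigest.isEqual(bound, sha256(otherCert));

        System.out.println("signature verifies with the key in otherCert: " + signatureOk);
        System.out.println("otherCert matches the signed certificate digest: " + certOk);
    }
}
```

A verifier that checks only the signature accepts the substituted certificate; comparing the presented certificate against the digest covered by the signature is what rejects it.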
PAdES Long Term is a profile that can be applied to a document that contains a PAdES Basic, PAdES BES, or PAdES EPES compliant signature. To comply with the PAdES Long Term profile, the digital signature must be created with:
- a structure that appends the validation data and document time-stamp to the signed PDF document
- document time-stamp
PDF Java Toolkit does not support part 5 (PAdES for XML Content) of the PAdES specification.
Come back next week for the second part of this series where I will discuss the code in the PDF Java Toolkit sample that creates PAdES Basic compliant digital signatures!
For more information on PAdES, please see the FAQ that ETSI has posted.