JakubMelka / PDF4QT

Open source PDF editor.
https://jakubmelka.github.io/
GNU Lesser General Public License v3.0

Can it be possible to trust a certificate like in acrobat? #161

Open IDontKnow2Code opened 9 months ago

IDontKnow2Code commented 9 months ago

Here is the reference for what I am asking? Validity-Unknown-in-Aadhaar-Card-when-it-is-not-Verified.png

Validate-E-Aadhaar-Card-Signature-after-Downloading.gif

Validated-Aadhaar-Card-Sign-after-Validating-Aadhaar-Card.png

JakubMelka commented 9 months ago

Hello, I have fixed it. Now, you can just open context menu and add the certificate as valid.

IDontKnow2Code commented 9 months ago

It still shows not trusted and no green tick either, but the certificate did get added to the trusted store. pic-selected-240206-2035-30.png

pic-selected-240206-2036-04.png

JakubMelka commented 9 months ago

Strange, it worked for me. Could you please provide sample document, where it does not work?

IDontKnow2Code commented 9 months ago

Strange, it worked for me. Could you please provide sample document, where it does not work?

Unfortunately, I can't provide it. It is a government-issued document. I don't know where to get a similar dummy document. My search about that document shows that its certificate is an X.509 certificate; they generate it with iTextPDF. The document is called Aadhaar card.

itsKV commented 4 months ago

Hello, I have fixed it. Now, you can just open context menu and add the certificate as valid.

@JakubMelka Would you please explain how to do this? I couldn't find the context menu, as no menu opens on right click.

JakubMelka commented 4 months ago

@itsKV, please try this: image

itsKV commented 4 months ago

Sorry to say, but that context menu doesn't come up on any of the fields in the signature sidebar content. Nothing happens when you right click on any of them. image

This also happens for Actual PDF content too. Nothing happens when you right click or left click anywhere on the pdf content. I don't know if that's the normal behavior.

JakubMelka commented 4 months ago

Could you please try a newest install from daily build? Could you please attach problematic PDF, if it is possible?

itsKV commented 4 months ago

I am not installing the build but using the zip version by extracting it locally (no admin rights to install). I can't share the PDF because the file is itself a critical document (analogous to your social security number (SSN) document). However, I can post the issuer's chained certificates if you ask.

image

JakubMelka commented 4 months ago

OK @itsKV , if you can post the certificates, please post them.

itsKV commented 4 months ago

Complete chain of trust is as follows. Read from bottom to top where root CA is at last and so on.

lucifer-woo commented 2 months ago

Hey folks, what is the status of the issue ?

This app is the only fully featured alternative to adobe. If this is done. It would be great.

JakubMelka commented 2 months ago

@lucifer-woo, sorry, I will try to take time to solve it. I will reopen the issue.

lucifer-woo commented 2 months ago

Cool to know. Looking forward for the fix.

JakubMelka commented 2 months ago

Hello, I am not an expert in internet security and I was unable to create a PDF with the given certificate chain. But I think the workaround exists. @lucifer-woo, @itsKV, could you please try to install the root certificate to the system's certificate store? When PDF4QT validates the PDF's signatures, it also looks in the system's certificate store to retrieve the root certificates for the validation.

lucifer-woo commented 2 months ago

I understand your frustration. But how do I install the root CA to the system CA? I am a novice to this stuff. I am not that proficient in this.

Foxit PDF reader for linux also provides this feature. Maybe check it out as a reference ?

As of now, I added the certificate by right clicking and "Add to Trusted certificates". I could also see it in Tools > Options > Signatures. But I cannot see it in Tools > Certificates. Is that a problem ?

So far, this is how it is done - https://www.youtube.com/watch?v=aVNfUNlccZs.

It's an old video. Trusting isn't even needed as of now because Adobe just validates and renders it using OCSP servers. No need to trust certificates. Maybe you need to rethink the logic behind it.

Some docs regarding:

I think could be implemented using this python library : https://pyhanko.readthedocs.io/en/latest/cli-guide/validation.html

I just pulled the web regarding this info. I don't know much other than these.

itsKV commented 2 months ago

Hello, I am not an expert in internet security and I was unable to create a PDF with the given certificate chain. But I think the workaround exists. @lucifer-woo, @itsKV, could you please try to install the root certificate to the system's certificate store? When PDF4QT validates the PDF's signatures, it also looks in the system's certificate store to retrieve the root certificates for the validation.

The issue is not about root cert availability in cert store. The issue is UI bug which doesn't give option to validate the document's signature. See the OP. btw, the root and intermediate certs are already installed into windows store.

itsKV commented 2 months ago

I understand your frustration. But how do I install the root CA to the system CA? I am a novice to this stuff. I am not that proficient in this.

See the article here... https://www.itechtics.com/update-root-certificates/ Adding the signature into the PDF reader's trusted database and adding the certificate into the operating system's root store are different things.

lucifer-woo commented 2 months ago

It isn't the same way for Linux. I am not sure if those root and intermediate CAs are installed. Can you tell the name?

For windows, problem is validation. For linux, to trust and also validate.

JakubMelka commented 1 month ago

Hello, I have tried to fix it. Could you please try this build? https://github.com/JakubMelka/PDF4QT/actions/runs/11306021848

@itsKV, @lucifer-woo

Thank you.

lucifer-woo commented 1 month ago

I tried it in both .exe and .deb. Still no changes. The same, After I click "Add to trusted certificates". I can see the certificate under Options (Ctrl + K) > Signature > Trusted Certificate store.

But still it is :

image

It does not verify or render the signature. I would suggest OCSP based revocation checking and render it instead of blindly trusting it like adobe trusts.


I cannot see anything under Tools > Certificates. Just blank.

dipak-progrc commented 1 month ago

@lucifer-woo OCSP-based revocation checking is not always possible, as some CAs might not have an OCSP responder endpoint.

Additionally, LTV (long-term validation) signatures tend to contain everything (cert chain, CRL responses, OCSP responses, timestamp) needed to validate the signature, and thus do not need internet access to validate the signature. So a standalone implementation is required anyway.

Regarding the bug, I tried adding Root CA from a signature to Trusted list. It worked as intended. Root Certificate added and signature validated fine.

@JakubMelka Adobe manages/updates its AATL Roots via this URL - http://trustlist.adobe.com/tl12.acrobatsecuritysettings The url returns a signed pdf file with an XML file as attachment. That XML contains all the latest AATL Root Certificates. This is undocumented url, if you'd like to ship the Trusted Roots, you can consider implementing it.

lucifer-woo commented 1 month ago

Alright.

I tried adding Root CA from a signature to Trusted list

@dipak-progrc Do you mean right clicking and "add to ..", or extracting the cert, adding it to the system's root store and verifying it?

Because, I cannot verify and validate the signature at all from the new builds.

dipak-progrc commented 1 month ago

@lucifer-woo I added the certificate by right clicking on the Root certificate of chain shown in Signature, then clicked the only option shown in the context menu - "Add to trusted certificates". These Manually added Trusted Certificates show in "Tools" -> "Options" -> (Dialog Box) -> "Signatures"(Side Panel) -> "Trusted Certificate Store".

The options for Digital Signature Verification are set as - Signature verification - ✓Enable Strict mode - X Ignore expired certificates - X Use system certificate store - ✓Enable

I used PDF4QT-1.4.0.0-x86_64.AppImage on Ubuntu 24 Desktop.

lucifer-woo commented 4 weeks ago

I have the same settings as you. But I can't verify and render the digital signature to a Greencheck mark as the OP denotes.

Using Fedora 40, installed the deb package with dpkg present in Fedora. (Yes, it is possible to install deb packages in Fedora. Just not a repository that is apt unavailable to update them)

JakubMelka commented 4 weeks ago

@dipak-progrc I will add these certificates to the program.

lucifer-woo commented 4 weeks ago

Do you mean the adobe trustlist ?

I don't know what to say but I can't verify as dipak did.

JakubMelka commented 3 weeks ago

Yes. However, I am struggling now, because I cannot download Qt 6.8.0 using aqt.

JakubMelka commented 2 weeks ago

I have added the AATL certificates, please have a look at it. @IDontKnow2Code, @lucifer-woo, @dipak-progrc, please test the installations here:

dipak-progrc commented 2 weeks ago

@JakubMelka I tested the Linux version. Signatures get validated fine for documents signed by me with an officially issued Digital Signature Certificate.

But it fails with error "Certificate validation failed with code 26" for the Adobe Trust List pdf file, which is digitally signed by Adobe. Attaching the screenshot - image

The sample file can be downloaded from the AATL Trust List link I provided earlier.

IDontKnow2Code commented 2 weeks ago

I have added the AATL certificates, please have a look at it. @IDontKnow2Code, @lucifer-woo, @dipak-progrc, please test the installations here:

I tried this build it states Trusted Certificate not found.

cert sig

dipak-progrc commented 2 weeks ago

@IDontKnow2Code I think in your case the Signature Field in the PDF file might not have the complete certificate chain. Can you confirm this with some other tools like Adobe Acrobat, or PKI Tools - PDF Validator ?

Edit: I confirmed by downloading my Aadhaar PDF, the file has an incomplete chain. @IDontKnow2Code you can try with some digitally signed eGazette PDF.

IDontKnow2Code commented 2 weeks ago

@IDontKnow2Code I think in your case the Signature Field in the PDF file might not have the complete certificate chain. Can you confirm this with some other tools like Adobe Acrobat, or PKI Tools - PDF Validator ?

Edit: I confirmed by downloading my Aadhaar PDF, the file has an incomplete chain. @IDontKnow2Code you can try with some digitally signed eGazette PDF.

I opened Aadhaar in acrobat reader in win 11 it works fine.

Screenshot 2024-10-30 153933.png

Screenshot 2024-10-30 153905.png

dipak-progrc commented 2 weeks ago

I opened Aadhaar in acrobat reader in win 11 it works fine.

@IDontKnow2Code This may be because you already have the DS UIDAI Certificate trusted manually. Check the Root Trust Store of your OS.

IDontKnow2Code commented 2 weeks ago

@IDontKnow2Code This may be because you already have the DS UIDAI Certificate trusted manually. Check the Root Trust Store of your OS.

I don't understand what you mean can you elaborate?

dipak-progrc commented 2 weeks ago

I don't understand what you mean can you elaborate?

@IDontKnow2Code Similar to the PDF4QT, in Adobe Acrobat Reader we can add a certificate to the Trusted List. So I am speculating that at some point in the past, the system you are working on have had the DS UIDAI Certificate manually added to the Root Trust. That's why, the Aadhaar PDFs even with the single certificate in the chain are validating fine.

A point here can be made - if the certificate is already added to the Root Trust, why cant PDF4QT obey that and validate the signature! @JakubMelka

To see if the DS UIDAI certificate is added manually, you may check your Root Trust Certificates Store. The way to access the Store varies from OS to OS. In case of Adobe Acrobat Reader, you may go to Preference > Signatures(Sidebar of Dialog) > Identities & Trusted Certificates > More > Trusted Certificate(Sidebar of Dialog). The DS UIDAI certificate is not supposed to be in that list, as it is not a Root CA. Digital Signature Certificates issued in India all have to terminate in single root, that is CCA India.
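The three cases discussed in the comments above (only the root trusted and only the signer certificate available, the intermediate supplied alongside, and the signer certificate itself placed in the trusted list), reproduced with the `openssl` command line as an added example that is not part of the thread or of PDF4QT's code. The PKI is constructed on the fly; every name, file and function in it is a placeholder.

```shell
#!/bin/sh
# Constructed three-level PKI; every name and file here is an example value.

build_pki() {  # $1 = existing output directory
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_signer]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
EOF
    for n in root issuing signer; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/CN=Example $n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    # Self-signed root; the root signs the issuing CA; the issuing CA signs the signer.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 30 -extfile "$d/pki.cnf" -extensions v3_ca \
        -out "$d/issuing.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/signer.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
        -set_serial 3 -days 30 -extfile "$d/pki.cnf" -extensions v3_signer \
        -out "$d/signer.pem" 2>/dev/null
}

# Case 1: root is trusted, but only the signer certificate is available
# (the "incomplete chain" situation): no path can be built.
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/signer.pem" >/dev/null 2>&1
}

# Case 2: root is trusted and the issuing CA is supplied as an untrusted
# helper certificate, as a signature embedding the full chain would do.
verify_with_issuing() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" \
        "$1/signer.pem" >/dev/null 2>&1
}

# Case 3: the signer certificate itself is in the trust list. -partial_chain
# lets a non-root certificate act as the trust anchor.
verify_pinned_signer() {
    openssl verify -partial_chain -CAfile "$1/signer.pem" \
        "$1/signer.pem" >/dev/null 2>&1
}

PKI_DIR=$(mktemp -d) && build_pki "$PKI_DIR" || echo "building the PKI failed" >&2
for check in verify_root_only verify_with_issuing verify_pinned_signer; do
    if "$check" "$PKI_DIR"; then echo "$check: chain accepted"
    else echo "$check: chain rejected"; fi
done
```

In case 3 the issuing CA and the root are never consulted, so that trust decision rests entirely on how the signer certificate was obtained.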

IDontKnow2Code commented 2 weeks ago

To see if the DS UIDAI certificate is added manually, you may check your Root Trust Certificates Store. The way to access the Store varies from OS to OS. In case of Adobe Acrobat Reader, you may go to Preference > Signatures(Sidebar of Dialog) > Identities & Trusted Certificates > More > Trusted Certificate(Sidebar of Dialog). The DS UIDAI certificate is not supposed to be in that list, as it is not a Root CA. Digital Signature Certificates issued in India all have to terminate in single root, that is CCA India.

Yes I can see there is DS Unique Identification... Certificate in Acrobat.

I can confirm that both Linux and windows version of PDF4QT shows this same error

I tried this build it states Trusted Certificate not found.

cert sig

lucifer-woo commented 2 weeks ago

The same thing for me like @IDontKnow2Code both on Linux and Windows. Just works flawlessly in Adobe. I think the problem is Rendering the green check as we have trusted the certificate already as @dipak-progrc said. You need to render it as in the OG picture that seems to be the problem.

JakubMelka commented 1 week ago

I need a sample document to do that.

lucifer-woo commented 1 week ago

Nobody here would do it. It's a critical document. As per a reddit post, I found this - https://www.mupdf.com/. Need to figure how to use it to validate. I have of pdfsig in various stackexchange answer. But nothing worked or I am using the command in a wrong way.

I am trying this way - https://mupdf.readthedocs.io/en/latest/mutool-run-js-api.html#validateSignature

Foxit PDF reader on Linux could do this as of now. But I do not trust it at all.

lucifer-woo commented 1 week ago

I used pdfsig. Some insights that could help.

Digital Signature Info of: file0.pdf Signature #1:

Digital Signature Info of: file1.pdf Signature #1:

Seems like the signature itself is a different type. I don't things very much. Just a guess.

file0 is the document as in OP. file1 is another document by government.

lucifer-woo commented 1 week ago

Adobe reader checks and validates it based on PKCS7 Signature via OCSP to a domain named *.gov.in ( I didn't catch the * part that much) when your device is connected to internet. If there is no internet. You need to trust it manually as in the GIF posted in 1st comment.

These are final things/help I could provide from my side. I hope it's informative.

JakubMelka commented 1 week ago

@lucifer-woo, I think in the link under this video: https://www.youtube.com/watch?v=aVNfUNlccZs there is a sample document, but for some reason, I am not able to download it. Could you please attach it?

lucifer-woo commented 1 week ago

It is a link to download the actual document of a person not a sample document.

JakubMelka commented 1 day ago

@lucifer-woo, is there some sample document signed with this certificate (for example, some public document), where the problem is observable?

lucifer-woo commented 1 day ago

This is a supreme court of India document on a controversial case. I had it for a case study. It has a digital signature similar to that of the ones as in Aadhaar. I hope you can make use of it.

article_370.pdf

JakubMelka commented 1 day ago

Hello @lucifer-woo, the certificate in the document has expired. However, if you setup it this way, you can verify it: image

However, I do not change graphics of the form field.

lucifer-woo commented 23 hours ago

Well, a lot of other public available case documents on SCI's website could be used for testing in the case of this. We insist on Graphical change of it since, in case we print a document with a digital signature but doesn't have a QR code. It might be a hurdle for us in real life while submitting documents. Since, if QR code is not present only digital signature, officials could not verify documents and is returned back for correction.

The problem for all commenters on the issue here is not only adding it to the trusted certificate store (to which it gets successfully added), but rather changing it in the graphical form to the green checkmark, as Adobe does too.

Use this in case, you need a new document

https://www.sci.gov.in/wp-admin/admin-ajax.php?action=get_court_pdf&diary_no=501272024&type=o&order_date=2024-11-14&from=latest_judgements_order

lucifer-woo commented 23 hours ago

If I am right, the form field is separate and just a layer over the actual document than a part of PDF. So, it could be possible to change it graphically, mostly

Yes, the signature is valid and AATL seems to be working correctly as intended, since I don't see Trust certificate not found and elephant in the room is graphic change.

Question : Is AATL, static or dynamically updated by fetching from the URL provided by Dipak ?

If not updated, I would suggest GitHub Actions to update the AATL to a GitHub file in the repository and make the app fetch it at certain intervals of time or on demand when a trusted certificate is not found for a signature.

dipak-progrc commented 8 hours ago

In terms of PDF Specification, @JakubMelka 's implementation is conforming to the requirements. The In-Document visualizations of signature validity has been deprecated years ago. Adobe and other popular viewers are providing the feature because of backward compatibility.

The reason, I believe, for the deprecation of in-document visualization is to thwart attempts to edit a pdf into a "valid signed pdf" by just placing a green checkbox. The PDF specs wanted to move the visible signs of pdf validation out of the page to Application UI. Application UI cannot be controlled by the PDF file contents. Thus, it is way more reliable when it comes to checking validation status. Further reading - Stackoverflow answer on PDF Sign Appearance by mkl

But I do understand the practical need for the visible change of the Signature Appearance when the signature gets validated successfully. Many institutions have formed their rules around this feature. I have even seen institutions suggesting users to add the signer's certificate to the Trusted List, in order to get the green-tick validation on their documents. Not having this feature might be a big blocker to that section of users.

I'd vouch for this feature as well.