Closed cristianpaul0 closed 2 months ago
The signing time is already checked, but it does not use an embedded timestamp; it uses the signed attribute 'signing-time' if available, and otherwise the /M entry in the signature dictionary. Both are included in the signature.
I will add some informational output for an embedded timestamp.
Looks like that data is under /Type /Annot, but I don't really know (yet) how to dump that using the CLI, and how that would look in a Ruby script to be able to read it and perform more validations.
You can have a look at https://github.com/gettalong/hexapdf/blob/master/lib/hexapdf/digital_signature/cms_handler.rb#L82 and https://github.com/gettalong/hexapdf/blob/master/lib/hexapdf/digital_signature/handler.rb#L84 to see how signature verification works in HexaPDF.
You can subclass the CMSHandler and provide a custom one via the configuration option 'signature.sub_filter_map', the value of which can be seen here: https://github.com/gettalong/hexapdf/blob/master/lib/hexapdf/configuration.rb#L495-L500.
Maybe this discussion can point you in the right direction @cristianpaul0 https://github.com/gettalong/hexapdf/discussions/201
@cristianpaul0 The next version of HexaPDF will have a CMSHandler#embedded_tsa_signature method that returns the PKCS7 object for the embedded timestamp signature. This is used by HexaPDF to provide the signing time and to add informational output to the #verify result, which is also used by hexapdf info.
Would be really useful to check for embedded timestamp information/LTV if present in a PDF. Software like Acrobat Reader uses this information to validate whether a PDF's signature validation is OK.
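The lookup order described in the thread (signed 'signing-time' attribute, otherwise /M) together with a presence check for an embedded timestamp token, as an added example that is not HexaPDF's code. It uses only Ruby's openssl standard library; the helper names, the self-signed certificate and the sample data are constructed for illustration.

```ruby
require 'openssl'

SIGNING_TIME_OID    = '1.2.840.113549.1.9.5'       # PKCS#9 signing-time (signed attribute)
TIMESTAMP_TOKEN_OID = '1.2.840.113549.1.9.16.2.14' # RFC 3161 timestamp token (unsigned attribute)

# Depth-first search of a decoded ASN.1 tree for an Attribute
# (SEQUENCE { OID, SET of values }) with the given OID; returns the value SET.
def find_attribute(node, oid)
  return nil unless node.value.is_a?(Array)
  first, second = node.value
  if first.is_a?(OpenSSL::ASN1::ObjectId) && first.oid == oid && second.is_a?(OpenSSL::ASN1::Set)
    return second
  end
  node.value.each do |child|
    found = find_attribute(child, oid)
    return found if found
  end
  nil
end

# Order from the thread: signed 'signing-time' attribute if available,
# otherwise the /M entry of the signature dictionary (passed in by the caller).
def signing_time_report(cms_der, m_entry)
  root = OpenSSL::ASN1.decode(cms_der)
  attr = find_attribute(root, SIGNING_TIME_OID)
  time, source = attr ? [attr.value.first.value, :signing_time_attribute] : [m_entry, :m_entry]
  { time: time, source: source,
    embedded_timestamp: !find_attribute(root, TIMESTAMP_TOKEN_OID).nil? }
end

# Constructed sample: a throwaway self-signed certificate signing dummy bytes.
def sample_cms(flags)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed example signer')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  flags |= OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY
  OpenSSL::PKCS7.sign(cert, key, 'dummy byte range', [], flags).to_der
end

m = Time.utc(2024, 1, 1) # constructed stand-in for the /M entry
p signing_time_report(sample_cms(0), m)
p signing_time_report(sample_cms(OpenSSL::PKCS7::NOATTR), m)
```

Both 'signing-time' and /M are values asserted by the signer, while a timestamp token is issued by a separate timestamp authority. The presence check here does not verify that token.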