ninja-labs-tech / verify-pdf

Verify pdf signatures in JS

Why are multiple certificates in a signed PDF a must for authentication? #126

Open doronoded opened 9 months ago

doronoded commented 9 months ago

I have a valid document that, after processing with verify-pdf, returns authenticity: false. Looking at the code, I see that the root cause is that the authenticateSignature() function in verification.js calls verifyCaBundle(), which will only return true if there are multiple certificates in the signed PDF (at least 2), and the chain is valid, meaning each certificate is the issuer of the next:

const verifyCaBundle = (certs) => !!certs
  .find((cert, i) => certs[i + 1] && certs[i + 1].issued(cert));

The PDF I've used (of a Brazilian digital ID) is signed using only one certificate and not a chain, so the verifyCaBundle function returns false, and the authenticity is false.

Is it a must for a PDF to have a certificate chain?
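
The behaviour described in this issue can be reproduced without a PDF. The following is an added example, not verify-pdf's own code: it runs the quoted verifyCaBundle against constructed certificate stand-ins and compares it with a hypothetical verifyChainToAnchor that accepts a lone certificate only when a supplied trust anchor issued it. makeCert, verifyChainToAnchor and all certificate names are assumptions, and the mock issued() compares names only, with no signature verification.

```javascript
// Constructed stand-in for a parsed certificate: subject/issuer names plus an
// issued() method shaped like the one the quoted code calls. Names only; a real
// check must also verify signatures and validity periods.
const makeCert = (subject, issuer) => ({
  subject,
  issuer,
  issued(child) { return child.issuer === this.subject; },
});

// The function exactly as quoted in the issue: true as soon as any certificate
// in the list was issued by the one that follows it.
const verifyCaBundle = (certs) => !!certs
  .find((cert, i) => certs[i + 1] && certs[i + 1].issued(cert));

// Hypothetical alternative (an assumption, not the project's API): every
// adjacent link must hold, and the last certificate must be a trust anchor or
// be issued by one. A single certificate is therefore acceptable when anchored.
const verifyChainToAnchor = (certs, anchors) => {
  if (!certs || certs.length === 0) return false;
  const linksOk = certs.every((cert, i) =>
    i === certs.length - 1 || certs[i + 1].issued(cert));
  const last = certs[certs.length - 1];
  const anchored = anchors.some((a) =>
    a.issued(last) || (a.subject === last.subject && a.issuer === last.issuer));
  return linksOk && anchored;
};

// Constructed sample data.
const root = makeCert('CN=Example Root', 'CN=Example Root');
const inter = makeCert('CN=Example Issuing CA', 'CN=Example Root');
const leaf = makeCert('CN=Signer', 'CN=Example Issuing CA');
const stray = makeCert('CN=Unrelated', 'CN=Somewhere Else');

const results = () => ({
  singleQuoted: verifyCaBundle([leaf]),                 // one cert, no pair to test
  chainQuoted: verifyCaBundle([leaf, inter, root]),     // full chain
  brokenQuoted: verifyCaBundle([leaf, inter, stray]),   // first pair valid, second not
  singleAnchored: verifyChainToAnchor([leaf], [inter]), // lone cert, issuer trusted
  singleUntrusted: verifyChainToAnchor([leaf], [root]), // lone cert, issuer not in store
  brokenAnchored: verifyChainToAnchor([leaf, inter, stray], [root]),
});
console.log(results());
```

The quoted check returns false for the single-certificate case because there is no adjacent pair to compare, and it returns true for the list whose second link is broken because find stops at the first matching pair.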