Hi Lei, all,
On Mon, Jun 22, 2020 at 10:54:12PM -0700, Lei Zhang <
the...@chromium.org> wrote:
> I'm not a crypto expert, but I would prefer not to avoid dragging too
> much PKI, CA, and signature handler code into PDFium. So if PDFium can
> just provide APIs to support digital signatures, and those interested
> in digital signatures can connect the two parts, that level of
> integration sounds good to me.
One last thing, I forgot to ask in the initial mail...
public/fpdf_signature.h now has a set of experimental APIs that do most
of this. One more API I have in mind is a bit more low-level, so I
thought I would bring it up here before investing effort in coding.
Suppose a pdfium client wants to determine if the signature is
"complete". This is a reasonable ask, Acrobat provides this information
on its UI. If there is a single signature, that's easy: the byte range
is available via FPDFSignatureObj_GetByteRange(), and client code can
require that it covers everything other than the signature itself.
Things get more complicated with multiple signatures. Strictly speaking,
a second signature invalidates the first one, since adding a 2nd
signature makes the 1st one not cover the whole document anymore. In
real life, this is too strict though, Acrobat doesn't enforce this,
either.
Using Acrobat, a user does not get a warning when a document is signed
multiple times. It warns only if there are unsigned incremental updates
between the signatures or after the last one. This ensures that no
unwanted content is added after signing (without triggering a "signature
is incomplete" warning), but multiple signatures keep working.
Now the question: what API to expose in pdfium to help client code do a
similar test?
I would suggest that we expose a set of byte offsets, each denoting the
end of the EOF token of a trailer ("end of incremental update" for any
non-first part). This has the benefit that pdfium client code has the
info it needs, and we can delegate the fine-grained policy to client
code, especially as the PDF reference does not seem to specify this
policy in an explicit way. The API would be a bit low-level, though.
Would a gerrit change doing this be accepted?
Thanks,
Miklos