CHAPTER 8: Interactive Features
8.7.2 Signature Interoperability
It is intended that PDF consumer applications allow interoperability between signature handlers; that is, a PDF file signed with a handler from one vendor must be able to be validated with a handler from a different vendor.
The SubFilter entry in the signature dictionary specifies the encoding of the signature value and key information, and the Filter entry specifies the preferred handler to use to validate the signature. Handlers specify the SubFilter encodings they support; therefore, handlers other than the preferred handler can be used to validate the signature if necessary or desired.
There are several defined values for the SubFilter entry, all based on public-key cryptographic standards published by RSA Security and also as part of the standards issued by the Internet Engineering Task Force (IETF) Public Key Infrastructure (PKIX) working group; see the Bibliography for references.
PKCS#1 Signatures
The PKCS#1 standard supports several public-key cryptographic algorithms and digest methods, including RSA encryption, DSA signatures, and SHA-1 and MD5 digests (see the Bibliography for references). For signing PDF files using PKCS#1, the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the RSA encryption algorithm and SHA-1 digest method. The certificate chain of the signer is stored in the Cert entry.
PKCS#7 Signatures
When PKCS#7 signatures are used, the value of Contents is a DER-encoded PKCS#7 binary data object containing the signature. SubFilter can take one of the following values:
• adbe.pkcs7.detached: No data is encapsulated in the PKCS#7 signed-data field.
• adbe.pkcs7.sha1: The SHA1 digest of the byte range is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data.
The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC 2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the Bibliography).
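The handler selection this section describes can be sketched as follows; this is an added example, not code from the specification. The handler names (VendorA.Sign, VendorB.Sign, VendorC.Sign), the registry layout and the sample dictionary are constructed assumptions, and the parser resolves #xx name escapes so that an escaped SubFilter name compares equal to its plain form.

```python
import re

# SubFilter values defined in this section and what each implies for validation.
SUBFILTERS = {
    "adbe.x509.rsa_sha1": "PKCS#1 RSA/SHA-1 value in Contents; chain in Cert",
    "adbe.pkcs7.detached": "DER PKCS#7 in Contents; no data encapsulated",
    "adbe.pkcs7.sha1": "DER PKCS#7 in Contents; SHA-1 of byte range encapsulated",
}

# Hypothetical installed handlers -> SubFilter encodings each one supports.
HANDLERS = {
    "VendorA.Sign": {"adbe.pkcs7.detached", "adbe.pkcs7.sha1"},
    "VendorB.Sign": {"adbe.x509.rsa_sha1", "adbe.pkcs7.detached"},
}

_ENTRY = re.compile(rb"/(SubFilter|Filter)\s*/([^\s/<>\[\]()]+)")

def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so /adbe.pkcs7#2Edetached equals its plain form."""
    unescape = lambda m: bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", unescape, raw).decode("latin-1")

def parse_sig_dict(raw: bytes) -> dict:
    """Pull the Filter and SubFilter names out of a signature dictionary."""
    return {m.group(1).decode(): _decode_name(m.group(2))
            for m in _ENTRY.finditer(raw)}

def select_handler(sig: dict, handlers: dict = HANDLERS) -> str:
    """Prefer the handler named by Filter; else any handler supporting SubFilter."""
    sub = sig.get("SubFilter")
    if sub not in SUBFILTERS:
        raise ValueError(f"unrecognized SubFilter: {sub!r}")
    preferred = sig.get("Filter")
    if sub in handlers.get(preferred, ()):
        return preferred
    for name in sorted(handlers):
        if sub in handlers[name]:
            return name
    raise ValueError(f"no installed handler supports {sub}")

# Constructed sample: the preferred handler VendorC.Sign is not installed.
SAMPLE = (b"<< /Type /Sig /Filter /VendorC.Sign "
          b"/SubFilter /adbe.x509.rsa_sha1 /Contents <00> >>")

if __name__ == "__main__":
    sig = parse_sig_dict(SAMPLE)
    print(sig, "->", select_handler(sig))
```

Rejecting any SubFilter outside the defined set keeps a validator from passing Contents to a handler that would interpret the bytes under a different encoding.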