CHAPTER 8 Interactive Features
8.7.2 Signature Interoperability
It is intended that PDF consumer applications allow interoperability between
signature handlers; that is, a PDF file signed with a handler from one vendor
must be able to be validated with a handler from a different vendor.
The SubFilter entry in the signature dictionary specifies the encoding of the
signature value and key information, and the Filter entry specifies the
preferred handler to use to validate the signature. Handlers specify the
SubFilter encodings they support; therefore, handlers other than the preferred
handler can be used to validate the signature if necessary or desired.
There are several defined values for the SubFilter entry, all based on
public-key cryptographic standards published by RSA Security and also as part
of the standards issued by the Internet Engineering Task Force (IETF) Public
Key Infrastructure (PKIX) working group; see the Bibliography for references.
PKCS#1 Signatures
The PKCS#1 standard supports several public-key cryptographic algorithms and
digest methods, including RSA encryption, DSA signatures, and SHA-1 and MD5
digests (see the Bibliography for references). For signing PDF files using PKCS#1,
the only recommended value of SubFilter is adbe.x509.rsa_sha1, which uses the
RSA encryption algorithm and SHA-1 digest method. The certificate chain of the
signer is stored in the Cert entry.
PKCS#7 Signatures
When PKCS#7 signatures are used, the value of Contents is a DER-encoded
PKCS#7 binary data object containing the signature. SubFilter can take one of the
following values:
• adbe.pkcs7.detached: No data is encapsulated in the PKCS#7 signed-data field.
• adbe.pkcs7.sha1: The SHA-1 digest of the byte range is encapsulated in the
PKCS#7 signed-data field with ContentInfo of type Data.
The PKCS#7 object must conform to the PKCS#7 specification in Internet RFC
2315, PKCS #7: Cryptographic Message Syntax, Version 1.5 (see the Bibliography).
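
As an added illustration (not code from the PDF Reference), the Python sketch below applies the Filter/SubFilter rule described above: it selects a handler by SubFilter rather than by Filter alone and computes the SHA-1 digest of the byte range that adbe.pkcs7.sha1 encapsulates. The handler names, the sample bytes and the ByteRange coverage check are assumptions made for the example.

```python
import hashlib
import re

def parse_sig(pdf):
    """Extract the signature-dictionary entries discussed here (regex sketch, not a PDF parser)."""
    def name(key):
        return re.search(rb"/" + key + rb"\s*/([\w.]+)", pdf).group(1).decode()
    c = re.search(rb"/Contents\s*<([0-9A-Fa-f]*)>", pdf)
    r = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    return {"Filter": name(b"Filter"), "SubFilter": name(b"SubFilter"),
            "ByteRange": [int(g) for g in r.groups()],
            "ContentsSpan": (c.start(1) - 1, c.end(1) + 1)}  # span includes '<' and '>'

def pick_handler(sig, handlers):
    """Use the preferred (Filter) handler if it supports the SubFilter, else any that does."""
    if sig["SubFilter"] in handlers.get(sig["Filter"], ()):
        return sig["Filter"]
    return next((h for h in sorted(handlers) if sig["SubFilter"] in handlers[h]), None)

def byte_range_digest(pdf, sig):
    """SHA-1 of the bytes named by ByteRange, the value adbe.pkcs7.sha1 encapsulates."""
    a, la, b, lb = sig["ByteRange"]
    return hashlib.sha1(pdf[a:a + la] + pdf[b:b + lb]).hexdigest()

def range_excludes_only_contents(pdf, sig):
    """Added check (assumption: ByteRange should span the file minus the Contents string)."""
    a, la, b, lb = sig["ByteRange"]
    return a == 0 and (a + la, b) == sig["ContentsSpan"] and b + lb == len(pdf)

def build_sample():
    """Constructed PDF-like bytes, not a real signed file; handler names are hypothetical."""
    pre = (b"%PDF-1.6\n1 0 obj\n<< /Type /Sig /Filter /VendorA.Sign "
           b"/SubFilter /adbe.pkcs7.sha1 /Contents ")
    hexsig = b"<" + b"00" * 16 + b">"  # placeholder where the DER PKCS#7 object would go
    post = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n"
    start2 = len(pre) + len(hexsig)
    return pre + hexsig + post % (len(pre), start2, len(post % (0, 0, 0)))

if __name__ == "__main__":
    pdf = build_sample()
    sig = parse_sig(pdf)
    # Hypothetical handlers: the preferred one lacks the SubFilter, another vendor's has it.
    handlers = {"VendorA.Sign": {"adbe.x509.rsa_sha1"},
                "VendorB.Verify": {"adbe.pkcs7.sha1", "adbe.pkcs7.detached"}}
    print(sig["Filter"], sig["SubFilter"], "->", pick_handler(sig, handlers))
    print(byte_range_digest(pdf, sig), range_excludes_only_contents(pdf, sig))
```

The digest stays the same when only the Contents placeholder changes, and the coverage check fails as soon as bytes are appended after the signed range.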