PDF signing

Ranch Hand
Posts: 119
Hi, I'm trying to sign a PDF file with Java (code below). If I understand the principle well, signing means writing some information to the PDF, and from then on it doesn't matter if I have some certificate installed or not.

The mystery is that on my PC I see the signature as invalid: "Selected certificate has error: Invalid principle restriction" (roughly translated), whereas all my colleagues from our company see it as valid. Very strange.

Some explanation?  Thanks.

Saloon Keeper
Posts: 27928
One thing that can be confusing about "PDF signatures" is that a Google search will turn up as many, if not more, hits on how to stamp a handwritten signature image into a PDF as it does on digitally signed documents, which is what we want here.

Digital signing is not the same as encryption, although similar mechanisms are involved. You can sign a document and still have it perfectly readable by everyone. The signature is simply a certification that the document that they are reading has not been tampered with.

To digitally sign (and/or encrypt) a PDF, you must have a standard 2-part public/private key mechanism. The private key is used to sign, the public key is used to confirm (and/or decrypt). However, you cannot operate self-contained. To make the mechanism work, you have to have a certified public key. Otherwise I could take a PDF, change it, sign it myself and give you my bogus key and it would look legitimate, even though it wasn't. So just as with webapp servers, the decryption key must be certified via a "chain of trust". Meaning that the public cert has to be blessed by a certificate issuer who in turn is blessed perhaps by another certificate issuer all the way up until you get to one of the master certs that are built into the reader system.

So while the recipient doesn't have to have an explicit key in hand, they do have to have something that will vouch for the cert in the PDF itself.

Adobe Reader contains a set of master certs. Linux PDF readers may use the poppler library, which references the OS master certs directory (/etc/pki). Java also comes with certs built in.
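
The chain-of-trust point in the answer above, as an added example that is not part of the thread: the same signed bytes are checked by a reader whose trust store holds the issuing CA and by one whose store does not, and then an altered copy re-signed with an unvouched key is checked. The `Cert` record is a constructed one-level stand-in for an X.509 certificate, and the CA name and document bytes are made up.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class TrustChainDemo {
    // Constructed stand-in for an X.509 certificate (one-level chain): signer key plus the issuer's signature over it.
    record Cert(String issuer, PublicKey key, byte[] issuerSig) {}

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    // What a reader does: check integrity with the embedded key, then check that a trusted issuer vouches for that key.
    static String check(byte[] doc, byte[] docSig, Cert cert, Map<String, PublicKey> trustStore)
            throws GeneralSecurityException {
        if (!verify(cert.key(), doc, docSig)) return "INVALID: document changed after signing";
        PublicKey issuerKey = trustStore.get(cert.issuer());
        if (issuerKey == null || !verify(issuerKey, cert.key().getEncoded(), cert.issuerSig()))
            return "INVALID: signer certificate not trusted by this reader";
        return "VALID";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair ca = newKeyPair(), signer = newKeyPair(), forger = newKeyPair();
        Cert cert = new Cert("Example Corp CA", signer.getPublic(), sign(ca.getPrivate(), signer.getPublic().getEncoded()));
        byte[] doc = "constructed PDF bytes".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "constructed PDF bytes, altered".getBytes(StandardCharsets.UTF_8);
        Map<String, PublicKey> trusting = Map.of("Example Corp CA", ca.getPublic());
        System.out.println("CA in trust store:     " + check(doc, sign(signer.getPrivate(), doc), cert, trusting));
        System.out.println("CA not in trust store: " + check(doc, sign(signer.getPrivate(), doc), cert, Map.of()));
        // Altered copy re-signed with a key whose "certificate" only claims the CA's name.
        Cert forged = new Cert("Example Corp CA", forger.getPublic(), sign(forger.getPrivate(), forger.getPublic().getEncoded()));
        System.out.println("Re-signed altered copy: " + check(altered, sign(forger.getPrivate(), altered), forged, trusting));
    }
}
```

The signed bytes are identical in the first two checks; only the reader's trust store differs.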