Signature validation in 7.3.2 shows "Unsigned signature field with object number" instead of signature

For this issue I used a PDF/A-2A document and WebViewer version 7.3.2. The document is signed and contains two signatures. When opened in Adobe Acrobat the certificate and signatures are validated successfully.

(sorry cannot add a screenshot, ‘new users’ are limited to add one screenshot)

In my WebViewer instance the FullAPI is enabled and a certificate is added as a trusted certificate.

instance.verificationOptions.addTrustedCertificates(['./assets/quovadis.cer']) ;

When opening the document in the WebViewer for each certificate the message/error Unsigned signature field with object number is shown.


Also the alt text shows component_signaturePanel instead of Signatures (or something similar).
No errors or warnings are logged to the console, so I have no clues what could be wrong.

Any ideas or suggestions how to proceed ?

Cheers,
Peter

05.18.2021 16:06 Seems the added certificate is an intermediate certificate. Renamed the certificate and now added the complete chain to the list of trusted certificates. Adding these does not change the results.

addTrustedCertificates(['./assets/QuoVadisTrustlink.cer',
'./assets/QuoVadisEUIssuingCA.cer']) ;

Are you able to share with me the certificate files:
QuoVadisTrustlink.cer
QuoVadisEUIssuingCA.cer

and also the PDF you are using?

(If you cannot attach files, you can upload them to some cloud storage Google Drive/Dropbox and give me a downloadable link).

Oscar

Hi Oscar,

Although the certification path in the PDF document contained two certificates,

 QuoVadis EU Issuing Certification Authority G4
  QuoVadis Trustlink B.V.

reviewing of the QuoVadis EU Issuing Certification Authority G4 revealed that this was not the
root CA. The complete chain is:

 QuoVadis Root CA 1 G3
  QuoVadis Enterprise Trust CA 1 G3
    QuoVadis EU Issuing Certification Authority G4
	  QuoVadis Trustlink B.V. 

Although it should not be necessary to add the complete chain of certificates, but only the root CA, I added all 4 certificates to the list of trusted certificates. This also made no difference.

You can download a sample test document with the corresponding certificates here:

https://drive.google.com/drive/folders/1Qd1a0zPFXfTH1ZWzEz_BhvruK5UtLo7-?usp=sharing

Hi,
I cannot access that file. Can you approve my request to view that Google Drive file?

Thanks,
Oscar

(post deleted by author)

Sorry for the late response.

From the API (PDFTron WebViewer Class: VerificationOptions):
the function addTrustedCertificate takes “ArrayBuffer | Int8Array | Uint8Array | Uint8ClampedArray” as its parameter. If you want to pass a URL, you may want to use the function addTrustedCertificateFromURL (PDFTron WebViewer Class: VerificationOptions).

Can you give it a try and let me know if it works?

Oscar
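
Added example (not part of the thread and not PDFTron code): a `.cer` file can hold either PEM text or binary DER, so before handing certificate bytes to an API that takes a binary array it is worth confirming what the file actually contains. The helper names and the sample below are constructed for illustration; the page does not state which encoding WebViewer expects.

```javascript
// Added example; certBytesToDer and readDerLength are hypothetical helper names.
const PEM_RE = /-----BEGIN CERTIFICATE-----([A-Za-z0-9+\/=\s]+)-----END CERTIFICATE-----/;

// Constructed sample, NOT a real certificate: PEM armor around the 5-byte
// DER value 30 03 02 01 05 (a SEQUENCE holding INTEGER 5).
const SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n';

// Parse the DER length field that follows the tag byte.
function readDerLength(bytes) {
  if (bytes.length < 2) throw new Error('truncated DER header');
  const first = bytes[1];
  if (first < 0x80) return { length: first, headerSize: 2 }; // short form
  const n = first & 0x7f; // long form: next n bytes hold the length
  if (n === 0 || n > 4 || bytes.length < 2 + n) throw new Error('unsupported DER length');
  let length = 0;
  for (let i = 0; i < n; i++) length = length * 256 + bytes[2 + i];
  return { length, headerSize: 2 + n };
}

// Take the raw bytes of a .cer file; return its encoding and the DER bytes.
function certBytesToDer(input) {
  let bytes = input instanceof Uint8Array ? input : new Uint8Array(input);
  const text = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const match = PEM_RE.exec(text);
  if (match) {
    // Strip line breaks, then base64-decode the armored body to binary.
    bytes = Uint8Array.from(atob(match[1].replace(/\s+/g, '')), (c) => c.charCodeAt(0));
  }
  // Every X.509 certificate is one outer ASN.1 SEQUENCE (tag 0x30).
  if (bytes[0] !== 0x30) throw new Error('not a DER SEQUENCE');
  const { length, headerSize } = readDerLength(bytes);
  // Trailing or missing bytes point to a truncated or concatenated file.
  if (headerSize + length !== bytes.length) throw new Error('DER length mismatch');
  return { encoding: match ? 'PEM' : 'DER', der: bytes };
}

const sample = certBytesToDer(new TextEncoder().encode(SAMPLE_PEM));
console.log(sample.encoding, sample.der.length);
```

In a browser the input would typically be the `ArrayBuffer` from `fetch(url).then(r => r.arrayBuffer())`.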

No Worries.

VerificationOptions is a member of the WebViewerInstance. When I follow the documentation of the member VerificationOptions, the only shown method is addTrustedCertificates. According to the documentation,
this method accepts an array of URLs, and/or instance of the File type, and/or a Binary Array datatype that contain the X.509 Public Key Certificates to be used for validating Digital Signatures on a document.

So when I run the simplified example below it should be able to load the certificate correctly.

WebViewer({
  licenseKey: '',
  preloadWorker: 'pdf',
  path: 'assets/webviewer',
  streaming: false,
  fullAPI: true,
  disableLogs: true,
  enableAnnotations: false,
  isReadOnly: true
}, document.getElementById('viewer')).then(instance => {
  pdftronInstance = instance;
  const { docViewer, verificationOptions } = instance;
  verificationOptions.addTrustedCertificates(['./assets/QuoVadisRootCA1G3_PEM.cer']);
  ...
})

This seems to me an implementation similar to the PDFTron Digital Signature Validation Sample. Also replacing the QuoVadis certificate with the default certificate in the PDFTron sample, https://…waiver.cer, does not make a difference. Still get the ‘Unsigned signature field’ error.

When I use the addTrustedCertificateFromURL method from the PDFNet.VerificationOptions as shown in the example below.

WebViewer({
  licenseKey: '',
  preloadWorker: 'pdf',
  path: 'assets/webviewer',
  streaming: false,
  fullAPI: true,
  disableLogs: true,
  enableAnnotations: false,
  isReadOnly: true
}, document.getElementById('viewer')).then(instance => {
  pdftronInstance = instance;
  const { docViewer, PDFNet } = instance;

  (async () => {
    await PDFNet.initialize();
    const verificationOptions = new PDFNet.VerificationOptions();
    await verificationOptions.
      addTrustedCertificateFromURL('https://pdftron.s3.amazonaws.com/downloads/pl/waiver.cer');
  })()

  ...
})

I get a stack trace when executing the addTrustedCertificateFromURL. When monitoring the HTTP request for the waiver.cer from the developer network tools I can see that the certificate is retrieved successfully.

e983130b-494d-4406-8125-a28ce7f1cb38:1 Pthread aborting at Error
	at abort (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:15015)
	at <anonymous>:wasm-function[527]:0x22897
	at Naa (<anonymous>:wasm-function[14876]:0x848dcd)
	at Module.dynCall_viii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:695980)
	at invoke_viii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:245043)
	at WW (<anonymous>:wasm-function[6396]:0x374e2d)
	at f9 (<anonymous>:wasm-function[15920]:0x868238)
	at Module.dynCall_iiii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:686480)
	at invoke_iiii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:229864)
	at <anonymous>:wasm-function[16857]:0x897b2d

Using latest nightly build 7.3.2-20210602 makes no difference

Also the Alt text for signature tab is ‘component_SignaturePanel’, should be a more descriptive name like ‘Signatures’ similar to ‘Thumbnails’ and ‘Outlines’. This can also be reproduced/shown in the PDFTron Digital Signature Validation Sample.

Cheers,
Peter

Hi Oscar,

Do you have some feedback, how to analyse this issue further ?

Cheers,
Peter

Quiet here…

Finally found the cause, really unexpected, but setting the license key through the WebViewer option ‘licenseKey’ or through PDFNet.initialize seems to cause the issue. When not setting the license key, thus running in Demo mode, the certificate validation does work.

Any followup on this ?
please ?

I apologize that for some reason, I lost track of this support ticket.

I am glad you finally figured this out.

As for your question regarding the license key:
I don’t think you need to pass your license key to run the demo mode, because I checked the source code for the Digital signature validation sample.
And these are the options that we passed to WebViewer:

WebViewer(
  {
    path: '../../../lib',
    documentType: 'pdf',
    initialDoc: 'https://pdftron.s3.amazonaws.com/downloads/pl/waiver-signed.pdf',
    showLocalFilePicker: true,
    annotationAdmin: true,
    fullAPI: true,
    config: script,
  },
  viewerElement
).then(function(instance) {});

Just curious: before, when you did not include a license key in the WebViewer option, did you accidentally pass an empty string as the key?

Oscar

Hi Oscar,

We indeed do not use the license key to run in demo mode. It is even impossible to run in demo mode using a license key (obviously). I needed to expand the PDFTron WebViewer with the signature validation, but as it seems it currently only works when running in demo mode.

Created an incident (#23179) where I added an example based on the Digital signature validation sample to reproduce the issue. In demo mode it works fine, after adding the license it stops working properly.

I have received your code and license key in #23179, let’s move the conversation to there.

Oscar

I finally figured out the cause of this issue:
The provided license key doesn’t have “Digital Signature Verify” add-on

(Discussion about the missing license add-on has been moved to support ticket #23179)

Oscar