Signature validation in 7.3.2 shows "Unsigned signature field with object number" instead of signature

For this issue i used aPDF/A-2A document and WebViewer versie 7.3.2. The document is signed and contains two signatures. When opened in Adobe Acrobat the certificate and signatures are validated successfully.

(sorry cannot add a screenshot, ‘new users’ are limited to add one screenshot)

In my WebViewer instance the FullAPI is enabled and an certificate is added as an trustedcertificate.

instance.verificationOptions.addTrustedCertificates(['./assets/quovadis.cer']) ;

When opening the document in the WebViewer for each certificate the message/error Unsigned signature field with object number is shown.

image

Also the alt text shows compontent_signaturePanel instead of Signatures (or something similar)
No errors or warnings are logged to the console, so have no clues what could be wrong.

Any ideas or suggestions how to proceed ?

Cheers,
Peter

05.18.2021 16:06 Seems the added certificate is an intermediate certifcate. Renamed the certificate and now added the complete chain to the list of trusted certificates. Adding these does not change the results.

addTrustedCertificates(['./assets/QuoVadisTrustlink.cer',
'./assets/QuoVadisEUIssuingCA.cer']) ;

Are you be able to share with me the certificate files:
QuoVadisTrustlink.cer
QuoVadisEUIssuingCA.cer

and also the PDF you are using?

(If you cannot attach files, you can upload them to some cloud storage Google Drive/Dropbox and give me a downloadable link).

Oscar

Hi Oscar,

Although the certification path in the PDF document contained two certificates,

 QuoVadis EU Issuing Certification Authority G4
  QuoVadis Trustlink B.V.

reviewing of the QuoVadis EU Issuing Certification Authority G4 revealed that this was not the
root CA. The complete chain is:

 QuoVadis Root CA 1 G3
  QuoVadis Enterprise Trust CA 1 G3
    QuoVadis EU Issuing Certification Authority G4
	  QuoVadis Trustlink B.V. 

Although it should not be necessary to add the complete chain of certificates, but only the root CA, i added all 4 certificates to the list of trusted certificates. This also made no differences.

you can download a sample test document with the corresponding certificates here;

https://drive.google.com/drive/folders/1Qd1a0zPFXfTH1ZWzEz_BhvruK5UtLo7-?usp=sharing

Hi,
I cannot access that file, can you approve my request to view that google drive file?

Thanks,
Oscar

(post deleted by author)

Sorry for the late response.

From the API: PDFTron WebViewer Class: VerificationOptions
function addTrustedCertificate takes “ArrayBuffer | Int8Array | Uint8Array | Uint8ClampedArray” as parameter. If you want to pass an URL, you may want to use function: addTrustedCertificateFromURL PDFTron WebViewer Class: VerificationOptions

Can you give it a try and let me know if it works?

Oscar

No Worries.

VerificationOptions is a member of the WebViewerInstance. When i do follow the documentation of the member VerificationOpions, the only shown method is addTrustedCertificates. According to the documentation,
this method accepts An array of URLs, and/or instance of the File type, and/or a Binary Array datatype that contain the X.509 Public Key Certificates to be used for validating Digital Signatures on a document.

So when i run the simplified example below it should be able to load the certificate correctly.

WebViewer({
licenseKey: '',
preloadWorker: 'pdf',
path: 'assets/webviewer',
streaming: false,
fullAPI: true,
disableLogs: true,
enableAnnotations: false,
isReadOnly: true
}, document.getElementById('viewer')).then(instance => {
  pdftronInstance = instance;
  const {docViewer, verificationOptions } = instance;    
     verificationOptions.addTrustedCertificates(['./assets/QuoVadisRootCA1G3_PEM.cer']);
 ...
 })

This seems to me an implementation similar to the PDFTron Digital Signature Validation Sample. Also replacing the QuoVadis certificate with the default certificate in the PDFTron sample, https://…waiver.cer, does not make a difference. Still get the ‘Unsigned signature field’ error.

When i use the addTrustedCertificateFromURL method from the PDFNet.VerificationOptions as shown in the example below.

WebViewer({
licenseKey: '',
preloadWorker: 'pdf',
path: 'assets/webviewer',
streaming: false,
fullAPI: true,
disableLogs: true,
enableAnnotations: false,
isReadOnly: true
}, document.getElementById('viewer')).then(instance => {
  pdftronInstance = instance;
  const {docViewer, PDFNet } = instance;   
  
  (async () => {
    await PDFNet.initialize();
    const verificationOptions = new PDFNet.VerificationOptions();
    await verificationOptions.
      addTrustedCertificateFromURL('https://pdftron.s3.amazonaws.com/downloads/pl/waiver.cer');
})()

 ...
 })

I got get an stacktrace when executing the addTrustedCertificateFromURL. When monitoring the http request for the waiver.cer from the developer network tools i can see that the certificate is retrieved successfully.

e983130b-494d-4406-8125-a28ce7f1cb38:1 Pthread aborting at Error
	at abort (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:15015)
	at <anonymous>:wasm-function[527]:0x22897    at Naa (<anonymous>:wasm-function[14876]:0x848dcd)
	at Module.dynCall_viii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:695980)
	at invoke_viii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:245043)
	at WW (<anonymous>:wasm-function[6396]:0x374e2d)
	at f9 (<anonymous>:wasm-function[15920]:0x868238)
	at Module.dynCall_iiii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:686480)
	at invoke_iiii (blob:http://localhost:1337/e983130b-494d-4406-8125-a28ce7f1cb38:1:229864)
	at <anonymous>:wasm-function[16857]:0x897b2d
abort@e983130b-494d-4406-8125-a28ce7f1cb38:1
(anonymous)@042ffeea:0x22897
Naa@042ffeea:0x848dcd
Module.dynCall_viii@e983130b-494d-4406-8125-a28ce7f1cb38:1
invoke_viii@e983130b-494d-4406-8125-a28ce7f1cb38:1
WW@042ffeea:0x374e2d
f9@042ffeea:0x868238
Module.dynCall_iiii@e983130b-494d-4406-8125-a28ce7f1cb38:1
invoke_iiii@e983130b-494d-4406-8125-a28ce7f1cb38:1
(anonymous)@042ffeea:0x897b2d
Xaa@042ffeea:0x84638e
Module.dynCall_viiii@e983130b-494d-4406-8125-a28ce7f1cb38:1
invoke_viiii@e983130b-494d-4406-8125-a28ce7f1cb38:1
(anonymous)@042ffeea:0x8302ea
Naa@042ffeea:0x848dcd
Module.dynCall_viii@e983130b-494d-4406-8125-a28ce7f1cb38:1
invoke_viii@e983130b-494d-4406-8125-a28ce7f1cb38:1
(anonymous)@042ffeea:0x848ee6
(anonymous)@042ffeea:0x8497c4baa@042ffeea:0x85792d
Module.dynCall_vi@e983130b-494d-4406-8125-a28ce7f1cb38:1
invoke_vi@e983130b-494d-4406-8125-a28ce7f1cb38:1
(anonymous)@042ffeea:0x8498d3
Q8@042ffeea:0x86ad80
Module.dynCall_ii@e983130b-494d-4406-8125-a28ce7f1cb38:1
onmessage@PDFNetThreadedWasm.worker.js:1

Using latest nightly build 7.3.2-20210602 makes no difference

Also the Alt text for signature tab is ‘component_SignaturePanel’, should be a more descriptive name like ‘Signatures’ similar to ‘Thumbnails’ and ‘Outlines’. This can also be reproduced/shown in the PDFTron Digital Signature Validation Sample.

Cheers,
Peter