How to check if PDF has been modified before applying signature - pdfbox

I have a simple web application that allows the user to download a pdf containing some dynamic information.

Then the user should sign the document and re-upload it using my application.

Now, I need to check wheter the user has changed the PDF content before signing it.

Is there a way to check this? I've tried checking the byteRange, but it seems that the content of the signed pdf is totally different:

Original file size: 2280
Signed file size: 31485
Byte range: [0, 11433, 29635, 1850]

Thanks in advance.

I assume you sign the PDF with an integrated, embedded signature, not a detached signature file. You don't explicitly say so and locus2k appears to assume otherwise, but for a detached signature your question IMO would not make sense.

> Now, I need to check wheter the user has changed the PDF content before signing it.

This is very difficult because PDF signing services apply a number of different changes to the original PDF before signing, in particular if it doesn't have a prior signature. E.g. they may

• linearize the file (which implies sorting objects in the PDF file in a specific order),
• fix minor errors in it,
• optimize some structures,
• create appearances for form fields without,
• ...

Thus, all the differences you determine must be checked, they may be part of the signing process and not part of a prior manipulation by the user.

Of course you can check specific aspects, e.g.

• extract text from the original file and the signed copy and compare,
• render the original file and the signed copy and compare (allowing for differences only in a predefined signing area),
• ...

but there may be seemingly minor changes you overlook this way but which can considerably change the appearance of the document.

There are some means to make the job easier, e.g. you can sign your original PDF first with an author signature in which you declare which changes you allow to the document. This should make it at least difficult for the user to use unmanipulated standard software to do disallowed changes before signing. Furthermore, this restricts changes by the signing software to incremental updates, preventing complete PDF overhauls.

In your code you then would check for the presence and validity of this author signature by you. If there is no issue in those, you "merely" have to inspect the incremental updates.

Beware, though, even checking whether these incremental updates contain unwanted changes is difficult. On the PDF Insecurity web site a number of attacks are described which until their publication could make a fool out of the validation routines for allowed/disallowed changes of widely used PDF validators, Adobe Acrobat among them.

Thus, your task is definitively non-trivial, even if reduced to incremental update analysis.

There is one main mechanism to be able to do this (MKL partly mentions this):

CERTIFICATION SIGNATURES

There are two different kinds of signatures:

(1) certification signature (also called 'document signature' or author 'signature')

(2) approval signature (also called 'user signature')

Basically you as the document author sign the document with a certification signature. This signature is a bit different than the other ones. (E.g. it has the coordinates 0 0 0 0 and has to be the first signature in the document...) Applying the certification signature has the following advantages:

• the author can specify what the user is allowed to do and what not
• The user can also verify that the document has not been changed (intentional or unintentional) when receiving it
• All changes must be done in the incremental update mode otherwise the user will break the certification signature.

So if you appy a certification signature and the user adds his changes as an incremental update you can then check the incremental update to see what was changed. As indicated by MKL this is however not always trivial and in my opinion depends on your use case:
Is it that you want to know whether a user

(a) changed your dynamic content (filled formfields, added some comment, ...) to extract those changes and process is for further use? Or do you want to know whether a user

(b) did manipulate the PDF, changed some text, added images or the like, so you want to detect fraudulent changes?

Both is possible but of varying complexity. It is easy to extract the changed form data or annotation content. Other changes are a bit more tricky to extract and detect. But this might also depend on the tool you use. Some might offer more support for this than others...

The easiest way is store the hash value of the file before it is sent to the user then hash the file again when the user submits it. If the hashes are different then the file was modified.

I'd recommend using Apaches common-codec to do this something like this:

public String getSha1Hash(Path file) throws IOException {
   try(InputStream is = Files.newInputStream(file)) {
      return DigestUtils.sha1Hex(is);
   }
}

Then in your function that you send the pdf to you can do something like:

Path pdf = pdfPath; //the path to the pdf file
String outgoingHash = getSha1Hash(pdf);
store(pdf, outgoingHash) //store the pdf filename and its hash in a db or some other way

When the user submits the pdf you would then do:

Path pdf = pdfPath; //path to the incoming file. This might be a stream so adjust for that
String incomingHash = getSha1Hash(pdf);
String originalHash = getFileHash(pdf);

if (incomingHash.equals(originalHash)) {
   //handle same hash value (file wasnt modifieD)
} else {
   //handle changed file 
}