SECTION 8.7
727
Digital Signatures
TABLE 8.102 Entries in a signature dictionary

| KEY | TYPE | VALUE |
| --- | --- | --- |
| Type | name | (Optional) The type of PDF object that this dictionary describes; if present, must be Sig for a signature dictionary. |
| Filter | name | (Required; inheritable) The name of the preferred signature handler to use when validating this signature. If the Prop_Build entry is not present, it is also the name of the signature handler that was used to create the signature. If Prop_Build is present, it can be used to determine the name of the handler that created the signature (which is typically the same as Filter but is not required to be). An application may substitute a different handler when verifying the signature, as long as it supports the specified SubFilter format. Example signature handlers are Adobe.PPKLite, Entrust.PPKEF, CICI.SignIt, and VeriSign.PPKVS. |
| SubFilter | name | (Optional) A name that describes the encoding of the signature value and key information in the signature dictionary. An application may use any handler that supports this format to validate the signature. PDF 1.6 defines the following values for public-key cryptographic signatures: adbe.x509.rsa_sha1, adbe.pkcs7.detached, and adbe.pkcs7.sha1 (see Section ty developers, subject to the restriction that all names beginning with the adbe. prefix be reserved for future versions of PDF. All third party names must be registered with Adobe Systems (see Appendix E). |
| Contents | byte string | (Required) The signature value. When ByteRange is present, the value is a hexadecimal string (see “Hexadecimal Strings” on page 56) representing the value of the byte range digest. If ByteRange is not present, the value is an object digest of the signature dictionary, excluding the Contents entry. For public-key signatures, Contents is commonly either a DER-encoded PKCS#1 binary data object or a DER-encoded PKCS#7 binary data object. |
| Cert | array or byte string | (Required when SubFilter is adbe.x509.rsa_sha1) An array of byte strings representing the X.509 certificate chain used when signing and verifying signatures that use public-key cryptography, or a byte string if the chain has only one entry. The signing certificate must appear first in the array; it is used to verify the signature value in Contents, and the other certificates are used to verify the authenticity of the signing certificate. If SubFilter is adbe.pkcs7.detached or adbe.pkcs7.sha1, this entry is not used, and the certificate chain must be put in the PKCS#7 envelope in Contents. |
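The entry rules in Table 8.102 can be checked mechanically before any cryptographic verification is attempted. The following is an added example, not code from the PDF Reference: it assumes a signature dictionary already parsed into a Python dict (names as str, byte strings as bytes, inherited Filter already resolved), and the function names and sample values are hypothetical.

```python
# Added example: lint a parsed signature dictionary against Table 8.102.
# Assumption: the dict input shape is illustrative, not a real PDF library API.
PDF16_SUBFILTERS = {"adbe.x509.rsa_sha1", "adbe.pkcs7.detached", "adbe.pkcs7.sha1"}
BYTES = (bytes, bytearray)

def cert_chain(sig):
    """Normalize Cert to a list; a lone byte string is a one-entry chain."""
    cert = sig.get("Cert")
    if cert is None:
        return []
    return [cert] if isinstance(cert, BYTES) else list(cert)

def check_sig_dict(sig):
    """Return a list of findings; an empty list means the entries are consistent."""
    findings = []
    if "Type" in sig and sig["Type"] != "Sig":
        findings.append("Type is present but is not Sig")
    if not sig.get("Filter"):  # assumes an inherited Filter was resolved by the caller
        findings.append("Filter is required")
    if not isinstance(sig.get("Contents"), BYTES):
        findings.append("Contents is required and must be a byte string")
    sub = sig.get("SubFilter")
    chain = cert_chain(sig)
    if sub is not None and sub.startswith("adbe.") and sub not in PDF16_SUBFILTERS:
        findings.append(f"SubFilter {sub} is not a PDF 1.6 value but uses the reserved adbe. prefix")
    if sub == "adbe.x509.rsa_sha1":
        if not chain:
            findings.append("Cert is required for adbe.x509.rsa_sha1")
        elif not all(isinstance(c, BYTES) and c for c in chain):
            findings.append("Cert entries must be non-empty byte strings")
    elif sub in ("adbe.pkcs7.detached", "adbe.pkcs7.sha1") and chain:
        findings.append("Cert is not used with PKCS#7; chain belongs in Contents")
    return findings

# Constructed samples (placeholder bytes, not real DER).
GOOD = {"Type": "Sig", "Filter": "Adobe.PPKLite", "SubFilter": "adbe.x509.rsa_sha1",
        "Contents": b"\x30\x82", "Cert": [b"signer-der", b"issuer-der"]}
BAD = {"Type": "Sig", "Filter": "Adobe.PPKLite", "SubFilter": "adbe.pkcs7.detached",
       "Contents": b"\x30\x82", "Cert": b"signer-der"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sig_dict(sample) or "ok")
```

The first element returned by cert_chain is the signing certificate, which is the one used to verify Contents; the remaining entries only authenticate it.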