

                                                     727
            SECTION 8.7                                                            Digital Signatures




                               TABLE 8.102 Entries in a signature dictionary
KEY              TYPE            VALUE

Type             name            (Optional) The type of PDF object that this dictionary describes; if present,
                                 must be Sig for a signature dictionary.

Filter           name            (Required; inheritable) The name of the preferred signature handler to use
                                 when validating this signature. If the Prop_Build entry is not present, it is also
                                 the name of the signature handler that was used to create the signature. If
                                 Prop_Build is present, it can be used to determine the name of the handler
                                 that created the signature (which is typically the same as Filter but is not
                                 required to be). An application may substitute a different handler when
                                 verifying the signature, as long as it supports the specified SubFilter format.
                                 Example signature handlers are Adobe.PPKLite, Entrust.PPKEF, CICI.SignIt,
                                 and VeriSign.PPKVS.

SubFilter        name            (Optional) A name that describes the encoding of the signature value and key
                                 information in the signature dictionary. An application may use any handler
                                 that supports this format to validate the signature.
                                 PDF 1.6 defines the following values for public-key cryptographic signatures:
                                 adbe.x509.rsa_sha1, adbe.pkcs7.detached, and adbe.pkcs7.sha1 (see Section
                                 8.7.2, “Signature Interoperability”). Other values can be defined by third
                                 party developers, subject to the restriction that all names beginning with the
                                 adbe. prefix be reserved for future versions of PDF. All third party names
                                 must be registered with Adobe Systems (see Appendix E).

Contents         byte string     (Required) The signature value. When ByteRange is present, the value is a
                                 hexadecimal string (see “Hexadecimal Strings” on page 56) representing the
                                 value of the byte range digest. If ByteRange is not present, the value is an
                                 object digest of the signature dictionary, excluding the Contents entry.
                                 For public-key signatures, Contents is commonly either a DER-encoded
                                 PKCS#1 binary data object or a DER-encoded PKCS#7 binary data object.

Cert             array or        (Required when SubFilter is adbe.x509.rsa_sha1) An array of byte strings
                 byte string     representing the X.509 certificate chain used when signing and verifying
                                 signatures that use public-key cryptography, or a byte string if the chain has
                                 only one entry. The signing certificate must appear first in the array; it is
                                 used to verify the signature value in Contents, and the other certificates are
                                 used to verify the authenticity of the signing certificate.
                                 If SubFilter is adbe.pkcs7.detached or adbe.pkcs7.sha1, this entry is not
                                 used, and the certificate chain must be put in the PKCS#7 envelope in
                                 Contents.
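
The entry rules in the table above, written as a structural check. This is an added example and not part of the PDF Reference: parse_flat_dict and check_sig_dict are hypothetical helper names, the parser assumes a flat dictionary (no nested dictionaries or nested parentheses), and both sample dictionaries are constructed.

```python
import re

# SubFilter values defined by PDF 1.6 according to the table above.
PDF16_SUBFILTERS = {"/adbe.x509.rsa_sha1", "/adbe.pkcs7.detached", "/adbe.pkcs7.sha1"}
PKCS7_SUBFILTERS = {"/adbe.pkcs7.detached", "/adbe.pkcs7.sha1"}

# One "/Key value" pair where value is a name, hex string, literal string or array.
# Assumption: flat dictionary, no nested dictionaries, no nested parentheses.
ENTRY = re.compile(r"/(\w+)\s*(/[\w.]+|<[0-9A-Fa-f\s]*>|\([^)]*\)|\[[^\]]*\])")

def parse_flat_dict(text):
    """Return {key: raw value text} for the entries of a flat PDF dictionary."""
    return dict(ENTRY.findall(text))

def check_sig_dict(d):
    """Return findings where d breaks a rule stated in the table above."""
    findings = []
    sub = d.get("SubFilter")
    if "Type" in d and d["Type"] != "/Sig":
        findings.append("Type is present but is not Sig")
    if "Filter" not in d:
        findings.append("Filter is absent (required; inheritable)")
    if "Contents" not in d:
        findings.append("Contents is absent (required)")
    elif "ByteRange" in d and not d["Contents"].startswith("<"):
        findings.append("Contents is not a hexadecimal string although ByteRange is present")
    if sub and sub.startswith("/adbe.") and sub not in PDF16_SUBFILTERS:
        findings.append("SubFilter uses the reserved adbe. prefix with a value PDF 1.6 does not define")
    if sub == "/adbe.x509.rsa_sha1" and "Cert" not in d:
        findings.append("Cert is absent but required for adbe.x509.rsa_sha1")
    if sub in PKCS7_SUBFILTERS and "Cert" in d:
        findings.append("Cert is present but not used with a PKCS#7 SubFilter")
    return findings

# Constructed samples (not taken from any real document).
GOOD = ("<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
        "/ByteRange [0 840 960 240] /Contents <3082AB> >>")
BAD = ("<< /Type /Annot /SubFilter /adbe.x509.rsa_sha1 "
       "/ByteRange [0 840 960 240] /Contents (raw) >>")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_sig_dict(parse_flat_dict(text)))
```

The check covers only the presence and form of the entries; it does not validate the signature value or the certificate chain.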
