Bug 446298 - PDF signature certificate chain validation
Summary: PDF signature certificate chain validation
Status: RESOLVED FIXED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend (show other bugs)
Version: unspecified
Platform: Other Linux
: NOR wishlist
Target Milestone: ---
Assignee: Okular developers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-30 20:43 UTC by gustavo
Modified: 2024-06-26 12:48 UTC (History)
1 user (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments
messages from Adobe Reader (53.01 KB, image/png)
2021-11-30 20:43 UTC, gustavo
Details
another message panel from Adobe Reader (209.55 KB, image/png)
2021-11-30 20:43 UTC, gustavo
Details

Note You need to log in before you can comment on or make changes to this bug.
Description gustavo 2021-11-30 20:43:12 UTC
Created attachment 144101 [details]
messages from Adobe Reader

I have recently checked that Poppler can provide both:

1. signed PDF content verification (i.e. content was not changed after signature)
2. identify verification, given trusted CA certificates (inserted into the Firefox NSS cert db)

Reference:

https://gitlab.freedesktop.org/poppler/poppler/-/issues/896#note_1172603

It seems to me that oKular when it says "the signature is cryptographically valid" it refers to 1), which might not be 100% clear to whoever sees that message. Ideally oKular would be able to perform 1 and 2, like Poppler does, and display different messages depending on whether both checks are performed or only the first so that the users understands the level of validation.

I am attaching the messages from Adobe Reader to illustrate the idea.
Comment 1 gustavo 2021-11-30 20:43:53 UTC
Created attachment 144102 [details]
another message panel from Adobe Reader
Comment 2 Bug Janitor Service 2024-01-24 20:12:18 UTC
A possibly relevant merge request was started @ https://invent.kde.org/graphics/okular/-/merge_requests/917
Comment 3 Sune Vuorela 2024-06-26 12:48:28 UTC
Git commit 0bd2c9cfa0304734572a2a36a7fbce8e74dcb8ff by Sune Vuorela.
Committed on 26/06/2024 at 12:02.
Pushed by sune into branch 'master'.

Use async signature validation

Also, show information about the validity of the certificate used for
the signature

M  +26   -0    core/form.h
M  +9    -8    core/signatureutils.h
M  +27   -0    generators/poppler/formfields.cpp
M  +10   -0    generators/poppler/formfields.h
M  +4    -0    generators/poppler/pdfsignatureutils.cpp
M  +1    -0    generators/poppler/pdfsignatureutils.h
M  +2    -0    gui/signatureguiutils.cpp
M  +10   -1    gui/signaturemodel.cpp

https://invent.kde.org/graphics/okular/-/commit/0bd2c9cfa0304734572a2a36a7fbce8e74dcb8ff