[ 
https://issues.apache.org/jira/browse/PDFBOX-6215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18094079#comment-18094079
 ] 

Michael Klink commented on PDFBOX-6215:
---------------------------------------

Indeed, here are duplicate streams.

In the file at hand we have
 * duplicates of certificates; different streams containing the same 
certificate are referenced from different VRI dictionaries; the DSS Certs array 
only references one of them;
 * duplicates of OCSP responses; different streams containing the same OCSP 
response are referenced from the same VRI and also from the DSS OCSPs.

This of course is wasteful. In this file it is not that serious, but if the 
same issue can occur for CRLs, this can be substantial as CRLs sometimes are 
several MBs in size.

Whether it is standard compliant, is a bit difficult to say. According to ISO 
32000-2 the certificates, CRLs, and OCSP responses in a VRI dictionary shall be 
selections of the certificates, CRLs, and OCSP responses respectively in the 
DSS dictionary. According to ETSI EN 319 142-1, any values in the Cert, CRL and 
OCSP arrays of a Signature VRI dictionary shall also be present in the DSS 
dictionary. Neither one explicitly refers to stream objects containing the 
certificates, CRLs, or OCSP responses in question. But one may argue that they 
"obviously" are meant.

Having two copies of the same OCSP response in a VRI dictionary is even more 
questionable: The values in a VRI dictionary are intended to be values used for 
verifying the signature in question. The verification routine in question must 
be somewhat weird to need two identical copies of an OCSP response.

Nonetheless, as neither spec is explicitly against multiple stream objects 
containing the same object here, I don't think you can really consider this a 
violation of the standards.

> LTV DSS generation creates duplicate certificate streams
> --------------------------------------------------------
>
>                 Key: PDFBOX-6215
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-6215
>             Project: PDFBox
>          Issue Type: Improvement
>    Affects Versions: 4.0.0
>            Reporter: robo
>            Priority: Minor
>         Attachments: timestamped_LTV.pdf
>
>
> If I run `TestCreateSignature::testCreateSignedTimeStamp` with e.g. 
> `http://timestamp.digicert.com` as TSA, then `AddValidationInformation` adds 
> the incremental update containing the `DSS` dictionary. This works, however, 
> it looks like the same certificates are written more than once to the PDF. 
> I extracted the streams like this:
> {code:java}
> qpdf "timestamped_LTV.pdf" --show-object=[obj] --filtered-stream-data > 
> "obj-[obj].bin"{code}
> and compared them with 
> {code:java}
> sha256sum *.bin | sort{code}
> resutling in:
> {code:java}
> 33846b545a49c9be4903c60e01713c1bd4e4ef31ea65cd95d69e62794f30b941  obj-43.bin
> 33846b545a49c9be4903c60e01713c1bd4e4ef31ea65cd95d69e62794f30b941  obj-49.bin
> 3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c  obj-44.bin
> 3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c  obj-50.bin
> 3e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c  obj-52.bin
> b0765f42a321cf66788b939d350bd958d8bd0361bfb1099528ae0732bf66fae6  obj-45.bin
> b0765f42a321cf66788b939d350bd958d8bd0361bfb1099528ae0732bf66fae6  obj-46.bin
> ca0b1554ecd901ea19dcad8749e9f2648c8d6dfcea1add9d2c2109415bb82ccd  obj-42.bin
> ca0b1554ecd901ea19dcad8749e9f2648c8d6dfcea1add9d2c2109415bb82ccd  
> obj-48.bin{code}
> Pointing to already existing objects with the same content should still be be 
> standard-compliant (I don't see why not, please let me know if this is not 
> correct). Like this, the output could be kept slightly smaller and cleaner.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to