[Bug]: API 'cert-sign' returns malformed PDF if PDF has owner password

[thepebbler]

output(certified).pdf output(password).pdf

Installation Method

Docker fat

The Problem

My intention (via the API) was to

1. password protect (Owner) a PDF with certain restrictions
2. certify the protected PDF with a single invisible signature

(I previously tried things in reverse ("cert-sign" and then "add-password") which does as I expected, invalidate the signature.)

The "add-password" works as expected, a properly formed PDF with the expected restrictions (cannot extract, cannot print and cannot extract for accessibility) The "cert-sign" does return '200' and does return a PDF file (20kB different) but opening in acrobat gives error 118

I realise (now) that certifying a file that is owner protected is probably a user issue, but

1. I expected a 200 return code to identify it was all 'OK'
2. There is no option in the cert-sign API to provide an Owner password (if that is the issue).

I'm not sure if this is a 'bug' as such (really just the expectation of a 200 return code) as much as a feature request for the ability to sign owner password protected files (through providing the owner password)..

I've included example (sanitised) output PDFs for the add-password and cert-sign. In acrobat these give error 118, I can open them in a browser (Chrome), the main difference seems the certified version has no document information (title etc), the passworded one does..

Version of Stirling-PDF

0.45.6

Last Working Version of Stirling-PDF

No response

Page Where the Problem Occurred

No response

Docker Configuration

Relevant Log Output

Additional Information

No response

Browsers Affected

No response

No Duplicate of the Issue

• [x] I have verified that there are no existing issues raised related to my problem.

[dosubot[bot]]

A similar issue was previously raised and closed: [Feature Request]: detect if PDF has password or encrypted before sending it to function, auto send it to remove-password first ^[1]. This issue was resolved by a pull request that added functionality to handle encrypted PDFs more effectively.

In your case, the problem seems to be related to the inability of the cert-sign API to handle owner password-protected PDFs without providing the owner password. This might require a feature enhancement to allow the API to accept an owner password for signing operations. You might consider proposing this as a feature request if it hasn't been addressed in the latest updates.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[thepebbler]

Thinking about it, is a owner password protected digitally signed PDF even possible?

[dosubot[bot]]

Yes, it is possible to have a digitally signed PDF that is owner password protected. However, the process requires that the signing application or API has access to the owner password to apply the digital signature correctly. Without providing the owner password, the signing operation might not be able to modify the PDF to add the signature, leading to errors or malformed PDFs. In the case of Stirling-PDF, it seems that the cert-sign API does not currently support providing an owner password for signing operations, which could be a limitation in your scenario.

To continue talking to Dosu, mention @dosu.

---

^{Help Dosu learn! Give it feedback: Great Response | Irrelevant Answer | Incorrect Sources | Too Verbose | Hallucination | Bug Report | Other}

[Ludy87]

Hi @thepebbler I took your password protected file and was able to sign it without any problems

output.password_signed.pdf

[thepebbler]

Hi @thepebbler I took your password protected file and was able to sign it without any problems

output.password_signed.pdf

Thanks, can you elaborate on the process you used? I've just checked on 0.46.1 using the main web front end, signing the same document (output(password).pdf) attached in this email with the same pkcs12 certfile I used last time (and works on a non password protected file) and still get adobe acrobat error 118 on the resulting file.

Also, the file you provided shows as being able to print in Adobe acrobat, the original passworded file shows as not being able to print in adobe acrobat, so that is not being maintained?

[Ludy87]

output.signed.passworded.pdf

Sorry, it was the wrong file.

Sequence:

1. Sign the file
2. Protect the print with the owner password

[thepebbler]

output.signed.passworded.pdf

Sorry, it was the wrong file.

Sequence:

1. Sign the file
2. Protect the print with the owner password Many thanks again!

Interesting..

If I take the original file in this thread (output(password).pdf) and sign it, I get the same 118 error in adobe acrobat. If I then just try to add another owner password to that, with extraction, extraction for accessibility and printing all "prevented", I get this error:

What signature type are you adding? and is it password protected?, mine is a PKCS12 with password..

It also seems odd that a previous owner password protected PDF can be reprotected without you knowing the original owner password?

I'm obviously a bit lost on this, I have re-tried the basic flow of

1. Create PDF (from converting an office document)
2. Signing the PDF with a PKCS12 cert
3. Adding owner password (with the 3 items 'prevented')

On step 3, I get a signature error saying:

[thepebbler]

output.signed.passworded.pdf

Sorry, it was the wrong file.

Sequence:

1. Sign the file
2. Protect the print with the owner password

FYI, the update file you added has signature errors that indicate formatting changes etc:

[Ludy87]

Hi, I just learned that the password protection is removed when signing.