BFO PDF Library 2.28 - security and signatures

BFO PDF Library 2.28 / Report Generator 1.2.7

Today we released version 2.28 of our PDF Library, and 1.2.7 of Report Generator which is a refresh to pick up the PDF Library changes.

Security: XML External Entity attack

Regrettably there is a security fix in this release relating to an XML External Entity (XXE) attack, which we've written up and emailed customers about separately (if you haven't seen it, email us for the details). As far as we can tell this is not something that's being actively exploited, but upgrading, or applying one of the mitigations we describe, is still a good idea.

GlobalSign Qualified Signature Service

A few years ago we added support for GlobalSign's original Digital Signing Service, which we wrote up in this article. We're pleased to announce support for their new Qualified Signing Service, which allows eIDAS-compliant signatures to be applied to a PDF as a service. This topic gets its own blog article.

Other Signature changes

As well as the GlobalSign QSS service, we've been hard at work on Digital Signatures in this release. The SigningEngine interface (used by anyone implementing their own Signature Handler) has had two new methods added, which is why we had to bump the version number to 2.28. The methods let you supply your own OCSP Responses and CRLs, something we've also added to the AcrobatSignatureHandlerFactory class and the addValidationInformation() method, so customers dealing with high volumes of Digital Signatures from specific CAs can manage this revocation information themselves rather than having the library fetch it.

A small but useful change for anyone signing with network or hardware based solutions is that we no longer need to "double sign" to work out how large the signature will be. Previously we signed a batch of dummy data first, measured the result, and reserved that much space in the file for the real signature; that meant two round trips to the HSM or signing service for every document. We now determine the size from the signing key.
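To make the trade-off concrete, here is an added example (my own code, using only the JDK, not BFO's implementation or API; the class and method names are mine) that bounds the raw signature value from the key and compares it with the old "sign some dummy data and measure" approach. The point a practitioner should take from it: an RSA signature is always exactly the modulus length, but an ECDSA signature is DER-encoded and its length varies by a byte or two from one signature to the next, so a single measured dummy signature can come out shorter than the real one and the reserved space must be the maximum, not a sample. The placeholder in a PDF also has to hold the rest of the CMS structure (certificates, signed attributes, any timestamp token or embedded OCSP/CRL data), which the signer knows or bounds separately; the raw signature value is the one part that previously needed a signing round trip.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECGenParameterSpec;

/**
 * Added example (not BFO code): bound the raw signature size from the key
 * instead of "double signing", and compare it with a measured dummy signature.
 */
public class SignatureSizeEstimate {

    /** Upper bound, in bytes, on the raw signature value this key can produce. */
    static int maxRawSignatureBytes(PrivateKey key) {
        if (key instanceof RSAKey) {
            // RSA PKCS#1 v1.5 and PSS signatures are always exactly the modulus length.
            BigInteger modulus = ((RSAKey) key).getModulus();
            return (modulus.bitLength() + 7) / 8;
        }
        if (key instanceof ECKey) {
            // ECDSA signatures are DER: SEQUENCE { INTEGER r, INTEGER s }. Each of r, s
            // is at most the byte length of the curve order, plus one leading 0x00 when
            // its top bit is set, so the length varies per signature. A measured dummy
            // signature can therefore be too SHORT; reserve the maximum instead.
            int orderBytes = (((ECKey) key).getParams().getOrder().bitLength() + 7) / 8;
            int integerTlv = 2 + orderBytes + 1;             // tag, short-form length, value (+ sign byte)
            int sequenceBody = 2 * integerTlv;
            int sequenceHeader = sequenceBody < 128 ? 2 : 3; // long-form length needed past 127 bytes
            return sequenceHeader + sequenceBody;
        }
        throw new IllegalArgumentException("Unsupported key type: " + key.getAlgorithm());
    }

    /** The old approach: sign dummy data and measure the result. */
    static int measureBySigning(PrivateKey key, String algorithm) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(algorithm);
        sig.initSign(key);
        sig.update(new byte[32]); // constructed dummy input; its content is irrelevant
        return sig.sign().length;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        PrivateKey rsa = rsaGen.generateKeyPair().getPrivate();

        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        PrivateKey ec = ecGen.generateKeyPair().getPrivate();

        System.out.println("RSA-2048: bound=" + maxRawSignatureBytes(rsa)
                + " measured=" + measureBySigning(rsa, "SHA256withRSA"));
        // Sign several times with ECDSA: measured lengths of 70, 71 and 72 all occur,
        // while the bound is always 72.
        for (int i = 0; i < 5; i++) {
            System.out.println("P-256:    bound=" + maxRawSignatureBytes(ec)
                    + " measured=" + measureBySigning(ec, "SHA256withECDSA"));
        }
    }
}
```

Run it a few times and the P-256 measured value will move between 70 and 72 while the bound stays at 72; that variability is exactly why the measured size alone was never a safe allocation for ECDSA keys, whichever library does the signing.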

Signature Validation has been improved. Provided a signature has been verified immediately after the file is loaded, we can then track changes made to the PDF that will invalidate the signature when the PDF is saved. To put this in context, signature validity is calculated over the PDF file as saved, so while the PDF is being edited in memory, the validity state is undefined. Working around that lets us track changes that will invalidate the signature when the file is saved, which is useful for customers using our Swing "PDF Viewer" classes. Changes to the PDF will reset the validity state of any signatures, and validating again will reflect the current state of the file. This mirrors the behaviour of tools like Acrobat much more closely.

Finally, we've added a SignaturePolicy class, because the rules for whether a Signature is valid or not do, unfortunately, change over time. This class is where that reality is implemented. It's very much a placeholder at this stage: if and when PDF signatures are updated to properly handle policies, this is where the changes will be.

Non-signature changes

As always this release comes with the usual catalogue of small changes.

We've improved our number formatter, a shallow but very wide-ranging change that will affect every PDF we create. A PDF contains objects, and the majority of those objects are numbers. We use our own class to format these rather than java.text.DecimalFormat. Why? Because it's 17 times faster.

We are always, always chasing performance, and when saving a PDF this method is called a lot. Our old implementation rounded the last few significant figures incorrectly. That's now fixed, although the difference is almost literally imperceptible: only a binary comparison of the PDF will be able to tell the difference.

Finally, in the previous version we corrected the version numbers of the PDFs we generate in a few cases. In particular, PAdES signatures properly require a PDF 2.0 header but are often applied to PDF 1.x documents. Of course this has exposed bugs in some workflows that relied on the incorrect numbers, so we've added a specific workaround for this when saving a PDF/A file, and the version can be set manually too if required. See the CHANGELOG for details on this and the other changes in this release.

Summary

The security issue we fixed makes this an important download, but if you're working with Digital Signatures or just want to keep up to date with the latest fixes, release 2.28 is available at https://bfo.com/download as usual.