In a recent article I showed how to add a digital signature to a PDF document using PDFMU. In this article I will demonstrate how to find out, given a PDF document, who signed the document. I will show two methods of achieving this:
More specifically, I will show how to find out the CN component of the distinguished name (DN) of the document's signer. Before I describe the procedure, let me describe how information is organized in a PDF signature.
Every signature in a PDF document contains a certificate chain. The certificate chain is a list of one or more certificates. Each of these certificates belongs to a specific person or organization. A certificate chain typically proves that some certification authority believes that the signer's certificate actually belongs to the entity it identifies. In such case, as long as I trust the certification authority and the signature is valid, I can be sure that the document was signed by the entity identified by the signer's certificate.
When we are trying to find out who signed a document, we are most interested in the signer's certificate. This is the first one in the chain and is present in every signature.
A distinguished name (DN) is a text string that identifies an entity (for example a person or an organization). Every certificate contains two DNs: Subject and Issuer. The Subject DN identifies the owner of the certificate, so the Subject DN of the signer's certificate identifies the signer.
A DN is a structured string, for example:
CN=William J. Blazkowicz,O=Office of Secret Actions,L=Milwaukee,ST=Wisconsin,C=US,Eemail@example.com
A DN consists of several named attributes. If the DN describes a person, the attribute CN (common name) typically contains the person's full name.
To review, the information is organized hierarchically in the following manner:
PDF document -> list of signatures -> a signature -> certificate chain -> signer's certificate -> Subject DN -> CN
In the following sections we will look at ways how to find the Subject DN and specifically CN of the signer's certificate. We will use the document signed.pdf for demonstration purposes; feel free to follow the steps we take.
signed.pdfin Acrobat Reader
View -> Show/Hide -> Navigation Panes -> Signatures
The Signature Panel lists all the signatures in the document along with the corresponding revision numbers. Each signature description contains the Subject CN, so you can quickly check the CN directly in the Signature Panel.
How can you view the complete signer's DN?
You can see the complete DN in the text box.
pdfmu inspect signed.pdf
pdfmu. In Windows, you can achieve this by adding the directory "pdfmu/target/exe" to the environment variable PATH.
A common output looks like this:
[...] Number of signatures: 1 Number of document revisions: 1 Signature field name: Signature1 Signature covers the whole document: Yes Document revision: 1 of 1 Signature metadata: Name is not set. Reason: Location: Date and time: Fri Mar 04 14:59:29 CET 2016 Certificate chain: Number of certificates: 2 Certificate 0 (the signing certificate): Type: X.509 Self-signed: No Subject: Common name: William J. Blazkowicz Email address: firstname.lastname@example.org Organization: Office of Secret Actions Locality: Milwaukee State or province: Wisconsin Country code: US Issuer: Common name: Office of Secret Actions CA Organization: Office of Secret Actions Locality: London Country code: GB Certificate 1: Type: X.509 Self-signed: Yes Subject: Common name: Office of Secret Actions CA Organization: Office of Secret Actions Locality: London Country code: GB Issuer: Common name: Office of Secret Actions CA Organization: Office of Secret Actions Locality: London Country code: GB
The attributes of the signer's DN, including the signer's CN (common name),
can be found in the section
Certificate 0 (the signing certificate) -> Subject.
I have shown two ways of determining the identity of the signer of a PDF document. Adobe Reader is especially suitable when we need to determine the signer using a computer that already has Adobe Reader installed. PDFMU is especially suitable when we want to process the signer's identity automatically or when we prefer working in the terminal. It is, however, necessary to keep in mind that PDFMU does not verify the validity of the signature or the certificate chain.