Frank Rem is the CEO of TallComponents, a leading provider of PDF-oriented .NET components. He blogs at The PDF.
If a PDF document has Reader Extensions enabled, then certain features that are normally only available in Adobe Acrobat are also available in the free Adobe PDF Reader. These features include saving (form) data locally and applying digital signatures. Here is the full list of capabilities.
Terminology on this topic is mixed. A document is variously said to have reader extensions, to have its usage rights enabled, to have extended usage rights, or simply to be reader enabled. We believe that (Adobe) reader enabling is most accurate, so we will use this for the remainder of the article. A document that has reader extensions enabled will be referred to simply as an enabled document.
How to enable a document
It is only possible to enable a document using an Adobe product or a product that has been licensed by Adobe. You can enable the usage rights using Adobe Acrobat by selecting the ‘Advanced’ > ‘Enable Usage Rights’ menu item. Acrobat will then save the document with enabled usage rights and display the following message:
[Image: Enable Usage Rights in Adobe Reader dialog.]
The end user agreement of Adobe Acrobat, however, only allows this for at most 500 users. Essentially, these documents can only be used within a company, but not publicly on the internet. The legal implications of this are unclear, but basically if you need to distribute documents to more customers you will have to use the Adobe LiveCycle Reader Extensions module to enable documents. This is a very expensive solution and can only be afforded by large organizations. Many of our customers license our technology to avoid buying either Acrobat or Adobe LiveCycle.
Finally, Adobe licensed the company FormRouter to host Adobe LiveCycle Reader Extensions as a service (press release).
Modifying an Enabled Document
Note the last paragraph of the message box above. If you enable the usage rights of a document, then certain modifications are not allowed. For example, if you use Adobe Acrobat to insert new pages into an enabled document, it will pop up the following message:
[Image: message displayed by Adobe Acrobat.]
If you want to get rid of those restrictions, then you can save a copy of the document without usage rights by selecting the ‘File’ > ‘Save a Copy’ menu item. You will then have to enable the document again in a separate step. Presumably, Adobe Acrobat does things this way to make users aware of the special status of enabled documents.
Under the Hood
To find out how this works under the hood, we saved a PDF document with enabled usage rights using Adobe Acrobat 8.0 Professional. Next, we opened the document in PDFSpy (our internal tool to analyze PDF documents).
The Catalog dictionary (the root dictionary of a PDF document) of the document has a Perms entry. This entry holds a so-called permissions dictionary. The permissions dictionary has a UR3 entry that points to a signature dictionary. This dictionary is not different from signature dictionaries that are associated with signature fields and the verification is done the same way.
Let’s dive into the UR3 dictionary.
The following image shows the internal structure of the PDF document:
[Image: Internal structure of a PDF document.]
The ByteRange entry holds pairs of integers that specify what part of the file is signed. Each pair consists of an offset followed by the length in bytes. So in this case, the signed data consists of the concatenation of two segments: the first 1244 bytes and a second segment that is 10468 bytes long and starts at offset 10778.
The Contents entry holds the signature value. This value is computed from the data that is defined by the ByteRange entry. To compute this value one needs Adobe’s private key (which obviously, we do not have).
The Filter entry specifies what encryption algorithm was used to compute the signature.
The SubFilter entry specifies the encoding of the Contents entry. In this case the ‘adbe.pkcs7.detached’ value tells us that the Contents entry (the signature value) is a DER-encoded PKCS#7 binary data object. This type of object embeds the certificate (public key) that can be used to verify the signature.
The Name entry specifies the person or authority that created the signature (this is Adobe).
The M entry specifies when the signature was created (January 28, 2011, 11:07:12 GMT +1).
If we expand the Reference entry and navigate to the TransformParams entry, then we can see that usage rights are specified in four categories: Annotations, Document, Form and Signature.
[Image: Expanded Reference entry.]
The Adobe PDF Reader verifies the signature and if it is OK, then the reader will respect the specified usage rights and allow the user to e.g. save data locally.
How are changes saved?
We opened the document in Adobe PDF Reader 9.0, filled out a text field and then saved the form locally. When we inspected the new file, it appeared that PDF Reader had saved the changes as an update, so the changes are concatenated to the original file. The update does not include a new signature. This means that a third-party PDF tool should be able to modify the enabled PDF document and save it without breaking the enabled usage rights, unless Adobe is very strict regarding what the update looks like. For example, it may check whether the PDF producer of the update is Adobe.
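The ByteRange arithmetic from the UR3 dictionary and the unsigned, appended update described above can be checked with a short script. This is an added example, not code from TallComponents or Adobe: it concatenates the signed segments and reports how many bytes follow them. The function names, the regex-based lookup and the constructed sample file are assumptions, and SHA-256 serves only as a fingerprint of the signed bytes.

```python
import hashlib
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[([\d\s]+)\]")


def parse_byte_range(pdf: bytes) -> list:
    """Return the (offset, length) pairs of the first /ByteRange in the file."""
    m = BYTE_RANGE_RE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry found")
    nums = [int(n) for n in m.group(1).split()]
    if not nums or len(nums) % 2:
        raise ValueError("/ByteRange must hold offset/length pairs")
    return list(zip(nums[0::2], nums[1::2]))


def signed_coverage(pdf: bytes) -> dict:
    """Concatenate the signed segments and measure what lies outside them."""
    signed, end = b"", 0
    for off, length in parse_byte_range(pdf):
        if off < end or off + length > len(pdf):
            raise ValueError("segments overlap or run past the end of the file")
        signed += pdf[off:off + length]
        end = off + length
    return {
        "signed_len": len(signed),
        # Fingerprint only; the real digest algorithm is named in the PKCS#7 object.
        "fingerprint": hashlib.sha256(signed).hexdigest(),
        "unsigned_tail": len(pdf) - end,  # bytes appended after the signed data
    }


def build_sample() -> bytes:
    """Constructed stand-in for an enabled PDF (not a real, renderable file)."""
    contents = b"<" + b"00" * 64 + b">"  # placeholder for the signature value
    tail = b" >>\nendobj\n%%EOF\n"
    def head(a: int, b: int, c: int) -> bytes:
        text = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 {:010d} {:010d} {:010d}] /Contents "
        return text.format(a, b, c).encode()
    n = len(head(0, 0, 0))  # fixed-width numbers keep the offsets stable
    return head(n, n + len(contents), len(tail)) + contents + tail


if __name__ == "__main__":
    original = build_sample()
    updated = original + b"2 0 obj\n<< /V (filled in) >>\nendobj\n%%EOF\n"
    print(signed_coverage(original))
    print(signed_coverage(updated))  # same fingerprint, non-zero unsigned_tail
```

An unchanged fingerprint together with a non-zero `unsigned_tail` is the situation the article observes after Reader saves a filled-in form: the signed bytes are intact, and everything after them is outside the signature.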
Once in a while a customer asks us if we have a product that enables reader extensions. We do not, for the following reasons:
- Technically, in order to enable a document we would need access to Adobe’s private key in order to create the proper ‘enable’ signature. It will be clear that we do not have access to this key.
- Legally, the EULA of Adobe Reader forbids it from being used with documents that have been enabled by anyone other than Adobe. So even if we could provide a proper signature (there are signs that Adobe’s scheme contains weaknesses), this would potentially be harmful to our customers, as they may face litigation by Adobe.
On the other hand: our software appears to be more restrictive in this respect than necessary. At the moment, our software will almost always invalidate the reader extensions when saving a document. If one uses our software to change an enabled document, and opens it in Adobe Reader, one will get the following message:
[Image: message displayed by Adobe Reader.]
When we started writing this article, it was our understanding that it is not possible (as a third party) to modify and save an enabled document without breaking the usage rights. It now appears, however, that it is possible to change the document up to some level without invalidating the ‘enable’ signature. After all, Adobe Reader changes the document too without updating the enablement signature.
We will investigate whether we can provide similar functionality. It appears that this is not in violation of the Adobe Reader EULA, because in this case our software would not actually enable the document itself, but simply make sure that the existing enabling remains valid.