Levandor

pdfservice

2 min read

pdfservice (PDF Signing & Validation)

Role

Kotlin/JVM Spring Boot application providing PDF digital signature operations: validation, preparation, signing, and active component checking. Communicates exclusively via RabbitMQ RPC. This is NOT a Node.js service.

PropertyValue
LanguageKotlin 2.0.20
JVM17 (toolchain)
FrameworkSpring Boot 3.5.8
BuildGradle + axion-release
PDF LibraryApache PDFBox 3.0.5
SignaturesEU DSS (Digital Signature Services) v6.3
CryptoBouncyCastle 1.82, Nimbus JOSE+JWT
CommunicationRabbitMQ (AMQPS) via custom mq-1.4.1.jar

Architecture

graph TB
    esign_oss[["[[esign]]<br/>esign_oss"]] -->|RabbitMQ RPC<br/>AMQPS :5671| pdfservice
    vuer_oss[["[[vuer_oss]]"]] -->|RabbitMQ RPC<br/>AMQPS :5671| pdfservice

    subgraph pdfservice ["pdfservice (Spring Boot)"]
        Validate[ValidateSignatureEndpoint]
        Prepare[PrepareSignatureEndpoint]
        Insert[InsertSignatureEndpoint]
        Check[CheckActiveComponentsEndpoint]
    end

    pdfservice -->|HTTPS| TSA[e-Szigno TSA<br/>Hungarian Test TSA]
    pdfservice --> TLCache[(EU Trust List Cache<br/>/workspace/tl_cache)]

RPC Endpoints (via RabbitMQ)

Queue NameEndpoint ClassPurposeTimeout
pdf-validateValidateSignatureEndpointValidate PDF digital signatures against EU trust lists10s
pdf-prepareSignedDocumentPrepareSignatureEndpointPrepare document hash for external signing10s
pdf-insertSignatureInsertSignatureEndpointInsert CMS signature into prepared PDF10s
pdf-checkActiveComponentsCheckActiveComponentsEndpointCheck for JavaScript/forms in PDF400s

Long Timeout

The active component check has a 6.7-minute timeout (checkActiveComponentRpcTimeoutMs=400000). This suggests potentially expensive PDF analysis.

Key Source Packages

PackagePurpose
service/signature/SigningService, PAdES facade, external CMS, visual signatures
service/validation/PDF validation against EU trust lists, offline validation
service/cryptography/Certificate handling, digest computation, verification
messaging/endpoints/RabbitMQ RPC endpoint implementations
model/Request/response DTOs for all operations

PAdES Signatures

The service implements PAdES (PDF Advanced Electronic Signatures), the EU standard for digitally signing PDF documents. The signing flow:

  1. Prepare: Hash the PDF content and create a signature placeholder
  2. Sign externally: The hash is signed using the signer’s certificate (handled by esign_oss or external system)
  3. Insert: The CMS signature is inserted into the prepared PDF
  4. Timestamp: A trusted timestamp is added from the Hungarian e-Szigno TSA

EU Trusted List Validation

The tl_cache/ directory contains cached EU Trusted Lists from 30+ European countries. This enables offline validation of digital signatures against EU-recognized certificate authorities.

ConfigValue
Cache location/workspace/tl_cache
Trust sourceEU LOTL (List of Trusted Lists)
TSA endpointhttps://bteszt.e-szigno.hu/tsa (Hungarian test TSA)
RabbitMQAMQPS with client certificates
Auto-recoveryDisabled (automaticRecoveryEnabled=false)

Dependencies

LibraryVersionPurpose
Apache PDFBox3.0.5PDF manipulation
EU DSSv6.3Digital signature standards
BouncyCastle1.82Cryptographic operations
Nimbus JOSE+JWT-JWT/JWE handling
mq-1.4.1.jar1.4.1Custom FaceKom MQ connector (bundled in libs/)

Container

PropertyValue
Base imageUBI8 minimal + Java 11
Registryharbor.techteamer.com
Compose fileservices.yml
NetworkHost mode

JVM Version Mismatch

The build toolchain targets JVM 17 (build.gradle.kts) but the Docker image uses Java 11. This is a potential runtime mismatch.

Notable Items

Observations

  • Bundled JAR: The mq-1.4.1.jar in libs/ is a custom FaceKom MQ connector, not fetched from any repository
  • No auto-recovery: queue.options.automaticRecoveryEnabled=false means RabbitMQ connections will not auto-reconnect after failure
  • Older base image: Uses UBI8 while vuer_oss uses UBI9
  • Dual signer: esign tries the new native binary first, falls back to the JAR
  • esign — Electronic signature system (primary consumer)
  • vuer_oss — Backend server (secondary consumer)
  • infrastructure — Container orchestration
  • FaceKom — Platform overview

Graph View