Add documentation for all PDF tools

docs/tools/validate-signature-pdf.md

@@ -0,0 +1,74 @@
+---
+title: Validate Signature
+description: Verify digital signatures in PDF files. Check certificate validity, signer identity, document integrity, and trust chain status.
+---
+
+# Validate Signature
+
+Upload a signed PDF and this tool extracts every digital signature, identifies the signer, checks certificate validity, and reports whether the document has been modified since signing. You can also provide a trusted certificate to verify the signature chain.
+
+## How It Works
+
+1. Upload a signed PDF file. Validation starts automatically.
+2. The tool displays a summary: number of signatures found, how many are valid.
+3. Each signature gets a detailed card showing signer name, issuer, dates, and status.
+4. Optionally upload a **trusted certificate** (.pem, .crt, .cer, .der) to verify the signature against a specific trust anchor. Re-validation runs automatically.
+
+## What Gets Checked
+
+### Signature Parsing
+
+The tool extracts PKCS#7 signature objects from the PDF, decodes the ASN.1 structure, and pulls out the signer's X.509 certificate along with any certificate chain embedded in the signature.
+
+### Certificate Validity
+
+- **Expiration**: Is the certificate currently within its valid date range?
+- **Self-signed detection**: Is the certificate its own issuer?
+- **Trust chain**: When a trusted certificate is provided, does the signer's certificate chain back to it?
+
+### Document Coverage
+
+- **Full coverage**: The signature covers the entire PDF file, meaning no bytes were added or changed after signing.
+- **Partial coverage**: The signature covers only part of the file. This can indicate modifications were made after signing (not necessarily malicious -- incremental saves produce partial coverage).
+
+## Signature Details
+
+Each signature card shows:
+
+- **Signed By**: Common name, organization, and email from the signer's certificate
+- **Issuer**: The Certificate Authority that issued the signer's certificate
+- **Signed On**: The timestamp embedded in the signature
+- **Valid From / Valid Until**: The certificate's validity period
+- **Reason**: Why the document was signed (if provided)
+- **Location**: Where it was signed (if provided)
+- **Coverage Status**: Full or Partial
+- **Trust Badge**: Trusted or Not in trust chain (only when a custom certificate is provided)
+
+### Technical Details
+
+Expand the technical details section for:
+
+- Serial number of the signer's certificate
+- Digest algorithm (SHA-256, SHA-512, etc.)
+- Signature algorithm (RSA with SHA-256, ECDSA with SHA-256, etc.)
+- Error messages for invalid signatures
+
+## Use Cases
+
+- Verifying a digitally signed contract before countersigning
+- Auditing signed documents to confirm they have not been tampered with
+- Checking whether a certificate has expired since the document was signed
+- Validating signatures against your organization's root certificate
+- Inspecting the signing details of government or legal documents
+
+## Tips
+
+- A self-signed certificate does not mean the signature is invalid -- it means the signer's identity cannot be verified through a trusted third party. This is common for internal documents.
+- Partial coverage does not always indicate tampering. Many PDF workflows add incremental updates (like a second signature) that create partial coverage.
+- Upload your organization's root or intermediate certificate as the trusted certificate to get trust chain verification.
+
+## Related Tools
+
+- [Digital Signature](./digital-sign-pdf) -- sign PDFs with your own certificate
+- [Flatten PDF](./flatten-pdf) -- flatten a PDF before signing to prevent post-signature modifications
+- [Remove Metadata](./remove-metadata) -- clean a PDF before applying a signature