1
votes

I'm new to iText. I want to sign a PDF and add LTV to it. Signing the PDF is fine, but when I want to add LTV to the PDF, it doesn't show me the OCSP and CRL information of the timestamp certificate. Firstly I want to describe how I'm doing the signing. - My certificate chain: Signing Cert, Signing Cert Root, TimeStamp Cert, TimeStamp Cert Root. (Have I forgotten anything in the chain?)

For Signing the PDF, I'm using:

MakeSignature.SignDetached(signatureAppearance, externalSignature, chain, crlList, ocsp2, tsa1, 0, CryptoStandard.CMS);

After that I'm adding LTV for the signature and the timestamp.

    // Open the already signed PDF in append mode so the existing signatures stay intact.
    PdfReader r = new PdfReader(this.Source);
    FileStream fos = new FileStream(this.Output, FileMode.Create);
    PdfStamper stp = PdfStamper.CreateSignature(r, fos, '\0', null, true);
    LtvVerification v = stp.LtvVerification;
    AcroFields fields = stp.AcroFields;
    List<String> names = fields.GetSignatureNames();
    // Inspect the outermost (most recently applied) signature.
    String sigName = names[names.Count - 1];
    PdfPKCS7 pkcs7 = fields.VerifySignature(sigName);

    if (pkcs7.IsTsp)
    {
        // Outermost signature is a document timestamp: add OCSP/CRL data
        // for its signing certificate only.
        v.AddVerification(sigName, this.ocspClient, this.crlClient,
            LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
            LtvVerification.Level.OCSP_CRL,
            LtvVerification.CertificateInclusion.NO);
    }
    else
    {
        // Otherwise add OCSP/CRL data for the whole chain of every signature.
        foreach (String name in names)
            v.AddVerification(name, this.ocspClient, this.crlClient,
                LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL,
                LtvVerification.CertificateInclusion.NO);
    }

    // Close this update with a document timestamp; the collected validation
    // data is merged into the DSS when the signature is pre-closed.
    PdfSignatureAppearance sap = stp.SignatureAppearance;
    LtvTimestamp.Timestamp(sap, this.tsaClient, null);

I'm executing this two times, once for the signature and once for the timestamp. This is the result from Adobe:

[screenshot 1: Adobe Reader revocation details for the signing certificate]

As you can see there is no problem for the signing certificate: I can see the OCSP information embedded in the PDF. But when I check the timestamp certificate, I can see that there is no OCSP/CRL information shown.

[screenshot 2: Adobe Reader revocation details for the timestamp certificate]

The second picture shows the timestamp certificate. How can I embed OCSP and CRL for the timestamp certificate?

PDF Link: https://onedrive.live.com/redir?resid=607F56E75A4158B3!4560&authkey=!AMOR4lHaSTvF2LM&ithint=file%2cpdf

Thank you.

1 Answer

2
votes

Signing the PDF is fine, but when I want to add LTV to the PDF, it doesn't show me the OCSP and CRL information of the timestamp certificate.

When I check the timestamp certificate, I can see that there is no OCSP/CRL information shown.

How can I embed OCSP and CRL for the timestamp certificate?

Your images indicate that by "it" you mean Adobe Reader. And the fact that it doesn't show you OCSP and CRL information makes you think that they are not embedded in the document.

This conclusion is wrong, though. If you look closely at the message

[image: Revocation tab]

you'll recognize that it says that

  • revocation checks have not been performed because
  • the certificate is a trust anchor or above one and
  • Adobe Reader never checks for revocation of such certificates because
  • it considers them inherently trustworthy.

And it does not say that it missed revocation information.

So Adobe Reader doesn't even look for revocation information for your certificate and, therefore, it doesn't matter how much revocation information for that certificate you add, Adobe Reader will never show that information unless you reconfigure the Reader.

If you want to see revocation information for that certificate, you have to remove it from the Adobe Reader trust anchors and instead trust its issuer.

If it is self-signed, though, you're out of luck. But in that case revocation information generally would be meaningless anyway.

If you want an actual analysis whether or not the revocation information has been embedded, please supply the PDF in question.

Addendum: The Code

Some observations concerning your code:

  1. Your code assumes that all required validation related information for the inner signatures are present if the outermost signature of a PDF is a document timestamp. This need not be the case:

    a. the document timestamp may merely have been applied to timestamp the PDF; there is no requirement to add complete VRI first;

    b. sufficient validation related information for LTV is not absolute; it may differ from context to context, especially based on which certificates are trust anchors.

    Thus, your treatment of PDFs with an outermost document timestamp is very optimistic (concerning the presence of validation information in the PDF).

  2. Your code assumes that there is no usable validation related information in the PDF if the outermost signature is not a document timestamp, and it also assumes that it can still retrieve all required information online. This need not be the case:

    a. the document may contain multiple signatures, then timestamped validation related information for all of them, and then one additional signature. In that case you try to embed unnecessarily much.

    b. even PDFs without document timestamp may contain all required validation information using the older, pre-PAdES mechanisms. In this case you also try to embed unnecessarily much.

    c. the information you unnecessarily try to embed may not be available online anymore. This would make your code behave differently from your expectations.

    Thus, your treatment of PDFs without an outermost document timestamp is very pessimistic (concerning the presence of validation information in the PDF) and very optimistic (concerning the online availability of such information).

  3. Your code does not seem to embed validation related information for the signatures in the CRLs and OCSP responses. This might cause a verifier to fail LTV verification.

  4. Your code as final action timestamps the document. This obviously may introduce a lack of validation information for the certificates related to that very timestamp.

    BTW, if the time stamp certificate you focused on in your question is the certificate of the final time stamp, then your assumption that neither CRL nor OCSP responses for it are embedded may be correct --- after all, you don't embed any intentionally.

Addendum: The sample document

The sample PDF has 3 signature fields, one regular signature and two document time stamps. The certificates backing them are not by a CA automatically trusted by Adobe Reader, so I had to retrieve the respective root certificates and to configure Adobe Reader to trust them. In case of the signature that was easy: the root certificate had been added to the embedded signature container. In the case of the timestamps I had to retrieve the root certificate from here.

For the regular signature I get the same revocation tab as the OP, i.e. signer certificate is trusted according to the embedded OCSP response.

And for both timestamp signatures the tab looks like this:

[image: Revocation tab new]

Thus, revocation information is embedded in the PDF for the time stamps, too. It is important, though, not to tell Adobe Reader to trust the time stamping certificate (Kamu SM Zaman Damgasi Sunucusu Surum 3) itself but the root certificate (Kamu SM Kök Sertifika Hizmet Sağlayıcısı - Sürüm 5). Otherwise Adobe Reader believes you and does trust that timestamping certificate unconditionally and does not even check for revocation.

In the light of item 3 above please be aware that you are in luck concerning the final document time stamp: Your code does not add revocation information for it, and only because you already have embedded a CRL for the first time stamp, a CRL valid until next September, your second time stamp (created for the same certificate) also has its validation information.
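An added example (my own code, not from the question, the answer or iText's samples) that follows the addendum: it drops the outermost-signature guess of items 1 and 2 by calling AddVerification for every signature (at the cost of re-fetching data that may already be embedded), and it finishes with a DSS-only pass after the document timestamp so that timestamp's own certificate chain is covered (item 4). It assumes iTextSharp 5.5 and caller-supplied ocsp, crl and tsa clients; item 3 (revocation data for OCSP responder and CRL signer certificates) is not handled here.

```csharp
using System.Collections.Generic;
using System.IO;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;
// Hypothetical helper (not iText sample code, not the question's code); assumes
// iTextSharp 5.5 and caller-supplied IOcspClient / ICrlClient / ITSAClient instances.
public static class LtvHelper
{
    // Adds OCSP/CRL data for the whole chain of every signature (or only the newest
    // one) to the DSS. No timestamp is applied in this pass; PdfStamper.Close() merges
    // the collected data into the document as an incremental update.
    public static void AddValidationData(string src, string dst, IOcspClient ocsp, ICrlClient crl, bool newestOnly)
    {
        PdfReader r = new PdfReader(src);
        using (FileStream fos = new FileStream(dst, FileMode.Create))
        {
            PdfStamper stp = new PdfStamper(r, fos, '\0', true);   // append mode
            LtvVerification v = stp.LtvVerification;
            List<string> names = stp.AcroFields.GetSignatureNames();
            if (newestOnly) names = new List<string> { names[names.Count - 1] };
            foreach (string name in names)
                // WHOLE_CHAIN also covers the TSA chain of a document timestamp.
                v.AddVerification(name, ocsp, crl,
                    LtvVerification.CertificateOption.WHOLE_CHAIN,
                    LtvVerification.Level.OCSP_CRL,
                    LtvVerification.CertificateInclusion.NO);
            stp.Close();
        }
    }
    // Applies a document timestamp as a new incremental update.
    public static void AddDocumentTimestamp(string src, string dst, ITSAClient tsa)
    {
        PdfReader r = new PdfReader(src);
        using (FileStream fos = new FileStream(dst, FileMode.Create))
        {
            PdfStamper stp = PdfStamper.CreateSignature(r, fos, '\0', null, true);
            LtvTimestamp.Timestamp(stp.SignatureAppearance, tsa, null);
        }
    }
    // The final step is a DSS-only update, not a timestamp, so the newest timestamp
    // certificate is not left without validation data (item 4 of the answer).
    public static void MakeLtv(string signedPdf, string outPdf, IOcspClient ocsp, ICrlClient crl, ITSAClient tsa)
    {
        string step1 = outPdf + ".ltv.tmp", step2 = outPdf + ".ts.tmp";
        AddValidationData(signedPdf, step1, ocsp, crl, false);   // every signature
        AddDocumentTimestamp(step1, step2, tsa);
        AddValidationData(step2, outPdf, ocsp, crl, true);       // just the new timestamp
        File.Delete(step1); File.Delete(step2);
    }
}
```

Adobe Reader will still show the revocation data for the timestamp chain only if the TSA certificate itself is not a trust anchor, as the answer explains above.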