Add separate signature and separate ocsp bytes to PDF with iText

0
votes

I have an array with signature bytes and an array with ocsp bytes to add ltv information to my pdf. The signature is a timestamp signature. Now I try to add this information to a pdf file which works with

//add signature
PdfLiteral pdfLiteral = (PdfLiteral) pdfSignature.get( PdfName.CONTENTS );
byte[] outc = new byte[ ( pdfLiteral.getPosLength( ) - 2 ) / 2 ];
Arrays.fill( outc, (byte) 0 );
System.arraycopy( externalSignature, 0, outc, 0, externalSignature.length );
PdfDictionary dic2 = new PdfDictionary( );
PdfString pdfString = new PdfString( outc ).setHexWriting( true );
dic2.put( PdfName.CONTENTS, pdfString );

pdfSignatureAppearance.close( dic2 );

... 

//add LTV
for ( String sigName : stamper.getAcroFields( ).getSignatureNames( ) ) {
        addVerification = validation.addVerification(
                sigName, // Signature Name
                ocspColl, // OCSP
                crlColl, // CRL
                null // certs
        );
    }

validation.merge( );
stamper.close( );

OK, this works. But in the signature I have to set the flag certification level 1 (no changes are allowed) and my application will not work. Because with adding LTV I change the document. I tried creating my own DSS-dictionary and add it to my document but it failed. Anyone who can help, please? Thanks in advance

1
javapdfitextsignature

1 Answers

0
votes

As a member of the ISO committee for ISO-32000-2, I have access to the specification, so allow me to explain a couple of things.

There can be 3 types of signatures (*) in a PDF document:

  • At most one certification signature (aka author signature),
  • One or more approval signatures (aka recipient signatures),
  • Any number of document time stamp signatures (of which the SubFilter value is ETSI.RFC3161).

(*) There is a fourth type, called a usage rights signature, but that will be deprecated in PDF 2.0.

Source: section 12.8.1 entitled "General" in section 12.8 entitled "Digital Signatures" of ISO 32000-2 (Draft)

You are talking about a document time stamp signature (added for LTV reasons), but you are also talking about DocMDP (MDP stands for Modification Detection and Prevention).

MDP is available for certification signatures only:

The DocMDP transform method shall be used to detect modifications relative to a signature field that is signed by the author of a document (the person applying a certification signature). A document can contain only one signature field that contains a DocMDP transform method. It enables the author to specify what changes shall be permitted to be made to the document and what changes invalidate the author’s signature.

Source: section 12.8.2.2.1 entitled "General" in section 12.8.2.2 entitled "DocMDP" of ISO 32000-2 (Draft)

Granted, you can add a Reference entry to the signature dictionary that contains "An array of signature reference dictionaries".

A signature reference dictionary can have a TransformMethod entry with values:

  • DocMDP: Used to detect modifications to a document relative to a signature field that is signed by the originator of a document.
  • FieldMDP: Used to detect modifications to a list of form fields specified in TransformParams.

Source: Table 259 "Entries in a signature reference dictionary" in section 12.8.1 of ISO 32000-1

If MDP is what you want, you can use DocMDP in case of certification signatures, and FieldMDP in case of other signatures. However, if we look at the Reference entry in Table 255: Entries in a signature dictionary, we see that "If SubFilter is ETSI.RFC3161, this entry shall not be used."

In other words, you can't have a DocMDP or FieldMDP for Document time stamps. That's kind of normal, because as we read in section 12.8.5.1 "General" of section 12.8.5 "Document time-stamp (DTS) dictionary":

A document time-stamp dictionary establishes the exact contents of the complete PDF file at the time indicated in the time-stamp token.

It doesn't say anything about the ability to set a flag to "certification level 1 (no changes are allowed)". That's not what a document time stamp is for. It is normal that the code fails.

Setting the certification level is something that can only be done with the first signature, in case that signature is a certification signature. Whoever told you to set the certification level using a document time stamp signature (ETSI.RFC3161) is asking you to do something that is impossible according to the upcoming ISO standard for PDF 2.0.

If your follow-up question is: then how was it done in ISO 32000-1, then the answer is simple: document timestamp signatures didn't exist in ISO 32000-1.