0
votes

I'm trying to 'complete to LTV' a PDF that is already signed, and I found this code using iText:

http://developers.itextpdf.com/question/how-enable-ltv-timestamp-signature

import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;

import com.itextpdf.text.DocumentException;
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.CrlClient;
import com.itextpdf.text.pdf.security.LtvTimestamp;
import com.itextpdf.text.pdf.security.LtvVerification;
import com.itextpdf.text.pdf.security.OcspClient;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import com.itextpdf.text.pdf.security.TSAClient;

public void addLtv(String src, String dest, OcspClient ocsp, CrlClient crl, TSAClient tsa)
        throws IOException, DocumentException, GeneralSecurityException {
    PdfReader r = new PdfReader(src);
    FileOutputStream fos = new FileOutputStream(dest);
    // append mode ('\0' keeps the PDF version) so the existing signatures stay intact
    PdfStamper stp = PdfStamper.createSignature(r, fos, '\0', null, true);
    LtvVerification v = stp.getLtvVerification();
    AcroFields fields = stp.getAcroFields();
    List<String> names = fields.getSignatureNames();
    String sigName = names.get(names.size() - 1);
    PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
    if (pkcs7.isTsp()) {
        // the last signature is already a document time stamp: only its
        // signing certificate needs revocation data in the new DSS
        v.addVerification(sigName, ocsp, crl,
            LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
            LtvVerification.Level.OCSP_CRL,
            LtvVerification.CertificateInclusion.NO);
    }
    else {
        // first LTV pass: collect OCSP/CRL data for the whole chain of every signature
        for (String name : names) {
            v.addVerification(name, ocsp, crl,
                LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL,
                LtvVerification.CertificateInclusion.NO);
        }
    }
    // closes the stamper: the collected DSS is written and sealed under a document time stamp
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    LtvTimestamp.timestamp(sap, tsa, null);
}

I read that it has a 'problem' with Adobe, because the timestamp applied is not recognized as LTV-enabled, and it suggests applying a new DSS to solve this.

My questions:

  • Can this info be added before applying the timestamp? If I'm adding a DSS to complete the document, I could add the TSA timestamp info (OCSP, CRL...) too (maybe with a fake signature to get the info) and then apply the timestamp without needing a new DSS again.

    • If yes... is this approved by ETSI? Can iText handle it? I noticed that addVerification adds info for signatures already included, but it seems I can't add the required info with this method. Is there another way to add 'free' verifications, or does addVerification let me and I didn't notice?

    • If no... why? Then why do I not need to timestamp the newly added DSS again?

As you can see... I'm not an expert and I need some help.

Thanks a lot for your help!


1 Answer

2
votes

My questions:

  • Can this info be added before applying the timestamp? If I'm adding a DSS to complete the document, I could add the TSA timestamp info (OCSP, CRL...) too (maybe with a fake signature to get the info) and then apply the timestamp without needing a new DSS again.
    • If yes... is this approved by ETSI? Can iText handle it? I noticed that addVerification adds info for signatures already included, but it seems I can't add the required info with this method. Is there another way to add 'free' verifications, or does addVerification let me and I didn't notice?
    • If no... why? Then why do I not need to timestamp the newly added DSS again?

Technically you can add any validation-related information before applying the signature / time stamp it relates to. Actually you even have to do this in the case of old-fashioned ISO 32000-1 signatures, which required the validation information to be in a signed attribute.

Whether such information is accepted by verifiers depends.

ETSI TS 102 778-4 V1.1.1 says:

4.3 Validation Process

It is recommended that the validation process be as follows:

  1. The "latest" document Time-stamp should be validated at current time with validation data collected at the current time.

  2. The "inner" document Time-stamp should be validated at previous document Time-stamp time with the validation data present (and time-stamped for the successive enveloping time-stamps) in the previous DSS.

  3. The signature and the signature Time-stamp should be validated at the latest innermost LTV document Timestamp time using the validation data stored in the DSS and time-stamped (by the successive enveloping timestamps)

Validation of documents without document Time-stamps is outside the scope of this profile.

If a verifier validates according to these recommendations, it will not accept your validation information as you want it to; at least, it will not recognize the time stamp as stamping the information meant for its own validation.

But as these are only recommendations, and other TS or EN documents might recommend differently, the verifiers you are interested in may accept your validation information as you desire.
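To see why the quoted process does not use validation data placed in a DSS that the time stamp itself covers, here is an added model of steps 1 to 3 of clause 4.3 run over two layerings. This is example code written for this page, not iText code, not the answerer's code and not text from the standard; the layer classes, the certificate ids and the rule that each document time stamp covers every layer before it are assumptions of the model, and revocation data is reduced to "this DSS carries status for certificate X". Only the latest time stamp is allowed to use data fetched now; every inner time stamp is checked against the DSS layers that lie between it and the next outer time stamp, and a signature against the DSS layers between it and the first time stamp covering it.

```python
"""Model of the ETSI TS 102 778-4 clause 4.3 validation process (constructed example).

A signed PDF is a list of incremental-update layers; each document time
stamp is assumed to cover every layer before it. Revocation data is
reduced to "this DSS carries OCSP/CRL status for certificate X".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union


@dataclass
class Signature:
    name: str
    cert: str          # id of the signing certificate (assumed label)


@dataclass
class DSS:
    certs: FrozenSet[str]   # certificates whose revocation info this DSS holds


@dataclass
class DocTimestamp:
    name: str
    cert: str          # TSA certificate (assumed label)
    time: int          # time asserted by the TSA


Layer = Union[Signature, DSS, DocTimestamp]
Report = Dict[str, Tuple[str, str, bool]]   # element -> (when, data source, ok)


def _dss_between(layers: List[Layer], start: int, end: int) -> Set[str]:
    """Revocation data of all DSS layers in layers[start:end]."""
    data: Set[str] = set()
    for layer in layers[start:end]:
        if isinstance(layer, DSS):
            data |= layer.certs
    return data


def validate_ltv(layers: List[Layer], online_now: Set[str]) -> Tuple[str, Report]:
    """Apply steps 1-3 of the quoted process.

    online_now: certificates whose status can be fetched at the current time.
    Only step 1 (the latest time stamp) may use it; inner elements must be
    validated from DSS data alone.
    """
    ts_idx = [i for i, l in enumerate(layers) if isinstance(l, DocTimestamp)]
    if not ts_idx:
        return "out-of-scope", {}   # no document time stamp: outside the profile
    report: Report = {}
    ok = True

    # Step 1: the latest time stamp, at the current time, with current data.
    latest = layers[ts_idx[-1]]
    good = latest.cert in online_now
    report[latest.name] = ("now", "online", good)
    ok &= good

    # Step 2: each inner time stamp at the time of the next outer one, using
    # only the DSS layers between the two (the "previous DSS").
    for inner_i, outer_i in zip(reversed(ts_idx[:-1]), reversed(ts_idx)):
        inner, outer = layers[inner_i], layers[outer_i]
        good = inner.cert in _dss_between(layers, inner_i + 1, outer_i)
        report[inner.name] = (f"t={outer.time}", f"DSS between {inner.name} and {outer.name}", good)
        ok &= good

    # Step 3: each signature at the time of the first time stamp covering it,
    # using the DSS layers between the signature and that time stamp.
    for s_i, layer in enumerate(layers):
        if not isinstance(layer, Signature):
            continue
        cover_i = next((i for i in ts_idx if i > s_i), None)
        if cover_i is None:          # not yet time-stamped: treated like step 1
            good = layer.cert in online_now
            report[layer.name] = ("now", "online", good)
        else:
            cover = layers[cover_i]
            good = layer.cert in _dss_between(layers, s_i + 1, cover_i)
            report[layer.name] = (f"t={cover.time}", f"DSS before {cover.name}", good)
        ok &= good
    return ("valid" if ok else "invalid"), report


SIGNER, TSA1, TSA2 = "signer-cert", "tsa1-cert", "tsa2-cert"   # constructed ids


def layering_from_question(second_timestamp: bool = False) -> List[Layer]:
    """The idea from the question: TSA1's revocation info goes into the DSS
    added *before* TS1, so TS1 itself covers the data meant to validate it."""
    layers: List[Layer] = [
        Signature("Sig1", SIGNER),
        DSS(frozenset({SIGNER, TSA1})),
        DocTimestamp("TS1", TSA1, time=100),
    ]
    if second_timestamp:   # later TS2 is applied without adding a further DSS
        layers.append(DocTimestamp("TS2", TSA2, time=200))
    return layers


def layering_per_profile() -> List[Layer]:
    """Layering the quoted process expects: data for TS1 sits in a DSS that
    is added after TS1 and covered by TS2."""
    return [
        Signature("Sig1", SIGNER),
        DSS(frozenset({SIGNER})),
        DocTimestamp("TS1", TSA1, time=100),
        DSS(frozenset({TSA1})),
        DocTimestamp("TS2", TSA2, time=200),
    ]


if __name__ == "__main__":
    for label, layers, online in [
        ("question, TS1 only", layering_from_question(), {TSA1}),
        ("question, TS2 added", layering_from_question(True), {TSA2}),
        ("profile layering", layering_per_profile(), {TSA2}),
    ]:
        verdict, report = validate_ltv(layers, online)
        print(f"{label}: {verdict}")
        for name, (when, source, good) in report.items():
            print(f"  {name:5} at {when:6} via {source}: {'ok' if good else 'FAIL'}")
```

Under this model the questioner's layering validates while TS1 is still the latest time stamp, because step 1 fetches TS1's status online and step 3 finds the signer's data in the DSS before TS1. Once a second time stamp is applied without a new DSS, step 2 looks for TSA1's data only between TS1 and TS2, finds none, and fails, even if the same data sits in the DSS under TS1 and even if TSA1's status is still fetchable now. That is the step the answer says such a verifier will not recognize; a verifier following a different recommendation may behave otherwise.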