add revocation detail in pdf while signing same

0
votes

I am have digitally signed a pdf using digital token attached in pc using libarary itext sharp to append same, when i open same in adobe reader it shows revocation can not be performed and when i see details then it shows that one of the issuers certificate's revocation is not checked with error : error encountered while BER decoding.

path to my plain signed pdf: https://www.sendspace.com/file/vqgl53

As a solution i thought if i can add CRL information itself in document(my plain signed pdf) then i won't face this problem. So i added code mentioned in this ans : I want to sign a pdf document with ITextSharp and return ltv pdf enabled file

but I am getting exception on line : addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));

IN SUBMETHOD getCrlHashKey ON FIRST LINE : X509Crl crl = new X509Crl(CertificateList.GetInstance(crlBytes));

Exception says :

Unknown object in GetInstance: Org.BouncyCastle.Asn1.DerApplicationSpecific Parameter name: obj

Kindly suggest further.

1
c#pdfitextdigital-signaturecertificate-revocation
The exception appears to indicate that the CRL is broken (or in a non-standard format - which one could call a broken design), so something the provider in question has to fix. I'll look at the example document later.mkl

1 Answers

0
votes

Extending AdobeLtvEnabling

The cause of the exception is that for one certificate the associated CRL is base64 encoded which the AdobeLtvEnabling class does not expect (the expectation here is to retrieve a binary version, no decoding required).

You can extend the AdobeLtvEnabling as follows to also be able to handle base64 encoded CRLs: search the AdobeLtvEnabling method addLtvForChain and replace the CRL handling loop

Console.WriteLine("  with {0} CRLs\n", crl.Count);
foreach (byte[] crlBytes in crl)
{
    validationData.crls.Add(crlBytes);
    addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));
}

with this:

Console.WriteLine("  with {0} CRLs\n", crl.Count);
foreach (byte[] crlBytes in crl)
{
    PdfName hashKey = null;
    byte[] bytes = null;
    try
    {
        hashKey = getCrlHashKey(crlBytes);
        bytes = crlBytes;
    }
    catch (Exception e)
    {
        Console.WriteLine("  CRL decoding exception, assuming Base64 encoding, trying to decode - {0}\n", e.Message);
        bytes = Convert.FromBase64String(new String(Encoding.Default.GetChars(crlBytes)));
        hashKey = getCrlHashKey(bytes);
    }
    validationData.crls.Add(bytes);
    addLtvForChain(null, ocspClient, crlClient, hashKey);
}

Your signature, though

While revocation of the other non-root certificates in question now refers to embedded CRLs, for one certificate there still is an issue, the revocation tab for "SafeScrypt sub-CA for RCAI Class 2 2014 (SAFESCRYPTONLINE_15)" in Adobe Reader shows

CRL processing error
Issuer: cn=SafeScrypt CA 2014, houseIdentifier=II Floor, Tidel Park, street=No.4, Rajiv Gandhi Salai, Taramani, Chennai, st=Tamil Nadu, postalCode=600 113, ou=Certifying Authority, o=Sify Technologies Limited, c=IN
This update: 20180303183000Z
Next update: 20190303182959Z
CRL has expired or is not yet valid

Indeed, a CRL with a next update value of 20190303182959Z is expired and, therefore, cannot be used now for validation without appropriate POEs. So indeed, Adobe Reader ist completely correct in stating that based on that CRL (currently served by the PKI) it cannot determine non-Revocation.

But could it from other information? Well, there is an AIA attribute in the certificate for an OCSP responder that could alternatively be used. But an attempt to use it fails, http://ocsp.safescrypt.com currently accepts no requests. So this is no actual alternative.

All in all this makes the quality of service of this CA appear questionable. If this state continues, you might want to switch to a different CA.