
LTV enabled certificate

Open muristan opened this issue 4 years ago • 9 comments

I couldn't yet configure endesive to sign a PDF and get it LTV enabled. I use eToken 5100 and an AATL certificate. To get a valid signature is not a problem. But it's not LTV enabled. What is important to produce an LTV enabled PDF?

Andreas

muristan avatar Mar 03 '21 15:03 muristan

I have never had such a need and never read the documentation in order to perform such a task. I think this is related to OCSP (issue #25).

Some links for this subject: https://stackoverflow.com/questions/26090558/what-does-not-ltv-enabled-mean/26124267 https://stackoverflow.com/questions/51370965/how-can-i-add-pades-ltv-using-itext/51481392#51481392

m32 avatar Mar 03 '21 18:03 m32

Endesive can't do that yet. After signing the document, generate the dss structure containing the certificates used in the document and the results of checking their validity.

You can get such data, for example, via Apache PDFBox (`jars` is a list of libraries from Apache PDFBox): `java -cp $jars org.apache.pdfbox.examples.signature.validation.AddValidationInformation pdf-signed-cms-m32.pdf`

As you can see in the attached files, my certificate from unizeto does not support LTV: pdf-signed-cms-m32.pdf, pdf-signed-cms-m32_ocsp.pdf

m32 avatar Mar 14 '21 11:03 m32

Hi, for LTV signature it seems the code is almost there. If I understand the following links correctly, the `RevocationInfoArchival` from the Timestamp is the only missing element from the signature. I've tried over the past days to add `RevocationInfoArchival` info to the signature without any success. I was wondering if you can provide any guidance in this direction. Or perhaps I'm simply wrong.

The links:

  • https://stackoverflow.com/questions/67821453/ltv-enabling-signatures-in-pdf
  • https://github.com/wbond/asn1crypto/blob/master/asn1crypto/pdf.py

vicpara avatar Nov 01 '22 16:11 vicpara

The description of how to work with LTV is, for example: https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/ but I can't repeat it at home. Maybe it's the certificate's fault.

m32 avatar Nov 01 '22 19:11 m32

I may have got this wrong, but I think if your certificate has a CRL or OCSP property and the OCSP/CRL server is still live and can check its revocation status, then LTV should work. I'm happy to test here with our certificates.

When using a timestamping and OCSP server during signing, the signature itself has all the properties needed for LTV. All that's left is to add to the PDF a DSS dictionary that references the cert chain, CRL, OCSP, VRI. I tried to create the DSS dictionary myself, but I cannot find a way to pick up the references for the certificates. Also a new PDF trailer is required after the DSS dictionary was written in the file, and I'm struggling to get it right without corrupting the PDF.

I found more on the structure of the DSS dict, specifications and some examples from another library that implemented the LTV:

  • https://www.etsi.org/deliver/etsi_ts/102700_102799/10277804/01.01.02_60/ts_10277804v010102p.pdf
  • https://github.com/hejsan/WeasySign/blob/master/weasysign/globalsign.py#L115

vicpara avatar Nov 07 '22 20:11 vicpara
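An added example (not endesive's code and not anything posted in this thread) of the DSS step described above: it appends an incremental update in which the catalog gains a `/DSS` dictionary pointing at stream objects holding the certificates, OCSP responses and CRLs, followed by the new xref section and trailer with `/Prev`, and it includes a check that every offset in the newest xref table really resolves to its object, which is the usual way such an update corrupts a file. It assumes a PDF with a classic xref table (not xref streams) and a catalog that has no `/DSS` yet; `SAMPLE_PDF` and the DER blobs in the test are constructed placeholders, and no `/VRI` sub-dictionary is written.

```python
import re

# Constructed one-page PDF with a classic xref table (not a real signed file); offsets 9, 58, 110 are exact.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
              b"trailer\n<< /Size 3 /Root 1 0 R >>\nstartxref\n110\n%%EOF\n")

def _last(pattern, data):
    """Newest match wins: after incremental updates the last trailer is the current one."""
    return list(re.finditer(pattern, data, re.S))[-1]

def add_dss(pdf, certs=(), ocsps=(), crls=()):
    """Append an incremental update that adds a /DSS of DER blobs to the catalog."""
    size = int(_last(rb"/Size\s+(\d+)", pdf).group(1))
    rnum, rgen = map(int, _last(rb"/Root\s+(\d+)\s+(\d+)\s+R", pdf).groups())
    prev = int(_last(rb"startxref\s+(\d+)", pdf).group(1))
    cat = _last(rb"(?<![0-9])%d %d obj(.*?)endobj" % (rnum, rgen), pdf).group(1).strip()
    out = pdf if pdf.endswith(b"\n") else pdf + b"\n"
    offsets, nxt, dss = {}, size, [b"/Type /DSS"]
    for key, blobs in ((b"/Certs", certs), (b"/OCSPs", ocsps), (b"/CRLs", crls)):
        for n, der in enumerate(blobs, nxt):     # one stream object per cert / OCSP response / CRL
            offsets[n] = len(out)
            out += b"%d 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (n, len(der), der)
        if blobs:
            dss.append(key + b" [" + b" ".join(b"%d 0 R" % n for n in range(nxt, nxt + len(blobs))) + b"]")
        nxt += len(blobs)
    offsets[nxt] = len(out)                      # the DSS dictionary itself
    out += b"%d 0 obj\n<< %s >>\nendobj\n" % (nxt, b" ".join(dss))
    offsets[rnum] = len(out)                     # catalog re-emitted with /DSS, same number and generation
    out += b"%d %d obj\n<< %s /DSS %d 0 R >>\nendobj\n" % (rnum, rgen, cat[2:-2].strip(), nxt)
    nxt += 1
    xref = len(out)                              # xref: one subsection for the catalog, one for the new objects
    out += b"xref\n%d 1\n%010d %05d n \n%d %d\n" % (rnum, offsets[rnum], rgen, size, nxt - size)
    out += b"".join(b"%010d 00000 n \n" % offsets[n] for n in range(size, nxt))
    out += b"trailer\n<< /Size %d /Root %d %d R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (nxt, rnum, rgen, prev, xref)
    return out

def last_xref_ok(pdf):
    """Every in-use entry of the newest xref table must point at 'num gen obj'."""
    start = int(_last(rb"startxref\s+(\d+)", pdf).group(1))
    num, ok = 0, pdf.startswith(b"xref", start)
    for line in pdf[start + 4:pdf.index(b"trailer", start)].split(b"\n"):
        parts = line.split()
        if len(parts) == 2:                      # subsection header: first object number, count
            num = int(parts[0])
        elif len(parts) == 3:                    # entry "offset generation n|f"; free entries are not checked
            ok &= parts[2] == b"f" or pdf.startswith(b"%d %d obj" % (num, int(parts[1])), int(parts[0]))
            num += 1
    return ok
```

The original bytes are left untouched, so an existing signature's byte range still verifies; only the trailing update is new.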

WeasySign creates DSS structures and that's the direction, but other things for this time are more important to me if you want and can ... please add code that will solve this problem :), PR always welcome

m32 avatar Nov 09 '22 20:11 m32

I tried to add it like this with reference to WeasySign, but it doesn't work for me, LTV is not enabled. Is there anything wrong here? Thanks in advance!

ganesharavindh avatar Nov 28 '22 11:11 ganesharavindh

@ganesharavindh if it doesn't work then something is wrong, still have no time for this issue

m32 avatar Nov 28 '22 13:11 m32