Re: [iText-questions] [SPAM] Re: LTV problem?
Dear Michael,

I got it. Many thanks for your help.

I finally made the signature LTV-enabled. I just added the CRL of the issuer cert to the signature. It works.

Thank you very much!

Best regards,
Eric

On Sun, Dec 29, 2013 at 7:12 AM, mkl m...@wir-sind-cool.org wrote:
> [...]
[iText-questions] [SPAM] Re: LTV problem?
Eric,

Eric Chow wrote
> The sample1.pdf is signed by the certificate that was generated by keytool and the sample2.pdf is signed with the smartcard (PKCS#11).
>
> sample1.pdf (58K) http://itext-general.2136553.n4.nabble.com/attachment/4659598/0/sample1.pdf
> sample2.pdf (48K) http://itext-general.2136553.n4.nabble.com/attachment/4659598/1/sample2.pdf

Ok, the main reason why sample1.pdf shows LTV-enabled in Adobe Reader is that it is signed using a self-issued/self-signed certificate while real world user certificates usually are issued by other certificates which in turn are issued by still other ones, which in turn etc. pp. ... Eventually this chain ends in a certificate like yours which is issued by itself. A certificate is signed using its issuer certificate; thus, a self-issued certificate is also known as a self-signed certificate.

A small 101 on certificates first...

Whenever you are checking whether you put some trust in a signature (beyond the mathematical check whether the hash of the document matches with the signature), you try and build that chain as far as possible (verifying whether each certificate actually has been signed by its alleged issuer and checking numerous other attributes, e.g. validity interval and allowed usage purposes) and check whether you have any of these certificates in your local store of trusted certificates; usually the certificates in your trusted certificate store are self-issued certificates. If you find no match, you don't trust the signature.

Otherwise you obviously trust the certificate you identified (otherwise it would not be in your trusted store, would it?), but the certificates leading to it from your signer certificate inclusively have to be checked some more because they may meanwhile have been revoked (due to stolen keys or misuse). Thus, you query the respective public key infrastructure of the issuing certificate whether the certificate in question is revoked or not using OCSP or CRL queries.

To guarantee that the respective responses are no fakes coming from some man-in-the-middle fooling you (after all you do those queries via some anonymous internet route probably infested by bad guys), these responses themselves also are signed. Thus, you have to verify these signatures, too. Etc. Etc. Etc. Fortunately the responses from the PKI of the issuing certificate usually are signed by very few certificates, which makes this process eventually end because of your unlimited trust in the certificates in your trusted store.

If at a later time (maybe a much later time) there is a need to re-check the validity of your signature, those PKIs might be offline and the procedure mentioned above may not be repeatable. For such a case, though, it would suffice to have all the information available that you collected earlier in your original attempt to verify the signature. Thus, there is a need to store all this validation-related information alongside your signature. This is what the CAdES/XAdES/PAdES standards (and others, too) are all about.

When Adobe Reader says some signature is LTV-enabled, it essentially has checked whether it finds all the information required for such a later check in the PDF document given the trust in the certificates in the trusted store.

(Actually the situation can be somewhat more complicated due to cross-signed certificates, alternative certificate chains, TSLs, time stamps, differing validation models... On the other hand the actual checks can be somewhat simplified for PKIs often verified against.)

In your case sample1.pdf is signed by a self-issued certificate which you most likely have added to your trusted certificates (otherwise Adobe Reader would warn you about this missing trust). As the signer certificate already is a trusted certificate, there is no need for any other validation-related information. Thus the document is LTV-enabled.

sample2.pdf on the other hand is signed by a user certificate which is issued by some other certificate. Neither the other certificate nor any revocation information for any certificate is available. Thus: not LTV-enabled.

By the way, adding that user certificate itself to the trusted certificates makes Adobe display it as LTV-enabled... ;)

(BTW, the signature in sample2.pdf uses the adbe.pkcs7.sha1 subfilter; for interoperable signatures the current PDF standard has been recommending against using it since the last decade.)

I hope this helps to understand which information has to be added to a PDF to make it LTV-enabled.

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659604.html
Sent from the iText - General mailing list archive at Nabble.com.
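A simplified model of the completeness check Michael describes above, as an added example that is not part of the thread and is not Adobe Reader's or iText's actual algorithm. Certificates and revocation responses are reduced to names; the class, the method names and all certificate names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Simplified model: is everything needed to re-validate a signature later embedded in the PDF? */
public class LtvCompleteness {

    /** Material embedded in the PDF, reduced to names (constructed, hypothetical data). */
    static final class Embedded {
        // certificate subject -> issuer of that certificate
        final Map<String, String> issuerOf = new HashMap<String, String>();
        // certificate subject -> signer of the CRL/OCSP response covering it
        final Map<String, String> revocationSigner = new HashMap<String, String>();

        Embedded cert(String subject, String issuer) {
            issuerOf.put(subject, issuer);
            return this;
        }

        Embedded revocation(String about, String signedBy) {
            revocationSigner.put(about, signedBy);
            return this;
        }
    }

    /** Lists what is still missing; an empty list means the model treats the signature as LTV-enabled. */
    static List<String> missing(String signer, Embedded pdf, Set<String> trusted) {
        List<String> out = new ArrayList<String>();
        walk(signer, pdf, trusted, new HashSet<String>(), out);
        return out;
    }

    private static void walk(String subject, Embedded pdf, Set<String> trusted,
                             Set<String> seen, List<String> out) {
        if (trusted.contains(subject)) {
            return; // a trusted certificate ends the walk; nothing more is needed for it
        }
        if (!seen.add(subject)) {
            return; // already examined (also guards against loops)
        }
        String issuer = pdf.issuerOf.get(subject);
        if (issuer == null) {
            out.add("certificate of " + subject);
            return;
        }
        if (issuer.equals(subject)) {
            out.add("trust in self-issued certificate " + subject);
            return;
        }
        String responder = pdf.revocationSigner.get(subject);
        if (responder == null) {
            out.add("revocation info for " + subject);
        } else {
            walk(responder, pdf, trusted, seen, out); // responses are signed, so check their signer too
        }
        walk(issuer, pdf, trusted, seen, out);        // continue up the chain
    }

    static Set<String> set(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Like sample1.pdf: one self-issued signer certificate.
        Embedded sample1 = new Embedded().cert("keytool-cert", "keytool-cert");
        System.out.println("sample1, signer trusted:   "
                + missing("keytool-cert", sample1, set("keytool-cert")));
        System.out.println("sample1, signer untrusted: "
                + missing("keytool-cert", sample1, set()));

        // Like sample2.pdf: only the signer certificate C is embedded; root A is trusted.
        Embedded sample2 = new Embedded().cert("C", "B");
        System.out.println("sample2 as signed:         " + missing("C", sample2, set("A")));

        // Same chain with the intermediate certificate and revocation data embedded.
        Embedded complete = new Embedded()
                .cert("C", "B").cert("B", "A")
                .revocation("C", "B").revocation("B", "A");
        System.out.println("sample2 with chain + CRLs: " + missing("C", complete, set("A")));

        // Trusting the signer certificate itself short-circuits every other check.
        System.out.println("sample2, C trusted:        " + missing("C", sample2, set("C")));
    }
}
```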
Re: [iText-questions] [SPAM] Re: LTV problem?
Dear Michael,

I tried to use keytool to generate a keystore and sign the PDF. It shows LTV-enabled in Adobe Reader.

I also use the same method to sign the PDF with PKCS#11 (Smartcard) but the output signed PDF is not LTV-enabled.

What's the difference?

Best regards,
Eric

On Fri, Dec 27, 2013 at 12:49 PM, Eric Chow eric...@gmail.com wrote:
> [...]

___
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions

iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples: http://itextpdf.com/themes/keywords.php
[iText-questions] [SPAM] Re: LTV problem?
Eric Chow,

Eric Chow wrote
> I tried to use keytool to generate a keystore and sign the PDF. It shows LTV-enabled in Adobe Reader.
>
> I also use the same method to sign the PDF with PKCS#11 (Smartcard) but the output signed PDF is not LTV-enabled

Please provide samples of both to compare their respective structure.

That being said, if I remember correctly, your recent example in this thread did not include all the certificates in the certificate chain. That may be one issue.

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659597.html
Re: [iText-questions] [SPAM] Re: LTV problem?
Dear Michael,

I found that in sample1.pdf, it only has a signed certificate.

In sample2.pdf, there are three levels of certificate:

- Issuer ROOT cert (A)
- Issuer signed cert (B)
- my personal cert (C)

Do I need to add the (A) and (B) to the .addVerification(...)? Just add the certificate or their CRLs and OCSPs?

Anyway, how can I get those certificates from (C)?

Best regards,
Eric

On Sat, Dec 28, 2013 at 9:53 AM, Eric Chow eric...@gmail.com wrote:
> Hi Michael,
>
> The sample1.pdf is signed by the certificate that was generated by keytool and the sample2.pdf is signed with the smartcard (PKCS#11).
>
> Best regards,
> Eric
>
> On Sat, Dec 28, 2013 at 3:52 AM, mkl m...@wir-sind-cool.org wrote:
>> [...]
[iText-questions] [SPAM] Re: LTV problem?
Eric Chow wrote
> I used the following code to add the LTV to the existing signed PDF. The attached PDF is the result. But it shows LTV not enabled in the Adobe Reader XI.
>
> test_signed_LTV.pdf (346K) http://itext-general.2136553.n4.nabble.com/attachment/4659584/0/test_signed_LTV.pdf

Your signature contains both a CRL and a time stamp, both of which have signatures in their own right. Unfortunately the LtvVerification.addVerification overload you use only inspects the outer signatures. Thus, you have three options:

1. Include all the CRLs / OCSP responses required to verify the certificates of the outer signature, the CRL and OCSP response signatures, and timestamp already in the original signature; in this case you do not need to add extra validation-related information. In your case only one CRL is embedded which most likely does not contain the information required for verifying the three signatures used.

2. Don't use CRLs, OCSP responses or time stamps in the original signature but do add the whole signature chain (in your case there only is the signer certificate). In this case the LtvVerification.addVerification overload you use should add all required information.

3. Collect all validation-related information required for all signatures already present in the PDF and in the collected information, and use the other LtvVerification.addVerification overload to add this information.

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659590.html
Re: [iText-questions] [SPAM] Re: LTV problem?
Dear Michael,

Thanks for your help.

Because I am a dummy and lack knowledge in LTV, would you please show me a simple example to sign a PDF that is LTV-enabled with option 2?

Best regards,
Eric

On Fri, Dec 27, 2013 at 3:58 AM, mkl m...@wir-sind-cool.org wrote:
> [...]
[iText-questions] [SPAM] Re: LTV problem?
Eric,

Eric Chow wrote
> tsaClient = new TSAClientBouncyCastle(TSA_URL, TSA_ACCNT, TSA_PASSW, 6500, sha256);
> [...]
> v.merge();
>
> On Wed, Dec 18, 2013 at 3:45 AM, mkl <mkl@> wrote:
>> In that case can you supply a PDF resulting from your code calling addVerification?

I meant not the code (which has been posted before) but the output of that code when the input is the PDF you posted here before.

I don't have the certificates in question at hand here, let alone installed in some key store. Whenever I run your code, therefore, I'm likely to get a different (and obviously insufficient) output than you do.

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659569.html
[iText-questions] [SPAM] Re: LTV problem?
Eric,

Eric Chow wrote
> Do you mean the output PDF (signed PDF)? I attach it here. Please check!
>
> I tried to use iText-rups to show the document structure, but cannot see the DSS catalog.
>
> test_signed.pdf (295K) <http://itext-general.2136553.n4.nabble.com/attachment/4659570/0/test_signed.pdf>

That sample is somewhat irritating. I would have expected at least one additional revision after the original signed one but in your case the signed revision is the last one.

Thus, just to make sure, in your code

    LtvVerification v = stamper.getLtvVerification();
    AcroFields af = stamper.getAcroFields();
    for (String sigName : af.getSignatureNames()) {
        [...]
    }
    v.merge();

which PdfStamper stamper do you work on? Is it the PdfStamper you retrieved to create the signature with or is it a stamper you opened for the already signed file?

Using that code on the PdfStamper you create the original signature with won't work because the code adds validation related information for already existing signatures only.

If you used that code on a PdfStamper working on a PdfReader containing the PDF already containing the original signature, please post more of the code doing that...

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659572.html
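The second pass Michael asks about above (reopen the already signed file and add the validation information in a new revision), as an added example that is not code from the thread or from the iText project. It assumes iText 5 as used in the thread with Bouncy Castle on the classpath; the class name, the file paths, the no-argument OCSP/CRL clients and the choice of Level.OCSP_CRL are assumptions.

```java
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.CrlClient;
import com.itextpdf.text.pdf.security.CrlClientOnline;
import com.itextpdf.text.pdf.security.LtvVerification;
import com.itextpdf.text.pdf.security.OcspClient;
import com.itextpdf.text.pdf.security.OcspClientBouncyCastle;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

public class AddLtvSecondPass {

    /**
     * Opens an already signed PDF and appends validation information for every
     * signature it contains. Returns the names of signatures for which neither
     * an OCSP response nor a CRL could be collected.
     */
    public static List<String> addLtv(String signedPdf, String ltvPdf) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        List<String> nothingAdded = new ArrayList<String>();

        PdfReader reader = new PdfReader(signedPdf);      // the file that already holds the signature
        OutputStream out = new FileOutputStream(ltvPdf);
        try {
            // '\0' keeps the PDF version; 'true' selects append mode, so the signed
            // bytes stay untouched and the new data goes into an additional revision.
            PdfStamper stamper = new PdfStamper(reader, out, '\0', true);

            LtvVerification v = stamper.getLtvVerification();
            AcroFields af = stamper.getAcroFields();

            // Assumption: both clients take their URLs from the certificates themselves.
            OcspClient ocsp = new OcspClientBouncyCastle();
            CrlClient crl = new CrlClientOnline();

            for (String sigName : af.getSignatureNames()) {
                boolean added = v.addVerification(
                        sigName, ocsp, crl,
                        LtvVerification.CertificateOption.WHOLE_CHAIN,
                        LtvVerification.Level.OCSP_CRL,
                        LtvVerification.CertificateInclusion.YES);
                if (!added) {
                    nothingAdded.add(sigName);
                }
            }

            v.merge();        // explicit call kept from the thread's code
            stamper.close();  // writes the appended revision
        } finally {
            out.close();
            reader.close();
        }
        return nothingAdded;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths: args[0] = signed input, args[1] = output with validation data.
        List<String> nothingAdded = addLtv(args[0], args[1]);
        for (String name : nothingAdded) {
            System.err.println("No revocation information collected for signature " + name);
        }
    }
}
```

A signature missing from the returned list only means something was collected for its outer certificate chain. As Michael points out elsewhere in the thread, CRLs and time stamps inside the signature carry signatures of their own that this overload does not inspect.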
Re: [iText-questions] [SPAM] Re: LTV problem?
I used the PdfStamper to create the signature. This does not work, right?

I will try to open a signed PDF and try to add the verification again.

Thanks. I will post the results if there is any problem but need to wait until 26th.

Best regards,
Eric

On Wed, Dec 18, 2013 at 7:30 PM, mkl m...@wir-sind-cool.org wrote:
> [...]
[iText-questions] [SPAM] Re: LTV problem?
Eric,

Eric Chow wrote
> The certificate chain is available.

In that case can you supply a PDF resulting from your code calling addVerification?

Regards,
Michael

View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659566.html
Re: [iText-questions] [SPAM] Re: LTV problem?
    tsaClient = new TSAClientBouncyCastle(TSA_URL, TSA_ACCNT, TSA_PASSW, 6500, sha256);

    // Add validation information for every signature field in the document
    LtvVerification v = stamper.getLtvVerification();
    AcroFields af = stamper.getAcroFields();
    for (String sigName : af.getSignatureNames()) {
        v.addVerification(
            sigName,
            ocspClient,
            new CrlClientOnline(chain),
            LtvVerification.CertificateOption.WHOLE_CHAIN,  // every certificate in the chain, not only the signer
            LtvVerification.Level.OCSP,                     // request OCSP responses only at this level
            LtvVerification.CertificateInclusion.YES);      // also embed the certificates themselves
    }
    v.merge();

Regards,
Eric

On Wed, Dec 18, 2013 at 3:45 AM, mkl m...@wir-sind-cool.org wrote:
> Eric,
>
> Eric Chow wrote
> > The certificate chain is available.
>
> In that case can you supply a PDF resulting from your code calling addVerification?
>
> Regards, Michael
[iText-questions] [SPAM] Re: LTV problem?
Eric,

Eric Chow wrote
> As you can see I already added the OcspClient and CrlClientOnline to the verification, what else do I need to add?

Do the certificates in question contain the information required for easy OCSP/CRL access? AIA and CRL distribution point?

Is the certificate chain available when adding the validation information?

You might want to post a sample PDF with added validation information for inspection.

Regards,
Michael

--
View this message in context: http://itext-general.2136553.n4.nabble.com/LTV-problem-tp4659550p4659561.html
Sent from the iText - General mailing list archive at Nabble.com.
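The checks Michael asks about (an OCSP URL in the AIA extension, a CRL distribution point, and a complete chain) can be run on the signing chain before calling addVerification. The following is an added example, not code from the thread or from iText's own samples; it uses iText 5's CertificateUtil helpers, and the class name, the report method and the keystore path, password and alias arguments are assumptions.

```java
import com.itextpdf.text.pdf.security.CertificateUtil;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example (not from the thread): lists the revocation pointers of a signing chain.
public class RevocationPointerCheck {

    // True when the chain ends in a self-issued certificate and every issued
    // certificate names an OCSP responder (AIA) or a CRL distribution point.
    static boolean report(Certificate[] chain) throws Exception {
        boolean ok = true;
        X509Certificate last = null;
        for (Certificate c : chain) {
            X509Certificate cert = (X509Certificate) c;
            last = cert;
            boolean selfIssued = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            String ocspUrl = CertificateUtil.getOCSPURL(cert); // null when no AIA OCSP entry
            String crlUrl = CertificateUtil.getCRLURL(cert);   // null when no distribution point
            System.out.println(cert.getSubjectX500Principal().getName());
            System.out.println("  self-issued: " + selfIssued);
            System.out.println("  OCSP (AIA):  " + ocspUrl);
            System.out.println("  CRL (CDP):   " + crlUrl);
            if (!selfIssued && ocspUrl == null && crlUrl == null) {
                System.out.println("  -> no revocation source named in this certificate");
                ok = false;
            }
        }
        if (last == null || !last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            System.out.println("Chain does not end in a self-issued certificate: issuer(s) missing");
            ok = false;
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: keystore path, keystore password, key alias.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate[] chain = ks.getCertificateChain(args[2]);
        if (chain == null) {
            throw new IllegalStateException("no certificate chain under alias " + args[2]);
        }
        System.out.println(report(chain) ? "Revocation pointers present for the whole chain."
                                         : "Chain is incomplete or lacks revocation pointers; see above.");
    }
}
```

A self-issued certificate with no pointers is not flagged, which matches the explanation earlier in the thread of why a keytool-generated certificate shows as LTV-enabled without any revocation data.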