[
https://issues.apache.org/jira/browse/PDFBOX-2776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17220875#comment-17220875
]
Michael Klink commented on PDFBOX-2776:
---------------------------------------
{quote}And at least in the old iText2.1.7 this is not that hard{quote}
This is both right and wrong.
Yes, iText (v2.1.7, v5.x, v7.x) supports adding revocation information to
Adobe's Revocation Information signed attribute. That is no magic, though; you
can easily do something similar in PDFBox using BouncyCastle classes.
But no, this is impossible in a number of use cases, in particular there are
many signing services nowadays which just-in-time, while processing a signature
request, create a short-term certificate only for this signature. As you don't
know the signer certificate before signing, you cannot retrieve revocation
information for it in time to consider them when building the signed attributes.
Also PDFBox surely shall cover not only the proprietary Adobe profile "LTV
enabled" but in particular also the PAdES profiles. And non-legacy PAdES
signatures (in particular the nowadays commonly required PAdES Baseline
signatures) *require* that revocation information is added in a revision after
the signed revision, so incremental updates are needed.
> support "Long Term Validation" signature extensions (LTV)
> ---------------------------------------------------------
>
> Key: PDFBOX-2776
> URL: https://issues.apache.org/jira/browse/PDFBOX-2776
> Project: PDFBox
> Issue Type: Improvement
> Components: Signing
> Affects Versions: 2.0.0
> Reporter: Ralf Hauser
> Priority: Major
> Fix For: 3.0.0 PDFBox
>
> Attachments: certified_368835_Sig_de_201026171017_LTV.pdf,
> nonSigPdf-sig1.pdf, notCertified_368835_Sig_en_201026090509.pdf,
> notCertified_368835_Sig_en_201026090509_report.png
>
>
> in recent acrobat readers, every signature is commented w.r.t. "LTV"
> ETSI TS 102 778-4 V1.1.2 (2009-12) Technical Specification
> referenced as part 4 in
> http://en.wikipedia.org/wiki/PAdES
> It would be great if pdf signatures created with PDFBox would assist in
> creating those.
> Target test setup:
> 1) input of an unsigned PDF-1.5 document
> 2) signature with
> a) local key pair
> b) hsm
> c) remote signature service (e.g. via soap)
> 3) add ocsp response for LTV (crls typically are larger)
> ==> Result: signed pdf where acrobat reader claims it to be "LTV enabled"
> see also PDFBOX-1848
> more in
> http://stackoverflow.com/questions/26090558/ltv-enabled-signature-in-pdf
--
This message was sent by Atlassian Jira
(v8.3.4#803005)