Hello again, I came up with a situation which is not a bug; instead it's a kind of question for the professionals like you: I have a certificate issued by Comodo, and it has 3 upper-level certificates up to the root (total of 4 certs with mine included). I installed the certificate in the Windows Cert Store (personal store). When I digitally sign a PDF with iText using the certificate from the store (exported with the .NET function X509Certificate2.Export), the Acrobat Pro on my computer can open it and validates the signatures OK. If I copy that PDF to another computer, Acrobat says it cannot validate the signature, which is fine since I didn't install the Comodo cert there. BUT, if I export the certificate as a PFX file from the Windows Store (using MMC and the export wizard), select the option to create a PFX file AND include the whole chain, and use that PFX to sign the PDF file, Adobe can verify it on OTHER computers without the certificate being installed locally (the PFX has the whole chain and that's what Adobe seems to check).

Now, these are the questions:

1) I've noticed that opening the 2nd PDF (signed with the PFX) takes much longer than the first (signed with the exported cert). I guess Adobe verifies the chain, and that's the source of the opening lag. So, what is the recommended approach when signing PDF documents? To install the certificate on the target computers, or to embed the whole chain into the PDF? I know it's a trade-off (speed vs. practicality), but my question points to what the world/ISO/enterprises or experience recommend.

2) Why can't the PKCS12Store class (from BouncyCastle) build the whole chain when using an exported certificate from the store? If I use the BC classes like this:

    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using Org.BouncyCastle.Pkcs;
    // cert is the .NET X509Certificate2 taken from the Windows personal store
    byte[] certbytes = cert.Export(X509ContentType.Pkcs12, "password");
    Stream fs = new MemoryStream(certbytes);
    Pkcs12Store pk12 = new Pkcs12Store(fs, "password".ToCharArray());
    // alias of the entry that carries the private key
    string alias = null;
    foreach (string a in pk12.Aliases)
        if (pk12.IsKeyEntry(a)) { alias = a; break; }
    X509CertificateEntry[] ce = pk12.GetCertificateChain(alias); // this builds an array of just 1 element instead of 4
    Org.BouncyCastle.X509.X509Certificate[] chain = new Org.BouncyCastle.X509.X509Certificate[ce.Length];
    for (int k = 0; k < ce.Length; ++k)
        chain[k] = ce[k].Certificate; // only MY certificate is added, not the parents

That was NOT a criticism but a technical question, since when I use Windows Store exported certificates, I must build the chain myself using the .NET classes (like X509Chain.Create + X509Chain.Build and then convert the certificates to BC certificates). In case you wonder why I need the whole chain, I've seen that for the OCSP response to be included in the signature, there must be at least 2 certificates in the chain. Maybe I'm missing something... Thanks for your time, suggestions and answers.

Regards,
Alex
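The chain-building step the post describes (X509Chain.Create + X509Chain.Build on the store certificate, then converting each element to a BouncyCastle certificate), written out as an added C# example. This is not code from the original post, from iText or from BouncyCastle; the class name ChainBuilder, the method BuildBcChain, the checkRevocation parameter and the thumbprint placeholder are assumptions made for the example. It refuses to return a chain that Windows cannot complete or trust, so an untrusted or one-element chain is reported instead of being embedded in the signature.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.X509;

// Added example (not from the original post, iText or BouncyCastle).
// Builds the complete chain (signer -> intermediates -> root) for a certificate
// held in the Windows store and converts it to BouncyCastle X509Certificate objects.
public static class ChainBuilder
{
    // Returns the chain ordered leaf first, root last (the order X509Chain produces).
    public static X509Certificate[] BuildBcChain(X509Certificate2 signer, bool checkRevocation)
    {
        X509Chain chain = X509Chain.Create();
        try
        {
            // Revocation checking needs network access to the CA's CRL/OCSP endpoints.
            // With NoCheck the chain structure is still validated (signatures, validity
            // period, trust anchor); revocation must then be handled elsewhere, e.g. by
            // the OCSP client used at signing time.
            chain.ChainPolicy.RevocationMode =
                checkRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

            if (!chain.Build(signer))
            {
                // Report every problem Windows found (untrusted root, expired cert,
                // revoked, unknown revocation status, ...) instead of embedding a
                // chain that verifiers on other machines would reject anyway.
                string reasons = string.Join("; ",
                    chain.ChainStatus.Select(s => s.Status + ": " + s.StatusInformation.Trim()));
                throw new InvalidOperationException(
                    "Chain for '" + signer.Subject + "' could not be built: " + reasons);
            }

            // A CA-issued certificate must come back with at least its issuer; a single
            // element means no issuer was found (or the certificate is self-signed).
            if (chain.ChainElements.Count < 2)
                throw new InvalidOperationException(
                    "Chain contains only the signer certificate; no issuer certificate was found.");

            // Convert each .NET element to a BouncyCastle certificate via its DER encoding.
            X509CertificateParser parser = new X509CertificateParser();
            X509Certificate[] result = new X509Certificate[chain.ChainElements.Count];
            for (int i = 0; i < chain.ChainElements.Count; i++)
                result[i] = parser.ReadCertificate(chain.ChainElements[i].Certificate.RawData);
            return result;
        }
        finally
        {
            chain.Reset();
        }
    }

    // Example use: pick the signing certificate from the current user's personal store
    // by thumbprint (placeholder value, replace with the real one).
    public static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindByThumbprint, "REPLACE_WITH_SIGNER_THUMBPRINT", false);
        store.Close();
        if (found.Count == 0)
            throw new InvalidOperationException("Signer certificate not found in the personal store.");

        X509Certificate[] bcChain = BuildBcChain(found[0], checkRevocation: false);
        for (int i = 0; i < bcChain.Length; i++)
            Console.WriteLine(i + ": " + bcChain[i].SubjectDN + " (issued by " + bcChain[i].IssuerDN + ")");
        // bcChain, together with the private key, is what the iText signing call receives.
    }
}
```

X509Chain only succeeds when every issuer up to a root that Windows trusts is available locally or fetched via the certificate's AIA extension, so a failed Build on the signing machine is the same condition Acrobat reports on a machine where the Comodo chain is not installed; the exception message lists the exact status flags so the missing intermediate or trust anchor can be identified before any PDF is signed.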
_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions
iText(R) is a registered trademark of 1T3XT BVBA.
Many questions posted to this list can (and will) be answered with a reference
to the iText book: http://www.itextpdf.com/book/
Please check the keywords list before you ask for examples:
http://itextpdf.com/themes/keywords.php