Hello Tilman,

In fact you're very right about CRL URLs...
I've noticed that class CertInformationHelper was constantly failing in method 
getCrlUrlFromExtensionValue, so I've updated it in order to make 
AddValidationInformation finish (sorry I forgot to mention it earlier).
Please take a look at my changes in the code of that method, marked with #XXXX PS 
20191101.

I've used FreeTSA (freetsa.org) as timestamp server, and since it is a free 
online TSA, it's possible that its response isn't proper.
However, I've used that TSA because I was constantly getting errors related to 
the validation of the timestamp certificate when I was using another TSA which was 
even paid (served by PKS, one of the registered national CAs).
That is probably another issue that might be addressed, but I'll write you more 
about it when I find a way to present you with test data.

        import java.io.IOException;
        import java.util.Enumeration;

        import org.bouncycastle.asn1.ASN1Sequence;
        import org.bouncycastle.asn1.DEROctetString;
        import org.bouncycastle.asn1.DERTaggedObject;
        import org.bouncycastle.asn1.DLSequence;
        import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

        /**
         * Gets the first CRL URL from given extension value. Structure has to be
         * built as in 4.2.1.14 CRL Distribution Points of RFC 2459.
         *
         * @param extensionValue to get the extension value from
         *
         * @return first CRL URL or null
         * @throws IOException when there is a problem with the extensionValue
         */
        protected static String getCrlUrlFromExtensionValue(byte[] extensionValue) throws IOException
        {
                // CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
                ASN1Sequence asn1Seq = (ASN1Sequence) JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
                Enumeration<?> objects = asn1Seq.getObjects();

                while (objects.hasMoreElements())
                {
                        // DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, ... }
                        DLSequence obj = (DLSequence) objects.nextElement();

                        DERTaggedObject derTagged = (DERTaggedObject) obj.getObjectAt(0);
                        // DistributionPointName ::= CHOICE { fullName [0] GeneralNames, ... }
                        derTagged = (DERTaggedObject) derTagged.getObject();

                        // #XXXX PS 20191101: Precaution in case it is not an instance of DERTaggedObject
                        // (it can be a DLSequence).
                        if (!(derTagged.getObject() instanceof DERTaggedObject))
                        {
                                System.out.println("CertInformationHelper.getCrlUrlFromExtensionValue: Skipped instance of '"
                                                + derTagged.getObject().getClass().getSimpleName() + "'.");
                                continue;
                        }
                        // GeneralName ::= CHOICE { ... uniformResourceIdentifier [6] IA5String, ... }
                        derTagged = (DERTaggedObject) derTagged.getObject();

                        if (!(derTagged.getObject() instanceof DEROctetString))
                        {
                                // happens with SampleSignedPDFDocument.pdf
                                continue;
                        }
                        DEROctetString uri = (DEROctetString) derTagged.getObject();
                        // IA5String content is plain ASCII
                        String url = new String(uri.getOctets(), java.nio.charset.StandardCharsets.US_ASCII);
                        // TODO Check for: DistributionPoint ::= SEQUENCE (see RFC 2459), multiples can be possible.

                        // return first http(s) URL for the CRL
                        if (url.startsWith("http"))
                        {
                                // #XXXX PS 20191101: Print out URL found.
                                System.out.println("CertInformationHelper.getCrlUrlFromExtensionValue: url = '" + url + "'.");
                                return url;
                        }
                }
                return null;
        }

Good night and best regards,
Predrag

-----Original Message-----
From: Tilman Hausherr [mailto:thaush...@t-online.de] 
Sent: Wednesday, November 13, 2019 9:54 PM
To: users@pdfbox.apache.org
Subject: Re: After adding validation information, Adobe Reader says Signature 
is not LTV enabled

On 13.11.2019 at 01:45, Predrag Stojković wrote:
>
> Hello all.
>
> I’m trying to use Apache PDFBox 2.0.17 to electronically sign some 
> documents, including LTV information.
>
> I have followed the examples provided in class CreateSignature to sign 
> the document, and in class AddValidationInformation to add LTV 
> information.
>
> After adding LTV information, the size of the PDF file is increased from 
> 230KB to 252KB, so additional information was indeed added.
>
> But, Adobe Reader in Signature panel still shows the label „Signature 
> is not LTV enabled...“.
>
> Can you please check the attached files and figure out what’s wrong?
>

I have been unable to verify the signature and to create an LTV with 
AddValidationInformation. The latter had an unimplemented part (several CRL 
URLs), so I wonder how it worked at all for you (I just fixed that)...

Signature verification didn't work because of a problem with the OCSP response 
for "EMAILADDRESS=busile...@gmail.com, CN=www.freetsa.org, OU=Root CA, O=Free 
TSA, L=Wuerzburg, ST=Bayern, C=DE" at http://www.freetsa.org:2560.

On my machine Adobe says nothing about LTV at all. Which is probably as bad.

I wonder if maybe the AddValidationInformation swallows the exception instead 
of failing. Or maybe OCSP isn't checked at all. More at a later time (must 
sleep now).

Tilman
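The "several CRL URLs" case Tilman mentions as unimplemented and the DLSequence that the #XXXX PS 20191101 check in Predrag's method skips are the same situation: a fullName that carries more than one GeneralName, which BouncyCastle's raw getObject() on the implicitly tagged [0] hands back as a sequence rather than a single tagged object. Walking the extension with BouncyCastle's typed CRLDistPoint / DistributionPoint / DistributionPointName / GeneralNames classes handles that case, and the nameRelativeToCRLIssuer and non-URI (e.g. LDAP or directoryName) cases, without any raw casts. The following is an added example, not code from this thread or from PDFBox; the class name, method names and sample URLs are constructed for the demonstration, and it assumes bcprov and bcpkix on the classpath.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.x509.CRLDistPoint;
import org.bouncycastle.asn1.x509.DistributionPoint;
import org.bouncycastle.asn1.x509.DistributionPointName;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

/** Added example (not PDFBox code): collect every http(s) CRL URL from a CRLDistributionPoints extension. */
public class CrlDistributionPointsExample
{
    /**
     * Returns all http(s) CRL URLs found in the extension value, in the order they appear,
     * so a caller can fall back to the next distribution point when one download fails.
     *
     * @param extensionValue the DER OCTET STRING as returned by X509Certificate.getExtensionValue()
     */
    public static List<String> getCrlUrlsFromExtensionValue(byte[] extensionValue) throws IOException
    {
        List<String> urls = new ArrayList<>();
        // unwraps the OCTET STRING and parses the inner CRLDistributionPoints SEQUENCE
        ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(extensionValue);
        CRLDistPoint crlDistPoint = CRLDistPoint.getInstance(parsed);

        for (DistributionPoint dp : crlDistPoint.getDistributionPoints())
        {
            DistributionPointName dpn = dp.getDistributionPoint();
            // distributionPoint is OPTIONAL, and the CHOICE may be nameRelativeToCRLIssuer instead of fullName
            if (dpn == null || dpn.getType() != DistributionPointName.FULL_NAME)
            {
                continue;
            }
            // fullName is GeneralNames: SEQUENCE OF GeneralName, possibly more than one
            GeneralNames fullName = GeneralNames.getInstance(dpn.getName());
            for (GeneralName name : fullName.getNames())
            {
                if (name.getTagNo() != GeneralName.uniformResourceIdentifier)
                {
                    continue; // directoryName, rfc822Name, etc. are not fetchable URLs
                }
                String url = DERIA5String.getInstance(name.getName()).getString();
                // ldap:// and other schemes are skipped; only http(s) is used for CRL download here
                if (url.startsWith("http://") || url.startsWith("https://"))
                {
                    urls.add(url);
                }
            }
        }
        return urls;
    }

    /** Builds a constructed extension value: one DP with two URIs, one DP with an LDAP URI only. */
    static byte[] buildSampleExtensionValue() throws IOException
    {
        DistributionPoint twoUrls = new DistributionPoint(
                new DistributionPointName(new GeneralNames(new GeneralName[] {
                        new GeneralName(GeneralName.uniformResourceIdentifier, "http://crl.example.test/ca.crl"),
                        new GeneralName(GeneralName.uniformResourceIdentifier, "http://crl2.example.test/ca.crl") })),
                null, null);
        DistributionPoint ldapOnly = new DistributionPoint(
                new DistributionPointName(new GeneralNames(
                        new GeneralName(GeneralName.uniformResourceIdentifier,
                                "ldap://ldap.example.test/cn=ca?certificateRevocationList"))),
                null, null);
        CRLDistPoint cdp = new CRLDistPoint(new DistributionPoint[] { twoUrls, ldapOnly });
        // X509Certificate.getExtensionValue() returns the DER-encoded OCTET STRING, so wrap the same way
        return new DEROctetString(cdp).getEncoded();
    }

    public static void main(String[] args) throws IOException
    {
        // prints the two http URLs; the LDAP-only distribution point yields nothing
        for (String url : getCrlUrlsFromExtensionValue(buildSampleExtensionValue()))
        {
            System.out.println(url);
        }
    }
}
```

The list is returned rather than the first match so that AddValidationInformation-style code can try the next URL when the first CRL server is unreachable, and the typed accessors avoid the ClassCastException that a one-URI-only cast chain raises on certificates with several distribution names.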



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
