Hi Tilman,

Thanks for your insight. In CertInformationCollector#traverseChain, I check for 
a missing certInfo.issuerUrl and populate it with 
"http://secure.globalsign.com/cacert/root-r3.crt", which did the trick. (For 
anyone else who comes across this thread, you will need to use the URL for the 
issuer of the highest certificate in your PDF.)

I don't think I would have figured this out without your help; I really 
appreciate you taking the time.

The code now looks like this:
// The highest certificate in the PDF carries no issuer URL, so supply one.
if (certInfo.issuerUrl == null) {
    certInfo.issuerUrl = "http://secure.globalsign.com/cacert/root-r3.crt";
}
getAlternativeIssuerCertificate(certInfo, maxDepth);

On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote: 
> Another problem is that the "highest" certificate does not have a URL 
> to download the root. So I can't get that one.
> 
> A solution would be that you change the code so that you keep a set of 
> certificates that you trust and look there when one is missing.
> 
> Tilman
> 
> Am 23.06.2020 um 19:00 schrieb Tilman Hausherr:
> > Hi,
> >
> > Yeah, the log output is confusing, I'll improve it slightly to output 
> > what it was searching for. I ran ShowSignature and it's the root 
> > certificate that is missing in the chain.
> >
> > Tilman
> >
> > Am 23.06.2020 um 14:59 schrieb Chris Parton:
> >> Hi all, I'm trying to use the example AddValidationInformation[1] 
> >> class to add LTV to an existing signed PDF. I've tried with a signed 
> >> PDF of my own, and a sample GlobalSign[2] PDF.
> >>
> >> In both cases, I get the same error, and a 0kb PDF generated. Logs[4] 
> >> are at the bottom of this post.
> >>
> >> Steps to reproduce:
> >>   1. git clone g...@github.com:apache/pdfbox.git
> >>   2. cd pdfbox/examples
> >>   3. mvn clean install
> >>   4. Open pdfbox project in IntelliJ
> >>   5. Run AddValidationInformation class, with the downloaded 
> >> GlobalSign pdf as a program argument
> >>
> >> The GlobalSign PDF has LTV enabled already, but I get the same error 
> >> on my own document which doesn't have LTV. For my own document, I can 
> >> enable LTV via Adobe Acrobat's UI[3], which makes me think the 
> >> document itself is fine.
> >>
> >> Can anybody shed some light on why this might be happening? The 
> >> recursive traverseChain() method seems to spin until it hits the end 
> >> of the certificate chain, and continues to look for an issuer cert.
> >>
> >> Thanks so much, I appreciate your help! Let me know if you need any 
> >> more information and I'll do my best to provide it.
> >>
> >> [1] 
> >> https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
> >>
> >> [2] 
> >> https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf
> >>
> >> [3] 
> >> https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable
> >>
> >> [4] App logs
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> getAlternativeIssuerCertificate
> >> INFO: Get alternative issuer certificate from: 
> >> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> getAlternativeIssuerCertificate
> >> INFO: Get alternative issuer certificate from: 
> >> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> getAlternativeIssuerCertificate
> >> SEVERE: Error getting alternative issuer certificate from 
> >> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
> >> java.io.IOException: No Issuer Certificate found for Cert: 
> >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> traverseChain
> >> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for 
> >> AATL, O=GlobalSign nv-sa, C=BE
> >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> getAlternativeIssuerCertificate
> >> SEVERE: Error getting alternative issuer certificate from 
> >> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
> >> java.io.IOException: No Issuer Certificate found for Cert: 
> >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> traverseChain
> >> INFO: Found the right Issuer Cert! for Cert: 
> >> EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO 
> >> GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US
> >> CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE
> >> Jun. 23, 2020 10:51:19 PM 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector 
> >> traverseChain
> >> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for 
> >> AATL, O=GlobalSign nv-sa, C=BE
> >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
> >> Exception in thread "main" java.io.IOException: No Issuer Certificate 
> >> found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign 
> >> nv-sa, C=BE
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
> >>     at 
> >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
> >> For additional commands, e-mail: users-h...@pdfbox.apache.org
> >>
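
The alternative Tilman suggests in the thread, a set of trusted certificates consulted when an issuer is missing, sketched as an added example that is not code from the thread or from PDFBox. The class name TrustedIssuerLookup and the keystore file are assumptions; the store is assumed to hold root certificates that were verified out of band.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Hypothetical helper (not part of PDFBox): resolves issuers from a local trust store. */
public final class TrustedIssuerLookup {
    private final List<X509Certificate> trusted = new ArrayList<>();

    /** Assumption: storePath is a keystore of roots the operator has verified out of band. */
    public TrustedIssuerLookup(String storePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            store.load(in, password);
        }
        for (String alias : Collections.list(store.aliases())) {
            Certificate c = store.getCertificate(alias);
            if (store.isCertificateEntry(alias) && c instanceof X509Certificate) {
                trusted.add((X509Certificate) c);
            }
        }
    }

    /** Returns the trusted certificate that signed cert, or null if there is none. */
    public X509Certificate findIssuer(X509Certificate cert) {
        for (X509Certificate candidate : trusted) {
            // A matching subject DN alone proves nothing; the signature must verify too.
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(candidate.getPublicKey());
                return candidate;
            } catch (GeneralSecurityException e) {
                // Same name but a different key: keep looking.
            }
        }
        return null;
    }
}
```

A caller would consult findIssuer at the point where no issuer URL is available and treat a null result as an incomplete chain, so the root never has to be fetched over plain HTTP.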
