I have one more question. Completely understand if you've got more important things to do though :)
Adding LTV to my PDF invalidates my certificate when the MDP permission is set to 1 (no changes permitted). At the moment I'm signing the PDF using CreateSignature, then adding LTV in a separate run of AddValidationInformation. My hunch is that the double-saving of the PDF is causing the issue. If you have any thoughts they would be appreciated. In the meanwhile I'll be trying to sign and add LTV before saving the PDF. If it's any use, I've uploaded unsigned, signed, and LTV signed PDFs to this public Drive folder: https://drive.google.com/drive/folders/15uY98ZJYDnpJCtjf2LTheFg4Zu75BBIY?usp=sharing. signed_with_ltv.pdf is the problematic file. Thanks, Chris On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote: > Another problem is that the "highest" certificate does not have an URL > to download the root. So I can't get that one. > > A solution would be that you change the code so that you keep a set of > certificates that you trust and look there when one is missing. > > Tilman > > Am 23.06.2020 um 19:00 schrieb Tilman Hausherr: > > Hi, > > > > Yeah, the log output is confusing, I'll improve it slightly to output > > what it was searching for. I ran ShowSignature and it's the root > > certificate that is missing in the chain. > > > > Tilman > > > > Am 23.06.2020 um 14:59 schrieb Chris Parton: > >> Hi all, I'm trying to use the example AddValidationInformation[1] > >> class to add LTV to an existing signed PDF. I've tried with a signed > >> PDF of my own, and a sample GlobalSign[2] PDF. > >> > >> In both cases, I get the same error, and a 0kb PDF generated. Logs[4] > >> are at the bottom of this post. > >> > >> Steps to reproduce: > >> 1. git clone g...@github.com:apache/pdfbox.git > >> 2. cd pdfbox/examples > >> 3. mvn clean install > >> 4. Open pdfbox project in IntelliJ > >> 5. Run AddValidationInformation class, with the downloaded > >> GlobalSign pdf as a program argument > >> > >> The GlobalSign PDF has LTV enabled already, but I get the same error > >> on my own document which doesn't have LTV. For my own document, I can > >> enable LTV via Adobe Acrobat's UI[3], which makes me think the > >> document itself is fine. > >> > >> Can anybody shed some light on why this might be happening? The > >> recursive traverseChain() method seems to spin until it hits the end > >> of the certificate chain, and continues to look for an issuer cert. > >> > >> Thanks so much, I appreciate your help! Let me know if you need any > >> more information and I'll do my best to provide it. > >> > >> [1] > >> https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java > >> > >> [2] > >> https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf > >> > >> [3] > >> https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable > >> > >> [4] App logs > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> getAlternativeIssuerCertificate > >> INFO: Get alternative issuer certificate from: > >> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> getAlternativeIssuerCertificate > >> INFO: Get alternative issuer certificate from: > >> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> getAlternativeIssuerCertificate > >> SEVERE: Error getting alternative issuer certificate from > >> http://secure.globalsign.com/cacert/gsaatlsha2g2.crt > >> java.io.IOException: No Issuer Certificate found for Cert: > >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588) > >> > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> traverseChain > >> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for > >> AATL, O=GlobalSign nv-sa, C=BE > >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> getAlternativeIssuerCertificate > >> SEVERE: Error getting alternative issuer certificate from > >> http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt > >> java.io.IOException: No Issuer Certificate found for Cert: > >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588) > >> > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> traverseChain > >> INFO: Found the right Issuer Cert! for Cert: > >> EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO > >> GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US > >> CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE > >> Jun. 23, 2020 10:51:19 PM > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector > >> traverseChain > >> INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for > >> AATL, O=GlobalSign nv-sa, C=BE > >> CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE > >> Exception in thread "main" java.io.IOException: No Issuer Certificate > >> found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign > >> nv-sa, C=BE > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109) > >> at > >> org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108) > >> at > >> org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588) > >> > >> --------------------------------------------------------------------- > >> To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org > >> For additional commands, e-mail: users-h...@pdfbox.apache.org > >> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org > > For additional commands, e-mail: users-h...@pdfbox.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org > For additional commands, e-mail: users-h...@pdfbox.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org For additional commands, e-mail: users-h...@pdfbox.apache.org
