Re: Enabling LTV (Long Term Validation) for a signed PDF

Tilman Hausherr Tue, 23 Jun 2020 21:25:02 -0700

Hi,

I don't know if this is possible. My understanding would be "no". Youshould ask this on stackoverflow too.

Adding LTV before signing - I have some doubt too, because you would getthe revocation list / the OCSP response before doing the signing. Intheory, a certificate could be revoked in the meantime. So this doesn'tfeel right.


Tilman

Am 24.06.2020 um 05:24 schrieb Chris Parton:

I have one more question. Completely understand if you've got more important 
things to do though :)

Adding LTV to my PDF invalidates my certificate when the MDP permission is set 
to 1 (no changes permitted).

At the moment I'm signing the PDF using CreateSignature, then adding LTV in a 
separate run of AddValidationInformation. My hunch is that the double-saving of 
the PDF is causing the issue.

If you have any thoughts they would be appreciated. In the meanwhile I'll be 
trying to sign and add LTV before saving the PDF.

If it's any use, I've uploaded unsigned, signed, and LTV signed PDFs to this 
public Drive folder: 
https://drive.google.com/drive/folders/15uY98ZJYDnpJCtjf2LTheFg4Zu75BBIY?usp=sharing.
 signed_with_ltv.pdf is the problematic file.

Thanks,
Chris

On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote:

Another problem is that the "highest" certificate does not have an URL
to download the root. So I can't get that one.

A solution would be that you change the code so that you keep a set of
certificates that you trust and look there when one is missing.

Tilman

Am 23.06.2020 um 19:00 schrieb Tilman Hausherr:

Hi,

Yeah, the log output is confusing, I'll improve it slightly to output
what it was searching for. I ran ShowSignature and it's the root
certificate that is missing in the chain.

Tilman

Am 23.06.2020 um 14:59 schrieb Chris Parton:

Hi all, I'm trying to use the example AddValidationInformation[1]
class to add LTV to an existing signed PDF. I've tried with a signed
PDF of my own, and a sample GlobalSign[2] PDF.

In both cases, I get the same error, and a 0kb PDF generated. Logs[4]
are at the bottom of this post.

Steps to reproduce:
   1. git clone g...@github.com:apache/pdfbox.git
   2. cd pdfbox/examples
   3. mvn clean install
   4. Open pdfbox project in IntelliJ
   5. Run AddValidationInformation class, with the downloaded
GlobalSign pdf as a program argument

The GlobalSign PDF has LTV enabled already, but I get the same error
on my own document which doesn't have LTV. For my own document, I can
enable LTV via Adobe Acrobat's UI[3], which makes me think the
document itself is fine.

Can anybody shed some light on why this might be happening? The
recursive traverseChain() method seems to spin until it hits the end
of the certificate chain, and continues to look for an issuer cert.

Thanks so much, I appreciate your help! Let me know if you need any
more information and I'll do my best to provide it.

[1]
https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java

[2]
https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf

[3]
https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable

[4] App logs
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
INFO: Get alternative issuer certificate from:
http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
INFO: Get alternative issuer certificate from:
http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
SEVERE: Error getting alternative issuer certificate from
http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
java.io.IOException: No Issuer Certificate found for Cert:
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)

Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
AATL, O=GlobalSign nv-sa, C=BE
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
SEVERE: Error getting alternative issuer certificate from
http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
java.io.IOException: No Issuer Certificate found for Cert:
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)

Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert:
EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO
GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US
CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
AATL, O=GlobalSign nv-sa, C=BE
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Exception in thread "main" java.io.IOException: No Issuer Certificate
found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign
nv-sa, C=BE
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
     at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
     at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org

Re: Enabling LTV (Long Term Validation) for a signed PDF

Reply via email to