Hi,
That file is not LTV enabled.
I had a look into the bachelor thesis of Alexis Suter (who contributed
most of the validation code). He mentions that the CRLs or OCSP
responses could be put into the signed attributes, and that he abandoned
this strategy because of the intention of "late validation".
Adobe mentions this too: "Since revocation information is a signed
attribute, it must be obtained before the computation of the digital
signature."
Maybe the thing mentioned in that stackoverflow question is that.
I'm thinking of putting at least a warning or an error into the
AddValidation example re: certification.
Tilman
On 24.06.2020 at 08:18, Chris Parton wrote:
The GlobalSign PDF at
https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf
has LTV with no changes permitted, so it must be possible somehow.
I did some deeper digging on Stack Overflow and found
https://stackoverflow.com/questions/38856382/ltv-of-certifying-signatures, which states it's
possible to enable LTV by "Embedding the crl bytes & ocsp response in the signature
at signing time".
I'll look more closely at this before posting my own question. Thanks!
On 2020/06/24 04:24:25, Tilman Hausherr <thaush...@t-online.de> wrote:
Hi,
I don't know if this is possible. My understanding would be "no". You
should ask this on stackoverflow too.
Adding LTV before signing - I have some doubt too, because you would get
the revocation list / the OCSP response before doing the signing. In
theory, a certificate could be revoked in the meantime. So this doesn't
feel right.
Tilman
On 24.06.2020 at 05:24, Chris Parton wrote:
I have one more question. Completely understand if you've got more important
things to do though :)
Adding LTV to my PDF invalidates my certificate when the MDP permission is set
to 1 (no changes permitted).
At the moment I'm signing the PDF using CreateSignature, then adding LTV in a
separate run of AddValidationInformation. My hunch is that the double-saving of
the PDF is causing the issue.
If you have any thoughts they would be appreciated. In the meantime I'll be
trying to sign and add LTV before saving the PDF.
If it's any use, I've uploaded unsigned, signed, and LTV signed PDFs to this
public Drive folder:
https://drive.google.com/drive/folders/15uY98ZJYDnpJCtjf2LTheFg4Zu75BBIY?usp=sharing.
signed_with_ltv.pdf is the problematic file.
Thanks,
Chris
On 2020/06/23 18:04:19, Tilman Hausherr <thaush...@t-online.de> wrote:
Another problem is that the "highest" certificate does not have a URL
to download the root. So I can't get that one.
A solution would be that you change the code so that you keep a set of
certificates that you trust and look there when one is missing.
Tilman
On 23.06.2020 at 19:00, Tilman Hausherr wrote:
Hi,
Yeah, the log output is confusing, I'll improve it slightly to output
what it was searching for. I ran ShowSignature and it's the root
certificate that is missing in the chain.
Tilman
On 23.06.2020 at 14:59, Chris Parton wrote:
Hi all, I'm trying to use the example AddValidationInformation[1]
class to add LTV to an existing signed PDF. I've tried with a signed
PDF of my own, and a sample GlobalSign[2] PDF.
In both cases, I get the same error, and a 0kb PDF generated. Logs[4]
are at the bottom of this post.
Steps to reproduce:
1. git clone g...@github.com:apache/pdfbox.git
2. cd pdfbox/examples
3. mvn clean install
4. Open pdfbox project in IntelliJ
5. Run AddValidationInformation class, with the downloaded
GlobalSign pdf as a program argument
The GlobalSign PDF has LTV enabled already, but I get the same error
on my own document which doesn't have LTV. For my own document, I can
enable LTV via Adobe Acrobat's UI[3], which makes me think the
document itself is fine.
Can anybody shed some light on why this might be happening? The
recursive traverseChain() method seems to spin until it hits the end
of the certificate chain, and continues to look for an issuer cert.
Thanks so much, I appreciate your help! Let me know if you need any
more information and I'll do my best to provide it.
[1]
https://github.com/apache/pdfbox/blob/2.0.20/examples/src/main/java/org/apache/pdfbox/examples/signature/validation/AddValidationInformation.java
[2]
https://storage.pardot.com/707663/57753/globalsign_parchment_digital_signatures_case_study.pdf
[3]
https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable
[4] App logs
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
INFO: Get alternative issuer certificate from:
http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
INFO: Get alternative issuer certificate from:
http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
SEVERE: Error getting alternative issuer certificate from
http://secure.globalsign.com/cacert/gsaatlsha2g2.crt
java.io.IOException: No Issuer Certificate found for Cert:
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
AATL, O=GlobalSign nv-sa, C=BE
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
getAlternativeIssuerCertificate
SEVERE: Error getting alternative issuer certificate from
http://secure.globalsign.com/cacert/gsaatl2sha2g2.crt
java.io.IOException: No Issuer Certificate found for Cert:
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getAlternativeIssuerCertificate(CertInformationCollector.java:291)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:211)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert:
EMAILADDRESS=market...@globalsign.com, CN=Marketing, O="GMO
GlobalSign, Inc.", L=Portsmouth, ST=New Hampshire, C=US
CN=GlobalSign CA 2 for AATL, O=GlobalSign nv-sa, C=BE
Jun. 23, 2020 10:51:19 PM
org.apache.pdfbox.examples.signature.validation.CertInformationCollector
traverseChain
INFO: Found the right Issuer Cert! for Cert: CN=GlobalSign CA 2 for
AATL, O=GlobalSign nv-sa, C=BE
CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign nv-sa, C=BE
Exception in thread "main" java.io.IOException: No Issuer Certificate
found for Cert: CN=GlobalSign CA for AATL - SHA256 - G2, O=GlobalSign
nv-sa, C=BE
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:257)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.traverseChain(CertInformationCollector.java:250)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.processSignerStore(CertInformationCollector.java:182)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getCertInfo(CertInformationCollector.java:109)
at
org.apache.pdfbox.examples.signature.validation.CertInformationCollector.getLastCertInfo(CertInformationCollector.java:87)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.doValidation(AddValidationInformation.java:130)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.validateSignature(AddValidationInformation.java:108)
at
org.apache.pdfbox.examples.signature.validation.AddValidationInformation.main(AddValidationInformation.java:588)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: users-h...@pdfbox.apache.org
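
The fallback suggested in the thread (keep a set of trusted certificates and look there when an issuer is missing), as an added example that is not part of the original messages or of PDFBox's own code. The class and method names are hypothetical, and the JVM default trust store stands in for the trusted set.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.stream.Stream;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class TrustedIssuerLookup { // hypothetical class, not from PDFBox
    // Assumption: the JVM default trust store plays the role of "certificates that you trust".
    static Set<X509Certificate> loadTrusted() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        Set<X509Certificate> trusted = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                trusted.addAll(Arrays.asList(((X509TrustManager) tm).getAcceptedIssuers()));
        return trusted;
    }
    // A matching issuer name is not enough: the candidate's key must verify the signature.
    static boolean isIssuedBy(X509Certificate cert, X509Certificate candidate) {
        if (!cert.getIssuerX500Principal().equals(candidate.getSubjectX500Principal())) return false;
        try { cert.verify(candidate.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }
    // Walks upward from the leaf. Certificates from the PDF or from issuer downloads are tried
    // first, the trusted set is the fallback. The chain is returned only if it ends in the trusted set.
    static List<X509Certificate> buildChain(X509Certificate leaf, Collection<X509Certificate> untrusted, Set<X509Certificate> trusted) throws GeneralSecurityException {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (true) {
            if (chain.contains(current)) throw new GeneralSecurityException("Loop in chain");
            chain.add(current);
            if (trusted.contains(current)) return chain; // reached a trusted certificate: stop here
            if (isIssuedBy(current, current)) // self-signed, but nobody vouches for it
                throw new GeneralSecurityException("Untrusted root: " + current.getSubjectX500Principal());
            final X509Certificate c = current;
            current = Stream.concat(untrusted.stream(), trusted.stream())
                .filter(i -> isIssuedBy(c, i)).findFirst()
                .orElseThrow(() -> new GeneralSecurityException("No issuer for " + c.getSubjectX500Principal()));
        }
    }
    public static void main(String[] args) throws Exception {
        Set<X509Certificate> trusted = loadTrusted();
        X509Certificate anchor = trusted.iterator().next(); // stand-in for the top CA of a real chain
        System.out.println(buildChain(anchor, Collections.emptyList(), trusted).size() + " cert(s), ends at " + anchor.getSubjectX500Principal());
    }
}
```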