Reputation: 125
Adobe Acrobat timestamp error
I'm testing an RFC 3161 Timestamp Server, and I'm using Foxit Reader, Xolido Sign Desktop and Adobe Acrobat Pro DC to timestamp PDFs. I can make timestamps ok with Foxit Reader and Xolido, but Adobe Acrobat returns "Error durante la firma. El nombre TSA no coincide" which is something like "Signature error. TSA name doesn't match". I have searched and TSA server name in Adobe config is whichever you want, I have tested exactly with the subject of the certificate, just the common name, etc. The server returns certificate subject as TSA name in Timestamp Response, but it seems to be ok. I have no clue why Adobe says it and Foxit and Xolido are ok.
I added a FoxitReader Screen after validate the timestamp.
Foxit Reader dialog says "Signature valid. Signed by TimestampTest. Document was not modified since it was signed. The signature is a document timestamp from secure time etc."
PDF timestamp example with Foxit Reader
Upvotes: 1
Views: 1682
Answers (1)
Reputation: 125
Well, I finally solved the problem. I found the same "tsa name mismatch" error using OpenSSL, and reading the OpenSSL source code I saw it was a local comparison between TSA name and certificate subject in the timestamp token. My server is using BouncyCastle, and when you create TSAName from X500 subject, because of "standard things", it reverses de Subject RDNs, (e.g. it swaps C=Foo, O=SomeOrg, etc), because TSA name is a GeneralName object and not an X500Name object.
I reverse the subject, then create the token TSA name and now both Openssl and Adobe validates ok.
In the server I have now:
tsTokenGen.setTSA(new GeneralName(reverseX500Name(new X500Name(tsuName))));
public static X500Name reverseX500Name(final X500Name name) {
RDN[] orig = name.getRDNs();
int n = orig.length;
RDN[] _new = new RDN[n];
for (int i = 0; i < n; i++) {
_new[i] = orig[n - 1 - i];
}
return new X500Name(_new);
}
OpenSSL equivalent error is INT_TS_RESP_VERIFY_TOKEN, and it can throw de error in ts_rsp_verify.c line 459 (line relative to OpenSSL version).
Upvotes: 1
Related Questions
- Steps to include timestamp in PDF signature
- Embedded timestamp could not be verified for certain TSA
- Adobe Reader shows embedded qualified timestamp could not be verified
- PDF signing with timestamp: certificate details does not appear in timestamp properties
- Signed pdf missing timestamp from timestamp server
- the signature includes en embedded timeStamp but it could not be verified
- PAdES Signature Attribute signingTime forbidden
- How to add time stamp with pdfbox and TimeStampToken
- Timestamp Validation in Adobe Reader / Acrobat fails: Document was changed or damaged
- Offline PDF timestamping using iText