Reputation: 192
PDF Signature with timestamping from TSA
We are trying to embed Timestamp signature as a unsigned attribute in CMS format but after stamping signature in PDF, PDF viewer giving the signature includes an embeded timestamp but it is invalid message.
We have used internal TSA service (self sigined) TSA and bouncy castle API for crypto and signing operations. But don't know what is happening with timestamp. Could anyone know what is wrong I am doing.
hello_signed.pdf Also added Java code base and signed pdf sample for reference.
Any help would be appreciated.
Upvotes: 3
Views: 2053
Answers (3)
Reputation: 192
AS per TSA RFC 3161, The purpose of the tsa field is to give a hint in identifying the name of the TSA. If present, it MUST correspond to one of the subject names included in the certificate that is to be used to verify the token. However, the actual identification of the entity that signed the response will always occur through the use of the certificate identifier (ESSCertID Attribute) inside a SigningCertificate attribute which is part of the signerInfo (See Section 5 of [ESS]).
for this issue TSA needs to construct tsa GeneralName attribute in a following way. Made below changes in source. Construct tsa with TSA certificate SubjectDN
Not Working
GeneralName gn = new GeneralName(GeneralName.directoryName, new X500Name(cacert.getSubjectX500Principal().getName()));
Working Code
X500Name iss = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded()); GeneralName gn = new GeneralName(GeneralName.directoryName, iss); tkg.setTSA(gn);
Upvotes: 1
Reputation: 96064
There is an issue in the TSTInfo structure, its tsa member is
C = IN,S = MH,L = NSDL,O = NSDL,OU = NSDL,CN = NSDL,E = [email protected]
but your TSA certificate has the inverse subject
E = [email protected],CN = NSDL,OU = NSDL,O = NSDL,L = NSDL,S = MH,C = IN
According to RFC 3161, the purpose of the tsa field is to give a hint in identifying the name of the TSA. If present, it MUST correspond to one of the subject names included in the certificate that is to be used to verify the token.
Thus, an attentive validator cannot use the certificate you supplied for verifying the time stamp.
I don't know whether that's the only issue but it's definitively a show-stopper.
Upvotes: 4
Reputation: 181
This means Acrobat cannot find the certificate used to create the timestamp. Looking at the ASN.1 decode for your PDF signature CMS, it looks like you haven't requested the Timestamp Authority's certificate in the request (search for timeStampToken to take you to the appropriate section of the CMS). In Bouncy Castle this is achieved by calling SetCertReq(true) on the TimeStampRequestGenerator instance as follows:
TimeStampRequestGenerator reqGenerator = new TimeStampRequestGenerator();
// Request the server to also include the signing certificate:
reqGenerator.SetCertReq(true);
When this is set the Timestamping Authority will include the certificate, or more usually the timestamping certificate and its chain, as signed attribute(s) in the SignedCms of the actual timestamp.
To confirm that the certificate is included in the response you can write the timestamping authority's response to a text file as a hex string and decode it using this website https://lapo.it/asn1js/.
Upvotes: 2
Related Questions
- Can you add a timestamped no-tamper-proof to a PDF without "signing" it?
- Steps to include timestamp in PDF signature
- Embedded timestamp could not be verified for certain TSA
- How to add Timestamp attribute to certification detail when signing pdf file
- Digital Signature With TSA Timestamping adding certificates in chain in TSA response PDF Box giving error “not enough space to write signature”
- VRI for Signature TimeStamp
- PDFBox 1.8 - Signing PDF Document using TSA (Time Stamp Autority)
- Digitally Sign and timestamp a PDF in java
- Adding signature timestamp on existing PDF signature
- Offline PDF timestamping using iText