blinkbink

Reputation: 107

PDFBox Add Validation Information on Certification Signature

How do I add validation information to a PDF during signing if the signature uses certification? Calling

SigUtils.setMDPPermission(doc, signature, 1);

causes a warning message in the function addValidationInformation.validateSignature(inPath, outFile):

PDF is certified to forbid changes, some readers may report the document as invalid despite that the PDF specification allows DSS additions

I call the addValidationInformation function after signing the doc, signing.signPDF();

What I have tried with this function:

    import java.security.cert.CRL;
    import java.security.cert.X509CRL;
    import java.security.cert.X509Certificate;
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.List;

    import org.apache.pdfbox.cos.COSDictionary;
    import org.apache.pdfbox.cos.COSName;
    import org.bouncycastle.cert.ocsp.OCSPResp;

    // Builds the /DSS dictionary from the signing chain. GetOcspResp, DssHelper and
    // LogSystem are my own helper classes; doc and certificateChain are fields of the
    // signing class.
    private void makeLTV() {
        try {
            COSDictionary catalogDict = doc.getDocumentCatalog().getCOSObject();
            catalogDict.setNeedToBeUpdated(true);

            // DER-encode every certificate of the chain for the /Certs array.
            byte[][] certs = new byte[certificateChain.length][];
            for (int i = 0; i < certificateChain.length; i++) {
                certs[i] = certificateChain[i].getEncoded();
            }

            // Collect OCSP responses and CRLs for every certificate that is not self-signed.
            List<CRL> crlList = new ArrayList<CRL>();
            List<OCSPResp> ocspList = new ArrayList<OCSPResp>();
            for (int i = 0; i < certificateChain.length; i++) {
                X509Certificate cert = (X509Certificate) certificateChain[i];
                if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
                    // The issuer is expected to be the next element of the chain; the index
                    // is guarded so the last certificate cannot run past the end of the array.
                    if (i + 1 < certificateChain.length) {
                        X509Certificate issuerCert = (X509Certificate) certificateChain[i + 1];
                        OCSPResp ocspResp = new GetOcspResp().getOcspResp(cert, issuerCert);
                        if (ocspResp != null) {
                            ocspList.add(ocspResp);
                        }
                    }
                    crlList.addAll(new DssHelper().readCRLsFromCert(cert));
                }
            }

            // DER-encode the collected CRLs for the /CRLs array.
            byte[][] crls = new byte[crlList.size()][];
            for (int i = 0; i < crlList.size(); i++) {
                crls[i] = ((X509CRL) crlList.get(i)).getEncoded();
                LogSystem.info("set CRL data");
            }

            // DER-encode the collected OCSP responses for the /OCSPs array.
            byte[][] ocsps = new byte[ocspList.size()][];
            for (int i = 0; i < ocspList.size(); i++) {
                ocsps[i] = ocspList.get(i).getEncoded();
            }

            Iterable<byte[]> certificates = Arrays.asList(certs);
            COSDictionary dss = new DssHelper().createDssDictionary(certificates, Arrays.asList(crls),
                    Arrays.asList(ocsps));
            catalogDict.setItem(COSName.getPDFName("DSS"), dss);
        } catch (Exception e) {
            LogSystem.error(e.toString());
            e.printStackTrace();
        }
    }

called before doc.addSignature(signature, signatureInterface, signatureOptions);

Upvotes: 0

Views: 615

Answers (1)

bsanchezb

Reputation: 108

PDF is certified to forbid changes, some readers may report the document as invalid despite that the PDF specification allows DSS additions

Well, the LTV level addition is indeed allowed for PDF documents even with restricted MDP permissions. See "Table 257 — Entries in the DocMDP transform parameters dictionary" of ISO 32000-2:

P number (Optional) The access permissions granted for this document. Changes to a PDF that are incremental updates which include only the data necessary to add DSS’s 12.8.4.3, "Document Security Store (DSS)" and/or document timestamps 12.8.5, "Document timestamp (DTS) dictionary" to the document shall not be considered as changes to the document as defined in the choices below.

So technically speaking you are allowed to add validation data to a PDF signature. However, you need to take into account the practical aspect of this change. For example, the most commonly used application for reading electronic signatures, Adobe, will more likely invalidate such a change. The problem here is that the "extension" of a signature with validation data and/or a timestamp may involve other changes within a PDF document, which may not be considered part of the allowed changes, as there is no formal guidance on either how to create such signatures or how to validate them.

For your information, the ETSI standardization group is currently working on a new set of standards that should provide formal guidance for the validation of different AdES signature formats. So maybe in the future this part will be clarified.

For the implementation part of the LTV level addition, I would recommend adding validation data to your signature after the production time of the first timestamp (signature-time-stamp or PDF document timestamp); that will ensure that the revocation data is fresh and can be considered during the validation process (see "5.2.5 Revocation freshness checker" of EN 319 102-1). For this you will need to add the revocation data to the signed document within a new incremental update (revision), using the method

pdDocument.saveIncremental(...)

executed on a signed PDDocument.

Upvotes: 1
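As an added example (not code from the question, the answer, or the PDFBox project itself), the following shows the two things discussed above on a document that has already been signed: reading the DocMDP /P value that the AddValidationInformation warning refers to, and writing a /DSS dictionary as a separate incremental update with saveIncremental. It assumes PDFBox 2.0.x (PDDocument.load; PDFBox 3.x uses Loader.loadPDF instead) and that the DER-encoded certificates, CRLs and OCSP responses have already been fetched by the caller; the class and method names are my own. It does not build the per-signature /VRI entries, which are optional in the specification.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.util.List;

import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSStream;
import org.apache.pdfbox.pdmodel.PDDocument;

// Hypothetical helper class; names are assumptions, not PDFBox API.
public class DssIncrementalUpdate {

    /**
     * Returns the DocMDP /P value (1, 2 or 3) of a certified document, or 0 when the
     * catalog has no /Perms /DocMDP entry, i.e. the document is not certified.
     * Path walked: /Catalog /Perms /DocMDP /Reference[i] /TransformParams /P.
     */
    public static int certificationLevel(PDDocument doc) {
        COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
        COSBase perms = catalog.getDictionaryObject(COSName.getPDFName("Perms"));
        if (!(perms instanceof COSDictionary)) {
            return 0;
        }
        COSBase docMdp = ((COSDictionary) perms).getDictionaryObject(COSName.getPDFName("DocMDP"));
        if (!(docMdp instanceof COSDictionary)) {
            return 0;
        }
        COSBase refs = ((COSDictionary) docMdp).getDictionaryObject(COSName.getPDFName("Reference"));
        if (!(refs instanceof COSArray)) {
            return 0;
        }
        COSArray refArray = (COSArray) refs;
        for (int i = 0; i < refArray.size(); i++) {
            COSBase ref = refArray.getObject(i);
            if (ref instanceof COSDictionary) {
                COSBase params = ((COSDictionary) ref).getDictionaryObject(COSName.getPDFName("TransformParams"));
                if (params instanceof COSDictionary) {
                    // /P is optional and defaults to 2 (ISO 32000 DocMDP transform parameters).
                    return ((COSDictionary) params).getInt(COSName.getPDFName("P"), 2);
                }
            }
        }
        return 0;
    }

    /**
     * Appends a /DSS dictionary to an already signed PDF as a new revision. certs, crls
     * and ocsps hold DER-encoded X.509 certificates, CRLs and OCSPResponse structures.
     * The earlier revisions, including the signed byte range, are not rewritten.
     */
    public static void addDss(File signedIn, File out,
                              List<byte[]> certs, List<byte[]> crls, List<byte[]> ocsps)
            throws IOException {
        try (PDDocument doc = PDDocument.load(signedIn)) {
            if (certificationLevel(doc) == 1) {
                System.err.println("Document is certified with /P 1: ISO 32000-2 allows a DSS-only "
                        + "incremental update, but some readers may still flag the document.");
            }
            COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
            COSDictionary dss = new COSDictionary();
            if (!certs.isEmpty()) dss.setItem(COSName.getPDFName("Certs"), streamArray(doc, certs));
            if (!crls.isEmpty())  dss.setItem(COSName.getPDFName("CRLs"),  streamArray(doc, crls));
            if (!ocsps.isEmpty()) dss.setItem(COSName.getPDFName("OCSPs"), streamArray(doc, ocsps));
            dss.setNeedToBeUpdated(true);
            catalog.setItem(COSName.getPDFName("DSS"), dss);
            // Only objects flagged with setNeedToBeUpdated(true) are emitted into the new revision.
            catalog.setNeedToBeUpdated(true);
            try (OutputStream os = new FileOutputStream(out)) {
                doc.saveIncremental(os);
            }
        }
    }

    /** Wraps each DER blob in its own (flate-compressed) stream object, as the DSS arrays require. */
    private static COSArray streamArray(PDDocument doc, List<byte[]> items) throws IOException {
        COSArray array = new COSArray();
        for (byte[] der : items) {
            COSStream stream = doc.getDocument().createCOSStream();
            try (OutputStream os = stream.createOutputStream(COSName.FLATE_DECODE)) {
                os.write(der);
            }
            stream.setNeedToBeUpdated(true);
            array.add(stream);
        }
        array.setNeedToBeUpdated(true);
        return array;
    }
}
```

Run addDss on the output of the signing step (and, following the answer, after the first timestamp has been applied), never on the document still open for signing: the DSS must land in its own revision so that the signed byte range is left intact and a validator can attribute the change to a DSS-only update.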
