I inject a p7s into a PDF using the code below:

    PdfWriter pdfWriter = new PdfWriter("results/final1.pdf");
    PdfDocument document = new PdfDocument(new PdfReader("results/prepared1.pdf"), pdfWriter,
        new StampingProperties().UseAppendMode());
    using (Stream output = new FileStream("results/signed1.pdf", FileMode.Create))
    {
        // _p7s holds the CMS container produced externally; it is copied into the
        // prepared signature field unchanged
        ExternalInjectingSignatureContainer container2 = new ExternalInjectingSignatureContainer(_p7s);

        // the CRL is read here but never passed on, so it does not end up in the PDF
        List<byte[]> crlCollection = new List<byte[]>();
        crlCollection.Add(File.ReadAllBytes(@"ks/mycrls.crl"));

        PdfSigner.SignDeferred(document, "Signature1", output, container2);
    }
I found this
I tried it as below:

    // offline CRL client that returns the bytes of my .crl file for every certificate
    ICrlClient crlClient = new CrlClientOffline(File.ReadAllBytes(@"ks/mycrls.crl"));
    addLTV("results/signed1.pdf", "results/final1.pdf", null, crlClient, null);

I did not see LTV enabled; the result is: "Revocation checks were not performed."
addLTV

    public static void addLTV(String src, String dest, IOcspClient ocsp, ICrlClient crl, ITSAClient itsaClient)
    {
        PdfReader reader = new PdfReader(src);
        PdfWriter writer = new PdfWriter(dest);
        // append mode: the validation data is added as an incremental update after the signed revision
        PdfDocument pdfDoc = new PdfDocument(reader, writer, new StampingProperties().UseAppendMode());
        LtvVerification v = new LtvVerification(pdfDoc);
        SignatureUtil signatureUtil = new SignatureUtil(pdfDoc);
        IList<string> names = signatureUtil.GetSignatureNames();
        String sigName = names[names.Count - 1];
        PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(sigName);
        if (pkcs7.IsTsp())
        {
            // last signature is a document timestamp: only add data for that one
            v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
        }
        else
        {
            foreach (var name in names)
            {
                v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                    LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.YES);
            }
        }
        // Merge writes the collected data into the /DSS; it only acts on its first call,
        // so it is called once, after all signatures have been added
        v.Merge();
        pdfDoc.Close();
    }
ExternalInjectingSignatureContainer

    // container that does not sign anything itself but returns a ready-made CMS blob
    internal class ExternalInjectingSignatureContainer : IExternalSignatureContainer
    {
        public byte[] Signature;

        public ExternalInjectingSignatureContainer(byte[] signature)
        {
            Signature = signature;
        }

        public void ModifySigningDictionary(PdfDictionary signDic)
        {
            // nothing to change, the signature dictionary was prepared earlier
        }

        public byte[] Sign(Stream data)
        {
            // the hash over 'data' was already signed externally; just hand back the p7s
            return Signature;
        }
    }
I want to improve it by adding the CRL info (offline). I have created a .crl file, but I don't know how to add the CRL while injecting the .p7s.

TimeStamp

I know this is not related to this question, but after this I will add a timestamp to the signature. Where can I find a free timestamp server (for development purposes)?

Any help would be appreciated. Many thanks in advance,
Don
This depends on the profile of the PDF signatures you create and the capabilities of the validators.
The PDF standard, ISO 32000 both in part 1 and part 2, in section 12.8.3.3 ("PKCS#7 Signatures as used in ISO 32000" / "CMS (PKCS #7) signatures") defined a profile for CMS signatures in PDFs.
This profile requires revocation information to be included in the CMS container as a signed attribute.
Judging by your previous questions, you create the CMS signature container itself externally. To embed CRLs according to this profile, therefore, you have to update your external code producing the CMS container or (if some service not implemented by you creates those signatures) ask the signature creation service provider to update their code producing the CMS container to include the CRL in a signed attribute as detailed in ISO 32000 section 12.8.3.3.2 ("Revocation Information" / "Revocation of CMS-based signatures").
ETSI originally in TS 102 778, updated in EN 319 142, defined profiles (PAdES profiles) for CAdES signatures in PDFs. CAdES is a special profile of CMS. A rundown of these profiles has been copied into the updated PDF specification ISO 32000-2, section 12.8.3.4 ("CAdES signatures as used in PDF").
These profiles require revocation information to be embedded in an incremental update after the signed revision in a Document Security Store structure of PDF objects.
To embed CRLs according to these profiles, therefore, you take the signed PDF and add the CRL afterwards. This essentially is what your addLTV example does.

In comments you mention that you use PAdES and add the CRL using your addLTV example but that Adobe Reader tells you that "Revocation checks were not performed."
If you read the text underneath that message, the cause becomes clear:
"The selected certificate does not chain up to a certificate designated as trusted anchor (see the Trust Tab for details). The result is that revocation checks were not performed on this certificate."

If your validator cannot trace your signer certificate back (in a certificate chain) to a certificate it explicitly trusts, validation stops with an unknown validity. Revocation checks only make sense if the validator trusts the issuer of the signer certificate (directly or indirectly); only in this case of trust by issuer does the validator need to verify whether the issuer revoked the certificate.
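To see whether the addLTV step actually wrote the CRL into the Document Security Store, and which issuer the validator has to trust before it will even look at that CRL, here is an added inspection routine (not from the question or the answer). It assumes iText 7.1 for .NET, where PdfPKCS7.GetSigningCertificate() returns a BouncyCastle X509Certificate, and takes the paths from the question as arguments.

```csharp
using System;
using System.IO;
using System.Linq;
using iText.Kernel.Pdf;
using iText.Signatures;

// Added example: reports what the /DSS of a PDF produced by addLTV contains.
public static class DssCheck
{
    // Returns true when the catalog carries a /DSS with at least one CRL stream.
    public static bool HasCrlInDss(string signedPdf, string expectedCrlFile)
    {
        byte[] expected = File.ReadAllBytes(expectedCrlFile);
        using (PdfDocument doc = new PdfDocument(new PdfReader(signedPdf)))
        {
            PdfDictionary dss = doc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS);
            if (dss == null)
            {
                Console.WriteLine("no /DSS in catalog: addLTV wrote no validation data");
                return false;
            }
            PdfArray crls = dss.GetAsArray(PdfName.CRLs);
            int found = 0;
            for (int i = 0; crls != null && i < crls.Size(); i++)
            {
                byte[] raw = crls.GetAsStream(i).GetBytes();
                // DSS streams must hold DER. A PEM file ("-----BEGIN X509 CRL-----") given to
                // CrlClientOffline is stored verbatim, and validators will not parse it.
                bool der = raw.Length > 0 && raw[0] == 0x30;
                bool same = raw.SequenceEqual(expected);
                Console.WriteLine($"/CRLs[{i}]: {raw.Length} bytes, DER={der}, matches ks file={same}");
                found++;
            }
            // /VRI holds the per-signature view of the same data, keyed by CMS container hash.
            PdfDictionary vri = dss.GetAsDictionary(PdfName.VRI);
            Console.WriteLine($"/VRI entries: {(vri == null ? 0 : vri.Size())}");
            // The CRL is only consulted once the chain reaches a trusted anchor, so print
            // the signer and its issuer: that issuer (or one above it) must be trusted.
            SignatureUtil util = new SignatureUtil(doc);
            foreach (string name in util.GetSignatureNames())
            {
                var cert = util.ReadSignatureData(name).GetSigningCertificate();
                Console.WriteLine($"{name}: subject={cert.SubjectDN}, issuer={cert.IssuerDN}");
            }
            return found > 0;
        }
    }
}
```

Call it as DssCheck.HasCrlInDss("results/final1.pdf", "ks/mycrls.crl") after addLTV; a false result or DER=false explains a missing CRL, while a true result with the Adobe message above points at the trust anchor, not at the CRL.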