Digital signature with timestamp in Java

Submitted by 折月煮酒 on 2019-11-30 16:10:25

signed_lipsum.pdf, first version

The time stamp token references as signer some

CN=e-Szigno Test TSA2,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU

which has been issued by

CN=Microsec e-Szigno Test Root CA 2008,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU

with serial number 7.

It does not provide this certificate itself, though, and neither is it provided by the encapsulating signature CMS container nor in some validation related information PDF document section.

Thus, at least on my computer there is no chance of verifying the time stamp token in any way and Adobe Reader is completely right not to accept the time stamp.

Have you provided the certificate in question on your computer in a way appropriate for your Adobe Reader? If you have and it still does not work, please supply it for further tests. If you have not, try to retrieve and provide it.

You might want to beef up the time stamp token itself to include that certificate before including it into the signature.

signed_lipsum.pdf, second version

In the updated file signed_lipsum.pdf the signature time stamp contains a TSA certificate, but it is the wrong one!

Just like in the first version the time stamp references a signer certificate with

  • Subject CN=e-Szigno Test TSA2,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
  • Issuer CN=Microsec e-Szigno Test Root CA 2008,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
  • Serial number 7.

The contained certificate, on the other hand, has

  • Subject CN=e-Szigno Test TSA2,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
  • Issuer CN=Microsec e-Szigno Test Root CA 2008,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU
  • Serial number 5.

I assume that test TSA uses multiple signing devices / soft-tokens with individual certificates and the OP included the wrong one.

You, therefore, might want to include the correct certificate instead.

BTW, the time stamp in the PDF signed by iText contains a certificate matching the references in the stamp...

RFC 3161 time stamp requests can ask the TSA to include the signer certificate automatically. Bouncy Castle lets you set this flag like this:

import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
TimeStampRequestGenerator reqgen = new TimeStampRequestGenerator();
reqgen.setCertReq(true); // <<<<<<<<<<<<<<<<<<<<<<<<<< certReq TRUE: TSA embeds its signing certificate in the token
TimeStampRequest req = reqgen.generate(TSPAlgorithms.SHA1, data); // data is the digest to be time stamped, not the raw bytes

Instead of including the certificate yourself, you might try this.

LTV enabled

From the comments:

Just out of curiosity, what extra needs to be added to make a PDF LTV enabled?

To quote Leonard Rosenthol (PDF guru at Adobe):

LTV enabled means that all information necessary to validate the file (minus root certs) is contained within. So this statement [...] would be true.

the PDF is signed correctly and contains all necessary certificates, a valid CRL or OCSP response for every certificate

(Jan 10, 2013; 7:07pm;Leonard Rosenthol on itext-general)
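To check the situation described above for signed_lipsum.pdf mechanically (does the token carry the certificate its SignerInfo points to by issuer and serial number, and does the token validate against that certificate), here is an added example written for this page; it is not code from the original answer, from iText or from the TSA vendor. It uses Bouncy Castle's tsp and cms packages only. The input file path, the class name TimeStampTokenCheck and the choice of SHA-256 for the request are assumptions; buildRequest shows the certReq flag from the snippet above, but the HTTP exchange with a TSA is left out, so the program reads a DER-encoded TimeStampResponse saved from the TSA, or a bare TimeStampToken pulled out of the PDF signature's unsigned attribute, from the command line.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Collection;

import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.SignerId;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TSPException;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Store;

/**
 * Example written for this page (class name is an assumption): does an RFC 3161 token
 * carry the TSA certificate its SignerInfo references, and does it validate against it?
 */
public class TimeStampTokenCheck {

    /** Request for the SHA-256 digest of data, asking the TSA to embed its signing certificate. */
    static TimeStampRequest buildRequest(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        gen.setCertReq(true);                                       // certReq TRUE
        BigInteger nonce = new BigInteger(64, new SecureRandom());  // checked by TimeStampResponse.validate(req)
        return gen.generate(TSPAlgorithms.SHA256, digest, nonce);
    }

    /** Accepts a DER TimeStampResponse (from the TSA) or a bare TimeStampToken (from the PDF). */
    static TimeStampToken parseToken(byte[] der) throws Exception {
        try {
            TimeStampToken token = new TimeStampResponse(der).getTimeStampToken();
            if (token == null) throw new TSPException("TSA response carries no token (request rejected)");
            return token;
        } catch (TSPException | IOException notAResponse) {
            return new TimeStampToken(ContentInfo.getInstance(ASN1Primitive.fromByteArray(der)));
        }
    }

    /** The certificate the SignerInfo identifies (issuer + serial, or SKI), taken from the token's own cert set; null if absent. */
    static X509CertificateHolder findReferencedCertificate(TimeStampToken token) {
        SignerId sid = token.getSID();                                  // the reference
        Store<X509CertificateHolder> certs = token.getCertificates();   // what the token actually carries
        Collection<X509CertificateHolder> hits = certs.getMatches(sid);
        return hits.isEmpty() ? null : hits.iterator().next();
    }

    /** Side-by-side view of the referenced signer and every certificate in the token. */
    static String describe(TimeStampToken token) {
        SignerId sid = token.getSID();
        StringBuilder sb = new StringBuilder();
        sb.append("referenced signer: issuer=").append(sid.getIssuer())
          .append(" serial=").append(sid.getSerialNumber()).append('\n');
        for (X509CertificateHolder c : token.getCertificates().getMatches(null)) {   // null selector = all
            sb.append("contained cert:    issuer=").append(c.getIssuer())
              .append(" serial=").append(c.getSerialNumber())
              .append(sid.match(c) ? "  <- matches" : "  <- does NOT match").append('\n');
        }
        return sb.toString();
    }

    /** Signature, ESSCertID hash, issuer/serial, timeStamping EKU and validity at genTime; chain building to a trusted root is a separate step. */
    static void validate(TimeStampToken token, X509CertificateHolder tsaCert) throws Exception {
        SignerInformationVerifier verifier =
            new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tsaCert);
        token.validate(verifier);   // throws TSPValidationException on any mismatch
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // args[0]: path to the saved TSA response or the extracted token (assumed input, not supplied here)
        TimeStampToken token = parseToken(Files.readAllBytes(Paths.get(args[0])));
        System.out.print(describe(token));
        X509CertificateHolder tsaCert = findReferencedCertificate(token);
        if (tsaCert == null) {
            System.out.println("token does not carry the certificate it references; a validator must obtain it elsewhere");
            return;
        }
        validate(token, tsaCert);
        System.out.println("token validates against its embedded TSA certificate, genTime "
            + token.getTimeStampInfo().getGenTime());
    }
}
```

On the second version of signed_lipsum.pdf described above, describe would list the referenced serial 7 against a contained certificate with serial 5 marked "does NOT match", and findReferencedCertificate would return null, which is exactly the condition that leaves Adobe Reader unable to verify the stamp. Note that token.validate only checks the token against the TSA certificate handed to it; whether that certificate chains to a root you trust still has to be checked with a CertPath validator.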
