
I'm fighting with creating a signature with a timestamp on my PDF file. After many attempts we succeeded and signed the PDF file. Adobe verified this file, but there is one mistake with the timestamp. There is information about:

Signature is timestamped but the timestamp could not be verified

Was this signature created improperly?

Here is the code:

import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.BouncyCastleDigest;
import com.itextpdf.text.pdf.security.ExternalDigest;
import com.itextpdf.text.pdf.security.ExternalSignature;
import com.itextpdf.text.pdf.security.MakeSignature;
import com.itextpdf.text.pdf.security.PrivateKeySignature;
import com.itextpdf.text.pdf.security.TSAClient;
import com.itextpdf.text.pdf.security.TSAClientBouncyCastle;

public String signByPfxCert(String filePath) {
    String postfix = "-signed";
    PdfReader reader = null;
    try {
        reader = new PdfReader(filePath);
        OutputStream os = new FileOutputStream(filePath + postfix);

        // '\0' keeps the PDF version of the input; the signed copy is written to os
        PdfStamper stamper = PdfStamper.createSignature(reader, os, '\0');
        PdfSignatureAppearance appearance = stamper.getSignatureAppearance();
        appearance.setReason("REASON");
        appearance.setLocation("LOCATION");

        Security.addProvider(new BouncyCastleProvider());

        // Load the signing key and certificate from the PKCS#12 file on the classpath.
        // getResourceAsStream works both from a directory and from inside a jar,
        // unlike getResource(...).getFile(), and the stream is closed afterwards.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        String password = "pwd12345";
        try (InputStream pfx = getClass().getClassLoader().getResourceAsStream("clientcert.pfx")) {
            ks.load(pfx, password.toCharArray());
        }
        String alias = ks.aliases().nextElement();
        PrivateKey pk = (PrivateKey) ks.getKey(alias, password.toCharArray());
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);

        // tsaUrl is a field holding the RFC 3161 timestamp server URL (not shown here)
        TSAClient tsc = new TSAClientBouncyCastle(tsaUrl);
        ExternalDigest digest = new BouncyCastleDigest();
        // SHA-1 as in the original; SHA-256 is the recommended digest (see the comments below)
        ExternalSignature signature = new PrivateKeySignature(pk, "SHA-1", "BC");

        // Signs the document, embeds the timestamp token obtained from tsc
        // and closes the stamper together with its output stream.
        MakeSignature.signDetached(appearance, digest, signature, new Certificate[]{cert},
                null, null, tsc, 0, MakeSignature.CryptoStandard.CMS);

        // Replace the original file with the signed one.
        File originalFile = new File(filePath);
        File signedFile = new File(filePath + postfix);
        boolean deleteOriginal = originalFile.delete();
        File destination = new File(filePath);
        boolean rename = signedFile.renameTo(destination);

        return (deleteOriginal && rename) ? destination.getName() : "";
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        if (reader != null) {
            reader.close();
        }
    }
    return "";
}
  • Please share an example PDF signed and timestamped by your code. But why are you using SHA-1? That algorithm has been considered insecure for a number of years and has been [broken in practice](https://shattered.it/)! – mkl Jun 06 '18 at 12:57
  • Check that your timestamp CA is recognized by Acrobat or it will never work. – Paulo Soares Jun 06 '18 at 14:56
  • https://www.dropbox.com/s/h2p9mtafzb55pqm/testowy-pdf.pdf?dl=0 <- it's a signed PDF created by me. @mkl, you're right, I should change it to SHA-256. Paulo Soares, I added this certificate to the trusted certificates in Adobe Reader – Algeroth Jun 06 '18 at 15:27
  • If I sign the PDF with a certificate which exists on my PC, then it works, but when I open a PDF which was created and signed with the PFX existing on the server, then in my case I see this info about the timestamp which could not be verified. – Algeroth Jun 06 '18 at 15:56
  • Please check the Adobe Reader version which says that *the timestamp could not be verified.* I assume that it is an older version because a current Reader with current trusted list information accepts the TSA certificate because it is on the EUTL. – mkl Jun 06 '18 at 20:02
  • It's probably the newest (DC 18.01). I wonder why the PFX certificate generated on my computer works and the certificate generated on the Linux server does not work properly with Adobe Reader – Algeroth Jun 07 '18 at 07:32
  • *"It's probably the newest"* - then it appears not to receive its trusted certificates updates. As mentioned above, the time stamp can be verified by current Adobe Reader with current trusted certificate information. – mkl Jun 07 '18 at 09:24
  • I checked and it's up to date. I don't have any updates in the queue – Algeroth Jun 07 '18 at 09:55
  • Then please make some screenshots and share them here, first the [signature panel](https://i.stack.imgur.com/rcMte.png) with all sections opened, then the [Signature Properties](https://i.stack.imgur.com/y0chv.png) opened via the context menu, then the [Advanced Signature Properties](https://i.stack.imgur.com/SAHi0.png) via the bottom left button, then the [Certificate Viewer](https://i.stack.imgur.com/EKlPw.png) via the "Show Certificate" button, and finally the ["Trust tab" of the Certificate Viewer](https://i.stack.imgur.com/HlmxK.png). Set Adobe Reader to an English GUI for this, please. – mkl Jun 08 '18 at 15:19
  • That being said, I just read your comment *"I wonder why the pfx certificate generated on my computer works and the certificate generated on the Linux server is not working properly with Adobe Reader"* again... Does that mean the example signed and timestamped file you shared in an earlier comment is a file you created on your computer and which also works for you while only those PDFs signed on your server show issues? If that were the case, please also share an example file signed on your server, an example file you observe the problem with; obviously we need a problem file, not one working. – mkl Jun 08 '18 at 15:27
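The comments above boil down to one check: does the TSA certificate embedded in the timestamp token chain to a root that the viewer trusts? The following is an added example (not the question author's code and not part of the iText project) that performs that check outside Adobe Reader with iText 5 and Bouncy Castle, so you can see which TSA certificate your server-side signing actually embedded and whether it chains to a root in a trust store you supply. Assumptions: the class name `TimestampCheck` and the command-line arguments (signed PDF, a PKCS#12 trust store holding the CA roots you trust, its password) are mine; the trust store stands in for Reader's own trusted-certificate list, which is a separate store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.tsp.TimeStampToken;
import org.bouncycastle.util.Store;

import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.CertificateVerification;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import com.itextpdf.text.pdf.security.VerificationException;

// Added example, not the question author's code.
// Usage: java TimestampCheck signed.pdf truststore.p12 truststore-password
public class TimestampCheck {

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Trust store with the CA roots you consider trustworthy for the TSA (assumed PKCS#12).
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }

        PdfReader reader = new PdfReader(args[0]);
        try {
            AcroFields fields = reader.getAcroFields();
            for (String name : fields.getSignatureNames()) {
                inspect(name, fields.verifySignature(name), trust);
            }
        } finally {
            reader.close();
        }
    }

    static void inspect(String name, PdfPKCS7 pkcs7, KeyStore trust) throws Exception {
        System.out.println("Signature " + name + ": digest " + pkcs7.getHashAlgorithm()
                + ", document integrity " + pkcs7.verify());

        TimeStampToken token = pkcs7.getTimeStampToken();
        if (token == null) {
            System.out.println("  no RFC 3161 timestamp token embedded");
            return;
        }
        // 1. The token's message imprint must match the signature value it covers.
        System.out.println("  imprint matches signature: " + pkcs7.verifyTimestampImprint());
        System.out.println("  timestamp: " + token.getTimeStampInfo().getGenTime());

        // 2. Find the TSA signing certificate inside the token and verify the token with it.
        Store<X509CertificateHolder> certs = token.getCertificates();
        Collection<X509CertificateHolder> matches = certs.getMatches(token.getSID());
        if (matches.isEmpty()) {
            System.out.println("  TSA certificate is not embedded; cannot verify token");
            return;
        }
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");
        X509Certificate tsaCert = conv.getCertificate(matches.iterator().next());
        System.out.println("  TSA cert: " + tsaCert.getSubjectX500Principal()
                + " issued by " + tsaCert.getIssuerX500Principal());
        // throws TSPValidationException if the token signature does not verify
        token.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tsaCert));
        System.out.println("  token signature valid for TSA cert");

        // 3. Chain the TSA cert (leaf first, then any other certs shipped in the token)
        //    to a root in the trust store, evaluated at the timestamp's own time.
        List<Certificate> chain = new ArrayList<Certificate>();
        chain.add(tsaCert);
        for (X509CertificateHolder h : certs.getMatches(null)) {
            X509Certificate c = conv.getCertificate(h);
            if (!c.equals(tsaCert)) {
                chain.add(c);
            }
        }
        Calendar at = Calendar.getInstance();
        at.setTime(token.getTimeStampInfo().getGenTime());
        List<VerificationException> errors = CertificateVerification.verifyCertificates(
                chain.toArray(new Certificate[0]), trust, null, at);
        if (errors.isEmpty()) {
            System.out.println("  TSA chain verified against trust store");
        } else {
            for (VerificationException e : errors) {
                System.out.println("  chain problem: " + e.getMessage());
            }
        }
    }
}
```

If step 1 and step 2 pass but step 3 reports a chain problem, the token itself is fine and the issue is purely one of trust in the TSA's root, which matches the "timestamped but the timestamp could not be verified" wording: Reader found the token but could not chain its signer to something it trusts. Run it once against a PDF signed on your PC and once against one signed on the server; if the printed TSA certificates differ, that is the place to look.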
