When should I addLtv? After or before injecting .p7s?

We have 2 signers, 1st signer certification level is 0 (NO_CERTIFIED) and the 2nd signer certification level is 1 (NO_CHANGES_ALLOWED).

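We use the code below to addLtv:

```csharp
using System;
using System.Collections.Generic;
using iText.Kernel.Pdf;
using iText.Signatures;

// Open the signed PDF in append mode so the LTV data is written as an incremental update
PdfDocument pdfDoc = new PdfDocument(new PdfReader("results/signer1_signed.pdf"),
    new PdfWriter("results/signer1_signed_ltv.pdf"), new StampingProperties().UseAppendMode());

LtvVerification v = new LtvVerification(pdfDoc);
SignatureUtil signatureUtil = new SignatureUtil(pdfDoc);
IList<string> names = signatureUtil.GetSignatureNames();
// The last name in the list is the most recent signature
String sigName = names[names.Count - 1];
PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(sigName);
if (pkcs7.IsTsp())
{
    // Last signature is a document timestamp: add validation data for it only
    // (the two null arguments are the OCSP and CRL clients)
    v.AddVerification(sigName, null, null, LtvVerification.CertificateOption.WHOLE_CHAIN,
        LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
}
else
{
    // Otherwise add validation data for every signature in the document
    foreach (var name in names)
    {
        v.AddVerification(name, null, null, LtvVerification.CertificateOption.WHOLE_CHAIN,
            LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
        v.Merge();
    }
}

// Closing the document writes the output file
pdfDoc.Close();
```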

If we run it after the .p7s is injected, then it will break the certificate, but if we run it during PDF preparation, then it is unable to get the signature data because the signature field is not yet ready.

  • *"when should I addLtv? after or before injecting .p7s?"* - that completely depends on the kind of signatures you create: If you create ISO 32000-1 style signatures (foremost with an **adbe.pkcs7.detached** subfilter) and have to deal with ISO 32000-1 validators, you ***have to* add LTV information beforehand**, there is no alternative way in that case. If you create PAdES style signatures (with an **ETSI.CAdES.detached** subfilter), in particular in case of a BASELINE profile, you ***have to* add LTV information afterwards**. If your use case is a different one, please describe it. – mkl May 19 '20 at 08:10
  • Yes, I create PAdES style with CAdES.detached subfilter, do you have a link or example for this? – Don2 May 25 '20 at 05:52
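
Added example (not part of the thread and not iText sample code): a read-only C# check that reports, for each signature in an already signed PDF, the subfilter that the rule in mkl's comment depends on, and whether a DSS is already present. The class name `LtvTimingCheck` and the input path are assumptions; the calls are from the same iText 7 `SignatureUtil` API the question uses.

```csharp
using System;
using iText.Kernel.Pdf;
using iText.Signatures;

// Added diagnostic, not from the thread: inspects a signed PDF without modifying it.
public static class LtvTimingCheck
{
    // Maps a signature /SubFilter to the ordering stated in the comment above.
    public static string Advise(PdfName subFilter)
    {
        if (PdfName.ETSI_CAdES_DETACHED.Equals(subFilter))
            return "PAdES style: add LTV information afterwards";
        if (PdfName.Adbe_pkcs7_detached.Equals(subFilter))
            return "ISO 32000-1 style: add LTV information beforehand";
        return "other subfilter: not covered by the rule in the comment";
    }

    public static void Main(string[] args)
    {
        // args[0] is an assumed input path, e.g. results/signer1_signed.pdf
        PdfDocument pdfDoc = new PdfDocument(new PdfReader(args[0]));
        try
        {
            // /DSS in the catalog is the document security store that holds LTV data.
            bool hasDss = pdfDoc.GetCatalog().GetPdfObject().ContainsKey(PdfName.DSS);
            Console.WriteLine("DSS present: " + hasDss);

            SignatureUtil util = new SignatureUtil(pdfDoc);
            foreach (string name in util.GetSignatureNames())
            {
                PdfName subFilter = util.GetSignatureDictionary(name).GetAsName(PdfName.SubFilter);
                Console.WriteLine(name + ": " + subFilter
                    + ", covers whole document: " + util.SignatureCoversWholeDocument(name)
                    + ", " + Advise(subFilter));
            }
        }
        finally
        {
            pdfDoc.Close();
        }
    }
}
```

Once LTV data has been appended as an incremental update, the last signature no longer reports that it covers the whole document, because bytes now follow its signed range.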

0 Answers