I inject a .p7s into a PDF using the code below:

        // Open the prepared PDF (it already contains the empty field "Signature1").
        // Note: this writer targets final1.pdf, but SignDeferred writes the signed bytes
        // to `output` below from the reader's raw bytes; nothing goes through this writer.
        PdfWriter pdfWriter = new PdfWriter("results/final1.pdf");
        PdfDocument document = new PdfDocument(new PdfReader("results/prepared1.pdf"), pdfWriter, new StampingProperties().UseAppendMode());

        // Container that hands the externally produced CMS (.p7s) bytes back unchanged
        ExternalInjectingSignatureContainer container2 = new ExternalInjectingSignatureContainer(_p7s);

        // Offline CRL: read here, but not used anywhere in this flow yet
        List<byte[]> crlCollection = new List<byte[]>();
        crlCollection.Add(File.ReadAllBytes(@"ks/mycrls.crl"));

        // Fill /Contents of Signature1 with the .p7s bytes and write signed1.pdf
        using (Stream output = new FileStream("results/signed1.pdf", FileMode.Create))
        {
            PdfSigner.SignDeferred(document, "Signature1", output, container2);
        }

I found this

I tried it as below:

        // Wrap the offline CRL so addLTV can embed it; no OCSP client and no TSA client yet
        ICrlClient crlClient = new CrlClientOffline(File.ReadAllBytes(@"ks/mycrls.crl"));
        addLTV("results/signed1.pdf", "results/final1.pdf", null, crlClient, null);

I did not see the LTV enabled?

but the result is: "Revocation checks were not performed."

addLTV

using System;
using System.Collections.Generic;
using iText.Kernel.Pdf;
using iText.Signatures;

// Adds a Document Security Store (DSS) with validation data for the existing
// signatures as an incremental update (PAdES-style LTV). itsaClient is not used
// here; a document timestamp would be a separate step after this one.
public static void addLTV(String src, String dest, IOcspClient ocsp, ICrlClient crl, ITSAClient itsaClient)
{
    PdfReader reader = new PdfReader(src);
    PdfWriter writer = new PdfWriter(dest);
    // Append mode: the signed revision must stay byte-for-byte intact
    PdfDocument pdfDoc = new PdfDocument(reader, writer, new StampingProperties().UseAppendMode());
    LtvVerification v = new LtvVerification(pdfDoc);
    SignatureUtil signatureUtil = new SignatureUtil(pdfDoc);
    IList<string> names = signatureUtil.GetSignatureNames();
    String sigName = names[names.Count - 1];
    PdfPKCS7 pkcs7 = signatureUtil.ReadSignatureData(sigName);
    if (pkcs7.IsTsp())
    {
        // The last signature is a document timestamp: add validation data for it only
        v.AddVerification(sigName, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
            LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
    }
    else
    {
        foreach (var name in names)
        {
            v.AddVerification(name, ocsp, crl, LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.YES);
        }
    }
    // Merge once, after all AddVerification calls: it writes the collected certificates,
    // CRLs and OCSP responses into /DSS and /VRI. Calling it inside the loop makes any
    // later AddVerification fail, because the verification has already been output.
    v.Merge();

    pdfDoc.Close();
}

ExternalInjectingSignatureContainer

using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;

// Hands a pre-computed CMS container (.p7s, produced externally over the prepared
// PDF's byte ranges) to PdfSigner.SignDeferred.
internal class ExternalInjectingSignatureContainer : IExternalSignatureContainer
{
    public ExternalInjectingSignatureContainer(byte[] signature)
    {
        Signature = signature;
    }

    public void ModifySigningDictionary(PdfDictionary signDic)
    {
        // Nothing to change in the signature dictionary here
    }

    // The data stream (the signed byte ranges) is ignored: the signature was already
    // computed over exactly these bytes when the .p7s was created.
    public byte[] Sign(Stream data)
    {
        return Signature;
    }

    public byte[] Signature;
}

I want to improve it by adding the CRL info (offline). I have created a .crl file, but I don't know how to add the CRL while injecting the .p7s.

TimeStamp

I know this is not related to this question, but after this I will add a timestamp to the signature. Where can I find a free timestamp service (for development purposes)?

Any help would be appreciated.

Many thanks in advance

Don

  • Which kind of pdf signatures do you create? ISO 32000-1 style interoperable ones? Or PAdES style ones? Or a mixture? Depending on your answer you can/must add CRLs in different ways. – mkl May 25 '20 at 05:13
  • for now I use PAdES – Don2 May 25 '20 at 05:22
  • According to the edit of your question you have a different problem altogether. In the certificate viewer screenshot one can read that the certificate does not chain up to a certificate designated as trusted anchor. There is no need for a validator to run revocation checks if it does not have any reason to trust the certificate to start with. So no matter how much revocation information you add, it will be ignored unless you configure your validator to trust the issuer of your certificate (or the issuer's issuer, etc). – mkl May 25 '20 at 05:50
  • I see, there is nothing to do here until I trust the certificate? How about the LTV? Why did I not see the LTV? – Don2 May 25 '20 at 06:03
  • If there is no trust to start with, there is no reason for a validator to check whether trust has been revoked. Adobe Reader only mentions revocation information if it uses it. – mkl May 25 '20 at 06:08
  • Thanks, I tried to trust it locally and it works now, btw, do you know what is the free timestamp for testing and dev purpose? – Don2 May 25 '20 at 09:12
  • You may want to try https://www.freetsa.org/. I have no firsthand experience as I usually use my employer's (non-free) TSA. – mkl May 25 '20 at 09:25
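Added example, not code from the question, the comments or iText's own samples: the comment above points out that Adobe Reader only mentions revocation information it actually uses, so the viewer is a poor way to tell whether addLTV wrote anything. This C# snippet opens the output file (assumed to be results/final1.pdf, the path used in the question) with iText 7 and reports straight from the catalog whether a /DSS exists, how many /Certs, /CRLs and /OCSPs it holds, and whether each signature field has a /VRI entry, which is keyed by the upper-case hex SHA-1 of the signature's /Contents bytes. That check works whether or not the validator trusts the signer.

```csharp
// Added example (not from the question or from iText): inspect the Document Security
// Store that addLTV should have written, independently of any viewer's trust settings.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using iText.Kernel.Pdf;
using iText.Signatures;

internal static class DssInspector
{
    public sealed class DssSummary
    {
        public bool HasDss;
        public int Certs, Crls, Ocsps;
        // signature field name -> whether /DSS /VRI has an entry for it
        public Dictionary<string, bool> VriCoverage = new Dictionary<string, bool>();
    }

    // VRI keys are the upper-case hex SHA-1 of the signature's /Contents bytes.
    // (For /ETSI.RFC3161 document timestamps iText first re-encodes the contents as
    // DER; the raw bytes are what applies to the CMS signatures in the question.)
    private static string VriKeyFor(PdfSignature sig)
    {
        byte[] contents = sig.GetContents().GetValueBytes();
        using (SHA1 sha1 = SHA1.Create())
            return BitConverter.ToString(sha1.ComputeHash(contents)).Replace("-", "");
    }

    public static DssSummary Inspect(string path)
    {
        var summary = new DssSummary();
        using (var pdfDoc = new PdfDocument(new PdfReader(path)))
        {
            PdfDictionary catalog = pdfDoc.GetCatalog().GetPdfObject();
            PdfDictionary dss = catalog.GetAsDictionary(PdfName.DSS);
            var signatureUtil = new SignatureUtil(pdfDoc);
            IList<string> names = signatureUtil.GetSignatureNames();

            if (dss == null)
            {
                // No DSS at all: nothing was merged into the document
                foreach (string name in names) summary.VriCoverage[name] = false;
                return summary;
            }
            summary.HasDss = true;
            summary.Certs = Count(dss.GetAsArray(PdfName.Certs));
            summary.Crls = Count(dss.GetAsArray(PdfName.CRLs));
            summary.Ocsps = Count(dss.GetAsArray(PdfName.OCSPs));

            PdfDictionary vri = dss.GetAsDictionary(PdfName.VRI);
            foreach (string name in names)
            {
                string key = VriKeyFor(signatureUtil.GetSignature(name));
                summary.VriCoverage[name] = vri != null && vri.ContainsKey(new PdfName(key));
            }
        }
        return summary;
    }

    private static int Count(PdfArray arr) => arr == null ? 0 : arr.Size();

    public static void Main(string[] args)
    {
        // Path assumed from the question; override on the command line
        string path = args.Length > 0 ? args[0] : "results/final1.pdf";
        DssSummary s = Inspect(path);
        Console.WriteLine(s.HasDss
            ? $"DSS present: {s.Certs} certs, {s.Crls} CRLs, {s.Ocsps} OCSP responses"
            : "No /DSS in the catalog: LTV data was not written");
        foreach (var kv in s.VriCoverage)
            Console.WriteLine($"  {kv.Key}: VRI entry {(kv.Value ? "found" : "MISSING")}");
    }
}
```

If this reports a /DSS with one CRL and a VRI entry for Signature1, the LTV data is in the file and what remains is a trust problem on the validator side, as the comments above conclude; if it reports no /DSS, addLTV did not run to completion (for example because Merge threw), regardless of what the viewer shows.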

1 Answer

How to add Ltv & CRL (offline) while injecting .p7s to a Pdf?

This depends on the profile of the PDF signatures you create and the capabilities of the validators.

PKCS#7 Signatures as used in ISO 32000

The PDF standard, ISO 32000, both in part 1 and part 2, in section 12.8.3.3 ("PKCS#7 Signatures as used in ISO 32000" / "CMS (PKCS #7) signatures") defines a profile for CMS signatures in PDFs.

This profile requires revocation information to be included in the CMS container as a signed attribute.

Judging by your previous questions, you create the CMS signature container itself externally. To embed CRLs according to this profile, therefore, you have to update your external code producing the CMS container or (if some service not implemented by you creates those signatures) ask the signature creation service provider to update their code producing the CMS container to include the CRL in a signed attribute as detailed in ISO 32000 section 12.8.3.3.2 ("Revocation Information" / "Revocation of CMS-based signatures").

CAdES signatures as used in PDF

ETSI originally in TS 102 778, updated in EN 319 142, defined profiles (PAdES profiles) for CAdES signatures in PDFs. CAdES is a special profile of CMS. A rundown of these profiles has been copied into the updated PDF specification ISO 32000-2, section 12.8.3.4 ("CAdES signatures as used in PDF").

These profiles require revocation information to be embedded in an incremental update after the signed revision in a Document Security Store structure of PDF objects.

To embed CRLs according to these profiles, therefore, you take the signed PDF and add the CRL afterwards. This essentially is what your addLTV example does.

Why Revocation checks were not performed

In comments you mention that you use PAdES and add the CRL using your addLTV example but that Adobe Reader tells you that "Revocation checks were not performed."

If you read the text underneath that message, the cause becomes clear:

The selected certificate does not chain up to a certificate designated as trusted anchor (see the Trust Tab for details). The result is that revocation checks were not performed on this certificate.

If your validator cannot trace your signer certificate back (in a certificate chain) to a certificate it explicitly trusts, validation stops with an unknown validity. Revocation checks only make sense if the validator trusts the issuer of the signer certificate (directly or indirectly); only in this case of trust by issuer the validator needs to verify whether the issuer revoked the certificate.

mkl
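Added example for the ISO 32000 CMS profile the answer describes; it is not part of the answer and not iText code. It assumes the external signer uses BouncyCastle's CmsSignedDataGenerator (the BouncyCastle build that iText 7 for .NET already depends on) and shows how to build the adbe-revocationInfoArchival signed attribute from a DER-encoded CRL such as ks/mycrls.crl, so it can be passed as the signedAttr argument of CmsSignedDataGenerator.AddSigner, and how to check an existing .p7s for that attribute and pull the archived CRLs back out. The OID and the structure are from ISO 32000-1 section 12.8.3.3.2.

```csharp
// Added example (not from the answer, not iText code): the ISO 32000 way of carrying
// a CRL is the signed attribute adbe-revocationInfoArchival (OID 1.2.840.113583.1.1.8):
//   RevocationInfoArchival ::= SEQUENCE {
//     crl          [0] EXPLICIT SEQUENCE OF CertificateList OPTIONAL,
//     ocsp         [1] EXPLICIT SEQUENCE OF OCSPResponse OPTIONAL,
//     otherRevInfo [2] EXPLICIT SEQUENCE OF OtherRevInfo OPTIONAL }
// Because it is a *signed* attribute it must exist when the signed-attributes hash is
// computed, i.e. in the code that produces the .p7s, not at SignDeferred time.
using System.Collections.Generic;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Cms;
using Org.BouncyCastle.Cms;
using Attribute = Org.BouncyCastle.Asn1.Cms.Attribute;

internal static class RevocationInfoArchival
{
    public static readonly DerObjectIdentifier Oid = new DerObjectIdentifier("1.2.840.113583.1.1.8");

    // Signed-attribute table for CmsSignedDataGenerator.AddSigner(privateKey, cert,
    // digestOid, signedAttrs, unsignedAttrs), built from DER CRLs (e.g. ks/mycrls.crl).
    // The mandatory content-type and message-digest attributes are added by the generator.
    public static AttributeTable BuildSignedAttributes(IEnumerable<byte[]> crlDers)
    {
        var crls = new Asn1EncodableVector();
        foreach (byte[] der in crlDers)
            crls.Add(Asn1Object.FromByteArray(der));          // CertificateList

        var revInfo = new DerSequence(
            new DerTaggedObject(true, 0, new DerSequence(crls))); // crl [0] EXPLICIT

        var attrs = new Asn1EncodableVector();
        attrs.Add(new Attribute(Oid, new DerSet(revInfo)));
        return new AttributeTable(attrs);
    }

    // Inspect an existing .p7s: return every CRL archived in the signers' signed
    // attributes (empty if none). Use this to check whether an external signing
    // service already embeds revocation information per ISO 32000 12.8.3.3.2.
    public static List<byte[]> ExtractCrls(byte[] p7s)
    {
        var result = new List<byte[]>();
        var cms = new CmsSignedData(p7s);
        foreach (SignerInformation signer in cms.GetSignerInfos().GetSigners())
        {
            AttributeTable signedAttrs = signer.SignedAttributes;
            Attribute attr = signedAttrs?[Oid];
            if (attr == null || attr.AttrValues.Count == 0) continue;

            Asn1Sequence revInfo = Asn1Sequence.GetInstance(attr.AttrValues[0]);
            foreach (Asn1Encodable member in revInfo)
            {
                Asn1TaggedObject tagged = Asn1TaggedObject.GetInstance(member);
                if (tagged.TagNo != 0) continue;                // only the crl [0] choice
                foreach (Asn1Encodable crl in Asn1Sequence.GetInstance(tagged.GetObject()))
                    result.Add(crl.GetDerEncoded());
            }
        }
        return result;
    }
}
```

This is the practical difference between the two profiles: with the ISO 32000 profile the CRL has to be fetched before the hash over the signed attributes is computed, so a .p7s that arrives already signed cannot be retrofitted with it, and the PAdES route (the DSS written by addLTV) is the only option left at injection time.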