
I'm learning how to addLtv from this link

my workflow is for 2 signers:

signer 1:

  • prepare empty signature (with NO_CERTIFIED certification level)
  • generate hash and get p7s
  • inject p7s to pdf for signer 1
  • addLtv for signer 1 ---> I am not sure on this step

signer 2:

  • prepare empty signature from the pdf that already signed by signer 1 (with NO_CHANGES_ALLOWED certification level)
  • generate hash and get p7s for signer 2
  • inject p7s to pdf for signer 2
  • addLtv for signer 2 ---> I am not sure on this step

in this workflow, the certificate for signer 2 will be invalid, any idea how to addLtv for this workflow?

Is it common practice if I change the last signer to NO_CERTIFIED so his certificate will not be invalid and I add another signer (like just a timestamp) to make it NO_CHANGES_ALLOWED? or is there any better way to accomplish this workflow?


  • Please share an example PDF with that issue for analysis. There actually are a number of reasons for this problem requiring different measures to resolve it. – mkl May 28 '20 at 17:03
  • http://apps.primteksolusindo.com/iText7Test.zip – Don2 May 29 '20 at 02:50
  • Could you please sign again but use a PDF instead that uses cross reference tables and not cross reference streams, let alone object streams? E.g. [this one](https://github.com/mkl-public/testarea-itext7/raw/master/src/test/resources/mkl/testarea/itext7/content/test.pdf). – mkl May 29 '20 at 10:49
  • I don't know how to do that with iText – Don2 May 29 '20 at 11:47
  • Instead of your original file (generated by MS Word, I assume), simply use the file I linked above. As you sign in append mode, the original file determines how iText creates cross references. – mkl May 29 '20 at 12:38
  • https://apps.primteksolusindo.com/test_result.zip – Don2 May 29 '20 at 13:11
  • "Sorry, no page here!.." under that link – mkl May 29 '20 at 13:30
  • https://apps.primteksolusindo.com/test_results.zip – Don2 May 29 '20 at 13:35

1 Answer

There are two problems in your code that correctly make Adobe Reader report issues. I'm not sure yet, though, whether after fixing them Adobe Reader will be happy.

The issues in your workflow are:

  • Certification signature as second signature
  • PAdES ESIC extension only declared after first signature

Certification signature as second signature

First of all, your code applies a normal approval signature (PdfSigner.NOT_CERTIFIED set by signer.SetCertificationLevel) as first signature and then a certification signature (PdfSigner.CERTIFIED_NO_CHANGES_ALLOWED set by signer.SetCertificationLevel) as second one.

This is not allowed. According to the PDF specification ISO 32000-1:

A PDF document may contain [...]

At most one certification signature (PDF 1.5). [...] The signature dictionary shall contain a signature reference dictionary (see Table 253) that has a DocMDP transform method. [...]

A document can contain only one signature field that contains a DocMDP transform method; it shall be the first signed field in the document.

(sections 12.8.1 and 12.8.2.2.1 of ISO 32000-1)

And according to ISO 32000-2:

A PDF document may contain the following standard types of signatures: [...]

One or more approval signatures (also known as recipient signatures). These shall follow the certification signature if one is present.

(section 12.8.1 of ISO 32000-2)

Either way, approval signatures must follow the certification signature, not precede it.

(The change between the specification versions most likely has been made to allow document time stamps to precede the certification signature.)

Thus, already immediately after the second signature had been applied, Adobe Reader should have complained!

There is a way, though, to change the certification level in a later approval signature: If your PDF validator supports ISO 32000-1 with Adobe Supplement with ExtensionLevel 3 or ISO 32000-2, FieldMDP transforms can be used to this effect.

Please read this answer for some information on this option.

PAdES ESIC extension only declared after first signature

Your first signature is applied without the document declaring that any PDF extensions apply. Thus, a PDF validator may assume that for signature validation the base ISO 32000-1 rules apply, in particular that a certification level of "no changes allowed" indeed means that no changes are allowed. Only if an appropriate extension is declared and the PDF validator supports it, this rule may differ. In particular

  • ESIC extension level 1 (as per ETSI TS 102 778-4 and EN 319 142-1) or
  • ADBE extension level 5 (as per ETSI TS 102 778-4) or
  • ADBE extension level 8 (as per ETSI EN 319 142-1)

should indicate that, as ISO 32000-2 meanwhile puts it,

Changes to a PDF that are incremental updates which include only the data necessary to add DSS’s and/or document timestamps to the document shall not be considered as changes to the document

The LTV adding code of iText in your PDFs then declares an ESIC extension level 5. I'm not sure where that comes from, whether there is another TS or EN mentioning that level or whether the ESIC and ADBE levels have been mishmashed.

Thus, already with your first signature you should declare one of the extensions mentioned above.

If document is your PdfDocument instance before or while you apply the first signature (you may have to retrieve it from your PdfSigner signer using signer.GetDocument()), you can declare an extension like this:

```csharp
// Declare the ESIC extension (level 1 on base version 1.7) in the document catalog
PdfDeveloperExtension extension = new iText.Kernel.Pdf.PdfDeveloperExtension
        (PdfName.ESIC, PdfName.Pdf_Version_1_7, 1);
document.GetCatalog().AddDeveloperExtension(extension);
```

Alternatively you should set your PDF version to 2.0 when signing. This may cause other issues, though.
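As an added example (not code from the question or from mkl's answer), here is the two-signer workflow reordered the way the answer prescribes, using iText 7 for .NET: the ESIC extension is declared in the revision that carries the first signature, the first signer holds the certification signature, later signers are plain approval signatures, and the DSS data is merged per signature field afterwards. File paths, field names, the 8192-byte placeholder size and the use of the Bouncy Castle OCSP client with an online CRL client are assumptions; the hash/p7s round trip via PdfSigner.SignDeferred is the asker's existing step and is not repeated here.

```csharp
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;

// Constructed example built on iText 7 for .NET; file paths and field names are placeholders.
public static class LtvWorkflow
{
    // Declare the ESIC extension (level 1 on base version 1.7) in the catalog. It must already
    // be present in the revision carrying the first signature, not first appear with the DSS.
    public static void DeclareEsicExtension(PdfDocument document)
    {
        var extension = new PdfDeveloperExtension(PdfName.ESIC, PdfName.Pdf_Version_1_7, 1);
        document.GetCatalog().AddDeveloperExtension(extension);
    }

    // Reserve a signature field in append mode. Only the first signer may certify;
    // every later signer gets a plain approval signature (NOT_CERTIFIED).
    public static void PrepareSignature(string src, string dest, string fieldName, bool firstSigner)
    {
        using var reader = new PdfReader(src);
        using var output = new FileStream(dest, FileMode.Create);
        var signer = new PdfSigner(reader, output, new StampingProperties().UseAppendMode());
        signer.SetFieldName(fieldName);
        signer.SetCertificationLevel(firstSigner
            ? PdfSigner.CERTIFIED_NO_CHANGES_ALLOWED
            : PdfSigner.NOT_CERTIFIED);
        if (firstSigner)
        {
            DeclareEsicExtension(signer.GetDocument());
        }
        // Blank container: the externally produced p7s is injected later with PdfSigner.SignDeferred.
        var blank = new ExternalBlankSignatureContainer(PdfName.Adobe_PPKLite, PdfName.Adbe_pkcs7_detached);
        signer.SignExternalContainer(blank, 8192);
    }

    // Add OCSP/CRL data for one signed field as a DSS-only incremental update.
    public static void AddLtv(string src, string dest, string fieldName)
    {
        using var document = new PdfDocument(new PdfReader(src), new PdfWriter(dest),
            new StampingProperties().UseAppendMode());
        var ltv = new LtvVerification(document);
        ltv.AddVerification(fieldName, new OcspClientBouncyCastle(null), new CrlClientOnline(),
            LtvVerification.CertificateOption.WHOLE_CHAIN, LtvVerification.Level.OCSP_CRL,
            LtvVerification.CertificateInclusion.YES);
        ltv.Merge();
    }
}
```

Call PrepareSignature with firstSigner set to true for the certifying signer and false for every later one; a validator that honours the declared extension can then treat the later DSS-only updates as permitted changes, which is what the answer says is the intended behaviour, whether a given viewer actually implements it or not.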

  • Thanks, I don’t understand with “Certification signature as second signature”, I tried to only use 1 signer with NO_CHANGES_ALLOWED cert level, the same problem still occurs. – Don2 May 29 '20 at 23:45
  • And for “Certification signature as second signature”, My understanding is we will not be able to add cert level to NO_CHANGES_ALLOWED if we want to add Ltv to the last signer, CMIIW – Don2 May 29 '20 at 23:47
  • Do you have a pdf example that shows multiple signers with last signer is cert level is NO_CHANGES_ALLOWED with Ltv Enabled to all signers (include the last signer)? – Don2 May 29 '20 at 23:50
  • First of all: yes, probably the same issue occurs if the first signature is certified with no changes allowed, but your question was about a scenario where you added a certification signature as second signature, and that is definitively forbidden. I didn't say that that was the only issue. On the contrary. – mkl May 30 '20 at 06:13
  • Thanks mkl, it looks like we can not addLtv after NO_CHANGES_ALLOWED applied, cmiiw. One more thing: I try NOT to addLtv to all signers and I trust both signer’s certs using Adobe, hmmm it shows Signature is Ltv Enable .. strange? Or I confuse. – Don2 May 30 '20 at 06:36
  • In particular I mentioned that there is a second problem: already with the first signature you should declare that your pdf is subject to an extended specification, not pure ISO 32000-1. You do that by adding an extension entry. In your pdf an extension entry is added with the first set of LTV information. This allows the pdf viewer to assume that the signature is to be validated according to the base specification only, and that would mean that no changes allowed means no changes allowed. – mkl May 30 '20 at 06:40
  • It *should be possible* to add ltv information after a no-changes-allowed signature if the pdf starts out declaring that it is subject to the ETSI extensions and/or PDF-2. Whether Adobe reader allows that (I.e. whether Adobe reader is implemented correctly), I don't know. I've not yet knowingly seen Adobe reader do so. – mkl May 30 '20 at 06:45
  • “...first signature you should declare that your pdf is subject to an extended specification”, I don’t find the way for declaring it to an extended specs, Do you have the itext7 link or article that explain about how to do this? – Don2 May 30 '20 at 06:52
  • *"I try to NOT to addLtv to all signers and I trust both signer’s certs using Adobe, hmmm it shows Signature is Ltv Enable .. strange? Or I confuse"* - not strange. If you trust a certificate explicitly, there is no need for revocation information, your direct trust suffices. Only if you trust indirectly, by trusting the issuer, you have to check whether that issuer has revoked the issued signer certificate. – mkl May 30 '20 at 06:58
  • *"I don’t find the way for declaring it to an extended specs, Do you have the itext7 link or article that explain about how to do this?"* - I'll try to find something next week. – mkl May 30 '20 at 06:59