1

I am getting "embedded timestamp could not be verified" for TSA: http://timestamp.digicert.com

Embedded timestamp issue

But with the same sample code and TSA http://ts.quovadisglobal.com/eu it works fine.

I am using the PDFBox example for signing a document: https://github.com/apache/pdfbox/blob/trunk/examples/src/main/java/org/apache/pdfbox/examples/signature/CreateSignatureBase.java

Signed sample files

Vas K
  • For analysis please share an example PDF illustrating the issue. – mkl Apr 04 '22 at 14:41
  • I have attached both the files – Vas K Apr 05 '22 at 05:25
  • I get "403 Forbidden" for both links. – mkl Apr 05 '22 at 09:24
  • According to the Wikipedia, "In March 2019, access to Zippyshare was blocked for visitors in the United Kingdom, with a HTTP 403 error message displayed. No reason was given for the block, and it is unclear why Zippyshare decided to block users from the UK.[2] Zippyshare became similarly unavailable in Germany in April 2019[5] and in Spain in June 2019, also with no explanation.[6]" That explains it. According to the same article, Zippyshare has a questionable reputation anyways. – mkl Apr 05 '22 at 09:34
  • Sorry for inconvenience. I have uploaded both documents to a GitHub repo and shared the updated link – Vas K Apr 05 '22 at 10:47

1 Answer

2

If you compare the trust tabs of the Acrobat time stamp certificate viewer ("Show Signature Properties..." -> "Advanced Properties..." -> "Show Certificate..."), the problem becomes clear:

| not working | working |
|-------------|---------|
| not trusted | trusted |

As you can read at the top of that tab in case of the working time stamp,

This certificate is directly trusted in your trusted certificates list. Source of Trust obtained from European Union Trusted Lists (EUTL).

and in case of the not working time stamp,

This certificate is not trusted.

(If you click through the certificate chain, you'll see the same again and again, not trusted.)

Looking into the Adobe Acrobat Trusted Certificates, one currently sees

trusted DigiCert certificates

So indeed, the G4 DigiCert certificates used to sign your problem time stamp are not trusted by Adobe Acrobat. Thus, Acrobat cannot verify the time stamp.

But have a look at the validity dates of the intermediary certificate and the TSA certificate,

  • DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA is valid from 2022/03/23 02:00:00 +02'00' and
  • DigiCert Timestamp 2022 - 2 is valid from 2022/03/29 02:00:00 +02'00'.

They have been issued less than 2 weeks ago! Maybe they simply are not yet on the Adobe trust lists (AATL / EUTL). I've seen relevant trust anchors taking months to be included in those lists. Thus, it's not unlikely that Adobe Acrobat will become able to validate those time stamps over time.

mkl