
I am using this flow for performing digital signatures using an external trust service provider.

I have integrated this approach to add timestamp to my current certifying signature.

Using these, I am able to perform a signature timestamp with an embedded trusted timestamp.

In the DSS dictionary of my PDF, I have added revocation information before calling saveIncrementalForExternalSigning. But I am unable to add revocation information and certificates for the timestamp, since the timestamp token is not available before saveIncrementalForExternalSigning. Later on, when I get the timestamp token, I make changes to the DSS dictionary, but they are not reflected in the output PDF. Below is my source code flow:

public ByteArrayOutputStream getSignedStream(PDDocument document, SignRequest request, Certificate[] certificateChain) throws Exception {

    // adding revocation info for the signature
    validationService.addValidationInformation(document, certificateChain);

    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    ExternalSigningSupport externalSigningSupport = document.saveIncrementalForExternalSigning(outputStream);

    InputStream inputStream = request.getDocument();
    CMSSignedData signedData = generateCMSSignedData(certificateChain, externalSigningSupport, inputStream, signParams...);

    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    // initialize the TSA client
    tsaClient = new TimestampClient(new URL(options.getUrl()),
        options.getUsername(), options.getPassword(), digest);

    // here the timestamp token is generated from the signedData input stream
    signedData = TimestampUtil.addSignedTimeStamp(signedData, tsaClient, document);

    // using the above timestamp token, the certificates and revocation information are available now
    CMSSignedData data = new CMSSignedData(TSAUtil.token);
    TimeStampToken timeStampToken = new TimeStampToken(data);
    Store certificatesStore = timeStampToken.getCertificates();
    TSAUtil.certificates = TSARevocationInfoUtil.convertCertificates(certificatesStore);

    /* trying to add revocation info for the timestamp to the DSS dictionary;
       this change is not reflected in the output document */
    validationService.addValidationInformation(document, certificateChain);

    byte[] cmsSignature = signedData.getEncoded();
    externalSigningSupport.setSignature(cmsSignature);

    return outputStream;
}

Also, with certifying signatures, I want to use DocMDP permission as 1 (No changes allowed). So, I cannot save the document multiple times.

Please suggest how I can update the DSS dictionary with the certificates of the embedded signature timestamp without corrupting the document and in compliance with DocMDP permission 1.

Himanshu Jindal
Qazazazaz
  • @mkl any suggestions on this? – Qazazazaz Jul 17 '23 at 09:53
  • Strictly speaking, *"DocMDP permission as 1"* by itself is not a problem because even in that case an incremental update containing only DSS additions is allowed by the specs (both ETSI EN 319 142-1 and ISO 32000-2). Unfortunately, Adobe Acrobat has a bug in this regard and erroneously reports DSS updates as disallowed. Apparently you want to make Adobe Acrobat happy in spite of its bug. This means that you cannot have incremental updates after the revision with the signature. This in turn means that you need to have all validation related information (also for the time stamp!) before signing. – mkl Jul 17 '23 at 12:25
  • Essentially, therefore, you have to know the time stamp certificate in advance (or a small set of candidate certificates) and add its (their) validation related information together with the information for the signer certificate. If that's no option, you'll have to use incremental updates, probably with a higher MDP level value. – mkl Jul 17 '23 at 13:59
  • Thanks @mkl for the suggestions in this matter. I was not aware that it's Acrobat's bug. I decided not to add timestamp validation information in case of DocMDP permission 1, since it is not mandatory as per the PDF specs. Also, for getting the timestamp certs and validation information before getting the actual timestamp, I would need an additional call to generate a dummy timestamp token, which would give me the required validation info. This extra call seems like a hack and not the actual solution. I will add the timestamp validation information for DocMDP permissions 2 and 3. – Qazazazaz Jul 17 '23 at 20:05
  • *"I was not aware that it's Acrobat's bug."* - The PAdES basics are introduced in ETSI EN 319 142-1 and ISO 32000-2, and both indicate that even with MDP level 1, incremental updates that update the DSS are allowed. Thus, software that understands and supports the PAdES basics consequently must allow such updates. - *"I will add the timestamp validation information for DocMDP permission 2 and 3."* - that's the safest way – mkl Jul 18 '23 at 14:10
  • Just to add, even the PDFBox sample for Document Timestamp generates the error "No changes to the document are permitted due to DocMDP transform parameters dictionary" when I try to use an input PDF with DocMDP permission 1. – Qazazazaz Jul 19 '23 at 06:46
  • Well, pdfbox tries to behave very much like Acrobat, both in good and in bad ways... – mkl Jul 19 '23 at 07:13
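The discussion above turns on whether the certificates of the embedded signature timestamp actually made it into the DSS dictionary. The following checker is an added example, not code from the question or from PDFBox; it assumes PDFBox 2.0.x (PDDocument.load) and Bouncy Castle, reads each signature's CMS, pulls the signature-timestamp token from the signer's unsigned attributes, and reports any certificate the TSA embedded in that token that is not present in /DSS /Certs.

```java
import java.nio.file.*;
import java.util.*;
import org.apache.pdfbox.cos.*;
import org.apache.pdfbox.io.IOUtils;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature;
import org.bouncycastle.asn1.cms.*;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.*;
import org.bouncycastle.tsp.TimeStampToken;

/** Lists certificates carried in a signature's embedded timestamp token that are absent from DSS /Certs. */
public class DssTimestampCheck {
    public static List<X509CertificateHolder> missingTimestampCerts(Path pdf) throws Exception {
        byte[] fileBytes = Files.readAllBytes(pdf); // PDSignature.getContents works on the raw file bytes
        List<X509CertificateHolder> missing = new ArrayList<>();
        try (PDDocument doc = PDDocument.load(fileBytes)) {
            Set<X509CertificateHolder> dssCerts = dssCerts(doc);
            for (PDSignature sig : doc.getSignatureDictionaries()) {
                CMSSignedData cms = new CMSSignedData(sig.getContents(fileBytes));
                for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
                    AttributeTable unsigned = signer.getUnsignedAttributes();
                    Attribute attr = unsigned == null ? null
                            : unsigned.get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
                    if (attr == null) continue; // this signer carries no signature timestamp
                    ContentInfo tokenInfo = ContentInfo.getInstance(attr.getAttrValues().getObjectAt(0));
                    for (X509CertificateHolder cert : new TimeStampToken(tokenInfo).getCertificates().getMatches(null)) {
                        if (!dssCerts.contains(cert)) missing.add(cert);
                    }
                }
            }
        }
        return missing;
    }

    /** Parses every stream in the catalog's /DSS /Certs array; X509CertificateHolder.equals compares DER content. */
    private static Set<X509CertificateHolder> dssCerts(PDDocument doc) throws Exception {
        Set<X509CertificateHolder> certs = new HashSet<>();
        COSDictionary dss = doc.getDocumentCatalog().getCOSObject().getCOSDictionary(COSName.getPDFName("DSS"));
        COSArray array = dss == null ? null : dss.getCOSArray(COSName.getPDFName("Certs"));
        for (int i = 0; array != null && i < array.size(); i++) {
            if (array.getObject(i) instanceof COSStream) {
                byte[] der = IOUtils.toByteArray(((COSStream) array.getObject(i)).createInputStream());
                certs.add(new X509CertificateHolder(der));
            }
        }
        return certs;
    }
}
```

An empty result only means the certificates are present somewhere in the DSS; whether they sit in the signed revision or in a later incremental update (the point that matters for DocMDP level 1) is a separate check on the file's revisions.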

0 Answers