EldoS | Feel safer!

PDF - add revocation info

Posted: 03/05/2013 04:17:53
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Is there a way to add revocation information to a non-enhanced PDF signature? In other words, how do I add revocation information to a signature using the TElPDFPublicKeySecurityHandler class (not TElPDFAdvancedPublicKeySecurityHandler)?
Your PAdES sample application shows how to do that for enhanced signatures only. But there should be a way for standard signatures. Am I right? Thank you.
Posted: 03/05/2013 04:22:39
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

You can do this using TElPDFPublicKeySecurityHandler.RevocationInfo and its methods.
Posted: 03/05/2013 04:22:54
by Ken Ivanov (Team)

Hello Lukas,

Use the TElPDFPublicKeySecurityHandler.RevocationInfo object to specify the revocation information, in the form of CRLs and OCSP responses, to be included in the signature. Note that the generic security handler won't collect the revocation information for you (unlike the advanced handler does), so you will have to collect it yourself.
Posted: 03/05/2013 06:08:16
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

I tried to do this:

// attempt 1: copy a locally collected revocation info set into the handler
handler.RevocationInfo.Assign(m_LocalRevInfo, false);

// attempt 2: add an empty CRL slot to the handler and fill it afterwards
int idx = handler.RevocationInfo.AddCRL();
TElCertificateRevocationList crl = handler.RevocationInfo.get_CRLs(idx);

In both cases, the document stays unchanged after it is closed. The problem is probably that I can't call the TElPDFSignature.Update method. It is called in the PAdES sample, but for the TElPDFAdvancedPublicKeySecurityHandler handler. For the TElPDFPublicKeySecurityHandler handler, the following exception is always thrown: SBPDFSecurity.EElPDFPublicKeySecurityHandlerError; Message: "Unsupported feature".
Posted: 03/05/2013 06:12:34
by Ken Ivanov (Team)

There is no way to update revocation information in an existing signature, as it is stored in a signed signature attribute. In other words, revocation information should be added to the signature at the moment of signing.
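Putting the two replies above together, as an added example that is not code from this thread or from the SecureBlackbox samples: the application collects the CRL itself and attaches it through handler.RevocationInfo before the document is signed, since the generic handler stores it in a signed attribute and does not fetch it on its own. Only the names quoted in the thread (TElPDFPublicKeySecurityHandler, RevocationInfo, AddCRL, get_CRLs, TElCertificateRevocationList, the SBPDFSecurity namespace) come from the page; TElPDFDocument, Open, AddSignature, get_Signatures, Handler, CertStorage, LoadFromStream and Close(true) are assumed from the SecureBlackbox .NET API and should be checked against your version.

```csharp
using System.IO;
using SBPDF;                 // assumed namespace for TElPDFDocument / TElPDFSignature
using SBPDFSecurity;         // namespace named in the thread's exception message
using SBCRL;                 // assumed namespace for TElCertificateRevocationList
using SBCustomCertStorage;   // assumed namespace for TElMemoryCertStorage

static class PdfSigner
{
    // Signs the PDF held in 'pdf' with the signing certificate in 'storage' and
    // embeds the CRL read from 'crlStream' into the signature. The CRL must be
    // obtained by the caller beforehand (e.g. downloaded from the CA's CRL
    // distribution point); the generic handler will not collect it.
    public static void SignWithRevocationInfo(Stream pdf, TElMemoryCertStorage storage, Stream crlStream)
    {
        // Generic (non-PAdES) handler, as discussed in the thread.
        var handler = new TElPDFPublicKeySecurityHandler();
        handler.CertStorage = storage;   // assumed property name

        // Revocation data has to be attached now: it ends up in a signed
        // attribute, so it cannot be added once the signature exists.
        int crlIdx = handler.RevocationInfo.AddCRL();                             // from the thread
        TElCertificateRevocationList crl = handler.RevocationInfo.get_CRLs(crlIdx); // from the thread
        crl.LoadFromStream(crlStream, 0);  // assumed: loads the CRL; 0 = read to end of stream

        var doc = new TElPDFDocument();    // assumed
        doc.Open(pdf);                     // assumed
        try
        {
            int sigIdx = doc.AddSignature();                     // assumed
            TElPDFSignature sig = doc.get_Signatures(sigIdx);    // assumed
            sig.Handler = handler;                               // assumed
            // Nothing else is needed here: saving the document produces the
            // signature, with the CRL embedded, in one step.
        }
        finally
        {
            doc.Close(true);   // assumed: true = save changes to the stream
        }
    }
}
```

If the revocation data is not available at signing time, the remaining option described later in the thread is an upgrade to a PAdES signature with a DSS, which the generic handler does not support.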
Posted: 03/05/2013 06:26:14
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

But for enhanced signatures it is possible. It was my original question. I didn't mention that I want to do it for an already existing signature, sorry. My goal is to archive a PDF signature. So, for enhanced PDF signatures it is possible to add validation data somehow, but for standard signatures it is not?
Posted: 03/05/2013 06:34:02
by Ken Ivanov (Team)

Advanced (PAdES) signatures use a different approach to storing revocation information. In the PAdES case, revocation information is appended to the document in the form of a so-called DSS (document security store) object without affecting the original signature. Generic signatures implemented in the standard handler do not support DSS.
Posted: 03/05/2013 06:47:22
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

So, if a standard PDF signature does not already contain validation data, there is no way to archive the signature. Am I right?
Posted: 03/05/2013 06:57:32
by Ken Ivanov (Team)

The only way to archive a generic signature is to convert it to an advanced (PAdES) signature by performing the appropriate upgrade actions (adding DSS and document timestamp elements). This implies that the processing software needs to support PAdES, as it won't be able to 'see' the revocation information otherwise.
Posted: 03/05/2013 06:58:43
by Ken Ivanov (Team)

A small correction to the above post: you won't be able to archive a signature that doesn't have a signature timestamp embedded.

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.