Timestamping already created PDF signature

#26277
Posted: 09/03/2013 10:12:47
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Hello,

I have a problem with adding a timestamp to an already created PDF signature. I use TElPDFSignature.Timestamp method to do that. The method does not throw any exception but it doesn't seem to do anything at all. There is no new timestamp after the PDF document is closed.
Sometimes the method throws "No enough space to place the timestamp". To avoid this I set TElPDFSignature.ExtraSpace. But this also doesn't seem to take any effect because the exception is still thrown.

My sample code:
Code
// 'sig' is the existing TElPDFSignature read from the already opened document (not shown)
TElHTTPSClient HTTPClient = new TElHTTPSClient();
TElHTTPTSPClient TSPClient = new TElHTTPTSPClient();
TSPClient.HTTPClient = HTTPClient;
TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
TSPClient.URL = "http://tsp.iaik.at/tsp/TspRequest";

// attach the TSP client to the security handler of the existing signature
TElPDFPublicKeySecurityHandler sigHandler = (TElPDFPublicKeySecurityHandler)sig.Handler;
sigHandler.TSPClient = TSPClient;
sigHandler.IgnoreTimestampFailure = true;

sig.ExtraSpace = 1024; //optional
sig.Timestamp(); // request the timestamp token and embed it into the signature


The above timestamp URL works fine if I create the timestamp together with the signature. Am I missing something?

Thank you.
#26279
Posted: 09/03/2013 11:52:58
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
use TElPDFSignature.Timestamp method to do that. The method does not throw any exception but it doesn't seem to do anything at all. There is no new timestamp after the PDF document is closed.

Then, did you close a document with "Save" parameter set to true? (eg. Document.Close(true); )

Quote
Sometimes the method throws "No enough space to place the timestamp". To avoid this I set TElPDFSignature.ExtraSpace.

The ExtraSpace property wouldn't have any effect if set before calling Timestamp method. It should be set before creating a signature, to reserve extra space in the signature blob. For your timestamp server you need to reserve at least 4KB. (IMHO, 16KB should be enough for 99% of timestamps.)
#26293
Posted: 09/04/2013 06:20:18
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Quote

Then, did you close a document with "Save" parameter set to true? (eg. Document.Close(true); )


Yes, I did. If I read the signature handler's timestamp count property right after the Timestamp method is called, the number is 0. The timestamp service is called correctly but the result is not added to the signature. I'll try SecureBlackbox 11 and let you know.

Quote

The ExtraSpace property wouldn't have any effect if set before calling Timestamp method. It should be set before creating a signature


The reason I want to add a new signature timestamp to an already created signature is that I want to archive this signature (add validation data and a document timestamp after a grace period). PAdES-LTV doesn't require a signature timestamp, however it is recommended. So, is there really no way to archive a signature if there is not enough space?
#26295
Posted: 09/04/2013 07:03:31
by Dmytro Bogatskyy (EldoS Corp.)

Quote
The reason I want to add a new signature timestamp to an already created signature is that I want to archive this signature (add validation data and a document timestamp after a grace period). PAdES-LTV doesn't require a signature timestamp, however it is recommended. So, is there really no way to archive a signature if there is not enough space?

There is no way to add a timestamp to the signature if there is not enough space.
However, the standard way to archive a PAdES-LTV signature is to add a document timestamp, which protects the existing document and any validation data.
To create PAdES document timestamp you would need to use TElPDFAdvancedPublicKeySecurityHandler and set PAdESSignatureType to pastDocumentTimestamp, please see:
https://www.eldos.com/documentation/sb...etype.html
Then you would need to set TSPClient property (you don't need to set CertStorage property, like for normal signature).
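The two steps from the answers above (reserve ExtraSpace when the signature is created, then add a PAdES document timestamp for archival), as an added C# example that is not code from the thread or from EldoS. The namespaces, the TElPDFDocument Open/AddSignature/Signatures/Close members and the TSBPAdESSignatureType enum name are assumptions about the SecureBlackbox .NET API; the class and property names are the ones named in the thread.

```csharp
// Added example, not code from the thread or from EldoS. SecureBlackbox .NET
// class names are those used in the thread; the namespaces, the TElPDFDocument
// Open/AddSignature/Signatures/Close members and the enum type name are assumed.
using System.IO;
using SBPDF;
using SBPDFSecurity;
using SBHTTPTSPClient;
using SBHTTPSClient;
static class PdfTimestamping
{
    const int ReservedBytes = 16384;  // thread: at least 4 KB for this TSA, 16 KB is generous
    static TElHTTPTSPClient MakeTspClient(string tsaUrl)
    {
        var tsp = new TElHTTPTSPClient();
        tsp.HTTPClient = new TElHTTPSClient();
        tsp.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
        tsp.URL = tsaUrl;
        return tsp;
    }
    // Signing: ExtraSpace only takes effect here, before the signature blob is
    // written, so a later sig.Timestamp() on this signature has room for the token.
    static void SignReservingSpace(string pdfPath, TElPDFPublicKeySecurityHandler signer)
    {
        using (var fs = new FileStream(pdfPath, FileMode.Open, FileAccess.ReadWrite))
        {
            var doc = new TElPDFDocument();
            doc.Open(fs);
            TElPDFSignature sig = doc.Signatures[doc.AddSignature()];
            sig.ExtraSpace = ReservedBytes;
            sig.Handler = signer;  // caller has set CertStorage (and TSPClient if wanted)
            doc.Close(true);       // Save = true, otherwise the signature is not written
        }
    }
    // Archival: PAdES document timestamp covering the existing signature and any
    // validation data already in the file. Needs a TSPClient but no CertStorage.
    static void AddDocumentTimestamp(string pdfPath, string tsaUrl)
    {
        using (var fs = new FileStream(pdfPath, FileMode.Open, FileAccess.ReadWrite))
        {
            var doc = new TElPDFDocument();
            doc.Open(fs);
            TElPDFSignature sig = doc.Signatures[doc.AddSignature()];
            var h = new TElPDFAdvancedPublicKeySecurityHandler();
            h.PAdESSignatureType = TSBPAdESSignatureType.pastDocumentTimestamp;
            h.TSPClient = MakeTspClient(tsaUrl);
            sig.Handler = h;
            doc.Close(true);
        }
    }
}
```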
#26296
Posted: 09/04/2013 08:52:16
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Quote
Dmytro Bogatskyy wrote:
However, the standard way to archive PAdES-LTV signature is to add a document timestamp, which protects the existing document and any validation data.


I know how to create an archive PAdES-LTV signature, I already do that. But before this step, I want to add a signature timestamp because it's recommended and I think I know why: If you validate an archived PDF, you have to validate, among other things, validation data including CRLs. If there is no signature timestamp, you don't know when the CRL was added to the signature. It could be after the signature certificate was revoked or expired. That's why I need to add a signature timestamp before archiving (like in CAdES).


I have just found out that I can add a signature timestamp to an enhanced PDF signature, but not to a normal signature. Plus, there is a complication in some cases with lack of space for the new timestamp and thus a need to add extra space during signature creation. These problems don't allow me to additionally create a signature timestamp.
That's why I think it would be better to create a new timestamped countersignature. The only disadvantage of this way is that I need some valid trusted certificate to create the countersignature. But in the end I am able to validate the original signature and determine when the validation data was added to the signature.
Do you think this is a good approach?
#26322
Posted: 09/05/2013 05:40:41
by Dmytro Bogatskyy (EldoS Corp.)

Quote
I know how to create an archive PAdES-LTV signature, I already do that. But before this step, I want to add a signature timestamp because it's recommended and I think I know why: If you validate an archived PDF, you have to validate, among other things, validation data including CRLs. If there is no signature timestamp, you don't know when the CRL was added to the signature. It could be after the signature certificate was revoked or expired. That's why I need to add a signature timestamp before archiving (like in CAdES).

In fact, a signature timestamp, as its name states, timestamps a signature value; it doesn't timestamp revocation info etc. It certifies the time of signing.
Then, a CRL has the following information: effective date (this update), next update, issuer signature etc. So, it is not important when the CRL was added to the signature; if the CRL issuer certificate is valid then we can trust the CRL info.
An archive timestamp (document timestamp) is used before the algorithms, keys and other cryptographic data used at the time the PAdES-LTV signature was built become weak and the cryptographic functions become vulnerable.
Please see:
https://www.eldos.com/sbb/articles/1951.php "4. Certificate Revocation List (CRL)"
https://www.eldos.com/security/articles/6963.php "Part 4: Long Term - PAdES-LTV Profile"
Quote
I have just found out that I can add a signature timestamp to an enhanced PDF signature, but not to a normal signature.

The TElPDFAdvancedPublicKeySecurityHandler and TElPDFPublicKeySecurityHandler classes use the same method to create a signature timestamp. So, the only difference between those signatures is in the extra space allocated.
Quote
That's why I think it would be better to create a new timestamped countersignature. The only disadvantage of this way is that I need some valid trusted certificate to create the countersignature. But in the end I am able to validate the original signature and determine when the validation data was added to the signature.
Do you think this is a good approach?

The standard approach, as I mentioned before, is to add a document timestamp. However, adding a countersignature seems to be ok too.
#26323
Posted: 09/05/2013 06:53:39
by Lukas Vyslouzil (Standard support level)
Joined: 08/21/2009
Posts: 20

Quote
Dmytro Bogatskyy wrote:
So, it is not important when the CRL was added to the signature; if the CRL issuer certificate is valid then we can trust the CRL info.


You are right, I used the wrong term. But it is important to know that the signer certificate was valid at the time of adding the document timestamp. So, if an archived PDF is validated and the signature is not timestamped, we presume that the document timestamp was created at a time when the signature certificate was valid. Otherwise we couldn't trust the creator of the document timestamp. So, maybe it isn't really needed to create a signature timestamp before the document timestamp and validation data are added.
#26324
Posted: 09/05/2013 09:09:10
by Dmytro Bogatskyy (EldoS Corp.)

Quote
But it is important to know that the signer certificate was valid at the time of adding the document timestamp. So, if an archived PDF is validated and the signature is not timestamped, we presume that the document timestamp was created at a time when the signature certificate was valid. Otherwise we couldn't trust the creator of the document timestamp. So, maybe it isn't really needed to create a signature timestamp before the document timestamp and validation data are added.

If a signature couldn't be validated completely then a document timestamp shouldn't be added. But you can't be 100% sure that a third party that added a document timestamp checked the signature or did it correctly. So, if the signer certificate is revoked/expired at the time of validation, but the CA certificate, algorithms etc. weren't compromised, then the information from the CRL is enough to prove that the certificate was valid at the effective date. If the CA certificate ever becomes compromised, then you know when it happened and in this case a document timestamp proves that the document was signed and the revocation information was added before this time.
As for the signature timestamp, the standard sequence of signing would be:
1. Sign the document and then add a signature timestamp to certify the time of signing.
2. After some grace period (minutes, hours..., depending on the CRL update cycle) add the revocation information.
3. After some period of time add a document timestamp.
If a document timestamp is created immediately after signing a document, then yes, there is almost no use for the signature timestamp.