PDF Adding newer CRL for same certificate

#32725
Posted: 03/24/2015 05:35:23
by Honza Duba (Standard support level)
Joined: 10/06/2014
Posts: 6

Hello,
I'm trying to implement PAdES archiving. I have a PDF with all certificates and CRLs for all of them. After some time I need to add a new version of a CRL whose ThisUpdate is newer than the signature time. I successfully downloaded it:
Code
// URL of the certificate's first CRL distribution point
string location = cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.get_Names(0).UniformResourceIdentifier;
// fetch the CRL over HTTP(S) into memory
MemoryStream replyStream = new MemoryStream();
TElHTTPSClient httpClient = new TElHTTPSClient();
httpClient.OutputStream = replyStream;
int replyCode = httpClient.Get(location);
replyStream.Position = 0;
// parse the downloaded CRL
crl = new TElCertificateRevocationList();
crl.Location = location;
crl.LoadFromStream(replyStream, (int)replyStream.Length);

Then I add it to the corresponding PDF document signature:
Code
int idx = handler.CustomRevocationInfo.AddCRL();
handler.CustomRevocationInfo.get_CRLs(idx).Assign(crl);

and update this signature and close the document:
Code
sig.Update();
doc.Close(true);
doc.Dispose();
docStream.Close();
docStream.Dispose();

But the file doesn't change. It is saved with a new time, but the content is the same, not a byte changed.
#32726
Posted: 03/24/2015 06:02:17
by Ken Ivanov (EldoS Corp.)

Hi Honza,

What you wish to achieve is called incremental archiving. This should be done in a slightly different way, primarily due to the fact that the existing signature window in the document can't be extended; you can only append newer information to the end of the document.

To update the signature with fresh revocation information, please do the following:

1. Open the document and get the TElPDFAdvancedPublicKeySecurityHandler object assigned to the existing signature.

2. Configure the handler to operate in a desired way by adjusting AutoCollectRevocationInfo, IgnoreChainValidationErrors and other properties. Provide custom revocation elements via handler.CustomRevocationInfo property if necessary.

3. Call the Update() method of the needed TElPDFSignature object.

4. If needed, certify the update with a document timestamp. A document timestamp is a special kind of PDF signature created by a third party timestamping service. If you need such certification, please add a new TElPDFSignature object to the current document and provide a new security handler for it (with PAdESSignatureType property set to TSBPAdESSignatureType.pastDocumentTimestamp and TSPClient pointing to a properly configured TSP client object).

5. Close the document, passing true as the Save parameter.

The C# PAdES sample shipped with SecureBlackbox distribution (see btnUpdSig_Click()) provides a more comprehensive guidance on updating the signature and setting up a document timestamp signature handler.

Cheers,

Ken
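The five steps above, as one added C# example (not code from the thread and not the SecureBlackbox PAdES sample Ken refers to). It assumes a licence key, file paths and a TSP URL supplied by the caller, an already-downloaded DER CRL, and the `SBHTTPTSPClient` namespace and the `ThisUpdate`/`SigningTime` property names; the DSS-related `PAdESOptions` flags are the ones used elsewhere in this thread. It also adds the check a practitioner wants before appending a CRL: the CRL's ThisUpdate must lie after the signature's signing time, otherwise it proves nothing about the status at signing.

```csharp
using System;
using System.IO;
using SBUtils;
using SBCRL;
using SBPDF;
using SBPDFSecurity;
using SBPAdES;
using SBHTTPTSPClient;   // assumed namespace of TElHTTPTSPClient

// Added example: incremental PAdES archiving with SecureBlackbox (not from the thread).
class IncrementalArchive
{
    // True when the CRL was issued after the signature, i.e. it can vouch for the
    // signer's status at signing time. Property names are assumed (see lead-in).
    static bool CrlIsNewerThanSignature(TElCertificateRevocationList crl, TElPDFSignature sig)
    {
        return crl.ThisUpdate > sig.SigningTime;
    }

    static void Main(string[] args)
    {
        string pdfPath = args[0];   // assumed: signed PAdES document (updated in place)
        string crlPath = args[1];   // assumed: freshly downloaded DER CRL for one issuer
        string tspUrl  = args[2];   // assumed: timestamping service URL

        SBUtils.Unit.SetLicenseKey("<licence key>");   // placeholder
        SBPDF.Unit.Initialize();
        SBPDFSecurity.Unit.Initialize();
        SBPAdES.Unit.Initialize();
        // make the advanced (PAdES) handler the preferred one, as in the thread
        SBPDF.Unit.UnregisterSecurityHandler(TElPDFPublicKeySecurityHandler.MetaClass.Instance);
        SBPDF.Unit.UnregisterSecurityHandler(TElPDFAdvancedPublicKeySecurityHandler.MetaClass.Instance);
        SBPDF.Unit.RegisterSecurityHandler(TElPDFAdvancedPublicKeySecurityHandler.MetaClass.Instance);
        SBPDF.Unit.RegisterSecurityHandler(TElPDFPublicKeySecurityHandler.MetaClass.Instance);

        TElCertificateRevocationList freshCrl = new TElCertificateRevocationList();
        using (FileStream crlStream = File.OpenRead(crlPath))
            freshCrl.LoadFromStream(crlStream, (int)crlStream.Length);

        // read-write: the update is appended to the end of the file
        using (FileStream docStream = new FileStream(pdfPath, FileMode.Open, FileAccess.ReadWrite))
        {
            TElPDFDocument doc = new TElPDFDocument();
            doc.Open(docStream);
            bool save = false;
            try
            {
                // Steps 1-3: refresh every existing PAdES signature with the new CRL
                for (int i = 0; i < doc.SignatureCount; i++)
                {
                    TElPDFSignature sig = doc.get_Signatures(i);
                    TElPDFAdvancedPublicKeySecurityHandler handler =
                        sig.Handler as TElPDFAdvancedPublicKeySecurityHandler;
                    if (handler == null)
                        continue;   // not a PAdES signature, nothing to archive
                    if (!CrlIsNewerThanSignature(freshCrl, sig))
                        continue;   // stale CRL: do not append useless revocation data

                    handler.AutoCollectRevocationInfo = false;   // we supply the CRL ourselves
                    handler.IgnoreChainValidationErrors = true;  // chain may be incomplete offline
                    handler.PAdESOptions |= (SBPAdES.Unit.poIncludeAllRevInfoToDSS |
                                             SBPAdES.Unit.poCreateVRIDictionaries);
                    int idx = handler.CustomRevocationInfo.AddCRL();
                    handler.CustomRevocationInfo.get_CRLs(idx).Assign(freshCrl);
                    sig.Update();
                    save = true;
                }

                // Step 4: document timestamp covering the whole updated document
                if (save)
                {
                    TElHTTPTSPClient tsp = new TElHTTPTSPClient();
                    tsp.URL = tspUrl;
                    TElPDFAdvancedPublicKeySecurityHandler tsHandler = new TElPDFAdvancedPublicKeySecurityHandler();
                    tsHandler.PAdESSignatureType = TSBPAdESSignatureType.pastDocumentTimestamp;
                    tsHandler.TSPClient = tsp;
                    int tsIdx = doc.AddSignature();
                    doc.get_Signatures(tsIdx).Handler = tsHandler;
                }
            }
            finally
            {
                // Step 5: Save = true writes the incremental update; false leaves the file untouched
                doc.Close(save);
            }
        }
    }
}
```

The skip-on-stale check is the point of the example: a CRL whose ThisUpdate precedes the signing time (the 12.11.2014 06:34 CRL in this thread) cannot be the revocation evidence for that signature, so only the later one is worth appending, and the document timestamp then freezes the new DSS content in time.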
#32727
Posted: 03/24/2015 06:47:23
by Honza Duba (Standard support level)
Joined: 10/06/2014
Posts: 6

I thought that that is what I'm doing.
I have a document which is already timestamped and the CRL is included, by the way, with the same program using your components. But I need to add an updated version of the CRL. Let's take a specific case:
PDF file with one signature and timestamp; signing time: 12. 11. 2014 13:59:30
All 6 certificates included in the file (signing certificate, its issuer's certificate and its issuer, which is the root for the signing person, and the timestamp CA)
There are four CRLs in the file, three of them OK, with ThisUpdate newer than 12. 11. 2014 13:59:30.
But one CRL which is included has ThisUpdate 12.11.2014 6:34:20, NextUpdate 13.11.2014 6:34:20 and Extensions.CRLNumber 37184; for this issuer I want to add a second CRL downloaded today. I'm able to download it, and today it has ThisUpdate 24.3.2015 11:20:06, NextUpdate 25.6.2015 11:20:06 and Number 39765. But when I try to add it, as seen in my previous post, nothing happens.
#32728
Posted: 03/24/2015 07:10:41
by Ken Ivanov (EldoS Corp.)

Hi Honza,

Thank you for checking that. Could you please try adding the poIncludeAllRevInfoToDSS flag to PAdESOptions flag set and check if it changes anything?

Cheers,

Ken
#32729
Posted: 03/24/2015 07:40:38
by Honza Duba (Standard support level)
Joined: 10/06/2014
Posts: 6

I have this there:
Code
Stream docStream = File.Open(filename, FileMode.Open);
TElPDFDocument doc = new TElPDFDocument();
doc.Open(docStream);
TElPDFSignature sig = doc.get_Signatures(0);
TElPDFAdvancedPublicKeySecurityHandler handler = (sig.Handler as TElPDFAdvancedPublicKeySecurityHandler);
handler.AutoCollectRevocationInfo = false;
handler.DeepValidation = false;
handler.ForceCompleteChainValidation = false;
handler.PAdESOptions |= (SBPAdES.Unit.poIncludeAllRevInfoToDSS | SBPAdES.Unit.poCreateVRIDictionaries);
#32730
Posted: 03/24/2015 07:53:59
by Honza Duba (Standard support level)
Joined: 10/06/2014
Posts: 6

Whole code:
Code
SBUtils.Unit.SetLicenseKey(my licence);
SBPDF.Unit.Initialize();
SBPDFSecurity.Unit.Initialize();
SBPAdES.Unit.Initialize();
// change PDF handler priority
SBPDF.Unit.UnregisterSecurityHandler(TElPDFPublicKeySecurityHandler.MetaClass.Instance);
SBPDF.Unit.UnregisterSecurityHandler(TElPDFAdvancedPublicKeySecurityHandler.MetaClass.Instance);
SBPDF.Unit.RegisterSecurityHandler(TElPDFAdvancedPublicKeySecurityHandler.MetaClass.Instance);
SBPDF.Unit.RegisterSecurityHandler(TElPDFPublicKeySecurityHandler.MetaClass.Instance);
SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();
SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();

// open the already signed document and take its first signature
Stream docStream = File.Open(pdf filename, FileMode.Open);
TElPDFDocument doc = new TElPDFDocument();
doc.Open(docStream);
TElPDFSignature sig = doc.get_Signatures(0);
TElPDFAdvancedPublicKeySecurityHandler handler = (sig.Handler as TElPDFAdvancedPublicKeySecurityHandler);
handler.AutoCollectRevocationInfo = false;
handler.DeepValidation = false;
handler.ForceCompleteChainValidation = false;
handler.PAdESOptions = (SBPAdES.Unit.poIncludeAllRevInfoToDSS | SBPAdES.Unit.poCreateVRIDictionaries);
// the certificate whose CRL is to be refreshed
TElX509Certificate cert = handler.Certificates.get_Certificates(2);
string location = cert.Extensions.CRLDistributionPoints.get_DistributionPoints(0).Name.get_Names(0).UniformResourceIdentifier;
// download the current CRL from its distribution point
MemoryStream replyStream = new MemoryStream();
TElHTTPSClient httpClient = new TElHTTPSClient();
httpClient.OutputStream = replyStream;
int replyCode = httpClient.Get(location);
replyStream.Position = 0;
TElCertificateRevocationList crl = new TElCertificateRevocationList();
crl.Location = location;
crl.LoadFromStream(replyStream, (int)replyStream.Length);
// attach it to the signature, update, and save
int idx = handler.CustomRevocationInfo.AddCRL();
handler.CustomRevocationInfo.get_CRLs(idx).Assign(crl);
sig.Update();
doc.Close(true);
doc.Dispose();
docStream.Close();
docStream.Dispose();
#32732
Posted: 03/24/2015 16:32:25
by Ken Ivanov (EldoS Corp.)

Honza,

Would you mind continuing the discussion in the help desk? We need to send you some files and the forum does not support large attachments. I've created a ticket for you - you will receive an e-mail notification with all the details shortly.

Cheers,

Ken