EldoS | Feel safer!

Software components for data protection, secure storage and transfer

DC for creating LTV Compilant signatures

Posted: 01/14/2016 10:19:13
by Matthias Wyler (Standard support level)
Joined: 01/13/2016
Posts: 5

I'm trying to create LTV Compilant Signatures using the DC Components. Using the DC Sample as base, i have set AutoCollectionRevocationInfo, ForceCompleteChainValidation, DeepValidation and IncludeRevocationInfoToAdobeAttribute to true and configured a TSA using the TSPClient Property of the TElPDFAdvancedPublicKeySecurityHandler object used for signing.

What I have now is a signed PDF, saying that there is an embedded Timestamp, but Acrobat Reader keeps complaining, that the Signature is not LTV Compilant and will expire 09/22/2017.

my modified FinishSigning - Method of Result.Aspx.cs looks like this:
protected void FinishSigning(ref String fileName, byte[] signature)
            TElDCAsyncState state = new TElDCAsyncState();
            MemoryStream input = new MemoryStream(signature);
            state.LoadFromStream(input, SBDCXMLEnc.__Global.DCXMLEncoding());
            TElPDFDocument doc = new TElPDFDocument();
            //TElPDFPublicKeySecurityHandler handler = new TElPDFPublicKeySecurityHandler();
            TElPDFAdvancedPublicKeySecurityHandler handler = new TElPDFAdvancedPublicKeySecurityHandler();
            handler.PAdESSignatureType = TSBPAdESSignatureType.pastDocumentTimestamp;
            handler.AutoCollectRevocationInfo = true;
            handler.ForceCompleteChainValidation = true;
            handler.DeepValidation = true;
            handler.IncludeRevocationInfoToAdbeAttribute = true;
            handler.HashAlgorithm = SBConstants.__Global.SB_ALGORITHM_DGST_SHA256;
            handler.CustomName = "Adobe.PPKMS";
            handler.TSPClient = new TElHTTPTSPClient
                HTTPClient = new TElHTTPSClient(),
                URL = "--my tsa url goes here--"

       FileStream file = new FileStream(fileName, FileMode.Open, FileAccess.ReadWrite);
                doc.CompleteAsyncOperation(file, state, handler);

            File.Move(fileName, Path.ChangeExtension(fileName, ".pdf"));
            fileName = Path.ChangeExtension(fileName, ".pdf");
Posted: 01/14/2016 10:51:11
by Eugene Mayevski (Team)

Thank you for contacting us.

Before we proceed with with DC signing , could you please try to do the same operation in regular, non-DC mode? This will let us understand if the difficulties are specific to DC mode or to signing itself.

Sincerely yours
Eugene Mayevski
Posted: 01/14/2016 11:35:01
by Matthias Wyler (Standard support level)
Joined: 01/13/2016
Posts: 5

Hi Eugene,

thanks for the response.
When I sign a File using the PADESDemo, it works fine.
I checked the following flags in the add-signature dialog:
- Create enhanced Signature
- Request a Timestamp
- Automatically collect revocation information
- ignore chain validation errors

the ignore validation check was needed, because otherwise the application complained, that the chain-validation has failed. If i check the signature after signing it shows me all revocation information, the timestamp. Chain validation still fails after re-opening the file with the pades demo.

when i open the DC-Signed file with the pades demo, i can see, that only the certificates are included, but not the revocation information.
Posted: 01/14/2016 12:13:04
by Ken Ivanov (Team)

Hi Matthias,

When building a DC-driven signing process, you would find the following considerations useful:

1. For several reasons, revocation information is collected on the pre-signing stage. That is, if you need to build an advanced signature (e.g. PAdES) purely with DC, you must have your signing certificate available for the handler on the pre-signing stage. There is obviously no need for the private key to be available.

2. In many cases, including those where you can't provide the signing certificate on the pre-signing stage of your DC scheme, it is more reasonable to use a two-step approach for creating advanced signatures:

- on the first step you use DC to sign your document without caring about validation information (this is what you do now). As an outcome of this step you get a generic (non-AdES) signature.

- on the second step you update the signature by extending the document with the missing validation information. This is what the PAdES sample calls 'Signature update'. On this step you collect the missing CRLs, OCSPs and certificates, insert them to document and, optionally, finish with Document Timestamp. As a result you get a complete LTV-signed document.

You can do a quick PoC by creating a signed document as you do now, and then feeding it to the PAdES sample for updating. Please remember to check 'Automatically Collect Validation Information and 'Ignore Chain Validation Errors' boxes so that the sample was able to collect the whole set of validation elements for you independently of the local trust settings.

If the PoC works for you, you can base your application on it by extending it with signature updating functionality from the sample. If it doesn't, I would suggest that we continue the discussion in our secure help desk environment, as we would need to see examples of the signed documents you get to guide you further.

Posted: 01/15/2016 03:36:17
by Matthias Wyler (Standard support level)
Joined: 01/13/2016
Posts: 5

Perfect! that does the trick. thank you very much



Topic viewed 2400 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!