Problems reading signed PDF with pastEnhanced PAdES signature type

#37166
Posted: 07/06/2016 13:23:57
by Leovan Tavares (Basic support level)
Joined: 05/30/2016
Posts: 3

Hello all.

We are evaluating SecureBlackbox for PDF (PAdES) signing at my company. Our goal is to sign PDFs using long-term PDF signatures.
We followed the how-to's, looked at the code samples and searched the knowledgebase.

We succeed signing the documents with pastBasic type (including timestamp). PDF is read on Acrobat Reader and signature properly validated. But, when we change the signature type from pastBasic to pastEnhanced, Acrobat can no longer validate the signature, reporting that the signature handler isn't recognized. Viewing the signature properties, at 'Verification error' tab, we got the message:
Quote

Error during signature verification.

The format of this signature is not supported by this signature method. You may require a newer version of the signature handler.


Below I paste some code snippets in C++ to clarify. I suppressed some common parts, but let me know if you need more information.

This is my main code (the docspace::CertificateValidator class is used just to store the trusted and known certificates to be passed to the certificate validator):


Code
/*
* Loading certificates
*/
//Storages to known, signer and trusted certificates
TElMemoryCertStorage knownCertificateStorage(NULL);
TElMemoryCertStorage signerCertificateStorage(NULL);
TElMemoryCertStorage trustedCertificateStorage(NULL);
//Signer certificates
//Root certificate
TElX509Certificate rootCertificate(NULL);
rootCertificate.LoadFromFileAuto(ROOT_CERT, "");
//Root is trusted
trustedCertificateStorage.Add(rootCertificate, false);
signerCertificateStorage.Add(rootCertificate, false);
//Intermediate certificate
TElX509Certificate intCertificate(NULL);
intCertificate.LoadFromFileAuto(INT_CERT, "");
//Intermediate is known
knownCertificateStorage.Add(intCertificate, false);
//Signer certificate
TElX509Certificate signerCertificate(NULL);
signerCertificate.LoadFromFileAuto(SIGNER_CERT, SIGNER_CERT_PASS);
signerCertificateStorage.Add(signerCertificate, true);
//TSA certificates
//Root
TElX509Certificate tsaRootCertificate(NULL);
tsaRootCertificate.LoadFromFileAuto(TSA_ROOT_CERT, "");
//Root is trusted
trustedCertificateStorage.Add(tsaRootCertificate, false);
//Server
TElX509Certificate tsaCertificate(NULL);
tsaCertificate.LoadFromFileAuto(TSA_CERT, "");
knownCertificateStorage.Add(tsaCertificate, false);
/*
* Object to store the certificates that must be passed to certificate validator
*/
docspace::CertificateValidator cert(&trustedCertificateStorage, &knownCertificateStorage);

/*
* TSA settings
*/
TElHTTPSClient httpsClient(NULL);
TElHTTPTSPClient tspClient(NULL);
tspClient.set_OnTSPError(&tspClient_OnTSPError, NULL);
tspClient.set_HTTPClient(httpsClient);
tspClient.set_URL(TSA_URL);
tspClient.set_HashAlgorithm(SB_ALGORITHM_DGST_SHA256);
/*
* Signature handler settings
*/
TElPDFAdvancedPublicKeySecurityHandler signSecHandler(NULL);
signSecHandler.set_CertStorage(signerCertificateStorage);
signSecHandler.set_PAdESSignatureType(pastEnhanced); // PADES_BASIC = pastBasic / PADES_BES | PADES_EPES | PADES_LTV = pastEnhanced
signSecHandler.set_TSPClient(tspClient);
signSecHandler.set_CustomName("Adobe.PPKLite");
signSecHandler.set_SignatureType(pstPKCS7SHA1);
//LTV
signSecHandler.set_AutoCollectRevocationInfo(true);
signSecHandler.set_DeepValidation(true);
signSecHandler.set_ForceCompleteChainValidation(true);
signSecHandler.set_IncludeRevocationInfoToAdbeAttribute(true);

//Events
signSecHandler.set_OnCertValidatorPrepared(&signSecHandler_OnCertValidatorPrepared, &cert);
/*
* PDF
*/
TFileStream inputStream(pdfFilename, filemodeOpenReadWrite);
TElPDFDocument pdf(NULL);
pdf.Open(inputStream);
/*
* Adds new signature
*/
int signIndex = pdf.AddSignature();
TElPDFSignature *sign = pdf.get_Signatures(signIndex);
sign->set_Handler(signSecHandler);
sign->set_Invisible(true);
sign->set_Reason("Assinatura de documento");

sign->set_SignatureType(stDocument);
time_t t;
time(&t);
sign->set_SigningTime(t);
pdf.Close(true);


And this is the event to set the certificate validator's properties.

Code
void SB_CALLBACK signSecHandler_OnCertValidatorPrepared(void *objCert, TObjectHandle, TElX509CertificateValidatorHandle *hCertValidator, TElX509CertificateHandle hCertificate)
{
    try
    {
        TElX509Certificate eventCertificate(hCertificate, false);
        TName subject, issuer;
        eventCertificate.get_SubjectName(subject);
        eventCertificate.get_IssuerName(issuer);
        std::cout << "TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared: " << (char *)subject.CommonName << " [" << (char *)issuer.CommonName << "]" << std::endl;

        docspace::CertificateValidator * uCertValidator = (docspace::CertificateValidator *) objCert;

        TElX509CertificateValidator certValidator_(*hCertValidator, false);

        certValidator_.AddTrustedCertificates(uCertValidator->getTrustedCertStorage());
        certValidator_.AddKnownCertificates(uCertValidator->getKnownCertStorage());

        certValidator_.set_CheckCRL(false); // default = true
        certValidator_.set_CheckOCSP(true); // default = true
        certValidator_.set_RevocationCheckPreference(rcpPreferOCSP); // rcpPreferCRL = 0, rcpPreferOCSP = 1, rcpCheckBoth = 2
        certValidator_.set_IgnoreCABasicConstraints(true);
    }
    catch (SBException E)
    {
        std::cout << "Unexpected error in TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared event handler!" << std::endl;
        std::cout << E.what() << std::endl;
        std::cout << "Stack trace: " << E.getErrorStackTrace().c_str() << std::endl;
    }
}
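Acrobat's message refers to the signature handler and the format it expects; in the file itself these are the /Filter and /SubFilter entries of the signature dictionary, so the first diagnostic is to compare what the two signing runs (pastBasic and pastEnhanced) actually wrote there, together with whether the /ByteRange covers the whole file except the /Contents hex string and whether a /DSS dictionary (the LTV validation data) was added. The inspector below is an added example, not code from the post or from SecureBlackbox; it assumes that the set_CustomName("Adobe.PPKLite") call in the post ends up as /Filter, and the PDF it builds for itself is a constructed test fixture with a zero-filled signature, not a real signed document. The SubFilter names it recognises are the ones defined in ISO 32000-1 (adbe.*) and ETSI EN 319 142 (ETSI.*).

```python
"""Inspect the signature dictionaries inside a PDF (added example, not
code from the forum post or from SecureBlackbox). Reports /Filter,
/SubFilter and /ByteRange of every signature and checks that the
ByteRange covers the whole file except the /Contents hex string."""
import re
import sys

# SubFilter names from ISO 32000-1 (adbe.*) and ETSI EN 319 142 (ETSI.*)
KNOWN_SUBFILTERS = {
    b"adbe.pkcs7.detached": "PKCS#7 detached (Adobe handler)",
    b"adbe.pkcs7.sha1": "PKCS#7 over SHA-1 digest (Adobe handler)",
    b"adbe.x509.rsa_sha1": "bare PKCS#1 signature (Adobe handler)",
    b"ETSI.CAdES.detached": "PAdES / CAdES detached",
    b"ETSI.RFC3161": "document timestamp",
}


def dict_end(data, start):
    """Index just past the '>>' closing the dictionary that opens at `start`.
    Literal strings and hex strings are skipped so a '>>' inside them is ignored."""
    depth, i, n = 0, start, len(data)
    while i < n:
        if data.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        elif data[i:i + 1] == b"<":            # hex string <...>
            i = data.index(b">", i) + 1
        elif data[i:i + 1] == b"(":            # literal string, may nest and escape
            lvl = 0
            while i < n:
                ch = data[i:i + 1]
                i += 2 if ch == b"\\" else 1
                lvl += (ch == b"(") - (ch == b")")
                if lvl == 0:
                    break
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset %d" % start)


def name_entry(body, key):
    """Value of a name-valued entry such as /Filter /Adobe.PPKLite, or None."""
    m = re.search(rb"/" + key + rb"\s*/([^\s/<>\[\]()]+)", body)
    return m.group(1) if m else None


def inspect_pdf(data):
    """Return {'signatures': [...], 'has_dss': bool} for raw PDF bytes."""
    sigs = []
    for m in re.finditer(rb"/ByteRange\s*\[", data):
        # walk back to the '<<' that really encloses /ByteRange, skipping
        # nested dictionaries (e.g. /Prop_Build) that closed before it
        pos, start = m.start(), None
        while start is None:
            c = data.rfind(b"<<", 0, pos)
            if c < 0:
                break
            if dict_end(data, c) > m.start():
                start = c
            pos = c
        if start is None:
            continue
        body = data[start:dict_end(data, start)]
        br = re.search(rb"/ByteRange\s*\[([^\]]*)\]", body)
        rng = [int(x) for x in br.group(1).split()] if br else []
        cm = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", body)
        sub = name_entry(body, b"SubFilter")
        # the two ranges must start at 0, stop at the '<' of /Contents,
        # resume right after its '>' and end exactly at end of file
        ok = (bool(cm) and len(rng) == 4 and rng[0] == 0
              and rng[1] == start + cm.start(1) - 1
              and rng[2] == start + cm.end(1) + 1
              and rng[2] + rng[3] == len(data))
        sigs.append({
            "filter": name_entry(body, b"Filter"),
            "subfilter": sub,
            "subfilter_desc": KNOWN_SUBFILTERS.get(sub, "unknown SubFilter"),
            "byte_range": rng,
            "byte_range_ok": ok,
            "contents_hex_chars": len(cm.group(1)) if cm else 0,
        })
    return {"signatures": sigs, "has_dss": b"/DSS" in data}


def build_sample_pdf(filter_name, subfilter, hex_chars=64):
    """Construct a minimal PDF with one zero-filled signature (test fixture,
    not a real signed document); the ByteRange is computed to be consistent."""
    head = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /AcroForm << /Fields [3 0 R]"
            b" /SigFlags 3 >> >>\nendobj\n3 0 obj\n<< /Type /Sig /Filter /" + filter_name +
            b" /SubFilter /" + subfilter + b" /Reason (Assinatura \\(teste\\))"
            b" /Prop_Build << /App << /Name /Example >> >>\n/Contents ")
    l0 = len(head)                 # offset of the '<' opening /Contents
    a1 = l0 + hex_chars + 2        # offset just past the closing '>'

    def tail(l1):                  # fixed-width numbers keep the length stable
        return b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n%%%%EOF\n" % (l0, a1, l1)

    return head + b"<" + b"0" * hex_chars + b">" + tail(len(tail(0)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pdf(b"Adobe.PPKLite", b"ETSI.CAdES.detached")
    report = inspect_pdf(data)
    print("DSS present:", report["has_dss"])
    for s in report["signatures"]:
        print(s)
```

Run it against the pastBasic and the pastEnhanced output in turn (`python inspect_sig.py signed.pdf`): the pair of /Filter and /SubFilter values is what a verifier matches against its handlers, a failed ByteRange check means the file was modified after signing or the ranges were written wrong, and has_dss tells you whether the revocation data collected for LTV actually landed in the document.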
#37168
Posted: 07/06/2016 15:35:49
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us,

Quote
But, when we change the signature type from pastBasic to pastEnhanced, Acrobat can no longer validate the signature, reporting that the signature handler isn't recognized.

What version of Acrobat Reader are you using?

Could you please attach the signed PDF document so that we can use it to reproduce the issue locally? Please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
#37169
Posted: 07/06/2016 16:44:28
by Leovan Tavares (Basic support level)
Joined: 05/30/2016
Posts: 3

Hi, Dmytro.

Thanks for your quick answer. My mistake for not adding the file.
I uploaded it through the helpdesk: https://www.eldos.com/helpdesk/ticket_edit.php?ID=30156

I've tried with Acrobat 9.5 on Linux and Acrobat DC 2015 on Windows 10.
