EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Problems reading signed PDF with pastEnhanced PAdES signature type

Posted: 07/06/2016 13:23:57
by Leovan Tavares (Basic support level)
Joined: 05/30/2016
Posts: 3

Hello all.

We are evaluating SecureBlackbox for PDF (PAdES) signing at my company. Our goal is to sign PDFs using long-term PDF signatures.
We followed the how-to's, looked at the code samples and searched the knowledgebase.

We succeeded in signing the documents with the pastBasic type (including timestamp). The PDF is read in Acrobat Reader and the signature is properly validated. But, when we change the signature type from pastBasic to pastEnhanced, Acrobat can no longer validate the signature, reporting that the signature handler isn't recognized. Viewing the signature properties, on the 'Verification error' tab, we got the message:

Error during signature verification.

The format of this signature is not supported by this signature method. You may require a newer version of the signature handler.

Below I paste some code snippets in C++ to clarify. I suppressed some common parts, but let me know if you need more information.

This is my main code (the docspace::CertificateValidator class is used just to store the trusted and known certificates to be passed to the certificate validator):

// Loading certificates
//Storages to known, signer and trusted certificates
TElMemoryCertStorage knownCertificateStorage(NULL);
TElMemoryCertStorage signerCertificateStorage(NULL);
TElMemoryCertStorage trustedCertificateStorage(NULL);
//Signer certificates
//Root certificate
TElX509Certificate rootCertificate(NULL);
rootCertificate.LoadFromFileAuto(ROOT_CERT, "");
//Root is trusted
trustedCertificateStorage.Add(rootCertificate, false);
signerCertificateStorage.Add(rootCertificate, false);
//Intermediate certificate
TElX509Certificate intCertificate(NULL);
intCertificate.LoadFromFileAuto(INT_CERT, "");
//Intermediate is known
knownCertificateStorage.Add(intCertificate, false);
//Signer certificate
TElX509Certificate signerCertificate(NULL);
signerCertificate.LoadFromFileAuto(SIGNER_CERT, SIGNER_CERT_PASS);
signerCertificateStorage.Add(signerCertificate, true);
//TSA certificates
TElX509Certificate tsaRootCertificate(NULL);
tsaRootCertificate.LoadFromFileAuto(TSA_ROOT_CERT, "");
//Root is trusted
trustedCertificateStorage.Add(tsaRootCertificate, false);
TElX509Certificate tsaCertificate(NULL);
tsaCertificate.LoadFromFileAuto(TSA_CERT, "");
knownCertificateStorage.Add(tsaCertificate, false);
// Object to store the certificates that must be passed to certificate validator
docspace::CertificateValidator cert(&trustedCertificateStorage, &knownCertificateStorage);

// TSA settings
TElHTTPSClient httpsClient(NULL);
TElHTTPTSPClient tspClient(NULL);
tspClient.set_OnTSPError(&tspClient_OnTSPError, NULL);
// Signature handler settings
TElPDFAdvancedPublicKeySecurityHandler signSecHandler(NULL);
signSecHandler.set_PAdESSignatureType(pastEnhanced); // PADES_BASIC = pastBasic / PADES_BES | PADES_EPES | PADES_LTV = pastEnhanced

signSecHandler.set_OnCertValidatorPrepared(&signSecHandler_OnCertValidatorPrepared, &cert);
TFileStream inputStream(pdfFilename, filemodeOpenReadWrite);
TElPDFDocument pdf(NULL);
// Adds new signature
int signIndex = pdf.AddSignature();
TElPDFSignature *sign = pdf.get_Signatures(signIndex);
sign->set_Reason("Assinatura de documento");

time_t t;

And this is the event to set the certificate validator's properties.

void SB_CALLBACK signSecHandler_OnCertValidatorPrepared(void *objCert, TObjectHandle, TElX509CertificateValidatorHandle *hCertValidator, TElX509CertificateHandle hCertificate)
{
    try
    {
        TElX509Certificate eventCertificate(hCertificate, false);
        TName subject, issuer;
        std::cout << "TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared: " << (char *)subject.CommonName << " [" << (char *)issuer.CommonName << "]" << std::endl;

        // The user-data pointer carries the trusted/known certificate storages
        docspace::CertificateValidator * uCertValidator = (docspace::CertificateValidator *) objCert;

        // Wrap the validator handle without taking ownership of it
        TElX509CertificateValidator certValidator_(*hCertValidator, false);

        // Revocation checking: CRL lookups off, OCSP on and preferred
        certValidator_.set_CheckCRL(false); // default = true
        certValidator_.set_CheckOCSP(true); // default = true
        certValidator_.set_RevocationCheckPreference(rcpPreferOCSP); // rcpPreferCRL = 0, rcpPreferOCSP = 1, rcpCheckBoth = 2
    }
    catch (SBException E)
    {
        std::cout << "Unexpected error in TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared event handler!" << std::endl;
        std::cout << E.what() << std::endl;
        std::cout << "Stack trace: " << E.getErrorStackTrace().c_str() << std::endl;
    }
}

Posted: 07/06/2016 15:35:49
by Dmytro Bogatskyy (Team)

Thank you for contacting us,

"But, when we change the signature type from pastBasic to pastEnhanced, Acrobat can no longer validate the signature, reporting that the signature handler isn't recognized."

What version of Acrobat Reader are you using?

Could you please attach the signed PDF document that we could use to reproduce the issue locally? Please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
Posted: 07/06/2016 16:44:28
by Leovan Tavares (Basic support level)
Joined: 05/30/2016
Posts: 3

Hi, Dmytro.

Thanks for your quick answer. My mistake not adding the file.
I uploaded it through helpdesk https://www.eldos.com/helpdesk/ticket_edit.php?ID=30156

I've tried with Acrobat 9.5 on Linux and Acrobat DC 2015 on Windows 10.
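
A PDF declares the format of each signature in the /SubFilter entry of its signature dictionary, so listing those entries shows what a viewer is being asked to handle. The following is an added example, not code from this thread or from SecureBlackbox: the function names and the sample bytes are constructed for illustration, and the labels follow the PAdES profiles in ETSI TS 102 778 (parts 2 to 4).

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Collect every name value that follows a /SubFilter key in raw PDF bytes.
// Assumption: the signature dictionary is stored uncompressed (not inside
// an object stream), so a plain byte scan can see it.
std::vector<std::string> findSubFilters(const std::string &pdf)
{
    static const std::string key = "/SubFilter";
    static const std::string delims = "/<>[](){}%";
    std::vector<std::string> found;
    for (size_t pos = pdf.find(key); pos != std::string::npos; pos = pdf.find(key, pos + 1))
    {
        size_t i = pos + key.size();
        while (i < pdf.size() && std::isspace(static_cast<unsigned char>(pdf[i]))) ++i;
        if (i >= pdf.size() || pdf[i] != '/') continue; // longer key, or value is not a name
        const size_t start = ++i;
        // A PDF name ends at whitespace or at a delimiter character.
        while (i < pdf.size() && !std::isspace(static_cast<unsigned char>(pdf[i])) &&
               delims.find(pdf[i]) == std::string::npos) ++i;
        found.push_back(pdf.substr(start, i - start));
    }
    return found;
}

// Map a /SubFilter name to the signature format it announces.
std::string describeSubFilter(const std::string &name)
{
    if (name == "adbe.pkcs7.detached" || name == "adbe.pkcs7.sha1")
        return "PKCS#7 (PAdES basic)";
    if (name == "ETSI.CAdES.detached")
        return "CAdES (PAdES-BES/EPES)";
    if (name == "ETSI.RFC3161")
        return "RFC 3161 document timestamp (PAdES-LTV)";
    return "other";
}

int main()
{
    // Constructed sample: two signature dictionaries as they might appear in a file.
    const std::string sample =
        "<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached >>\n"
        "<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter/ETSI.CAdES.detached >>\n";
    for (const std::string &name : findSubFilters(sample))
        std::cout << name << " -> " << describeSubFilter(name) << "\n";
}
```

To inspect a real document, read the signed file in binary mode into a `std::string` and pass it to `findSubFilters`.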




As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.
