EldoS | Feel safer!

LTV Signature using DC Components
#37569
Posted: 08/26/2016 03:56:11
by Matthias Wyler (Standard support level)
Joined: 01/13/2016
Posts: 5

I have an application that needs to do qualified PDF signatures using DC that are also LTV compliant.
To do this, I performed the document signature as it is described in the DC sample and after that I open the PDF and update the signature with the validation information.
Code
// Excerpt of an ASP.NET Web API controller action. Besides System, System.IO,
// System.Linq, System.Threading.Tasks and System.Web.Http it needs the
// Microsoft.AspNet.Identity extension (GetUserId) and the SecureBlackbox
// namespaces that provide TElPDFDocument, TElDCAsyncState, the PDF security
// handler and the TSP/HTTPS clients.
[System.Web.Http.ActionName("SetSignature")]
[System.Web.Http.HttpPost]
public async Task<IHttpActionResult> SetSignature(int promiseId)
{
    // The request body is the DC async state produced by the client-side signer.
    byte[] content = await Request.Content.ReadAsByteArrayAsync();
    Guid uid = Guid.Parse(User.Identity.GetUserId());
    var signDoc = (from t in CpsTables.CofCDocumentSignPromises
                   where t.SignUser.Uid == uid && !t.Done && t.CofCAttachmentSignPromiseId == promiseId
                   select t).FirstOrDefault();
    if (signDoc == null)
    {
        // No pending signing promise for this user and document.
        return NotFound();
    }

    var docRecord = signDoc.Document;
    string signedFile = docRecord.FileName + "_signPrep";

    // Phase 1: complete the distributed (DC) signing with the state received
    // from the client.
    TElDCAsyncState state = new TElDCAsyncState();
    using (MemoryStream input = new MemoryStream(content))
    {
        state.LoadFromStream(input, SBDCXMLEnc.__Global.DCXMLEncoding());
    }

    TElPDFDocument doc = new TElPDFDocument();
    TElPDFAdvancedPublicKeySecurityHandler handler = new TElPDFAdvancedPublicKeySecurityHandler();
    handler.SignatureType = TSBPDFPublicKeySignatureType.pstPKCS7SHA1;
    TElHTTPTSPClient cli = new TElHTTPTSPClient();
    cli.HTTPClient = new TElHTTPSClient();
    cli.URL = "tsa.swisssign.net"; // timestamping authority used for the signature timestamp
    handler.TSPClient = cli;
    /* Also tried in this phase, currently disabled:
    handler.AutoCollectRevocationInfo = true;
    handler.IncludeRevocationInfoToAdbeAttribute = true;
    handler.DeepValidation = true;
    handler.ForceCompleteChainValidation = true;
    handler.IgnoreChainValidationErrors = true; */

    bool success = true;
    using (Stream file = FileUploadHelper.GetStream(signedFile, UploadTypes.CofCAttachment, null, true, true))
    {
        try
        {
            doc.CompleteAsyncOperation(file, state, handler);
        }
        catch (Exception)
        {
            // Signing failed; the caller only gets a 500 (consider logging the exception).
            success = false;
        }
    }

    if (!success)
    {
        return InternalServerError();
    }

    // Phase 2: reopen the signed PDF and update the signature with the
    // validation (revocation) information.
    using (Stream fst = FileUploadHelper.GetStream(signedFile, UploadTypes.CofCAttachment, null, true, true))
    {
        doc = new TElPDFDocument();
        doc.Open(fst);
        TElPDFSignature sig = doc.GetSignatureEntry(0);
        TElPDFAdvancedPublicKeySecurityHandler hnd = (TElPDFAdvancedPublicKeySecurityHandler) sig.Handler;
        hnd.AutoCollectRevocationInfo = true;
        hnd.IncludeRevocationInfoToAdbeAttribute = true;
        hnd.DeepValidation = true;
        hnd.ForceCompleteChainValidation = true;
        hnd.IgnoreChainValidationErrors = true;
        sig.Update();
        doc.Close(true);
    }

    // Register the signed file as a new document record.
    Guid newDocName = Guid.NewGuid();
    CofCDocument newDoc = new CofCDocument
    {
        CofCId = signDoc.Document.CofCId,
        Deleted = false,
        Dirty = false,
        DocumentNumber = signDoc.Document.DocumentNumber,
        Extension = ".pdf",
        FileName = newDocName.ToString(),
        FileTypeId = signDoc.Document.DocumentFileType.SignedType.FileTypeId,
        Generated = false,
        UnSignedDocumentId = signDoc.Document.CofCDocumentId,
        PredecessorDocumentId =
            signDoc.Document.PredecessorDocument?.SignedSuccessors?.FirstOrDefault()?.CofCDocumentId
    };

    foreach (var item in signDoc.Document.Details)
    {
        newDoc.Details.Add(new CofCDocumentDetail
        {
            Document = newDoc,
            Detail = item.Detail
        });
    }

    FileUploadHelper.MoveFile(signedFile, newDoc.FileName, UploadTypes.CofCAttachment, null);
    CpsTables.CofCDocuments.Add(newDoc);
    signDoc.Done = true;
    CpsTables.SaveChanges();
    return Ok();
}


Adobe Reader accepts the signature as LTV capable and verifies the signature without errors.
Anyway, other PDF readers, such as PDF-XChange Editor and others, complain that the PDF has been changed after signing.

Now my question:
Let's assume I know which certificate is used to sign BEFORE the DC component gets the AsyncState for signing. Would it be possible to embed the validation information for the used certificate in the preparation phase of signing on the server? And how would this be done?
#37571
Posted: 08/26/2016 07:05:17
by Ken Ivanov (EldoS Corp.)

Hi Matthias,

Thank you for contacting us.

There are ways to do that, still I doubt if that would actually help. This is because (1) the technique of insertion of the signature doesn't change for scenarios where the revocation information is inserted before and after the DC routine, (2) you will anyway need to add the LTV-specific pieces (a DSS object and a document timestamp) for the signature to be LTV-compliant.

Anyway, before we go ahead with that, could you please check if the other PDF readers manage to validate similar signatures created in a non-distributed way? The reason for their validation failures may lie in a different plane.

Ken
#37577
Posted: 08/26/2016 10:02:07
by Matthias Wyler (Standard support level)
Joined: 01/13/2016
Posts: 5

Hi Ken

Thank you for your response.

I tried to perform a signature using the PAdES sample in the pdfblackbox folder.

The result is as follows:
- Adobe Reader -> Signature is LTV compliant
- PDF-XChange Editor -> Signature is LTV compliant AND (and this is different compared with the DC signing) Document is unchanged, which is exactly what I want.
- SwissSigner (I don't know how accurate the messages of this tool are..) -> Signature is LTV compliant BUT it claims that there are no revocation checks embedded, which seems like a contradiction in terms.

Anyway, the successful validation by this SwissSigner tool is not a requirement to me; the acceptance as it comes with the PAdES sample (LTV compliant and unchanged) for the PDF-XChange Editor IS a requirement.


There is one more point that is interesting and maybe worth mentioning:
If I sign a document using that SwissSigner tool and validate the signature using the SwissSigner tool, it claims that:
- The Signature is LTV
- Timestamped
- All revocation information that is required is embedded

When I open the same file using the PAdES sample:
- The signature is NOT LTV
- NOT Timestamped
- contains NO revocation information

If you want to test SwissSigner too, you can get it at https://postsuisseid.ch/installersswin

I can also attach a document that was signed using SwissSign if you would like to do some tests with it.

Is it possible that multiple standards exist in how signatures are created/embedded/whatever?
#37578
Posted: 08/27/2016 10:16:12
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote

I can also attach a document that was signed using swisssign if you like to do some tests with it.

Yes, please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
Quote

Is it possible that multiple standards exist in how signatures are created/embedded/whatever?

If you are asking about revocation information, then it is possible to embed revocation information into the signature or into the Document Security Store (DSS). The PAdES signature handler embeds revocation information into the signature at the moment of signing, and into the DSS when the signature is updated.
Placing revocation information into the DSS is required to make a signature conformant to LT-Level or LTA-Level (Long Term or Long Term with Archive time-stamps) according to the ETSI TS 103 172 standard. And the term LTV (Long-Term Validation) implies that all information necessary to validate the signature (excluding root certificates) is contained within the PDF file (it doesn't matter if it is in the DSS or in the signature).

Quote
Would it be possible to embed the validation information for the used certificate in the Preparation-phase of signing on the server? and how would this be done?

You can use TElPDFAdvancedPublicKeySecurityHandler.CustomRevocationInfo to embed custom revocation information. Or you can enable the AutoCollectRevocationInfo property and pass a public certificate to the CertStorage property in DC mode; in this case the component should collect revocation information for the signing certificate and embed it in the signature.
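An added check, written for this thread and not part of the EldoS samples or the poster's code, that scans a PDF for the pieces Ken and Dmytro refer to: a DSS with OCSP/CRL entries, a document timestamp, and the number of incremental revisions (each post-signing update such as a DSS write appends one, which is what a strict reader reports as a change after signing). The PDF byte strings are constructed for the example and are not real signed files.

```python
import re

# Constructed, minimal PDF-like byte strings (not real signed PDFs): just
# enough dictionary syntax to exercise the checks below.
SIGNED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached"
    b" /ByteRange [0 120 250 40] >> endobj\n"
    b"%%EOF\n"
)
# Same file after an LTV update: a DSS revision, then a document-timestamp revision.
LTV_PDF = SIGNED_PDF + (
    b"1 0 obj << /Type /Catalog /AcroForm 2 0 R /DSS 5 0 R >> endobj\n"
    b"5 0 obj << /Type /DSS /Certs [6 0 R] /OCSPs [7 0 R] /CRLs [8 0 R] >> endobj\n"
    b"%%EOF\n"
    b"9 0 obj << /Type /DocTimeStamp /SubFilter /ETSI.RFC3161"
    b" /ByteRange [0 400 520 40] >> endobj\n"
    b"%%EOF\n"
)

def count_revisions(pdf: bytes) -> int:
    """Every incremental update ends with its own %%EOF. A signature update that
    adds a DSS or a document timestamp appends a revision after the signed
    ByteRange, which strict readers flag as 'changed after signing'."""
    return len(re.findall(rb"%%EOF", pdf))

def ltv_report(pdf: bytes) -> dict:
    """Heuristic scan of an uncompressed PDF for LT/LTA pieces. It does not parse
    object streams or compressed xrefs, and cannot see revocation data stored
    inside the CMS blob (adbe-revocationInfoArchival), so no DSS != no LTV."""
    has_sig = re.search(rb"/Type\s*/Sig\b", pdf) is not None
    has_dss = re.search(rb"/DSS\s+\d+\s+\d+\s+R", pdf) is not None
    has_ocsp = re.search(rb"/OCSPs\s*\[", pdf) is not None
    has_crl = re.search(rb"/CRLs\s*\[", pdf) is not None
    has_doc_ts = re.search(rb"/Type\s*/DocTimeStamp\b", pdf) is not None
    if not has_sig:
        level = "unsigned"
    elif not has_dss:
        level = "B-Level or T-Level"  # a signature timestamp, if any, sits inside the CMS
    elif has_doc_ts:
        level = "LTA-Level"
    else:
        level = "LT-Level"
    return {"signed": has_sig, "dss": has_dss, "ocsp": has_ocsp, "crl": has_crl,
            "doc_timestamp": has_doc_ts, "revisions": count_revisions(pdf),
            "level": level}
```

Run `ltv_report` on the file before and after the update step to see which revision added the DSS, and compare against what the PDF reader reports.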
