Validating PDF Signatures with https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation

A Chilkat customer is signing PDFs and then validating using the online tool at https://ec.europa.eu/cefdigital/DSS/webapp-demo/validation

A few errors/warnings were encountered:

1) “The signature is not intact”. This error only happens if the “ltvOcsp” option was set to create an LTV-enabled signature. The source of the “Signature is not intact” error can be found here: https://github.com/esig/dss/blob/master/validation-policy/src/main/java/eu/europa/esig/dss/validation/process/bbb/cv/checks/SignatureIntactCheck.java

When “ltvOcsp” is specified (i.e. we are doing an LTV signature), Chilkat sends an OCSP request to the OCSP server for each signing certificate. The OCSP responses are placed within the pdfRevocationInfoArchival authenticated attribute of the PKCS7 signature. Also, when countersigning (i.e. signing an already-signed document), OCSP checks are performed for the certs in the existing signature(s) that have OCSP responders, and only where an OCSP response is not already in the PDF’s DSS (Document Security Store). You can see this is complicated shit.

The “signature is not intact” error has to do with the additional parts added with LTV validation.  At this point, we don’t know the specific cause.  It may be that it’s an error specific to the certs used for signing and the OCSP responders involved.

2) “signing time is not present”.  This error happens if the signingTime is not included.  It’s fixed by adding this line:

    json.UpdateInt("signingTime",1);

In addition, the DSS validator will also need the “signingCertificateV2” authenticated attribute:

    json.UpdateInt("signingCertificateV2",1);
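
A local pre-upload check for the two attributes above, added here as an example (it is not Chilkat's or the DSS project's code): it reads each /Contents hex string in the PDF, walks the CMS SignedData, and reports which of signingTime and signingCertificateV2 are absent from the signed attributes of the first signer. The function names are hypothetical, the OIDs are the standard values for these attributes, and DER-encoded signatures are assumed.

```python
import re

# Content bytes of the attribute OIDs (standard values, not taken from the page).
WANTED = {
    bytes.fromhex("2a864886f70d010905"): "signingTime",               # 1.2.840.113549.1.9.5
    bytes.fromhex("2a864886f70d010910022f"): "signingCertificateV2",  # 1.2.840.113549.1.9.16.2.47
    bytes.fromhex("2a864886f72f010108"): "pdfRevocationInfoArchival", # 1.2.840.113583.1.1.8
}

def kids(buf, pos, end):
    """List (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    out = []
    while pos + 2 <= end and buf[pos] != 0:      # tag 0 = zero padding in /Contents
        tag, n = buf[pos], buf[pos + 1]
        pos += 2
        if n == 0x80:
            raise ValueError("indefinite-length BER is not handled")
        if n & 0x80:                             # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > end:
            raise ValueError("truncated DER element")
        out.append((tag, pos, pos + n))
        pos += n
    return out

def signed_attrs(der):
    """Names (hex for unknown OIDs) of the signedAttrs in the first SignerInfo."""
    node = kids(der, 0, len(der))[0]             # ContentInfo
    node = kids(der, *node[1:])[1]               # [0] EXPLICIT wrapper
    node = kids(der, *node[1:])[0]               # SignedData
    node = kids(der, *node[1:])[-1]              # signerInfos, its last field
    signer = kids(der, *node[1:])[0]             # first SignerInfo
    names = set()
    for tag, start, end in kids(der, *signer[1:]):
        if tag == 0xA0:                          # [0] IMPLICIT signedAttrs
            for _, a, b in kids(der, start, end):    # each Attribute SEQUENCE
                _, s, e = kids(der, a, b)[0]         # attrType OID
                names.add(WANTED.get(der[s:e], der[s:e].hex()))
    return names

def missing_for_dss(pdf):
    """For each /Contents <hex> signature in the PDF bytes, list absent attributes."""
    need = ("signingTime", "signingCertificateV2")
    report = []
    for m in re.finditer(rb"/Contents\s*<([0-9A-Fa-f\s]+)>", pdf):
        have = signed_attrs(bytes.fromhex(m.group(1).decode("ascii")))
        report.append([n for n in need if n not in have])
    return report
```

Pass the whole file as bytes, e.g. `missing_for_dss(open(path, "rb").read())`; an empty inner list means both attributes are present in that signature. Only the signer's own signed attributes are inspected, so the same OIDs inside an embedded timestamp token are not counted.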