esig / dss-demonstrations

Examples of DSS integration
GNU Lesser General Public License v2.1

Is it possible to create PAdES-B-LT and PAdES-B-LTA documents via REST API? #43

Closed nourbakhsh closed 1 year ago

nourbakhsh commented 1 year ago

Hello, I am using the "DSS Demonstrations - Version 5.11" and trying to create PAdES-B-LT and PAdES-B-LTA documents with remote signature and remote timestamping from freetsa.org via the REST API.

PADES-B remote signatures can be easily created by calling "/signature/one-document/getDataToSign" and "/signature/one-document/signDocument". 

Is it possible to use the REST API to create PAdES-B-LT and PAdES-B-LTA Documents with remote timestamps and remote OCSP calls?

Best Regards

bsanchezb commented 1 year ago

Hello,

Yes, it is possible to create -T/-LT/-LTA signatures with REST API. For this you will need to provide the corresponding target signature level within the signature parameters, e.g. for PAdES-BASELINE-T level:

```json
{
  "parameters" : {
      ...
      "signatureLevel" : "PAdES_BASELINE_T",
      ...
  },
  ...
}
```

You may create the extended signature as a part of the normal signature creation process (i.e. using the #getDataToSign/#signDocument methods) or separately by extending the existing signature (see #extend method).

Please note that the corresponding settings for the TSP Source and CRL/OCSP sources have to be configured on the server side. For more information about the configuration please see the corresponding chapter of the documentation.

If you use dss-demonstrations webapp, you may provide a spring bean configuration of the TSP Source through the properties file (see tsp-source parameter) as in the example. But you may also do it within the code, as explained in the documentation above. The CRL and OCSP sources are already configured in the demo to fetch the data from online resources.

I hope this will help you.

Best regards, Aleksandr.

nourbakhsh commented 1 year ago

Thanks for your quick reply, it has shown me the path to solve this issue. It would be really nice if there was an easier way to add a custom TSP Source and extend the app with a custom trusted CA, e.g. by adding them to the "dss.properties" file.

Here is my journey, in case someone else runs into this: change the tsp-config.xml file (/dss-demo-bundle-5.11.1/apache-tomcat-8.5.82/webapps/ROOT/WEB-INF/classes/config/tsp-config.xml) as below:

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">

    <!-- Online TSP source pointing at the freetsa.org timestamp endpoint -->
    <bean id="tspSource" class="eu.europa.esig.dss.service.tsp.OnlineTSPSource">
        <property name="tspServer" value="https://freetsa.org/tsr" />
    </bean>
</beans>
```

To send OCSP requests in a test environment where the certificates are not in the EUTL it is necessary to set certificateVerifier.setCheckRevocationForUntrustedChains(true) in "DSSBeanConfig.java", or to extend it with your custom CA and recompile the code.

After this it is possible to set the signature parameter to PAdES_BASELINE_LT as mentioned by @bsanchezb:

```json
{
  "parameters" : {
      ...
      "signatureLevel" : "PAdES_BASELINE_LT",
      ...
  },
  ...
}
```

bsanchezb commented 1 year ago

Indeed, for non-EU certificate chains, the corresponding trust anchors should be added to the CertificateVerifier, or the check for untrusted chains should be disabled as shown in your reply (but please note that it is not a recommended option to be used in production). Thank you for the follow-up reply, I'm sure it will be helpful to the community.

Best regards, Aleksandr.

samsam002 commented 1 year ago

I was coming to the repo to ask the same question. So thanks for sharing. Indeed, would you please explain in more detail the steps to add the external CA to the demo web app. Thanks in advance
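As an added example (not code from the thread or from the dss-demonstrations project), the following Java class shows the option bsanchezb recommends over setCheckRevocationForUntrustedChains(true): the external test CA is registered as an explicit trust anchor in a CommonTrustedCertificateSource, the CertificateVerifier is wired with online OCSP/CRL/AIA sources, the PAdESService gets the freetsa.org OnlineTSPSource from the reply above, and an already signed PDF is extended to PAdES-BASELINE-LTA through the extend path. The class name, the command-line arguments and the certificate/PDF file paths are assumptions; the DSS types are the public API of DSS 5.x.

```java
import java.io.File;

import eu.europa.esig.dss.enumerations.SignatureLevel;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.pades.PAdESSignatureParameters;
import eu.europa.esig.dss.pades.signature.PAdESService;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.http.commons.TimestampDataLoader;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.service.tsp.OnlineTSPSource;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.aia.DefaultAIASource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

/** Hypothetical example class: trust a custom CA explicitly instead of disabling the untrusted-chain check. */
public class CustomTrustAnchorExample {

    /**
     * Builds a CertificateVerifier whose trust anchors are the given root CA(s).
     * Chains that do not end at one of these anchors are treated as untrusted, so no
     * OCSP/CRL traffic is generated for them and the signature will not reach -LT.
     */
    public static CommonCertificateVerifier certificateVerifier(File... rootCaFiles) {
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        for (File rootCaFile : rootCaFiles) {
            CertificateToken root = DSSUtils.loadCertificate(rootCaFile);
            trusted.addCertificate(root);
        }

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);
        verifier.setOcspSource(new OnlineOCSPSource());
        verifier.setCrlSource(new OnlineCRLSource());
        verifier.setAIASource(new DefaultAIASource());
        // Kept at the default (false): revocation data is fetched only for chains anchored
        // in 'trusted'. This is the production-safe alternative to the flag in the thread.
        verifier.setCheckRevocationForUntrustedChains(false);
        return verifier;
    }

    /** Wires a PAdESService with the given verifier and an RFC 3161 timestamp server. */
    public static PAdESService padesService(CommonCertificateVerifier verifier, String tspServerUrl) {
        OnlineTSPSource tspSource = new OnlineTSPSource(tspServerUrl);
        tspSource.setDataLoader(new TimestampDataLoader()); // sets the timestamp-query content type
        PAdESService service = new PAdESService(verifier);
        service.setTspSource(tspSource);
        return service;
    }

    /** Extends an existing PAdES signature to the requested level (e.g. LT or LTA). */
    public static DSSDocument extend(PAdESService service, DSSDocument signedPdf, SignatureLevel level) {
        PAdESSignatureParameters parameters = new PAdESSignatureParameters();
        parameters.setSignatureLevel(level);
        return service.extendDocument(signedPdf, parameters);
    }

    // Usage: java CustomTrustAnchorExample test-root-ca.crt signed-b.pdf signed-lta.pdf
    // (argument file names are assumptions for this example)
    public static void main(String[] args) throws Exception {
        File rootCa = new File(args[0]);
        DSSDocument signedPdf = new FileDocument(new File(args[1]));

        PAdESService service = padesService(certificateVerifier(rootCa), "https://freetsa.org/tsr");
        DSSDocument lta = extend(service, signedPdf, SignatureLevel.PAdES_BASELINE_LTA);
        lta.save(args[2]);
    }
}
```

In the dss-demonstrations webapp the same wiring belongs in the CertificateVerifier bean of DSSBeanConfig.java that the thread already names; the REST endpoints then honour "signatureLevel" : "PAdES_BASELINE_LT" or "PAdES_BASELINE_LTA" without the untrusted-chain flag being switched on.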