intoolswetrust / jsignpdf

PDF signing software written in Java. It supports visible signatures, timestamping, certificate verification and many other cool features
https://intoolswetrust.github.io/jsignpdf/
315 stars, 121 forks

LTV Long Term Validation #27

Open certifirm opened 5 years ago

certifirm commented 5 years ago

I am trying to sign PDFs with LTV, and yes, it's possible.

I am using two signatures (in Spain). One is obtained using the DNIe (Electronic National Identity Document). The other is obtained directly from an authority (FNMT in Spain).

I am using this command:

java -jar ../SailsBE_dev/JSignPdf/jsignpdf-1.6.4/JSignPdf.jar 1_test.pdf \
  -cl CERTIFIED_NO_CHANGES_ALLOWED \
  --disable-acrobat6-layer-mode --disable-assembly --disable-copy --disable-fill \
  --disable-modify-annotations --disable-modify-content \
  --hash-algorithm SHA512 \
  --keystore-file ../SailsBE_dev/JSignPdf/sign.p12 --keystore-type PKCS12 --keystore-password '' \
  --tsa-server-url http://tsa.izenpe.com --tsa-hash-algorithm SHA512 \
  --out-directory . --out-suffix _firmado \
  --ocsp --ocsp-server-url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder \
  -llx 5 -lly 80 -urx 300 -ury 30 -V -fs 8 -pg 10000

Well, when I sign a document using the first one, it doesn't verify via OCSP, but the OCSP data exists in the signature.

Using the second one, apparently the same, it does the verification with OCSP and LTV is enabled in the document.

How is this possible?

Can I force the use of OCSP?

Thanks

michnovka commented 3 years ago

I have the same issue. Any idea please?

kwart commented 3 years ago

Can you elaborate more about:

The most helpful would be if you could investigate it and send a pull request with a patch.

michnovka commented 3 years ago

@kwart I actually found that the issue I have is a bit different. I simply cannot get an LTV signature with jsignpdf at all. If I sign using Acrobat Reader, then the signature is LTV. I have no idea why this happens and how the two signatures differ. I can sign a sample document with both and send it to you to have a look if you have time.

I am not a Java developer, I can only read Java. I can help with debugging and testing. I use Czech National ID with Qualified cert from I.CA. Like I said, Acrobat-generated signature shows as LTV, JSignPDF does not. I use the same Qualified TSA on both (again from I.CA).

michnovka commented 3 years ago

@kwart here is the same file signed with the same cert and using the same TSA. One is LTV enabled (the Acrobat one), the other is not (JSignPDF 2.0.0)

pdf_sign_test_acrobat.pdf pdf_sign_test_signed_jsign.pdf

JohnPlanetary commented 3 years ago

I have no problem in having PDF files signed with timestamp with LTV enabled in JSignPDF 2.0.0.

You just need to enable, in the advanced view > "TSA/OCSP/CRL", the "Enable CRL" option and the "Enable OCSP" option. And that is all. If something gives an error, disable the "Enable OCSP" option. Don't enter a default OCSP server URL unless you are provided with that specific information. (screenshot: enable_OCSP_CRL)

What may happen is that you need to start JSignPDF 2.0.0 with more memory allocated if the CRL files from the digital signature provider are too big.

In Microsoft Windows create a new shortcut with something looking like: "C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar -Xmx2048m "D:\jsignpdf-2.0.0\JSignPdf.jar" in the target path of the shortcut, and in "Begin in": "C:\Program Files\Java\jre1.8.0_301\bin"

Just remember that every time Java is updated the paths in the shortcut must be updated too. The paths need to be adjusted to your specific machine; the above is just an example.

Notice: the resulting PDF file may be huge if the CRL file of the digital signature provider is big, because the program will attempt to download all the CRL files from all the sub-CAs that may exist between the Root CA and the end-user certificate.

You may try enabling just the "Enable OCSP" option and disabling the "Enable CRL" option, but at least here I was never able to get the signature done with LTV that way (I always get an error) unless I also disable "Use timestamp server". You are using a different certificate authority, so maybe it works in your case. (screenshot: OCSP_only_if_too_big) Basically play with the options to find the combination that suits you best.

kwart commented 3 years ago

@JohnPlanetary Thanks a lot for sharing the experience and the guide :+1:

JohnPlanetary commented 3 years ago

@kwart thank you very much for your wonderful program! And for keeping the program updated, even if less frequently. Very glad I could be useful in clarifying these doubts.

dog42 commented 2 years ago

First of all, I would like to thank you for the development of this tool, I am really glad to have a signing tool that works well on Linux systems.

Just like @JohnPlanetary I was also able to create a signed PDF file with timestamp and with LTV enabled. However, this only works if I enable the "Append signature" option. This is the config: (screenshot: 2021-12-08-164639_1141x440_scrot)

Unfortunately, appending the signatures only seems to be possible with PDF version >= 1.7, is this right? But if jsignpdf tries to increase the PDF version an error occurs, because of the selected configuration. (screenshot: 2021-12-08-165020_623x92_scrot)

Is this behavior normal/intentional? Or is there actually an error (in the config)?

BTW: sorry for the German screenshots

kwart commented 2 years ago

The problem is in hash algorithm requirements. Look at

So here are the required versions for given algorithm names:

dog42 commented 2 years ago

@kwart Thank you for the explanation. I have now also found the requirements at Adobe.

deltazero-cz commented 2 years ago

Hi everyone, I can't seem to get LTV going. Using version 2.2.0 on Mac, input file is PDF-1.7.

java -jar jsignpdf-2.2.0/JSignPdf.jar \
  --keystore-type PKCS12 \
  --keystore-file cert.p12 \
  --keystore-password '...' \
  --hash-algorithm SHA512 \
  --tsa-server-url http://tsa.izenpe.com \
  --tsa-hash-algorithm SHA512 \
  --ocsp \
  file.pdf

With or without --crl (huge file), --ocsp or --append, as suggested here before, Acrobat always sees the signature as valid, timestamped, but not LTV enabled.

What am I doing wrong? My CA should support OCSP; I'm not sure whether my cert.p12 does, and I don't know how to check.

Thanks a lot for your help :-)
Love your work
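The question above (does the certificate in my .p12 actually point at an OCSP responder or a CRL?) can be answered from the certificate alone. The following is an added diagnostic, not code from JSignPdf or from anyone in this thread: a stdlib-only DER walker that pulls the URIs out of the Authority Information Access (1.3.6.1.5.5.7.1.1) and CRL Distribution Points (2.5.29.31) extensions. Without an OCSP URI there, an `--ocsp` run has no responder to ask unless one is given on the command line; without a CRL URI, `--crl` has nothing to fetch. The `sample_certificate` input is a constructed, unsigned skeleton whose only purpose is to exercise the parser; the hostnames in it are placeholders.

```python
"""Does this certificate point at an OCSP responder and/or a CRL?

Added example, not part of JSignPdf. Minimal DER walker for the AIA and
CRL Distribution Points extensions of an X.509 certificate (single-byte
tags only, which is all these structures use).
"""
import sys

OID_AIA = bytes.fromhex("2b06010505070101")           # id-pe-authorityInfoAccess 1.3.6.1.5.5.7.1.1
OID_CRLDP = bytes.fromhex("551d1f")                   # id-ce-cRLDistributionPoints 2.5.29.31
OID_AD_OCSP = bytes.fromhex("2b06010505073001")       # id-ad-ocsp 1.3.6.1.5.5.7.48.1
OID_AD_CAISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers 1.3.6.1.5.5.7.48.2
TAG_URI = 0x86                                        # GeneralName [6] uniformResourceIdentifier


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def revocation_pointers(cert_der):
    """Return {'ocsp': [...], 'ca_issuers': [...], 'crl': [...]} for a DER certificate."""
    found = {"ocsp": [], "ca_issuers": [], "crl": []}
    _, cert, _ = read_tlv(cert_der, 0)                      # Certificate ::= SEQUENCE
    tbs = next(children(cert))[1]                           # tbsCertificate is its first element
    exts = [v for t, v in children(tbs) if t == 0xA3]       # extensions [3] EXPLICIT
    if not exts:
        return found
    for _, ext in children(read_tlv(exts[0], 0)[1]):        # SEQUENCE OF Extension
        parts = list(children(ext))                         # extnID, [critical], extnValue
        oid, extn_value = parts[0][1], parts[-1][1]
        if oid == OID_AIA:
            for _, access in children(read_tlv(extn_value, 0)[1]):   # AccessDescription
                (_, method), (gn_tag, gn_val) = list(children(access))
                if gn_tag != TAG_URI:
                    continue
                if method == OID_AD_OCSP:
                    found["ocsp"].append(gn_val.decode("ascii"))
                elif method == OID_AD_CAISSUERS:
                    found["ca_issuers"].append(gn_val.decode("ascii"))
        elif oid == OID_CRLDP:
            for _, dp in children(read_tlv(extn_value, 0)[1]):       # DistributionPoint
                for t, dpn in children(dp):
                    if t != 0xA0:                                   # distributionPoint [0]
                        continue
                    for t2, names in children(dpn):
                        if t2 != 0xA0:                              # fullName [0] GeneralNames
                            continue
                        for t3, uri in children(names):
                            if t3 == TAG_URI:
                                found["crl"].append(uri.decode("ascii"))
    return found


def tlv(tag, content):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + content


def seq(*items):
    return tlv(0x30, b"".join(items))


def sample_certificate(ocsp_url=None, crl_url=None):
    """Constructed Certificate skeleton (unsigned, will not validate); only the
    extension layout is realistic. Pass None to omit an extension."""
    exts = []
    if ocsp_url:
        aia = seq(seq(tlv(0x06, OID_AD_OCSP), tlv(TAG_URI, ocsp_url.encode())),
                  seq(tlv(0x06, OID_AD_CAISSUERS), tlv(TAG_URI, b"http://ca.example/issuer.crt")))
        exts.append(seq(tlv(0x06, OID_AIA), tlv(0x04, aia)))
    if crl_url:
        crldp = seq(seq(tlv(0xA0, tlv(0xA0, tlv(TAG_URI, crl_url.encode())))))
        exts.append(seq(tlv(0x06, OID_CRLDP), tlv(0x04, crldp)))
    tbs_items = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),      # version v3, serial
                 seq(), seq(), seq(), seq(), seq()]                       # empty stand-ins
    if exts:
        tbs_items.append(tlv(0xA3, seq(*exts)))
    return seq(seq(*tbs_items), seq(), tlv(0x03, b"\x00"))


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real use: a DER certificate, e.g. exported from the .p12 with openssl
        der = open(sys.argv[1], "rb").read()
    else:                      # demo on the constructed sample
        der = sample_certificate("http://ocsp.example", "http://crl.example/ca.crl")
    print(revocation_pointers(der))
```

To run it against a real keystore, export the signing certificate first (`openssl pkcs12 -in cert.p12 -nokeys -clcerts -out cert.pem`, then `openssl x509 -in cert.pem -outform DER -out cert.der`) and pass `cert.der`. An empty `ocsp` list with a populated `crl` list is the situation several people in this thread describe: CRL-based LTV works, OCSP-based does not.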

deltazero-cz commented 2 years ago

Hi everyone, just wanted to drop here a little update on LTVs.

Since my previous post, I've discovered that documents signed using both TSA and CRL are seen as LTV enabled by Acrobat Pro DC. But the app has to be freshly started. In other words, if Acrobat first opens an unsuccessful LTV attempt, it messes up its CRL cache.

Anyway, LTV works for me with CRL. No luck with OCSP, though.

Cheers!

tribly commented 1 year ago

No matter what combinations I try, Adobe Reader won't recognize my signatures as LTV enabled.

Last combination was:
- jsignpdf: 2.2
- PDF version: 1.7
- append signature to existing one: checked
- hash algo: SHA512
- TSA URL: http://zeitstempel.dfn.de
- TSA hash algo: SHA512
- OCSP: checked
- CRL: checked

JohnPlanetary commented 1 year ago

I have no trouble getting the signature LTV enabled (test_signed.pdf). In the example you will need to manually add my self-made certificate to your PDF reader in order for it to recognize the certificate as valid and LTV enabled.

Try the following tips: 1) For the first signature, disable the option "append signature to existing one". If you need to add another certificate signature to the same PDF, re-enable "append signature to existing one". This option needs to be activated from the second signature onward, but leave it disabled when you sign the PDF file the first time.

2) In the certification level use "Not certified", or the option "Form filling allowed" (to allow add new certificate signatures, or update the CRL/ OCSP values for example on Adobe Acrobat Reader).

3) Make sure JSignPDF and the Java program you are using both have Internet access because that is needed to get the CRL and the OCSP values of the certificate, and to get the TimeStamp certificate from the independent Authority.

4) While the DFN timestamp is working (at the time of my writing), you may need to mess with the options to make the PDF reader recognize it, since it doesn't come active by default in at least Adobe Acrobat Reader. You can try: https://timestamp.sectigo.com if you want it to be recognized worldwide, or: https://timestamp.sectigo.com/qualified if you need it to be recognized in the European Union.

tribly commented 1 year ago

@JohnPlanetary Thank you for your answer, I've been able to get a valid LTV Signature by using the https://timestamp.sectigo.com/ server. But I have to disable OCSP and Acrobat is still telling me

The signature includes an embedded timestamp but it could not be verified.

I thought it had something to do with the hash algorithm, but every combination gives the same result.

Edit: Ok, it seems like the sectigo timestamp server isn't supported by Adobe (https://helpx.adobe.com/sign/config/time-stamp-settings/overview.html), using the one from DigiCert (https://knowledge.digicert.com/generalinformation/INFO4231.html) works. But still only without OCSP.

JohnPlanetary commented 1 year ago

The server from Sectigo definitely works, I've been using it for a long time. Sectigo is on the "Adobe Approved Trust List Members" (https://timestamp.sectigo.com) and on the "European Union Trusted Lists" (https://timestamp.sectigo.com/qualified). As you can see at: https://helpx.adobe.com/acrobat/kb/approved-trust-list1.html (in the US section) and https://helpx.adobe.com/document-cloud/kb/european-union-trust-lists.html (in the ES - Spain section).

Sectigo supports: SHA256, SHA384 and SHA512. But in the https://timestamp.sectigo.com it responds with SHA384 hash to any of the requests. In the https://timestamp.sectigo.com/qualified it responds with SHA256 hash to any of the requests.

You may need to update Adobe Acrobat Reader to the latest version. At least on Windows it works perfectly; on other operating systems I don't know.

You can try going in Adobe Acrobat Reader to "Edit" > "Preferences..." > "Trust manager" (or something similar) and updating the trust lists manually. It should have at least "AATL", and if the operating system is configured with an EU country it should also have the "EUTL" (not sure whether that list also appears outside the EU).

If Adobe can't verify the timestamp, maybe you need to check whether the firewall is blocking the connection, or even try some other Internet connection. When JSignPDF applies the timestamp, unfortunately the application currently doesn't add the offline OCSP/CRL values that would allow Adobe Acrobat Reader to check offline that the signature was valid at the time the timestamp was applied, so it needs to go online and contact the timestamp authority's OCSP/CRL server to check. Maybe some future version of JSignPDF adds the offline OCSP/CRL values for the timestamp part, but for now that is not happening.

tribly commented 1 year ago

Thank you for your answer. I've made one mistake: I didn't understand that you have to set the TSA hash algorithm separately. It's working now as expected!

Edit: CRL is working. OCSP only (without CRL) doesn't get LTV-enabled by Acrobat, neither online nor offline. I don't know if it's a jsignpdf bug, since the logs are telling me that the OCSP info is put into the document, or whether Acrobat just somehow doesn't recognize the option. Guess I'll just stay with CRL for now.
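When the tool's log says revocation data was written but the reader does not show LTV, the next step is to look at where in the file that data landed. Revocation material can sit in two places in a signed PDF: in a Document Security Store (a `/DSS` dictionary with `/Certs`, `/OCSPs` and `/CRLs` arrays, added in an incremental update) or inside the CMS blob of the signature itself as an `adbe-revocationInfoArchival` signed attribute (OID 1.2.840.113583.1.1.8). The scanner below is an added diagnostic, not code from JSignPdf or anyone in this thread, and it generalizes beyond the single CRL-vs-OCSP case here: it reports the header version, the number of incremental updates, every signature dictionary with its SubFilter and whether its CMS carries that attribute, and the contents of the newest DSS. It works on the raw bytes with regular expressions, so it does not validate anything and can be fooled by object streams or binary noise; treat its output as a pointer, not a verdict. `sample_pdf` builds constructed, not openable, PDF skeletons purely to exercise the scanner.

```python
"""Where does a signed PDF keep its revocation data, if anywhere?

Added example, not part of JSignPdf. Byte-level scan for the two places
LTV material lives: the /DSS dictionary and the adbe-revocationInfoArchival
attribute inside a signature's CMS /Contents.
"""
import re
import sys

ADBE_REVOCATION_OID = bytes.fromhex("06092a864886f72f010108")   # DER of OID 1.2.840.113583.1.1.8

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
DSS_REF_RE = re.compile(rb"/DSS\s+(\d+)\s+(\d+)\s+R")
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def objects(pdf):
    """Map (num, gen) -> body for every 'n g obj ... endobj'; a later definition
    (incremental update) overwrites an earlier one, as a reader would apply it."""
    out = {}
    for m in OBJ_RE.finditer(pdf):
        out[(int(m.group(1)), int(m.group(2)))] = m.group(3)
    return out


def array_refs(body, key):
    """Object numbers referenced from '/key [ n g R ... ]' inside a dictionary body."""
    m = re.search(rb"/" + key + rb"\s*\[([^\]]*)\]", body)
    return [int(r) for r in REF_RE.findall(m.group(1))] if m else []


def scan(pdf):
    """Report header version, update count, signatures and the newest DSS."""
    objs = objects(pdf)
    report = {
        "version": pdf[5:8].decode("ascii", "replace") if pdf.startswith(b"%PDF-") else None,
        "updates": pdf.count(b"startxref"),   # 1 = original only; each incremental update adds one
        "signatures": [],
        "dss": None,
    }
    for (num, _gen), body in objs.items():
        if not re.search(rb"/Type\s*/Sig\b", body):
            continue
        sub = re.search(rb"/SubFilter\s*/([\w.]+)", body)
        hexm = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", body)
        cms = bytes.fromhex(re.sub(rb"\s", b"", hexm.group(1)).decode()) if hexm else b""
        report["signatures"].append({
            "obj": num,
            "subfilter": sub.group(1).decode() if sub else None,
            "cms_bytes": len(cms),                               # includes the zero padding of /Contents
            "revocation_in_cms": ADBE_REVOCATION_OID in cms,     # attribute present in the CMS blob
        })
    refs = DSS_REF_RE.findall(pdf)
    if refs:                                                     # last /DSS reference = newest update
        num, gen = map(int, refs[-1])
        body = objs.get((num, gen), b"")
        report["dss"] = {k.lower(): array_refs(body, k.encode()) for k in ("Certs", "OCSPs", "CRLs")}
    return report


def has_ltv_material(report):
    """True if some revocation data is embedded anywhere a reader could use it."""
    in_cms = any(s["revocation_in_cms"] for s in report["signatures"])
    dss = report["dss"]
    in_dss = bool(dss and (dss["ocsps"] or dss["crls"]))
    return in_cms or in_dss


def sample_pdf(with_dss, revocation_in_cms):
    """Constructed signed-PDF skeleton (not a valid, openable file) with one
    signature; optionally a DSS update and/or the revocation attribute in the CMS."""
    cms = b"\x30\x80" + (ADBE_REVOCATION_OID if revocation_in_cms else b"") + b"\x00" * 8
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [3 0 R] /SigFlags 3 >> >>\nendobj\n",
        b"3 0 obj\n<< /FT /Sig /T (Signature1) /V 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached"
        b" /ByteRange [0 100 300 50] /Contents <" + cms.hex().encode() + b"> >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n",
    ]
    if with_dss:    # incremental update: catalog gains /DSS, DSS object is appended
        parts += [
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /DSS 5 0 R >>\nendobj\n",
            b"5 0 obj\n<< /Type /DSS /Certs [6 0 R 7 0 R] /OCSPs [8 0 R] /CRLs [] >>\nendobj\n",
            b"trailer\n<< /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n",
        ]
    return b"".join(parts)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pdf(True, False)
    print(scan(data))
```

Run it on the JSignPdf output and on the Acrobat-signed copy of the same document; if one shows `ocsps` populated in the DSS and the other only shows `revocation_in_cms`, the two files are carrying the same kind of data in different places, which is exactly the sort of difference a reader's LTV check can react to differently.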

JohnPlanetary commented 11 months ago

It depends entirely on the provider of the digital signature, whether they are using OCSP and/or CRL... some just use OCSP, others just CRL, others a mix of OCSP and CRL... and OCSP seems to fail more than CRL for some reason that I don't know.

OCSP seems better, because it usually produces a smaller digital signature, keeping files smaller... but sometimes CRL is needed and there is no alternative (OCSP).