Open JohnPlanetary opened 2 years ago
Could you prepare a pull request with such a feature? This OpenPDF issue could be related: LibrePDF/OpenPDF#86
I'm not a programmer, just a user. I did leave feedback on that issue topic, to bring attention again to it.
I did see here: https://github.com/LibrePDF/OpenPDF/releases/tag/openpdf-1.2.1 that seems to imply OpenPDF is able to produce PAdES Baseline Profiles B/T/LT/LTA with OpenPDF.
I've created a new repository for trying PAdES: https://github.com/intoolswetrust/jsignpdf-pades It doesn't have GUI, just the simple batch mode. It doesn't support visible signatures (yet). Could you give it a try? The snapshots are available in https://s01.oss.sonatype.org/content/repositories/snapshots/com/github/kwart/jsign/jsignpdf-pades-distribution/
Hello @kwart ! First, let me thank you for trying to get these working!
I never used the batch mode. I've try to use it, but I'm not getting it to the B-LTA level, just to B-B level, but it doesn't try to get the CRL for the certificate so it will not even get LTV level for the digital signature. I wasn't able to get any sort of secure timestamp.
Can you provide me the proper command line, because I'm pretty sure it should be something wrong I'm doing, but because there wasn't any example on the help file on how to get timestamped in batch mode I did my best to try to find out.
Also to get PAdES B-LTA with LTV enabled it should try to get the CRL/ OCSP values for all certificates in the signature and timestamp chain, and also add an additional timestamp only (also with the CRL/ OCSP values included for LTV enabled) after applying the first digital certificate with the timestamp included.
I'm using Windows 10 Home OS. For the java I'm using: "Eclipse Temurin™" for Operating system: Windows; Architecture: x64; Package Type: JRE; Version: 19 (available here. https://adoptium.net/temurin/releases/?version=19 ) These version works just fine with the 2.2.0 version of JSignPDF GUI.
I've try:
java -jar jsignpdf-pades.jar -tsh SHA512 -kst WINDOWS-MY C:\Users\Me\Desktop\mydocument.pdf -ha SHA512 -ts http://timestamp.digicert.com -crl -ocsp
but I get the error:
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -tsh SHA512 -kst WINDOWS-MY C:\Users\Me\Desktop\mydocument.pdf -ha SHA512 -ts http://timestamp.digicert.com -crl -ocsp
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file -tsh
SEVERE Error occured
eu.europa.esig.dss.model.DSSException: Unable to create FileDocument for File with name '-tsh'
at eu.europa.esig.dss.model.FileDocument.<init>(FileDocument.java:66)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:146)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
I also try:
java -jar jsignpdf-pades.jar -ts http://timestamp.digicert.com -tsh SHA256 -kst WINDOWS-MY -ha SHA256 C:\Users\Me\Desktop\mydocument.pdf -crl -ocsp
It will give the error:
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -ts http://timestamp.digicert.com -tsh SHA256 -kst WINDOWS-MY -ha SHA256 C:\Users\Me\Desktop\mydocument.pdf -crl -ocsp
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file -ts
SEVERE Error occured
eu.europa.esig.dss.model.DSSException: Unable to create FileDocument for File with name '-ts'
at eu.europa.esig.dss.model.FileDocument.<init>(FileDocument.java:66)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:146)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
@kwart Great work! Many many thanks I finally found a promising solution for signing according to AdES (DSS/eIDAS) with QESig (PKCS#11 private key on smartcard) that works on Linux.
I tested your latest snapshot for PAdES on Ubuntu 22.04 and my results are:
./jsignpdf-pades.sh -da SHA256 -p11 pkcs11.cfg -kst PKCS11 -pl BASELINE_B document.pdf
Looks OK. Validation with ETSI validator https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation without any problems.
//EDIT:
On the second attempt, the signature with the BASELINE-T format was already successful.
And signature with the BASELINE-T format the same errors like @JohnPlanetary
./jsignpdf-pades.sh -da SHA256 -p11 pkcs11.cfg -kst PKCS11 -ts MY_qualified_TSA -pl BASELINE_LT document.pdf
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file testPodpis1.pdf
FINE Signature valid: true
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-B9...: Revocation data is skipped for untrusted certificate chain!; C-27...: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:50)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:162)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
Certificate is issued by a national authority (EU country) registered on the EUTL list... Thanks.
I tried in Windows 10 x64 Home, and I was able to make the test PDF into: PAdES. B-T and PAdES: B-B, but not to PAdES: B-LT and also not: PAdES: B-LTA
I'm getting the following errors:
java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -ts http://timestamp.digicert.com -pl BASELINE_LT C:\Users\Me\Desktop\teste.pdf
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -ts http://timestamp.digicert.com -pl BASELINE_LT C:\Users\Me\Desktop\teste.pdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file C:\Users\Me\Desktop\teste.pdf
FINE Signature valid: true
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF: Revocation data is skipped for untrusted certificate chain!; C-33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941: Revocation data is skipped for untrusted certificate chain!; C-C7F4E1BE32288920ABE2263ABE1AC4FC4FE6781C2D64D04C807557A023B5B6FA: Revocation data is skipped for untrusted certificate chain!; C-6F4B5D5136A66929620F6A0A952A09459037A0161202FBF6B5D40F3759B31474: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:50)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:162)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -ts http://timestamp.digicert.com -pl BASELINE_LTA C:\Users\Me\Desktop\teste.pdf
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -ts http://timestamp.digicert.com -pl BASELINE_LTA C:\Users\Me\Desktop\teste.pdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file C:\Users\Me\Desktop\teste.pdf
FINE Signature valid: true
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-281734D4592D1291D27190709CB510B07E22C405D5E0D6119B70E73589F98ACF: Revocation data is skipped for untrusted certificate chain!; C-33846B545A49C9BE4903C60E01713C1BD4E4EF31EA65CD95D69E62794F30B941: Revocation data is skipped for untrusted certificate chain!; C-C7F4E1BE32288920ABE2263ABE1AC4FC4FE6781C2D64D04C807557A023B5B6FA: Revocation data is skipped for untrusted certificate chain!; C-6F4B5D5136A66929620F6A0A952A09459037A0161202FBF6B5D40F3759B31474: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:50)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:34)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:162)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
Not sure what is going on. I'm using my own ECC curve (just ECC P521 root and user certificate ECC P521 bellow it, with online CRL file and CRT reference for the programs to be able to get the root certificate), the stable version 2.2.0 is working just fine with them.
On the second attempt, the signature with the BASELINE-T format was already successful. I am sorry.
./jsignpdf-pades.sh -da SHA256 -p11 pkcs11.cfg -kst PKCS11 -ts MY_qualified_TSA -pl BASELINE_T document.pdf
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file testPodpis1.pdf
FINE Signature valid: true
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
And signature with the BASELINE-T format the same errors like @JohnPlanetary
./jsignpdf-pades.sh -da SHA256 -p11 pkcs11.cfg -kst PKCS11 -ts MY_qualified_TSA -pl BASELINE_LT document.pdf
FINE PKCS11 provider registered with name SunPKCS11-JSignPdf
FINE PKCS11 provider registered with name JSignPKCS11-JSignPdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file testPodpis1.pdf
FINE Signature valid: true
FINE Removing security provider with name SunPKCS11-JSignPdf
FINE Removing security provider with name JSignPKCS11-JSignPdf
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-B9...: Revocation data is skipped for untrusted certificate chain!; C-27...: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:50)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:162)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:78)
Certificate is issued by a national authority (EU country) registered on the EUTL list... Thanks.
Thanks, guys, for sharing all the information. I'm looking into the missing revocation data issue now.
I've added some new config parameters.
Options:
--digest-algorithm, -da
Digest algorithm used in the signature
Default: SHA256
Possible Values: [SHA1, SHA224, SHA256, SHA384, SHA512, SHA3_224, SHA3_256, SHA3_384, SHA3_512, SHAKE128, SHAKE256, SHAKE256_512, RIPEMD160, MD2, MD5, WHIRLPOOL]
--disable-critical-extensions-check
Don't check if all certificate critical extensions are known
Default: false
--disable-key-usage-check
Don't check certificate key-usage field in the keystore
Default: false
--disable-validity-check
Don't check certificate validity in the keystore
Default: false
--help, -h
Prints this help
--key-alias, -ka
Key alias to be used for signing
--key-password, -kp
Key password
--keystore-file, -ksf
Keystore file to be used
--keystore-password, -ksp
KeyStore password
--keystore-type, -kst
Keystore type to be loaded
--list-keys, -lk
Command listing signing key aliases in the specified keystore
Default: false
--list-keystore-types, -lkt
Command listing available keystore types
Default: false
--out-directory, -d
Directory to write the signed PDFs to. If not provided, the source
directory of input PDF file is used.
--out-suffix, -os
Signed file suffix to be attached to the original name
Default: _signed
--pades-level, -pl
PAdES level
Default: BASELINE_B
Possible Values: [BASELINE_B, BASELINE_T, BASELINE_LT, BASELINE_LTA]
--pkcs11-config, -p11
Config file for SunPKCS11 and JSignPKCS11 providers
--trust-certificate-file
File path to a trusted X.509 certificate
Default: []
--trust-certificate-url
URL to a trusted X.509 certificate
Default: []
--trust-keystore-file
File path to a truststore
--trust-keystore-password
Truststore password
--trust-keystore-type
Truststore type
Default: pkcs12
--trust-lotl-url
URL to a List Of Trusted Lists
Default: []
--trust-use-default-lotl
Use default List Of Trusted Lists (EU)
Default: false
--tsa-key-file, -tskf
KeyStore file for TSA client-certificate authentication
--tsa-key-file-type, -tskt
KeyStore type for TSA client-certificate authentication
--tsa-key-password, -tskp
KeyStore password for TSA client-certificate authentication
--tsa-password, -tsp
Password for TSA Basic authentication
--tsa-policy-oid
TSA policy OID
--tsa-server-url, -ts
Timestamp server URL
--tsa-user, -tsu
Username for TSA Basic authentication
-P11
PKCS11 provider configuration parameter
Syntax: -P11key=value
Default: {}
You don't need to provide PKCS11 config file directly, but the properties can be specified on the command line too:
./jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test -kst JSIGNPKCS11 -ksp 12345678 ...
I'm not able to test it today with a valid certificate. But I hope something like the following could work:
... -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem --trust-use-default-lotl /home/kwart/test.pdf
Thanks for the update @kwart !
I've tried again: java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem C:\sign\SignPDFs\mydocument.pdf
But I still get the same error:
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem C:\sign\SignPDFs\mydocument.pdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file C:\sign\SignPDFs\mydocument.pdf
FINE Signature valid: true
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-6F4B5D5136A66929620F6A0A952A09459037A0161202FBF6B5D40F3759B31474: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:50)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:34)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:166)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:80)
I even added FreeTSA.org certificates: https://freetsa.org/files/tsa.crt https://freetsa.org/files/cacert.pem
To the Eclipse Adoptium cert store, using the free & open source KeyStore Explorer (https://github.com/kaikramer/keystore-explorer) but nothing changed.
Where is JSignPDF-PADES checking the certificates to say the aren't trusted? Here they are both on the Windows Certificate Store, and on the Eclipse Adoptium cert store. I don't know where more to put them.
But eventually there should be some option to totally ignore the "untrusted" status, or to make them trusted immediately, because many Timestamp services around the world will never be trusted by default, even if they locally are totally legal or even mandatory.
IMO your problem is not with the trust of the TSA certificate but with the trust of the signing certificate. And there was also an issue in the code for LOTL handling.
The following command should work for the EU-trusted certs now:
jsignpdf-pades-0.1.0-SNAPSHOT/jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test \
-kst JSIGNPKCS11 -ksp 12345678 -pl BASELINE_LTA \
-ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem \
--trust-use-default-lotl \
/home/kwart/test.pdf
FINE PKCS11 provider registered with name SunPKCS11-test
FINE PKCS11 provider registered with name JSignPKCS11-test
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file /home/kwart/test.pdf
FINE Signature valid: true
FINE Removing security provider with name SunPKCS11-test
FINE Removing security provider with name JSignPKCS11-test
FINE Temporary PKCS11 config file was deleted.
or with the full LOTL URL specification:
jsignpdf-pades-0.1.0-SNAPSHOT/jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test \
-kst JSIGNPKCS11 -ksp 12345678 -pl BASELINE_LTA \
-ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem \
--trust-lotl-url https://ec.europa.eu/tools/lotl/eu-lotl.xml \
/home/kwart/test.pdf
How can I force the Trust of the signing certificate? I have add it to both Windows Certificate Store and to Eclipse Adoptium certificates store. What else can I do?
You can provide a remote CA certificate URL:
jsignpdf-pades-0.1.0-SNAPSHOT/jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test \
-kst JSIGNPKCS11 -ksp 12345678 -pl BASELINE_LTA \
-ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem \
--trust-certificate-url https://www.postsignum.cz/files/ca/postsignum_qca4_sub.pem \
/home/kwart/test.pdf
or the local one:
wget https://www.postsignum.cz/files/ca/postsignum_qca4_sub.pem
jsignpdf-pades-0.1.0-SNAPSHOT/jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test \
-kst JSIGNPKCS11 -ksp 12345678 -pl BASELINE_LTA \
-ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem \
--trust-certificate-file postsignum_qca4_sub.pem \
/home/kwart/test.pdf
I though, the truststore option will work too, but it doesn't :thinking:
keytool -importcert -noprompt -alias ca -file postsignum_qca4_sub.pem -keystore keystore.p12 -storepass 123456 -storetype PKCS12
jsignpdf-pades-0.1.0-SNAPSHOT/jsignpdf-pades.sh -P11library=/usr/lib/libeToken.so -P11slot=0 -P11name=test \
-kst JSIGNPKCS11 -ksp 12345678 -pl BASELINE_LTA \
-ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem \
--trust-keystore-file keystore.p12 --trust-keystore-password 123456 --trust-keystore-type PKCS12 \
/home/kwart/test.pdf
Well, I've include the url for the CA Root Certificate, but I get the same error.
The CA certificate is at: http://myid.online.pt/myidrsarootg2.crt (PEM format) The CRL is at: http://myid.online.pt/myidrsarootg2.crl (DER format) I can create PAdES B-LTA documents in another program with my current configuration without any trouble, but not in these JSignPDF PAdES test version.
java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem --trust-certificate-url http://myid.online.pt/myidrsarootg2.crt C:\sign\SignPDFs\mydocument.pdf
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem --trust-certificate-url http://myid.online.pt/myidrsarootg2.crt C:\sign\SignPDFs\mydocument.pdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file C:\sign\SignPDFs\mydocument.pdf
FINE Signature valid: true
SEVERE Error occured
eu.europa.esig.dss.alert.exception.AlertException: Revocation data is missing for one or more certificate(s). [C-6F4B5D5136A66929620F6A0A952A09459037A0161202FBF6B5D40F3759B31474: Revocation data is skipped for untrusted certificate chain!]
at eu.europa.esig.dss.alert.handler.ThrowAlertExceptionHandler.process(ThrowAlertExceptionHandler.java:41)
at eu.europa.esig.dss.alert.AbstractAlert.alert(AbstractAlert.java:52)
at eu.europa.esig.dss.validation.SignatureValidationContext.checkAllRequiredRevocationDataPresent(SignatureValidationContext.java:922)
at eu.europa.esig.dss.validation.SignedDocumentValidator.assertSignaturesValid(SignedDocumentValidator.java:560)
at eu.europa.esig.dss.validation.SignedDocumentValidator.getValidationData(SignedDocumentValidator.java:525)
at eu.europa.esig.dss.pades.validation.PDFDocumentValidator.getValidationData(PDFDocumentValidator.java:341)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLT.extendSignatures(PAdESLevelBaselineLT.java:70)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineT.extendSignatures(PAdESLevelBaselineT.java:82)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:50)
at eu.europa.esig.dss.pades.signature.PAdESLevelBaselineLTA.extendSignatures(PAdESLevelBaselineLTA.java:34)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:222)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:166)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:80)
I also tried my National ID card (EU), but I get a (different) error:
java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem C:\sign\SignPDFs\mydocument.pdf
C:\Program Files\Eclipse Adoptium\jre-19.0.1.10-hotspot\bin>java -jar jsignpdf-pades.jar -da SHA256 -kst WINDOWS-MY -pl BASELINE_LTA -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem C:\sign\SignPDFs\mydocument.pdf
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
INFO Signing PDF file C:\sign\SignPDFs\mydocument.pdf
FINE Signature valid: true
SEVERE Error occured
eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:422)
at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.checkEncryptedAndSaveIncrementally(PdfBoxSignatureService.java:406)
at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocumentAndReturnDigest(PdfBoxSignatureService.java:230)
at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.signDocument(PdfBoxSignatureService.java:166)
at eu.europa.esig.dss.pdf.AbstractPDFSignatureService.sign(AbstractPDFSignatureService.java:294)
at eu.europa.esig.dss.pades.signature.PAdESService.signDocument(PAdESService.java:218)
at com.github.intoolswetrust.jsignpdf.pades.Main.signFiles(Main.java:166)
at com.github.intoolswetrust.jsignpdf.pades.Main.main(Main.java:80)
Caused by: java.io.IOException: Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
at org.apache.pdfbox.pdfwriter.COSWriter.writeExternalSignature(COSWriter.java:845)
at org.apache.pdfbox.pdfwriter.COSWriter.doWriteSignature(COSWriter.java:793)
at org.apache.pdfbox.pdfwriter.COSWriter.visitFromDocument(COSWriter.java:1199)
at org.apache.pdfbox.cos.COSDocument.accept(COSDocument.java:452)
at org.apache.pdfbox.pdfwriter.COSWriter.write(COSWriter.java:1435)
at org.apache.pdfbox.pdmodel.PDDocument.saveIncremental(PDDocument.java:1412)
at eu.europa.esig.dss.pdf.pdfbox.PdfBoxSignatureService.saveDocumentIncrementally(PdfBoxSignatureService.java:420)
... 7 more
I use the Windows Certificate store, to do the signing, but it goes to the chip in the card, and I get the proper request for the PIN, like in other applications. I think the CRL's of the national ID are many and big! It needs to allow a big file. They all have OCSP, but if they fail, or the program is not trying just OCSP, it will try to download the CRLs.
The current stable version of JSignPDF also gives me troubles with the National ID, I have to use " -Xmx2048m " to initiate the JSignPDF, but in these test version that trick is not working for me.
1) Root CA cert
2) Second CA Cert
http://ocsp.multicert.com/ocsp http://pkiroot.multicert.com/crl/root_mc_crl.crl
3) Certificate CA that signs the Final CA
http://trust.ecee.gov.pt/ecraiz.crt
http://crls.ecee.gov.pt/crls/ARL.crl
4) Final CA that signs the certificate:
http://ocsp.root.cartaodecidadao.pt/publico/ocsp http://pki.cartaodecidadao.pt/publico/lrc/cc_ec_cidadao_crl004_crl.crl
5) On the certificate it self:
http://ocsp.asc.cartaodecidadao.pt/publico/ocsp
http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-ec_cidadao_assinatura_crl0014_delta_p0004.crl
http://pki.cartaodecidadao.pt/publico/lrc/cc_sub-ec_cidadao_assinatura_crl0014_p0004.crl
@kwart @JohnPlanetary Many thanks, for me it works perfectly!
I tested it for BASELINE_LT:
./jsignpdf-pades.sh -da SHA256 -p11 pkcs11.cfg -kst PKCS11 -ts MY_TSA_URL -pl BASELINE_LT --trust-lotl-url https://ec.europa.eu/tools/lotl/eu-lotl.xml --trust-certificate-file MYeID_ROOT_CERT.der --trust-certificate-file MY_TSA_ROOT_CERT.pem.crt test.pdf
@kwart @JohnPlanetary BASELINE-LTA works too, great, thanks a lot! And would it be possible to add just a separate timestamp?
I tested again, but using ECC P-521 Root and signing certificate, and with that I was successful in signing up to PAdES B-LTA the PDF file, but the program isn't getting the CRL and OCSP values for both timestamps (incorporated in the first signing certificate and standalone one).
Also, the official national (EU) ID RSA 2048 bit SHA256 in the card, and my own Root and signing certificate with RSA 16384 bit SHA512 aren't working. I keep getting eu.europa.esig.dss.model.DSSException: Unable to save a document. Reason : Can't write signature, not enough space; adjust it with SignatureOptions.setPreferredSignatureSize
error.
I'm guessing somewhere in the code it is needed to greatly increase the signaturesize, not sure if there is more than one setting for that [signing signature(s) and timestamping signature(s)] but they need to be increased otherwise will give error and will not sign the document. And to be clear, they both work in another application up to PAdES B-LTA without problems.
There isn't yet HASH command for the timestamp, correct? I was able to get SHA512 for the signature but the timestamp was SHA256. Most timestamp services use SHA256, but some also use SHA384 and even SHA512.
The only command that worked until now on my Windows Machine (PAdES B-LTA):
java -jar C:\sign\signpdfs\jsignpdf-pades.jar -da SHA512 -kst WINDOWS-MY -ts https://freetsa.org/tsr --trust-certificate-url https://freetsa.org/files/cacert.pem -pl BASELINE_LTA --trust-certificate-url https://freetsa.org/files/tsa.crt --trust-certificate-file C:\sign\signpdfs\eccroot.crt C:\sign\signpdfs\test.pdf
Having to specify where the certificates are is kinda of problematic even for me, the program will need to somehow figure it out without the need for user intervention. Also many people won't be using certificates from the EU list, even if they are in EU, so it needs also to be sort out to make sure it will work both with EU official certificates and any other certificates including self made ones, so that it is as much future proof as possible.
Unfortunately I fail when trying to produce an LTV signature with JSignPDF 2.2.2. And I assume it has to do with my certificate structure. My signature certificate is issued by an Intermediate CA, so for full LTV CRL information two CRLs need to be added to the signature (from Intermediate CA and from Root CA).
On my server all http requests are rerouted to https. In my signature certificate the Authority Information Access URL and the CRL URL are on https, but in the CA certificates they are not yet.
I get an LTV signature when signing with Adobe Reader, and the resulting files are about 50 KB bigger than the files from JSignPDF. Seems Adobe Reader can handle that http/https stuff, but JSignPDF has trouble with it.
To get LTV status it needs to get CRL and or OCSP values from url's in the certificate chain of the digital certificate used to sign. You should try to see if you can install the Root and intermediate certificates used in the operating system and see if it helps the program to find the url's correctly. The Java program must have access to the Internet to get the data from CRL/ OCSP servers.
You can leave the Certification level at any other option other than "No change allow", to allow the pdf to receive that data that activates LTV from Adobe Acrobat Reader. You can see here: https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/#enable how to do it (is in the end of the article) on the Adobe Acrobat Reader. You need to save the file to keep that LTV enabled. Also, for some unknown reason to me, it doesn't always work, meaning, it may not work at all, or it will appear to work and a few days after you open the file again and the file isn't LTV enabled. I couldn't find why, shouldn't happen, but happens.
You should try to see if you can install the Root and intermediate certificates used in the operating system and see if it helps the program to find the url's correctly.
They are installed and trusted in my Windows Certificate Store.
The Java program must have access to the Internet to get the data from CRL/ OCSP servers.
It has, since it gets a timestamp from a Sectigo server.
After signing I get a message like "loading CRL from ...", "size of the downloaded CRL...", but only for one CRL, and not for the other.
CRL's and OCSP's servers all over the place do seem to have trouble from times to times, so it may just be that they aren't working, or the size of the file is really big! And takes a long time to download even if you have a fast connection because the server may be slow. In my national ID card it can make a 120 KB file have like 50 MB! It does take a while to download. If they would only use OCSP's servers I think the files would be smaller, but with CRL files they are usually much bigger. There is nothing I can do on the options for my use case, since in many cases there isn't even an OCSP server referenced in the intermediate and/ or final certificate.
It would be nice for JSignPDF to sign PDF files to conform to ETSI EN 319 142-1 V1.1.0 (2016-02) (PAdES digital signatures) ( https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.00_30/en_31914201v010100v.pdf ) B-LTA level.
6 6.1. Signature levels d) B-LTA level provides requirements for the incorporation of electronic time-stamps that allow validation of the signature long time after its generation. This level aims to tackle the long term availability and integrity of the validation material.