lovele0107 / signatures-conformance-checker


PAdES: Warning when using a pdfRevocationInfoArchival attribute #42

Open syjwg opened 1 year ago

syjwg commented 1 year ago

Only way to get Adobe Reader to successfully show information about a Long Term Validation (LTV) signature is to include a signed pdfRevocationInfoArchival (OID 1.2.840.113583.1.1.8) attribute. The validator will however show a Warning when this is included and our customers are not happy with that.

Location-{CodeTest}:Contents/CAdESSignature/content/signedData/signerInfos/signerInfo[1]
/signedAttrs/attribute[4]/attrValues/UnknownName[1]-{UnknownComponent}
An unknown attribute, defined by OID 1.2.840.113583.1.1.8 has been reached.
Its contents and their processing are unknown to the AdESCC. No further checks will be done to this component

Adobe Reader will show "Signature is LTV enabled" for the attached file. signed-and-ltv-enabled.pdf

syjwg commented 1 year ago

Just saw that this has been reported previously in https://github.com/lovele0107/signatures-conformance-checker/issues/5 but now you will have an uploaded PDF to check.

jccruellas commented 1 year ago

Dear syjwg,

First of all, thank you very much indeed for using PAdESCC and your valuable comment.

As far as I am aware, ISO 32000-2 specifies, if I have correctly understood, that this attribute may not be used when the Subfilter value is ETSI.CAdES.detached. In ETSI EN 319 142-1, clause 6.3, additional requirement l specifies:

l) The Signature Dictionary shall contain a value of ETSI.CAdES.detached for the key SubFilter

This means that the PAdESCC, being a conformance checker of PAdES signatures, initially sticks to what is specified and required by the ETSI EN. In addition, ISO 32000-2 bans the usage of the attribute that you mention.

A couple of additional comments:

  1. If my understanding of ISO 32000-2 is correct and your signature sets the value of Subfilter to ETSI.CAdES.detached, then I would say that you are breaking a requirement of this document. If you set the value of Subfilter to a different value, then your signature is not identified as a PAdES signature.
  2. I may raise this issue to ETSI ESI TC in order to get the views of the committee, as in the end it is the whole TC that is responsible for the PAdES specification and the ultimate source of advice on how to proceed with this issue.

Best regards,
Juan Carlos
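
The combination discussed in this thread, as an added example that is not part of the issue or of the conformance checker's own code: a minimal DER walker that lists the attribute OIDs in a CMS signedAttrs set and flags pdfRevocationInfoArchival when SubFilter is ETSI.CAdES.detached, following the reading of ISO 32000-2 given in the comment above. The function names and the sample bytes are constructed for illustration.

```python
# Added example; function names and sample bytes are constructed, not from PAdESCC.
ADBE_REVINFO_OID = "1.2.840.113583.1.1.8"   # pdfRevocationInfoArchival (OID from the issue)
PADES_SUBFILTER = "ETSI.CAdES.detached"     # value required by EN 319 142-1, 6.3 l)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value bytes, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = min(arcs[0] // 40, 2)           # first octet group packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signed_attr_oids(signed_attrs):
    """List attribute OIDs in signedAttrs (tag 0x31 as hashed, 0xA0 as stored)."""
    tag, body, _ = read_tlv(signed_attrs, 0)
    if tag not in (0x31, 0xA0):
        raise ValueError("not a SET OF Attribute")
    oids, pos = [], 0
    while pos < len(body):
        tag, attr, pos = read_tlv(body, pos)
        oid_tag, oid_body, _ = read_tlv(attr, 0)
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Attribute")
        oids.append(decode_oid(oid_body))
    return oids

def conflicts_with_pades(subfilter, signed_attrs):
    """True when the Adobe attribute is signed under the PAdES SubFilter."""
    return subfilter == PADES_SUBFILTER and ADBE_REVINFO_OID in signed_attr_oids(signed_attrs)

# Constructed signedAttrs: pdfRevocationInfoArchival (empty value) + contentType id-data.
SAMPLE = bytes.fromhex("312b" "300f06092a864886f72f0101083102" "3000"
                       "301806092a864886f70d010903310b06092a864886f70d010701")
```

Calling `conflicts_with_pades("ETSI.CAdES.detached", SAMPLE)` reports the conflict, while the same attributes under a different SubFilter value do not trigger it.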