
I'm trying to 'complete to LTV' a PDF that is already signed, and I found this code using iText:

http://developers.itextpdf.com/question/how-enable-ltv-timestamp-signature

import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.List;

import com.itextpdf.text.DocumentException;
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.CrlClient;
import com.itextpdf.text.pdf.security.LtvTimestamp;
import com.itextpdf.text.pdf.security.LtvVerification;
import com.itextpdf.text.pdf.security.OcspClient;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import com.itextpdf.text.pdf.security.TSAClient;

public void addLtv(String src, String dest, OcspClient ocsp, CrlClient crl, TSAClient tsa)
        throws IOException, DocumentException, GeneralSecurityException {
    PdfReader r = new PdfReader(src);
    FileOutputStream fos = new FileOutputStream(dest);
    // Append mode ('true') keeps the existing signatures intact; the DSS and
    // the document timestamp are written as an incremental update.
    PdfStamper stp = PdfStamper.createSignature(r, fos, '\0', null, true);
    LtvVerification v = stp.getLtvVerification();
    AcroFields fields = stp.getAcroFields();
    List<String> names = fields.getSignatureNames();
    String sigName = names.get(names.size() - 1);
    PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
    if (pkcs7.isTsp()) {
        // The last signature is already a document timestamp: only add
        // validation data for its signing certificate.
        v.addVerification(sigName, ocsp, crl,
            LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
            LtvVerification.Level.OCSP_CRL,
            LtvVerification.CertificateInclusion.NO);
    }
    else {
        // Otherwise collect OCSP/CRL data for the whole chain of every signature.
        for (String name : names) {
            v.addVerification(name, ocsp, crl,
                LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL,
                LtvVerification.CertificateInclusion.NO);
        }
    }
    // Apply a document timestamp over the update; this also closes the stamper.
    PdfSignatureAppearance sap = stp.getSignatureAppearance();
    LtvTimestamp.timestamp(sap, tsa, null);
}

I read it has a 'problem' with Adobe because the timestamp applied is not recognized as LTV-enabled, and it suggests applying a new DSS to solve this.

My questions:

  • Can this info be added before applying the timestamp? If I'm adding a DSS to complete, I could add TSA timestamp info (OCSP, CRL...) too (maybe with a fake sign to get the info) and then apply the timestamp without needing a new DSS again.

    • If yes... is this approved by ETSI? Can iText handle it? I noticed that addVerification adds info from signatures already included, but it seems I can't add the required info with this method. Is there another way to add 'free' verifications, or does addVerification let me and I didn't notice?

    • If no... why? Then why do I not need to timestamp the newly added DSS again?

As you can see... I'm not an expert and I need some help.

Thanks a lot for your help!

Diadev

1 Answer


My questions:

  • Can this info be added before applying the timestamp? If I'm adding a DSS to complete, I could add TSA timestamp info (OCSP, CRL...) too (maybe with a fake sign to get the info) and then apply the timestamp without needing a new DSS again.
    • If yes... is this approved by ETSI? Can iText handle it? I noticed that addVerification adds info from signatures already included, but it seems I can't add the required info with this method. Is there another way to add 'free' verifications, or does addVerification let me and I didn't notice?
    • If no... why? Then why do I not need to timestamp the newly added DSS again?

Technically you can add any validation-related information before applying the signature / time stamp it relates to. Actually, you even have to do this in the case of old-fashioned ISO 32000-1 signatures, which required validation information to be in a signed attribute.

Whether such information is accepted by verifiers depends.

ETSI TS 102 778-4 V1.1.1 says:

4.3 Validation Process

It is recommended that the validation process be as follows:

  1. The "latest" document Time-stamp should be validated at current time with validation data collected at the current time.

  2. The "inner" document Time-stamp should be validated at previous document Time-stamp time with the validation data present (and time-stamped for the successive enveloping time-stamps) in the previous DSS.

  3. The signature and the signature Time-stamp should be validated at the latest innermost LTV document Timestamp time using the validation data stored in the DSS and time-stamped (by the successive enveloping timestamps).

Validation of documents without document Time-stamps is outside the scope of this profile.

If a verifier validates according to these recommendations, it will not accept your validation information as you want it to; at least it will not recognize the time stamp stamping the information for its validation.

But as these are only recommendations and other TS or EN documents might recommend differently, the verifiers you are interested in may accept your validation information as you desire.

mkl
  • Thanks a lot mkl :D From my point of view, I think the "latest ts" can then still be validated at the current time. I understand that it's not exactly what ETSI says, but it fits with Adobe LTV-enabled... and doesn't break the ETSI validation process; there's just "useless extra info". Adding a DSS after timestamping is 'nearly' the same, right? – Diadev Sep 27 '16 at 17:49
  • Last question: using iText 5.5.9, how can I add validation data from a different TSA cert before timestamping? LtvVerification.addVerification() only works with the included info and doesn't let me add "external validation data", does it? Again thanks – Diadev Sep 27 '16 at 17:49
  • *"LtvVerification.addVerification() only works with the included info and doesn't let me add "external validation data", does it?"* - That method has an overload which accepts externally generated validation data. Unfortunately, even that overload expects that those data refer to an existing signature. Thus, I would propose not using the existing `LtvVerification` at all and merely adding your validation data to a stamper like the `LtvVerification` methods `createDss()`, `updateDss()`, and `outputDss()` do it, minus the `vri` stuff. There actually is no magic in it. – mkl Sep 28 '16 at 07:40
  • @Diadev I just scanned the validation part of ETSI EN 319 102-1 V1.1.1 "Creation and Validation of AdES Digital Signatures". The contents are *what ETSI says* on how to verify. It seems to me that it looks for validation information for a time stamp in the next outer layer, i.e. in particular at the time of the next outer time stamp (or at the current time if no further time stamp exists). – mkl Sep 28 '16 at 08:14
  • For code that LTV enables a signed PDF look at [this answer](https://stackoverflow.com/a/51481392/1729265). – mkl Jul 23 '18 at 14:52
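Following mkl's suggestion in the comments to bypass `LtvVerification` and write the validation data to the stamper the way `createDss()` / `updateDss()` / `outputDss()` do, minus the VRI part, here is an added example; it is not mkl's or iText's own code. It assumes iText 5.5.x (`PdfStamper.getWriter()`, `PdfStamper.markUsed()`, `PdfWriter.addToBody()`) and a stamper created in append mode; the OCSP responses, CRLs and certificates (for instance the TSA's chain, fetched out of band) are passed in DER-encoded, so they do not have to belong to any signature already in the file.

```java
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Collection;

import com.itextpdf.text.pdf.PdfArray;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfIndirectReference;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.PdfStream;
import com.itextpdf.text.pdf.PdfWriter;

public class FreeDss {
    // Adds externally collected, DER-encoded OCSP responses, CRLs and certificates to
    // the catalog's DSS of a stamper opened in append mode. They need not belong to a
    // signature already in the file (e.g. the TSA chain). No VRI entry is written.
    public static void addToDss(PdfStamper stp, Collection<byte[]> ocsps,
            Collection<byte[]> crls, Collection<X509Certificate> certs)
            throws IOException, CertificateEncodingException {
        PdfWriter writer = stp.getWriter();
        PdfDictionary catalog = stp.getReader().getCatalog();
        stp.markUsed(catalog);                          // catalog changes must go into the update
        PdfDictionary dss = catalog.getAsDict(PdfName.DSS);
        if (dss == null) dss = new PdfDictionary();     // no DSS yet: same as createDss()
        PdfArray ocspArr = arrayOrNew(dss, PdfName.OCSPS);
        PdfArray crlArr = arrayOrNew(dss, PdfName.CRLS);
        PdfArray certArr = arrayOrNew(dss, PdfName.CERTS);
        for (byte[] b : ocsps) ocspArr.add(addStream(writer, b));
        for (byte[] b : crls) crlArr.add(addStream(writer, b));
        for (X509Certificate c : certs) certArr.add(addStream(writer, c.getEncoded()));
        // Only arrays that carry data are emitted, as outputDss() does.
        if (ocspArr.size() > 0) dss.put(PdfName.OCSPS, writer.addToBody(ocspArr, false).getIndirectReference());
        if (crlArr.size() > 0) dss.put(PdfName.CRLS, writer.addToBody(crlArr, false).getIndirectReference());
        if (certArr.size() > 0) dss.put(PdfName.CERTS, writer.addToBody(certArr, false).getIndirectReference());
        catalog.put(PdfName.DSS, writer.addToBody(dss, false).getIndirectReference());
    }

    // Existing DSS arrays are extended so earlier validation data is kept (updateDss() case).
    private static PdfArray arrayOrNew(PdfDictionary dss, PdfName key) {
        PdfArray a = dss.getAsArray(key);
        return a != null ? a : new PdfArray();
    }

    // Validation data is stored as flate-compressed indirect streams.
    private static PdfIndirectReference addStream(PdfWriter writer, byte[] der) throws IOException {
        PdfStream ps = new PdfStream(der);
        ps.flateCompress();
        return writer.addToBody(ps, false).getIndirectReference();
    }
}
```

Call `addToDss` on the stamper from the question's `addLtv` before `LtvTimestamp.timestamp()`, and leave `getLtvVerification()` out of that stamping pass so the two do not both rewrite the catalog's DSS.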