
I want to sign PDF files with iTextSharp. Until now, I embedded the CRLs into the signature. This has made my PDF really huge: a 300 KB PDF went up to over 1 MB in size.

So I decided to embed the OCSP responses instead of the CRLs.

Here is the particular code:

```csharp
// Fetch one OCSP response: only for the signer certificate (list[0]) against its issuer (list[1]).
byte[] ocsp = null;
if ((chain.Count >= 2) && (ocspClient != null))
{
    ocsp = ocspClient.GetEncoded(list[0], list[1], null);
}
// Build the signed attributes (includes the single OCSP response and the CRL bytes), sign them externally,
// then assemble the CMS/PKCS#7 container.
byte[] message = fpkcs.getAuthenticatedAttributeBytes(secondDigest, now, ocsp, crlBytes, sigtype);
byte[] digest = Sign(message, cert);
fpkcs.SetExternalDigest(digest, null, "RSA");
byte[] sourceArray = fpkcs.GetEncodedPKCS7(secondDigest, now, tsaClient, ocsp, crlBytes, sigtype);
```

If I'm right, in order to have an LTV-enabled signature, OCSP responses of all certificates (except the root certificate) have to be embedded in the signature. But if I'm using the above code, only the OCSP response of the signer certificate is embedded into the signature. The CA certificate is checked online if I open the PDF in Adobe Reader. So the signature is not LTV-enabled.

Can anybody tell me how I can embed multiple OCSP responses into the signature?

Many thanks for any help!

  • The iText method `PdfPKCS7.GetEncodedPKCS7` assumes that only a single OCSP response needs to be embedded into the signature container. Thus, if you really need multiple OCSP responses in the signature container itself, you have to patch iText or create the signature container externally. If, on the other hand, you are ok with them in a Document Security Store dictionary, too, consider using `LtvVerification` to add verification according to PAdES-LTV. – mkl Dec 09 '16 at 10:01
  • @mkl: Thanks for your answer. I just want to have a Signature which is LTV-enabled. I tried to patch itext but with no success. I struggled with TagNumbers, Vectors and stuff like that. Do you have a code sample of the `LtvVerification` to add? – daprodigy23 Dec 09 '16 at 14:07
  • You might want to try the code from [this answer](http://stackoverflow.com/a/27906587/1729265). If that does not work, can you provide a sample PDF signed by you? I'd then try and see what is necessary to make it LTV-enabled after the fact. – mkl Dec 09 '16 at 19:27
  • @mkl: The second approach on the linked site did the trick. Thank you so much. You made my day ;-) – daprodigy23 Dec 13 '16 at 09:30
  • Ok, so let's mark this question as a duplicate of it. – mkl Dec 13 '16 at 10:03
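The approach the comments converge on, adding validation data for the whole chain to a Document Security Store (DSS) after signing rather than stuffing several OCSP responses into the CMS container, looks like this in iTextSharp 5.x. This is an added example, not code from the question or from the linked answer; it assumes the iTextSharp 5.5 `LtvVerification` API (`PdfStamper.LtvVerification`, `AddVerification`, `Merge`), the `OcspClientBouncyCastle` and `CrlClientOnline` clients, and a PDF that already contains at least one signature whose certificate chain is embedded so the issuers can be located.

```csharp
using System;
using System.IO;
using iTextSharp.text.pdf;
using iTextSharp.text.pdf.security;

// Added example (not from the question or the linked answer): augments an already
// signed PDF with a DSS holding OCSP responses (and CRLs as fallback) for every
// certificate in each signature's chain, which is what Adobe Reader needs to
// report the signature as LTV-enabled without going online.
public static class LtvAugmenter
{
    public static void AddLtvToExistingSignatures(string src, string dest)
    {
        PdfReader reader = new PdfReader(src);
        using (FileStream os = new FileStream(dest, FileMode.Create, FileAccess.Write))
        {
            // Append mode ('\0' keeps the PDF version, true = incremental update) so the
            // existing signature bytes are untouched and the signatures stay valid.
            PdfStamper stamper = new PdfStamper(reader, os, '\0', true);
            LtvVerification ltv = stamper.LtvVerification;

            IOcspClient ocspClient = new OcspClientBouncyCastle();
            ICrlClient crlClient = new CrlClientOnline();

            AcroFields fields = reader.AcroFields;
            foreach (string sigName in fields.GetSignatureNames())
            {
                // WHOLE_CHAIN: fetch validation data for the signer cert and every
                // intermediate, not just the signing certificate.
                // OCSP_OPTIONAL_CRL: prefer the small OCSP response and only fall back
                // to the (large) CRL when no OCSP response can be obtained, which keeps
                // the file size concern from the question in mind; use Level.OCSP_CRL
                // to embed both unconditionally.
                // CertificateInclusion.NO: the chain is already inside the signature,
                // so do not duplicate the certificates in the DSS.
                bool added = ltv.AddVerification(
                    sigName,
                    ocspClient,
                    crlClient,
                    LtvVerification.CertificateOption.WHOLE_CHAIN,
                    LtvVerification.Level.OCSP_OPTIONAL_CRL,
                    LtvVerification.CertificateInclusion.NO);

                Console.WriteLine("{0}: {1}", sigName,
                    added ? "validation data added to DSS" : "no validation data added");
            }

            // Writes the /DSS dictionary (with /OCSPs, /CRLs and per-signature /VRI entries)
            // into the incremental update.
            ltv.Merge();
            stamper.Close();
        }
        reader.Close();
    }
}
```

Run `LtvAugmenter.AddLtvToExistingSignatures("signed.pdf", "signed-ltv.pdf")` right after signing, while the OCSP responders and CRL distribution points are still reachable; the responses are fetched at that moment and frozen into the file. Afterwards, the signature panel in Adobe Reader should report the signature as LTV-enabled, and the CA certificate is no longer checked online on open. If a signature's chain is incomplete in the CMS container, `AddVerification` returns `false` for that signature, which is the check to watch for in logs.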
