
I am producing a Long Term signature. I am trying to add revocation information (CRLs, OCSP responses, certificate chain) to the signature as unsigned attributes, but the revocation information is not being embedded in the final signature. The following is the code snippet:

// Inputs that come from the surrounding code and are not shown in the question:
//   byte[] signedDocument                         - the already signed PDF
//   X509Certificate2 signerCertificate            - the signing certificate
//   revocationInfo.OCSPResponses / revocationInfo.CRLs - collections of byte[]
//   signingRequest.FieldName                      - name of the signature field to extend
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using iText.Kernel.Pdf;
using iText.Signatures;

Stream outputStream = new MemoryStream();

List<byte[]> ocspCollection = new List<byte[]>();
List<byte[]> crlCollection = new List<byte[]>();
List<byte[]> certsCollection = new List<byte[]>();

Stream readerStream = new MemoryStream(signedDocument);
PdfReader pdfReader = new PdfReader(readerStream);
PdfSigner pdfSigner = new PdfSigner(pdfReader, outputStream, new StampingProperties().UseAppendMode());

LtvVerification ltvVerification = new LtvVerification(pdfSigner.GetDocument());

// Build the chain with the .NET certificate store and export each element as DER.
X509Chain chain = new X509Chain();
chain.Build(signerCertificate);

foreach (X509ChainElement item in chain.ChainElements)
{
    byte[] certBytes = item.Certificate.Export(X509ContentType.Cert);
    certsCollection.Add(certBytes);
}

foreach (byte[] ocsp in revocationInfo.OCSPResponses)
{
    ocspCollection.Add(ocsp);
}

foreach (byte[] crlBytes in revocationInfo.CRLs)
{
    crlCollection.Add(crlBytes);
}

bool revocationInfoAdded = ltvVerification.AddVerification(signingRequest.FieldName, ocspCollection, crlCollection, certsCollection);

The ltvVerification.AddVerification() method returns true.

Please find the signed document from below link: https://1drv.ms/b/s!AvIgyv7xAxxoihGn9aFbe9TQSps4?e=eKPdn8

Any help in this regard is highly appreciated. Regards

Muddassir Awan
  • Please share the contents of `revocationInfo` to allow reproducing the issue. `ltvVerification.AddVerification` simply adds all it is given to the document... – mkl Feb 20 '20 at 11:57
  • I don't see you calling `ltvVerification.Merge()` after `AddVerification`. That call is required... – mkl Feb 20 '20 at 12:05
  • @mkl Please find the revocation info content from the following link: https://1drv.ms/u/s!AvIgyv7xAxxoihRsi-dTozjqoSpo?e=mgvUWP I was calling ltvVerification.Merge() but that does not add anything to the solution of the issue. – Muddassir Awan Feb 20 '20 at 12:07
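A quick way to see what actually ended up in the document, as an added example that is not part of the question or its comments: read the Document Security Store (/DSS) back out of the produced PDF with the iText 7 kernel API and count the CRL, OCSP, certificate and /VRI entries. It takes the finished PDF as a byte array (for the code above, `((MemoryStream)outputStream).ToArray()` after the document has been closed); the class and method names are mine.

```csharp
// Added example, not from the question: inspect the /DSS of a PDF to check
// which revocation objects iText actually stored. Uses only the iText 7
// kernel API; no signature is created or validated here.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using iText.Kernel.Pdf;

static class DssInspector
{
    public sealed class DssSummary
    {
        public int Crls, Ocsps, Certs, VriEntries;
        public override string ToString() =>
            $"CRLs={Crls} OCSPs={Ocsps} Certs={Certs} VRI entries={VriEntries}";
    }

    // Returns null when the catalog has no /DSS at all, which is the first
    // thing to check when "nothing was embedded".
    public static DssSummary Inspect(byte[] pdfBytes)
    {
        using (PdfReader reader = new PdfReader(new MemoryStream(pdfBytes)))
        using (PdfDocument doc = new PdfDocument(reader))
        {
            PdfDictionary dss = doc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.DSS);
            if (dss == null) return null;

            DssSummary s = new DssSummary();
            s.Crls = CountStreams(dss.GetAsArray(PdfName.CRLs));
            s.Ocsps = CountStreams(dss.GetAsArray(PdfName.OCSPs));
            s.Certs = CountStreams(dss.GetAsArray(PdfName.Certs));

            // /VRI maps the hex SHA-1 of each signature's /Contents to that
            // signature's own Cert/CRL/OCSP arrays. No /VRI entry for a field
            // means AddVerification/Merge never ran for that signature.
            PdfDictionary vri = dss.GetAsDictionary(PdfName.VRI);
            s.VriEntries = vri == null ? 0 : vri.Size();

            PdfArray certs = dss.GetAsArray(PdfName.Certs);
            if (certs != null)
            {
                for (int i = 0; i < certs.Size(); i++)
                {
                    // Certificates are stored as raw DER streams, so they parse directly.
                    X509Certificate2 cert = new X509Certificate2(certs.GetAsStream(i).GetBytes());
                    Console.WriteLine("DSS cert: " + cert.Subject + " (expires " + cert.NotAfter + ")");
                }
            }
            return s;
        }
    }

    private static int CountStreams(PdfArray arr) => arr == null ? 0 : arr.Size();
}
```

If `Inspect` returns null, no DSS was written at all (typically because `Merge()` was not called or the document was never closed); if it returns counts but the viewer still does not report LTV, the stored data does not cover the chain the viewer builds, which is a content problem rather than an embedding problem.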

1 Answer

Some working code

You used a PdfSigner (which only makes sense when also applying a signature or document time stamp but you provided only the already signed file) and have some variables I do not have here. Thus, I essentially wrote an example based on a mere PdfDocument and your shared files without those extra variables:

using System.Collections.Generic;
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;

using (PdfReader pdfReader = new PdfReader("LTV Doc-Revocation Info Issue.pdf"))
using (PdfWriter pdfWriter = new PdfWriter("LTV Doc-Revocation Info Issue-WithRevocation.pdf"))
// Append mode keeps the existing signature intact and adds the DSS in an incremental update.
using (PdfDocument pdfDocument = new PdfDocument(pdfReader, pdfWriter, new StampingProperties().UseAppendMode()))
{
    List<byte[]> ocspCollection = new List<byte[]>();
    List<byte[]> crlCollection = new List<byte[]>();
    List<byte[]> certsCollection = new List<byte[]>();   // left empty: the shared files contain no certificates
    ocspCollection.Add(File.ReadAllBytes(@"Ocsp"));      // DER-encoded OCSP response from the shared files
    crlCollection.Add(File.ReadAllBytes(@"Crl.crl"));    // DER-encoded CRL from the shared files

    LtvVerification ltvVerification = new LtvVerification(pdfDocument);
    // Registers the data for the named signature field ...
    ltvVerification.AddVerification("SH_SIGNATURE_532546", ocspCollection, crlCollection, certsCollection);
    // ... and Merge() actually writes the /DSS (with its /VRI entry) into the document.
    ltvVerification.Merge();
}

Inspecting the result one sees:

Screen shot of PDF structure

In particular the provided OCSP response and the provided CRL are embedded in the PDF, so the iText LtvVerification class does its job.

Possible issues in your project

First of all you say:

I am trying to add revocation information (Crls, OCSP Responses, Certificate Chain) to the signature as an unsigned attributes

This already indicates a mismatch: You use the LtvVerification class, and so do I in the working code above. This class does not change the embedded CMS containers. It does not add the revocation information to the unsigned attributes of the embedded CMS container but instead to the DSS (Document Security Store) structure of the PDF.

Embedding revocation data as unsigned attributes of the embedded CMS signature container actually is not possible in an interoperable way: You either use the signed adbe-revocationInfoArchival attribute in the CMS container or the DSS outside of the CMS container.

(Some validators accept revocation data embedded CAdES-style in the unsigned attributes but strictly speaking that is forbidden in PAdES and not interoperable in PDF 2.0.)

So if you actually want to embed the revocation data in the CMS container, provide them to the PdfSigner signing method of your choice; they all explicitly or implicitly accept revocation data to embed:

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype)

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype, SignaturePolicyInfo signaturePolicy)

public virtual void SignDetached(IExternalSignature externalSignature, X509Certificate[] chain,
    ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient,
    int estimatedSize, PdfSigner.CryptoStandard sigtype, SignaturePolicyIdentifier signaturePolicy)

or

public virtual void SignExternalContainer(IExternalSignatureContainer externalSignatureContainer,
    int estimatedSize)

The former three explicitly accept CRL and OCSP clients (which can be implemented to provide pre-existing CRLs and OCSPs) while the latter gets the full CMS container from the given IExternalSignatureContainer implementation, so in that implementation you can add any information to it you want.

mkl
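The following is an added example that is not part of the answer above: it shows the first of the two routes it describes, handing pre-existing CRL and OCSP data to PdfSigner.SignDetached through small ICrlClient and IOcspClient implementations so the data lands inside the CMS container. It assumes iText 7.1 for .NET (where those interfaces take BouncyCastle X509Certificate parameters; later iText versions changed the types), a PKCS#12 file with the signing key, and placeholder file names, field name and password. The unwrapping step is there because iText expects the DER-encoded BasicOCSPResponse from an IOcspClient, while an OCSP responder hands back the outer OCSPResponse envelope.

```csharp
// Added example, not from the original answer: embed pre-fetched revocation
// data in the CMS container via the client interfaces PdfSigner.SignDetached
// accepts. Targets iText 7.1 for .NET with the Portable.BouncyCastle types it
// uses; file names, field name and the PKCS#12 password are placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using iText.Kernel.Pdf;
using iText.Signatures;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Ocsp;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.X509;

// Hands iText the CRLs you already hold instead of downloading them.
class PreloadedCrlClient : ICrlClient
{
    private readonly List<byte[]> crls;
    public PreloadedCrlClient(IEnumerable<byte[]> crls) { this.crls = new List<byte[]>(crls); }

    // iText calls this once per certificate in the chain; url is the CRL
    // distribution point it found in that certificate, which we ignore here.
    public ICollection<byte[]> GetEncoded(X509Certificate checkCert, string url)
    {
        return crls;
    }
}

// Hands iText a pre-fetched OCSP response for the signing certificate.
class PreloadedOcspClient : IOcspClient
{
    private readonly byte[] basicResponse;
    public PreloadedOcspClient(byte[] basicResponse) { this.basicResponse = basicResponse; }

    public byte[] GetEncoded(X509Certificate checkCert, X509Certificate issuerCert, string url)
    {
        return basicResponse;
    }
}

static class CmsRevocationEmbedding
{
    // iText wants the DER-encoded BasicOCSPResponse; strip the OCSPResponse
    // envelope if the bytes carry one, otherwise pass them through unchanged.
    public static byte[] ToBasicOcspResponse(byte[] ocspBytes)
    {
        try
        {
            OcspResp resp = new OcspResp(ocspBytes);
            if (resp.GetResponseObject() is BasicOcspResp basic)
                return basic.GetEncoded();
        }
        catch (Exception) { /* not an OCSPResponse envelope: assume it is already basic */ }
        return ocspBytes;
    }

    public static void Sign(string inputPdf, string outputPdf, string pkcs12Path, string pkcs12Password,
                            byte[] ocspResponse, IEnumerable<byte[]> crls)
    {
        // Load the private key and certificate chain from the PKCS#12 store (placeholder path/password).
        Pkcs12Store store = new Pkcs12Store(File.OpenRead(pkcs12Path), pkcs12Password.ToCharArray());
        string alias = null;
        foreach (object a in store.Aliases)
        {
            if (store.IsKeyEntry((string)a)) { alias = (string)a; break; }
        }
        ICipherParameters privateKey = store.GetKey(alias).Key;
        X509CertificateEntry[] entries = store.GetCertificateChain(alias);
        X509Certificate[] chain = new X509Certificate[entries.Length];
        for (int i = 0; i < entries.Length; i++) chain[i] = entries[i].Certificate;

        using (PdfReader reader = new PdfReader(inputPdf))
        using (FileStream output = new FileStream(outputPdf, FileMode.Create))
        {
            PdfSigner signer = new PdfSigner(reader, output, new StampingProperties().UseAppendMode());
            signer.SetFieldName("Signature1");   // placeholder field name

            IExternalSignature pks = new PrivateKeySignature(privateKey, DigestAlgorithms.SHA256);
            ICollection<ICrlClient> crlClients = new List<ICrlClient> { new PreloadedCrlClient(crls) };
            IOcspClient ocspClient = new PreloadedOcspClient(ToBasicOcspResponse(ocspResponse));

            // The CRLs and OCSP response go into the signed adbe-revocationInfoArchival
            // attribute of the CMS container; no TSA client and default size estimate here.
            signer.SignDetached(pks, chain, crlClients, ocspClient, null, 0, PdfSigner.CryptoStandard.CMS);
        }
    }
}
```

This is only meaningful when you are creating the signature in the same step: the revocation data becomes part of the signed bytes, so it cannot be added to an already existing signature this way. For an existing signature the DSS route from the working code above is the only option, and in that route `LtvVerification.AddVerification(string, ICollection<byte[]>, ...)` stores the OCSP bytes exactly as given, so there you hand it the full OCSPResponse, not the unwrapped basic response.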
  • Thanks for the quick help and make me understand the scenario. Thumbs up – Muddassir Awan Feb 20 '20 at 14:40
  • How can I do that using DSS signature with Java? – Mehdi Jan 28 '22 at 17:24
  • @Mehdi *"how can i do that using DSS signature with JAVA ?"* - What exactly is the problem you're facing? Are you not sure how to port the code above to Java? Or do you want something somewhat different? – mkl Jan 28 '22 at 17:35
  • In fact what I'm looking for is how to integrate the CRL file and/or the OCSP response in the signature. Here is the code I use to sign in Java: https://stackoverflow.com/questions/66993643/ensure-ltv-verification-using-dss-cms-container – Mehdi Jan 28 '22 at 21:09
  • In the referenced question you appear to look for a way using eSig DSS. This question is focused on iText 7. Thus, what is your library of choice? Furthermore, you want to integrate CRLs and OCSP responses. Are URLs to receive them from included in the certificates? Also, what validation model do you use? Strict ETSI style? Lax Adobe style? Something else? – mkl Jan 29 '22 at 10:49
  • @mkl, I don't know, I'm still new to the signing world so what I'm trying to do is check for certificate revocation (using eSig Dss of course) and embed that response in the signature. So that I arrive at the end that at the opening of the PDF we can see that the verification has been made – Mehdi Jan 31 '22 at 09:29
  • If you want to mainly use eSig DSS, you can embed revocation information by extending the signatures to PAdES-B-LT with eSig DSS. – mkl Jan 31 '22 at 10:56
  • Exactly, but technically I don't know how I can retrieve the revocation information or the CRL file in the PDF signature – Mehdi Jan 31 '22 at 15:14
  • *"I don't know how I can retrieve the revocation information or the CRL file in the DPF signature"* - please explain; above you said you were looking for *how to integrate the CRL file or/and the OSCP response in the signature* and now you want to retrieve the revocation information. So what are you actually looking for? – mkl Jan 31 '22 at 17:16
  • I am trying to insert the information into the signature. I just misspoke – Mehdi Jan 31 '22 at 17:37
  • As you use eSig DSS to create your signature to start with, I assume you create PAdES signatures. In that case please be aware that when integrating revocation information PAdES-style, you don't add them to the signature container but instead in an additional incremental update separately to the document. If you were not aware, you'd probably need a short excursion explaining the different kinds of PDF signatures and their respective ways of achieving LTV. – mkl Jan 31 '22 at 18:23
  • Actually I am still new in this world of signatures. Most of the code I found on the DSS GitHub explains how to use the CommonVerifier object. Can you please give me an example or a way to start? – Mehdi Jan 31 '22 at 19:24