I am validating a PDF document by creating a validation tool. How can I check whether the document is LTV enabled or not? Also, if it's LTV enabled, how can I get the embeddedOCSPResponse / embeddedCRLresponse from the document itself?
1 Answer
> How can I check whether the document is LTV enabled or not?
Adobe Acrobat shows a valid signature as "LTV enabled" if during validation of that signature the validation related information embedded in the PDF sufficed and no extra data needed to be downloaded. (For some background, read other answers here on Stack Overflow concerning the Adobe "LTV enabled" profile, e.g. this one.)
But the requirements of the validation process depend on the configuration of the Adobe Acrobat installation itself and its runtime environment. Thus, you cannot in general say that some PDF signature is "LTV enabled", at best you can say so in relation to some specific configuration of Adobe Acrobat.
Even then, though, this is difficult as the validation algorithms in Adobe Acrobat are not specified. Conceptually they are based on known standards but on one hand these standards do cut implementers some slack and on the other hand there are some quirks in Acrobat that go even beyond that.
What you can do is implement a best effort validation feature in which you also check whether external data is necessary for validation in excess of what is included in the PDF in question.
> If it's LTV enabled, how can I get the embeddedOCSPResponse / embeddedCRLresponse from the document itself?
Have a look at the code in this question. It shows how to extract CRLs embedded in the signed Adobe revocation data attribute, namely using `pkcs7.getCRLs()` for the `PdfPKCS7 pkcs7` retrieved from `AcroFields.verifySignature` for the signature in question. Similarly you can use `pkcs7.getOcsp()` to retrieve an OCSP response from that attribute. Unfortunately only the last such response is held here; to get all of them you have to tweak `PdfPKCS7` a bit.
Then have a look at the code in this answer to that question. It shows how to retrieve validation related information from the DSS dictionary of the PDF.

- Point 1: LTV enabled or not -> I am not looking into Adobe Acrobat, I simply want to know how to retrieve LTV info from the document through iText 7. – neeraj bali Feb 16 '22 at 10:37
- Point 2: `pkcs7.getCRLs()`, `pkcs7.getOcsp()`: it checks online... not offline from the document itself. – neeraj bali Feb 16 '22 at 10:39
- @neerajbali *"LTV enabled or not -> I am not looking into Adobe Acrobat, I simply want to know how to retrieve LTV info from the document through iText 7."* - Ah, in that case the term "LTV enabled" led me astray as I only know it as the name of the Adobe proprietary profile. – mkl Feb 16 '22 at 12:04
- @neerajbali *"`pkcs7.getCRLs()`, `pkcs7.getOcsp()`: it checks online... not offline from the document itself."* - That's wrong. `getCRLs` returns the list of CRLs from the signed Adobe **RevocationInfoArchival** attribute from within the signature container, and similarly `getOcsp` returns the first OCSP response from the signed Adobe **RevocationInfoArchival** attribute from within the signature container. Thus, these methods do *not* check online! – mkl Feb 17 '22 at 07:20
- If you try to run offline, I mean without an internet connection, `pkcs7.getCRLs()`, `pkcs7.getOcsp()` throw a connection refused error: URL, that means it checks the OCSP response online... I might be wrong but this is what I dug up. – neeraj bali Feb 17 '22 at 09:13
- @neeraj Look into the code, `PdfPKCS7.getCRLs()` is a one-liner, `return crls`, and so is `PdfPKCS7.getOcsp()`, `return basicResp`. They cannot throw what you claim they do. Maybe the `pkcs7` object you use is not a `PdfPKCS7` instance, or maybe the `PdfPKCS7` is not the original iText 7 class of that name, or it is that class with some additional aspect applied to change the original behavior. Or maybe you use these method calls immediately as parameters of a call of a method in your own code and misinterpret the source of that exception. You might want to share the stack trace for analysis. – mkl Feb 17 '22 at 10:01
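
Reading revocation data from the DSS dictionary mentioned in the answer, as an added example that is not code from the question, the answer or iText itself. It assumes the iText 7 kernel module and Bouncy Castle (bcpkix) on the classpath; the class name `DssRevocationDump`, the helper `dssStreams` and the PDF path passed as the first argument are illustrative.

```java
import com.itextpdf.kernel.pdf.*;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPResp;

import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.ArrayList;
import java.util.List;

// Hypothetical class name; lists CRLs and OCSP responses stored in the PDF's DSS dictionary.
public class DssRevocationDump {

    // Raw (decoded) bytes of every stream in the DSS array under the given key (CRLs or OCSPs).
    static List<byte[]> dssStreams(PdfDocument pdf, PdfName key) {
        List<byte[]> out = new ArrayList<>();
        PdfDictionary dss = pdf.getCatalog().getPdfObject().getAsDictionary(PdfName.DSS);
        PdfArray array = dss == null ? null : dss.getAsArray(key);
        if (array != null) {
            for (int i = 0; i < array.size(); i++) {
                PdfStream stream = array.getAsStream(i);
                if (stream != null) out.add(stream.getBytes());
            }
        }
        return out; // empty when the document has no DSS or no such array
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the signed PDF (supplied by the caller)
        try (PdfDocument pdf = new PdfDocument(new PdfReader(args[0]))) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (byte[] der : dssStreams(pdf, PdfName.CRLs)) {
                X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(der));
                System.out.println("CRL issuer=" + crl.getIssuerX500Principal()
                        + " thisUpdate=" + crl.getThisUpdate()
                        + " nextUpdate=" + crl.getNextUpdate());
            }
            for (byte[] der : dssStreams(pdf, PdfName.OCSPs)) {
                OCSPResp resp = new OCSPResp(der);
                if (resp.getStatus() != OCSPResp.SUCCESSFUL) continue; // carries no basic response
                BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
                System.out.println("OCSP producedAt=" + basic.getProducedAt()
                        + " singleResponses=" + basic.getResponses().length);
            }
        }
    }
}
```

The code only parses objects already stored in the file, so it runs without a network connection; revocation data held in the signed Adobe attribute inside the signature container is not covered by it.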