Embed a CRL or OCSP response to a signature that already exists in the PDF


by Daniel Uribe


I have documents that were signed with Adobe CDS certificates using iText, including a secure timestamp. It seems that for long-term validation we also need to add the OCSP response or CRL (depending on the certificate we use, since each one supports a different method). Is it possible to modify the PKCS 7 structure just to add one of these without invalidating the signature itself? I read this is something that Acrobat offers, to enable end-users to sign documents while they are offline, adding the online portions (secure timestamp, CRL and OCSP response) to the signatures later.

 

Thank you,

Daniel Uribe


------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
iText-questions mailing list
iText-questions@...
https://lists.sourceforge.net/lists/listinfo/itext-questions

Buy the iText book: http://www.1t3xt.com/docs/book.php
Check the site with examples before you ask questions: http://www.1t3xt.info/examples/
You can also search the keywords list: http://1t3xt.info/tutorials/keywords/

Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Paulo Soares


Timestamp may be added later as it's an unsigned attribute but not CRL or OCSP. CRL and OCSP are signed attributes and in practice the PKCS7 must be regenerated and re-signed.

Paulo

> -----Original Message-----
> From: Uribe-Herrerias, Daniel [mailto:daniel.uribe@...]
> Sent: Thursday, October 29, 2009 5:49 PM
> To: itext-questions@...
> Subject: [iText-questions] Embed a CRL or OCSP response to a
> signature that already exists in the PDF
Disclaimer:
This message is destined exclusively to the intended receiver. It may contain confidential or legally protected information. The incorrect transmission of this message does not mean the loss of its confidentiality. If this message is received by mistake, please send it back to the sender and delete it from your system immediately. It is forbidden to any person who is not the intended receiver to use, distribute or copy any part of this message.



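Paulo's distinction above is the whole answer, so here is a worked illustration of it, added here as an example; it is not iText code and not something posted in the thread. It builds the RFC 5652 attribute sets with a small DER encoder using the real OIDs: the signature is computed over DER(signedAttrs) only, so an RFC 3161 signatureTimeStampToken appended to unsignedAttrs leaves verification intact, while splicing Adobe's adbe-revocationInfoArchival attribute (the signed attribute Acrobat reads CRL/OCSP data from) into signedAttrs breaks it, and only a fresh signature over the new set repairs it. Assumptions: an HMAC-SHA256 under a constructed key stands in for the signer's RSA/ECDSA operation, and the CRL and timestamp values are placeholder DER, not real responses. One caveat the thread does not spell out: plain CMS also has a SignedData.crls field that no signature covers, but that is not where the Adobe archival attribute lives, so it does not help an Acrobat-style signature.

```python
"""Signed vs. unsigned CMS attributes, as Paulo describes.

Added illustration, not iText code.  Real OIDs and RFC 5652 DER layout; an
HMAC-SHA256 under a constructed key stands in for the signer's RSA/ECDSA
operation (assumption), and the CRL/timestamp values are placeholder DER.
"""
import hashlib
import hmac

OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"             # id-contentType (signed attr)
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"           # id-messageDigest (signed attr)
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"               # id-data
OID_ADBE_REVOCATION_INFO = "1.2.840.113583.1.1.8"     # adbe-revocationInfoArchival (signed attr)
OID_SIGNATURE_TIMESTAMP = "1.2.840.113549.1.9.16.2.14"  # id-aa-signatureTimeStampToken (unsigned)


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def der_attribute(oid, value_der):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }."""
    return der(0x30, der_oid(oid) + der(0x31, value_der))


def der_attribute_set(attrs):
    """SET OF Attribute; DER orders the elements by their encoding."""
    return der(0x31, b"".join(sorted(attrs)))


def sign(key, data):
    """Stand-in for the signer's private-key operation (assumption: HMAC, not RSA)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signer_info(key, content, revocation_der=None):
    """Build a SignerInfo-like record.  The signature covers DER(signedAttrs) only
    (RFC 5652 section 5.4); unsignedAttrs are outside it."""
    attrs = [
        der_attribute(OID_CONTENT_TYPE, der_oid(OID_PKCS7_DATA)),
        der_attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha256(content).digest())),
    ]
    if revocation_der is not None:
        attrs.append(der_attribute(OID_ADBE_REVOCATION_INFO, revocation_der))
    signed = der_attribute_set(attrs)
    return {"attrs": attrs, "signedAttrs": signed, "signature": sign(key, signed),
            "unsignedAttrs": []}


def verify(key, content, si):
    """Validator's view: messageDigest must match the content and the signature
    must match the signed attribute set.  unsignedAttrs are never hashed."""
    digest_attr = der_attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha256(content).digest()))
    if digest_attr not in si["signedAttrs"]:
        return False
    return hmac.compare_digest(sign(key, si["signedAttrs"]), si["signature"])


def add_timestamp_token(si, tst_der):
    """Paulo's first case: a timestamp is an unsigned attribute, added after the fact."""
    si["unsignedAttrs"].append(der_attribute(OID_SIGNATURE_TIMESTAMP, tst_der))
    return si


def splice_revocation_into_signed(si, revocation_der):
    """What the question asks for: put the CRL/OCSP archival attribute into the
    existing signed set.  Its DER changes, so the old signature no longer matches."""
    si["attrs"].append(der_attribute(OID_ADBE_REVOCATION_INFO, revocation_der))
    si["signedAttrs"] = der_attribute_set(si["attrs"])
    return si


def demo():
    key = b"constructed-demo-signing-key"
    content = b"%PDF-1.4 constructed sample bytes covered by /ByteRange"
    crl_placeholder = der(0x30, der(0x02, b"\x01"))   # stands in for a CRL/OCSP DER blob
    tst_placeholder = der(0x30, der(0x02, b"\x02"))   # stands in for an RFC 3161 TimeStampToken
    si = signer_info(key, content)
    out = {"original": verify(key, content, si)}
    add_timestamp_token(si, tst_placeholder)
    out["after_unsigned_timestamp"] = verify(key, content, si)
    splice_revocation_into_signed(si, crl_placeholder)
    out["after_spliced_revocation"] = verify(key, content, si)
    # The only clean fix: regenerate the signed attributes with the archival
    # attribute present and sign again, which is Paulo's "re-signed".
    out["resigned_with_revocation"] = verify(key, content, signer_info(key, content, crl_placeholder))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'verifies' if ok else 'FAILS'}")
```

Running it prints four lines: the original and the timestamped variants verify, the spliced one fails, the re-signed one verifies. Swapping the HMAC for a real RSA signature changes nothing about which bytes are covered, which is the point.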

Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Leonard Rosenthol


OR...

You can use the method described in PAdES (ETSI TS 102778) Part 4 called LTV that is fully supported by Acrobat/Reader 9.1 and later.

Leonard

-----Original Message-----
From: Paulo Soares [mailto:psoares@...]
Sent: Thursday, October 29, 2009 2:38 PM
To: Post all your questions about iText here
Subject: Re: [iText-questions] Embed a CRL or OCSP response to a signature that already exists in the PDF




Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Paulo Soares


You are right, of course, it can be done with a DSS dictionary.

Paulo

> -----Original Message-----
> From: Leonard Rosenthol [mailto:lrosenth@...]
> Sent: Thursday, October 29, 2009 6:54 PM
> To: Post all your questions about iText here
> Subject: Re: [iText-questions] Embed a CRL or OCSP response
> to a signature that already exists in the PDF




Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Daniel Uribe


Thank you Paulo and Leonard for your quick response and help, I really appreciate it. I am reading the PAdES LTV Profile (ETSI TS 102-778-4) document, but if only Adobe Reader/Acrobat 9.1 and above support it, it may not work for me, since the system is supposed to support 7.0 and above. If this is the only option, I may have to go with the difficult choice of resigning every document that is missing the revocation information. Do any of you know if this method to read long term validation information from a DSS dictionary works in older versions of Adobe Reader/Acrobat?

 

Do you have any examples or information on how to add the CRL or OCSP responses to the DSS dictionary? The signing with timestamp is currently just using something similar to what’s provided at http://itextpdf.sourceforge.net/howtosign.html and I am not sure if that uses the DSS dictionary, if it doesn’t, I am not sure the Long Term Validation information could be added this way.

 

Thanks again,

 

Daniel Uribe



Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Leonard Rosenthol


No, Acrobat/Reader 9.1 are the first versions to support LTV/DSS.  All earlier versions will ignore it.

 

You will need to add the necessary code to iText to write DSS dictionaries – no such support exists today.

 

Leonard

 

From: Uribe-Herrerias, Daniel [mailto:daniel.uribe@...]
Sent: Friday, October 30, 2009 11:44 AM
To: itext-questions@...
Subject: Re: [iText-questions] Embed a CRL or OCSP response to a signature that already exists in the PDF

 



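Daniel asks for an example of putting CRL or OCSP responses into a DSS dictionary, and Leonard's answer is that iText had no code for it at the time. What such code has to produce is the PAdES-LTV incremental update (ETSI TS 102 778-4, later ISO 32000-2 12.8.4.4), shown here as an added example in Python rather than Java; it is not iText's code and not from the thread. Only new bytes are appended after the last %%EOF: a stream object for each DER certificate, OCSP response and CRL, a /DSS dictionary that references them globally and per signature under /VRI (keyed by the uppercase hex SHA-1 of the signature's /Contents bytes), a re-emitted catalog carrying /DSS, and a new xref section whose /Prev points at the old one. Because the original bytes are untouched, the digest over the existing signature's /ByteRange still matches, which is why this works where editing the PKCS#7 does not. Assumptions and limits: the sample PDF, the certificate and OCSP byte strings and the signature value are constructed placeholders; the catalog rewrite uses a regex that suffices for the flat sample catalog but is no substitute for a real object parser; the VRI key is computed over the hex-decoded /Contents string as stored, so confirm padding handling against the validator you target; and, as Leonard says above, readers before Acrobat/Reader 9.1 ignore /DSS entirely.

```python
"""PAdES-LTV /DSS as an incremental update to an already-signed PDF.

Added illustration, not iText code.  Appends certificates, OCSP responses and
CRLs as stream objects plus a /DSS dictionary after the existing %%EOF, so the
bytes covered by the existing signature's /ByteRange never change.  The PDF,
the DER blobs and the signature value below are constructed placeholders.
"""
import hashlib
import re


def build_minimal_pdf():
    """Constructed sample document (no real signature): catalog, pages, one page."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def vri_key(signature_contents):
    """/VRI entry name: uppercase hex SHA-1 of the signature's /Contents bytes
    (ISO 32000-2 12.8.4.4).  Hash the hex-decoded string as stored in the file;
    confirm padding handling against the validator you target (assumption)."""
    return hashlib.sha1(signature_contents).hexdigest().upper()


def _stream(data):
    return b"<< /Length %d >>\nstream\n%s\nendstream" % (len(data), data)


def _refs(nums):
    return b"[" + b" ".join(b"%d 0 R" % n for n in nums) + b"]" if nums else b""


def _dict(pairs):
    """PDF dictionary from (key, value) pairs; empty values are omitted."""
    return b"<< " + b" ".join(b"/" + k + b" " + v for k, v in pairs if v) + b" >>"


def append_dss(pdf, signature_contents, certs=(), ocsps=(), crls=()):
    """Return pdf + an incremental update carrying a DSS for one signature."""
    # Locate the current trailer (the last one wins in an already-updated file).
    m = list(re.finditer(rb"trailer\s*<<(.*?)>>\s*startxref\s*(\d+)", pdf, re.S))[-1]
    tdict, prev_xref = m.group(1), int(m.group(2))
    size = int(re.search(rb"/Size\s+(\d+)", tdict).group(1))
    root = int(re.search(rb"/Root\s+(\d+)\s+0\s+R", tdict).group(1))
    # Catalog body to re-emit with /DSS added.  The regex is adequate for the
    # flat sample catalog only; a real file needs a real object parser here.
    cat = re.search(rb"(?<![0-9])%d 0 obj\s*<<(.*?)>>\s*endobj" % root, pdf, re.S).group(1)

    new_objs, next_num = [], size          # new object numbers start at /Size

    def alloc(body):
        nonlocal next_num
        new_objs.append((next_num, body))
        next_num += 1
        return next_num - 1

    cert_nums = [alloc(_stream(c)) for c in certs]
    ocsp_nums = [alloc(_stream(o)) for o in ocsps]
    crl_nums = [alloc(_stream(c)) for c in crls]
    per_sig = _dict([(b"Cert", _refs(cert_nums)), (b"OCSP", _refs(ocsp_nums)),
                     (b"CRL", _refs(crl_nums))])
    dss_num = alloc(_dict([
        (b"Type", b"/DSS"),
        (b"Certs", _refs(cert_nums)), (b"OCSPs", _refs(ocsp_nums)), (b"CRLs", _refs(crl_nums)),
        (b"VRI", _dict([(vri_key(signature_contents).encode(), per_sig)])),
    ]))
    # Same object number as the old catalog: the update supersedes it without
    # touching the original bytes.
    new_objs.append((root, b"<<" + cat.rstrip() + b" /DSS %d 0 R >>" % dss_num))

    out = bytearray(pdf if pdf.endswith(b"\n") else pdf + b"\n")
    offsets = {}
    for num, body in new_objs:
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_off = len(out)
    out += b"xref\n" + b"".join(b"%d 1\n%010d 00000 n \n" % (n, offsets[n]) for n in sorted(offsets))
    out += b"trailer\n<< /Size %d /Root %d 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (
        next_num, root, prev_xref, xref_off)
    return bytes(out)


def dss_vri_keys(pdf):
    """Signature digests the DSS covers (what a validator looks up)."""
    return [k.decode() for k in re.findall(rb"/VRI\s*<<\s*/([0-9A-F]{40})", pdf)]


if __name__ == "__main__":
    original = build_minimal_pdf()
    sig_value = b"constructed CMS signature bytes (would be the hex-decoded /Contents)"
    updated = append_dss(original, sig_value, certs=[b"CERT-DER"], ocsps=[b"OCSP-RESPONSE-DER"])
    assert updated.startswith(original)        # signed bytes untouched
    print(updated[len(original):].decode("latin-1"))
```

For a real document, read the signature's /Contents hex string out of the signature dictionary, hex-decode it, and pass those bytes as `signature_contents`; the appended section is what the validator walks from the new trailer's /Root to find /DSS. Checking `updated.startswith(original)` is the simplest proof that the update cannot have invalidated the existing signature.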

Re: Embed a CRL or OCSP response to a signature that already exists in the PDF

by Daniel Uribe


I will have to go with resigning them, then. Thank you very much for the quick responses and help.

 

Daniel

