Embed both OCSP and CRL to a certified PDF

I am trying to make sure documents that we certify have all the long term validation information that's needed. In this specific case, the certificate chain looks like this:

[Adobe Root CA] -> [Geotrust CA for Adobe] -> [Our organizational certificate we use for signing]

Our organizational certificate indicates that the method for checking revocation is OCSP, while the Geotrust CA for Adobe only relies on CRLs. It is not enough to only include the OCSP response, since all certificates (except the root) in the certificate chain need to have their revocation information embedded in order for long term validation to work.

I have tried with the example for timestamps and OCSP at http://itextpdf.sourceforge.net/howtosign.html, just adding the CRLs as well. It seems the OCSP response for our organization certificate is correctly embedded, since when I open the file in Adobe Reader it shows as embedded in the details. However, the CRL for the Geotrust CA for Adobe doesn't seem to be embedded; the details show that it is reading it from a CRL that Adobe Reader downloaded. To test long term validation, I cleared the CRL cache for Reader, went offline and moved my clock forward. Sure enough, the signature showed as invalid since it doesn't have all the necessary revocation information for long term validation.

I have even tried to only use CRLs (since our organizational certificate also has a CRL distribution point), but it seems that the fact that the organizational certificate indicates OCSP as the method in the Authority Info Access field makes Adobe prefer that over the embedded CRLs.

Here is the code that I am using:

// At this point, the private key, certificates and CRLs are already loaded
int contentEstimated = 8500;
byte[] ocsp = null;
// Fetch an OCSP response for the signing certificate from its AIA URL, signed by its issuer chain[1]
if (chain.length >= 2) {
    String url = PdfPKCS7.getOCSPURL((X509Certificate) chain[0]);
    if (url != null && url.length() > 0) {
        ocsp = new OcspClientBouncyCastle((X509Certificate) chain[0], (X509Certificate) chain[1], url).getEncoded();
        contentEstimated += ocsp.length * 2;
    }
}
TSAClient tsc = new TSAClientBouncyCastle(tsURL, null, null);
PdfReader reader = new PdfReader(sourcePDF);
FileOutputStream fout = new FileOutputStream(targetPDF);
PdfStamper stp = PdfStamper.createSignature(reader, fout, '\0');
PdfSignatureAppearance sap = stp.getSignatureAppearance();
sap.setReason("This document is authentic and accurate.");
sap.setLocation("USA");
sap.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
sap.setCrypto(null, chain, crls.toArray(new CRL[0]), null);
PdfSignature dic = new PdfSignature(PdfName.ADOBE_PPKLITE, PdfName.ADBE_PKCS7_DETACHED);
dic.setReason(sap.getReason());
dic.setLocation(sap.getLocation());
dic.setDate(new PdfDate(sap.getSignDate()));
sap.setCryptoDictionary(dic);
// Reserve space in /Contents for the signature, the OCSP response and the CRLs
HashMap exc = new HashMap();
exc.put(PdfName.CONTENTS, new Integer(contentEstimated * 2 + 2));
sap.preClose(exc);
PdfPKCS7 sgn = new PdfPKCS7((PrivateKey) key, chain, crls.toArray(new CRL[0]), "SHA1", null, false);
InputStream data = sap.getRangeStream();
MessageDigest messageDigest = MessageDigest.getInstance("SHA1");
byte buf[] = new byte[8192];
int n;
while ((n = data.read(buf)) > 0) {
    messageDigest.update(buf, 0, n);
}
byte hash[] = messageDigest.digest();
Calendar cal = Calendar.getInstance();
// The signed attributes (including the revocation data) are built by PdfPKCS7 itself
byte sh[] = sgn.getAuthenticatedAttributeBytes(hash, cal, ocsp);
sgn.update(sh, 0, sh.length);
byte[] encodedSig = sgn.getEncodedPKCS7(hash, cal, tsc, ocsp);
if (contentEstimated + 2 < encodedSig.length)
    throw new Exception("Not enough space");
byte[] paddedSig = new byte[contentEstimated];
System.arraycopy(encodedSig, 0, paddedSig, 0, encodedSig.length);
PdfDictionary dic2 = new PdfDictionary();
dic2.put(PdfName.CONTENTS, new PdfString(paddedSig).setHexWriting(true));
sap.close(dic2);

I know it is possible to embed both, at least with Adobe products, since I just saw a PDF also using the same root and intermediate CA chain that has both the OCSP response for the end certificate and the CRL for the GeoTrust CA for Adobe embedded. That sample can be found at http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_admin_guide_8.x.pdf?version=1

Any help, guidance or samples are greatly appreciated.

Best regards,
Daniel Uribe

_______________________________________________
iText-questions mailing list
iText-questions@...
https://lists.sourceforge.net/lists/listinfo/itext-questions
Buy the iText book: http://www.1t3xt.com/docs/book.php
Check the site with examples before you ask questions: http://www.1t3xt.info/examples/
You can also search the keywords list: http://1t3xt.info/tutorials/keywords/
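An added example, not from the thread, that automates the check Daniel did by hand (clear cache, go offline, move the clock): it opens a signed PDF with the iText 2.1.7 API the post uses and reports, per signature, which non-root chain certificates are covered by revocation data actually carried inside the signature. It assumes iText 2.1.7 and its BouncyCastle dependency on the classpath; CRL coverage is judged by issuer match only, so a real validator must additionally verify the CRL signature and validity window.

```java
import java.security.cert.CRL;
import java.security.cert.Certificate;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import com.lowagie.text.pdf.AcroFields;
import com.lowagie.text.pdf.PdfPKCS7;
import com.lowagie.text.pdf.PdfReader;

public class LtvCheck {
    // Reports, per signature, which non-root chain certificates are covered by revocation data
    // carried inside the signature itself (CRLs in the CMS, OCSP in adbe-revocationInfoArchival).
    public static boolean check(String path) throws Exception {
        PdfReader reader = new PdfReader(path);
        AcroFields af = reader.getAcroFields();
        boolean allCovered = true;
        for (Iterator it = af.getSignatureNames().iterator(); it.hasNext();) {
            String name = (String) it.next();
            PdfPKCS7 pk = af.verifySignature(name);
            System.out.println("Signature " + name + ": digest/signature ok = " + pk.verify());
            Certificate[] chain = pk.getSignCertificateChain();  // chain[0] is the signing certificate
            Collection crls = pk.getCRLs();                       // CRLs embedded in the signature
            // an embedded OCSP response only helps if it actually answers for the signing certificate
            boolean ocspForSigner = pk.getOcsp() != null && pk.isRevocationValid();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate cert = (X509Certificate) chain[i];
                if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
                    continue;  // self-signed root is the trust anchor; no revocation data expected
                boolean covered = (i == 0 && ocspForSigner) || coveredByCrl(cert, crls);
                System.out.println("  " + cert.getSubjectX500Principal().getName()
                        + (covered ? ": covered" : ": NOT covered, Reader would have to download it"));
                allCovered &= covered;
            }
        }
        reader.close();
        return allCovered;  // true only when nothing would need to be fetched offline
    }

    // Heuristic: a CRL counts for a certificate when it was issued by that certificate's issuer.
    // A full validator must also check the CRL signature and its thisUpdate/nextUpdate window.
    static boolean coveredByCrl(X509Certificate cert, Collection crls) {
        if (crls == null) return false;
        for (Iterator it = crls.iterator(); it.hasNext();) {
            CRL crl = (CRL) it.next();
            if (crl instanceof X509CRL && ((X509CRL) crl).getIssuerX500Principal().equals(cert.getIssuerX500Principal()))
                return true;
        }
        return false;
    }
}
```

Run against the PDF produced by the code above, the Geotrust CA for Adobe certificate will show as NOT covered, which is exactly the offline failure described in the post.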
Re: Embed both OCSP and CRL to a certified PDF

Hi Daniel,

did you try to embed the CRL as an authenticated attribute? This should do the job ...

Greetings
Andreas

From: "Uribe-Herrerias, Daniel" <daniel.uribe@...>
To: itext-questions@...
Sent: Fri, November 6, 2009 7:03:46 PM
Subject: [iText-questions] Embed both OCSP and CRL to a certified PDF
[quoted message: Daniel's original post above]
Re: Embed both OCSP and CRL to a certified PDF

Currently only one validation is inserted, having OCSP priority. There's nothing preventing both OCSP and CRL together other than I (wrongly) assuming that nobody would want both at the same time.

Paulo

From: Uribe-Herrerias, Daniel [daniel.uribe@...]
Sent: Friday, November 06, 2009 6:03 PM
To: itext-questions@...
Subject: [iText-questions] Embed both OCSP and CRL to a certified PDF
[quoted message: Daniel's original post above]
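An added example, not Paulo's or iText's own code from this thread, showing what Andreas's suggestion and Paulo's remark point at: one adbe-revocationInfoArchival signed attribute that carries both the CRLs and the OCSP response, instead of the single entry PdfPKCS7 wrote at the time. It follows the RevocationInfoArchival structure the PDF specification defines for this attribute and is written against the BouncyCastle 1.4x ASN.1 classes iText 2.1.7 depended on; a patched getAuthenticatedAttributeSet would add the returned Attribute to its signed-attribute set.

```java
import java.security.cert.X509CRL;
import java.util.Collection;
import java.util.Iterator;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.DEREnumerated;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;

public class RevocationArchival {
    // OID of the adbe-revocationInfoArchival signed attribute that Adobe Reader reads for LTV
    static final DERObjectIdentifier ID_ADBE_REVOCATION = new DERObjectIdentifier("1.2.840.113583.1.1.8");
    // RevocationInfoArchival ::= SEQUENCE {
    //   crl  [0] EXPLICIT SEQUENCE OF CertificateList OPTIONAL,
    //   ocsp [1] EXPLICIT SEQUENCE OF OCSPResponse   OPTIONAL }
    // crls: X509CRL objects for every non-root issuer; basicOcsp: DER BasicOCSPResponse for the signing
    // certificate (what OcspClientBouncyCastle.getEncoded() returns). Either may be null or empty.
    public static Attribute build(Collection crls, byte[] basicOcsp) throws Exception {
        ASN1EncodableVector archival = new ASN1EncodableVector();
        if (crls != null && !crls.isEmpty()) {
            ASN1EncodableVector crlSeq = new ASN1EncodableVector();
            for (Iterator it = crls.iterator(); it.hasNext();) {
                X509CRL crl = (X509CRL) it.next();
                crlSeq.add(new ASN1InputStream(crl.getEncoded()).readObject());
            }
            archival.add(new DERTaggedObject(true, 0, new DERSequence(crlSeq)));
        }
        if (basicOcsp != null) {
            // The attribute carries full OCSPResponse values (RFC 2560), so wrap the BasicOCSPResponse:
            // OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED (successful = 0),
            //   responseBytes [0] EXPLICIT SEQUENCE { responseType id-pkix-ocsp-basic, response OCTET STRING } }
            ASN1EncodableVector responseBytes = new ASN1EncodableVector();
            responseBytes.add(OCSPObjectIdentifiers.id_pkix_ocsp_basic);
            responseBytes.add(new DEROctetString(basicOcsp));
            ASN1EncodableVector ocspResponse = new ASN1EncodableVector();
            ocspResponse.add(new DEREnumerated(0));
            ocspResponse.add(new DERTaggedObject(true, 0, new DERSequence(responseBytes)));
            ASN1EncodableVector ocspSeq = new ASN1EncodableVector();
            ocspSeq.add(new DERSequence(ocspResponse));
            archival.add(new DERTaggedObject(true, 1, new DERSequence(ocspSeq)));
        }
        // a signed attribute's value is a SET holding the single RevocationInfoArchival SEQUENCE
        return new Attribute(ID_ADBE_REVOCATION, new DERSet(new DERSequence(archival)));
    }
}
```

Because the attribute is signed, Reader only trusts revocation data placed here at signing time, which is why the CRLs in the CMS alone did not satisfy its LTV check in the post.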