
LTV enabled certificate #94

Open
muristan opened this issue Mar 3, 2021 · 8 comments

Comments

muristan commented Mar 3, 2021

I couldn't yet configure endesive to sign a PDF and get it LTV enabled.
I use an eToken 5100 and an AATL certificate. Getting a valid signature is not a problem, but it's not LTV enabled.
What is important to produce an LTV enabled PDF?

Andreas

m32 (Owner) commented Mar 3, 2021

I have never had such a need and never read the documentation in order to perform such a task.
I think this is related to OCSP (issue #25).

Some links for this subject:
https://stackoverflow.com/questions/26090558/what-does-not-ltv-enabled-mean/26124267
https://stackoverflow.com/questions/51370965/how-can-i-add-pades-ltv-using-itext/51481392#51481392

m32 (Owner) commented Mar 14, 2021

Endesive can't do that yet. After signing the document, generate the DSS structure containing the certificates used in the document and the results of checking their validity.

You can get such data, for example, via Apache PDFBox (`$jars` is a list of the Apache PDFBox libraries):

```shell
java -cp $jars org.apache.pdfbox.examples.signature.validation.AddValidationInformation pdf-signed-cms-m32.pdf
```

As you can see in the attached files, my certificate from Unizeto does not support LTV.
pdf-signed-cms-m32.pdf
pdf-signed-cms-m32_ocsp.pdf

vicpara commented Nov 1, 2022

Hi, for an LTV signature it seems the code is almost there. If I understand the following links correctly, the `RevocationInfoArchival` from the timestamp is the only missing element of the signature. I've tried over the past days to add `RevocationInfoArchival` info to the signature without any success. I was wondering if you can provide any guidance in this direction. Or perhaps I'm simply wrong.

The links:

m32 (Owner) commented Nov 1, 2022

The description of how to work with LTV is, for example: https://www.ssl.com/how-to/long-term-validation-ltv-of-pdf-digital-signatures-in-adobe-acrobat/ but I can't repeat it at home. Maybe it's the certificate's fault.

vicpara commented Nov 7, 2022

I may have got this wrong, but I think if your certificate has a CRL or OCSP property and the OCSP/CRL server is still live and can check its revocation status, then LTV should work.
I'm happy to test here with our certificates.

When using a timestamping and OCSP server during signing, the signature itself has all the properties needed for LTV.
All that's left is to add to the PDF a DSS dictionary that references the cert chain, CRL, OCSP, VRI.
I tried to create the DSS dictionary myself but I cannot find a way to pick up the references for the certificates. Also a new PDF trailer is required after the DSS dictionary is written to the file, and I'm struggling to get it right without corrupting the PDF.

I found more on the structure of the DSS dict, specifications and some examples from another library that implemented LTV.
https://www.etsi.org/deliver/etsi_ts/102700_102799/10277804/01.01.02_60/ts_10277804v010102p.pdf
https://github.com/hejsan/WeasySign/blob/master/weasysign/globalsign.py#L115
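The incremental-update mechanics described in the comment above (DER blobs stored as streams, a DSS dictionary referencing them, a rewritten catalog, a new xref section and a trailer chained to the old one with /Prev), as an added Python example that is not endesive's or WeasySign's code. It assumes the signed PDF uses a classic xref table rather than cross-reference streams, that the catalog object is a plain dictionary, and that the caller passes real DER-encoded certificates, OCSP responses and CRLs; the placeholder byte strings in the demo are constructed, so the output is structurally valid but not actually LTV-verifiable. The optional /VRI entry is left out.

```python
import re


def build_minimal_pdf() -> bytes:
    """Constructed sample input: a one-page PDF with a classic xref table."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def last_trailer(pdf: bytes):
    """Return (/Size, /Root object number, startxref) from the newest trailer."""
    tdict = list(re.finditer(rb"trailer\s*<<(.*?)>>", pdf, re.S))[-1].group(1)
    size = int(re.search(rb"/Size\s+(\d+)", tdict).group(1))
    root = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", tdict).group(1))
    startxref = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    return size, root, startxref


def object_dict_inner(pdf: bytes, objnum: int) -> bytes:
    """Inner text (between << and >>) of the newest definition of object `objnum`."""
    pat = rb"(?m)^%d 0 obj\s*(.*?)\s*endobj" % objnum
    body = list(re.finditer(pat, pdf, re.S))[-1].group(1)
    return body[body.index(b"<<") + 2:body.rindex(b">>")]


def append_dss(pdf: bytes, certs, ocsps=(), crls=()) -> bytes:
    """Append an incremental update carrying a DSS dictionary; signed bytes stay untouched."""
    size, root, prev_xref = last_trailer(pdf)
    catalog_inner = object_dict_inner(pdf, root)
    out = bytearray(pdf)
    if not out.endswith(b"\n"):
        out.extend(b"\n")
    new_objs = []        # (object number, byte offset) for the new xref section
    next_num = size      # /Size is one past the highest object number in use

    def add_object(body_for_num) -> int:
        nonlocal next_num
        num, next_num = next_num, next_num + 1
        new_objs.append((num, len(out)))
        out.extend(b"%d 0 obj\n%s\nendobj\n" % (num, body_for_num(num)))
        return num

    def stream(data: bytes) -> int:   # one DER blob per stream object
        return add_object(lambda _: b"<< /Length %d >>\nstream\n%s\nendstream" % (len(data), data))

    def refs(nums) -> bytes:
        return b"[" + b" ".join(b"%d 0 R" % n for n in nums) + b"]"

    dss = b"<< /Type /DSS /Certs " + refs([stream(c) for c in certs])
    if ocsps:
        dss += b" /OCSPs " + refs([stream(o) for o in ocsps])
    if crls:
        dss += b" /CRLs " + refs([stream(c) for c in crls])
    dss_num = add_object(lambda _: dss + b" >>")

    # Rewritten catalog: every original entry kept, /DSS added, same object number.
    new_objs.append((root, len(out)))
    out.extend(b"%d 0 obj\n<<%s /DSS %d 0 R >>\nendobj\n" % (root, catalog_inner, dss_num))

    # One xref subsection per touched object, then a trailer chained via /Prev.
    xref_pos = len(out)
    out.extend(b"xref\n")
    for num, off in sorted(new_objs):
        out.extend(b"%d 1\n%010d 00000 n \n" % (num, off))
    out.extend(b"trailer\n<< /Size %d /Root %d 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n"
               % (next_num, root, prev_xref, xref_pos))
    return bytes(out)


def xref_entries(pdf: bytes) -> dict:
    """Parse the newest xref section into {objnum: offset} (in-use entries only)."""
    lines = pdf[last_trailer(pdf)[2]:].split(b"\n")
    entries, i = {}, 1   # lines[0] is b"xref"
    while not lines[i].startswith(b"trailer"):
        start, count = (int(x) for x in lines[i].split())
        for k in range(count):
            off, _gen, kind = lines[i + 1 + k].split()
            if kind == b"n":
                entries[start + k] = int(off)
        i += 1 + count
    return entries


if __name__ == "__main__":
    base = build_minimal_pdf()
    # Constructed placeholders standing in for DER certificate / OCSP response bytes.
    updated = append_dss(base, certs=[b"PLACEHOLDER-CERT-DER"], ocsps=[b"PLACEHOLDER-OCSP-DER"])
    print(updated[len(base):].decode("latin-1"))
```

Because the update is appended after the existing `%%EOF`, nothing inside the signature's /ByteRange changes, which is what keeps the signature valid while the DSS is added; a reader following `startxref` finds the new table first and walks back through /Prev to the original. Whether a viewer then reports the signature as LTV enabled depends on the stored responses actually covering the signing chain and the timestamp.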

m32 (Owner) commented Nov 9, 2022

WeasySign creates DSS structures and that's the direction, but other things are more important to me at this time. If you want and can ... please add code that will solve this problem :), PRs always welcome.

ganesharavindh commented

I tried to add it like this with reference to WeasySign, but it doesn't work for me; LTV is not enabled.
[image: screenshot of the attempted code]
Is there anything wrong here? Thanks in advance!

m32 (Owner) commented Nov 28, 2022

@ganesharavindh if it doesn't work then something is wrong; I still have no time for this issue.
