How to enable timestamping and LTV?

[agunghp]

Hi, is there any way to enable timestamping and LTV using HexaPDF?
Thanks

[gettalong]

No, this is not possible at the moment. However, this is on my TODO list and I'm currently looking into adding support for both.

[agunghp]

Got it. Looking forward for the support

[gettalong]

It is now possible to create PAdES level B-B and B-T)signatures and the latter contain timestamps from a trusted timestamping server. Old-style CMS signatures with a timestamp are also possible.

Those signatures appear as "LTV enabled" in certain viewers but are not LTV.

So this answers part of your question.

[agunghp]

Thank you for the update this is very helpful.

It will be great if it can fully support LTV in the future.

[maxfindel]

Hey @gettalong thanks for this update. The support for PAdES is working great for me. I was looking into adding the DSS information required to have LTV and I noticed that it's added as a sibling Dictionary next to AcroForm, Metadata and Pages as the images show:

To achieve this, I used the "Add Verification Info" option inside Acrobat Reader on the signed PDF and the result was a modified file that has LTV.

To get the CRL and OCSP responses I tried this approach and it worked with my certs (which have CRL and OCSP endpoints). I was able to get a valid response, which can be later added to the PDF.

I think this code could be added to hexapdf as a standalone validation class. This validation can be done after the signature process and then the result can be added to the right dictionary, constructing the data similarly to the signed_data_creator.rb class.

Can you point me in the right direction in order to add the DSS data to the PDF catalog? Thanks!

[gettalong]

What is missing from HexaPDF's signing feature that doesn't allow you to use it? I.e. so that you wouldn't need to depend on a third-party tool for creating the CMS structure. Signing the hash would still need to be done externally - I guess - since you are creating a qualified signature where you need a secure device to sign the hash.

[dmke]

I had started with a DefaultHandler subclass (overriding the #sign method), but I'm not sure anymore why I haven't followed through.

IIRC, the SignedDataCreator required the certificate chain to already be present in #create_signed_attrs, but we could only extract it in the #digest_and_sign_data call (which happened afterwards). There were also multiple warnings and errors in the ETSI conformance checker (but those might have been due to user error).

Thinking about it, it might be sensible to go back to a DefaultHandler subclass. Since the QSCD certificate chain is relatively static, our service can expose them on a separate endpoint, so that the sealer code could cache them locally. On the other hand, it feels like there's not much missing here—but that's something I've told myself (and my boss) on every turn so far :)

[gettalong]

The method #digest_and_sign_data is called before #create_signed_data where the certificates are embedded. So setting them in #digest_and_sign_data should work. Only the signing certificate itself is needed before #digest_and_sign_data.

[gettalong]

IIRC, the SignedDataCreator required the certificate chain to already be present in #create_signed_attrs, but we could only extract it in the #digest_and_sign_data call (which happened afterwards). There were also multiple warnings and errors in the ETSI conformance checker (but those might have been due to user error).

If you like, I could have a look at those PDF files and see if I can find something.

[dmke]

I don't have access to those PDF files anymore. It was early in the development, and large changes happened in rapid succession.

I'm going to spend a little time tomorrow (well... later) restoring a previous version. If you're interested, I may also be able to provide you access to the signature service, so you don't need to play with fixtures.

[funnyphone]

hi maxfindel

It seems that following link is not available now. Could you please share the source patch again? thanks a lot.

The code is a bit long and not so elegant as the rest of the library, but here it is in case you want to use it, Thomas:
https://gist.github.com/maxfindel/af4afccc6261d7053946dbe2dd837b14

[gettalong]

I just tried it and it works for me.

[funnyphone]

hi Thomas, That's great. Thanks a lot.