LTV Long Term Validation

[certifirm]

I am trying to sign pdf with LTV and yes, it's posible.

I am using two signatures (in Spain). One is obtained using DNIe (National Document Identity Electronic). Another it's obtained directly from an Authorithy. (FNMT in Spain)

I am using this command:

java -jar ../SailsBE_dev/JSignPdf/jsignpdf-1.6.4/JSignPdf.jar 1_test.pdf -cl CERTIFIED_NO_CHANGES_ALLOWED --disable-acrobat6-layer-mode --disable-assembly --disable-copy --disable-fill --disable-modify-annotations --disable-modify-content --hash-algorithm SHA512 --keystore-file ../SailsBE_dev/JSignPdf/sign.p12 --keystore-type PKCS12 --keystore-password '' --tsa-server-url http://tsa.izenpe.com --tsa-hash-algorithm SHA512 --out-directory . --out-suffix _firmado --ocsp --ocsp-server-url http://ocspusu.cert.fnmt.es/ocspusu/OcspResponder -llx 5 -lly 80 -urx 300 -ury 30 -V -fs 8 -pg 10000

Well, when I sign a document using the first one, it doesn't verify the OCSP, but it exists in the signature.

Using the second one, aparently the same, it does the verification with OCSP and LTV is enabled in the document.

How is this posible?

Can I force the use of OCSP?

Thanks

[michnovka]

I have the same issue. Any idea please?

[kwart]

Can you elaborate more about:

• steps taken,
• current behavior,
• expected behavior?

The most helpful would be if you could investigate it and send a pull request with a patch.

[michnovka]

@kwart I actually found the issue I have is a bit different. I simply cannot get LTV signature with jsignpdf at all. If I sign using Acrobat Reader, then the signature is LTV. I have no idea why this happens and how the 2 signatures differ. I can sign a sample document with both and send you to have a look if you have time.

I am not a Java developer, I can only read Java. I can help with debugging and testing. I use Czech National ID with Qualified cert from I.CA. Like I said, Acrobat-generated signature shows as LTV, JSignPDF does not. I use the same Qualified TSA on both (again from I.CA).

[michnovka]

@kwart here is the same file signed with the same cert and using the same TSA. One is LTV enabled (the Acrobat one), the other is not (JSignPDF 2.0.0)

pdf_sign_test_acrobat.pdf
pdf_sign_test_signed_jsign.pdf

[JohnPlanetary]

I have no problem in having PDF files signed with timestamp with LTV enabled in JSignPDF 2.0.0.

Your just need to enable, in the advanced view > "TSA/OCSP/CRL", the "Enable CRL" option and the "Enable OCSP" option. And that is all. If something gives error disable the "Enable OCSP" option. Don't enter default OCSP server URL unless your are provided with that specific information.

What may happen is that your need to start the JSignPDF 2.0.0 with more memory allocated if the CRL files from the Digital Signature provider are too big.

In Microsoft Windows create a new shortcut with something looking like:
"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar -Xmx2048m "D:\jsignpdf-2.0.0\JSignPdf.jar"
in the destiny path of the shortcut, and in "Begin in":
"C:\Program Files\Java\jre1.8.0_301\bin"

Just need to remember every time Java is updated that the paths must be updated in the shortcut.
The paths need to be adjusted to your specific machine, the above is just a example.

Notice: the resulting PDF file may be huge! If the CRL file of the Digital Signature provider is big... because the program will attempt to download all the CRL files from all the sub-CA's that may exist between the Root CA and the final user certificate.

Your may test just enable the "Enable OCSP" option, and disable the "Enable CRL" option, but at least here I was never able to have the signature to be done with LTV (always get a error) unless I also disable the "Use timestamp server", but your are using a different certificate authority maybe it works in your case.

Basically play with the options to find the option that pleases your the best.

[kwart]

@JohnPlanetary Thanks a lot for sharing the experience and the guide 👍

[JohnPlanetary]

@kwart thank you very much for your wonderful program! And for keeping the program updated, even if less frequently.
Very glad I could be useful in clarifying these doubt.

[dog42]

First of all, I would like to thank you for the development of this tool, I am really glad to have a signing tool that works well on Linux systems.

Just like @JohnPlanetary I was also able to create a signed PDF file with timestamp and with LTV enabled. However, this only works if I enable the "Append signature" option. This is the config:

Unfortunately, attaching the signatures only seems to be possible with PDF version >= 1.7., is this right?
But if jsignpdf tries to increase the PDF version an error occurs, because of the selected configuration.

Is this behavior normal/intentional? Or is there actually an error (in the config)?

BTW: sry for the german screenshots

[kwart]

The problem is in hash algorithm requirements. Look at

• https://github.com/intoolswetrust/jsignpdf/blob/JSignPdf_2_0_0/jsignpdf/src/main/java/net/sf/jsignpdf/SignerLogic.java#L181-L194
• https://github.com/intoolswetrust/jsignpdf/blob/JSignPdf_2_0_0/jsignpdf/src/main/java/net/sf/jsignpdf/types/HashAlgorithm.java#L40-L41

So here are the required versions for given algorithm names:

• SHA-1: PDF 1.3
• SHA-256: PDF 1.6
• SHA-384, SHA-512, RIPEMD160: PDF 1.7

[dog42]

@kwart Thank you for the explanation. I have now also found the requirements at Adobe.

[deltazero-cz]

Hi everyone, I can't seem to get LTV going. Using version 2.2.0 on Mac, input file is PDF-1.7.

java -jar jsignpdf-2.2.0/JSignPdf.jar \
  --keystore-type PKCS12 \
  --keystore-file cert.p12 \
  --keystore-password '...' \
  --hash-algorithm SHA512 \
  --tsa-server-url http://tsa.izenpe.com \
  --tsa-hash-algorithm SHA512 \
  --ocsp \
  file.pdf

With or without --crl (huge file), --ocsp or --append, as suggested here before, Acrobat always sees the signature as valid, timestamped, but not LTV enabled.

What am I doing wrong? My CA should support OCSP, not sure wether my cert.p12 does, and I don't know how to check.

Thanks a lot for your help :-)
Love your work

[deltazero-cz]

Hi everyone, just wanted to drop here a little update on LTVs.

Since my previous post, I've discovered that documents signed with using both TSA and CRL are seen as LTV enabled by Acrobat Pro DC. But app has to be freshly started. In other words, if Acrobat opens an unsuccessful attempt on LTV first, it messes up its CRL cache.

Anyways, LTV works for me with CRL. No luck with OCSP, tho.

Cheers!

[tribly]

No matter what combinations I try, Adobe Reader won't rezognize my signatures as LTV enabled.

Last combination was:
jsignpdf: 2.2
pdf version: 1.7
append signature to existing one: check
hash algo: sha512
TSA url: http://zeitstempel.dfn.de
TSA hash algo: sha512
OSCP: check
CLR: check

[JohnPlanetary]

I have no trouble in having the signature LTV enabled
test_signed.pdf
In the example you will need to manually add my self made certificate to your PDF reader in order for it to recognize the certificate as valid and LTV enabled.

Experiment the following tips:

1. In the first (1) signature disable the option "append signature to existing one".
   If you need to add another certificate signature to the same PDF, re-enable the option "append signature to existing one"... these option needs to be activated starting the second signature on forward, but leave it disable when you sign the PDF file the first time.

2. In the certification level use "Not certified", or the option "Form filling allowed" (to allow add new certificate signatures, or update the CRL/ OCSP values for example on Adobe Acrobat Reader).

3. Make sure JSignPDF and the Java program you are using both have Internet access because that is needed to get the CRL and the OCSP values of the certificate, and to get the TimeStamp certificate from the independent Authority.

4. While DFN timestamp is working (at the time of my writing) you may need to mess with the options to make the PDF reader to recognize it, since it doesn't came active in at least Adobe Acrobat Reader by default.
   Your can try:
   https://timestamp.sectigo.com
   If you want it to be recognized world wide.
   or:
   https://timestamp.sectigo.com/qualified
   If you need it to be recognized in European Union.

[tribly]

@JohnPlanetary
Thank you for your answer, I've been able to get a valid LTV Signature by using the https://timestamp.sectigo.com/ server. But I have to disable OCSP and Acrobat is still telling me

The signature includes an embedded timestamp but it could not be verified.

I thought it had something to do with the hash algorithm, but every combination gives the same result.

Edit: Ok, it seems like the sectigo timestamp server isn't supported by Adobe (https://helpx.adobe.com/sign/config/time-stamp-settings/overview.html), using the one from DigiCert (https://knowledge.digicert.com/generalinformation/INFO4231.html) works. But still only without OCSP.