LTV enabling signatures in PDF
As far as I know, there are two ways to do this:
- adding a DSS dictionary
- embedding CRLs or OCSP responses in the signature at signing time
The DSS way seems to work; Adobe recognises the signature as LTV-enabled. The second way suits our application better, so I am still trying to get it working. I ran into problems adding OCSP responses to the signature, so I tried adding only certificates and CRLs. Correct me if I am wrong, but as far as I know either CRLs or OCSP responses should be added to the signature. Is there any need for both? I collect the signing certificate and its root certificate, and also the TSA certificate and its root certificate. After that I fetch all the CRLs. All of this is added before signing and timestamping. Adding only certificates and CRLs does not seem to work, since Adobe does not recognise the signature as LTV-enabled. I really do not understand what I am doing wrong, so thanks for any help!
import org.bouncycastle.cert.jcajce.JcaCRLStore;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.util.Store;
// crls: the fetched X509CRL objects; certList: signer, TSA and root certificates; gen: CMSSignedDataGenerator
Store crlStore = new JcaCRLStore(crls);
gen.addCRLs(crlStore);
Store certStore = new JcaCertStore(certList);
gen.addCertificates(certStore);
What you are doing wrong is putting the CRLs into the CMS signature container element usually used for CRLs. In the case of integrated PDF signatures, though, things are different; here the CRLs are supposed to be in a special signed attribute.
Look at ISO 32000-1, which specifies this attribute:
The PKCS#7 object should contain the following:
...
- Revocation information as a signed attribute (PDF 1.6): This attribute may include all the revocation information that is necessary to carry out revocation checks for the signer's certificate and its issuer certificates. Since revocation information is a signed attribute, it must be obtained before the computation of the digital signature. This means that the software used by the signer must be able to construct the certification path and the associated revocation information. If one of the elements cannot be obtained (e.g. no connection is possible), a signature with this attribute will not be possible.
...
12.8.3.3.2 Revocation Information
The adbe Revocation Information attribute:
adbe-revocationInfoArchival OBJECT IDENTIFIER ::=
{ adbe(1.2.840.113583) acrobat(1) security(1) 8 }
The value of the revocation information attribute can include any of the following data types:
- Certificate Revocation Lists (CRLs), described in RFC 3280 (see the Bibliography): CRLs are generally large and therefore should not be embedded in the PKCS#7 object.
- Online Certificate Status Protocol (OCSP) Responses, described in RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol — OCSP (see the Bibliography): These are generally small and constant in size and should be the data type included in the PKCS#7 object.
- Custom revocation information: The format is not prescribed by this specification, other than that it be encoded as an OCTET STRING. The application should be able to determine the type of data contained within the OCTET STRING by looking at the associated OBJECT IDENTIFIER.
adbe's Revocation Information attribute value has ASN.1 type RevocationInfoArchival:
RevocationInfoArchival ::= SEQUENCE {
crl [0] EXPLICIT SEQUENCE of CRLs, OPTIONAL
ocsp [1] EXPLICIT SEQUENCE of OCSP Responses, OPTIONAL
otherRevInfo [2] EXPLICIT SEQUENCE of OtherRevInfo, OPTIONAL
}
OtherRevInfo ::= SEQUENCE {
Type OBJECT IDENTIFIER
Value OCTET STRING
}
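As an added illustration (this is not code from the question or from the answer above), here is how the adbe-revocationInfoArchival attribute from the quoted definition can be built with Bouncy Castle and attached to the signer as a signed attribute. The class and method names are this example's own; the CRLs are assumed to be java.security.cert.X509CRL objects and the OCSP responses DER-encoded OCSPResponse structures that the caller has already fetched, since a signed attribute has to be complete before the digest is computed.

```java
// Added example, not part of the original question or answer. Builds the
// adbe-revocationInfoArchival signed attribute (ISO 32000-1, 12.8.3.3.2) and
// wires it into a Bouncy Castle SignerInfoGenerator. Inputs are assumed to have
// been fetched by the caller before signing.
import java.security.PrivateKey;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.List;

import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.x509.CertificateList;
import org.bouncycastle.cms.DefaultSignedAttributeTableGenerator;
import org.bouncycastle.cms.SignerInfoGenerator;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

public final class RevocationInfoArchivalExample {

    /** adbe-revocationInfoArchival ::= { adbe(1.2.840.113583) acrobat(1) security(1) 8 } */
    public static final ASN1ObjectIdentifier ADBE_REVOCATION_INFO_ARCHIVAL =
            new ASN1ObjectIdentifier("1.2.840.113583.1.1.8");

    /**
     * Encodes RevocationInfoArchival as quoted from the specification:
     *   crl  [0] EXPLICIT SEQUENCE OF CertificateList OPTIONAL
     *   ocsp [1] EXPLICIT SEQUENCE OF OCSPResponse    OPTIONAL
     * otherRevInfo [2] is not used here. An empty input list is simply left out
     * of the SEQUENCE instead of being encoded as an empty tagged element.
     */
    public static Attribute buildRevocationInfoArchival(List<X509CRL> crls,
            List<byte[]> ocspResponsesDer) throws Exception {
        ASN1EncodableVector archival = new ASN1EncodableVector();

        if (crls != null && !crls.isEmpty()) {
            ASN1EncodableVector crlSeq = new ASN1EncodableVector();
            for (X509CRL crl : crls) {
                // Re-parse the DER so the entry is the ASN.1 CertificateList structure.
                crlSeq.add(CertificateList.getInstance(crl.getEncoded()));
            }
            archival.add(new DERTaggedObject(true, 0, new DERSequence(crlSeq)));
        }

        if (ocspResponsesDer != null && !ocspResponsesDer.isEmpty()) {
            ASN1EncodableVector ocspSeq = new ASN1EncodableVector();
            for (byte[] der : ocspResponsesDer) {
                // Each entry is the full OCSPResponse (RFC 2560), not only the
                // BasicOCSPResponse carried inside it.
                ocspSeq.add(OCSPResponse.getInstance(der));
            }
            archival.add(new DERTaggedObject(true, 1, new DERSequence(ocspSeq)));
        }

        // Attribute values are a SET; the single value is the RevocationInfoArchival SEQUENCE.
        return new Attribute(ADBE_REVOCATION_INFO_ARCHIVAL, new DERSet(new DERSequence(archival)));
    }

    /**
     * Creates a SignerInfoGenerator whose signed attributes are the Bouncy Castle
     * defaults (contentType, messageDigest, signingTime) plus the archival attribute.
     */
    public static SignerInfoGenerator signerInfoWithRevocationInfo(PrivateKey key,
            X509Certificate signerCert, Attribute revocationInfo) throws Exception {
        ASN1EncodableVector attrs = new ASN1EncodableVector();
        attrs.add(revocationInfo);
        AttributeTable extra = new AttributeTable(attrs);

        // "SHA256withRSA" is an assumption for this example; use the key's real algorithm.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
        return new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                .setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator(extra))
                .build(signer, signerCert);
    }
}
```

With this in place, gen.addSignerInfoGenerator(signerInfoWithRevocationInfo(key, signerCert, buildRevocationInfoArchival(crls, ocspList))) replaces the gen.addCRLs(crlStore) call from the question; the certificates can still be added with gen.addCertificates(certStore). Because the attribute is signed, every CRL or OCSP response has to be fetched before the digest is computed, which is exactly the constraint the quoted text describes, and a verifier can check that the revocation data was covered by the signature rather than attached afterwards.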