
I have been working with iText and GlobalSign to do digital signatures and certification on PDF files for the past few months and am stuck with one problem.

When I just do signing on the PDF and then try to enable LTV, it works perfectly without any problem, but when I do certification signing and then try to enable LTV, it enables LTV and shows "Changes have been made to this document that are permitted by the certifying party".

Final Output after sign and LTV enabling:

What I want is that after enabling LTV with certification the PDF should display "Document has not been modified since this signature was applied".

I have tried to add crlbytes to the signature, but it doesn't work.

The code used to add the signature to the document:

```csharp
using (FileStream os = new FileStream(dest, FileMode.CreateNew))
{
    PdfReader reader = new PdfReader(src);
    IExternalSignatureContainer external = new MyExternalSignatureContainer(sig);
    MakeSignature.SignDeferred(reader, fieldname, os, external);
}
```

The code used to add the LTV to the document:

```csharp
// ocsp (IOcspClient) and crl (ICrlClient) are assumed to be created elsewhere.
using (FileStream fos = new FileStream(dest, FileMode.CreateNew))
{
    PdfReader r = new PdfReader(src);
    // '\0' keeps the PDF version; true = append mode (incremental update)
    PdfStamper stp = new PdfStamper(r, fos, '\0', true);
    LtvVerification v = stp.LtvVerification;
    AcroFields fields = stp.AcroFields;
    List<String> names = fields.GetSignatureNames();
    String sigName = names[names.Count - 1];
    PdfPKCS7 pkcs7 = fields.VerifySignature(sigName);
    if (pkcs7.IsTsp)
    {
        v.AddVerification(sigName, ocsp, crl,
                LtvVerification.CertificateOption.SIGNING_CERTIFICATE,
                LtvVerification.Level.OCSP_CRL,
                LtvVerification.CertificateInclusion.YES);
    }
    else
    {
        foreach (string name in names)
        {
            v.AddVerification(name, ocsp, crl,
                    LtvVerification.CertificateOption.WHOLE_CHAIN,
                    LtvVerification.Level.OCSP_CRL,
                    LtvVerification.CertificateInclusion.NO);
        }
    }

    stp.Close();
    r.Close();
}
```

Is there any way to make the certifying signature LTV enabled and have the message displayed on the PDF as "Document has not been modified since this signature was applied"?

Edited:

I have tried the code below as well, but it doesn't work.

```csharp
X509Certificate[] mObjX509CertChain = GlobalSignAPI.CreateChain(mStrSigningCertificate, mStrCACertificate);

ICollection<byte[]> crlBytes = new List<byte[]>
{
    mObjX509CertChain[0].GetEncoded(),
    mObjX509CertChain[1].GetEncoded()
};
byte[] mObjBEncodedPKCS7 = mObjPKCS7.GetEncodedPKCS7(mObjByteHash, mObjTSAClient, mObjByteOC, crlBytes, CryptoStandard.CADES);
```
  • I don't understand why you would want the document to say "Document has not been modified since this signature was applied" when you are clearly adding a DSS, which is a change "permitted by the certifying party." If you don't add the LTV information while applying the signature with your `MyExternalSignatureContainer` implementation, adding a DSS is the only way to get LTV. – Bruno Lowagie May 14 '18 at 11:10
  • Thank you Bruno Lowagie for the quick reply. Is there any sample code available to add LTV information while applying the signature? I have searched but I didn't find anything. – Jitendra Bhargava May 14 '18 at 11:19
  • I think there is, but I'd have to search myself. Please continue searching. It's just a matter of adding the full certificate chain, OCSP information, etc. – Bruno Lowagie May 14 '18 at 11:47
  • @JitendraBhargava Concerning your edit: You initialize a list for CRLs (`crlBytes`) with certificates (`mObjX509CertChain[0]...`). That doesn't fit. – mkl May 14 '18 at 21:35
  • @mkl What should I initialize crlbytes with? Can you help me with this? I got the reference from https://stackoverflow.com/questions/38856382/ltv-of-certifying-signatures for crlbytes – Jitendra Bhargava May 15 '18 at 05:38
  • *" I got reference from ... for crlbytes"* - Well, but there CRLs for certificates are retrieved and put into `crlBytes` while you put the certificates themselves into `crlBytes`. – mkl May 15 '18 at 12:41
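
The comments above say that revocation information can be added while the signature is applied and that `crlBytes` must hold CRLs rather than certificates. The following is an added example of that, not code from the question or from iText. It assumes iTextSharp 5.5.x (matching the five-argument `GetEncodedPKCS7` call in the question) and an RSA key; `EmbeddedRevocationInfo`, `CollectCrls`, `BuildContainer` and the `signAttributes` callback (standing in for the remote signing call) are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using iTextSharp.text.pdf.security;
using Org.BouncyCastle.X509;

public static class EmbeddedRevocationInfo
{
    // Collects CRLs for every certificate in the chain (chain[0] = signer),
    // dropping duplicates. The entries are CRLs, never the certificates themselves.
    public static ICollection<byte[]> CollectCrls(X509Certificate[] chain, ICrlClient crlClient)
    {
        var seen = new HashSet<string>();
        var crls = new List<byte[]>();
        foreach (X509Certificate cert in chain)
        {
            // null URL: the client picks the URL itself
            // (CrlClientOnline uses the certificate's CRL distribution point).
            ICollection<byte[]> found = crlClient.GetEncoded(cert, null);
            if (found == null) continue;
            foreach (byte[] crl in found)
                if (seen.Add(Convert.ToBase64String(crl))) crls.Add(crl);
        }
        return crls.Count > 0 ? crls : null;
    }

    // signAttributes: hypothetical callback returning the raw signature over the bytes it is given.
    public static byte[] BuildContainer(PdfPKCS7 sgn, byte[] hash, X509Certificate[] chain,
        ICrlClient crlClient, IOcspClient ocspClient, ITSAClient tsaClient,
        Func<byte[], byte[]> signAttributes)
    {
        ICollection<byte[]> crlBytes = CollectCrls(chain, crlClient);
        // OCSP response for the signer certificate, checked against its issuer.
        byte[] ocsp = chain.Length > 1
            ? ocspClient.GetEncoded(chain[0], chain[1], null)
            : null;

        // The revocation data is a signed attribute, so the same values are used here ...
        byte[] toSign = sgn.GetAuthenticatedAttributeBytes(hash, ocsp, crlBytes, CryptoStandard.CADES);
        sgn.SetExternalDigest(signAttributes(toSign), null, "RSA"); // "RSA" is an assumption

        // ... and here, when the CMS container is encoded.
        return sgn.GetEncodedPKCS7(hash, tsaClient, ocsp, crlBytes, CryptoStandard.CADES);
    }
}
```

With deferred signing, the signature placeholder reserved in the first pass has to be large enough to hold the added CRLs and OCSP response.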

0 Answers