DSSException: Revocation data is missing

I'm using DSS to sign Pdf documents. I need these docs to be timestamped and LTV enabled (PAdES LTV enabled).

I'm running into some issues regarding the Revocation data.

I'm kinda new to this domain so bear with me.

I'm following the instructions and demos provided by DSS itself but to no avail.

I've been successful in signing Pdf's using PAdES B and PAdES T, so I have my TSA service setup correctly.

The problem I'm running into is that every time I try to sign a Pdf using LTV I get the following error: "eu.europa.esig.dss.DSSException: Revocation data is missing" and I can't figure out why... This exception is thrown when calling "service.signDocument(...)", and right after, debugging says

"eu.europa.esig.dss.validation.SignatureValidationContext - No revocation data found for certificate : (...)".

This is my main signing method:

public void createSignature(KeyStore ks, Properties props, File inFile, File outFile, String extraName, boolean visible) throws GeneralSecurityException, IOException {
    PAdESSignatureParameters params = new PAdESSignatureParameters();

    DSSDocument toSignDocument = new FileDocument(inFile);
    DSSDocument signedDocument;

    try (Pkcs12SignatureToken token = new Pkcs12SignatureToken(
            props.getKeystore(), new KeyStore.PasswordProtection(props.getPassword()))) {

        List<DSSPrivateKeyEntry> keys = token.getKeys();

        params.setDigestAlgorithm(DigestAlgorithm.SHA256);
        params.setSigningCertificate(keys.get(0).getCertificate());
        params.setCertificateChain(keys.get(0).getCertificateChain());
        params.setSignatureLevel(props.signatureProperties().getSignatureLevel());

        CertificateVerifier verifier = new CommonCertificateVerifier();
        PAdESService service = new PAdESService(verifier);
        DataLoader dataLoader = new CommonsDataLoader();
        OnlineTSPSource onlineTSPSource;

        verifier.setTrustedCertSource(new TrustedListsCertificateSource());
        verifier.setCrlSource(onlineCRLSource());
        verifier.setOcspSource(ocspSource());
        verifier.setDataLoader(dataLoader());
        onlineTSPSource = new OnlineTSPSource(TSA_URL);
        onlineTSPSource.setDataLoader(new CommonsDataLoader("application/timestamp-query"));
        onlineTSPSource.setPolicyOid(POLICY_ID);
        service.setTspSource(onlineTSPSource);

        ToBeSigned dataToSign = service.getDataToSign(toSignDocument, params);

        DigestAlgorithm digestAlgorithm = params.getDigestAlgorithm();
        SignatureValue signValue = token.sign(dataToSign, digestAlgorithm, keys.get(0));

        signedDocument = service.signDocument(toSignDocument, params, signValue);
        signedDocument.save(outFile.getCanonicalPath());

    } catch (IOException e) {
        e.printStackTrace();
    }
}

Some minor helper methods:

private OnlineCRLSource onlineCRLSource() {
    OnlineCRLSource onlineCRLSource = new OnlineCRLSource();
    onlineCRLSource.setDataLoader(dataLoader());
    return onlineCRLSource;
}

private OnlineOCSPSource ocspSource() {
    OnlineOCSPSource onlineOCSPSource = new OnlineOCSPSource();
    onlineOCSPSource.setDataLoader(ocspDataLoader());
    return onlineOCSPSource;
}

private OCSPDataLoader ocspDataLoader() {
    OCSPDataLoader ocspDataLoader = new OCSPDataLoader();
    ocspDataLoader.setContentType("application/ocsp-response");
    ocspDataLoader.setProxyConfig(null);
    return ocspDataLoader;
}

private CommonsDataLoader dataLoader() {
    CommonsDataLoader dataLoader = new CommonsDataLoader();
    dataLoader.setProxyConfig(null);
    return dataLoader;
}

Relevant Maven dependencies:

<dependency>
    <groupId>com.github.librepdf</groupId>
    <artifactId>openpdf</artifactId>
    <version>1.2.21</version>
</dependency>

<dependency>
    <groupId>org.digidoc4j.dss</groupId>
    <artifactId>dss-pades-openpdf</artifactId>
    <version>5.4.d4j.1</version>
</dependency>

<dependency>
    <groupId>org.digidoc4j</groupId>
    <artifactId>digidoc4j</artifactId>
    <version>3.2.0</version>
</dependency>

Asfourhundred asked Jul 29 '19 09:07


1 Answer

Although this is an old question, in case someone stumbles on the same issue: when using a test TSA without revocation data, you must add verifier.setCheckRevocationForUntrustedChains(true). This is included in the DSS example eu.europa.esig.dss.cookbook.example.sign.SignXmlXadesLTTest.

EliasSp answered Sep 22 '22 07:09
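
An added diagnostic, not part of either post and not DSS code: before changing verifier settings, it helps to know which certificate the "No revocation data found for certificate" log line is about and whether that certificate points at a CRL or OCSP responder at all. The class below uses only the JDK; the class name and the input file (a PEM/DER export of the signer chain or of the TSA certificate) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic, JDK only (not DSS code): reports revocation pointers per certificate.
public class RevocationPointerCheck {
    static final String CRL_DP_OID = "2.5.29.31";       // cRLDistributionPoints (RFC 5280)
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";  // authorityInfoAccess (RFC 5280)
    // DER encoding of id-ad-ocsp (1.3.6.1.5.5.7.48.1); an AIA may list only caIssuers instead.
    static final byte[] OCSP_METHOD = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};

    // Byte-wise substring search; a null haystack means the extension is absent.
    static boolean contains(byte[] haystack, byte[] needle) {
        if (haystack == null) return false;
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    static boolean hasCrlPointer(X509Certificate c) { return c.getExtensionValue(CRL_DP_OID) != null; }
    static boolean hasOcspPointer(X509Certificate c) { return contains(c.getExtensionValue(AIA_OID), OCSP_METHOD); }
    static boolean isSelfIssued(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    static String describe(X509Certificate c) {
        String verdict = isSelfIssued(c) ? "self-issued, revocation not expected"
                : (hasCrlPointer(c) || hasOcspPointer(c)) ? "revocation pointer present"
                : "no CRL or OCSP pointer";
        return c.getSubjectX500Principal().getName() + " | CRL=" + hasCrlPointer(c)
                + " OCSP=" + hasOcspPointer(c) + " | " + verdict;
    }

    public static void main(String[] args) throws Exception {
        // args[0] (assumed input): PEM/DER file with the signer chain or the TSA certificate.
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                System.out.println(describe((X509Certificate) c));
            }
        }
    }
}
```

A non-root certificate reported with "no CRL or OCSP pointer" gives an online CRL or OCSP source no URL to query, which matches the test-TSA situation the answer describes.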