Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

PDF Signature with timestamping from TSA

Tags:

pdf

electronic-signature

We are trying to embed Timestamp signature as a unsigned attribute in CMS format but after stamping signature in PDF, PDF viewer giving the signature includes an embeded timestamp but it is invalid message.

Adobe PDF Message

enter image description here

We have used internal TSA service (self sigined) TSA and bouncy castle API for crypto and signing operations. But don't know what is happening with timestamp. Could anyone know what is wrong I am doing.

hello_signed.pdf Also added Java code base and signed pdf sample for reference.

Any help would be appreciated.

like image 945
Nikhil Wankhade Avatar asked Jan 30 '26 09:01

Nikhil Wankhade

2 Answers

There is an issue in the TSTInfo structure, its tsa member is

C = IN,S = MH,L = NSDL,O = NSDL,OU = NSDL,CN = NSDL,E = [email protected]

but your TSA certificate has the inverse subject

E = [email protected],CN = NSDL,OU = NSDL,O = NSDL,L = NSDL,S = MH,C = IN

According to RFC 3161, the purpose of the tsa field is to give a hint in identifying the name of the TSA. If present, it MUST correspond to one of the subject names included in the certificate that is to be used to verify the token.

Thus, an attentive validator cannot use the certificate you supplied for verifying the time stamp.

I don't know whether that's the only issue but it's definitively a show-stopper.

like image 170
mkl Avatar answered Feb 01 '26 01:02

mkl

This means Acrobat cannot find the certificate used to create the timestamp. Looking at the ASN.1 decode for your PDF signature CMS, it looks like you haven't requested the Timestamp Authority's certificate in the request (search for timeStampToken to take you to the appropriate section of the CMS). In Bouncy Castle this is achieved by calling SetCertReq(true) on the TimeStampRequestGenerator instance as follows:

        TimeStampRequestGenerator reqGenerator = new TimeStampRequestGenerator();
        // Request the server to also include the signing certificate:
        reqGenerator.SetCertReq(true);

When this is set the Timestamping Authority will include the certificate, or more usually the timestamping certificate and its chain, as signed attribute(s) in the SignedCms of the actual timestamp.

To confirm that the certificate is included in the response you can write the timestamping authority's response to a text file as a hex string and decode it using this website https://lapo.it/asn1js/.

like image 21
Peter G Avatar answered Feb 01 '26 01:02

Peter G

Sign in to Comment

Related questions

Junit report as PDF, preferably with Maven
How do I programmatically access files in Windows Phone 7's Office Hub / Extend the Office Hub

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!