
I have digitally signed a PDF using a digital token attached to the PC, using the library iTextSharp to append the signature. When I open the PDF in Adobe Reader it shows "revocation cannot be performed", and when I look at the details it shows that the revocation of one of the issuer certificates is not checked, with the error: error encountered while BER decoding.

path to my plain signed pdf: https://www.sendspace.com/file/vqgl53

As a solution I thought that if I could add the CRL information itself to the document (my plain signed PDF) then I would not face this problem. So I added the code mentioned in this answer: I want to sign a pdf document with ITextSharp and return ltv pdf enabled file

but I am getting an exception on the line: addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));

in the sub-method getCrlHashKey on its first line: X509Crl crl = new X509Crl(CertificateList.GetInstance(crlBytes));

Exception says :

Unknown object in GetInstance: Org.BouncyCastle.Asn1.DerApplicationSpecific Parameter name: obj

Kindly suggest further.

Jubin Justifies
  • The exception appears to indicate that the CRL is broken (or in a non-standard format - which one could call a broken design), so something the provider in question has to fix. I'll look at the example document later. – mkl Jun 05 '19 at 11:23



Extending AdobeLtvEnabling

The cause of the exception is that for one certificate the associated CRL is base64 encoded, which the AdobeLtvEnabling class does not expect (the expectation here is to retrieve a binary version, no decoding required).

You can extend the AdobeLtvEnabling as follows to also be able to handle base64 encoded CRLs: search the AdobeLtvEnabling method addLtvForChain and replace the CRL handling loop

Console.WriteLine("  with {0} CRLs\n", crl.Count);
foreach (byte[] crlBytes in crl)
{
    validationData.crls.Add(crlBytes);
    addLtvForChain(null, ocspClient, crlClient, getCrlHashKey(crlBytes));
}

with this:

Console.WriteLine("  with {0} CRLs\n", crl.Count);
foreach (byte[] crlBytes in crl)
{
    PdfName hashKey = null;
    byte[] bytes = null;
    try
    {
        // First assume the CRL is binary DER, as RFC 5280 requires.
        hashKey = getCrlHashKey(crlBytes);
        bytes = crlBytes;
    }
    catch (Exception e)
    {
        // BouncyCastle could not parse the bytes as a CertificateList; assume the
        // CA served the DER CRL as Base64 text, decode it and hash the decoded DER.
        // If this decoding fails as well, the exception propagates: the CRL really is broken.
        Console.WriteLine("  CRL decoding exception, assuming Base64 encoding, trying to decode - {0}\n", e.Message);
        bytes = Convert.FromBase64String(new String(Encoding.Default.GetChars(crlBytes)));
        hashKey = getCrlHashKey(bytes);
    }
    // Embed the decoded DER form, never the Base64 text.
    validationData.crls.Add(bytes);
    addLtvForChain(null, ocspClient, crlClient, hashKey);
}

Your signature, though

While revocation checking of the other non-root certificates in question now refers to embedded CRLs, for one certificate there still is an issue: the revocation tab for "SafeScrypt sub-CA for RCAI Class 2 2014 (SAFESCRYPTONLINE_15)" in Adobe Reader shows

CRL processing error
Issuer: cn=SafeScrypt CA 2014, houseIdentifier=II Floor, Tidel Park, street=No.4, Rajiv Gandhi Salai, Taramani, Chennai, st=Tamil Nadu, postalCode=600 113, ou=Certifying Authority, o=Sify Technologies Limited, c=IN
This update: 20180303183000Z
Next update: 20190303182959Z
CRL has expired or is not yet valid

Indeed, a CRL with a next update value of 20190303182959Z is expired and, therefore, cannot be used now for validation without appropriate POEs. So indeed, Adobe Reader is completely correct in stating that based on that CRL (currently served by the PKI) it cannot determine non-revocation.

But could it from other information? Well, there is an AIA attribute in the certificate for an OCSP responder that could alternatively be used. But an attempt to use it fails, http://ocsp.safescrypt.com currently accepts no requests. So this is no actual alternative.

All in all this makes the quality of service of this CA appear questionable. If this state continues, you might want to switch to a different CA.

mkl
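The two defects the answer describes, a CRL served as Base64 text instead of DER (the BER decoding error) and a CRL whose next update date has already passed (the "CRL has expired" message), can both be checked before anything is embedded into the PDF. The following is an added example in Python, not code from the question, the answer, iTextSharp or AdobeLtvEnabling: it sniffs the encoding of a CRL blob, normalises it to DER, and reads thisUpdate/nextUpdate with a minimal DER reader. The sample CRL is constructed inside the block, reusing the validity dates Adobe Reader displayed above and a dummy signature; it is not a real SafeScrypt CRL and its signature is not verifiable.

```python
"""Normalise a CRL that may arrive as raw DER, bare Base64 or PEM, then read its
validity window. Added example; not iTextSharp's or AdobeLtvEnabling's code."""
import base64
import re
from datetime import datetime, timezone

# ASN.1 tags needed for the outer structure of an RFC 5280 CertificateList.
SEQUENCE, SET, INTEGER, BITSTRING, NULL, OID, PRINTABLE, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x13, 0x17, 0x18)


def _encode_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    return bytes([tag]) + _encode_len(len(content)) + content


def read_tlv(buf):
    """Return (tag, value, remaining) for the first TLV in buf (definite lengths only)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[2:2 + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], buf[pos + length:]


PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)


def normalise_crl(raw):
    """Return (encoding_name, der_bytes). A DER CertificateList always starts with a
    SEQUENCE tag (0x30); Base64 of such data starts with 'M', so the first byte is
    enough to tell them apart. Anything else is tried as PEM, then as bare Base64."""
    if raw[:1] == b"\x30":
        return "der", bytes(raw)
    m = PEM_RE.search(raw)
    if m:
        decoded = base64.b64decode(b"".join(m.group(1).split()))
        if decoded[:1] == b"\x30":
            return "pem", decoded
    try:
        decoded = base64.b64decode(b"".join(raw.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        decoded = b""
    if decoded[:1] == b"\x30":
        return "base64", decoded
    raise ValueError("not a DER, PEM or Base64 encoded CRL")


def _parse_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ, RFC 5280 4.1.2.5.1) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == UTCTIME:
        yy = int(text[:2])
        text = ("19" if yy >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(der_bytes):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280 5.1)."""
    tag, cert_list, _ = read_tlv(der_bytes)
    if tag != SEQUENCE:
        raise ValueError("CertificateList must be a SEQUENCE")
    tag, tbs, _ = read_tlv(cert_list)
    if tag != SEQUENCE:
        raise ValueError("tbsCertList must be a SEQUENCE")
    tag, value, rest = read_tlv(tbs)
    if tag == INTEGER:                 # optional version, present for v2 CRLs
        tag, value, rest = read_tlv(rest)
    tag, value, rest = read_tlv(rest)  # skip issuer Name (value was the AlgorithmIdentifier)
    tag, value, rest = read_tlv(rest)  # thisUpdate
    this_update = _parse_time(tag, value)
    next_update = None
    if rest and rest[0] in (UTCTIME, GENTIME):
        tag, value, rest = read_tlv(rest)
        next_update = _parse_time(tag, value)
    return this_update, next_update


def crl_status(raw, now):
    """now: an aware datetime, or an ISO-8601 string interpreted as UTC."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    encoding, der_bytes = normalise_crl(raw)
    this_update, next_update = crl_validity(der_bytes)
    usable = this_update <= now and (next_update is None or now <= next_update)
    return {"encoding": encoding, "this_update": this_update,
            "next_update": next_update, "usable": usable}


def build_sample_crl():
    """Constructed sample, NOT a real SafeScrypt CRL: the validity window reuses the
    dates shown in Adobe Reader above; the signature is a dummy zero bit string."""
    sha256_rsa = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
    cn = der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(PRINTABLE, b"SafeScrypt CA 2014"))
    issuer = der(SEQUENCE, der(SET, cn))
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + sha256_rsa + issuer
              + der(UTCTIME, b"180303183000Z") + der(UTCTIME, b"190303182959Z"))
    return der(SEQUENCE, tbs + sha256_rsa + der(BITSTRING, b"\x00" * 33))


SAMPLE_DER = build_sample_crl()
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)   # the Base64-text form a CA might serve (constructed)
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + SAMPLE_B64 + b"-----END X509 CRL-----\n"

if __name__ == "__main__":
    for label, blob in (("der", SAMPLE_DER), ("base64", SAMPLE_B64), ("pem", SAMPLE_PEM)):
        print(label, crl_status(blob, "2019-06-05"))   # date of the question
```

All three encodings normalise to the same DER bytes, and with the question's date as "now" the constructed CRL is reported as unusable because its nextUpdate lies in the past. Applied to the C# loop above, the equivalent defender-side step is to decode to DER before calling getCrlHashKey and to log any CRL whose next update has already passed, since embedding such a CRL does not let the validator establish non-revocation.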
  • I updated my code as per your answer; the error is resolved and the exception is handled, but the main goal was to append CRL data to the PDF so that it does not show "identity unknown" in Adobe Reader when I open it. After adding your code, final signed PDF: https://www.sendspace.com/file/0zlpxq , it is still showing identity unknown. – Urmi_VV_Developer Jun 06 '19 at 07:01
  • In your question you said the problem was *"in adobe reader it shows revocation can not be performed"*, now you say *"that it should not show identity unknown"*. These are two totally different issues! – mkl Jun 06 '19 at 07:50
  • No, the reason behind "Identity unknown" is that in Adobe Reader it shows "revocation can not be performed" - these 2 problems are interconnected. Please help me in resolving the same or correct me if I am wrong. – Urmi_VV_Developer Jun 06 '19 at 07:55
  • Well, if you look into the details (Certificate Viewer, select SAFESCRYPTONLINE_15, tab Revocation, "Problems encountered...", tab "Text View"), you'll read "This update: 20180303183000Z Next update: 20190303182959Z CRL has expired or is not yet valid". Thus, the CRL provided by SafeScrypt for that CA certificate has only been valid until March this year. Thus, embedding now doesn't help, instead ask SafeScrypt to bring their infrastructure up to date. – mkl Jun 06 '19 at 08:40
  • Thanks for your help, I am able to add LTV. Can you please help me understand how to add a certificate-provisioned timestamp while enabling LTV? Refer to this screenshot: https://www.zeta-uploader.com/en/307710765 – Urmi_VV_Developer Dec 23 '19 at 11:04
  • *"Can you please help in understanding that how to add certificate provisioned timestamp while enabling LTV."* - Adobe LTV enabling does not require a timestamp, at least not according to the information I have seen about it. Thus, time stamping won't happen *while enabling LTV*. – mkl Dec 23 '19 at 16:30
  • I have added this code before the signature, `var url = "http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23"; var tsc = new TSAClientBouncyCastle(url, null, null, 4096, "SHA-512"); MakeSignature.SignDetached(signatureAppearance, signature, chain, null, null, tsc, 0, CryptoStandard.CADES);` - This embeds the timestamp, but then while adding LTV, on this line `PdfPKCS7 pdfPKCS7 = fields.VerifySignature(name);` it throws an exception. – Urmi_VV_Developer Dec 24 '19 at 06:35
  • Please make that a question in its own right, include the stack trace of the exception in question, and share example pdfs. During the Christmas holidays I'm hardly ever at a PC, mostly only on smart phone. An actual answer by me based on a deep analysis, therefore, likely will take some time. – mkl Dec 24 '19 at 09:00
  • this is newly posted question on above matter : https://stackoverflow.com/questions/59469148/add-timestamp-for-hardware-token-digital-signature-and-adding-ltv-not-working , Thanks. – Urmi_VV_Developer Dec 24 '19 at 12:55