How to enable LTV for a timestamp signature and set the PDF to "no changes allowed"?


Problem description

I am signing a pdf with digital certificate using iText. Now I can sign, and add LTV, but CertificateLevel can just be:

signatureAppearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_FORM_FILLING_AND_ANNOTATIONS);

I just want to set PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED. The final result should look like this:

// same appearance object as above; iText 5 needs an ExternalDigest/ExternalSignature pair here
signatureAppearance.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
ExternalSignature pks = new PrivateKeySignature(privateKey, DigestAlgorithms.SHA512, "BC");
MakeSignature.signDetached(signatureAppearance, new BouncyCastleDigest(), pks, chain, null, ocspClient, tsaClient, 0, MakeSignature.CryptoStandard.CADES);

If I use the above code to sign and then use AdobeLtvEnabling.java to add LTV, Acrobat's check reports the signature as invalid, because adding LTV modifies a PDF that is marked as not modifiable. So what can I do to achieve the final result?

Solution

To get a result like in your snapshot, i.e. both "No changes are allowed" and "Signature is LTV enabled" without any later signature or document timestamp, you have to

  • either already include all LTV material the Adobe validator requires into your original signed revision
  • or use a signing mode which allows you to append LTV material in spite of no changes being allowed.

Unfortunately the latter variant seems not yet to be properly supported by Adobe Acrobat Reader.

For details see the following sections.

Include all LTV material into the original signed revision

First of all, this is not always possible. If you want to have the LTV material in the original signed revision, it must be part of the signed data, so you have to collect it before signing. In many setups using remote signing services, though, you don't know which signing certificate exactly will be used before actually requesting the signature.

If it is possible, though, i.e. if you know the signing certificate in advance, you can use the class AdobeLtvEnabling from this stack overflow answer to include the information like this:

PdfStamper stamper = PdfStamper.createSignature(...);

AdobeLtvEnabling adobeLtvEnabling = new AdobeLtvEnabling(stamper);
OcspClient ocsp = new OcspClientBouncyCastle();
CrlClient crl = new CrlClientOnline();
adobeLtvEnabling.addLtvForChain(YOUR_SIGNER_CERTIFICATE, ocsp, crl, PdfName.A);
adobeLtvEnabling.outputDss();

[...preparing your signature...]
MakeSignature.signDetached(...);

(CreateSignatureComodo test testCreateLtvNoChangesAllowedCertification)

You might have to make the AdobeLtvEnabling methods addLtvForChain and outputDss public for this, as AdobeLtvEnabling originally wasn't intended to be used like this.

The result:

Use a signing mode which allows appending LTV material but nothing else

Alternatively you can sign your PDF in a way that allows later addition of LTV material in spite of a "no changes allowed" certification.

To start with, it is necessary to make use of a mechanism first specified for PAdES signatures if you want to add LTV material to a PDF after applying the signature it is meant for. While this mechanism has meanwhile been included in ISO 32000-2, it is not available in a plain ISO 32000-1 context. As your screenshot is of Adobe Acrobat, though, that shouldn't be an issue for you.

This mechanism is the document security store (DSS). Both the iText class LtvVerification and the class AdobeLtvEnabling from this stack overflow answer fill such stores in a PDF.

Is it allowed to add these document security stores in spite of a "no changes allowed" certification? — It depends...

If your PDF is a PDF-2.0: yes. ISO 32000-2 characterizes the changes allowed or disallowed by some certification like this:

Changes to a PDF that are incremental updates which include only the data necessary to add DSS’s 12.8.4.3, "Document Security Store (DSS)" and/or document timestamps 12.8.5, "Document timestamp (DTS) dictionary" to the document shall not be considered as changes to the document as defined in the choices below.

(ISO 32000-2, Table 257 — Entries in the DocMDP transform parameters dictionary)

If your PDF is a PDF-1.x with the PAdES extensions enabled: yes. ETSI EN 319 142-1 requires

DocMDP restrictions (see ISO 32000-1 [1], clause 12.8.2.2) shall not apply to incremental updates to a PDF document containing a DSS dictionary and associated VRI, Certs, CRLs and OCSPs.

...

When evaluating the DocMDP restrictions (see ISO 32000-1 [1], clause 12.8.2.2) the presence of a Document Time-stamp dictionary item shall be ignored.

(ETSI EN 319 142-1 V1.1.1, section 5.4 Validation data and archive validation data attributes)

If your PDF is a plain PDF-1.x, though: no!

If you want to use this option and add LTV information after signing, therefore, make sure your originally certified PDF is a PDF-2 or has at least the PAdES extensions enabled.

While iText 5 does not support PDF-2, creating a PAdES style signature with it adds the PAdES extensions.

Thus, if you certify PAdES-style, you should be able to LTV-enable the signature even if the certification is "no changes allowed".

Support by Adobe Acrobat Reader DC 2019.008.20080

Having done some tests extending a no-changes-allowed certified PDF with only LTV information, the PDF being either marked as PDF-1.7 with the appropriate ETSI and Adobe extensions or as PDF-2.0, it appears that Adobe Acrobat supports neither ETSI EN 319 142-1 nor ISO 32000-2 fully yet: in all tests it considered the certification as broken, cf. CreateSignatureComodo test testCreateNoChangesAllowedCertificationAndLtv.

For the time being, therefore, to get a document with LTV enabled no-changes-allowed certification and to have Adobe Acrobat recognize this, one only has the first option above, i.e. including all LTV material into the original signed revision.

A work-around might be to create the certification with form-filling-allowed, then adding LTV information, and then signing with another (approval) signature which changes the document to no-changes-allowed via its field lock dictionary and its FieldMDP transform, cf. CreateSignatureComodo test testCreateCertificationAndLtvAndNoChangesAllowed. As the incremental update of that signature can be removed by a knowledgeable person, though, this is far from perfect.

The result for the work-around:
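As an added example (not the asker's code and not the AdobeLtvEnabling class the answer refers to), the following Java class shows both routes from the answer with plain iText 5.5.x and BouncyCastle calls. certifyWithEmbeddedDss() implements the first option: it fetches OCSP/CRL data for the signer chain, writes a /DSS into the catalog of the revision that is about to be signed, and only then certifies with CERTIFIED_NO_CHANGES_ALLOWED, so no later incremental update is needed. appendLtvAfterwards() implements the second option with iText's own LtvVerification in append mode, which the answer reports Acrobat still flags as a broken certification. Assumptions: the class and method names, the tsaUrl parameter and the leaf-first order of chain are mine; the example writes only the global /Certs, /OCSPs and /CRLs arrays and no /VRI, and it is an assumption, not something this page establishes, that Acrobat accepts that for its LTV check.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;

import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.ocsp.ResponseBytes;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import com.itextpdf.text.DocumentException;
import com.itextpdf.text.pdf.*;
import com.itextpdf.text.pdf.security.*;

// Added example, not the asker's or the answer's code. iText 5.5.x + BouncyCastle.
public class CertifyNoChangesWithLtv {

    static { Security.addProvider(new BouncyCastleProvider()); }

    /**
     * Option 1 from the answer: fetch revocation data for the signer chain FIRST,
     * write it into a /DSS in the catalog, then certify with
     * CERTIFIED_NO_CHANGES_ALLOWED. The DSS is covered by the signature, so no
     * incremental update is needed afterwards. `chain` is assumed leaf-first.
     */
    public static void certifyWithEmbeddedDss(String src, String dest, PrivateKey pk,
            Certificate[] chain, String tsaUrl)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(src);
        PdfStamper stamper = PdfStamper.createSignature(reader, new FileOutputStream(dest), '\0', null, true);
        OcspClient ocsp = new OcspClientBouncyCastle();
        CrlClient crl = new CrlClientOnline(chain);

        PdfArray certs = new PdfArray(), ocsps = new PdfArray(), crls = new PdfArray();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            certs.add(addStream(stamper, cert.getEncoded()));
            if (i == chain.length - 1) break;                 // trust anchor: nothing to check
            X509Certificate issuer = (X509Certificate) chain[i + 1];
            byte[] basicOcsp = ocsp.getEncoded(cert, issuer, null);
            if (basicOcsp != null) {
                ocsps.add(addStream(stamper, asFullOcspResponse(basicOcsp)));
            } else {                                           // no OCSP responder: fall back to CRL
                Collection<byte[]> crlBytes = crl.getEncoded(cert, null);
                if (crlBytes != null) for (byte[] c : crlBytes) crls.add(addStream(stamper, c));
            }
        }
        // Global DSS arrays only, no /VRI (assumption: sufficient for Acrobat's LTV check).
        PdfDictionary dss = new PdfDictionary();
        dss.put(PdfName.CERTS, certs);
        if (ocsps.size() > 0) dss.put(PdfName.OCSPS, ocsps);
        if (crls.size() > 0) dss.put(PdfName.CRLS, crls);
        PdfDictionary catalog = reader.getCatalog();
        catalog.put(PdfName.DSS, dss);
        stamper.markUsed(catalog);                             // make the stamper rewrite the catalog

        PdfSignatureAppearance sap = stamper.getSignatureAppearance();
        sap.setCertificationLevel(PdfSignatureAppearance.CERTIFIED_NO_CHANGES_ALLOWED);
        ExternalSignature pks = new PrivateKeySignature(pk, DigestAlgorithms.SHA512, "BC");
        TSAClient tsa = new TSAClientBouncyCastle(tsaUrl);
        // CADES = PAdES-style signature; iText adds the ESIC extension dictionary for it.
        MakeSignature.signDetached(sap, new BouncyCastleDigest(), pks, chain, null, ocsp, tsa, 0,
                MakeSignature.CryptoStandard.CADES);
    }

    /**
     * Option 2 from the answer: DSS appended in a later incremental update. Allowed by
     * ETSI EN 319 142-1 / ISO 32000-2 for a PAdES file, but the answer reports that
     * Acrobat still flags a no-changes-allowed certification as broken after this.
     */
    public static void appendLtvAfterwards(String signedSrc, String dest, Certificate[] chain)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader reader = new PdfReader(signedSrc);
        PdfStamper stamper = new PdfStamper(reader, new FileOutputStream(dest), '\0', true); // append mode
        LtvVerification v = stamper.getLtvVerification();
        for (String name : stamper.getAcroFields().getSignatureNames()) {
            v.addVerification(name, new OcspClientBouncyCastle(), new CrlClientOnline(chain),
                    LtvVerification.CertificateOption.WHOLE_CHAIN,
                    LtvVerification.Level.OCSP_CRL, LtvVerification.CertificateInclusion.NO);
        }
        stamper.close(); // merges the collected data into /DSS
    }

    private static PdfIndirectReference addStream(PdfStamper stamper, byte[] data) throws IOException {
        PdfStream stream = new PdfStream(data);
        stream.flateCompress();
        return stamper.getWriter().addToBody(stream).getIndirectReference();
    }

    /** iText returns a BasicOCSPResponse; the DSS /OCSPs array wants a full OCSPResponse. */
    private static byte[] asFullOcspResponse(byte[] basic) throws IOException {
        OCSPResponse resp = new OCSPResponse(new OCSPResponseStatus(OCSPResponseStatus.SUCCESSFUL),
                new ResponseBytes(OCSPObjectIdentifiers.id_pkix_ocsp_basic, new DEROctetString(basic)));
        return resp.getEncoded();
    }
}
```

Run certifyWithEmbeddedDss against the unsigned PDF with the signer's key and chain and open the output in Acrobat; certification and LTV status are then both part of the first signed revision. Running appendLtvAfterwards on such a file is only useful to reproduce the behaviour the answer describes for the second option.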
