Enabling LTV in deferred signing of PDF

Hello,


I am trying to get an LTV-enabled signature to work in a deferred signing process, but both examples from the documentation do not work and somehow produce an invalid signature.

Please refer to the Ticket at https://www.syncfusion.com/forums/160161/prepare-pdf-hash-to-be-signed-and-sign-externally-with-smart-card-not-on-the-same-system for more information on my implementation.

I know there are two different ways of enabling LTV as explained at https://www.syncfusion.com/forums/154546/pdfsignature-enableltv-vs-createlongtermvalidity.


(1) PdfSignature.EnableLTV = true;

(2) PdfSignature.CreateLongTermValidity(certs)


Here is how I would use (1):

// Create a PdfCertificate instance with X509Certificate2 created from certificates stored on USB tokens or elsewhere (deferred sign - no physical access)
PdfCertificate cert = new PdfCertificate(certificate);
PdfSignature signature = new PdfSignature(loadedDocument, loadedDocument.Pages[0], cert, signatureName);
signature.EnableLtv = true;


Here is how I would use (2):

X509Certificate2 certificate = new X509Certificate2(sig.certificateValue); // sig.certificateValue holds the certificate data sent by client
PdfSignature signature = new PdfSignature(loadedDocument, loadedDocument.Pages[0], null, signatureName);
//Create LTV with public certificates
signature.CreateLongTermValidity(new List<X509Certificate2> { certificate });


Both ways produce the following result in the PDF:

"Signature is invalid", "Document has been altered or corrupted since it was signed"


Please let me know if I am doing something wrong here or if there is another way of enabling LTV in deferred signing of PDF.


Thank you and best regards,

Marko


8 Replies

GK Gowthamraj Kumar Syncfusion Team September 13, 2021 01:48 PM UTC

Hi Marko, 

Thank you for contacting Syncfusion support.

 
We have checked the reported issue with the provided details on our end, but it is working properly. We have attached the runnable sample for your reference. Please try the sample with your certificate on your end and let us know the result.

Please refer to the documentation link below for more information,

If you are still facing the same issue, kindly share the modified sample with the input and output documents and the pfx certificate file so that we can reproduce the issue on our end. That will help us analyze and assist you further on this.

Regards, 
Gowthamraj K 



MB Marko Bezjak September 19, 2021 08:42 AM UTC

Hi Gowthamraj,


Thank you for getting back to me.

I have checked the provided sample, and would like to note the differences between having a physical .pfx file accessible on the same system and signing in a deferred process (example: smart card on different system).


In the provided sample you set up the X509Certificate2 and certificate list as follows:

X509Certificate2 digitalID = new X509Certificate2(path, "password");
List<X509Certificate2> certificates = new List<X509Certificate2>();
certificates.Add(digitalID);


I cannot do that, as I do not have access to the .pfx file, nor do I have the password, so I do:

X509Certificate2 digitalID = new X509Certificate2(Convert.FromBase64String(sig.certificateValue)); // sig.certificateValue holds the base64 certificate data sent by the client
List<X509Certificate2> certificates = new List<X509Certificate2>();
certificates.Add(digitalID);


I would also like to note that I sign PDF documents in a 2-step deferred process. First the PDF is prepared with an empty signature, and the bytes are then signed by a client program. Afterwards the empty signature is replaced with the signed one.


IPdfExternalSigner externalSigner = new ExternalSigner("SHA256", Convert.FromBase64String(sig.base64data));

List<X509Certificate2> publicCertificates = new List<X509Certificate2>();
X509Certificate2 certificate = new X509Certificate2(Convert.FromBase64String(sig.certificateValue));
publicCertificates.Add(certificate);

PdfSignature.ReplaceEmptySignature(inputFileStream, "", outputFileStream, "Signature", externalSigner, publicCertificates);


- Other than LTV, the described process works well and we can successfully sign PDF documents.

Please let me know if there is any more code or information that you would need. The main difference between the sample and how I do it is that I sign PDF documents in a deferred process.

Best regards,

Marko



GK Gowthamraj Kumar Syncfusion Team September 20, 2021 02:15 PM UTC

Hi Marko, 

Thank you for contacting Syncfusion support. 
  
We suspect this issue might be related to the certificate not having OCSP response or CRL information. Please ensure that the public certificate contains OCSP response or CRL information and let us know the result.

We have attached the sample and output screenshot for your reference. Please try the sample from below.
Screenshot: 
 

If you are still facing the same issue, kindly share the modified sample with the input and output documents and the public pfx certificate string so that we can reproduce the issue on our end. That will help us analyze and assist you further on this.

Regards, 
Gowthamraj K 



MB Marko Bezjak September 27, 2021 08:41 PM UTC

Hi Gowthamraj,

Thank you for the provided sample.

I can confirm that the sample defines the exact process I am using.

There are two differences though. I use the CMS cryptographic standard and the SHA256 digest algorithm.


What I can definitely confirm at this point is that my issue is directly connected to missing OCSP/CRL information.

If I sign the same PDF document directly in Adobe Reader DC, the text in the Revocation tab of the certificate information says:

"The selected certificate is considered valid because it has not been revoked as verified using the Online Certificate Status Protocol (OCSP) response that was embedded in the signature."




While the text in the revocation tab of the document signed with our code says:

"The selected certificate is considered valid because it has not been revoked as verified in real-time using the Online Certificate Status Protocol (OCSP) obtained on-line."



So from my understanding, the OCSP response had to be obtained online in real time, meaning that the document is not LTV enabled, as it does not embed the required OCSP response.

I hope this helps out a bit.


Best regards,
Marko
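A way to check this from the output file itself, as an added example that is not part of this thread or of Syncfusion's code: LTV data lives in the document's DSS dictionary (the /OCSPs, /CRLs and /Certs arrays), so a signed PDF without a populated DSS forces the viewer to fetch revocation data online, exactly the behaviour seen in the Revocation tab above. The two PDF fragments below are constructed for the example and are not real signed documents.

```python
import re
from typing import Dict

# Constructed fragments (not real signed PDFs): one whose DSS embeds an OCSP
# response and a CRL, and one that carries a signature but no DSS at all.
PDF_WITH_DSS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /DSS 10 0 R /AcroForm << /SigFlags 3 >> >> endobj
5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached >> endobj
10 0 obj << /Type /DSS /Certs [11 0 R 12 0 R] /OCSPs [13 0 R] /CRLs [14 0 R] >> endobj
13 0 obj << /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
PDF_WITHOUT_DSS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /SigFlags 3 >> >> endobj
5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_REF = re.compile(rb"(\d+)\s+0\s+R")  # indirect object reference "N 0 R"


def _count_refs(obj: bytes, key: bytes) -> int:
    """Number of object references inside the array stored under `key`."""
    m = re.search(key + rb"\s*\[([^\]]*)\]", obj)
    return len(_REF.findall(m.group(1))) if m else 0


def ltv_status(pdf: bytes) -> Dict[str, object]:
    """Report whether the PDF carries a DSS with embedded revocation data."""
    has_sig = re.search(rb"/Type\s*/Sig\b", pdf) is not None
    # Objects are delimited by "endobj"; keep only those that look like a DSS.
    dss_objs = [c for c in pdf.split(b"endobj")
                if re.search(rb"/Type\s*/DSS\b|/OCSPs\b|/CRLs\b", c)]
    if not dss_objs:
        return {"signed": has_sig, "has_dss": False, "certs": 0,
                "ocsps": 0, "crls": 0, "ltv_embedded": False}
    dss = dss_objs[-1]  # incremental updates append, so the last DSS wins
    ocsps, crls = _count_refs(dss, rb"/OCSPs"), _count_refs(dss, rb"/CRLs")
    return {"signed": has_sig, "has_dss": True,
            "certs": _count_refs(dss, rb"/Certs"), "ocsps": ocsps, "crls": crls,
            # LTV needs at least one embedded OCSP response or CRL
            "ltv_embedded": ocsps + crls > 0}


if __name__ == "__main__":
    print(ltv_status(PDF_WITH_DSS))
    print(ltv_status(PDF_WITHOUT_DSS))
```

The check reads the file structure only; it does not validate the signature or the revocation data themselves, so use it as a quick triage step before opening the document in a viewer.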



GK Gowthamraj Kumar Syncfusion Team September 28, 2021 01:24 PM UTC

Hi Marko, 
 
Thank you for your update. 
 
Currently, we are checking the possibility of the issue on our end, and we will update you with further details on September 30th, 2021.

 
Meanwhile, we request that you share the input and output documents and the public pfx certificate string so that we can reproduce the issue on our end. That will help us analyze and assist you further on this.
 
Regards, 
Gowthamraj K 



GK Gowthamraj Kumar Syncfusion Team September 30, 2021 01:15 PM UTC

Hi Marko, 
 
We regret the inconvenience caused.
 
We are facing complexity in tracing the actual root cause of the invalid signature when enabling LTV with deferred signing. Currently, we are working on this with high priority and will update you with further details on October 4th, 2021, without any further delay.
 
Meanwhile, we request that you share the input and output documents and the public pfx certificate string so that we can reproduce the issue on our end. That will help us analyze and assist you further on this.
 
Regards, 
Gowthamraj K 



SV Surya Venkatesan Syncfusion Team October 4, 2021 10:49 AM UTC

Hi Marko,


Thank you for your patience.


We confirmed the issue “Signature is invalid while enabling LTV with deferred signing” as a defect in our product. We will include the fix for this issue in our weekly NuGet release, which will be available on October 12th, 2021.


Please use the below feedback link to track the status of the reported bug.

https://www.syncfusion.com/feedback/29173/signature-is-invalid-while-enabling-ltv-with-deferred-signing


Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release versions, then kindly let us know the version, so that we can provide a patch for that version based on our SLA policy.


Please let us know if you need any further assistance with this.


Regards,

Surya V



GK Gowthamraj Kumar Syncfusion Team October 12, 2021 11:44 AM UTC

Hi Marko, 
 
Thank you for your patience. 
 
We have included the fix for the reported issue “Signature is invalid while enabling LTV with deferred signing” in our latest weekly NuGet release (v19.3.0.45). Please use the link below to download our latest weekly NuGet,
 
Please let us know if you have any concerns on this. 
 
Regards,
Gowthamraj K 

