We use cookies to give you the best experience on our website. If you continue to browse, then you agree to our privacy policy and cookie policy. Image for the cookie policy date

Digital Sigature Get OCSP/CRL Signer's Certificate and Validity

i need to get embedded CRL/OCSP Signer's Certificate & Validity (ex. if expired at time of signing or not ... etc.) on all certificate chain.




27 Replies

IJ Irfana Jaffer Sadhik Syncfusion Team February 13, 2023 06:12 AM UTC

Syncfusion PDF library provides support to validate the digital signatures in an existing PDF document. Digital signature validation covers the following steps to ensure the validity of the signatures:

  • Validate the document modification.
  • Validate the certificate chain.
  • Ensure the signature with timestamp time.
  • Check the revocation status of the certificate with OCSP and CRL.
  • Ensure multiple digital signatures.

You can use the ValidateSignature method available in the PdfLoadedSignatureField class to validate the digital signature.

You can get the overall status from the IsSignatureValid property available in the PdfSignatureValidationResult class.

Please refer to the code snippet below:

//Load an existing signed PDF document

PdfLoadedDocument loadedDocument = new PdfLoadedDocument("Input.pdf");

//Get signature field

PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[0] as PdfLoadedSignatureField;

 

//X509Certificate2Collection to check the signer's identity using root certificates

X509CertificateCollection collection = new X509CertificateCollection();

//Create new X509Certificate2 with the root certificate

X509Certificate2 certificate = new X509Certificate2("PDF.pfx", "password123");

//Add the certificate to the collection

collection.Add(certificate);

 

//Validate signature and get the validation result

PdfSignatureValidationResult result = signatureField.ValidateSignature(collection);

//Checks whether the signature is valid or not

SignatureStatus status = result.SignatureStatus;

//Checks whether the document is modified or not

bool isModified = result.IsDocumentModified;

//Signature details

string issuerName = signatureField.Signature.Certificate.IssuerName;

DateTime validFrom = signatureField.Signature.Certificate.ValidFrom;

DateTime validTo = signatureField.Signature.Certificate.ValidTo;

string signatureAlgorithm = result.SignatureAlgorithm;

DigestAlgorithm digestAlgorithm = result.DigestAlgorithm;

//Revocation validation details

RevocationResult revocationDetails = result.RevocationResult;

RevocationStatus revocationStatus = revocationDetails.OcspRevocationStatus;

bool isRevokedCRL = revocationDetails.IsRevokedCRL;

//Close the document

loadedDocument.Close(true);


Please refer to the below links for more information:

https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature#digital-signature-validation

https://www.syncfusion.com/kb/10777/how-to-validate-digitally-signed-pdf-document-using-c-and-vb-net





JA Jacobs replied to Irfana Jaffer Sadhik February 13, 2023 06:50 AM UTC

Thanks Irfana,,
i am already using the ValidateSignature function , but what i meant is adding two new properties "the revocation signer's certificate and validity" to the LtvVerificationInfo class  per each certificate in certificate chain same as the one added recently to the TimeStampInformation  (Certificate & IsValid).







IJ Irfana Jaffer Sadhik Syncfusion Team February 14, 2023 11:30 AM UTC

Currently, we are analyzing your requirement. We will provide the details shortly.



MK Moorthy Karunanithi Syncfusion Team February 16, 2023 02:52 PM UTC

As of now, we don’t have support to get the OCSP and CRL certificates on our end. We have logged a feature request called “Support to get OCSP and CRL certificates and validity from signature validation results”. Also, we don’t have any immediate plan to implement this feature and we will implement this support in any of our upcoming releases. We usually have an interval of at least three months between releases, at the planning stage for every release cycle, we review all open features. We will let you know when this feature

is implemented.


Please use the below feedback link to track the status of the feature.

https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation



JA Jacobs replied to Moorthy Karunanithi February 16, 2023 02:56 PM UTC

OK ... Thanks Moorthy



JA Jacobs March 21, 2023 02:32 PM UTC

Till this feature become available in future releases... does the ValidateSignature() function validates the oscp/crl signer certificate when validating a pdf signature?

For example ...If there is a signature with ocsp or crl either embedded or not (online)... if the ocsp/crl signer certificate was expired during signing time ... will the ValidateSignature() function return a message describing this case in the ValidationErrors property in PdfSignatureValidationResult class?



IJ Irfana Jaffer Sadhik Syncfusion Team March 22, 2023 10:43 AM UTC

Till this feature become available in future releases... does the ValidateSignature() function validates the oscp/crl signer certificate when validating a pdf signature?

For example ...If there is a signature with ocsp or crl either embedded or not (online)... if the ocsp/crl signer certificate was expired during signing time ... will the ValidateSignature() function return a message describing this case in the ValidationErrors property in PdfSignatureValidationResult class?

 

Yes, the function ValidateSignature() is responsible for validating the validity details of the OCSP and CRL signer certificates.

If there are any errors due to expired information, those details will be added to the ValidationError property in the PdfSignatureValidationResult.



JA Jacobs replied to Irfana Jaffer Sadhik March 23, 2023 10:37 AM UTC

Thanks



JA Jacobs July 18, 2023 02:04 PM UTC

Hello Irfana,

i have an issue regarding last release update that contains the PDFSignerCertifcates

A pdf signed with Signer "Test 1" a signature that is not LTV ... which means that there is no embedded revocation information for some/all of the elements in certificate chain ... so syncfusion shows that one Certificate in PDFSignerCertificate with no CRLCertificate which is correct and this is the same behaviour as adobe reader.