I need to get the embedded CRL/OCSP signer's certificate and its validity (e.g. whether it was expired at the time of signing or not, etc.) for every element of the certificate chain.
Syncfusion PDF library provides support to validate the digital signatures in an existing PDF document. Digital signature validation covers the following steps to ensure the validity of the signatures:
You can use the ValidateSignature method available in the PdfLoadedSignatureField class to validate the digital signature.
You can get the overall status from the IsSignatureValid property available in the PdfSignatureValidationResult class.
Please refer to the code snippet below:
using System;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Load an existing signed PDF document
PdfLoadedDocument loadedDocument = new PdfLoadedDocument("Input.pdf");
//Get signature field
PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[0] as PdfLoadedSignatureField;
//X509CertificateCollection to check the signer's identity using root certificates
X509CertificateCollection collection = new X509CertificateCollection();
//Create new X509Certificate2 with the root certificate
X509Certificate2 certificate = new X509Certificate2("PDF.pfx", "password123");
//Add the certificate to the collection
collection.Add(certificate);
//Validate signature and get the validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection);
//Checks whether the signature is valid or not
SignatureStatus status = result.SignatureStatus;
//Checks whether the document is modified or not
bool isModified = result.IsDocumentModified;
//Signature details
string issuerName = signatureField.Signature.Certificate.IssuerName;
DateTime validFrom = signatureField.Signature.Certificate.ValidFrom;
DateTime validTo = signatureField.Signature.Certificate.ValidTo;
string signatureAlgorithm = result.SignatureAlgorithm;
DigestAlgorithm digestAlgorithm = result.DigestAlgorithm;
//Revocation validation details
RevocationResult revocationDetails = result.RevocationResult;
RevocationStatus revocationStatus = revocationDetails.OcspRevocationStatus;
bool isRevokedCRL = revocationDetails.IsRevokedCRL;
//Close the document
loadedDocument.Close(true);
Please refer to the below links for more information:
https://www.syncfusion.com/kb/10777/how-to-validate-digitally-signed-pdf-document-using-c-and-vb-net
Thanks Irfana,
I am already using the ValidateSignature function, but what I meant is adding two new properties, "the revocation signer's certificate and validity", to the LtvVerificationInfo class for each certificate in the certificate chain, the same as the ones added recently to the TimeStampInformation (Certificate & IsValid).
Currently, we are analyzing your requirement. We will provide the details shortly.
As of now, we don't have support to get the OCSP and CRL certificates on our end. We have logged a feature request called "Support to get OCSP and CRL certificates and validity from signature validation results". Also, we don't have any immediate plan to implement this feature; we will implement this support in one of our upcoming releases. We usually have an interval of at least three months between releases. At the planning stage for every release cycle, we review all open features. We will let you know when this feature is implemented.
Please use the below feedback link to track the status of the feature.
Until this feature becomes available in future releases, does the ValidateSignature() function validate the OCSP/CRL signer certificate when validating a PDF signature?
For example, if there is a signature with OCSP or CRL data, either embedded or not (online), and the OCSP/CRL signer certificate was expired at signing time, will the ValidateSignature() function return a message describing this case in the ValidationErrors property of the PdfSignatureValidationResult class?
Yes, the function ValidateSignature() is responsible for validating the validity details of the OCSP and CRL signer certificates. If there are any errors due to expired information, those details will be added to the ValidationError property in the PdfSignatureValidationResult.
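As an added example that is not part of this thread and not Syncfusion's sample code: a small audit routine that puts the answer above to use. It validates every signature field against caller-supplied trusted roots, collects the library's ValidationErrors and CRL revocation verdict, and then independently checks whether each CRL/OCSP signer's own certificate was inside its validity period at the time the signature was made. The members SignedDate, SignerCertificates, CrlCertificate, OcspCertificate, IsEmbedded and the nested Certificate are assumptions taken from the property names used in this thread and are not shown in the original snippet; confirm them against the installed Syncfusion.Pdf version before relying on them.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

// Added example, not Syncfusion's sample code. Members marked ASSUMED are not shown
// on this page and must be confirmed against the installed Syncfusion.Pdf version.
public static class SignatureRevocationAudit
{
    public sealed class Finding
    {
        public string Field;
        public string Message;
        public override string ToString() { return Field + ": " + Message; }
    }

    // Validates every signature field in the PDF against the supplied trusted roots and
    // returns one Finding per problem. An empty list means nothing was flagged.
    public static List<Finding> Audit(string pdfPath, X509CertificateCollection trustedRoots)
    {
        var findings = new List<Finding>();
        PdfLoadedDocument document = new PdfLoadedDocument(pdfPath);
        try
        {
            if (document.Form == null)
                return findings; // no AcroForm, therefore no signature fields

            for (int i = 0; i < document.Form.Fields.Count; i++)
            {
                PdfLoadedSignatureField signatureField = document.Form.Fields[i] as PdfLoadedSignatureField;
                if (signatureField == null || signatureField.Signature == null)
                    continue; // not a signature field, or a signature field that was never signed

                string name = signatureField.Name;
                PdfSignatureValidationResult result = signatureField.ValidateSignature(trustedRoots);

                // 1. Overall verdict and document integrity (both shown in the thread's snippet).
                if (!result.IsSignatureValid)
                    Add(findings, name, "signature status: " + result.SignatureStatus);
                if (result.IsDocumentModified)
                    Add(findings, name, "document content was modified after signing");

                // 2. Errors the library itself reports; per the answer above, an expired
                //    CRL/OCSP signer certificate is surfaced here.
                foreach (var error in result.ValidationErrors)
                    Add(findings, name, "validation error: " + error.Message);

                // 3. CRL revocation verdict for the signing certificate (shown in the thread's snippet).
                RevocationResult revocation = result.RevocationResult;
                if (revocation != null && revocation.IsRevokedCRL)
                    Add(findings, name, "signing certificate is revoked according to the CRL");

                // 4. Independent check of the revocation signers: was the CRL/OCSP signer's own
                //    certificate inside its validity period when this signature was made?
                //    ASSUMED: Signature.SignedDate, result.SignerCertificates, and on
                //    PdfSignerCertificate: Certificate, CrlCertificate, OcspCertificate, the
                //    latter two exposing Certificate (X509Certificate2) and IsEmbedded.
                DateTime signedAtUtc = signatureField.Signature.SignedDate.ToUniversalTime();
                foreach (PdfSignerCertificate signer in result.SignerCertificates)
                {
                    string subject = signer.Certificate != null ? signer.Certificate.Subject : "(unknown subject)";
                    bool hasRevocationData = false;
                    if (signer.CrlCertificate != null)
                    {
                        hasRevocationData = true;
                        CheckRevocationSigner(findings, name, subject, "CRL",
                            signer.CrlCertificate.Certificate, signer.CrlCertificate.IsEmbedded, signedAtUtc);
                    }
                    if (signer.OcspCertificate != null)
                    {
                        hasRevocationData = true;
                        CheckRevocationSigner(findings, name, subject, "OCSP",
                            signer.OcspCertificate.Certificate, signer.OcspCertificate.IsEmbedded, signedAtUtc);
                    }
                    if (!hasRevocationData)
                        Add(findings, name, "no CRL or OCSP data for chain element " + subject);
                }
            }
        }
        finally
        {
            document.Close(true);
        }
        return findings;
    }

    private static void CheckRevocationSigner(List<Finding> findings, string field, string subject,
        string kind, X509Certificate2 revocationSigner, bool embedded, DateTime signedAtUtc)
    {
        if (revocationSigner == null)
        {
            // The case reported later in this thread: CRL detected, but its signer comes back empty.
            Add(findings, field, kind + " data present for " + subject + " but the " + kind + " signer certificate could not be read");
            return;
        }
        string source = embedded ? "embedded" : "online";
        DateTime notBefore = revocationSigner.NotBefore.ToUniversalTime();
        DateTime notAfter = revocationSigner.NotAfter.ToUniversalTime();
        if (signedAtUtc < notBefore || signedAtUtc > notAfter)
            Add(findings, field, kind + " signer (" + source + ") for " + subject + " was not valid at signing time "
                + signedAtUtc.ToString("u") + " (valid " + notBefore.ToString("u") + " to " + notAfter.ToString("u") + ")");
    }

    private static void Add(List<Finding> findings, string field, string message)
    {
        findings.Add(new Finding { Field = field, Message = message });
    }
}
```

Call it as SignatureRevocationAudit.Audit("Input.pdf", collection) with the same X509CertificateCollection of trusted roots used in the snippet above; an empty result list means every signature validated and every revocation signer was in its validity window at signing time. The check in step 4 is deliberately separate from the library's ValidationErrors so that the two can be compared when they disagree.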
Hello Irfana,
I have an issue regarding the last release update that contains the PdfSignerCertificates.
A PDF signed by signer "Test 1" with a signature that is not LTV, which means that there is no embedded revocation information for some/all of the elements in the certificate chain: Syncfusion shows one certificate in PdfSignerCertificate with no CRLCertificate, which is correct and is the same behaviour as Adobe Reader.
However, when adding a second signature with the same signer "Test1", but this time an LTV signature, the revocation information is embedded inside the document. Syncfusion reads all 4 PdfSignerCertificates with all embedded information in the second signature by "Test 1", which is also correct and the same as Adobe Reader.
NOW, the first signature is converted from non-LTV to LTV because it is reading all embedded revocation information from inside the document that was added by the other LTV signature by the same signer Test 1, instead of from the local cache. So now Adobe Reader shows that the first signature is LTV and has embedded revocation information.
Syncfusion reads the same: the first signature is now LTV, IsCRLEmbedded is now = true, it can read the valid from/to dates and can detect that there is one CRL certificate, but it still cannot get the CRL certificate itself (= nothing). This is for the Test1 signer certificate. It also cannot get the 3 other PdfSignerCertificates for the rest of the elements in the certificate chain, which can be detected by Adobe.
Please check the attached files
After conducting a deep investigation of all the signatures, we discovered that the first signature was signed with the "EndCertOnly" option, while the other signatures were signed with the "WholeChain" option. As a result, the three signer certificates and related CRL certificates are not included when considering only the first signature.
We analyzed the signature information to extract the root and intermediate certificates. However, since the signature is signed with the "EndCertOnly" option, we are unable to provide a similar result as Adobe does. Unfortunately, our current functionality does not allow us to identify the root and other intermediate chain certificates from the signature information with the "EndCertOnly" signing.
Due to these limitations, we are unable to proceed further with this document at the moment.
Thanks Irfana, your analysis is correct, but why can Syncfusion show the embedded CRL in the first signature and detect an existing CRL certificate for the end certificate, yet it equals nothing?
Adobe can share CRL information between different signatures with the same certificate if any of the signatures has revocation info embedded in the document.
Is there any plan to support this kind of behaviour?
We discovered that Adobe has displayed the root and intermediate chain certificates, each with its respective EndCertOnly signed signature, using the Document Security Store (DSS) certification information. We intend to implement a similar feature to achieve the same results as Adobe. Additionally, we will include this functionality as part of our enhancement support to obtain time stamp signer details. We will keep you informed once this feature becomes available.
Please use the below feedback link to track the status of the feature.
That's great news ...
Thanks Irfana and Syncfusion team.
I will be waiting for this release.
Hello Irfana,
Will the timestamp embedded signer be released along with reading DSS certificate information in Service Pack 1 at the end of July?
Thank you for your patience,
In our latest release, 2023 Volume 2 SP1, we have added support for obtaining the timestamp embedded signer's information, along with the ability to read DSS certificate details.
To retrieve the timestamp embedded signer details, you can use the following code example:
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Loads an existing document.
PdfLoadedDocument document = new PdfLoadedDocument("Input.pdf");
//Gets the signature field.
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
//Validates signature and gets the validation result.
PdfSignatureValidationResult result = signatureField.ValidateSignature();
//Gets the timestamp signer certificates.
PdfSignerCertificate[] certificates = result.TimeStampInformation.SignerCertificates;
//Close the document.
document.Close(true);
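As an added example that is not part of this thread and not Syncfusion's sample code: a check that takes the timestamp signer certificates the library hands back (from the timestamp token and the DSS) and lets .NET's X509Chain decide, offline, whether they form a complete chain to one of the caller's trusted roots. This is the kind of cross-check that catches the situation reported later in the thread, where fewer chain elements are returned than Adobe shows. It assumes that PdfSignerCertificate.Certificate is an X509Certificate2 and that TimeStampInformation.Time is the timestamp's signing time; neither member is shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

// Added example, not Syncfusion's sample code.
// ASSUMED: PdfSignerCertificate.Certificate is an X509Certificate2 and
// TimeStampInformation.Time is the timestamp's signing time.
public static class TimestampChainCheck
{
    public sealed class Report
    {
        public bool TimestampValid;       // library verdict on the timestamp token
        public int ExtractedCount;        // certificates the library handed back for the TSA chain
        public int ChainLength;           // elements X509Chain could link, leaf first
        public bool ChainComplete;        // chain ends at one of the supplied roots with no gaps
        public List<string> Problems = new List<string>();
    }

    public static Report Check(string pdfPath, int fieldIndex, X509Certificate2Collection trustedRoots)
    {
        var report = new Report();
        PdfLoadedDocument document = new PdfLoadedDocument(pdfPath);
        try
        {
            PdfLoadedSignatureField signatureField = document.Form.Fields[fieldIndex] as PdfLoadedSignatureField;
            if (signatureField == null || signatureField.Signature == null)
            {
                report.Problems.Add("field " + fieldIndex + " is not a signed signature field");
                return report;
            }

            PdfSignatureValidationResult result = signatureField.ValidateSignature();
            TimeStampInformation timeStamp = result.TimeStampInformation;
            if (timeStamp == null || timeStamp.Certificate == null)
            {
                report.Problems.Add("signature carries no embedded timestamp");
                return report;
            }
            report.TimestampValid = timeStamp.IsValid;

            // Everything the library recovered for the TSA chain goes into ExtraStore so that
            // X509Chain can use it; nothing is fetched from the network.
            var extracted = new X509Certificate2Collection();
            foreach (PdfSignerCertificate signer in timeStamp.SignerCertificates)
                if (signer.Certificate != null)
                    extracted.Add(signer.Certificate);
            report.ExtractedCount = extracted.Count;

            using (var chain = new X509Chain())
            {
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;   // revocation is judged by ValidateSignature
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                chain.ChainPolicy.VerificationTime = timeStamp.Time;             // ASSUMED member; judge validity at timestamp time
                chain.ChainPolicy.ExtraStore.AddRange(extracted);
                chain.ChainPolicy.ExtraStore.AddRange(trustedRoots);

                chain.Build(timeStamp.Certificate);
                report.ChainLength = chain.ChainElements.Count;

                bool partial = false;
                foreach (X509ChainStatus status in chain.ChainStatus)
                    if ((status.Status & X509ChainStatusFlags.PartialChain) != 0)
                        partial = true;

                // Trust is decided here, by membership in the caller's roots, not by the OS store.
                X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                bool endsAtTrustedRoot = trustedRoots.Contains(top);
                report.ChainComplete = !partial && endsAtTrustedRoot;

                if (partial)
                    report.Problems.Add("intermediate certificate(s) missing: chain stops at " + top.Subject);
                else if (!endsAtTrustedRoot)
                    report.Problems.Add("chain ends at an untrusted certificate: " + top.Subject);
                foreach (X509ChainStatus status in chain.ChainStatus)
                    if (status.Status != X509ChainStatusFlags.NoError && status.Status != X509ChainStatusFlags.UntrustedRoot)
                        report.Problems.Add("chain status: " + status.StatusInformation.Trim());
            }
        }
        finally
        {
            document.Close(true);
        }
        return report;
    }
}
```

Compare Report.ExtractedCount with Report.ChainLength: when the library returns only part of the TSA chain, X509Chain reports PartialChain and ChainComplete stays false even though TimestampValid may be true, which is the disagreement with Adobe described further down. UntrustedRoot is filtered from the status list because AllowUnknownCertificateAuthority is set and trust is decided by the explicit root collection instead.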
We are glad to announce that our Essential Studio 2023 Volume 2 Service Pack release v22.2.5 is rolled out and is available for download under the following link.
We thank you for your support and appreciate your patience in waiting for this release. Please get in touch with us if you would require any further assistance.
I tested the new release, and the two requests are working correctly 😊
Thanks Irfana for your usual support.
However, I noticed another difference between Syncfusion and Adobe that was already present in the previous release.
If there are two LTV signatures with the whole chain (like the second and third signatures in the attached document) that have separate CRL files embedded in the document and have the same CRL issuer, Adobe reads each corresponding CRL's information, while Syncfusion reads the latest one for both.
Please check the screenshots below (ignore the +3 timezone difference in Adobe).
1st signature by Test 1 (no chain no ltv ... reads the crl information from DSS of ... so now LTV)
Syncfusion same as Adobe
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28
2nd signature by Test128 February 2022 (full chain ltv ... crl embedded in document)
Syncfusion different than Adobe
Syncfusion (reads latest from DSS)
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28
Adobe (reads crl info from its related signature)
Valid from 12/07/2023 06:13:05
Valid To 13/07/2023 06:13:05
3rd signature by Test 1 (full chain ltv )
Syncfusion same as Adobe
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28
Currently, we are analyzing the reported problem with provided details on our end and we will update further details on August 8th, 2023.
We confirmed the issue “The CRL is failed to extract from DSS which is related to the PdfSignerCertificate” as a defect in our product and we will include the fix into our upcoming weekly NuGet release, which will be available on August 22nd, 2023.
Please use the below feedback link to track the status of the reported bug.
Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release version, then kindly let us know the version, so that we can provide a patch in that version based on our SLA policy.
Disclaimer: “Inclusion of this solution in the weekly release may change due to other factors including but not limited to QA checks and works reprioritization.”
Thanks Ravikumar ... waiting for the fix 😊
I have another issue with TimeStampInformation.SignerCertificates: it returns only two elements of the chain from the timestamp embedded in the signature; however, it should return 4 elements.
Can you please have a look into it? PDF attached.
Currently, we are analyzing the reported problem with the provided details on our end and we will update further details on August 21st, 2023.
We found that we were only able to obtain 2 certificates from the TimeStamp information. However, Adobe has shown the main certificate chain and another middle certificate from the Document Security Store (DSS) certification details. Right now, we're investigating how Adobe correctly links the main and middle certificates from the DSS collection. We'll provide more information on this by August 23rd, 2023.
Thanks Santhiya for your usual support 😊
I appreciate syncfusion team usual efforts 🙏
We have included the fix for the reported issue "The CRL is failed to extract from DSS which is related to the PdfSignerCertificate" in our latest weekly NuGet release (v22.2.10). Please use the below link to download our latest weekly NuGet:
https://www.nuget.org/packages/Syncfusion.Pdf.WinForms/22.2.10
We confirmed the issue "Timestamp signer root and intermediate certificate are not extracted properly from DSS" as a defect in our product and we will include the fix into our upcoming weekly NuGet release, which will be available on August 29th, 2023.
Please use the below feedback link to track the status of the reported bug.
Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release version, then kindly let us know the version, so that we can provide a patch in that version based on our SLA policy.
Disclaimer: "Inclusion of this solution in the weekly release may change due to other factors including but not limited to QA checks and works reprioritization."
Please let us know if you have any concerns on this.
Thanks Ravikumar
I really appreciate syncfusion team efforts.
I will check the fix and will be waiting for next week update.
We have included the fix for the reported issue “Timestamp signer root and intermediate certificate are not extracted properly from DSS” in our latest weekly NuGet release (v22.2.11). Please use the below link to download our latest weekly NuGet,
https://www.nuget.org/packages/Syncfusion.Pdf.WinForms/22.2.11
Thanks Santhiya
This is to confirm that I checked the latest release and found that both issues were fixed:
The CRL is failed to extract from DSS which is related to the PdfSignerCertificate
Timestamp signer root and intermediate certificate are not extracted properly from DSS
Thanks again for your usual support
Most welcome.