
Digital Signature: Get OCSP/CRL Signer's Certificate and Validity

I need to get the embedded CRL/OCSP signer's certificate and its validity (e.g. whether it was expired at the time of signing, etc.) for every certificate in the certificate chain.




27 Replies

IJ Irfana Jaffer Sadhik Syncfusion Team February 13, 2023 06:12 AM UTC

Syncfusion PDF library provides support to validate the digital signatures in an existing PDF document. Digital signature validation covers the following steps to ensure the validity of the signatures:

  • Validate the document modification.
  • Validate the certificate chain.
  • Ensure the signature with timestamp time.
  • Check the revocation status of the certificate with OCSP and CRL.
  • Ensure multiple digital signatures.

You can use the ValidateSignature method available in the PdfLoadedSignatureField class to validate the digital signature.

You can get the overall status from the IsSignatureValid property available in the PdfSignatureValidationResult class.

Please refer to the code snippet below:

using System;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Load an existing signed PDF document
PdfLoadedDocument loadedDocument = new PdfLoadedDocument("Input.pdf");
//Get signature field
PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[0] as PdfLoadedSignatureField;

//X509CertificateCollection to check the signer's identity using root certificates
X509CertificateCollection collection = new X509CertificateCollection();
//Create new X509Certificate2 with the root certificate
X509Certificate2 certificate = new X509Certificate2("PDF.pfx", "password123");
//Add the certificate to the collection
collection.Add(certificate);

//Validate signature and get the validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection);
//Checks whether the signature is valid or not
SignatureStatus status = result.SignatureStatus;
//Checks whether the document is modified or not
bool isModified = result.IsDocumentModified;
//Signature details
string issuerName = signatureField.Signature.Certificate.IssuerName;
DateTime validFrom = signatureField.Signature.Certificate.ValidFrom;
DateTime validTo = signatureField.Signature.Certificate.ValidTo;
string signatureAlgorithm = result.SignatureAlgorithm;
DigestAlgorithm digestAlgorithm = result.DigestAlgorithm;
//Revocation validation details
RevocationResult revocationDetails = result.RevocationResult;
RevocationStatus revocationStatus = revocationDetails.OcspRevocationStatus;
bool isRevokedCRL = revocationDetails.IsRevokedCRL;
//Close the document
loadedDocument.Close(true);


Please refer to the below links for more information:

https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature#digital-signature-validation

https://www.syncfusion.com/kb/10777/how-to-validate-digitally-signed-pdf-document-using-c-and-vb-net





JA Jacobs replied to Irfana Jaffer Sadhik February 13, 2023 06:50 AM UTC

Thanks Irfana,
I am already using the ValidateSignature function, but what I meant is adding two new properties, "the revocation signer's certificate and validity", to the LtvVerificationInfo class for each certificate in the certificate chain, the same as the ones added recently to TimeStampInformation (Certificate & IsValid).







IJ Irfana Jaffer Sadhik Syncfusion Team February 14, 2023 11:30 AM UTC

Currently, we are analyzing your requirement. We will provide the details shortly.



MK Moorthy Karunanithi Syncfusion Team February 16, 2023 02:52 PM UTC

As of now, we don't have support to get the OCSP and CRL certificates on our end. We have logged a feature request called "Support to get OCSP and CRL certificates and validity from signature validation results". Also, we don't have any immediate plan to implement this feature, and we will implement this support in any of our upcoming releases. We usually have an interval of at least three months between releases; at the planning stage for every release cycle, we review all open features. We will let you know when this feature is implemented.


Please use the below feedback link to track the status of the feature.

https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation



JA Jacobs replied to Moorthy Karunanithi February 16, 2023 02:56 PM UTC

OK ... Thanks Moorthy



JA Jacobs March 21, 2023 02:32 PM UTC

Until this feature becomes available in future releases... does the ValidateSignature() function validate the OCSP/CRL signer certificate when validating a PDF signature?

For example... if there is a signature with OCSP or CRL, either embedded or not (online)... and the OCSP/CRL signer certificate was expired at signing time... will the ValidateSignature() function return a message describing this case in the ValidationErrors property of the PdfSignatureValidationResult class?



IJ Irfana Jaffer Sadhik Syncfusion Team March 22, 2023 10:43 AM UTC

Until this feature becomes available in future releases... does the ValidateSignature() function validate the OCSP/CRL signer certificate when validating a PDF signature?

For example... if there is a signature with OCSP or CRL, either embedded or not (online)... and the OCSP/CRL signer certificate was expired at signing time... will the ValidateSignature() function return a message describing this case in the ValidationErrors property of the PdfSignatureValidationResult class?

 

Yes, the function ValidateSignature() is responsible for validating the validity details of the OCSP and CRL signer certificates.

If there are any errors due to expired information, those details will be added to the ValidationError property in the PdfSignatureValidationResult.



JA Jacobs replied to Irfana Jaffer Sadhik March 23, 2023 10:37 AM UTC

Thanks



JA Jacobs July 18, 2023 02:04 PM UTC

Hello Irfana,

I have an issue regarding the last release update that contains the PdfSignerCertificates.

A PDF signed by signer "Test 1" with a signature that is not LTV... which means that there is no embedded revocation information for some/all of the elements in the certificate chain... so Syncfusion shows one certificate in PdfSignerCertificate with no CRLCertificate, which is correct and is the same behaviour as Adobe Reader.

However, when adding a second signature with the same signer "Test1", but this time an LTV signature... the revocation information is embedded inside the document... Syncfusion reads all 4 PdfSignerCertificates with all embedded information in the second signature "by Test 1", which is also correct, the same as Adobe Reader.

NOW, the first signature is converted from non-LTV to LTV because it is reading all the embedded revocation information from inside the document that was added by the other LTV signature by the same signer Test 1, instead of from the local cache... so now Adobe Reader shows that the first signature is LTV and has embedded revocation information.

Syncfusion reads the same: the first signature is now LTV, IsCRLEmbedded is now = true, it can read the valid from/to dates and can detect that there is one CRL certificate, but it still cannot get the CRL certificate itself (= nothing)... this is for the Test1 signer certificate... and it also cannot get the 3 other PdfSignerCertificates for the rest of the elements in the certificate chain, which Adobe can detect.






Please check the attached files


Attachment: test_425aa26a.zip


IJ Irfana Jaffer Sadhik Syncfusion Team July 20, 2023 12:53 PM UTC

After conducting a deep investigation of all the signatures, we discovered that the first signature was signed with the "EndCertOnly" option, while the other signatures were signed with the "WholeChain" option. As a result, the three signer certificates and related CRL certificates are not included when considering only the first signature.



We analyzed the signature information to extract the root and intermediate certificates. However, since the signature is signed with the "EndCertOnly" option, we are unable to provide a similar result as Adobe does. Unfortunately, our current functionality does not allow us to identify the root and other intermediate chain certificates from the signature information with the "EndCertOnly" signing.


Due to these limitations, we are unable to proceed further with this document at the moment.



JA Jacobs July 20, 2023 01:03 PM UTC

Thanks Irfana... your analysis is correct, but why can Syncfusion show the embedded CRL in the first signature and detect an existing CRL certificate in the end certificate, but it equals nothing...?

Adobe can share CRL information between different signatures with the same certificate if any of the signatures has revocation info embedded in the document.

Is there any plan to support this kind of behavior?



IJ Irfana Jaffer Sadhik Syncfusion Team July 21, 2023 12:10 PM UTC

We discovered that Adobe has displayed the root and intermediate chain certificates, each with its respective EndCertOnly signed signature, using the Document Security Store (DSS) certification information. We intend to implement a similar feature to achieve the same results as Adobe. Additionally, we will include this functionality as part of our enhancement support to obtain time stamp signer details. We will keep you informed once this feature becomes available.


Please use the below feedback link to track the status of the feature.

https://www.syncfusion.com/feedback/45142/support-to-get-revocation-certificates-and-validity-from-signature-embedded



JA Jacobs July 21, 2023 12:14 PM UTC

That's great news ... 

Thanks Irfana and Syncfusion team.

I will be waiting for this release.



JA Jacobs July 27, 2023 04:54 PM UTC

Hello Irfana,

Will the timestamp embedded signer be released along with reading DSS certificate information in Service Pack 1 at the end of July?



IJ Irfana Jaffer Sadhik Syncfusion Team July 28, 2023 05:29 AM UTC

Thank you for your patience.


In our latest release, 2023 Volume 2 SP1, we have added support for obtaining the timestamp embedded signer's information, along with the ability to read DSS certificate details.


To retrieve the timestamp embedded signer details, you can use the following code example:

using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Loads an existing document.
PdfLoadedDocument document = new PdfLoadedDocument("Input.pdf");
//Gets the signature field.
PdfLoadedSignatureField signatureField = document.Form.Fields[0] as PdfLoadedSignatureField;
//Validates signature and gets the validation result.
PdfSignatureValidationResult result = signatureField.ValidateSignature();
//Gets the timestamp signer certificates.
PdfSignerCertificate[] certificates = result.TimeStampInformation.SignerCertificates;
//Close the document.
document.Close(true);

 


We are glad to announce that our Essential Studio 2023 Volume 2 Service Pack release v22.2.5 is rolled out and is available for download under the following link.

Essential Studio 2023 Volume 2 Service Pack Release v22.2.5 is available for download | Announcements Forums | Syncfusion

We thank you for your support and appreciate your patience in waiting for this release. Please get in touch with us if you would require any further assistance.
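The first reply's validation API and the SP1 timestamp signer API above, combined into one audit routine as an added example (my code, not Syncfusion's and not from this thread). It uses only members named in the thread; the trusted root file name, the assumption that ValidationErrors can be enumerated, and the assumption that PdfSignerCertificate exposes a Certificate property are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Interactive;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

// Added example, not Syncfusion code. Audits every signature field in a PDF.
// Assumptions: "root-ca.cer" is a public root with no private key, ValidationErrors
// is enumerable, and PdfSignerCertificate.Certificate is an X509Certificate2.
public static class SignatureAudit
{
    // Returns true only if every signed field validates against the trusted roots,
    // the document was not modified after signing, and no CRL marks a signer revoked.
    public static bool AuditAll(string pdfPath, string rootCertPath, List<string> report)
    {
        X509CertificateCollection roots = new X509CertificateCollection();
        roots.Add(new X509Certificate2(rootCertPath)); // trust anchor, public part only

        PdfLoadedDocument doc = new PdfLoadedDocument(pdfPath);
        try
        {
            if (doc.Form == null) { report.Add("no form: nothing to validate"); return false; }
            bool allOk = true;
            int signed = 0;
            foreach (PdfField field in doc.Form.Fields)
            {
                PdfLoadedSignatureField sig = field as PdfLoadedSignatureField;
                if (sig == null || sig.Signature == null) continue; // not a signed signature field
                signed++;

                PdfSignatureValidationResult result = sig.ValidateSignature(roots);
                RevocationResult rev = result.RevocationResult;
                bool ok = result.IsSignatureValid && !result.IsDocumentModified && !rev.IsRevokedCRL;
                allOk &= ok;
                report.Add(string.Format("{0}: valid={1} modified={2} ocsp={3} crlRevoked={4} issuer={5}",
                    sig.Name, result.IsSignatureValid, result.IsDocumentModified,
                    rev.OcspRevocationStatus, rev.IsRevokedCRL, sig.Signature.Certificate.IssuerName));

                // Expired OCSP/CRL signer certificates are reported here (thread reply of Mar 22).
                foreach (object error in result.ValidationErrors)
                    report.Add("  error: " + error);

                // Timestamp signer chain (2023 Vol 2 SP1+); absent when there is no timestamp.
                if (result.TimeStampInformation != null && result.TimeStampInformation.SignerCertificates != null)
                {
                    PdfSignerCertificate[] chain = result.TimeStampInformation.SignerCertificates;
                    report.Add("  timestamp chain length: " + chain.Length);
                    foreach (PdfSignerCertificate sc in chain)
                        report.Add("    " + sc.Certificate.Subject); // assumed Certificate property
                }
            }
            return allOk && signed > 0; // an unsigned document is not "valid"
        }
        finally { doc.Close(true); }
    }
}
```

A chain length shorter than expected in the report is the symptom discussed later in this thread (timestamp root and intermediate certificates missing from the DSS extraction).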



JA Jacobs August 2, 2023 02:03 PM UTC

I tested the new release, and the two requests are working correctly 😊

Thanks Irfana for your usual support.

However, I noticed another difference between Syncfusion and Adobe that was already present in the previous release.

If there are two LTV signatures with the whole chain (like the second and third signatures in the attached document) that have separate CRL files embedded in the document and have the same CRL issuer... Adobe reads each corresponding CRL's information, while Syncfusion reads the latest one for both.

Please check the screenshots below (ignore the +3 timezone difference in Adobe).

1st signature by Test 1 (no chain, no LTV... reads the CRL information from the DSS... so now LTV)

Syncfusion same as Adobe
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28

2nd signature by Test128 February 2022 (full chain LTV... CRL embedded in document)

Syncfusion different from Adobe

Syncfusion (reads latest from DSS)
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28

Adobe (reads CRL info from its related signature)
Valid from 12/07/2023 06:13:05
Valid To 13/07/2023 06:13:05

3rd signature by Test 1 (full chain LTV)

Syncfusion same as Adobe
Valid from 12/07/2023 08:45:28
Valid To 13/07/2023 08:45:28





Attachment: dss_issue_448ac664.zip


RB Ravikumar Baladhandapani Syncfusion Team August 4, 2023 10:30 AM UTC

Currently, we are analyzing the reported problem with provided details on our end and we will update further details on August 8th, 2023.



RB Ravikumar Baladhandapani Syncfusion Team replied to Ravikumar Baladhandapani August 8, 2023 02:05 PM UTC

We confirmed the issue “The CRL is failed to extract from DSS which is related to the PdfSignerCertificate” as a defect in our product and we will include the fix into our upcoming weekly NuGet release, which will be available on August 22nd, 2023.

Please use the below feedback link to track the status of the reported bug.

https://www.syncfusion.com/feedback/45966/the-crl-revocation-date-and-time-zone-information-are-incorrect-in-the-pdf-signer

Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release version, then kindly let us know the version, so that we can provide a patch in that version based on our SLA policy.

Disclaimer: “Inclusion of this solution in the weekly release may change due to other factors including but not limited to QA checks and works reprioritization.”



JA Jacobs replied to Ravikumar Baladhandapani August 16, 2023 11:56 AM UTC

Thanks Ravikumar ... waiting for the fix 😊


I have another issue with TimeStampInformation.SignerCertificates: it returns only two elements of the chain from the timestamp embedded in the signature, however it should return 4 elements.

Can you please have a look into it? PDF attached.






Attachment: Test07_25c51e86.zip


RB Ravikumar Baladhandapani Syncfusion Team August 17, 2023 01:38 PM UTC

Currently, we are analyzing the reported problem with the provided details on our end and we will update further details on August 21st, 2023.



SN Santhiya Narayanan Syncfusion Team August 22, 2023 04:47 AM UTC

We found that we were only able to obtain 2 certificates from the TimeStamp information. However, Adobe has shown the main certificate chain and another middle certificate from the Document Security Store (DSS) certification details. Right now, we're investigating how Adobe correctly links the main and middle certificates from the DSS collection. We'll provide more information on this by August 23rd, 2023.



JA Jacobs replied to Santhiya Narayanan August 22, 2023 04:52 AM UTC

Thanks Santhiya for your usual support 😊

I appreciate syncfusion team usual efforts 🙏



RB Ravikumar Baladhandapani Syncfusion Team August 24, 2023 02:08 PM UTC


We have included the fix for the reported issue "The CRL is failed to extract from DSS which is related to the PdfSignerCertificate" in our latest weekly NuGet release (v22.2.10). Please use the below link to download our latest weekly NuGet:

https://www.nuget.org/packages/Syncfusion.Pdf.WinForms/22.2.10


We confirmed the issue “Timestamp signer root and intermediate certificate are not extracted properly from DSS” as a defect in our product and we will include the fix into our upcoming weekly NuGet release, which will be available on August 29th, 2023.

Please use the below feedback link to track the status of the reported bug.

https://www.syncfusion.com/feedback/46313/timestamp-signer-root-and-intermediate-certificate-are-not-extracted-properly-from

Note: If you require a patch for the reported issue in any of our Essential Studio Main or SP release version, then kindly let us know the version, so that we can provide a patch in that version based on our SLA policy.

Disclaimer: “Inclusion of this solution in the weekly release may change due to other factors including but not limited to QA checks and works reprioritization.”

Please let us know if you have any concerns on this.

 



JA Jacobs replied to Ravikumar Baladhandapani August 24, 2023 04:47 PM UTC

Thanks Ravikumar

I really appreciate syncfusion team efforts.

I will check the fix and will be waiting for next week update.



SN Santhiya Narayanan Syncfusion Team August 29, 2023 01:47 PM UTC

We have included the fix for the reported issue "Timestamp signer root and intermediate certificate are not extracted properly from DSS" in our latest weekly NuGet release (v22.2.11). Please use the below link to download our latest weekly NuGet:

https://www.nuget.org/packages/Syncfusion.Pdf.WinForms/22.2.11



JA Jacobs replied to Santhiya Narayanan September 4, 2023 07:44 AM UTC

Thanks Santhiya

This is to confirm that I checked the latest release and found that both issues were fixed:

The CRL is failed to extract from DSS which is related to the PdfSignerCertificate

Timestamp signer root and intermediate certificate are not extracted properly from DSS


Thanks again for your usual support



SS Swetha Srikumar Syncfusion Team September 6, 2023 10:44 AM UTC

Most welcome.

