
Digital Signature read embedded CRL fields in a pdf signature

I need to read the effective date, next update & issuer fields in an embedded CRL while validating signatures, the same as Adobe shows in the Revocation tab in signature properties.



20 Replies

IJ Irfana Jaffer Sadhik Syncfusion Team February 15, 2023 09:25 AM UTC

Syncfusion PDF library provides support to validate the digital signatures in an existing PDF document. Digital signature validation covers the following steps to ensure the validity of the signatures:

  • Validate the document modification.
  • Validate the certificate chain.
  • Ensure the signature with timestamp time.
  • Check the revocation status of the certificate with OCSP and CRL.
  • Ensure the multiple digital signatures.

You can use the ValidateSignature method available in the PdfLoadedSignatureField class to validate the digital signature.

You can get the overall status from the IsSignatureValid property available in the PdfSignatureValidationResult class.

using System;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Load an existing signed PDF document
PdfLoadedDocument loadedDocument = new PdfLoadedDocument("Input.pdf");

//Get signature field
PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[0] as PdfLoadedSignatureField;

//Certificate collection used to check the signer's identity against root certificates
X509CertificateCollection collection = new X509CertificateCollection();

//Create new X509Certificate2 with the root certificate
X509Certificate2 certificate = new X509Certificate2("PDF.pfx", "password123");

//Add the certificate to the collection
collection.Add(certificate);

//Validate signature and get the validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection);

//Checks whether the signature is valid or not
SignatureStatus status = result.SignatureStatus;

//Checks whether the document is modified or not
bool isModified = result.IsDocumentModified;

//Signature details (these describe the signer certificate, not the CRL)
string issuerName = signatureField.Signature.Certificate.IssuerName;
DateTime validFrom = signatureField.Signature.Certificate.ValidFrom;
DateTime validTo = signatureField.Signature.Certificate.ValidTo;
string signatureAlgorithm = result.SignatureAlgorithm;
DigestAlgorithm digestAlgorithm = result.DigestAlgorithm;

//Revocation validation details
RevocationResult revocationDetails = result.RevocationResult;
RevocationStatus revocationStatus = revocationDetails.OcspRevocationStatus;
bool isRevokedCRL = revocationDetails.IsRevokedCRL;

//Close the document
loadedDocument.Close(true);



Please refer to the below links for more information,

https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature


Please check this and confirm whether this meets your requirement. Please try this on your end and let



JA Jacobs replied to Irfana Jaffer Sadhik February 15, 2023 11:31 AM UTC

Thanks Irfana... I am already using the same properties you provided before ... but what I am asking for are different fields which are related to the CRL embedded in the document (issuer, effective date, next update), and they appear in Adobe in the signature properties Revocation tab, same as the screenshot I provided in my previous reply.

Those fields are different from the signer certificate issuer/validfrom/validto.



JA Jacobs February 16, 2023 04:15 PM UTC

Waiting for your reply

Actually ... this feature will be very helpful, as in the case of a non-embedded CRL I am downloading the CRL file found in each certificate in the chain and I am using Bouncy Castle to read these fields, but this will not be valid in the case of embedded CRLs.

And that's also why the isembeddedcrl is important for each certificate, in order to know if I should get the values online or from these new fields... that's mentioned in the thread below

https://www.syncfusion.com/forums/180498/digital-signature-get-isocspembedded-and-iscrlembedded-per-certificate-in-certificate-chain



IJ Irfana Jaffer Sadhik Syncfusion Team February 17, 2023 01:20 PM UTC

Thanks for the update,

 

While implementing "Support to get OCSP and CRL certificates and validity from signature validation results", we will consider the requirement to get CRL embedded issuer details, effective and next updates details.
We don’t have any immediate plan to implement this feature, and we will implement this support in any of our upcoming releases. We usually have an interval of at least three months between releases. At the planning stage for every release cycle, we review all open features.

We will let you know when this feature is implemented.


Please use the below feedback link to track the status of the feature.
https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation




JA Jacobs replied to Irfana Jaffer Sadhik February 17, 2023 01:51 PM UTC

Thanks Irfana... but i hope you provide me with a delivery date just for this specific request if possible.

Or if you can guide me with any workaround on how to read embedded Crls .... That would be great.



IJ Irfana Jaffer Sadhik Syncfusion Team February 21, 2023 05:07 AM UTC

Currently, we don't have any workaround for your requirement to get the effective date, next update & issuer fields from an embedded CRL. We will implement this support and include this feature in our upcoming 2023 Volume 2 main release, which will be expected at end of June 2022 tentatively.


Please use the below feedback link to track the status of the feature.
https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation



JA Jacobs replied to Irfana Jaffer Sadhik March 23, 2023 10:45 AM UTC

Thanks Irfana, waiting for upcoming 2023 Volume 2 main release which should include:

 "Support to get OCSP and CRL certificates and validity from signature validation results"

 "Support to get CRL embedded issuer details, effective and next updates details"




JA Jacobs March 28, 2023 06:30 AM UTC

Another inquiry ... does PdfSignatureValidationResult.RevocationResult return the revocation result for all the elements in the certificate chain? What I mean is ... for example, if the signer certificate is valid and not revoked but the issuer certificate is revoked .... will OcspRevocationStatus/IsRevokedCRL in RevocationResult return true?



IJ Irfana Jaffer Sadhik Syncfusion Team March 30, 2023 01:12 PM UTC

Another inquiry ... does PdfSignatureValidationResult.RevocationResult return the revocation result for all the elements in the certificate chain? What I mean is ... for example, if the signer certificate is valid and not revoked but the issuer certificate is revoked .... will OcspRevocationStatus/IsRevokedCRL in RevocationResult return true?

Based on our current architecture, we give priority to offline verification using embedded OCSP and CRL response details. We obtain the CRL certificate list from the embedded response and verify it with the signer's revocation certificate list. If the signer's revocation certificate list matches any CRL certificate list, it will be marked as Revoked. The same process is followed for online CRL revocation verification.

 

If you have any test documents regarding the case where the signer certificate is valid and not revoked, but the issuer certificate is revoked, kindly share them with us. This information will be helpful for us to investigate and proceed further on our end.
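The fields asked about in this thread sit in the CRL's tbsCertList (RFC 5280): issuer, thisUpdate (the effective date), nextUpdate, then the revoked serial numbers with their revocation dates, which is the list a signer's serial is matched against. The following is an added example, not Syncfusion code and not code from any poster: a standard-library Python reader for a DER-encoded CRL, run on a constructed sample. It assumes the embedded CRL bytes have already been extracted from the PDF, and it does not verify the CRL's signature.

```python
from datetime import datetime, timezone
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}  # common X.520 attrs

def read_tlv(buf, pos):                      # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):                    # UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    t = datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)
    return t.replace(year=t.year - 100) if tag == 0x17 and t.year >= 2050 else t  # RFC 5280 pivot

def parse_crl(der):
    tbs = children(children(read_tlv(der, 0)[1])[0][1])   # CertificateList -> tbsCertList
    i = 1 if tbs[0][0] == 0x02 else 0                      # optional version INTEGER
    issuer = ", ".join(f"{OIDS.get(oid, oid.hex())}={txt.decode('utf-8', 'replace')}"
                       for _, rdn in children(tbs[i + 1][1]) for _, atv in children(rdn)
                       for (_, oid), (_, txt) in [children(atv)])
    crl = {"issuer": issuer, "this_update": parse_time(*tbs[i + 2]), "next_update": None, "revoked": {}}
    i += 3
    if i < len(tbs) and tbs[i][0] in (0x17, 0x18):         # nextUpdate is optional
        crl["next_update"], i = parse_time(*tbs[i]), i + 1
    if i < len(tbs) and tbs[i][0] == 0x30:                 # revokedCertificates is optional
        for _, entry in children(tbs[i][1]):
            (_, serial), when = children(entry)[:2]        # userCertificate, revocationDate
            crl["revoked"][int.from_bytes(serial, "big")] = parse_time(*when)
    return crl

def tlv(tag, *parts):                        # DER encoder for the constructed sample (< 256 bytes)
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])) + body

ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
TBS = tlv(0x30, tlv(0x02, b"\x01"), ALG,
          tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, b"Example Test CA")))),
          tlv(0x17, b"230215000000Z"), tlv(0x17, b"230222000000Z"),
          tlv(0x30, tlv(0x30, tlv(0x02, b"\x10\x01"), tlv(0x17, b"230210120000Z"))))
SAMPLE_CRL = tlv(0x30, TBS, ALG, tlv(0x03, b"\x00" * 17))  # constructed: made-up values, dummy signature
```

Looking up a certificate's serial number in `parse_crl(...)["revoked"]` gives its revocation date, and the same lookup can be repeated for each certificate in the chain against the CRL issued by that certificate's issuer.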



JA Jacobs replied to Irfana Jaffer Sadhik March 30, 2023 01:58 PM UTC

That's good... if the signature is LTV ... it should check offline using the embedded OCSP/CRL ... if not LTV it should be online.

But it should be done for every element in the certificate chain with its corresponding offline/online OCSP/CRL.

Actually I don't have a PDF for this case, but I want to know if this is already implemented in the Syncfusion validatesignature function or not? And if you can add it if not implemented.



IJ Irfana Jaffer Sadhik Syncfusion Team March 31, 2023 09:39 AM UTC

We appreciate it and will take it into consideration. We plan to implement it as we work on enhancing the signature revocation validation module.




JA Jacobs replied to Irfana Jaffer Sadhik March 31, 2023 10:06 AM UTC

Thanks Irfana ... please add this implementation checking in both validation and signing processes to make a consistent behavior.



JA Jacobs July 27, 2023 05:00 PM UTC

Hello Irfana,

Can you provide support to get the CRL list (list of revoked serial numbers and revocation date per serial) in the case of an embedded CRL ... in the case of non-embedded I can download the CRL using webclient on the CRL distribution point URL to get the CRL list ... but I can't get it in the case of embedded?



IJ Irfana Jaffer Sadhik Syncfusion Team July 28, 2023 02:35 PM UTC

Currently we are analyzing the requirement and we will provide further details on August 1st, 2023.



RB Ravikumar Baladhandapani Syncfusion Team August 1, 2023 03:03 PM UTC

Thank you for your patience,


We have added this requirement as a feature request “Support to get CRL list of revocation serial numbers and date information during signature validation” in our library. At present, we do not have any immediate plans to implement this feature, and we will implement this support in any of our upcoming releases. We usually have an interval of at least three months between releases. At the planning stage for every release cycle, we review all open features. We will let you know when this feature is implemented.


Please use the below feedback link to track the status of the feature.

https://www.syncfusion.com/feedback/45769/support-to-get-crl-list-of-revocation-serial-numbers-and-date-information-during



JA Jacobs August 9, 2023 02:08 PM UTC

Thanks ... but is there any chance to get this request soon?


Or even add an isrevoked property in pdfsignercertificate for every element in the certificate chain for both

user's signature certificate

PdfSignatureValidationResult.SignerCertificates


and embedded timestamp signature certificate

PdfSignatureValidationResult.TimeStampInformation.SignerCertificates


in order to check revocation per every element in certificate chain



SN Santhiya Narayanan Syncfusion Team August 10, 2023 12:48 PM UTC

To make things more convenient, we've decided to record your request for adding the IsRevoked feature to the PdfSignerCertificates mentioned, instead of providing the functionality of the revocation date and serial number. However, I want to let you know that we don't have immediate plans to work on this feature right away. It will be included in one of our upcoming releases, which usually have a gap of around three months between them. During the planning phase of each release cycle, we assess all the open features. We'll inform you once this feature is successfully implemented.


You can keep track of the feature's status using the feedback link below. Thank you!

https://www.syncfusion.com/feedback/45769/support-to-get-crl-list-of-revocation-serial-numbers-and-date-information-during



JA Jacobs August 10, 2023 12:55 PM UTC

Thanks Santhiya, but I was requesting the isrevoked property as a faster workaround ... but getting the CRL object (revoked serial numbers list and its revocation time) will be more powerful, and developers using Syncfusion can have more control over writing code using this object.

So please reconsider getting this list or provide both 😊



SN Santhiya Narayanan Syncfusion Team August 11, 2023 03:20 PM UTC

We have reviewed all the features you asked for (like the serial number for revocation, the date of revocation, and whether it's revoked) for each part of the chain. We planned to implement and include the requested functionality in our upcoming 2023 volume 3 SP1 service pack release.


To keep track of the progress of this feature, please use the feedback link provided below.

https://www.syncfusion.com/feedback/45769/support-to-get-crl-list-of-revocation-serial-numbers-and-date-information-during



JA Jacobs replied to Santhiya Narayanan August 11, 2023 05:48 PM UTC

Thanks Santhiya ... That's great news 

