I need to read the effective date, next update & issuer fields of an embedded CRL while validating signatures, the same as Adobe shows in the Revocation tab of the signature properties.
Syncfusion PDF library provides support to validate the digital signatures in an existing PDF document. Digital signature validation covers the following steps to ensure the validity of the signatures:
You can use the ValidateSignature method available in the PdfLoadedSignatureField class to validate the digital signature.
You can get the overall status from the IsSignatureValid property available in the PdfSignatureValidationResult class.
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;
using Syncfusion.Pdf.Security;

//Load an existing signed PDF document
PdfLoadedDocument loadedDocument = new PdfLoadedDocument("Input.pdf");
//Get signature field
PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[0] as PdfLoadedSignatureField;
//X509Certificate2Collection to check the signer's identity using root certificates
X509Certificate2Collection collection = new X509Certificate2Collection();
//Create new X509Certificate2 with the root certificate
X509Certificate2 certificate = new X509Certificate2("PDF.pfx", "password123");
//Add the certificate to the collection
collection.Add(certificate);
//Validate signature and get the validation result
PdfSignatureValidationResult result = signatureField.ValidateSignature(collection);
//Overall signature status (valid, invalid, unknown)
SignatureStatus status = result.SignatureStatus;
//Checks whether the document is modified or not
bool isModified = result.IsDocumentModified;
//Signature details (these describe the signer's certificate, not the embedded CRL)
string issuerName = signatureField.Signature.Certificate.IssuerName;
DateTime validFrom = signatureField.Signature.Certificate.ValidFrom;
DateTime validTo = signatureField.Signature.Certificate.ValidTo;
string signatureAlgorithm = result.SignatureAlgorithm;
DigestAlgorithm digestAlgorithm = result.DigestAlgorithm;
//Revocation validation details
RevocationResult revocationDetails = result.RevocationResult;
RevocationStatus revocationStatus = revocationDetails.OcspRevocationStatus;
bool isRevokedCRL = revocationDetails.IsRevokedCRL;
//Close the document
loadedDocument.Close(true);
```
Please refer to the below link for more information:
https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature
Please check this and confirm whether this meets your requirement. Please try this on your end and let
Thanks Irfana... I am already using the same properties you provided before... but what I am asking for are different fields, which are related to the CRL embedded in the document (issuer, effective date, next update), and they appear in Adobe in the signature properties Revocation tab, the same as the screenshot I provided in my previous reply.
Those fields are different from the signer certificate's issuer/ValidFrom/ValidTo.
Waiting for your reply
Actually... this feature will be very helpful, as in the case of a non-embedded CRL I am downloading the CRL file found in each certificate in the chain and I am using Bouncy Castle to read these fields, but this will not be valid in the case of embedded CRLs.
And also that's why IsEmbeddedCRL is important per each certificate, in order to know if I should get the values online or from these new fields... that's mentioned in the below thread:
https://www.syncfusion.com/forums/180498/digital-signature-get-isocspembedded-and-iscrlembedded-per-certificate-in-certificate-chain
Thanks for the update,
While implementing "Support to get OCSP and CRL certificates and validity from signature validation results", we will consider the requirement to get CRL embedded issuer details, effective and next updates details.
We don't have any immediate plan to implement this feature, and we will implement this support in one of our upcoming releases. We usually have an interval of at least three months between releases; at the planning stage for every release cycle, we review all open features.
We will let you know when this feature is implemented.
Please use the below feedback link to track the status of the feature.
https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation
Thanks Irfana... but I hope you can provide me with a delivery date just for this specific request, if possible.
Or if you can guide me with any workaround on how to read embedded CRLs... that would be great.
Currently, we don't have any workaround for your requirement to get the effective date, next update & issuer fields from an embedded CRL. We will implement this support and include this feature in our upcoming 2023 Volume 2 main release, which is tentatively expected at the end of June 2022.
Please use the below feedback link to track the status of the feature.
https://www.syncfusion.com/feedback/41225/support-to-get-ocsp-and-crl-certificates-and-validity-from-signature-validation
Thanks Irfana, waiting for upcoming 2023 Volume 2 main release which should include:
"Support to get OCSP and CRL certificates and validity from signature validation results"
"Support to get CRL embedded issuer details, effective and next updates details"
Another inquiry... does PdfSignatureValidationResult.RevocationResult return the revocation result for all the elements in the certificate chain? What I mean... for example, if the signer certificate is valid and not revoked but the issuer certificate is revoked... will OcspRevocationStatus/IsRevokedCRL in RevocationResult return true?
Based on our current architecture, we give priority to offline verification using embedded OCSP and CRL response details. We obtain the CRL certificate list from the embedded response and verify it with the signer's revocation certificate list. If the signer's revocation certificate list matches any CRL certificate list, it will be marked as Revoked. The same process is followed for online CRL revocation verification.
If you have any test documents regarding the case where the signer certificate is valid and not revoked, but the issuer certificate is revoked, kindly share them with us. This information will be helpful for us to investigate and proceed further on our end.
That's good... if the signature is LTV... it should check offline using the embedded OCSP/CRL... if not LTV, it should be online.
But it should be done for every element in the certificate chain with its corresponding offline/online OCSP/CRL.
Actually I don't have a PDF for this case, but I want to know if this is already implemented in the Syncfusion ValidateSignature function or not? And if you can add it if not implemented.
We appreciate it and will take it into consideration. We plan to implement it as we work on enhancing the signature revocation validation module.
Thanks Irfana... please add this implementation check in both the validation and signing processes to make the behavior consistent.
Hello Irfana,
Can you provide support to get the CRL list (list of revoked serial numbers and revocation date per serial) in the case of an embedded CRL... in the non-embedded case I can download the CRL using WebClient on the CRL distribution point URL to get the CRL list... but I can't get it in the embedded case?
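For the non-embedded case described in this post and earlier in the thread (downloading the CRL from the distribution point and reading it with Bouncy Castle), the following is an added example, not Syncfusion's or the poster's code, that reads the three Revocation-tab fields and the revoked-serial list from DER CRL bytes with BouncyCastle 2.x (`Org.BouncyCastle.X509`), and verifies the CRL against its issuer before any serial is treated as revoked or good. The `crlDer` and `issuerCert` inputs are assumed to be supplied by the caller; the same code applies to an embedded CRL once its bytes can be obtained.

```csharp
using System;
using System.Collections.Generic;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.X509;

// Result of checking one chain element. Constructed for this example; not a Syncfusion type.
public enum RevocationState { Good, Revoked, Indeterminate }

// Fields Adobe shows in the Revocation tab, plus the checks to make before trusting the list.
public sealed class CrlSummary
{
    public string Issuer;                 // CRL issuer DN
    public DateTime EffectiveDate;        // thisUpdate
    public DateTime? NextUpdate;          // nextUpdate (optional per RFC 5280)
    public bool IssuerMatches;            // CRL issuer DN equals issuerCert subject DN
    public bool SignatureValid;           // CRL signed with issuerCert's public key
    public bool IsCurrent;                // thisUpdate <= now < nextUpdate
    public Dictionary<string, DateTime> RevokedSerials = new Dictionary<string, DateTime>();
    public bool Trustworthy => IssuerMatches && SignatureValid && IsCurrent;
}

public static class CrlReader
{
    // crlDer: DER bytes of the CRL (downloaded from the CDP URL, or the embedded
    // CRL once extracted); issuerCert: the CA that is expected to have signed it.
    public static CrlSummary Read(byte[] crlDer, X509Certificate issuerCert, DateTime now)
    {
        X509Crl crl = new X509CrlParser().ReadCrl(crlDer);
        var s = new CrlSummary
        {
            Issuer = crl.IssuerDN.ToString(),
            EffectiveDate = crl.ThisUpdate,
            NextUpdate = crl.NextUpdate,
            IssuerMatches = crl.IssuerDN.Equivalent(issuerCert.SubjectDN)
        };
        // Verify throws if the CRL was not signed with issuerCert's key.
        try { crl.Verify(issuerCert.GetPublicKey()); s.SignatureValid = true; }
        catch (Exception) { s.SignatureValid = false; }
        s.IsCurrent = crl.ThisUpdate <= now && (crl.NextUpdate == null || now < crl.NextUpdate.Value);
        // Keys are lowercase hex serials, as shown in certificate viewers.
        foreach (X509CrlEntry e in crl.GetRevokedCertificates() ?? new HashSet<X509CrlEntry>())
            s.RevokedSerials[e.SerialNumber.ToString(16)] = e.RevocationDate;
        return s;
    }

    // Per-chain-element check: a CRL that fails any check yields Indeterminate, never Good.
    public static RevocationState Check(CrlSummary s, BigInteger serial)
    {
        if (!s.Trustworthy) return RevocationState.Indeterminate;
        return s.RevokedSerials.ContainsKey(serial.ToString(16)) ? RevocationState.Revoked : RevocationState.Good;
    }
}
```

Run `Read` once per issuer in the chain and `Check` with each element's serial number to get the per-element result the thread asks about.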
Currently we are analyzing the requirement and we will provide further details on August 1st, 2023.
Thank you for your patience,
We have added this requirement as a feature request, "Support to get CRL list of revocation serial numbers and date information during signature validation", in our library. At present, we do not have any immediate plans to implement this feature, and we will implement this support in one of our upcoming releases. We usually have an interval of at least three months between releases; at the planning stage for every release cycle, we review all open features. We will let you know when this feature is implemented.
Please use the below feedback link to track the status of the feature.
Thanks... but is there any chance to get this request soon?
Or even add an IsRevoked property in PdfSignerCertificate for every element in the certificate chain, for both
the user's signature certificate
PdfSignatureValidationResult.SignerCertificates
and the embedded timestamp signature certificate
PdfSignatureValidationResult.TimeStampInformation.SignerCertificates
in order to check revocation for every element in the certificate chain.
To make things more convenient, we've decided to record your request for adding the IsRevoked feature to the PdfSignerCertificates mentioned, instead of providing the functionality of the revocation date and serial number. However, I want to let you know that we don't have immediate plans to work on this feature right away. It will be included in one of our upcoming releases, which usually have a gap of around three months between them. During the planning phase of each release cycle, we assess all the open features. We'll inform you once this feature is successfully implemented.
You can keep track of the feature's status using the feedback link below. Thank you!
Thanks Santhiya, but I was requesting the IsRevoked property as a faster workaround... but getting the CRL object (revoked serial numbers list and their revocation times) will be more powerful, and developers using Syncfusion can have more control when writing code using this object.
So please reconsider getting this list, or provide both 😊
We have reviewed all the features you asked for (the serial number for revocation, the date of revocation, and whether it's revoked) for each part of the chain. We plan to implement and include the requested functionality in our upcoming 2023 Volume 3 SP1 service pack release.
To keep track of the progress of this feature, please use the feedback link provided below.
Thanks Santhiya... that's great news.