The CRL/OCSP can have an entirely different chain than the end-user signer certificate chain (it may share the same root CA) ... how to get the full signer chain for the CRL/OCSP ... or is there a way to access the DSS?
We can get the certificate chain and revocation status of the certificate with OCSP and CRL by validating the digital signature. Please refer to the documentation below,
Please let us know, if you need any further assistance on this.
Thanks Ravikumar
But this is not what I am asking for.
The ValidateSignature function gets the full chain of the user certificate and also gets the new pdfsignercertificate, which contains the OCSP/CRL certificate, whether it is embedded, etc.
But it does not get the full chain of the CRL/OCSP certificate from its issuer to the root ... which can be completely different from the user certificate chain.
That's why I am asking whether Syncfusion can provide an object or a function to get this chain, or a function to access the PDF DSS (document security store), in order to be able to build the chain for the CRL/OCSP in code.
Can you please confirm whether you need the certificate chain as shown in the attached screenshot?
We request you to share the input PDF file and a screenshot of the exact requirement, so that it will be helpful for us to analyze and assist you further on this.
Yes ... but in the attached screenshot ... the CRL/OCSP issuer shown in the Signer Details button, "Digidentity Business Qualified", is the same issuer as the user signature certificate "Enjoy and Deply B.V." What if in another PDF the two chains are different ...
Also, the chain elements for the CRL could contain multiple elements till the end (self-signed root CA).
I don't have a file with this exact case ... but I researched over the internet and found that the CRL signer chain could be entirely different from the user signature chain but may share the same root CA ... that's why I was requesting that the ValidateSignature function return the full chain of the CRL signer, and it would be great also if there were another function to access the DSS to get all certificates embedded in the document.
> I don't have a file with this exact case ... but I researched over the internet and found that the CRL signer chain could be entirely different from the user signature chain but may share the same root CA ... that's why I was requesting that the ValidateSignature function return the full chain of the CRL signer
Currently, we are checking with our development team to find and analyze a PDF document that contains a different user signature chain. However, we request you to share the PDF file (for this case), and it will be helpful for our further investigation.
> and it would be great also if there were another function to access the DSS to get all certificates embedded in the document.
At present, we are analyzing the possibilities to achieve your requirement and will update the further details on September 28th 2023.
Thanks for your usual support.
As I mentioned for the first point ... I don't have a file for this case ... but as I researched over the internet, this case could happen (the CRL signer chain could be entirely different from the user signature chain but may share the same root CA).
Thanks for the update,
Currently, we don't have a test document for the specific case you mentioned. Therefore, we are unable to proceed with further analysis for this requirement at this time. We will take your requirement into consideration as soon as we obtain a test document. Additionally, we kindly request that you share the test document with us if you come across one in the future.
> It would be great also if there were another function to access the DSS to get all certificates embedded in the document.
We have logged a feature request “Support to get certificates from the Document Security Store (DSS)” in our database. We have considered and planned to implement this requirement in our upcoming 2023 Volume 3 SP1 release. Once the feature is available, we will inform you.
Thanks ... waiting for the feature in 2023 Volume 3 SP1.
Can you please also support getting embedded CRLs and OCSP responses from DSS?
Thank you for the update.
We already have a high-level API that allows us to obtain details about embedded Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) responses, including the respective certificates for each signature. You can find more information about how to retrieve revocation information in our User Guide documentation at the following link: [https://help.syncfusion.com/file-formats/pdf/working-with-digitalsignature#retrieve-revocation-certificate-information-from-digital-signature]
Additionally, we have some concerns about the requested requirement. It seems that it may not have a useful scope. Therefore, we kindly request that you provide us with more information about why you need embedded CRLs and OCSP responses from the DSS. This information will help us better understand the details of your scope and allow us to proceed with further analysis.
Thanks Ravikumar, I am fully aware of the PdfSignatureValidationResult.SignerCertificates object.
I was trying to do an extra validation process on the embedded CRL: in the case of a non-LTV signature I can download the CRL file from the CRL distribution point (HTTP URL), then build and validate its full chain against the Windows store, while in the case of an embedded CRL I have no access to this object.
Also, check for any embedded CRLs for the entire chain of the CRL signer certificate (every element of the CRL's entire chain) ... which is not available in the SignerCertificates object.
Thanks for the update,
> I was trying to do an extra validation process on the embedded CRL: in the case of a non-LTV signature I can download the CRL file from the CRL distribution point (HTTP URL), then build and validate its full chain against the Windows store, while in the case of an embedded CRL I have no access to this object.
We already have a similar feature in our PdfSignatureValidationResult.SignerCertificates function. It shows the embedded CRL details for each certificate. Additionally, we can enable LTV for an existing signature. You can use our current feature to meet your needs. This is because PdfSignatureValidationResult.SignerCertificates' CRL details are taken from the DSS embedded CRL and OCSP details.
Please refer to the UG documentation,
> Also, check for any embedded CRLs for the entire chain of the CRL signer certificate (every element of the CRL's entire chain) ... which is not available in the SignerCertificates object.
We kindly request you to share your test documents so that we can clearly understand your actual requirement; it will help us with further analysis.
Thanks Ravikumar, the PdfSignatureValidationResult.SignerCertificates object shows whether the CRL/OCSP is embedded or not and gets the CRL/OCSP issuer certificate only, not their entire chain till the root.
We have analyzed your query and are currently validating it. We will update the further details by November 7th, 2023.
Thank you for your patience,
> CRL/OCSP issuer certificate only, not their entire chain till the root
We don't have any test documents for our development team to examine this requirement. Could you please share your test documents with us so that we can fully understand your needs? Alternatively, providing us with some snapshot details would also greatly assist us in further analyzing the requirement.
Please check the attached file. Kindly note that CrlCertificate.Certificates for each element in the certificate chain always contains one certificate instead of the CRL's whole chain till its root CA.
See attached file.
Attachment: Test_Digital_Signaturesigned_64dc196e.zip
In our machine, only one certificate showed up because the chain and root certificates are not installed on my machine. Please refer to the screenshot below.
Could you please share the chain and root certificates for the provided test document? It will help us with further analysis.
I shared the whole certificate chain with you before in other tickets.
Please refer to
https://www.syncfusion.com/forums/184411/digital-signature-ltvverificationinfo-isltvenabled-returns-incorrect-value
We are currently analyzing the possibilities to achieve your requirement, and we will provide further details on November 15th, 2023.
Thank you for waiting,
We've organized our API functions similar to Adobe's signature structure. We have a specific function called PdfSignatureCertificate that displays the signer's certificate in a certain order. This function gives you the root and chain certificates in the expected sequence.
Moreover, the signer's certificate details of CRL are accessible through the PdfSignature.CRLCertificate.Certificate[] function. However, please note that this function won't provide all the details of the signer's certificate in the CRLCertificate.Certificate collection. This behavior is intentional on our part. Adobe, too, only provides signer details and doesn't include the entire chain.
Thanks for your detailed explanation ... 😊
I am expecting the new feature as promised “Support to get certificates from the Document Security Store (DSS)” in your upcoming 2023 Volume 3 Sp1 release.
We have included the feature “Support to get certificates from the Document Security Store (DSS)” in our Volume 3 SP1 release 2023 (V23.2.4). Please refer to the code example below for API references:
```csharp
// Get the DSS.
PdfDocumentSecureStore dss = loadedDocument.DocumentSecureStore;
// Get certificates from the document DSS.
X509Certificate2[] certificates = dss.Certificates;
```
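The following is an added example (not Syncfusion's code and not posted in this thread) of how the DSS certificates from the API above can be combined with .NET's X509Chain to build the full chain of the CRL/OCSP signer that the earlier posts asked for. It assumes the Syncfusion members named in this thread (PdfLoadedDocument, DocumentSecureStore.Certificates, ValidateSignature, SignerCertificates, CrlCertificate.Certificates, PdfSignerCertificate, PdfLoadedSignatureField) and the namespaces Syncfusion.Pdf.Parsing and Syncfusion.Pdf.Security; confirm the exact member names against the user guide for the installed version. The file name "signed.pdf" is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Syncfusion.Pdf.Parsing;   // PdfLoadedDocument, PdfLoadedSignatureField (assumed namespace)
using Syncfusion.Pdf.Security;  // PdfSignatureValidationResult, PdfSignerCertificate (assumed namespace)

// Added example, not Syncfusion code: build the CRL/OCSP signer's chain, which the
// validation result does not expose, using the DSS certificates as the candidate pool
// for the .NET chain engine.
public static class CrlSignerChain
{
    public sealed class ChainReport
    {
        public bool Trusted;                                                  // true only if the path ends at a trusted root
        public List<X509Certificate2> Path = new List<X509Certificate2>();    // leaf ... root, as the engine built it
        public List<string> Problems = new List<string>();                    // per-element status, e.g. UntrustedRoot
    }

    // Builds the issuer path from 'leaf' (the CRL/OCSP signer certificate).
    // ExtraStore supplies the DSS certificates that are not installed on the machine, so a
    // CRL issuer chain that differs from the signature's chain is still resolved as long as
    // its intermediates are in the DSS and its root is trusted by the Windows store.
    public static ChainReport Build(X509Certificate2 leaf, IEnumerable<X509Certificate2> dssCertificates)
    {
        var report = new ChainReport();
        using (var chain = new X509Chain())
        {
            // Revocation of the CRL signer itself is checked separately by the caller, so do not
            // let the chain engine fetch CRLs/OCSP over the network while resolving the path.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            foreach (X509Certificate2 cert in dssCertificates)
                chain.ChainPolicy.ExtraStore.Add(cert);

            report.Trusted = chain.Build(leaf);

            // ChainElements is populated even when Build returns false, so the partial path and
            // the reason it stopped (e.g. UntrustedRoot, PartialChain) are both available.
            foreach (X509ChainElement element in chain.ChainElements)
            {
                report.Path.Add(element.Certificate);
                foreach (X509ChainStatus status in element.ChainElementStatus)
                    report.Problems.Add($"{element.Certificate.Subject}: {status.Status} {status.StatusInformation?.Trim()}");
            }
        }
        return report;
    }

    public static void Main()
    {
        PdfLoadedDocument loadedDocument = new PdfLoadedDocument("signed.pdf");   // placeholder file name
        X509Certificate2[] dssCertificates = loadedDocument.DocumentSecureStore.Certificates;

        for (int i = 0; i < loadedDocument.Form.Fields.Count; i++)
        {
            PdfLoadedSignatureField signatureField = loadedDocument.Form.Fields[i] as PdfLoadedSignatureField;
            if (signatureField == null) continue;
            PdfSignatureValidationResult result = signatureField.ValidateSignature();

            foreach (PdfSignerCertificate signer in result.SignerCertificates)
            {
                if (signer.CrlCertificate == null) continue;
                // As reported in this thread, this collection holds only the CRL issuer certificate.
                foreach (X509Certificate2 crlIssuer in signer.CrlCertificate.Certificates)
                {
                    ChainReport report = Build(crlIssuer, dssCertificates);
                    Console.WriteLine($"CRL issuer {crlIssuer.Subject}: trusted={report.Trusted}, path length={report.Path.Count}");
                    foreach (X509Certificate2 cert in report.Path) Console.WriteLine("  " + cert.Subject);
                    foreach (string problem in report.Problems) Console.WriteLine("  ! " + problem);
                }
            }
        }
        loadedDocument.Close(true);
    }
}
```

A path that stops at an intermediate with PartialChain means the DSS does not carry that issuer; a complete path ending in UntrustedRoot means the chain was built from the DSS but its root is not in the Windows trusted root store, which is the case to expect when the CRL signer's chain only shares a root with, or is entirely separate from, the signature's chain.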
Thanks Sowmiya,
I have used the DocumentSecureStore object to get the x509 certificates and it is very helpful.
Is there any chance that you can extend the DocumentSecureStore object to include its list of CRLs as bytes, in order to be parsed and verified separately using BouncyCastle? That would be super great and really appreciated.
Currently we are analyzing this and will update the further details on February 9th, 2024.
As of now, we do not have support to get CRL bytes and OCSP from the Document Security Store (DSS). So, we have logged the feature request “Support to get CRL bytes and OCSP from the Document Security Store (DSS)”, and we don't have any immediate plan to implement this feature. We will implement this support in one of our upcoming releases.
You can track the status of the feature using the following feedback link.
Thanks a lot, I hope you add this feature soon.
As said earlier, we do not have a definite timeline for this implementation. Once we decide on the implementation, we will keep you posted through the feedback portal link. Please track the feedback link for any further updates.