Comments (6)
Hello,
From a quick check, it looks like DSS is not able to find a complete certificate chain for the signature, but only the signing certificate. Thus, it does not validate the OCSP response.
You have the following options in order to provide the CA certificate:
- Provide the intermediate CA certificates directly within SignedData.certificates of CMS (next to the signing-certificate on signature creation);
- Provide the CA certificates within /DSS dictionary in PDF's structure on signature's augmentation; or
- Define the aia.caIssuers certificate extension (oid: 1.3.6.1.5.5.7.1.1) URL, which will return the certificate chain for your certificate on a GET request.
As you are using a test PKI, the first two options would be preferable.
Provided that the OCSP response is valid, DSS should be able to correctly catch it for the given certificate once it finds the certificate chain.
Best regards,
Aleksandr
from dss-demonstrations.
You need to provide the cert chain somehow. When a CA or Root CA is present in the trusted list, it is caught automatically. But in the case of a test PKI, the certificates are not known to the validation tool. Another option is to provide the self-signed certificate as a trusted or adjunct certificate to the DSS validation process explicitly (see Trusted Certificates and Adjunct Certificates in the documentation).
Same for the time-stamp's certificates, but in your case they are already present within the /DSS dictionary and within the time-stamp's SignedData itself.
Ok, now the certificates are incorporated within the signature and successfully found during the validation process. The missing point is that, because you have a self-signed PKI, the certificates in question are not trusted by DSS by default. If you want to be able to validate the certificate chain successfully, you need to add the self-signed root certificate to the trusted store (for both the signature and the timestamp). Please see the F.A.Q., question "When validating a signature I receive INDETERMINATE/NO_CERTIFICATE_CHAIN_FOUND indication", for more information and resolution.
I hope this will help you.
Best regards,
Aleksandr
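The two fixes recommended above (supply the missing chain as adjunct certificates, and register the self-signed test roots as trust anchors) can be wired into a DSS validation run as follows. This is an added example, not code from the issue or from the dss-demonstrations project; it assumes the DSS 5.x class and package names (`CommonTrustedCertificateSource`, `CommonCertificateSource`, `CommonCertificateVerifier`, `SignedDocumentValidator`), and the certificate file paths under `test-pki/` and the PDF name are placeholders for the reader's own test PKI.

```java
import java.io.File;

import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

// Added example (assumes DSS 5.x API names; file paths are placeholders).
public class TestPkiValidation {

    public static void main(String[] args) {
        // 1. Trust anchors: the self-signed roots of the test PKI.
        //    Both the signing CA root and the TSA root must be here, otherwise
        //    the chain ends in NO_CERTIFICATE_CHAIN_FOUND for that token.
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(DSSUtils.loadCertificate(new File("test-pki/signing-root.crt")));
        trusted.addCertificate(DSSUtils.loadCertificate(new File("test-pki/tsa-root.crt")));

        // 2. Adjunct certificates: intermediate CAs that are neither trusted
        //    anchors nor embedded in SignedData.certificates or /DSS.
        //    Adjunct certificates are only used to build the path; they confer no trust.
        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(DSSUtils.loadCertificate(new File("test-pki/signing-issuing-ca.crt")));
        adjunct.addCertificate(DSSUtils.loadCertificate(new File("test-pki/tsa-issuing-ca.crt")));

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);
        verifier.setAdjunctCertSources(adjunct);
        // No OnlineOCSPSource / OnlineCRLSource is configured on purpose: a test
        // responder on localhost is unreachable from the validator, so only the
        // revocation data already embedded in the PDF (CMS and /DSS) is considered.

        // 3. Validate the signed PDF with that verifier.
        DSSDocument document = new FileDocument("file_signed_ok.pdf");
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(document);
        validator.setCertificateVerifier(verifier);
        Reports reports = validator.validateDocument();

        // 4. Read the outcome per signature: indication, sub-indication and reached level.
        SimpleReport simple = reports.getSimpleReport();
        for (String signatureId : simple.getSignatureIdList()) {
            System.out.println(signatureId
                    + ": " + simple.getIndication(signatureId)
                    + " / " + simple.getSubIndication(signatureId)
                    + " (format " + simple.getSignatureFormat(signatureId) + ")");
        }
    }
}
```

The split between the two sources is the security-relevant part: anything placed in the trusted source becomes an unconditional trust anchor for every validation run, so only the self-signed roots of the test PKI belong there, never the issuing CAs or the end-entity certificate. The adjunct source is the right place for intermediates that the signer forgot to embed; it helps DSS build the path without widening what is trusted.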
So if I have only the signing cert and its root being the self-signed CA, I have to include the CA in SignedData.certificates? And also, is it needed to add the certs up to the CA certificate for the TSA and an OCSP response for the TSA certificate? Thank you a lot for your response!
I included everything, including the self-signed CA of the signing certificate and also the TSA certificate and its CA, but the response is still invalid for DSS and Adobe. Only Foxit Reader is recognizing it, but I think it is much more permissive.
I attach here the file_signed_ok.pdf and the DSS-Detailed-report.pdf.
It seems that now I have Basic Building Blocks REVOCATION for both the signing certificate and the TSA certificate.
I tried to add the certs to Adjunct Certificates, but it didn't change anything.
Do you know why it is not fully recognized in DSS or Adobe? I attach also photos with the Adobe and Foxit state of recognition:
In Foxit it's even recognized as PAdES B-LT, which is not true because I include the SigningTime attribute in the signature, which is not accepted by the PAdES format.
Thank you! Finally I removed the SigningTime attribute and I was able to obtain B-LT in Adobe, but not LTV-enabled. I read that LTV-enabled is not clearly defined, so I don't know what is wrong there, but in DSS I'm able to obtain PAdES B-T and probably I can't obtain more because the OCSP response is on localhost, so it will not be able to receive a response.
Thank you for all the help and wish a nice day!
Best wishes,
Ionut-Daniel Corbu