I signed PDF document with Qualified Electronic Signature and Qualified Timestamp. For some reason Adobe Reader thinks the timestamp could not be verified. All other validators show the signature being valid PAdES-BASELINE-LT. What could the cause of it?
Exact error message "The signature includes an embedded timestamp but it could not be verified"
As far as I know, Adobe Reader does not make use of the EU LOTL and EU MS TLs “directly” but rather use an Adobe-specific format (similar to the AATL) to configure trust anchors derived from the EU MS TLs.
So in general the content of the Adobe-specific EU TL can differ (desynchronization) from the latest published EU MS TLs.
Most probably, the timestamp has been generated by a "recently" qualified time-stamping service, which has not (yet ?) been included in the Adobe-specific EU TL.
Related
When signing a PDF using digital signature, one can use a trusted timestamping service to add a time-stamp token that is signed by the timestamping authority. When viewing the signature of the PDF then, it will say that it contains a signed timestamp and that it has not been tampered with since that time (if it hasn't).
Technically what happens isn that the hash of the pdf content gets sent to the TSA (RCF3161), that hash is put into a structure together with the current timestamp (as determined by the timestamping authority) plus some metadata and that is then signed and sent back. This then provides proof that a PDF has not been changed since this point in time.
Technically it should be possible therefore to create such a timestamp proof without signing the document itself with an additional signature. Is that somehow supported though by the PDF standard (and also in terms of Acrobat Reader then being able to show this timestamp somehow)?
Of course I could just do it manually, take the SHA-256 hash of the file's binary representation, send it to the TSA service and store the received token in an external file, but preferrably I'd like to embedd the no-tamper proof into the PDF and such that Acrobat Reader can display it.
Is this possible? If so, how?
You can embed pure RFC 3161 time stamps in a PDF. This construct is called a document timestamp.
This structure has been originally specified in ETSI TS 102 778-4 (Annex A.2) in 2009 as a means to purely timestamp a previously signed PDF with some validation related information added in revisions after the signed one. As PAdES developed, this specification finally found its way into ETSI EN 319 142-1 (section 5.4.3).
While ETSI could only specify the structure as extension to ISO 32000-1 (PDF 1.7), the responsible ISO committee added it to the core ISO 32000-2 (PDF 2) in 2017.
Concerning your questions in comments:
Is this compatible with PDF/A?
I think they are not compatible with PDF/A-1, PDF/A-2, and PDF/A-3. As PDF/A-4 is based on ISO 32000-2, though, I assume it will be compatible. (I have not yet had a look at ISO 19005-4...)
Is there a way to create those with Acrobat Reader?
It should be possible with some Adobe Acrobat version. It is (currently) not possible with the base Adobe Acrobat Reader version. Probably, though, Adobe Acrobat Reader with some of its fee-based, built-in tools can create them.
optimally I'd like to have a cli tool or be able to do it through some library
Any not outdated general PDF signing library should support the creation of document time stamps.
but first I want to test how they are displayed later in Acrobat Reader
Like this:
The first entry is a Signature with an embedded signature timestamp, the second entry is a document time stamp.
I have a very strange problem and I am not sure where the issue is. I am creating a PDF and not setting any security restrictions or a password. When I open the PDF in Adobe Reader DC and get the properties,it does show the Security Method as No Security. However, the Document Assembly and Page Extraction are set to Not Allowed.
The PDF was created from a Word document and I simply did a save as PDF, no other options.
In General
Please be aware that the "Document Restrictions Summary" summarizes restrictions that arise from a number of factors, the following ones coming to my mind:
Restrictions applied in the course of encryption
When encrypting a PDF, permissions for a number of features can be restricted for a regular user. Thus, if the PDF is opened with the user password, these restrictions apply and are shown in the summary; if it is opened with the owner password, they don't apply.
These are the restrictions one usually thinks of when checking the document properties Security tab.
Restrictions applied in the course of signing (certification & approval)
When a PDF is digitally signed with an integrated signature, a number of features are automatically restricted, and some more features may be restricted depending on the MDP transforms and locks applied by the signatures. These restrictions also are shown in the summary.
Restrictions applied by the viewer software used
The viewer you use may restrict what you can do with a PDF, e.g. a number of features of the Acrobat Pro editions are not present in Adobe Reader or are present but by default disabled. These restrictions also appear in the summary.
These viewer related restrictions may even differ based on the kind of document you have. E.g. in Adobe Reader they differ between PDF documents carrying a XFA form definition and those that don't.
Restrictions changed by usage rights signatures (aka Reader Enabling)
There is a special kind of PDF signature (usage rights signatures) which can lift some restrictions caused by the viewer software. If a PDF contains such a valid usage rights signature, some usually disabled features of the viewer may be enabled, a fact which also reflects in the summary.
If a PDF contains a usage rights signature which has been invalidated, e.g. by disallowed changes to the document, not only those usually disabled features remain disabled but some more features may become disabled, which again shows in the summary.
There may be additional factors still...
In Your Case
The "Not Allowed" entries you see for your file in Adobe Reader DC are restrictions of the third type listed above, they are restrictions applied by the viewer software used. If you opened the file in a superior Acrobat edition, those entries would become "Allowed".
I have a very strange problem and I am not sure where the issue is. I am creating a PDF and not setting any security restrictions or a password. When I open the PDF in Adobe Reader DC and get the properties,it does show the Security Method as No Security. However, the Document Assembly and Page Extraction are set to Not Allowed.
The PDF was created from a Word document and I simply did a save as PDF, no other options.
In General
Please be aware that the "Document Restrictions Summary" summarizes restrictions that arise from a number of factors, the following ones coming to my mind:
Restrictions applied in the course of encryption
When encrypting a PDF, permissions for a number of features can be restricted for a regular user. Thus, if the PDF is opened with the user password, these restrictions apply and are shown in the summary; if it is opened with the owner password, they don't apply.
These are the restrictions one usually thinks of when checking the document properties Security tab.
Restrictions applied in the course of signing (certification & approval)
When a PDF is digitally signed with an integrated signature, a number of features are automatically restricted, and some more features may be restricted depending on the MDP transforms and locks applied by the signatures. These restrictions also are shown in the summary.
Restrictions applied by the viewer software used
The viewer you use may restrict what you can do with a PDF, e.g. a number of features of the Acrobat Pro editions are not present in Adobe Reader or are present but by default disabled. These restrictions also appear in the summary.
These viewer related restrictions may even differ based on the kind of document you have. E.g. in Adobe Reader they differ between PDF documents carrying a XFA form definition and those that don't.
Restrictions changed by usage rights signatures (aka Reader Enabling)
There is a special kind of PDF signature (usage rights signatures) which can lift some restrictions caused by the viewer software. If a PDF contains such a valid usage rights signature, some usually disabled features of the viewer may be enabled, a fact which also reflects in the summary.
If a PDF contains a usage rights signature which has been invalidated, e.g. by disallowed changes to the document, not only those usually disabled features remain disabled but some more features may become disabled, which again shows in the summary.
There may be additional factors still...
In Your Case
The "Not Allowed" entries you see for your file in Adobe Reader DC are restrictions of the third type listed above, they are restrictions applied by the viewer software used. If you opened the file in a superior Acrobat edition, those entries would become "Allowed".
Background:
I have written a java program using itext library to sign PDF with ikey.
I have two ikeys, one with a Common Name certificate, and the other has a Pseudonym certificate.
Description:
When I open the pdf signed by the Common Name cert in Acrobat Reader, it displays the blue ribbon meaning it's a valid signature, and in the Signature Panel it shows "Certified by Jane Doe". Everything is perfect.
However, if the certificate is a Pseudonym certificate, it displayed "Certified by %s".
In spite of the blue ribbon and the validation info all display correctly.(Not allowed to attach image, so put Screenshot here: http://imgur.com/lpvOKLz)
Questions:
Is this an issue with the Acrobat Reader, that it cannot display correct "Certified by" info if the pdf is signed by a Pseudonym certificate?
Any suggestion is appreciated.
I have seen Certified by %s before. See my book about digital signatures figure 2.23. I quote:
As expected, Alice’s certification signature is invalid after Carol
tried to sign the document using a second certification signature,
but the output is kind of strange. In the signature panel, we see
‘Certified by %s’ instead of ‘Certified by Carol’, and there’s a
looking glass instead of a red cross. These situations are rather
exotic and should be avoided. Let’s focus on real life examples, and
combine signing with form filling.
This quote is about the results of some experiments that conflict with the ISO specification / PAdES. You may have found another conflict.
In my book, I describe a situation where there are two certification signatures. This doesn't make sense as it is explicitly forbidden to add two certification signatures. It is also implied in the specs that the certification signature is always the first signature, although Adobe Reader doesn't complain (yet) if it isn't.
I can easily imagine that using a pseudonym certificate is also one of those exotic cases where Adobe Reader doesn't really know what to do. What is the sense of signing a document anonymously? Who should Adobe Reader pick as the authorized signer?
The fact that I've seen %s before, tells me (without even looking at your PDF) that %s is an artifact from Adobe Reader. I wrote some of the signing functionality in iText and I'm sure that we don't put the %s there.
Anybody, please explain what's the difference between signatures.
When i open one PDF document - Adobe Acrobat 9 shows the message "At least one signature has problems" but if i open the other PDF then the message is "At least one signature requires validating".
Seems like both PDFs were signed by self-signed certificates, but the messages are not the same.
This difference is extremely significant for our business.
Please help.
Making my comment an actual answer
At least one signature has problems implies that Adobe Acrobat has tried to verify the signature but failed doing so.
At least one signature requires validating implies that Adobe Acrobat has not tried to verify the signature and, therefore, has not yet decided whether it would fail or not.
Whether or not Adobe Reader / Acrobat tries to verify a signature depends on the Filter and SubFilter entries of the signature dictionary:
If the Reader / Acrobat knows them, it automatically tries to verify the signature (unless the configuration settings were changed).
If it knows the SubFilter but not the Filter, it does not try to verify automatically but at least offers to verify
If it does not know the SubFilter, it does not try to verify.
The OP could verify this:
I've changed the subfilter from CMS to CADES and the message changed from "At least one signature has problems" to "At least one signature requires validating".
On any Acrobat XI, though, the message presumably will become "At least one signature has problems" again because Adobe meanwhile has started supporting PAdES subfilters.