This repository has been archived by the owner on Mar 25, 2021. It is now read-only.

PAdES Long Term Validation

eramons edited this page Sep 18, 2020 · 15 revisions

PAdES (PDF Advanced Electronic Signatures) is a set of restrictions and extensions to PDF that make it suitable for electronic signatures.

  • The signature is embedded in the PDF, inside a signature data structure, as a CMS binary-encoded object

  • Validation Data is the data needed to validate an electronic signature: CA certificate(s), OCSP responses, CRLs

  • An LTV (Long-Term Validation) signature remains valid after the signing certificate has expired, even once the Validation Data is no longer available online

To issue a PAdES-conformant LTV signature with Swisscom's All-In Signing Service (AIS):

  • the SignatureStandard element must be set to PAdES so that AIS correctly processes the request and embeds in the signature object the attributes defined by the standard
  • the AddTimestamp element must be present, so that a timestamp is included in the signature
  • the AddRevocationInformation element must be present, so that the validation information is delivered by the service
  • for CMS signatures (both static and on-demand) the type of AddRevocationInformation is not necessary, since it automatically matches the defined signature standard.
"SignRequest": {
        ...
        "OptionalInputs": {
            ...
            "SignatureType": "urn:ietf:rfc:3369",
            "sc.SignatureStandard": "PAdES",
            "AddTimestamp": {
                "@Type": "urn:ietf:rfc:3161"
            },
            "sc.AddRevocationInformation": {}
        }
}
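A pre-flight check for the four rules above, as an added example (not code from this wiki or from Swisscom): it inspects the request body before it is sent and lists every rule it would break. The `@RequestID` value is a constructed placeholder, and `AddTimestamp` and `sc.AddRevocationInformation` are assumed to sit inside `OptionalInputs`.

```python
"""Pre-flight check of an AIS SignRequest body for PAdES LTV. Added example, not code
from the wiki or from Swisscom; the @RequestID value below is a constructed placeholder."""
import json

# Constructed request body following the page's rules; AddTimestamp and
# sc.AddRevocationInformation are assumed to live inside OptionalInputs.
PADES_LTV_REQUEST = {"SignRequest": {
    "@RequestID": "constructed-example-1",
    "@Profile": "http://ais.swisscom.ch/1.1",
    "OptionalInputs": {
        "SignatureType": "urn:ietf:rfc:3369",            # CMS signature
        "sc.SignatureStandard": "PAdES",
        "AddTimestamp": {"@Type": "urn:ietf:rfc:3161"},  # RFC 3161 timestamp inside the signature
        "sc.AddRevocationInformation": {},               # no type: it follows the signature standard
    },
}}


def ltv_request_problems(request):
    """Return the reasons (empty if none) why a request would not yield a PAdES LTV signature."""
    opt = request.get("SignRequest", {}).get("OptionalInputs", {})
    problems = []
    if opt.get("SignatureType") != "urn:ietf:rfc:3369":
        problems.append("SignatureType must be the CMS type urn:ietf:rfc:3369")
    if opt.get("sc.SignatureStandard") != "PAdES":
        problems.append("sc.SignatureStandard must be PAdES")
    timestamp = opt.get("AddTimestamp")
    if not isinstance(timestamp, dict) or timestamp.get("@Type") != "urn:ietf:rfc:3161":
        problems.append("AddTimestamp with @Type urn:ietf:rfc:3161 is required")
    if "sc.AddRevocationInformation" not in opt:
        problems.append("sc.AddRevocationInformation must be present")
    return problems


def problems_in(json_text):
    """Same check, run on the raw JSON body you are about to POST."""
    return ltv_request_problems(json.loads(json_text))


if __name__ == "__main__":
    print(ltv_request_problems(PADES_LTV_REQUEST) or "request is PAdES LTV ready")
```

Running the check against a request that lacks `sc.AddRevocationInformation` returns a single-entry list naming that element; a request missing all four settings returns four entries.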

To ensure your signed PDF is LTV-enabled:

You must ensure that the Validation Information is included in the document. Considerations:

  • For PAdES signatures, the Validation Information is embedded in the signature object as an unauthenticated attribute
  • However, the timestamp's validation information must also be available in the document
  • Since the timestamp is a CAdES signature, its validation information is delivered as a separate object in the OptionalOutputs element
  • It is up to the signing application (i.e. the one invoking the service) to embed this validation information in the PDF
"SignResponse": {
   "@RequestID": "2020-08-11T11:25:41.145+0200",
   "@Profile": "http://ais.swisscom.ch/1.1",
   "Result": {"ResultMajor": "urn:oasis:names:tc:dss:1.0:resultmajor:Success"},
   "OptionalOutputs": {"sc.RevocationInformation":    {
      "sc.CRLs": {"sc.CRL": "MIIFbT...sgEnCA=="},
      "sc.OCSPs": {"sc.OCSP": "MIIItw...0lUAuO"}
   }},
   "SignatureObject": {"Base64Signature":    {
      "@Type": "urn:ietf:rfc:3369",
      "$": "MII8Fg...CNAVmw="
   }}
}

The delivered OCSPs and CRLs must be included in the DSS (Document Security Store) dictionary. See the PDF specification for further information.

To ensure your signed PDF is PAdES-B-T compliant:

You must set the signature's SubFilter to the PAdES-defined "ETSI.CAdES.detached" (and NOT "adbe.pkcs7.detached").
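The two checks above (revocation data in the DSS, and the SubFilter value) in working code, as an added example that is neither this wiki's nor Swisscom's: `revocation_info` decodes the OCSP/CRL payloads from a SignResponse, `add_dss` appends them to the PDF as an incremental update carrying a `/DSS` dictionary, and `inspect_pdf` reports the SubFilter values and DSS contents of any PDF. It uses only the standard library and assumes the PDF has a classic cross-reference table and a catalog without nested dictionaries; the one-page PDF and the base64 payloads are constructed stand-ins, not a real signed document or real DER.

```python
"""Embed AIS-delivered OCSP/CRL data into a PDF's DSS and inspect a PDF (stdlib only).
Added example, not code from the wiki or from Swisscom; see the lead-in for assumptions."""
import base64
import re

# Constructed stand-in for the SignResponse on the page; payloads are placeholders, not DER.
SAMPLE_RESPONSE = {"SignResponse": {"OptionalOutputs": {"sc.RevocationInformation": {
    "sc.CRLs": {"sc.CRL": base64.b64encode(b"CONSTRUCTED-CRL-DER").decode()},
    "sc.OCSPs": {"sc.OCSP": base64.b64encode(b"CONSTRUCTED-OCSP-DER").decode()},
}}}}

def _as_list(value):
    """One element arrives as an object, several as a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def revocation_info(response):
    """Return ([ocsp DER, ...], [crl DER, ...]) decoded from OptionalOutputs."""
    info = response["SignResponse"]["OptionalOutputs"].get("sc.RevocationInformation", {})
    ocsps = [base64.b64decode(x) for x in _as_list(info.get("sc.OCSPs", {}).get("sc.OCSP"))]
    crls = [base64.b64decode(x) for x in _as_list(info.get("sc.CRLs", {}).get("sc.CRL"))]
    return ocsps, crls

def minimal_pdf():
    """Constructed one-page PDF with a classic xref table, standing in for the signed file."""
    bodies = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
              b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(bodies, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref_off)
    return bytes(out)

def _last_trailer(pdf):
    """(startxref offset, /Root object number, /Size) of the most recent revision."""
    tail = pdf[pdf.rfind(b"trailer"):]
    prev = int(re.search(rb"startxref\s+(\d+)", tail).group(1))
    root = int(re.search(rb"/Root\s+(\d+)\s+\d+\s+R", tail).group(1))
    return prev, root, int(re.search(rb"/Size\s+(\d+)", tail).group(1))

def add_dss(pdf, ocsps, crls):
    """Append an incremental update: a stream per OCSP/CRL, a /DSS dictionary and a rewritten
    catalog pointing at it. Earlier bytes, and therefore the signature, stay untouched."""
    prev, root, size = _last_trailer(pdf)
    cat = list(re.finditer(rb"(?ms)^%d 0 obj\s*(<<.*?>>)\s*endobj" % root, pdf))[-1].group(1)
    if b"/DSS" in cat:
        raise ValueError("catalog already has a /DSS; merging existing entries is out of scope")
    objs, next_num = [], size                  # new object numbers start at the old /Size

    def stream(data):                          # wrap DER bytes in a PDF stream object
        nonlocal next_num
        objs.append((next_num, b"<< /Length %d >>\nstream\n%s\nendstream" % (len(data), data)))
        next_num += 1
        return next_num - 1

    def refs(nums):
        return b"[" + b" ".join(b"%d 0 R" % n for n in nums) + b"]"

    ocsp_nums, crl_nums = [stream(d) for d in ocsps], [stream(d) for d in crls]
    dss_num, next_num = next_num, next_num + 1
    objs.append((dss_num, b"<< /Type /DSS /OCSPs %s /CRLs %s >>" % (refs(ocsp_nums), refs(crl_nums))))
    objs.append((root, cat[:-2].rstrip() + b" /DSS %d 0 R >>" % dss_num))
    out, offsets = bytearray(pdf if pdf.endswith(b"\n") else pdf + b"\n"), {}
    for num, body in objs:
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_off = len(out)                        # one single-entry subsection per written object
    out += b"xref\n" + b"".join(b"%d 1\n%010d 00000 n \n" % (n, offsets[n]) for n in sorted(offsets))
    out += b"trailer\n<< /Size %d /Root %d 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (next_num, root, prev, xref_off)
    return bytes(out)

def xref_offsets_valid(pdf):
    """Sanity check: every in-use entry of the last xref section points at 'N 0 obj'."""
    start = int(re.search(rb"startxref\s+(\d+)", pdf[pdf.rfind(b"startxref"):]).group(1))
    lines, i = pdf[start:pdf.find(b"trailer", start)].split(b"\n")[1:], 0
    while i < len(lines) and lines[i].strip():
        first, count = map(int, lines[i].split())
        for num in range(first, first + count):
            i += 1
            off, _gen, kind = lines[i].split()
            if kind == b"n" and not pdf.startswith(b"%d 0 obj" % num, int(off)):
                return False
        i += 1
    return True

def inspect_pdf(pdf):
    """Report what the page asks you to verify: /SubFilter values and DSS contents."""
    subfilters = [m.group(1).decode() for m in re.finditer(rb"/SubFilter\s*/([\w.]+)", pdf)]
    dss = re.search(rb"<<[^>]*/Type\s*/DSS.*?>>", pdf, re.S)
    counts = {}
    for key in (b"OCSPs", b"CRLs"):
        arr = dss and re.search(rb"/" + key + rb"\s*\[([^\]]*)\]", dss.group(0))
        counts[key.decode().lower()] = len(re.findall(rb"\d+\s+\d+\s+R", arr.group(1))) if arr else 0
    return {"subfilters": subfilters, "has_dss": dss is not None, **counts,
            "pades_subfilter": bool(subfilters) and set(subfilters) == {"ETSI.CAdES.detached"}}

if __name__ == "__main__":
    updated = add_dss(minimal_pdf(), *revocation_info(SAMPLE_RESPONSE))
    print(inspect_pdf(updated), xref_offsets_valid(updated))
```

The update is appended after the existing `%%EOF`, so the byte ranges covered by the signature are not modified; a real signed PDF must be processed the same way, never rewritten in place. The DSS is written only for the signatures present at that moment, which is why the PAdES-LTA step below (a second, document-level timestamp) needs its own DSS update afterwards.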

To ensure your signed PDF is PAdES-LTA compliant:

The document must include two timestamps:

  • The one included in the signature; AIS already ensures this when the "AddTimestamp" element is included in the sign request as described above
  • An additional one, obtained by timestamping the already signed document: send a further sign request with timestamp as the signature type

References:

https://documents.swisscom.com/product/1000255-Digital_Signing_Service/Documents/Reference_Guide/Reference_Guide-All-in-Signing-Service-en.pdf

https://en.wikipedia.org/wiki/PDF

https://en.wikipedia.org/wiki/PAdES

http://www.etsi.org/deliver/etsi_ts%5C102700_102799%5C10277804%5C01.01.02_60%5Cts_10277804v010102p.pdf
