I've found the following about the signature in the signed PDFs I have to timestamp:

* The '/Filter' entry contains 'Adobe.PPKLite'
* The '/SubFilter' entry contains 'adbe.x509.rsa_sha1'
* The X509 certificate is stored in the '/Cert' entry
* The '/Contents' entry doesn't seem to be padded, so there is no free space
* The '/M' entry contains the date of signing, but it is an unverified computer time

This information leads me to believe the PDFs are signed using PKCS#1 as Michael said, not PKCS#7 as I had supposed. How can I confirm it?

So, if the signatures are PKCS#1, does the situation change? Is it less troublesome to timestamp the PDFs then? How would I go about it? Where would I insert the timestamp? I'm lost as heck...

Thanks a lot for your help.

PS: If PAdES-LTV is the way to go, I will look deeper into it, but I haven't found many examples on the net, so I'm a bit wary.

Daniel Pérez Álvarez
Technological Solutions
Atos Origin
+34 91 126 7310
C/ Albasanz, 16
28037 Madrid
Spain

------------------------------

Date: Tue, 8 Jun 2010 12:25:53 -0700 (PDT)
From: mkl <[email protected]>
Subject: Re: [iText-questions] Add timestamp to signed PDF
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

Daniel Perez Alvarez,

Daniel Perez Alvarez wrote:
> My problem is that I have some signed PDFs, and now I have to timestamp
> them.
>
> I'm quite a newbie regarding the PDF format... I'm using iText, and I've
> seen that I can add a PdfPKCS7 signature with a timestamp to the PDF, but
> I don't know how to retrieve an existing signature and append/modify the
> timestamping information.
>
> It looks like the timestamping information is an unauthenticated
> attribute, with the id 1.2.840.113549.1.9.16.2.14, but I don't know how to
> alter attributes in a PDF.

ISO 32000-1:2008 recommends inclusion of timestamps in PKCS#7 signatures as unsigned attributes; therefore, retroactively adding timestamps to them is theoretically possible. There are a number of reasons, though, why you shouldn't walk that road:

* as the range in the PDF file reserved for the PKCS#7 container is determined before the actual PKCS#7 signature is created, and as it's fixed from then on, there simply may not be enough space left in a number of your PDFs; this space cannot be expanded without invalidating the signature itself;
* if there are PDFs with multiple integrated signatures, only the last one may be changed, as all prior ones are part of the data signed by the later ones;
* if there is a timestamp embedded in a PKCS#7 container, its time according to ISO 32000-1:2008 is considered to be the time of signing which in your case would be wrong.

As you are from Spain, though, you might want to go the ETSI way and generate document time stamps as per ETSI TS 102 778-4 (PAdES-LTV).

Regards,
Michael.
PS: Have you checked, by the way, whether all the signatures you have really are PKCS#7 signatures? Alternatively plain PKCS#1 signatures may also be in use. Or maybe xml signatures in case of XFA forms.

--
View this message in context: http://itext-general.2136553.n4.nabble.com/Add-timestamp-to-signed-PDF-tp2247722p2247894.html
Sent from the iText - General mailing list archive at Nabble.com.
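
Added example, not part of the thread and not iText code: one way to check from the raw file which container a signature uses and how much reserved space is left in '/Contents'. It maps '/SubFilter' to the container type and measures the padding after the DER object; the function names and sample bytes are constructed here, and it assumes uncompressed, unencrypted signature objects with a hex-string '/Contents'.

```python
import re

# /SubFilter names (ISO 32000-1, PAdES) and the container each puts in /Contents.
SUBFILTER_KIND = {
    "adbe.x509.rsa_sha1": "PKCS#1",
    "adbe.pkcs7.detached": "PKCS#7",
    "adbe.pkcs7.sha1": "PKCS#7",
    "ETSI.RFC3161": "RFC 3161 document time stamp",
}

def der_total_length(blob):
    """Size in bytes (header + content) of the first DER object in blob."""
    if len(blob) < 2:
        raise ValueError("too short for a DER header")
    first = blob[1]
    if first < 0x80:                       # short form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("indefinite or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def inspect_signatures(pdf_bytes):
    """Summarise each signature dictionary (hypothetical helper, added example)."""
    found = []
    for obj in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", pdf_bytes, re.S):
        sub = re.search(rb"/SubFilter\s*/([A-Za-z0-9._]+)", obj.group(1))
        hexstr = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", obj.group(1))
        if not sub or not hexstr or not hexstr.group(1).strip():
            continue
        digits = re.sub(rb"\s", b"", hexstr.group(1)).decode("ascii")
        raw = bytes.fromhex(digits + "0" * (len(digits) % 2))
        name = sub.group(1).decode("ascii")
        found.append({
            "subfilter": name,
            "kind": SUBFILTER_KIND.get(name, "unknown"),
            "der_tag": raw[0],             # 0x04 OCTET STRING, 0x30 SEQUENCE
            "reserved": len(raw),          # bytes set aside when the file was signed
            "free": len(raw) - der_total_length(raw),  # padding after the DER object
        })
    return found

# Constructed sample: toy DER values, not real signatures.
SAMPLE = (
    b"%PDF-1.6\n7 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
    b" /SubFilter /adbe.x509.rsa_sha1 /Contents <048180" + b"AB" * 128 + b"> >>\nendobj\n"
    b"9 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite"
    b" /SubFilter /adbe.pkcs7.detached /Contents <3006020101020102" + b"00" * 20 + b"> >>\nendobj\n"
)

for sig in inspect_signatures(SAMPLE):
    print(sig)
```

A 'free' value of 0 means nothing can be added inside the existing container without changing the byte range the signature covers.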
