Hi Julien,
sounds weird ... could you please post a sample PDF?
Greetings
Andreas
----- Original message --------
Subject: [iText-questions] PDF Signature : validity unknown - belgium eid :
Signature problem in a PDF, with a certificate chain (MyCertificate ->
CitizenCA -> BelgiumRootCA)
Sent: Wed, 29 Dec 2010
From: Vroonen Julien
- « validity unknown » displayed by Adobe Reader (tested in version 7
and 9, …)
- Using itext to sign a pdf document
- With a smart card : the belgium eid (identity card)
- Using an external signature
- With “PdfSignatureAppearance.SELF_SIGNED” option
When I consult a signed PDF with iText (I made the signature myself, based on
the example found here : http://itextpdf.sourceforge.net/howtosign.html), on my
computer, where all my certificates are registered, everything is
displayed correctly in Adobe Reader : the signature is displayed as
“valid”.
However, when I try to read this PDF on another computer, the validity of the
signature is displayed as “validity unknown”.
I figured out that it could be :
Point 1) because the certificate chain is not included in the PDF.
Point 2) because the “Belgium Root CA” is not imported as
“trusted CA” in windows
Point 3) because the “Citizen CA” is not imported as “trusted
CA” in windows
Point 1 :
I made the signature, passing the certificate chain extracted from the smart
card.
In debug mode, every certificate is there, and the complete chain is passed to
the API call : “sap.setCrypto(null, certs, null,
PdfSignatureAppearance.SELF_SIGNED);”.
So, this does not seem to be the problem (but I could not check it for sure) :
- on my PC, the certificate chain is well displayed by adobe reader
- And when I call this API at the end of the signature process :
“Certificate[] certsInPdf =
stamper.getSignatureAppearance().getCertChain();”, a Certificate[] is
returned, containing the 3 certificates.
Point 2 :
I installed the “Belgium Root CA”, exported from my PC and imported on
the pc displaying “validity unknown”.
I tried this installation twice : in automatic mode, and in the
“certification store” named “Trusted Root CA”.
But it did not change anything to the display made by Adobe Reader…
Point 3 :
THIS was the solution !
I installed this certificate, using the same procedure from “Belgium Root
CA”, and, after that, the signature appeared as “valid” !
HOWEVER, due to the number of existing “Citizen
CA” (http://repository.eid.belgium.be/FR/CitizenCA.htm), it is not possible
to do this on every pc where the signed PDF will be consulted.
So, my question is…
Obviously, signature is well displayed if the 3 points are done.
Why is “point 3” necessary ?
I can understand (the users could accept) the necessity of “point 2”,
but I can NOT ask every user to do the same with every existing “Citizen
CA”.
Any help, suggestion, explanation is welcome!
Best regards,
Julien.
Julien Vroonen - [email protected]
Business Analyst
NSI IT Software & Services
Chaussée de Bruxelles, 174 A
B-4340 Awans
Direct tel.: +32 (0)4 239 91 60
General tel.: +32 (0)4 239 91 50
Fax: +32 (0)4 246 13 08
www.nsi-sa.be
--- End of original message ----