Validation fails in Adobe Reader / Acrobat: document has been modified or damaged

I am currently working on a timestamp service that creates timestamps compatible with PAdES-4. This works great with timestamps received from Swisscom / Swisssign / QuoVadis servers. But whenever I use a timestamp obtained from my own authority, timestamping or Signtrust, Adobe Reader (version 11.0.06) continues to reject my timestamp with a German comment: "Dokument wurde nach dem Unterzeichnen verändert oder beschädigt", which means "The document has been modified or damaged after creating the signature." Adding the required certificates to the trust list (so that the TSA subscriber certificate is verified successfully) does not affect this behavior.

Since the timestamps received from the TSAs mentioned above confirm the correctness, I assume that my basic digest calculation is very good.

Since my timestamps based on the external (non-PAdES) CMS are correctly validated using alternative signature applications, I assume that the digest encoding as well as the timestamp structure are just fine.

With my own TSA, I use the same digest algorithms and structures as Swisssign, but Adobe Reader just won't accept it. Since additional information about the error given by Adobe Reader is not observed, I lost it.

Does anyone have an idea what is wrong with the timestamp in the document found at: https://dl.dropboxusercontent.com/u/40847151/Timestamping/TS%20-%20selfsigned.pdf

Swisssign: https://dl.dropboxusercontent.com/u/40847151/Timestamping/TS%20-%20Swisssign.pdf


TS - selfsigned.pdf

TSA RFC 3161.

, , Adobe , , RFC 3161 .

RFC 3161

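2.3. Identification of the TSA

The TSA MUST sign each time-stamp message with a key reserved specifically for that purpose. A TSA MAY have distinct private keys, e.g., to accommodate different policies, different algorithms, different private key sizes or to increase the performance. The corresponding certificate MUST contain only one instance of the extended key usage field extension as defined in [RFC2459] Section 4.2.1.13 with KeyPurposeID having value:

id-kp-timeStamping.  This extension MUST be critical.

The following object identifier identifies the KeyPurposeID having value id-kp-timeStamping.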

id-kp-timeStamping OBJECT IDENTIFIER ::= {iso(1)
               identified-organization(3) dod(6)
               internet(1) security(5) mechanisms(5) pkix(7)
               kp (3) timestamping (8)}

, TSA SwissSign .

, BNetzA, , . , (SigG), - ...

TS - EKU critical.pdf

Adobe - OP. , :

- serialNumber TSTInfo:

133 02    4:                 INTEGER -171182259

. ( ), - , .

contentType SignerInfo:

1290 06    9:               OBJECT IDENTIFIER
            :                 contentType (1 2 840 113549 1 9 3)
            :                 (PKCS #9 (1 2 840 113549 1 9))
1301 31   11:               SET {
1303 06    9:                 OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
            :                   (PKCS #7)
            :                 }
            :               }

Swisssign TSTInfo:

3540 06    9:               OBJECT IDENTIFIER
            :                 contentType (1 2 840 113549 1 9 3)
            :                 (PKCS #9 (1 2 840 113549 1 9))
3551 31   13:               SET {
3553 06   11:                 OBJECT IDENTIFIER
            :                   id-ct-TSTInfo (1 2 840 113549 1 9 16 1 4)
            :                   (S/MIME Content Types (1 2 840 113549 1 9 16 1))
            :                 }
            :               }

, CMS SigningCertificateV2, SigningCertificate. Swisssign SigningCertificate.

RFC 3161 SigningCertificate:

The certificate identifier (ESSCertID) of the TSA certificate MUST be included as a signerInfo attribute inside a SigningCertificate attribute.

RFC 5816 V2, ETSI TS 102 778-4 RFC 3161.

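The contentType and serialNumber dumps in the answer above can be checked programmatically. This is an added example, not part of the original answer: a standard-library DER reader that extracts the contentType signed attribute and compares it with id-ct-TSTInfo, the eContentType an RFC 3161 token encapsulates and which CMS requires this attribute to match. The byte strings are constructed from the dumps on this page, and all function names are hypothetical.

```python
# Added example, not from the original post. Minimal DER reader (definite lengths only).
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"      # PKCS #9 contentType
OID_TSTINFO = "1.2.840.113549.1.9.16.1.4"      # id-ct-TSTInfo

def read_tlv(buf, pos=0):                       # -> (tag, value bytes, next offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):                            # SEQUENCE/SET content -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:                              # base-128, high bit = "more octets follow"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signed_content_type(attr_der):              # OID values of one contentType attribute
    tag, seq, _ = read_tlv(attr_der)
    (t_oid, oid), (t_set, values) = children(seq)
    if (tag, t_oid, t_set) != (0x30, 0x06, 0x31) or decode_oid(oid) != OID_CONTENT_TYPE:
        raise ValueError("not a contentType attribute")
    return [decode_oid(v) for t, v in children(values) if t == 0x06]

def is_tst_content_type(attr_der):              # True only if the attribute is id-ct-TSTInfo
    return signed_content_type(attr_der) == [OID_TSTINFO]

def der_integer(integer_der):                   # DER INTEGERs are two's complement, so signed
    tag, val, _ = read_tlv(integer_der)
    if tag != 0x02:
        raise ValueError("not an INTEGER")
    return int.from_bytes(val, "big", signed=True)

# Constructed from the dumps above (same tags, lengths and OIDs); not taken from the PDFs.
OWN_TSA_ATTR = bytes.fromhex("3018 0609 2a864886f70d010903 310b 0609 2a864886f70d010701")
SWISSSIGN_ATTR = bytes.fromhex("301a 0609 2a864886f70d010903 310d 060b 2a864886f70d0109100104")
OWN_TSA_SERIAL = bytes.fromhex("0204") + (-171182259).to_bytes(4, "big", signed=True)
```

To check a real token, feed these functions the attribute and serialNumber bytes cut from the timestamp token at the offsets the ASN.1 dump reports.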

Source: https://habr.com/ru/post/1570805/

