SIGNING PDF FILES

The current version of BlueRidge supports the signing of XML documents according to the PADES specifications. This chapter describes the signature algorithms used by BlueRidge to digitally sign a PDF file.

Our BlueRidge PDF signing solution is compatible with the PDF specifications form Adobe Systems Inc. and supports signatures that can be validated with the freely available Adobe Reader. So, another advantage of this solution is that it can be validated by third parties, without installing dedicated software or plug-ins. The BlueRidge signature components are compliant with the EU directives 2001/115/EC and 1999/93/EC (where Annex III and IV are relevant) and ETSI TS 102 778. The service can create an advanced electronic signature based on a digital certificate using a secure signature creating device if the HSM is enclosed in the BlueRidge server.

 

The BlueRidge Sign/Validate Service consists of the following main components:

  BlueRidge server

  Optionally HSM: for instance BankSys Dep PCI/64 (FIPS 140-2 Level 2)

  Includes the PDF conversion component

  Includes the server component for signature generation (with time stamping and OCSP certificate revocation checking support)

  Includes the server component for signature validation

  Client component for signature generation and validation

BlueRidge supports the following types of signature handlers in a PDF file.

  Adobe compatible signature handlers

  D Soft Adobe compatible signature handlers

  D Soft compatible signature handlers

Signatures created using the "Adobe compatible" signature handler can be validated in Adobe Reader without additional settings or software. These signatures are fully compatible with Adobe Reader.

Signatures created using the "D Soft Adobe compatible" signature handler can be validated in Adobe Reader without additional software, but the first time a user receives a PDF with such a signature, a message will appear. The user can acknowledge this message and the signature will be validated using the internal Adobe Reader routines. However, the user can also download an Adobe Reader plug-in module that will take over the validation procedure.

Signatures created using the "D Soft" signature handler always require an Adobe Reader plug-in module that will validate the signature. This function is provided for backward compatibility only and should not be used anymore.

 

Signature Generation Service

BlueRidge server provides a mechanism that can digitally sign a PDF file. This is done using a X509 v3 based certificate. A HSM can be enclosed by the BlueRidge server to store the private keys used by the Advanced Electronic Signature Service. The signature solution of BlueRidge consists of a server and a client component.

  A PDF document can be signed by BlueRidge in a blank signature field or a new signature field can be added. If this case, an annotation is first added containing the appearance of the signature field (this is empty in case of an invisible signature).

  The PDF signature information is stored in a signature dictionary data structure.

  To create an electronic signature a digest is computed of the data stored in the document. All bytes of the PDF file are covered by the signature digest, including the signature dictionary, but excluding the signature value itself.  To verify the signature, the digest is recomputed and compared with the one stored in the document.

  The computed digest is than signed using a selected X509 certificate by the client component of the signature generation module. The hash can be signed in semi-delegated (certificate present in local store) or full-delegated mode (certificate present on server).

  This signed data is then added to the PDF as the signature value.

BlueRidge can sign using custom filters or using the standard Adobe.PPKLite or Adobe.PPKMS filter. As SubFilter BlueRidge supports adbe.pkcs7.detached and adbe.pkcs7.sha1.

Multiple signatures are supported using the incremental save capabilities of PDF. When changes to a file are made and a new signature is applied to the document, the changes are appended after the last byte of the previously existing document.

BlueRidge supports time stamping. When the BlueRidge server validates the signature, not only the signature and its integrity are checked, but the time stamp can also be validated online with the Time Stamp Server. The software uses the public key to prove the time stamp is authentic.

BlueRidge also supports Long-term validation (LTV). LTV is a special feature of PDF signing and allows for validity checking years after the certificate was created. When LTV is enabled, the certificate’s sign-time status is stored inside the PDF. This verification certificate remains in the file so that its validity can be determined even at some later date, regardless of whether the certificate has expired or been revoked, or the issuing authority no longer exists. Because the record is stored inside the signed document, it is also authenticated by the document’s signature, further reducing the chances for error or fraud. LTV helps reduce dependencies on external systems and reduces the potential for future ambiguity around expired or revoked certificates.

These methods can be pre-configured for automatic use.

Signature Validation Service

The solution supports verification of signatures both online and offline. Both methods perform an integrity check, as well as a check on the certificates and their chain up to a trusted certificate. Both methods can also perform a revocation check. To verify the signature, the digest is recomputed and compared with the one stored in the document.

Path building and validation

A certificate needs to be traceable back to a trusted source, often called a root or anchor. When organizations issue certificates, those certificates contain references that point back to the issuing organization. Individual user certificates are usually signed with organizational certificates to provide proof of their source and authenticity and that it is subject to the rules of requirements established by that organization.

Revocation checking

In revocation checking, the signing or verifying application may contact the issuer of a certificate and requests information about the current status of the signing certificate. The issuer sends a response indication whether the certificate is valid or has been revoked. Certificates may be revoked for many reasons, such as a lost smart card, or fraudulent activity. Revocation checking lends more credibility to a digital signature because it can provide a real-time status of a certificate at the time of signing. The BlueRidge solution uses an advanced revocation verification scheme.

For revocation checking we support:

  Imported CRL’s on local file system or file share

  CRL distribution points in the certificate (HTTP, LDAP and OCSP)
(If required, CRLs from specified distribution points can be downloaded and cached to the server at specified times.)

  Interactive LDAP servers configuration

  Interactive OSCP verification

  Time stamp validation

Certificate Validation Service

BlueRidge checks if the digital certificate is still valid before it can be used for signing. When a client application receives a digital certificate, BlueRidge has to decide whether this certificate can be trusted and whether it can be accepted in the current application context.

The validation of a certificate against a validation policy implies several steps. First, the complete certificate chain, from the end-user certificate up to a trusted CA certificate, has to be built. The parameters for validation of a certificate (such as the trusted anchors) can be pre-configured for automatic use. Once a valid certification chain has been established, a full revocation status check of the complete certification chain has to be performed. This check can be done against various CSP revocation services available like the CRL or OCSP servers.

Only valid certificates can be used for signing. The Certificate Validation Service is compliant with this RFC-3280 standard.

 

Signature Browser Plug-in

The Signature Browser Plug-in is used when the certificate to be used for signing is located in the keystore of the local computer and the user signs in semi delegated mode. So, the Signature Browser Plug-in acts as a bridge between the web application and the keystore on the computer of the user. By using a HTTP(s) based client-server communication protocol, problems with firewalls are greatly reduced.

This module is available as a Java applet and a .Net ActiveX version.

 

Time Stamping Service

Some transactions and records are time-sensitive, and often electronic records need to record the time of signing in a verifiable manner. PDF signature features can increase the accuracy and trust of the signature time. The most basic source for time is the system clock of the signing computer. System time is usually accurate, especially in enterprise environments, but there is the possibility that the system date could be altered to fraudulently predate a document. In some cases, the signature time can be compared with other system logs to determine its accuracy. For example, if LTV is employed, the revocation response contains a time stamp from the issuing system. Because the time on the revocation response is usually more secure than system time, this time can be cross-referenced and compared with the signature time.

The most accurate way to establish the time of signing is to add a secure time stamp to a digital signature. A secure time stamp is a standards-based method (based on RFC 3161) for recording the time of a transaction. In PDF documents, secure time stamps are added directly to a signature at the time of signing and are visible when verifying signatures.

BlueRidge supports time stamping. In this case the program will fetch a time stamp upon creation of the signature from a Time Stamp Server. The program calculates a hash value of the document to sign. This hash is packed into a timestamp request and is sent to the Time Stamp Server. Only the data file’s unique hash value is transmitted, sensitive data is never transmitted outside the client. The Time Stamp Server adds the current time to the hash value, signs it, and generates a time stamp according to [RFC3161]. This time stamp is delivered back to the BlueRidge server as a DER coded ASN.1 stream. All client to server communication is HTTP(s). The TSA response is then incorporated in the signature itself. When the BlueRidge server validates the signature, not only the signature and its integrity are checked, but the time stamp can also be validated online with the Time Stamp Server. The software uses the public key to prove the time stamp is authentic.

Copyright 2014 © All Rights Reserved.