digitorus / pdfsign

Add/verify Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES) in PDF (using pure Go)
BSD 2-Clause "Simplified" License

"Signature is not LTV enabled" #21

Closed karelbilek closed 10 months ago

karelbilek commented 10 months ago

When I open a PDF created by this tool in Acrobat, I see "Signature is not LTV enabled".

What does that mean, and how do I enable LTV?

vanbroup commented 10 months ago

Have you added the revocation status of the certificate and a time stamp from a TSA?

karelbilek commented 10 months ago

@vanbroup Thanks!

The revocation data is indeed missing. I just copied code from main.go :) which doesn't have them.

I will try to read up on how to get the revocation data and what it is.

karelbilek commented 10 months ago

TSA is there though; I have used ts.ssl.com which is free and it seems to show up correctly in acrobat, unlike freetsa.org

karelbilek commented 10 months ago

How do I "add revocation status" with this library?

All I see is these 2 options...

    // The following options are likely to change in a future release
    //
    // cache revocation data when bulk signing
    RevocationData:     revocation.InfoArchival{},
    // custom revocation lookup
    RevocationFunction: sign.DefaultEmbedRevocationStatusFunction,

I don't care about caching or a custom revocation lookup?

karelbilek commented 10 months ago

Ah, it's because I put in empty certificate chains. I will try to edit that.

karelbilek commented 10 months ago

Ah, it seems certificate chains must be present and RevocationFunction must be set to sign.DefaultEmbedRevocationStatusFunction.

karelbilek commented 10 months ago

However, with our code, the OCSP shows a "malformed" error. :(

Will try to look deeper.

vanbroup commented 10 months ago

Do you use a publicly trusted certificate?

Have you tried uploading the certificate to https://certificate.revocationcheck.com/

karelbilek commented 10 months ago

The issue was that I had put "our cert - intermediate cert - root cert" into the "certificate chains" option.

However, when doing OCSP on the intermediate cert with the root cert, the root cert OCSP returned an error. (I am not sure why; why does the intermediate cert OCSP return an error when asked with the root cert as issuer... maybe some issue on the side of the authority, I don't know.)

However, looking around, I figured out that Acrobat even has the intermediate cert in its root store, not the certificate authority's root cert. So using only "our cert - intermediate cert" as the certificate chain fixed the issue and we see "LTV enabled".

What I think could be documented better is that the RevocationFunction is required if you want LTV, and that you need to add the certificate chain.

But I understand this is an open source project, so thanks for the library anyway :D and I might add a PR with the docs.
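
The chain layout karelbilek ended up with (embed the leaf plus the intermediate, stop at whatever the validator treats as its trust anchor, and fetch revocation status only for certificates that have an issuer in the path) can be shown with the Go standard library alone. The following is an added example, not code from pdfsign or from anyone in this thread: ChainForSigning, RevocationPair, NewTestPKI, template, issue and must are names chosen here, the three certificates are generated in memory as constructed test data, and how pdfsign consumes the resulting slice through its certificate chains option is not modelled; the example stops at producing the chain to embed and the list of (certificate, issuer) lookups that chain needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationPair is one (certificate, issuer) lookup an LTV signer must embed OCSP/CRL
// data for; the self-signed anchor only appears as Issuer, never as Cert.
type RevocationPair struct {
	Cert, Issuer *x509.Certificate
}

// ChainForSigning builds the path from leaf to a trust anchor and returns the part to
// embed (leaf first, anchor omitted: validators find the anchor in their own store) and
// the revocation lookups that path needs. Pass the intermediate as a root when the
// validator trusts it directly, as the thread above reports for Acrobat.
func ChainForSigning(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) ([]*x509.Certificate, []RevocationPair, error) {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	for _, c := range roots {
		rp.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Intermediates: ip,
		Roots:         rp,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // signing certs carry no TLS EKU
	})
	if err != nil {
		return nil, nil, err
	}
	full := chains[0] // leaf ... anchor; Verify has already checked every signature
	if len(full) < 2 {
		return nil, nil, fmt.Errorf("%q is itself the trust anchor; nothing to embed", leaf.Subject.CommonName)
	}
	var pairs []RevocationPair
	for i := 0; i+1 < len(full); i++ {
		pairs = append(pairs, RevocationPair{Cert: full[i], Issuer: full[i+1]})
	}
	return full[:len(full)-1], pairs, nil
}

// NewTestPKI generates an in-memory root -> intermediate -> leaf hierarchy (constructed test data).
func NewTestPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(template("Test Root", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil, nil)
	inter, interKey := issue(template("Test Intermediate", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root, rootKey)
	leaf, _ = issue(template("Test Signer", 3, x509.KeyUsageDigitalSignature), inter, interKey)
	return root, inter, leaf
}

// template returns a minimal certificate template; CertSign in ku marks it as a CA.
func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		BasicConstraintsValid: true,
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
	}
}

// issue signs tmpl with parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	root, inter, leaf := NewTestPKI()
	// First the validator trusts the root, then it trusts the intermediate directly.
	for _, roots := range [][]*x509.Certificate{{root}, {inter}} {
		embed, pairs, err := ChainForSigning(leaf, []*x509.Certificate{inter}, roots)
		if err != nil {
			panic(err)
		}
		fmt.Printf("anchor %q: embed %d cert(s), %d revocation lookup(s)\n", roots[0].Subject.CommonName, len(embed), len(pairs))
	}
}
```

With the root as anchor the program embeds two certificates and needs two lookups (leaf via the intermediate, intermediate via the root); with the intermediate as anchor, matching the Acrobat observation above, it embeds only the leaf and needs one. An OCSP request about the self-signed root, which has no issuer to sign an answer for it, is exactly the lookup this layout never makes.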

karelbilek commented 10 months ago

Interestingly, if I use "proCentrum SmartSign", a different program to check PDF certificates, I get "Certificate is not issued by qualified distribution point".

That's weird... that seems to have something to do with the CRL. I have edited the function to add both OCSP and CRL even in the case the OCSP request fails, and added that for all three certs in the chain... and I still get this error.

That is so strange... I will trust Acrobat more than "proCentrum SmartSign" though.

karelbilek commented 10 months ago

The EU demo works:

https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation

So I will discount the proCentrum thing.

karelbilek commented 10 months ago

Closing this issue but I might update the docs later