DSSException: Revocation data is missing
I'm using DSS to sign PDF documents. I need these docs to be timestamped and LTV enabled (PAdES LTV enabled).

I'm running into some issues regarding the Revocation data.

I'm kinda new to this domain so bear with me.

I'm following the instructions and demos provided by DSS itself but to no avail.

I've been successful in signing PDFs using PAdES B and PAdES T, so I have my TSA service set up correctly.

The problem I'm running into is that every time I try to sign a PDF using LTV I get the following error: "eu.europa.esig.dss.DSSException: Revocation data is missing" and I can't figure out why... This exception is thrown when calling "service.signDocument(...)", and right before it the debug log says:

"eu.europa.esig.dss.validation.SignatureValidationContext - No revocation data found for certificate : (...)".

This is my main signing method:

public void createSignature(KeyStore ks, Properties props, File inFile, File outFile, String extraName, boolean visible) throws GeneralSecurityException, IOException {
    PAdESSignatureParameters params = new PAdESSignatureParameters();

    DSSDocument toSignDocument = new FileDocument(inFile);
    DSSDocument signedDocument;

    try (Pkcs12SignatureToken token = new Pkcs12SignatureToken(
            props.getKeystore(), new KeyStore.PasswordProtection(props.getPassword()))) {

        List<DSSPrivateKeyEntry> keys = token.getKeys();

        params.setDigestAlgorithm(DigestAlgorithm.SHA256);
        params.setSigningCertificate(keys.get(0).getCertificate());
        params.setCertificateChain(keys.get(0).getCertificateChain());
        // B and T levels work; the LTV level is the one that fails
        params.setSignatureLevel(props.signatureProperties().getSignatureLevel());

        // Verifier: the trust source is a TrustedListsCertificateSource with no TSL loaded into it
        CertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSource(new TrustedListsCertificateSource());
        verifier.setCrlSource(onlineCRLSource());
        verifier.setOcspSource(ocspSource());
        verifier.setDataLoader(dataLoader());

        // Timestamp source (works for PAdES T)
        OnlineTSPSource onlineTSPSource = new OnlineTSPSource(TSA_URL);
        onlineTSPSource.setDataLoader(new CommonsDataLoader("application/timestamp-query"));
        onlineTSPSource.setPolicyOid(POLICY_ID);

        PAdESService service = new PAdESService(verifier);
        service.setTspSource(onlineTSPSource);

        ToBeSigned dataToSign = service.getDataToSign(toSignDocument, params);

        DigestAlgorithm digestAlgorithm = params.getDigestAlgorithm();
        SignatureValue signValue = token.sign(dataToSign, digestAlgorithm, keys.get(0));

        // "DSSException: Revocation data is missing" is thrown here
        signedDocument = service.signDocument(toSignDocument, params, signValue);
        signedDocument.save(outFile.getCanonicalPath());

    } catch (IOException e) {
        e.printStackTrace();
    }
}

Some minor helper methods:

private OnlineCRLSource onlineCRLSource() {
    OnlineCRLSource onlineCRLSource = new OnlineCRLSource();
    onlineCRLSource.setDataLoader(dataLoader());
    return onlineCRLSource;
}

private OnlineOCSPSource ocspSource() {
    OnlineOCSPSource onlineOCSPSource = new OnlineOCSPSource();
    onlineOCSPSource.setDataLoader(ocspDataLoader());
    return onlineOCSPSource;
}

private OCSPDataLoader ocspDataLoader() {
    OCSPDataLoader ocspDataLoader = new OCSPDataLoader();
    ocspDataLoader.setContentType("application/ocsp-response");
    ocspDataLoader.setProxyConfig(null);
    return ocspDataLoader;
}

private CommonsDataLoader dataLoader() {
    CommonsDataLoader dataLoader = new CommonsDataLoader();
    dataLoader.setProxyConfig(null);
    return dataLoader;
}

Relevant Maven dependencies:

<dependency>
    <groupId>com.github.librepdf</groupId>
    <artifactId>openpdf</artifactId>
    <version>1.2.21</version>
</dependency>

<dependency>
    <groupId>org.digidoc4j.dss</groupId>
    <artifactId>dss-pades-openpdf</artifactId>
    <version>5.4.d4j.1</version>
</dependency>

<dependency>
    <groupId>org.digidoc4j</groupId>
    <artifactId>digidoc4j</artifactId>
    <version>3.2.0</version>
</dependency>
Pyre answered 29/7, 2019 at 9:8 Comment(3)
Desireedesiri: Maybe a silly question, but are you doing your tests with a self-signed certificate? (seeing you're relying on a PKCS12 keystore)
Pyre: @Desireedesiri Should've specified that, my bad. No I am not, I'm using a valid certificate.
Desireedesiri: Ok, so did you try accessing directly the CRL and/or OCSP responder associated to your signing certificate and TSA cert, e.g. using cURL? Another point: the content-type for your OCSP data loader should be "application/ocsp-request" (though I believe the setter method is not doing anything)

Although this is an old question, in case someone stumbles on the same issue: when using a test TSA without revocation data, you must add verifier.setCheckRevocationForUntrustedChains(true); This is included in the DSS example eu.europa.esig.dss.cookbook.example.sign.SignXmlXadesLTTest

Durnan answered 18/4, 2021 at 11:48 Comment(0)
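A fuller configuration, written here as an added example and not code from the question or from the DSS project, showing both fixes the thread points at: an explicit trust anchor for the signer's and the TSA's issuing CA (the usual production fix, since a TrustedListsCertificateSource with no TSL loaded trusts nothing, so DSS treats the chain as untrusted and by default fetches no revocation data for it), and the setCheckRevocationForUntrustedChains(true) flag from the answer for test PKIs. It also adds the check a practitioner wants afterwards: validating the signed file and confirming that the LT signature really embeds CRL/OCSP data. Package paths follow DSS 5.4, the version in the question's dependencies, and have moved in later releases; the class name, helper names, file paths, password and TSA URL are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.security.KeyStore;
import java.util.List;

import eu.europa.esig.dss.DSSDocument;
import eu.europa.esig.dss.DSSUtils;
import eu.europa.esig.dss.DigestAlgorithm;
import eu.europa.esig.dss.FileDocument;
import eu.europa.esig.dss.SignatureLevel;
import eu.europa.esig.dss.SignatureValue;
import eu.europa.esig.dss.ToBeSigned;
import eu.europa.esig.dss.client.crl.OnlineCRLSource;
import eu.europa.esig.dss.client.http.commons.CommonsDataLoader;
import eu.europa.esig.dss.client.http.commons.OCSPDataLoader;
import eu.europa.esig.dss.client.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.client.tsp.OnlineTSPSource;
import eu.europa.esig.dss.pades.PAdESSignatureParameters;
import eu.europa.esig.dss.pades.signature.PAdESService;
import eu.europa.esig.dss.token.DSSPrivateKeyEntry;
import eu.europa.esig.dss.token.Pkcs12SignatureToken;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;
import eu.europa.esig.dss.validation.reports.wrapper.DiagnosticData;
import eu.europa.esig.dss.x509.CertificateToken;
import eu.europa.esig.dss.x509.CommonTrustedCertificateSource;

// Added example, not the question's code or DSS's own; package paths as in DSS 5.4.
public final class PadesLtvSigner {

    // An empty TrustedListsCertificateSource (no TSL loaded) trusts nothing, so the chain is
    // "untrusted" and DSS fetches no CRL/OCSP for it by default; LT then fails. Fix anchors first.
    static CommonCertificateVerifier buildVerifier(List<File> trustAnchors, boolean testPki) {
        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        for (File certFile : trustAnchors) {          // issuing CA and TSA CA, PEM or DER
            CertificateToken ca = DSSUtils.loadCertificate(certFile);
            trusted.addCertificate(ca);
        }
        verifier.setTrustedCertSource(trusted);

        // Online revocation sources; OCSPDataLoader already posts application/ocsp-request.
        CommonsDataLoader loader = new CommonsDataLoader();
        OnlineCRLSource crlSource = new OnlineCRLSource();
        crlSource.setDataLoader(loader);
        OnlineOCSPSource ocspSource = new OnlineOCSPSource();
        ocspSource.setDataLoader(new OCSPDataLoader());
        verifier.setCrlSource(crlSource);
        verifier.setOcspSource(ocspSource);
        verifier.setDataLoader(loader);               // AIA download of missing intermediates

        // Fallback from the answer: also fetch revocation data for chains no anchor covers.
        // Keep it off in production so an unanchored chain is not silently given LT data.
        if (testPki) {
            verifier.setCheckRevocationForUntrustedChains(true);
        }
        return verifier;
    }

    // Signs one PDF at PAdES-BASELINE-LT (timestamp + embedded CRL/OCSP for the whole chain).
    static DSSDocument signLt(File pdf, File p12, char[] password, String tsaUrl,
                              CommonCertificateVerifier verifier) throws IOException {
        try (Pkcs12SignatureToken token =
                     new Pkcs12SignatureToken(p12, new KeyStore.PasswordProtection(password))) {
            DSSPrivateKeyEntry key = token.getKeys().get(0);
            PAdESSignatureParameters params = new PAdESSignatureParameters();
            params.setSignatureLevel(SignatureLevel.PAdES_BASELINE_LT);
            params.setDigestAlgorithm(DigestAlgorithm.SHA256);
            params.setSigningCertificate(key.getCertificate());
            params.setCertificateChain(key.getCertificateChain());

            OnlineTSPSource tsp = new OnlineTSPSource(tsaUrl);
            tsp.setDataLoader(new CommonsDataLoader("application/timestamp-query"));
            PAdESService service = new PAdESService(verifier);
            service.setTspSource(tsp);

            DSSDocument toSign = new FileDocument(pdf);
            ToBeSigned dataToSign = service.getDataToSign(toSign, params);
            SignatureValue sig = token.sign(dataToSign, params.getDigestAlgorithm(), key);
            return service.signDocument(toSign, params, sig);
        }
    }

    // Post-signing check: an LT signature must carry revocation data for the chain.
    static boolean carriesRevocationData(DSSDocument signed, CommonCertificateVerifier verifier) {
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(signed);
        validator.setCertificateVerifier(verifier);
        Reports reports = validator.validateDocument();
        DiagnosticData diagnostic = reports.getDiagnosticData();
        return !diagnostic.getAllRevocationData().isEmpty();
    }

    public static void main(String[] args) throws IOException {
        // Paths, password and TSA URL are placeholders for the reader's own environment.
        CommonCertificateVerifier verifier = buildVerifier(
                List.of(new File("issuing-ca.pem"), new File("tsa-ca.pem")), false);
        DSSDocument signed = signLt(new File("in.pdf"), new File("signer.p12"),
                "changeit".toCharArray(), "https://tsa.example/tsr", verifier);
        signed.save("out-lt.pdf");
        System.out.println("revocation data embedded: " + carriesRevocationData(signed, verifier));
    }
}
```

If carriesRevocationData() returns false after a successful signDocument() call, the chain was still treated as untrusted: check that the certificate passed as a trust anchor is actually the issuer of the signing certificate (and of the TSA certificate), and that the CRL distribution point and OCSP responder URLs in those certificates are reachable from the signing host, as the first comment suggests.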
