LTV Enabled

[alejandroav96]

Hello.

I'm trying the pyHanko (Thanks for this!)

I have a problem, because I have a certificate .p12 and I usage the Java for signs documents.

This is a print in java when I call a function to sign document.

And the result include LTV Enabled.

But I'm trying to sing document using pyHanko, the LTV is no enabled.

This is my code:

signer = signers.SimpleSigner.load_pkcs12(
    pfx_file='certificado.p12', passphrase=b''
)

root_cer = load_cert_from_pemder('CA_ROOT.crt')
sub = load_cert_from_pemder('CA_SUB01.crt')

signature_meta = signers.PdfSignatureMetadata(
    field_name='DocumentID', 
    md_algorithm='sha256',
    subfilter=SigSeedSubFilter.PADES,
    validation_context=ValidationContext(allow_fetching=True,trust_roots=[signer.signing_cert,root_cer,sub]),
    embed_validation_info=True,
    use_pades_lta=True,
)

with open('example.pdf', 'rb') as inf:
    w = IncrementalPdfFileWriter(inf)
    with open('example-sign.pdf', 'wb') as outf:
        signers.sign_pdf(
            w, 
            signature_meta=signature_meta, 
            signer=signer,
            output=outf
        )

[MatthiasValvekens]

Hello,

trust_roots=[signer.signing_cert,root_cer,sub]

This is your problem: your trust setup is not correct. The way pyHanko collects validation data is always relative to the trust roots you specify. If the signer's certificate is part of that list, then no validation information is needed since the certificate is taken as trusted by fiat. In other words: you should only include root_cer in trust_roots, the rest goes in other_certs (and you can omit the signer's certificate from the ValidationContext altogether).

The way things work in iText is a little different; from what I remember, it will always try to build a putative path irrespective of trust settings, and just fetch validation information for each entry in the chain.

By the way, Acrobat's "LTV enabled" notion is not publicly defined anywhere with any degree of precision. The closest I've been able to come to "reverse engineering" a criterion is "Acrobat was able to validate the signature without downloading any revocation data or additional certificates". Usually this is relative to the AATL. But there are various things that the "LTV enabled"-checker doesn't bother verifying, so don't put too much stock in that.