Foxit PDF SDK for Windows

How to do Long-Term Validation of Signatures (LTV) with Foxit PDF SDK

Long term validation (LTV)

From version 7.0 onwards, Foxit PDF SDK provides APIs to establish long term validation of signatures, which mainly addresses the problem of verifying signatures that have already expired. LTV requires a DSS (Document Security Store), which contains the verification information of the signatures, as well as a DTS (Document Timestamp Signature), which is a time stamp signature.

In order to support LTV, Foxit PDF SDK provides:

  • Support for adding time stamp signatures, including a default signature callback for the subfilter “ETSI.RFC3161”.
  • TimeStampServerMgr and TimeStampServer classes, which are used to set and manage the time stamp server. The default signature callback for the subfilter “ETSI.RFC3161” uses the default time stamp server.
  • LTVVerifier class, which offers the functionality of verifying signatures and adding DSS information to documents. It also provides a basic default RevocationCallback, which LTVVerifier requires.

The following example shows how to establish long term validation of signatures using the default signature callback for subfilter “ETSI.RFC3161” and the default RevocationCallback. For more details, please refer to the simple demo “ltv” in the “\examples\simple_demo” folder of the download package.

Example:

How to establish long term validation of signatures using the default signature callback for subfilter “ETSI.RFC3161” and the default RevocationCallback

#include "include/pdf/fs_pdfdoc.h"
#include "include/pdf/fs_pdfpage.h"
#include "include/pdf/fs_signature.h"
#include "include/pdf/fs_ltvverifier.h"
...

// Initialize the time stamp server manager, then add and set a default time stamp server,
// which will be used by the default signature callback for time stamp signatures.
// server_name, server_url, server_username and server_password are supplied by the application.
TimeStampServerMgr::Initialize();
TimeStampServer timestamp_server = TimeStampServerMgr::AddServer(server_name, server_url, server_username, server_password);
TimeStampServerMgr::SetDefaultServer(timestamp_server);

// Assume that "signed_pdf_path" represents a PDF document which already contains a signed signature.
PDFDoc pdf_doc(signed_pdf_path);
pdf_doc.StartLoad();
{
    // Use LTVVerifier to verify the signatures and add DSS information for the valid ones.
    LTVVerifier ltv_verifier(pdf_doc, true, false, false, LTVVerifier::e_SignatureTSTTime);
    // Setting the verifying mode is necessary.
    ltv_verifier.SetVerifyMode(LTVVerifier::e_VerifyModeETSI);
    SignatureVerifyResultArray sig_verify_result_array = ltv_verifier.Verify();
    for (size_t i = 0; i < sig_verify_result_array.GetSize(); i++) {
        // The LTV state is e_LTVStateNotEnable at this point, because no DSS has been added yet.
        SignatureVerifyResult::LTVState ltv_state = sig_verify_result_array.GetAt(i).GetLTVState();
        // Only add DSS information for signatures that verified as valid.
        if (sig_verify_result_array.GetAt(i).GetSignatureState() & Signature::e_StateVerifyValid) {
            ltv_verifier.AddDSS(sig_verify_result_array.GetAt(i));
        }
    }
}

// Add a time stamp signature as the DTS and sign it. "saved_ltv_pdf_path" represents the newly saved signed PDF file.
PDFPage pdf_page = pdf_doc.GetPage(0);
// The new time stamp signature will have the default filter name "Adobe.PPKLite" and the default subfilter name "ETSI.RFC3161".
Signature timestamp_signature = pdf_page.AddSignature(RectF(), L"", Signature::e_SignatureTypeTimeStamp);
Progressive sign_progressive = timestamp_signature.StartSign(L"", L"", Signature::e_DigestSHA256, saved_ltv_pdf_path);
if (sign_progressive.GetRateOfProgress() != 100)
    sign_progressive.Continue();

// Then use LTVVerifier to verify the newly signed PDF file.
PDFDoc check_pdf_doc(saved_ltv_pdf_path);
check_pdf_doc.StartLoad();
{
    // Use LTVVerifier to verify the reloaded document (check_pdf_doc, not the original pdf_doc).
    LTVVerifier ltv_verifier(check_pdf_doc, true, false, false, LTVVerifier::e_SignatureTSTTime);
    // Setting the verifying mode is necessary.
    ltv_verifier.SetVerifyMode(LTVVerifier::e_VerifyModeETSI);
    SignatureVerifyResultArray sig_verify_result_array = ltv_verifier.Verify();
    for (size_t i = 0; i < sig_verify_result_array.GetSize(); i++) {
        // The LTV state is e_LTVStateEnable here, since the DSS and the DTS are now present.
        SignatureVerifyResult::LTVState ltv_state = sig_verify_result_array.GetAt(i).GetLTVState();
        ... // The user can get other information from SignatureVerifyResult.
    }
}

// Release the time stamp server manager when everything is done.
TimeStampServerMgr::Release();

PAdES

From version 7.0 onwards, Foxit PDF SDK also supports PAdES (PDF Advanced Electronic Signature), which is the application of CAdES signatures to PDF. CAdES is a new standard for advanced digital signatures; its default subfilter is “ETSI.CAdES.detached”. A PAdES signature has four levels: B-B, B-T, B-LT, and B-LTA.

  • B-B: Must include the basic attributes.
  • B-T: Must include a document time stamp or signature time stamp to provide trusted time for existing signatures, based on B-B.
  • B-LT: Must include DSS/VRI to provide certificates and revocation information, based on B-T.
  • B-LTA: Must include a trusted-time DTS covering the existing revocation information, based on B-LT.
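The following added example (not Foxit SDK code) shows how the four levels build on each other: it scans the bytes of a saved PDF for the building blocks named above, a CAdES signature, a /DSS entry and an ETSI.RFC3161 document time stamp, and reports the highest level those blocks support. It assumes an unencrypted PDF whose dictionaries are stored in clear text (no object streams); the sample input is constructed, not a real document.

```cpp
#include <cstddef>
#include <string>

enum class PadesLevel { None, BB, BT, BLT, BLTA };

struct LtvFindings {
    std::size_t cades_sig = std::string::npos; // first ETSI.CAdES.detached signature
    std::size_t dss = std::string::npos;       // /DSS entry in the catalog
    std::size_t last_dts = std::string::npos;  // last ETSI.RFC3161 document time stamp
};

// Heuristic scan: only works when the dictionaries are not inside object streams.
LtvFindings scan_pdf(const std::string& pdf) {
    LtvFindings f;
    f.cades_sig = pdf.find("/ETSI.CAdES.detached");
    f.dss = pdf.find("/DSS");
    f.last_dts = pdf.rfind("/ETSI.RFC3161");
    return f;
}

// Each level requires the previous one. A signature time stamp embedded in the CMS
// blob is hex-encoded and invisible to this scan, so only a DTS counts as trusted
// time; the DSS contents are not validated either, so treat the result as a triage hint.
PadesLevel classify(const LtvFindings& f) {
    const std::size_t npos = std::string::npos;
    if (f.cades_sig == npos) return PadesLevel::None;
    if (f.last_dts == npos) return PadesLevel::BB;   // no trusted time found
    if (f.dss == npos) return PadesLevel::BT;        // trusted time, but no DSS/VRI
    // B-LTA needs a DTS that covers the revocation data, i.e. one written in an
    // incremental update after the DSS (higher file offset).
    return f.last_dts > f.dss ? PadesLevel::BLTA : PadesLevel::BLT;
}

const char* level_name(PadesLevel l) {
    switch (l) {
        case PadesLevel::BB:   return "B-B";
        case PadesLevel::BT:   return "B-T";
        case PadesLevel::BLT:  return "B-LT";
        case PadesLevel::BLTA: return "B-LTA";
        default:               return "not a PAdES signature";
    }
}

// Constructed sample: CAdES signature, then an incremental update adding /DSS,
// then a final document time stamp, which is the layout the LTV flow above produces.
const std::string kSampleBLTA =
    "%PDF-1.7\n"
    "5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached >> endobj\n%%EOF\n"
    "7 0 obj << /Type /Catalog /DSS 8 0 R >> endobj\n%%EOF\n"
    "9 0 obj << /Type /DocTimeStamp /Filter /Adobe.PPKLite /SubFilter /ETSI.RFC3161 >> endobj\n%%EOF\n";
```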

Foxit PDF SDK provides a default signature callback for the subfilter “ETSI.CAdES.detached” to sign and verify signatures with that subfilter. It also provides the TimeStampServerMgr and TimeStampServer classes to set and manage the time stamp server. The default signature callback for the subfilter “ETSI.CAdES.detached” uses the default time stamp server.

The different levels of PAdES are handled at the application level according to the related requirements. For more details about how to add, sign and verify a PAdES signature in a PDF document, please refer to the simple demo “pades” in the “\examples\simple_demo” folder of the download package.

Updated on September 11, 2019
