How to update DSS dictionary for revocation information and certificates of embedded signature timestamp?


I am using this flow for performing digital signatures using an external trust service provider.

I have integrated this approach to add a timestamp to my current certifying signature.

Using these, I am able to perform a signature timestamp with an embedded trusted timestamp.

In the DSS dictionary of my PDF, I have added revocation information before calling saveIncrementalForExternalSigning. But I am unable to add revocation information and certificates for the timestamp, since the timestamp token is not available before saveIncrementalForExternalSigning. Later on, when I get the timestamp token, I am making changes to the DSS dictionary, but they are not being reflected in the output PDF. Below is my source code flow:

    public ByteArrayOutputStream getSignedStream(PDDocument document, SignRequest request, Certificate[] certificateChain) throws Exception {

        // adding revocation info for signature
        validationService.addValidationInformation(document, certificateChain);

        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        ExternalSigningSupport externalSigningSupport = document.saveIncrementalForExternalSigning(outputStream);

        InputStream inputStream = request.getDocument();
        CMSSignedData signedData = generateCMSSignedData(certificateChain, externalSigningSupport, inputStream, signParams...);

        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        // Initialized TSAClient
        tsaClient = new TimestampClient(new URL(options.getUrl()),
            options.getUsername(), options.getPassword(), digest);

        // Here, timestampToken is generated using the signedData InputStream
        signedData = TimestampUtil.addSignedTimeStamp(signedData, tsaClient, document);

        // Using above timestamp token, certificates and revocation information is available now.
        CMSSignedData data = new CMSSignedData(TSAUtil.token);
        TimeStampToken timeStampToken = new TimeStampToken(data);
        Store certificatesStore = timeStampToken.getCertificates();
        TSAUtil.certificates = TSARevocationInfoUtil.convertCertificates(certificatesStore);

        /* trying to add revocation info for timestamp to DSS dictionary, which is not being reflected in output document */
        validationService.addValidationInformation(document, certificateChain);

        byte[] cmsSignature = signedData.getEncoded();
        externalSigningSupport.setSignature(cmsSignature);

        return outputStream;
    }

Also, with certifying signatures, I want to use DocMDP permission 1 (no changes allowed). So, I cannot save the document multiple times.

Please suggest how I can update the DSS dictionary for the certificates of the embedded signature timestamp without corrupting the document and in compliance with DocMDP permission 1.
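One way to have the TSA certificates in hand before saveIncrementalForExternalSigning is to send a throwaway RFC 3161 request first. The following is an added example, not part of the original question and not PDFBox's own code. It uses Bouncy Castle; the class name `TsaCertProbe` is hypothetical, and it assumes an unauthenticated TSA endpoint that signs the probe with the same certificate chain it will use for the real signature timestamp.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.tsp.TSPAlgorithms;
import org.bouncycastle.tsp.TimeStampRequest;
import org.bouncycastle.tsp.TimeStampRequestGenerator;
import org.bouncycastle.tsp.TimeStampResponse;

// Hypothetical helper: collects the certificates a TSA embeds in its tokens.
public final class TsaCertProbe {
    public static List<X509Certificate> fetchTsaCertificates(URL tsaUrl) throws Exception {
        // Imprint of empty input: the probe token is discarded, only its certificates matter.
        byte[] probeImprint = MessageDigest.getInstance("SHA-256").digest(new byte[0]);
        TimeStampRequestGenerator generator = new TimeStampRequestGenerator();
        generator.setCertReq(true); // ask the TSA to include its certificates in the token
        TimeStampRequest tsRequest = generator.generate(
                TSPAlgorithms.SHA256, probeImprint, new BigInteger(64, new SecureRandom()));

        HttpURLConnection connection = (HttpURLConnection) tsaUrl.openConnection();
        connection.setDoOutput(true);
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/timestamp-query");
        try (OutputStream out = connection.getOutputStream()) {
            out.write(tsRequest.getEncoded());
        }
        TimeStampResponse tsResponse;
        try (InputStream in = connection.getInputStream()) {
            tsResponse = new TimeStampResponse(in);
        }
        tsResponse.validate(tsRequest); // rejects a mismatched nonce or message imprint
        if (tsResponse.getTimeStampToken() == null) {
            throw new IllegalStateException("TSA returned no token, status " + tsResponse.getStatus());
        }
        List<X509Certificate> certificates = new ArrayList<>();
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        for (X509CertificateHolder holder
                : tsResponse.getTimeStampToken().getCertificates().getMatches(null)) {
            certificates.add(converter.getCertificate(holder));
        }
        return certificates;
    }
}
```

The returned certificates would be passed to the same validation-information step as the signer chain, before saveIncrementalForExternalSigning is called. After signing, compare the certificates in the real timestamp token against the probed ones, since a TSA may rotate or load-balance its signing certificates.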
