I'm generating a PDF document with signature and I want it to be LTV enabled. For this, I sign the PDF when creating it and then I add the second version containing the DSS with the validation related information (VRI). As I found in some articles, I need to add the Certificate chain (without the root certificate - Authority) and the Certificate Revocation List (CRL). In my case, both will have 2 elements. After that I add the entry for the VRI which is a SHA-1 hash of the signature content (found in the first PDF version in the /Contents) with the value which refers to the Certificates and CRL mentioned above.
For both the certificates and the revocation list elements I use the raw bytes stream of the content.
Here is my PDF sample
Edit:
The way I obtain the CRL information is using WinCrypt like this:
#include <windows.h>
#include <wincrypt.h>

//Retrieve chained certificate
PCCERT_CHAIN_CONTEXT ppChainContext = NULL;
if(!CertGetCertificateChain(hChainEngine, pSignerCert, pTime, hAdditionalStore, &chainPara, dwFlags, NULL, &ppChainContext))
    return NULL;

//first cert in chain is the end cert; last one is the root cert
//(pRevocationInfo is only filled in when dwFlags asks for revocation checking,
// e.g. CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT)
for(DWORD i = 0; i < ppChainContext->cChain; ++i)
{
    PCERT_SIMPLE_CHAIN simpleChain = ppChainContext->rgpChain[i];
    for(DWORD j = 0; j + 1 < simpleChain->cElement; j++)//do not include root certificate
    {
        PCERT_CHAIN_ELEMENT chainElement = simpleChain->rgpElement[j];
        if(chainElement->pCertContext)
        {
            //the certificate bytes (DER) and their length
            BYTE* certBytes = chainElement->pCertContext->pbCertEncoded;
            DWORD certLen   = chainElement->pCertContext->cbCertEncoded;
        }
        if(chainElement->pRevocationInfo && chainElement->pRevocationInfo->pCrlInfo)
        {
            PCCRL_CONTEXT crlContext = chainElement->pRevocationInfo->pCrlInfo->pBaseCrlContext;//get revocation context
            //the bytes that will be written in PDF (DER) and their length
            BYTE* crlBytes = crlContext->pbCrlEncoded;
            DWORD crlLen   = crlContext->cbCrlEncoded;
        }
    }
}
CertFreeCertificateChain(ppChainContext);
It's the same solution that worked for this issue: Another issue
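The DSS/VRI structure described in the question, written out as an added example (this is not code from the question or from any PDF library). It assumes a constructed signature dictionary whose /Contents hex string decodes to a few placeholder bytes, toy DER blobs standing in for the certificates and CRLs obtained from WinCrypt, and object numbers chosen by the caller; the VRI key is the uppercase hex SHA-1 of the decoded /Contents bytes exactly as stored in the first revision, zero padding included, which is the convention common PDF validators follow but should be checked against the reader you target:

```python
"""Build the /DSS dictionary with /Certs, /CRLs and a /VRI entry for one signature."""
import hashlib
import re

# Constructed sample signature dictionary from the first PDF revision.
# Real /Contents values are kilobytes of DER CMS followed by zero padding;
# here the hex decodes to b"abc\x00\x00" so the example stays readable.
SAMPLE_SIG_DICT = (b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n"
                   b"   /Contents <616263 0000> /ByteRange [0 100 200 300] >>")

# Toy DER blobs standing in for pbCertEncoded / pbCrlEncoded (assumption: not real certs).
SAMPLE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_CRLS = [b"\x30\x03\x02\x01\x03", b"\x30\x03\x02\x01\x04"]


def extract_contents(sig_dict):
    """Decode the /Contents hex string of a signature dictionary, padding included.
    PDF hex strings may contain whitespace and may end on an odd digit (read as 0)."""
    m = re.search(rb"/Contents\s*<([0-9A-Fa-f\s]*)>", sig_dict)
    if m is None:
        raise ValueError("no hex-string /Contents in signature dictionary")
    hexdigits = re.sub(rb"\s", b"", m.group(1))
    if len(hexdigits) % 2:
        hexdigits += b"0"
    return bytes.fromhex(hexdigits.decode("ascii"))


def vri_key(contents):
    """VRI dictionary key: uppercase hex SHA-1 over the raw /Contents bytes."""
    return hashlib.sha1(contents).hexdigest().upper()


def pdf_stream(obj_num, data):
    """Serialize raw DER bytes as an indirect stream object (no filter, binary body)."""
    head = "{} 0 obj\n<< /Length {} >>\nstream\n".format(obj_num, len(data))
    return head.encode("latin-1") + data + b"\nendstream\nendobj\n"


def build_dss(sig_contents, certs, crls, first_obj_num):
    """Return (dss_object_bytes, stream_objects, dss_obj_num).

    certs: DER certificates of the chain (root excluded, as in the question).
    crls:  DER CRLs covering those certificates.
    Objects are numbered consecutively starting at first_obj_num; the DSS
    dictionary itself takes the number after the last stream."""
    objects, cert_refs, crl_refs = [], [], []
    n = first_obj_num
    for der in certs:
        objects.append(pdf_stream(n, der))
        cert_refs.append("{} 0 R".format(n))
        n += 1
    for der in crls:
        objects.append(pdf_stream(n, der))
        crl_refs.append("{} 0 R".format(n))
        n += 1
    key = vri_key(sig_contents)
    dss = ("{} 0 obj\n<< /Type /DSS\n"
           "   /Certs [{}]\n"
           "   /CRLs [{}]\n"
           "   /VRI << /{} << /Cert [{}] /CRL [{}] >> >>\n"
           ">>\nendobj\n").format(n, " ".join(cert_refs), " ".join(crl_refs),
                                   key, " ".join(cert_refs), " ".join(crl_refs))
    return dss.encode("latin-1"), objects, n


if __name__ == "__main__":
    contents = extract_contents(SAMPLE_SIG_DICT)
    dss, streams, dss_num = build_dss(contents, SAMPLE_CERTS, SAMPLE_CRLS, 10)
    for s in streams:
        print(s.decode("latin-1", errors="replace"))
    print(dss.decode("latin-1"))
    print("catalog entry for the update: /DSS {} 0 R".format(dss_num))
```

The stream objects and the DSS dictionary go into the incremental update (second revision) together with an updated catalog carrying `/DSS n 0 R`; the cross-reference section and trailer for that update are not generated here. The hex decoder deliberately keeps the trailing zero bytes: stripping them before hashing changes the VRI key, and a validator that hashes the stored string will then fail to find the entry.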