OCSP responses, timestamps, CRLs and certificate data need to be saved into the PDF for future digital signature validation. This is also called PAdES LTV, or in eIDAS terminology PAdES-BASELINE-LT.
In one of the previous posts about PAdES we examined how to create a PAdES signature from scratch. We created an ETSI.CAdES.detached signature and placed it into the ByteRange. This approach produces at most PAdES-BASELINE-T, even though the CAdES signature we embedded is CAdES-BASELINE-LT.
To make a PDF digital signature PAdES LTV (PAdES Long Term), we need to create a Document Security Store (DSS) and optionally also Validation Related Information (VRI). When all the certificates, OCSP responses and CRLs are captured at the time of signing, then at any later point, when the signer certificate has expired or some OCSP responders are no longer available, we can still verify the signature exactly as it could be verified before. Without this information we might not be able to verify the signature in the future.
It is mandatory to also include a timestamp. If your CAdES signature already contains a timestamp, that is enough. If not, the timestamp can also be applied to the PDF separately.
Since VRI duplicates the same information as DSS, ETSI EN 319 142-1 states:
The VRI dictionary should not be used. The inclusion of VRI dictionary entries is optional. All validation material referenced in VRI entries is also referenced in DSS entries.
Here is one example of a PDF tree structure with a PAdES LTV digital signature and DSS that validates as a Qualified Electronic Signature (QESig), PAdES-BASELINE-LT:
How to create DSS?
The first step is to add the signature to the PDF file. Once this is done, you can add the DSS in an incremental update, so the bytes covered by the signature's ByteRange stay untouched.
For the DSS you need to collect all related certificates: the signer certificate, CA certificates, the OCSP responder certificate and the timestamp server certificate, and add them to the Certs array of the DSS dictionary.
You also need to collect all the OCSP responses, and CRLs where an OCSP response is missing. These go into the corresponding OCSPs and CRLs arrays of the DSS dictionary.
You need to use some kind of PDF editing library for this. In Java it is possible to use PDFBox.
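The DSS step above, as an added example (not code from the original post or from eID Easy) using the PDFBox 2.x API. It assumes the caller has already collected the DER-encoded certificates, OCSP responses and CRLs as byte arrays (for example from the CAdES signature and the TSA response); the class and method names are hypothetical.

```java
// Added example: append a DSS dictionary to an already signed PDF as an
// incremental update with PDFBox 2.x. Input lists hold DER-encoded blobs
// collected elsewhere (hypothetical caller, not part of the original post).
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.List;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.common.PDStream;

public class AddDss {

    /** Wraps each DER blob in a FlateDecode stream and collects them into a PDF array. */
    private static COSArray toStreamArray(PDDocument doc, List<byte[]> blobs) throws IOException {
        COSArray arr = new COSArray();
        for (byte[] der : blobs) {
            PDStream s = new PDStream(doc, new ByteArrayInputStream(der), COSName.FLATE_DECODE);
            arr.add(s);
        }
        return arr;
    }

    /** Loads signedPdf, adds /DSS with Certs, OCSPs and CRLs, and writes out with an incremental update. */
    public static void addDss(File signedPdf, File out, List<byte[]> certsDer,
                              List<byte[]> ocspsDer, List<byte[]> crlsDer) throws IOException {
        try (PDDocument doc = PDDocument.load(signedPdf)) {
            COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
            COSDictionary dss = new COSDictionary();
            dss.setItem(COSName.getPDFName("Certs"), toStreamArray(doc, certsDer));
            if (!ocspsDer.isEmpty()) {
                dss.setItem(COSName.getPDFName("OCSPs"), toStreamArray(doc, ocspsDer));
            }
            if (!crlsDer.isEmpty()) {
                dss.setItem(COSName.getPDFName("CRLs"), toStreamArray(doc, crlsDer));
            }
            catalog.setItem(COSName.getPDFName("DSS"), dss);
            // Mark the modified catalog so saveIncremental() appends a new revision
            // instead of rewriting the file, which would break the existing signature.
            dss.setNeedToBeUpdated(true);
            catalog.setNeedToBeUpdated(true);
            try (FileOutputStream fos = new FileOutputStream(out)) {
                doc.saveIncremental(fos);
            }
        }
    }
}
```

After saving, the original signed bytes remain intact and the new revision only adds the catalog and DSS objects; a validator that sees the Certs, OCSPs and CRLs arrays together with a timestamp can then evaluate the signature as PAdES-BASELINE-LT.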
If you are an experienced cryptography developer, you can use the principles outlined in this document and implement this solution yourself; if not, we recommend getting an expert to build the PDF digital signature part for you.
To get eID Easy experts' advice on your big project regarding PDF digital signatures, you are welcome to get in touch at info@eideasy.com