Hi,
The method AddValidationInfo seems to retrieve OCSPs from the certificate but also the CRLs from, e.g., the intermediate certificate. Is there an option to skip the CRLs? For PAdES B-LT the OCSP of the signer certificate is enough.
Thanks,
Fannar
Hi,
The method AddValidationInfo(PdfSignature) will download validation-related information for the signature and the signature’s timestamp and embed it in the PDF file, effectively making the signature “LTV enabled” and possible to validate without Internet access.
This means that not only revocation information of the signer’s certificate chain and the timestamper’s certificate chain is collected, but also revocation information of the OCSP response signer’s certificate is collected, for each collected OCSP response.
GemBox.Pdf first tries to retrieve the OCSP response and retrieves the CRL only if the OCSP response cannot be retrieved. The only exception is the OCSP response signer’s certificate, for which the CRL is tried first.
If you want to avoid adding the CRL, you can retrieve the validation info for the signer’s certificate and the timestamper’s certificate using the GetValidationInfo(PdfCertificate) method and then create and add a new PdfSignatureValidationInfo by filtering out CRLs of the PdfSignatureValidationInfo instance returned by the GetValidationInfo(PdfCertificate) method.
Regards,
Stipo
Hi! Thanks again for a great explanation!
Have you thought about having this as an option? Commercial tools I have tried seem to only use CRL if OCSP is not found. When I sign a document with multiple signatures the file gets quite big as we need the CRL for each signature.
I will test out the method you suggest.
Thanks again!
Fannar
Hi!
GemBox.Pdf does the same as other commercial tools - use CRL only if OCSP is not found. The only exception is the certificate for the OCSP response. OCSP response is also signed, and to be able to validate the document’s signature without Internet access, validation/revocation info for the OCSP response signer certificate must also be retrieved.
An OCSP response signer certificate usually specifies CRL as revocation info because it is unusual that the OCSP response has another OCSP response as its revocation info.
As mentioned in my previous post, you can retrieve the validation/revocation info yourself via the GetValidationInfo method and then create a new PdfSignatureValidationInfo from certificates and OCSP responses (but not CRLs) of the returned PdfSignatureValidationInfo and add it to the document’s security store.
Regards,
Stipo
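The OCSP-only approach Stipo describes in his two replies above, written out as an added example (this is not code from the thread or from GemBox). Beyond the members the thread names (GetValidationInfo(PdfCertificate), PdfSignatureValidationInfo, the document's security store), it assumes a PdfDocument.SecurityStore property, an AddValidationInfo(PdfSignatureValidationInfo) overload, a PdfSignatureValidationInfo constructor taking (certificates, ocspResponses, crls), Certificates/OcspResponses/Crls properties on that class, and PdfCrl as the CRL element type; the caller supplies the signer and timestamper certificates.

```csharp
using System.Collections.Generic;
using System.Linq;
using GemBox.Pdf;
using GemBox.Pdf.Security;

static class OcspOnlyLtv
{
    // Collects validation info for each given certificate (signer, timestamper),
    // strips the CRLs and stores the OCSP-only result in the document's security
    // store. Returns the number of CRLs that were dropped.
    public static int AddValidationInfoWithoutCrls(PdfDocument document, IEnumerable<PdfCertificate> certificates)
    {
        var store = document.SecurityStore;          // assumption: security store property
        int droppedCrls = 0;

        foreach (var certificate in certificates)
        {
            // GemBox tries OCSP first and falls back to CRL only where OCSP failed
            // (and for the OCSP responder certificate), so this may contain both kinds.
            PdfSignatureValidationInfo full = store.GetValidationInfo(certificate);

            // Caveat: if only CRLs came back, dropping them would leave this chain with
            // no revocation data at all and the signature would not be LTV-complete,
            // so keep the original info unchanged in that case.
            if (!full.OcspResponses.Any() && full.Crls.Any())
            {
                store.AddValidationInfo(full);
                continue;
            }

            droppedCrls += full.Crls.Count();

            // Rebuild the info with the same certificates and OCSP responses, no CRLs.
            var ocspOnly = new PdfSignatureValidationInfo(
                full.Certificates,
                full.OcspResponses,
                Enumerable.Empty<PdfCrl>());          // assumption: constructor and PdfCrl type
            store.AddValidationInfo(ocspOnly);
        }

        return droppedCrls;
    }
}
```

Call it once per signature after signing and timestamping, then save the document; re-validate the result in a viewer that reports LTV status to confirm nothing needed was dropped.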
Hi!
This was not only a CRLs problem but also a font problem. The method you mentioned to skip the CRLs reduced the file size by around 150KB, so that is good, but when I set the signature appearance font the file grows by an additional 211KB. If I skip setting the font I don’t get UTF8 characters in the visible signature.
Thanks,
Fannar
Maybe this should be an option? The file without CRLs is 100% valid in Acrobat and validators.
Hi,
Sorry for the late response.
When setting the signature appearance font to any non-standard PDF font, GemBox.Pdf embeds the entire font file in the PDF to maintain behavior compatible with Adobe Acrobat and to enable fields that might be changed later to use that same font. Usually, GemBox.Pdf embeds just the subset of the font file (just the glyphs used in the PDF), but in this particular case, the entire font is embedded because we do not know what glyphs might be needed for possible later usage of this font file by other fields.
When using any of the standard PDF fonts (like the default Helvetica), the font file doesn’t need to be embedded, but these fonts support only the Latin character set.
We will consider adding an option not to embed the entire font file, and in that case, the font will be used just to create the signature appearance for the currently signing signature field and won’t be preserved in the file.
Regarding the certificate for the OCSP response, it seems that Adobe Reader doesn’t check revocation of OCSP responder if it has the OCSP No-Check extension set. We will consider implementing the same approach - to not retrieve the revocation information in that case.
Regards,
Stipo
Hi,
Please try again with this NuGet package:
Install-Package GemBox.Pdf -Version 2025.11.108
Note that this is a hidden (unlisted) version. To install it, you’ll need to run the above command on the NuGet Package Manager Console (Tools → NuGet Package Manager → Package Manager Console).
We have added support for not embedding the full font used in the signature appearance, reducing the output file size.
For this, please try setting the PdfSignatureAppearance.IsFontTransient to true before setting the PdfSignatureAppearance.Font.
Also, the OCSP responder certificate validation info will no longer be downloaded if the certificate has an OCSP No-Check extension, because Adobe Reader considers it valid for the same reason and doesn’t perform any revocation checks.
Does this solve your issue?
Regards,
Mario