Discuss this help topic in SecureBlackbox Forum

Deal with typical CAdES validation problems

Note that while referring to signature validation problems, this article also applies some signature creation problems. Most signature creation activities are essentially the same as validation ones and involve one or more certificate chain validation runs. Chain validation issues are most common CAdES-related problems. Hence, this article will be useful for those validating CAdES signatures, updating them (e.g., archiving), or creating signatures from scratch.

SecureBlackbox offers a dedicated component, TElCAdESSignatureProcessor capable of creating, updating and validating CAdES signatures. Its signature creation methods behave differently from those devoted to validation. Methods such as CreateXXX() (e.g., CreateXL()) and UpgradeToXXX() (e.g., UpgradeToXLBase()) throw exceptions if something goes wrong. The Validate() method dumps all internal exceptions and comes up with a well-defined validation result (Valid, Invalid or Incomplete).

If you came across a validation issue when creating/updating the signature, please start with inspecting the exception message carefully to get a hint about possible failure reasons. Three reasons are most common:

  1. It is impossible to upgrade the signature from one level to another due to conceptual violation (e.g., you can't upgrade an XL signature to CAdES-T). In this case you will get an exception message like 'Signature cannot be upgraded to the specified level'.
  2. You requested an extended signature to be created, but the chain cannot be validated due to missing certificates or unavailable revocation information sources.
  3. If you are creating a timestamped signature, the unavailability of the TSA at the signing moment will induce an exception.

Validation operations typically fail due to the following reasons:

  1. Signature value is invalid (the data was altered or corrupted). In this case the asvInvalid result is returned. This problem is often caused by forgetting to attach the content corresponding to a detached signature. Please ensure that you are feeding signed content to TElSignedCMSMessage.Open() when opening detached signatures.
  2. Signing certificate is not valid for signing or revoked. asvInvalid result is returned. This means that the signature can't be considered trusted, there's nothing else you can do about it.
  3. Signing certificate chain (or any related chain, such as timestamping certificate chain) can't be validated. There are plenty of reasons for it. A good idea is to check the validation log.
    Some hints can be provided by the CompatibilityErrors property. They can be used to track various CAdES compatibility issues that might have taken place. For instance, the absence of SigningCertificateV2 attribute is reported by CompatibilityErrors.

Chain validation is a complicated area full of pitfalls, it is impossible to cover all reasons for validation failure in a short article. Please feel free to contact our customer support, and we will do our best to help you solve your problem.

How To articles about CAdES

Discuss this help topic in SecureBlackbox Forum