EldoS | Feel safer!

Software components for data protection, secure storage and transfer

trusting of signed pdf ?

#8698
Posted: 01/23/2009 06:22:05
by Kvetoslav Jansta (Standard support level)
Joined: 05/06/2008
Posts: 56

Hi, I have one question/problem with pdf and trusting.

signed document is still not trusted,
error : Signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities.

using delphi, pdfblackbox, win xp.
ROOT CA -> Qualified CA -> my_cert

ROOT CA is stored in current_user / root
Qualified CA is installed in intermediate or in root too
my_cert is not installed on PC of my customer.

why is it not trusted ?
thank you, slava
#8699
Posted: 01/23/2009 06:31:33
by Ken Ivanov (EldoS Corp.)

Acrobat supports two signing/validation modes, Adobe.PPKMS and Adobe.PPKLite. The first mode makes Acrobat use Windows system stores to validate a certificate. If the signature is created in Adobe.PPKLite mode, the signing certificate is validated with certificates contained in Acrobat certificate store.

Please perform the following assignment prior to saving the document to make SBB create a signature that should be validated using Windows system stores:

PublicKeyHandler.CustomName := 'Adobe.PPKMS';
#8705
Posted: 01/23/2009 07:25:09
by Kvetoslav Jansta (Standard support level)
Joined: 05/06/2008
Posts: 56

Quote
Innokentiy Ivanov wrote:
Acrobat supports two signing/validation modes, Adobe.PPKMS and Adobe.PPKLite. The first mode makes Acrobat use Windows system stores to validate a certificate. If the signature is created in Adobe.PPKLite mode, the signing certificate is validated with certificates contained in Acrobat certificate store.

Please perform the following assignment prior to saving the document to make SBB create a signature that should be validated using Windows system stores:

PublicKeyHandler.CustomName := 'Adobe.PPKMS';


ok, but I had Adobe.PPKMS long time ago :(
#8709
Posted: 01/23/2009 07:38:29
by Ken Ivanov (EldoS Corp.)

Please try to add the intermediate CA certificate to the TElPDFPublicKeySecurityHandler.CertStorage store along with the signing certificate and check if it helps. If it doesn't, please provide us the version number of the Adobe Acrobat that fails to validate the signature, so that we can try to reproduce the issue here.
#8712
Posted: 01/23/2009 08:34:56
by Kvetoslav Jansta (Standard support level)
Joined: 05/06/2008
Posts: 56

Quote
Innokentiy Ivanov wrote:
Please try to add the intermediate CA certificate to the TElPDFPublicKeySecurityHandler.CertStorage store along with the signing certificate and check if it helps. If it doesn't, please provide us the version number of the Adobe Acrobat that fails to validate the signature, so that we can try to reproduce the issue here.


I understand, you want me to install intermediate CA to MY store, cause there is my signing cert.
ok, I have saved this intermediate CA to the same store as signing cert, so MY.
I did it in mmc console.

no change, no effect, still the same error.
document signed, not changed, but not trusted.
Adobe reader 8.
#8715
Posted: 01/23/2009 08:48:06
by Ken Ivanov (EldoS Corp.)

Quote
I understand, you want me to install intermediate CA to MY store, cause there is my signing cert.

There's actually no need to install the intermediate certificate to the system MY store -- please just try to include it in the signature by adding it to the TElPDFPublicKeySecurityHandler.CertStorage store.

We will try to reproduce the issue here.
#8716
Posted: 01/23/2009 09:36:15
by Ken Ivanov (EldoS Corp.)

BTW, Windows integration must be explicitly turned on in Adobe Reader. Please go to Edit->Preferences menu and then to Security->Advanced Preferences dialog. Ensure that "Validating Signatures" and/or "Validating Certified Documents" checkboxes on the Windows Integration tab are checked.
#8721
Posted: 01/26/2009 03:16:40
by Kvetoslav Jansta (Standard support level)
Joined: 05/06/2008
Posts: 56

Quote
Innokentiy Ivanov wrote:
BTW, Windows integration must be explicitly turned on in Adobe Reader. Please go to Edit->Preferences menu and then to Security->Advanced Preferences dialog. Ensure that "Validating Signatures" and/or "Validating Certified Documents" checkboxes on the Windows Integration tab are checked.


Hi, thank you very much, now, it's clear :)

best regards, slava jansta
#18212
Posted: 11/16/2011 09:36:45
by Marc Meister (Standard support level)
Joined: 08/19/2011
Posts: 10

Quote
Innokentiy Ivanov wrote:
Please try to add the intermediate CA certificate to the TElPDFPublicKeySecurityHandler.CertStorage store along with the signing certificate and check if it helps. If it doesn't, please provide us the version number of the Adobe Acrobat that fails to validate the signature, so that we can try to reproduce the issue here.
Innokentiy Ivanov,

Hi Ivanov,

I have the same problem, signature identity unknown. Can you help me with how to add the root certificate? It shows up in the Windows Cert Store under Trusted Root Certification Authorities. I use VB.net in VS2010; so far I can load the certificates from the SystemStore, which lists all certificates from the "Personal Certificates" in the Windows Certificate store.

SystemStore = New TElWinCertStorage

Some of my code....
===================
CertStorage.Clear()
CertStorage.Add(Cert, True) ' Add signing certificate
CertStorage.Add(Cert_RootCA, True) ' Add CA root certificate
PublicKeyHandler.CertStorage = CertStorage
PublicKeyHandler.SignatureType = TSBPDFPublicKeySignatureType.pstPKCS7SHA1
PublicKeyHandler.CustomName = "Adobe.PPKMS"

I got most of this code from the TinySigner example.

Thanks
#18214
Posted: 11/16/2011 09:50:53
by Ken Ivanov (EldoS Corp.)

As far as I can see, you are already adding the root certificate with the following line of code (though there is no need to pass True as the second parameter, as there is no need to copy it with a private key):

CertStorage.Add(Cert_RootCA, True) ' Add CA root certificate

What you [apparently] should do here, is to add an intermediate CA certificate to the CertStorage together with signing and root certificates. I.e. you should load this intermediate certificate from somewhere (system store, file, ...), and add another line of code that will add it to the storage:

CertStorage.Add(Cert_IntermediateCA, False)
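
The reply above says to load the intermediate certificate "from somewhere" before adding it to CertStorage. As an added example (not code from this thread or from SecureBlackbox), the VB.NET program below uses the standard .NET X509Chain class to list the issuer certificates Windows can find for a signing certificate and reports when no path to a root exists in the local stores. The module and function names are hypothetical, the thumbprint is a placeholder, and converting each result into the certificate object that CertStorage.Add expects is left to the caller.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography.X509Certificates

Module ChainCheck
    ' Issuer certificates Windows can locate for signingCert, ordered from the
    ' direct issuer up to the root. Revocation is not checked: the aim is only
    ' to collect the chain that should accompany the signature.
    Function GetIssuerChain(signingCert As X509Certificate2) As List(Of X509Certificate2)
        Dim issuers As New List(Of X509Certificate2)()
        Dim chain As New X509Chain()
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck
        chain.Build(signingCert) ' ChainElements is populated even if Build returns False
        For i As Integer = 1 To chain.ChainElements.Count - 1 ' element 0 is signingCert
            issuers.Add(chain.ChainElements(i).Certificate)
        Next
        Return issuers
    End Function

    ' True when the collected chain ends in a self-signed (root) certificate.
    Function EndsAtRoot(issuers As List(Of X509Certificate2)) As Boolean
        If issuers.Count = 0 Then Return False
        Dim last As X509Certificate2 = issuers(issuers.Count - 1)
        Return last.Subject = last.Issuer
    End Function

    Sub Main()
        ' Placeholder: thumbprint of the signing certificate in CurrentUser\My.
        Dim thumbprint As String = "<SIGNING-CERT-THUMBPRINT>"
        Dim store As New X509Store(StoreName.My, StoreLocation.CurrentUser)
        store.Open(OpenFlags.ReadOnly)
        Dim found As X509Certificate2Collection =
            store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
        store.Close()
        If found.Count = 0 Then
            Console.WriteLine("Signing certificate not found in CurrentUser\My")
            Return
        End If
        Dim issuers As List(Of X509Certificate2) = GetIssuerChain(found(0))
        For Each c As X509Certificate2 In issuers
            Console.WriteLine("{0}  [{1}]", c.Subject, c.Thumbprint)
        Next
        If Not EndsAtRoot(issuers) Then
            Console.WriteLine("No complete chain to a root was found in the local stores")
        End If
    End Sub
End Module
```

Running it on the signing machine shows which intermediate and root certificates belong in the signature; running it on the validating machine shows whether that machine can reach a root on its own.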
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.