EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Invalid signature on different computers

#10911
Posted: 08/28/2009 18:04:05
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

Hi,

I haven't found anything on this forum, nor in any of the articles closely related to this topic to give me an answer.

There is a certificate on an iKey 2032 password-protected (PIN) token issued by Entrust CA for Adobe for the company I work for. This certificate is automatically installed in Windows (Personal tab) along with the Entrust CA for Adobe certificate (Intermediate CA tab) when the token is plugged in for the first time.

If I use Acrobat Standard to sign a PDF document ("File/Save as Certified Document" or "Advanced/Sign & Certify/Certify with Visible Signature"), and open it on a different machine, the certified signature is valid.

If I use the code I built (inspired by the Signer project in the SecureBlackbox.NET\Samples\C# folder), the document shows an invalid certified signature when opened on different computers.

Can you please take a look and show me where I may have gone wrong? Code attached.

Also:
1. In all cases I started with the same new document.
2. If I unplug the token, all files certified by both Adobe and SecureBlackbox show valid certified signature on my computer.
3. The PIN has been manually entered in all cases (need to contact Entrust/SafeNet about the DLL to access the device).
4. SetLicenseKey set as in the sample (using the trial version).

Thank you,
Cezar

#10912
Posted: 08/29/2009 05:55:25
by Eugene Mayevski (EldoS Corp.)

Most likely the CA certificate for your signing certificate is not found.

Let's start diagnostics with the sample application. If you use the sample application and the certificate mapped to Windows Certificate Storage, what happens during validation on
a) your computer
b) other computers?

Also, you can try adding the complete certificate chain to the document and also set the CustomName property to "Adobe.PPKMS". This name is used by Acrobat and Reader to look for the certificates when validating them. "Adobe.PPKLite" causes Adobe tools to look for certificates in internal storage. "Adobe.PPKMS" causes Adobe tools to look for certificates in Windows Certificate storage.


Sincerely yours
Eugene Mayevski
#10922
Posted: 08/31/2009 15:29:42
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

Quote
Most likely the CA certificate for your signing certificate is not found.


The other computers don't have Entrust CA for Adobe installed at all. However, when certified in Acrobat Standard, the document shows a valid certified signature.

Quote
Let's start diagnostics with the sample application. If you use the sample application and the certificate mapped to Windows Certificate Storage, what happens during validation on
a) your computer
b) other computers?


I used the sample application. On the computer I have the token plugged in, Adobe shows me the document with a valid certified signature. On the other computers, the signature is still invalid.

Quote
Also, you can try adding the complete certificate chain to the document AND also set CustomName property to "Adobe.PPKMS".


Back to my code, I changed from Adobe.PPKLite to Adobe.PPKMS and added the certificate from Entrust CA for Adobe found in the CA storage, as in the example below. It found the certificate correctly and showed one chain in the storage. I didn't add Adobe Root CA, which is the issuer of Entrust CA for Adobe. This is listed in Trusted Identities in Adobe, but not in Windows.

Code
certStorage.Clear();
certStorage.Add(certCA, false);   // intermediate CA (Entrust CA for Adobe) taken from the Windows CA store; no private key
certStorage.Add(cert, true);      // signing certificate from the token; copy its private key so the handler can sign

publicKeyHandler.CertStorage = certStorage;
publicKeyHandler.SignatureType = TSBPDFPublicKeySignatureType.pstPKCS7SHA1;   // PKCS#7 signature with SHA-1 digest
publicKeyHandler.CustomName = "Adobe.PPKMS";   // filter name: makes Acrobat/Reader look in the Windows certificate store


The code above fails with "signing failed (error 8219)" when saving the document. I didn't find this error in the Help file.

Is the way I add the certificates incorrect? Should I add Adobe Root CA to the storage, and how? Is there something else that I'm missing?

Thank you,
Cezar
#10924
Posted: 08/31/2009 17:29:48
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

Also, if I run

Code
int reason = 0;                 // receives the validation reason code when validation fails
TSBCertificateValidity validity;

// Build the chain starting from the first certificate in the storage and validate it as of now.
validity = certStorage.BuildChain(0).Validate(ref reason, DateTime.Now);


after

Code
certStorage.Clear();
certStorage.Add(certCA, false);   // intermediate CA, no private key
certStorage.Add(cert, true);      // signing certificate with its private key


validity returns cvOk.

When I try to validate certificate by certificate, I can validate the company's certificate against Entrust CA for Adobe, but I'm not able to validate the Entrust CA for Adobe certificate against Adobe Root CA (the issuer), as the latter is not in the chain.

Thank you,
Cezar
#10925
Posted: 08/31/2009 18:13:30
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

It's me again.

I managed to export Adobe Root CA as a certificate and import it into Windows (it was automatically added under Trusted Root CAs). certStorage.BuildChain(0).Validate() now returns cvSelfSigned, but I still get the error "signing failed (error 8219)" after providing the PIN to log in to the token.

Now I'm really stuck as I can't see where I'm doing wrong. I appreciate any help.

Thank you,
Cezar
#10927
Posted: 09/01/2009 00:00:47
by Ken Ivanov (EldoS Corp.)

First, please try to add the certificates of the chain to the handler from the signing one up to the root one:
certStorage.Clear();
certStorage.Add(cert, true);       // signing certificate (with private key) first
certStorage.Add(certCA, false);    // then its issuer (Entrust CA for Adobe)
certStorage.Add(certRoot, false);  // then the root (Adobe Root CA)

Second, if you need your documents to validate against the Adobe Entrust CA (trusted by Adobe, but not by Windows), you will have to change the CustomName property back to "Adobe.PPKLite".
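Eugene's reply in #10912 and Ken's reply above turn on one point: a signature is only as verifiable as the chain the relying party can build from it, and the relying party's trust store decides which chain is acceptable. The script below is added here as an illustration; it is not code from the thread, from SecureBlackbox or from EldoS. It reproduces the symptom with the OpenSSL command line: a PKCS#7/CMS signature that carries only the signer's certificate validates on a machine that already holds the issuing CA and fails on a machine that trusts only the root, while the same signature validates everywhere once the full chain is embedded at signing time. Everything in it is constructed for the demo: the keys, the document and the names "Demo Root CA", "Demo Issuing CA" and "Demo Signer" (standing in for Adobe Root CA, Entrust CA for Adobe and the company certificate); the PEM bundles `signer_store.pem` and `other_store.pem` stand in for the trust stores Acrobat consults through PPKLite (its own Trusted Identities) or PPKMS (the Windows stores).

```shell
#!/bin/sh
# Added demonstration (not SecureBlackbox/EldoS code): a signature that validates only
# where the issuing CA happens to be installed, and the fix of embedding the chain.
# All keys, certificates, the document and the trust stores are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build a three-level PKI: root (trust anchor) -> issuing CA -> signing certificate.
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,nonRepudiation\n' > signer.ext
    for name in root issuing signer; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null
    done
    openssl req -new -key root.key -subj '/CN=Demo Root CA' -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt 2>/dev/null
    openssl req -new -key issuing.key -subj '/CN=Demo Issuing CA' -out issuing.csr 2>/dev/null
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out issuing.crt 2>/dev/null
    openssl req -new -key signer.key -subj '/CN=Demo Signer' -out signer.csr 2>/dev/null
    openssl x509 -req -in signer.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
        -days 365 -extfile signer.ext -out signer.crt 2>/dev/null
    # The chain a signer should embed, from the issuing CA up to the root
    # (the order Ken asks for: signing certificate, then issuer, then root).
    cat issuing.crt root.crt > chain.pem
    # Trust stores (constructed): the signer's machine already holds the issuing CA,
    # the other machine trusts the root only.
    cat root.crt issuing.crt > signer_store.pem
    cp root.crt other_store.pem
}

# sign_doc OUTFILE [extra openssl cms options]
# Produces a DER-encoded PKCS#7/CMS SignedData over doc.txt. Without -certfile only
# the signer's own certificate is embedded, which is what the failing signer does.
sign_doc() {
    out=$1; shift
    openssl cms -sign -binary -nodetach -in doc.txt -signer signer.crt -inkey signer.key \
        -outform DER -out "$out" "$@" 2>/dev/null
}

# verify_as SIGFILE STOREFILE
# Prints VALID or INVALID, the way a viewer reports a signature. STOREFILE plays the
# relying party's trust store; certificates embedded in SIGFILE are used, untrusted,
# to bridge from the signer's certificate to an anchor in that store.
verify_as() {
    sig=$1; store=$2
    if openssl cms -verify -inform DER -in "$sig" -CAfile "$store" -out /dev/null 2>/dev/null; then
        echo VALID
    else
        echo INVALID
    fi
}

make_pki
printf 'Certified document body (constructed sample)\n' > doc.txt
sign_doc signer_only.p7                       # signer certificate only
sign_doc with_chain.p7 -certfile chain.pem    # signer + issuing CA + root embedded

# Signer's machine: the issuing CA is installed locally, so even the bare signature validates.
echo "signer's machine, bare signature: $(verify_as signer_only.p7 signer_store.pem)"
# Other machine: trusts the root but has never seen the issuing CA, so no chain can be built.
echo "other machine, bare signature:    $(verify_as signer_only.p7 other_store.pem)"
# Other machine again, but the signature carries its own chain.
echo "other machine, chain embedded:    $(verify_as with_chain.p7 other_store.pem)"
```

Run it with `sh`; it needs only the `openssl` binary. The mapping to the thread is direct: passing `-certfile chain.pem` at signing time is what adding `certCA` and `certRoot` to the `CertStorage` does, and the choice of `signer_store.pem` versus `other_store.pem` is the choice Acrobat makes between its own Trusted Identities (PPKLite) and the Windows stores (PPKMS). A signer that only tests on the machine where the token was first plugged in, and therefore where Windows already received the intermediate CA, will never see the failure its recipients see.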
#10934
Posted: 09/01/2009 17:05:33
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

I have updated the code with your suggestion, and am still getting the error "signing failed (error 8219)" after providing the PIN.

Because of so many changes, I attached the latest code.

Any help is greatly appreciated.

Thank you,
Cezar
#10937
Posted: 09/02/2009 02:04:36
by Ken Ivanov (EldoS Corp.)

Thank you for the code. It seems to be correct at first glance. Can you please check if the 8219 error occurs if no CA and ROOT certificates are added to the CertStorage?
#10940
Posted: 09/02/2009 13:27:51
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

It occurs only when CA, or CA and ROOT certificates are added to the CertStorage.

Cezar
#10942
Posted: 09/03/2009 00:35:09
by Ken Ivanov (EldoS Corp.)

And where exactly are the CA and ROOT certificates stored? Is the CA certificate stored on the device?

Please try to pass CA and ROOT certificates through the following method before adding them to the CertStorage and check if it helps:
Code
private TElX509Certificate CreateCertificateCopy(TElX509Certificate cert)
{
    // Re-serialize the certificate into a fresh, standalone object, so that the
    // storage holds plain certificate data rather than an object still tied to
    // the Windows store or the device it was loaded from.
    TElX509Certificate copy = new TElX509Certificate();
    byte[] buf = null;
    cert.SaveToBuffer(out buf);   // certificate itself, DER-encoded
    copy.LoadFromBuffer(buf);
    return copy;
}