Invalid signature on different computers

#10949
Posted: 09/03/2009 17:57:54
by Cezar Botez (Priority Standard support level)
Joined: 08/28/2009
Posts: 22

Quote
And where exactly are CA and ROOT certificates stored? Is CA certificate stored on the device?


The CA certificate (Entrust CA for Adobe) is on the token. The ROOT certificate (Adobe Root CA) comes from a file I exported from Adobe Acrobat and installed in Windows.

Assuming the following code along with CreateCertificateCopy() provided

Code
TElX509Certificate certCopy;
TElX509Certificate certCACopy;
TElX509Certificate certRootCopy;

certCopy = CreateCertificateCopy(cert);
certCACopy = CreateCertificateCopy(certCA);
certRootCopy = CreateCertificateCopy(certRoot);


Here are the results after passing copies of the certificates (each and combinations of them) to CertStorage:

when used cert, certCA and certRoot
--> result: failed after typing the PIN
--> error: signing failed (error 8219). signing failed.
when used cert, certCA and certRootCopy
--> result: failed after typing the PIN
--> error: signing failed (error 8219). signing failed.
when used cert, certCACopy and certRoot
--> result: successfully signed
when used certCopy, certCA and certRoot
--> result: failed before typing the PIN
--> error: signing failed (error 8219). signing failed.
when used cert, certCACopy and certRootCopy
--> result: successfully signed
when used certCopy, certCA and certRootCopy
--> result: failed before typing the PIN
--> error: signing failed (error 8219). signing failed.
when used certCopy, certCACopy and certRoot
--> result: failed before typing the PIN
--> error: no signing certificate found. signing failed. [no error number]
when used certCopy, certCACopy and certRootCopy
--> result: failed before typing the PIN
--> error: no signing certificate found. signing failed. [no error number]
when used cert and certCACopy (no root certificate provided)
--> result: successfully signed

In other words, it successfully signed the document when passed the original certificate issued for the company along with the copy (and not the original) of the CA certificate to CertStorage.

It works with the function provided and I can't see an issue using it, but I was wondering what the difference is and if the result will be consistent enough to use this method.

I would also like to thank Eugene and Innokentiy for taking the time and helping me find a solution.

Cezar
#10951
Posted: 09/04/2009 00:03:25
by Ken Ivanov (EldoS Corp.)

It seems that the token reports the CA certificate as having a corresponding private key available. As TElPDFPublicKeySecurityHandler attempts to sign the document using all the certificates containing a corresponding private key, it encounters problems when trying to create a signature with the CA certificate (which does not have a private key actually). By passing the CA certificate through the method I have provided, you create a "clean" public copy of the CA certificate, so all possible [incorrect] references to the absent private key are removed.

As a conclusion, using the above method for the CA and ROOT certificates is absolutely safe. Please note that you should not pass the signing certificate through it, as it will result in private key loss in the created copy.
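
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not SecureBlackbox code and does not come from either poster. The names Cert, public_copy, sign and unexpected_key_claims are hypothetical, and the processing order and PIN timing are assumptions chosen to reproduce the results reported in the thread.

```python
from dataclasses import dataclass, replace
from itertools import product

ERR_SIGN_FAILED = 8219  # error number quoted in the thread

@dataclass(frozen=True)
class Cert:                      # hypothetical stand-in for a certificate object
    name: str
    reports_key: bool            # storage/token claims a private key exists
    key_usable: bool = False     # a signature can actually be produced

def public_copy(c: Cert) -> Cert:
    """Public-only copy: every private-key reference is dropped."""
    return replace(c, name=c.name + "Copy", reports_key=False, key_usable=False)

def sign(storage: list) -> str:
    """Model handler: tries to sign with every cert that reports a key."""
    signers = [c for c in storage if c.reports_key]
    if not signers:
        return "no signing certificate found"
    pin_entered = False
    for c in signers:            # assumption: processed in the order added
        if not c.key_usable:
            when = "after" if pin_entered else "before"
            return f"error {ERR_SIGN_FAILED}, failed {when} PIN"
        pin_entered = True       # assumption: a usable token key prompts for the PIN
    return "signed"

def unexpected_key_claims(storage, signer_name):
    """Pre-flight check: chain certs that claim a private key they should not have."""
    return [c.name for c in storage if c.reports_key and c.name != signer_name]

# Constructed certificates mirroring the thread's setup
cert = Cert("cert", reports_key=True, key_usable=True)    # company signing cert on token
certCA = Cert("certCA", reports_key=True)                  # token wrongly reports a key
certRoot = Cert("certRoot", reports_key=False)             # imported from a file

def matrix() -> dict:
    """Result for every original/copy combination of the three certificates."""
    out = {}
    for combo in product(*[(c, public_copy(c)) for c in (cert, certCA, certRoot)]):
        out[tuple(c.name for c in combo)] = sign(list(combo))
    return out

if __name__ == "__main__":
    for names, result in matrix().items():
        print(", ".join(names), "->", result)
```

Running unexpected_key_claims() on the storage before signing flags certCA in the original setup and returns an empty list once the CA certificate has been replaced by its public-only copy.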
