EldoS | Feel safer!

NegativeSerialWorkaround

#11798
Posted: 11/24/2009 10:13:10
by nick ameladiotis (Standard support level)
Joined: 11/24/2009
Posts: 2

I am trying to open a PDF document with public-key security, but it looks like there is a bug or something in the library: it fails to validate the certificate serial against the recipient serial in the SBPDFSecurity.TElPDFPublicKeyRecipientGroup.RecipientCertificatePresent method.

(RecipientInfos[I].SerialNumber = Storage.Certificates[K].SerialNumber) results in false, because when I load the certificate from PFX format with NegativeSerialWorkaround set to true, a #0 character is added (#0 + FTBSCertificate.FSerialNumber;) to the serial read from the file,
Code
    { a serial whose first byte has the high bit set is reinterpreted as
      positive by prepending a #0 byte when the workaround is enabled }
    if (Length(FTBSCertificate.FSerialNumber) >= 1) and
      (Ord(FTBSCertificate.FSerialNumber[1]) >= $80) and
      (NegativeSerialWorkaround) then
    begin
      FTBSCertificate.FSerialNumber := #0 + FTBSCertificate.FSerialNumber;
      FNegativeSerial := true;
    end;

while the serial from the PDF document doesn't have this extra character.
Am I missing something here?
If I set NegativeSerialWorkaround to false, will this be a safe solution to my problem? Or would it be better to have a modified RecipientCertificatePresent() that checks FNegativeSerial before comparing the serials?
#11801
Posted: 11/24/2009 12:08:29
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Negative serial numbers are not standard-compliant and appear quite rarely. In our experience, switching NegativeSerialWorkaround to true won't cause problems. However, updating the implementation of RecipientCertificatePresent() seems to be a better solution. We will do this in a future build update. Thank you for pointing this out to us.
#11802
Posted: 11/25/2009 02:15:26
by nick ameladiotis (Standard support level)
Joined: 11/24/2009
Posts: 2

Quote
However, updating the implementation of RecipientCertificatePresent() seems to be a better solution

I agree, and this is what I have implemented: I modified RecipientCertificatePresent AND DecryptSessionKey so that SerialNumber is compared without the added #0 character, and everything worked as expected. I am using the following method for getting a valid PDF serial number:

Code
{helper class}

function TElX509CertificateHelper.PDFSerialNumber: BufferType;
begin
  Result := SerialNumber;
  { NegativeSerialWorkaround prepended a #0 byte; drop it so the value
    matches the serial stored in the PDF recipient info }
  if NegativeSerial then
    Result := Copy(Result, 2, Length(Result));
end;
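
Added example (Python, not SecureBlackbox code) covering both the workaround quoted in the first post and the PDFSerialNumber helper above: it mirrors the #0 prefix, shows that this prefix is exactly the DER encoding of the serial read as a positive integer, and compares serials on their unsigned magnitude so the prefix no longer breaks the recipient match. The serial bytes are constructed.

```python
# Added illustration, not SecureBlackbox code. Serial values below are constructed.

def der_int_to_int(raw: bytes) -> int:
    """Decode DER INTEGER content octets (big-endian two's complement).
    A first octet >= 0x80 therefore reads as a negative number."""
    return int.from_bytes(raw, "big", signed=True)


def int_to_der_int(value: int) -> bytes:
    """Encode an integer as minimal DER INTEGER content octets."""
    length = 1
    while True:
        try:
            return value.to_bytes(length, "big", signed=True)
        except OverflowError:
            length += 1


def workaround_serial(raw: bytes) -> bytes:
    """Mirror NegativeSerialWorkaround from the first post: a serial whose first
    octet is >= 0x80 is reinterpreted as positive by prepending a zero byte."""
    if raw and raw[0] >= 0x80:
        return b"\x00" + raw
    return raw


def unsigned_serial(raw: bytes) -> bytes:
    """Canonical unsigned magnitude: strip leading zero octets (keep one byte).
    This is what the PDFSerialNumber helper above achieves for the #0 case."""
    return raw.lstrip(b"\x00") or b"\x00"


def recipient_matches(cert_serial: bytes, recipient_serial: bytes) -> bool:
    """Compare the certificate serial with the serial in the PDF recipient info
    on magnitude only, so the workaround prefix does not cause a false mismatch."""
    return unsigned_serial(cert_serial) == unsigned_serial(recipient_serial)


if __name__ == "__main__":
    # Constructed serial from a non-compliant CA: high bit set, no leading zero.
    from_pfx = b"\x8a\x3f\x12"
    in_cert_store = workaround_serial(from_pfx)     # b"\x00\x8a\x3f\x12"
    in_pdf_recipient = from_pfx                       # stored as-is in the PDF
    print("as DER integer:", der_int_to_int(from_pfx))
    print("byte-equal:", in_cert_store == in_pdf_recipient)
    print("magnitude-equal:", recipient_matches(in_cert_store, in_pdf_recipient))
```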
