EldoS | Feel safer!

How Do I save a copy of the revocation status

Posted: 03/10/2010 10:30:59
by Bram Breels (Standard support level)
Joined: 02/20/2009
Posts: 4


We are looking for a way to save a copy of the certificate revocation STATUS (=list?), so that we can add it as an attachment to PDF files (as a part of very long term signing).

I've been looking inside the SecureBlackbox assemblies and found the SaveToStream() method inside the TElCertificateRevocationList class under the SBCRL namespace.

I must admit that I'm quite new to the world of signing and CRL. Could you point me in the right direction, perhaps even show me a code snippet to start from?

Much obliged,
Sven Billiau
.NET Architect
Advalvas Europe NV
Posted: 03/10/2010 10:44:12
by Santiago Castaño (Standard support level)
Joined: 04/16/2006
Posts: 155

I do that using this code:
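                SizePKI := 0;
                // First call, with a nil buffer, reports the required size in SizePKI
                FElCertificateRevocationList.SaveToBuffer(nil, SizePKI);
                SetLength(BufPKI, SizePKI);
                // Second call writes the encoded CRL into BufPKI; the branch is taken when it returns 0
                if FElCertificateRevocationList.SaveToBuffer(@BufPKI[0], SizePKI)=0 then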

Where FElCertificateRevocationList is TElCertificateRevocationList, BufPKI is a ByteArray, and PublicKeyHandlerT is a TElPDFPublicKeySecurityHandler for the PDF.

Hope it helps :)
Posted: 03/11/2010 03:58:44
by Bram Breels (Standard support level)
Joined: 02/20/2009
Posts: 4


I'm afraid that I have badly formulated my question.
Perhaps if I sketch the problem or "challenge", it would show more clearly what I need.

We are a company engaged in electronic invoicing. We send signed PDF files to our customer's clients containing the invoice(s). Due to legal requirements, it is not sufficient to sign the PDF, because in some European countries the invoice must be stored for a long period of time (up to 10 years). This means that the usage time of the PDF extends beyond the validity period of the signing certificate. To have legal proof of certificate validity, we want to attach the revocation status of the signing certificate to the PDF file just before signing the PDF with the same certificate.

This also means that we don't need the entire revocation list, but only the revocation status of the certificate in use. We believe (but please correct us if we are wrong) that OCSP is the way to go, because it's a live check and only for a specific certificate.

Just to give you an idea how much help I need (as said before I'm quite the novice here): I found the sample application "OCSP client" in the samples folder of the install location, but I have no idea which file(s) to select in the certificate boxes.
I have an example of a signed PDF on my machine and Adobe PDF reader is able to verify its revocation status completely independently. I suppose (just checking if I have my facts straight) that the certificate is inside the PDF file and the URL where to check the revocation status is attached to the certificate.
Assuming this, I've exported the certificate using Adobe Reader and selected it in the OCSP Client. But once I've hit the Check-button I get an error message saying that the file doesn't contain any valid certificate(s).
Of course, once integrated in our application, the certificate must be verified just before the PDF is signed, directly from code.

I've been checking our current implementation of the signing:

  • The TElPKCS11CertStorage class is used as certificate storage and is initialized using a DLL file name (of SafeNet).
  • The TElX509Certificate class represents the certificate and is converted into an X509Certificate2 class.
  • We use iTextSharp (which uses Org.BouncyCastle) to add the signature to the PDF.

My question is:
Which code do I need to get and save the revocation status of the certificate, starting from the TElPKCS11CertStorage or TElX509Certificate class instances we already have in our code?

Much obliged,
Sven Billiau
.NET Architect
Posted: 03/11/2010 06:26:11
by Ken Ivanov (EldoS Corp.)

Within a PKI infrastructure, the revocation status of a certificate is confirmed with one of two entities: a CRL or an OCSP response. A CRL is a document issued by the CA periodically; it lists the certificates which have been revoked by the CA at the moment when the CRL was published. That is, CRLs tend to "grow" from version to version.

The OCSP protocol was designed to bypass certain shortcomings of the CRL-driven model. First, OCSP is a real-time protocol that allows one to get the revocation status of a particular certificate "for now". Second, the response only contains the status of the requested certificate and thus is more compact.

The PDF specification provides support for both types of revocation information. Along with the signature itself, you can place in the document all the CRL(s) and OCSP response(s) needed to perform long-term validation. Basically, you will need to implement the following algorithm:

FOR <each certificate C forming the chain starting from the signing one up to the CA certificate> DO
  1. Get revocation status for the certificate C in the form of OCSP response or CRL.
  2. Put the obtained status object to the signature with the use of TElPDFPublicKeySecurityHandler.RevocationInfo property.

Revocation information can be obtained from the appropriate locations manually or with the use of TElX509CertificateValidator component.
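
The chain-walking loop from the reply above, as an added example that is not part of the original thread and does not use SecureBlackbox: it is written in Python with the `cryptography` package, covers the OCSP branch only, and returns the raw DER responses that would be stored with the signature. The certificates, the in-process responder and the helper names (`make_cert`, `toy_responder`, `collect_revocation_info`, `build_sample`) are all constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
NOW = dt.datetime(2010, 3, 11)  # constructed timestamp for the sample data

def make_cert(cn, key, issuer_cn, issuer_key, serial):  # constructed test certificate
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=365)).sign(issuer_key, hashes.SHA256()))

def toy_responder(req_der, cert, issuer, issuer_key, revoked=()):
    """Constructed in-process OCSP responder; a real one is queried over HTTP."""
    bad = ocsp.load_der_ocsp_request(req_der).serial_number in revoked
    status = ocsp.OCSPCertStatus.REVOKED if bad else ocsp.OCSPCertStatus.GOOD
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
                          this_update=NOW, next_update=NOW + dt.timedelta(days=1),
                          revocation_time=NOW if bad else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
            .sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))

def collect_revocation_info(chain, fetch):
    """chain = [signer, ..., root]; returns one DER OCSP response per non-root cert."""
    blobs = []
    for cert, issuer in zip(chain, chain[1:]):
        req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
        der = fetch(cert, issuer, req.public_bytes(serialization.Encoding.DER))
        resp = ocsp.load_der_ocsp_response(der)
        if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
            raise ValueError("responder returned an error status")
        if resp.serial_number != cert.serial_number:
            raise ValueError("response covers a different certificate")
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   ec.ECDSA(resp.signature_hash_algorithm))  # raises InvalidSignature
        if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
            raise ValueError("certificate %d is not GOOD" % cert.serial_number)
        blobs.append(der)  # keep the raw bytes: this is what gets stored with the signature
    return blobs

def build_sample():  # constructed chain [signer, intermediate, root] and fetch callback
    k = {n: ec.generate_private_key(ec.SECP256R1()) for n in (1, 2, 3)}  # keyed by serial
    chain = [make_cert("Signer", k[3], "Inter", k[2], 3),
             make_cert("Inter", k[2], "Root", k[1], 2), make_cert("Root", k[1], "Root", k[1], 1)]
    fetch = lambda c, i, req, revoked=(): toy_responder(req, c, i, k[i.serial_number], revoked)
    return chain, fetch
```

In production, `fetch` would POST the request to the OCSP URL named in each certificate's Authority Information Access extension. The responder may also sign with a delegated certificate rather than the CA key, in which case that certificate has to be validated as well.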


