EldoS | Feel safer!

XMLBlackbox Signing with .p12 Certs

#15504
Posted: 01/14/2011 10:25:40
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

I have been struggling with XML and SOAP signings for a while. I could not find what was wrong while my SOAP style signed docs always failed to verify.

Now I have found that the possible reason could be the use of .p12 style certificates. For these latest tests I have abandoned all my own code and used purely the SimpleSigner demo app for testing.

In the enclosed ZIP is the simple SourceDoc1.xml file that was signed and then verified with two keys. The key files are ThisKeyWorks.pfx and ThisKeyDoesNotWork_PasswordIs-test1234.p12.
The first key is one of EldoS's demo keys and has no password; the password for the second file is also given in the file name, "test1234".

The DigestValue with both signings in the signed XML is the same, but Signature values differ.

I have tried with several different .p12 certificates, but no luck. I wonder if there really is some bug, or is this only some dummy error of mine.

Grateful for any hints.
SP


#15506
Posted: 01/14/2011 10:35:25
by Eugene Mayevski (EldoS Corp.)

.p12 is another extension for PFX; both are used for files in PKCS#12 format. So the extension cannot influence the procedure.

Please track some other difference between your certificates that causes the problem.


Sincerely yours
Eugene Mayevski
#15512
Posted: 01/15/2011 07:52:44
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Eugene Mayevski wrote:
Please track some other difference between your certificates that causes the problem.
It really seems that the problem is not with the extension. And if I use BlackBox CertDemo.exe to create a new .p12 certificate file, the Signing + Verify also works there.

The problem seems to be related to third party .p12 certificates. I cannot get around this even if I use some converter to convert the .p12 certificate to PEM format or some other format. The same problem remains. The verify process with these certificates always returns this error:
Code
"Signing certificate is not valid."
"Signature and references validated succesfully."


I can reproduce this situation when I use OpenSSL to create one of those .p12 certificates. Files signed with this certificate fail to verify with XMLBlackbox verifier.

Included is my test material, and also a BAT file showing how to create a .p12 certificate with OpenSSL.

Our certificates come from a third party. So I should find at least some workaround, how to get the certificates converted to some format that would work with XMLBlackbox.

Thanks
SP


#15513
Posted: 01/15/2011 08:45:30
by Eugene Mayevski (EldoS Corp.)

"Signing certificate is not valid" has nothing to do with file format. It says that validation of the certificate could not be performed correctly. This can mean that the issuer certificate could not be verified, OCSP validation failed or whatever else. I have moved your last message to the helpdesk so that developers could check the certificate itself.


Sincerely yours
Eugene Mayevski
#15514
Posted: 01/15/2011 08:57:16
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Eugene Mayevski wrote:
"Signing certificate is not valid" has nothing to do with file format. It says that validation of the certificate could not be performed correctly.

If it said this already at the Signing phase, that would make more sense to me, but the error appears only at the Verify phase.

Quote
I have moved your last message to the helpdesk so that developers could check the certificate itself.
Thanks for this.

SP
#15515
Posted: 01/15/2011 09:29:26
by Eugene Mayevski (EldoS Corp.)

Quote
San P wrote:
If it said this already at the Signing phase, that would make more sense to me, but the error appears only at the Verify phase.


Why would it? The components don't validate certificates that you pass to them, it's your job to perform any control over input data, if you need it.


Sincerely yours
Eugene Mayevski
#15516
Posted: 01/15/2011 09:57:55
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Why would it? The components don't validate certificates that you pass to them, it's your job to perform any control over input data, if you need it.
There was no code of mine. So I was not adding any extra input data control; I was only using the plain SimpleSigner demo app.

That demo app raises the error message, but it raises it only when the OpenSSL created certificate was used.

It is not my intention just to keep complaining or arguing about this. If that error was caused by any of my actions, then I am sorry, and I would be grateful to hear how I should have handled it, and how to get around it.

Thanks
SP
#15518
Posted: 01/15/2011 10:36:51
by Eugene Mayevski (EldoS Corp.)

Samples don't perform any validation of certificates being used for signing or encryption of the data. Maybe we will need to extend them to show how this should be done.


Sincerely yours
Eugene Mayevski
#15634
Posted: 01/28/2011 12:07:13
by San P (Standard support level)
Joined: 11/07/2009
Posts: 37

Quote
Eugene Mayevski wrote:
I have moved your last message to the helpdesk so that developers could check the certificate itself.
I can still view the Helpdesk_Ticket number 18xxx thread and area, but it looks like I can no longer write there. I do not know if this is intentional or some cookie problem or something.

I just wanted to report that the final fix that Dmytro Bogatskyy made on Sunday 23 Jan 2011 seems finally to have solved this signing problem.

He enclosed the signed SignedSoap1.XML document and reported he got an 'internal error' when sending it to the test site. That file works fine here! I can send that sample XML to the bank just as it is, and get an acceptable SOAP response from the bank.
Also the code he fixed works all right.

Oh boy, it was a great moment when the first accepting response came from the bank. After more than two months of calendar time, struggling from time to time, several weeks in total, to get this thing solved.

Right now, a big thank you to EldoS and the people who helped to get this fixed.

If I still have writing rights to that Helpdesk_Ticket number area, I will close it as solved after one week or so, if nothing more pops up with this matter.

Thanks
SP