EldoS | Feel safer!

Signature time validation for multiple signatures

#16664
Posted: 06/15/2011 10:32:17
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

Could someone please explain to me how I can properly validate a document that is signed and countersigned multiple times? My problem seems to be that a message signer can have more than one signer ID (in the CertIDs array) but it only has a single SignatureTime. If each signature happens at a different time, how can I make sure the linked certificate was valid at the moment of the signature?

Thank you very much
#16665
Posted: 06/15/2011 10:42:27
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

TElMessageVerifier exposes the CountersignatureAttributes property. Use it to get values of the signing times attributes corresponding to particular countersignatures.

As an option, you might consider using TElSignedCMSMessage class that provides more flexible access to the elements of PKCS#7/CMS messages than TElMessageVerifier.
#16691
Posted: 06/17/2011 08:03:01
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks for your answer.

I'm looking into using TElSignedCMSMessage: it looks like it's what I should be using.

A couple of questions:

- When I use the "validate" method of a TElCMSSignature instance and pass it a TElX509CertificateValidator instance, it doesn't seem to be using the system store for certificate validation: if I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as a result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?
- How can I validate the signature against the data? Is it included in the "Validate" command?

Thanks a lot
#16693
Posted: 06/17/2011 08:13:18
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Quote
- When I use the "validate" method of a TElCMSSignature instance and pass it a TElX509CertificateValidator instance, it doesn't seem to be using the system store for certificate validation: if I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as a result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?

You should call ElX509CertificateValidator.InitializeWinStorages first.

Quote
- How can I validate the signature against the data? Is it included in the "Validate" command?

Yes it is included.
#16694
Posted: 06/17/2011 08:19:31
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you for the quick reply.

Quote
You should call ElX509CertificateValidator.InitializeWinStorages first.

Ah, but I do call it. I use a centralized validator (actually, created and initialized in the object that uses the CMS signature). Here is the accessor for the linked property that initializes the instance if necessary:

Code
function TSignaturemanipulator.GetValidator: TElX509CertificateValidator;
begin
  // Lazily create one shared validator the first time it is requested
  if not Assigned(FValidator) then
  begin
    FValidator := TElX509CertificateValidator.Create(nil);
    // Configure through the field, not the Validator property:
    // the property would re-enter this getter
    FValidator.IgnoreSystemTrust := False;   // trust what the system stores trust
    FValidator.OfflineMode := True;          // no CRL/OCSP downloads
    FValidator.UseSystemStorages := True;    // consult the Windows stores for chain building
    FValidator.InitializeWinStorages;        // actually load the Windows stores
  end;
  Result := FValidator;
end;
#16695
Posted: 06/17/2011 08:24:08
by Ken Ivanov (EldoS Corp.)

Quote
if I set the "cvoValidateChains" option, I always get "casvIncompleteChain" as a result (only the leaf certificate is included in the CMS message, the rest of the chain is in the system store). What am I missing?

The validation routine performed by TElX509CertificateValidator is quite strict. Under default configuration this component requires the complete validation data (all the certificates of all the chains used directly or indirectly in the signature along with the relevant CRLs and OCSP responses) to be either available locally or accessible via the Internet. It is possible that some piece of revocation information cannot be retrieved during validation (for example, the OCSP server is down), and thus the overall validation process fails.

To localize the problem, please put the TElX509CertificateValidator object into the most liberal mode by adjusting the following properties:

- UseSystemStorages to true,
- IgnoreSystemTrust to false,
- CheckCRL to false,
- CheckOCSP to false,
- CheckValidityPeriodForTrusted to false,
- IgnoreCAKeyUsage to false,
- MandatoryRevocationCheck to false,
- ForceCompleteChainValidationForTrusted to false.

If the signature is validated fine under the above configuration, you can start adjusting the properties one by one to find out the exact one that causes the problem.

Quote
How can I validate the signature against the data ? Is it included in the "Validate" command ?

Validate() does that automatically. If the signature you are validating is detached, you should load the appropriate data via the TElSignedCMSMessage.Content.Init() method prior to validation.
#16701
Posted: 06/17/2011 10:55:48
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thanks again. I'll check why the chain isn't building properly next week.

One last question, if I may: if I understand correctly, the csoUseGeneralizedTimeFormat option of the ElCMSSignature.SigningOptions property controls whether the signature time will be corrected to UTC when signing.

When I read back the signature, how can I know if the signing time was UTC or local? The csoUseGeneralizedTimeFormat doesn't seem to be carried in the CMS message itself and it's absent when I reload the message.

Thanks again
#16703
Posted: 06/17/2011 11:08:49
by Ken Ivanov (EldoS Corp.)

In almost all cases SecureBlackbox won't perform any time zone conversions for you, i.e. it is your task to convert the time to UTC before assigning it to the SigningTime property. The csoUseGeneralizedTimeFormat property only tells the component to force usage of the ASN.1 GeneralizedTime type when saving time values (if the option is off, either UTCTime or GeneralizedTime will be used, depending on the exact time value supplied).

Quote
When I read back the signature, how can I know if the signing time was UTC or local?

You should always expect the times to be in UTC.
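The pieces of this thread fit together into one validation routine: a validator in the "most liberal" configuration from #16695 (plus the InitializeWinStorages call from #16693), detached content supplied through Content.Init() before Validate(), each signature and each countersignature checked at its own signing time (the original question in #16664), and signing times treated as UTC (#16703). The following Delphi program is an added example written for this page; it is not code from the thread or from the SecureBlackbox package. The property names listed in the thread are taken from it; the unit names (SBCMS, SBCertValidator), the members SignatureCount/Signatures, CountersignatureCount/Countersignatures, SigningTime, Load, the validator's ValidityMoment property and the casvValid result value are assumed from the SecureBlackbox API and should be checked against the version you have.

```delphi
program ValidateCountersignedCms;
{$APPTYPE CONSOLE}

uses
  SysUtils, Classes,
  // SecureBlackbox unit names are assumed; adjust to your installed version
  SBCMS, SBCertValidator;

// Check one signature (or countersignature) as of the moment it claims to
// have been made. SecureBlackbox stores SigningTime as UTC (#16703), so no
// time zone conversion is applied here.
function ValidateAtSigningTime(Sig: TElCMSSignature;
  Validator: TElX509CertificateValidator): Boolean;
var
  Validity: TSBCMSAdvancedSignatureValidity;
begin
  // ValidityMoment (assumed property name) tells the validator to evaluate
  // the certificate chain at this instant instead of "now"
  Validator.ValidityMoment := Sig.SigningTime;
  Validity := Sig.Validate(Validator);       // also verifies the data hash (#16695)
  Result := (Validity = casvValid);          // casvValid assumed; casvIncompleteChain is from the thread
  WriteLn(Format('    signed at %s UTC, validity code %d',
    [DateTimeToStr(Sig.SigningTime), Ord(Validity)]));
end;

// Walk every signature and every countersignature, each at its own time.
// A single SignatureTime for the whole signer (the problem in #16664) is
// avoided by reading the time from each TElCMSSignature object itself.
function ValidateAllSignatures(Msg: TElSignedCMSMessage;
  Validator: TElX509CertificateValidator): Boolean;
var
  I, J: Integer;
  Sig: TElCMSSignature;
begin
  Result := True;
  for I := 0 to Msg.SignatureCount - 1 do
  begin
    Sig := Msg.Signatures[I];
    WriteLn(Format('signature %d', [I]));
    Result := ValidateAtSigningTime(Sig, Validator) and Result;
    for J := 0 to Sig.CountersignatureCount - 1 do
    begin
      WriteLn(Format('  countersignature %d', [J]));
      Result := ValidateAtSigningTime(Sig.Countersignatures[J], Validator) and Result;
    end;
  end;
end;

// The diagnostic configuration from #16695: chain building against the
// Windows stores with every revocation and strictness check switched off.
// Once this validates, re-enable the Check*/Mandatory*/Force* properties
// one at a time to find the one that fails in production.
function CreateDiagnosticValidator: TElX509CertificateValidator;
begin
  Result := TElX509CertificateValidator.Create(nil);
  Result.UseSystemStorages := True;
  Result.IgnoreSystemTrust := False;
  Result.CheckCRL := False;
  Result.CheckOCSP := False;
  Result.CheckValidityPeriodForTrusted := False;
  Result.IgnoreCAKeyUsage := False;
  Result.MandatoryRevocationCheck := False;
  Result.ForceCompleteChainValidationForTrusted := False;
  Result.InitializeWinStorages;   // without this the system stores are never loaded (#16693)
end;

var
  Msg: TElSignedCMSMessage;
  Validator: TElX509CertificateValidator;
  SigStream, DataStream: TFileStream;
begin
  // usage: ValidateCountersignedCms <signature.p7s> [detached-data-file]
  DataStream := nil;
  Msg := TElSignedCMSMessage.Create(nil);
  Validator := CreateDiagnosticValidator;
  try
    SigStream := TFileStream.Create(ParamStr(1), fmOpenRead or fmShareDenyWrite);
    try
      Msg.Load(SigStream);                 // Load(Stream) assumed signature
    finally
      SigStream.Free;
    end;
    if ParamCount >= 2 then
    begin
      // Detached signature: the signed data must be supplied before Validate()
      DataStream := TFileStream.Create(ParamStr(2), fmOpenRead or fmShareDenyWrite);
      Msg.Content.Init(DataStream);
    end;
    if ValidateAllSignatures(Msg, Validator) then
      WriteLn('all signatures valid at their signing times')
    else
      ExitCode := 1;
  finally
    Msg.Free;
    Validator.Free;
    DataStream.Free;   // kept alive until the message is released
  end;
end.
```

The important design point is that ValidityMoment is reassigned before every Validate() call: a countersigner's certificate that has since expired or been revoked is still acceptable if it was valid when that particular countersignature was applied, and the only per-signature time available is the one stored inside each TElCMSSignature.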