EldoS | Feel safer!

Chain validation failed

Posted: 10/17/2011 07:39:03
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

If I try to sign a PDF document with PAdES and set
handler.AutoCollectRevocationInfo = true

then signing fails with the error

Chain validation failed

If I leave this property at false, signing passes OK, but then in verification I again get the error: "Chain validation failed". What can I do?
Posted: 10/17/2011 07:45:59
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should put the full signing certificate chain into TElPDFAdvancedPublicKeySecurityHandler.CertStorage. Or you can set TElPDFAdvancedPublicKeySecurityHandler.IgnoreChainValidationErrors to 'true'.
Posted: 10/17/2011 07:53:10
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

You should put full signing certificate chain to TElPDFAdvancedPublicKeySecurityHandler.CertStorage

Could you please explain to me how to do it? In the PAdES demo there's no sample for doing that.
Posted: 10/17/2011 08:01:22
by Vsevolod Ievgiienko (EldoS Corp.)

You should read this article first: http://www.eldos.com/security/articles/3641.php

Certificates can be added using TElPDFAdvancedPublicKeySecurityHandler.CertStorage.Add method.
Posted: 10/17/2011 09:31:32
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I am setting the CertStorage property of the TElPDFAdvancedPublicKeySecurityHandler object to my smart card storage (an instance of TElPKCS11CertStorage). This storage is opened and the session is logged in. The storage has 3 certificates, which together form a valid chain. Still I get the error "Chain validation failed". I want to mention that if I set IgnoreChainValidationErrors to true, the document gets signed OK and even Adobe Reader says that the document is signed OK and can validate it without problems. However, I am suspicious, since I get this error if I don't set IgnoreChainValidationErrors to true. I have read the article you mentioned, but I wonder why I should create my own ElCustomCertStorage object when I have my storage (from the smart card) which is already prefilled with valid values?
Posted: 10/17/2011 09:57:16
by Vsevolod Ievgiienko (EldoS Corp.)

Try to check if TElPKCS11CertStorage.ChainCount is equal to 1 to ensure that a full chain is stored there.
Posted: 10/17/2011 10:41:27
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

A strange thing happens when I try to check the ChainCount property. The program blocks forever and I can only kill it from VS. If I don't check it, everything else works...
Posted: 10/17/2011 11:43:55
by Vsevolod Ievgiienko (EldoS Corp.)

Hm... strange. Try to copy all certificates from the token to a TElMemoryCertStorage and check if its ChainCount == 1. Then try to use it for signing. If this works for you, then we'll try to localize the problem with TElPKCS11CertStorage.
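To make the "ChainCount == 1" diagnostic concrete, here is an added example (not SecureBlackbox code and not from either poster) that models how a certificate storage is split into chains by subject/issuer links: a storage with leaf, intermediate and root yields one chain, while a storage missing the intermediate yields two chains and a named gap. Certificate names and the assumption that ChainCount counts chains this way are constructed for illustration; the real check additionally verifies signatures, validity periods and revocation.

```python
# Added example: model the "is the full chain present?" check behind
# TElCustomCertStorage.ChainCount. Certificates are reduced to their
# subject and issuer names (no signature checks); names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chains(store):
    """Return one list per chain, ordered leaf -> root (or as far as the
    store allows). A chain starts at every certificate that no other
    certificate in the store names as its issuer (an end-entity cert, or
    a root/intermediate whose children are absent)."""
    by_subject = {c.subject: c for c in store}
    issuers_in_use = {c.issuer for c in store if not c.self_signed}
    leaves = [c for c in store if c.subject not in issuers_in_use]
    chains = []
    for leaf in leaves:
        chain, cur, seen = [leaf], leaf, {leaf.subject}
        while not cur.self_signed:
            nxt = by_subject.get(cur.issuer)
            if nxt is None or nxt.subject in seen:
                break  # issuer not in the store (or a cycle): chain is incomplete
            chain.append(nxt)
            seen.add(nxt.subject)
            cur = nxt
        chains.append(chain)
    return chains


def chain_count(store) -> int:
    return len(build_chains(store))


def missing_issuers(store):
    """Issuer names a chain needs but the store does not contain."""
    return sorted({ch[-1].issuer for ch in build_chains(store) if not ch[-1].self_signed})


# Constructed sample modelled on the poster's three-certificate smart card.
ROOT = Cert("CN=Demo Root CA", "CN=Demo Root CA")
INTER = Cert("CN=Demo Issuing CA", "CN=Demo Root CA")
LEAF = Cert("CN=ingbabic", "CN=Demo Issuing CA")
FULL_STORE = [LEAF, INTER, ROOT]      # complete chain: ChainCount == 1
NO_INTER_STORE = [LEAF, ROOT]         # intermediate missing: two chains

if __name__ == "__main__":
    for name, store in (("full", FULL_STORE), ("no intermediate", NO_INTER_STORE)):
        print(name, chain_count(store), missing_issuers(store))
```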
Posted: 10/18/2011 03:38:17
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After I did this:
TElMemoryCertStorage memStorage = new TElMemoryCertStorage();
for (int i = 0; i < storage.Count; i++)
{
  // copy every certificate from the smart card storage into the memory storage
  TElX509Certificate cert = storage.get_Certificates(i);
  memStorage.Add(cert, true);
}
handler.CertStorage = memStorage;

I am still getting the same error ("chain validation failed"). ChainCount is equal to 1.

Concerning the problem with the ChainCount property of the smart card storage, I have found out that:
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
storage.DLLName = "aetpkss1.dll";
TElPKCS11SessionInfo session = null;
session = storage.OpenSession(0, true);

if I comment out OpenSession this works (showing ChainCount 0), but if I uncomment OpenSession, the program blocks...
Posted: 10/18/2011 04:04:22
by Eugene Mayevski (EldoS Corp.)

It is possible that validation fails not because of your certificates but during validation of revocation information (CRLs, OCSP etc.). I will move your question to the helpdesk where you can post your document for investigation.

Sincerely yours
Eugene Mayevski