EldoS | Feel safer!

Chain validation failed

#17909
Posted: 10/17/2011 07:39:03
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello
If I try to sign a PDF document with PAdES and set
Code
handler.AutoCollectRevocationInfo = true


then signing fails with the error
Quote

---------------------------
Error
---------------------------
Chain validation failed
---------------------------
OK
---------------------------

If I leave this property false, signing passes OK, but then in verification I again get the error: "Chain validation failed". What can I do?
#17910
Posted: 10/17/2011 07:45:59
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should put the full signing certificate chain into TElPDFAdvancedPublicKeySecurityHandler.CertStorage. Or you can set TElPDFAdvancedPublicKeySecurityHandler.IgnoreChainValidationErrors to 'true'.
#17911
Posted: 10/17/2011 07:53:10
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Quote
You should put the full signing certificate chain into TElPDFAdvancedPublicKeySecurityHandler.CertStorage


Could you please explain to me how to do it? In the PAdES demo there's no sample for doing that.
#17912
Posted: 10/17/2011 08:01:22
by Vsevolod Ievgiienko (EldoS Corp.)

You should read this article first: http://www.eldos.com/security/articles/3641.php

Certificates can be added using TElPDFAdvancedPublicKeySecurityHandler.CertStorage.Add method.
#17913
Posted: 10/17/2011 09:31:32
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I am setting the CertStorage property of the TElPDFAdvancedPublicKeySecurityHandler object to my smart card storage (an instance of TElPKCS11CertStorage). This storage is opened and the session is logged in. The storage has 3 certificates, which all together create a valid chain. Still I get the error "Chain validation failed". I want to tell you that if I set IgnoreChainValidationErrors to true, the document gets signed OK and even Adobe Reader says that the document is signed OK and can validate it without problems. However I am suspicious since I get this error if I don't set IgnoreChainValidationErrors to true. I have read the article you mentioned but I wonder why I should create my own TElCustomCertStorage object, when I have my storage (from the smart card) which is already prefilled with valid values?
#17914
Posted: 10/17/2011 09:57:16
by Vsevolod Ievgiienko (EldoS Corp.)

Try to check if TElPKCS11CertStorage.ChainCount is equal to 1 to ensure that a full chain is stored there.
#17916
Posted: 10/17/2011 10:41:27
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

A strange thing happens when I try to check the ChainCount property. The program blocks forever and I can only kill it from VS. If I don't check it, everything else works...
#17919
Posted: 10/17/2011 11:43:55
by Vsevolod Ievgiienko (EldoS Corp.)

Hm... strange. Try to copy all certificates from the token to TElMemoryCertStorage and check if its ChainCount == 1. Then try to use it for signing. If this works for you then we'll try to localize the problem with TElPKCS11CertStorage.
#17924
Posted: 10/18/2011 03:38:17
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After I did this:
Code
// Copy every certificate from the PKCS#11 token storage into an in-memory storage
TElMemoryCertStorage memStorage = new TElMemoryCertStorage();
for (int i = 0; i < storage.Count; i++)
{
  TElX509Certificate cert = storage.get_Certificates(i);
  memStorage.Add(cert, true); // second argument: also copy the private key reference
}
// Use the in-memory copy for signing instead of the token storage
handler.CertStorage = memStorage;

I am still getting the same error ("chain validation failed"). ChainCount is equal to 1.

Concerning the problem with the ChainCount property from the smart card storage, I have found out that:
Code
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
storage.DLLName = "aetpkss1.dll"; // PKCS#11 module of the smart card
storage.Open();
TElPKCS11SessionInfo session = null;
session = storage.OpenSession(0, true); // slot 0, read-only session
MessageBox.Show(storage.ChainCount.ToString());

if I comment out OpenSession this will work (showing ChainCount 0), but if I uncomment OpenSession, the program blocks...
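The diagnostic suggested in this thread (copy the token's certificates into a TElMemoryCertStorage, confirm ChainCount == 1, then use that storage for signing) put together as one added C# example. This is not code from the thread or from EldoS. Identifiers that appear in the posts (TElPKCS11CertStorage, DLLName, Open, OpenSession, Count, get_Certificates, TElMemoryCertStorage.Add, ChainCount, CertStorage, AutoCollectRevocationInfo, IgnoreChainValidationErrors) are used as shown there; the namespace names, the SubjectName/IssuerName/SelfSigned members of TElX509Certificate, and the slot number are assumptions and may need adjusting to the SecureBlackbox build in use.

```csharp
// Added example, not from the thread or from EldoS. Namespace names and the
// SubjectName / IssuerName / SelfSigned members are assumed.
using System;
using System.Text;
using SBX509;                // TElX509Certificate (assumed namespace)
using SBCustomCertStorage;   // TElCustomCertStorage, TElMemoryCertStorage (assumed namespace)
using SBPKCS11CertStorage;   // TElPKCS11CertStorage, TElPKCS11SessionInfo (assumed namespace)
using SBPDFSecurity;         // TElPDFAdvancedPublicKeySecurityHandler (assumed namespace)

public static class SigningChainCheck
{
    // Opens the PKCS#11 module and a session, then copies every certificate the
    // token exposes into memory. The session is opened before enumeration, the
    // order used in the thread's second snippet; logging in with the PIN is left
    // to the caller on the returned session object, as in the original program.
    public static TElMemoryCertStorage CopyTokenCertificates(
        string pkcs11Dll, int slot, out TElPKCS11SessionInfo session)
    {
        var token = new TElPKCS11CertStorage();
        token.DLLName = pkcs11Dll;               // e.g. "aetpkss1.dll" from the thread
        token.Open();
        session = token.OpenSession(slot, true); // true = read-only session

        var mem = new TElMemoryCertStorage();
        for (int i = 0; i < token.Count; i++)
        {
            TElX509Certificate cert = token.get_Certificates(i);
            mem.Add(cert, true);                 // true: copy the private key reference too
        }
        return mem;
    }

    // Lists subject/issuer pairs so a missing intermediate or a stray
    // unrelated certificate is visible before signing is attempted.
    public static string DescribeChain(TElCustomCertStorage storage)
    {
        var sb = new StringBuilder();
        sb.AppendLine("ChainCount = " + storage.ChainCount);
        for (int i = 0; i < storage.Count; i++)
        {
            TElX509Certificate c = storage.get_Certificates(i);
            sb.AppendFormat("[{0}] subject={1} issuer={2} selfSigned={3}\n",
                i, c.SubjectName.CommonName, c.IssuerName.CommonName, c.SelfSigned);
        }
        return sb.ToString();
    }

    // Attaches the storage to the handler only when it holds exactly one chain.
    // IgnoreChainValidationErrors stays false: a signature that only succeeds
    // because validation was switched off says nothing about the chain, and
    // verifiers such as Adobe Reader will still evaluate it on their own.
    public static bool AttachIfSingleChain(
        TElPDFAdvancedPublicKeySecurityHandler handler, TElCustomCertStorage storage)
    {
        if (storage.ChainCount != 1)
        {
            Console.Error.WriteLine("Storage does not hold exactly one chain:");
            Console.Error.WriteLine(DescribeChain(storage));
            return false;
        }
        handler.CertStorage = storage;
        handler.AutoCollectRevocationInfo = true;
        handler.IgnoreChainValidationErrors = false;
        return true;
    }
}
```

If AttachIfSingleChain returns true and signing still fails with "Chain validation failed", the certificates themselves are no longer the first suspect; the remaining step the handler performs with AutoCollectRevocationInfo enabled is fetching and validating CRL or OCSP data for each certificate in the chain, so that is where to look next.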
#17925
Posted: 10/18/2011 04:04:22
by Eugene Mayevski (EldoS Corp.)

It is possible that validation fails not because of your certificates but during validation of revocation information (CRLs, OCSP etc.). I will move your question to the helpdesk where you can post your document for investigation.


Sincerely yours
Eugene Mayevski