EldoS | Feel safer!

Chain validation failed

#17909
Posted: 10/17/2011 07:39:03
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello
If I try to sign a PDF document with PADES and set
Code
handler.AutoCollectRevocationInfo = true


then signing fails with the error
Quote

---------------------------
Error
---------------------------
Chain validation failed
---------------------------
OK
---------------------------

If I leave this property set to false, signing passes OK, but then in verification I again get the error: "Chain validation failed". What can I do?
#17910
Posted: 10/17/2011 07:45:59
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should put full signing certificate chain to TElPDFAdvancedPublicKeySecurityHandler.CertStorage. Or you can set TElPDFAdvancedPublicKeySecurityHandler.IgnoreChainValidationErrors to 'true'.
#17911
Posted: 10/17/2011 07:53:10
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Quote
You should put full signing certificate chain to TElPDFAdvancedPublicKeySecurityHandler.CertStorage


Could you please explain to me how to do it? In the PAdES demo there's no sample for doing that.
#17912
Posted: 10/17/2011 08:01:22
by Vsevolod Ievgiienko (EldoS Corp.)

You should read this article first: http://www.eldos.com/security/articles/3641.php

Certificates can be added using TElPDFAdvancedPublicKeySecurityHandler.CertStorage.Add method.
#17913
Posted: 10/17/2011 09:31:32
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I am setting the CertStorage property of the TElPDFAdvancedPublicKeySecurityHandler object to my smart card storage (an instance of TElPKCS11CertStorage). This storage is opened and the session is logged in. The storage has 3 certificates, which all together create a valid chain. Still I get the error "Chain validation failed". I want to mention that if I set IgnoreChainValidationErrors to true, the document gets signed OK and even Adobe Reader says that the document is signed OK and can validate it without problems. However I am suspicious, since I get this error if I don't set IgnoreChainValidationErrors to true. I have read the article you mentioned, but I wonder why I should create my own ElCustomCertStorage object when I have my storage (from the smart card) which is already prefilled with valid values?
#17914
Posted: 10/17/2011 09:57:16
by Vsevolod Ievgiienko (EldoS Corp.)

Try to check if TElPKCS11CertStorage.ChainCount is equal to 1 to ensure that a full chain is stored there.
#17916
Posted: 10/17/2011 10:41:27
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

A strange thing happens when I try to check the ChainCount property. The program blocks forever and I can only kill it from VS. If I don't check it, everything else works...
#17919
Posted: 10/17/2011 11:43:55
by Vsevolod Ievgiienko (EldoS Corp.)

Hm... strange. Try to copy all certificates from token to TElMemoryCertStorage and check if its ChainCount == 1. Then try to use it for signing. If this works for you then we'll try to localize a problem with TElPKCS11CertStorage.
#17924
Posted: 10/18/2011 03:38:17
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After I did this:
Code
TElMemoryCertStorage memStorage = new TElMemoryCertStorage();
// copy every certificate from the smart card storage into the memory storage
for (int i = 0; i < storage.Count; i++)
{
  TElX509Certificate cert = storage.get_Certificates(i);
  memStorage.Add(cert, true);
}
// hand the in-memory copy to the PAdES handler instead of the PKCS#11 storage
handler.CertStorage = memStorage;

I am still getting the same error ("chain validation failed"). ChainCount is equal to 1.

Concerning the problem about ChainCount property from smart card storage I have found out that:
Code
TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
storage.DLLName = "aetpkss1.dll";
storage.Open();
// opening a session on slot 0 (read/write) is what triggers the hang below
TElPKCS11SessionInfo session = null;
session = storage.OpenSession(0, true);
MessageBox.Show(storage.ChainCount.ToString());

If I comment out OpenSession, this works (showing ChainCount 0), but if I uncomment OpenSession, the program blocks...
#17925
Posted: 10/18/2011 04:04:22
by Eugene Mayevski (EldoS Corp.)

It is possible that validation fails not because of your certificates but during validation of revocation information (CRLs, OCSP etc.). I will move your question to the helpdesk where you can post your document for investigation.


Sincerely yours
Eugene Mayevski
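Pulling the thread's advice together, as an added example that is not from the original posts or from EldoS: copy the token's certificates into a TElMemoryCertStorage, confirm that ChainCount == 1, and only then hand the storage to the handler, keeping IgnoreChainValidationErrors at false so a real chain or revocation problem is surfaced instead of suppressed. The class and member names are those used in the thread; the namespace names and the meaning of the second argument to Add are assumptions.

```csharp
using System;
using SBX509;               // TElX509Certificate (namespace assumed)
using SBMemoryCertStorage;  // TElMemoryCertStorage (namespace assumed)
using SBPKCS11CertStorage;  // TElPKCS11CertStorage (namespace assumed)
using SBPDFSecurity;        // TElPDFAdvancedPublicKeySecurityHandler (namespace assumed)

public static class PadesChainSetup
{
    // Copies every certificate on the token into an in-memory storage, as
    // suggested in the thread, and checks that they link into exactly one
    // chain (ChainCount == 1) before the storage is given to the handler.
    // Reading ChainCount from the memory copy also avoids the hang observed
    // on the PKCS#11 storage after OpenSession.
    public static TElMemoryCertStorage BuildSigningChain(TElPKCS11CertStorage token)
    {
        TElMemoryCertStorage chain = new TElMemoryCertStorage();
        for (int i = 0; i < token.Count; i++)
        {
            TElX509Certificate cert = token.get_Certificates(i);
            // second argument copied from the thread's snippet (assumed to
            // request that the private key reference is copied as well)
            chain.Add(cert, true);
        }
        if (chain.Count == 0)
            throw new InvalidOperationException("Token exposes no certificates.");
        if (chain.ChainCount != 1)
            throw new InvalidOperationException(
                "Expected one complete chain, found " + chain.ChainCount +
                "; an intermediate or root CA certificate is probably missing.");
        return chain;
    }

    // Wires the verified chain into the PAdES handler. Chain validation
    // errors are deliberately not ignored: if signing still fails with a
    // complete chain, the remaining suspect is revocation checking
    // (CRL/OCSP), as the last reply points out, so try once with
    // collectRevocationInfo = false to tell the two cases apart.
    public static void Configure(TElPDFAdvancedPublicKeySecurityHandler handler,
                                 TElMemoryCertStorage chain,
                                 bool collectRevocationInfo)
    {
        handler.CertStorage = chain;
        handler.AutoCollectRevocationInfo = collectRevocationInfo;
        handler.IgnoreChainValidationErrors = false;
    }
}
```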