EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Chain validation failed

Posted: 10/17/2011 07:39:03
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

If I try to sign a PDF document with PAdES and set
handler.AutoCollectRevocationInfo = true

then signing fails with the error

Chain validation failed

If I leave this property false, signing passes OK, but then in verification I again get the error: "Chain validation failed". What can I do?
Posted: 10/17/2011 07:45:59
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

You should put the full signing certificate chain into TElPDFAdvancedPublicKeySecurityHandler.CertStorage. Or you can set TElPDFAdvancedPublicKeySecurityHandler.IgnoreChainValidationErrors to 'true'.
Posted: 10/17/2011 07:53:10
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

> You should put the full signing certificate chain into TElPDFAdvancedPublicKeySecurityHandler.CertStorage

Could you please explain to me how to do it? In the PAdES demo there's no sample for doing that.
Posted: 10/17/2011 08:01:22
by Vsevolod Ievgiienko (EldoS Corp.)

You should read this article first: http://www.eldos.com/security/articles/3641.php

Certificates can be added using TElPDFAdvancedPublicKeySecurityHandler.CertStorage.Add method.
Posted: 10/17/2011 09:31:32
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I am setting the CertStorage property of the TElPDFAdvancedPublicKeySecurityHandler object to my smart card storage (an instance of TElPKCS11CertStorage). This storage is opened and the session is logged in. The storage has 3 certificates, which together form a valid chain. Still I get the error "Chain validation failed". I want to mention that if I set IgnoreChainValidationErrors to true, the document gets signed OK, and even Adobe Reader says that the document is signed OK and can validate it without problems. However, I am suspicious since I get this error if I don't set IgnoreChainValidationErrors to true. I have read the article you mentioned, but I wonder why I should create my own ElCustomCertStorage object when I have my storage (from the smart card) which is already prefilled with valid values?
Posted: 10/17/2011 09:57:16
by Vsevolod Ievgiienko (EldoS Corp.)

Try to check if TElPKCS11CertStorage.ChainCount is equal to 1 to ensure that a full chain is stored there.
Posted: 10/17/2011 10:41:27
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

A strange thing happens when I try to check the ChainCount property. The program blocks forever and I can only kill it from VS. If I don't check it, everything else works...
Posted: 10/17/2011 11:43:55
by Vsevolod Ievgiienko (EldoS Corp.)

Hm... strange. Try to copy all certificates from the token to a TElMemoryCertStorage and check if its ChainCount == 1. Then try to use it for signing. If this works for you, then we'll try to localize the problem with TElPKCS11CertStorage.
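The check suggested in this reply, written out as an added C# example (it is not code from the thread or from EldoS): copy the token's certificates into a TElMemoryCertStorage, list which certificates lack an issuer in the storage (the usual reason a chain does not validate), and only then hand the storage to the PDF security handler. The namespaces (SBX509, SBCustomCertStorage, SBPKCS11CertStorage, SBPDFSecurity), the SubjectRDN/IssuerRDN/SelfSigned members, SaveToDNString and CloseSession are assumed from the SecureBlackbox .NET API; the thread itself only names Count, get_Certificates, Add, ChainCount, DLLName, OpenSession, CertStorage, AutoCollectRevocationInfo and IgnoreChainValidationErrors.

```csharp
// Added example, not code from the thread or from EldoS. Namespaces and the
// SubjectRDN/IssuerRDN/SelfSigned/SaveToDNString/CloseSession members are
// assumed from the SecureBlackbox .NET API.
using System;
using System.Collections.Generic;
using SBX509;
using SBCustomCertStorage;
using SBPKCS11CertStorage;
using SBPDFSecurity;

static class ChainCheck
{
    // Copies every certificate from 'source' into a fresh in-memory storage.
    // The second argument mirrors the Add(cert, true) call used in the thread.
    public static TElMemoryCertStorage CopyToMemory(TElCustomCertStorage source)
    {
        var mem = new TElMemoryCertStorage();
        for (int i = 0; i < source.Count; i++)
        {
            TElX509Certificate cert = source.get_Certificates(i);
            mem.Add(cert, true);
        }
        return mem;
    }

    // Returns one line per certificate whose issuer is neither itself nor any
    // other certificate in the storage. An empty list means every link up to a
    // self-signed root is present, which is what ChainCount == 1 expresses for
    // a storage holding exactly one chain.
    public static List<string> MissingIssuers(TElCustomCertStorage storage)
    {
        var subjects = new HashSet<string>();
        for (int i = 0; i < storage.Count; i++)
            subjects.Add(storage.get_Certificates(i).SubjectRDN.SaveToDNString());

        var missing = new List<string>();
        for (int i = 0; i < storage.Count; i++)
        {
            TElX509Certificate cert = storage.get_Certificates(i);
            if (cert.SelfSigned) continue;           // root: no separate issuer expected
            string issuer = cert.IssuerRDN.SaveToDNString();
            if (!subjects.Contains(issuer))
                missing.Add(cert.SubjectRDN.SaveToDNString() + " <- issuer not in storage: " + issuer);
        }
        return missing;
    }

    public static void Main()
    {
        var token = new TElPKCS11CertStorage();
        token.DLLName = "aetpkss1.dll";                       // PKCS#11 module named in the thread
        TElPKCS11SessionInfo session = token.OpenSession(0, true);
        try
        {
            TElMemoryCertStorage mem = CopyToMemory(token);
            Console.WriteLine("certificates copied: " + mem.Count + ", ChainCount: " + mem.ChainCount);
            foreach (string gap in MissingIssuers(mem))
                Console.WriteLine("gap: " + gap);

            var handler = new TElPDFAdvancedPublicKeySecurityHandler();
            handler.CertStorage = mem;
            // Collect CRL/OCSP data only when the chain is complete: with a gap
            // there is no issuer certificate to validate the revocation data against.
            handler.AutoCollectRevocationInfo = (mem.ChainCount == 1);
            // Keep the error visible rather than suppressing it.
            handler.IgnoreChainValidationErrors = false;
            // ... attach 'handler' to the TElPDFDocument and sign as in the PAdES demo.
        }
        finally
        {
            token.CloseSession(session);                      // assumed API
        }
    }
}
```

If MissingIssuers returns anything, the storage is what the error is about and adding the named issuer certificate (from the token, a file, or the Windows store) fixes it; if it returns nothing and ChainCount is 1 but signing still fails, the problem lies elsewhere, for example in revocation checking rather than in the chain itself.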
Posted: 10/18/2011 03:38:17
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After I did this:

TElMemoryCertStorage memStorage = new TElMemoryCertStorage();
for (int i = 0; i < storage.Count; i++)
{
  // copy each certificate from the token storage, keeping the private key reference
  TElX509Certificate cert = storage.get_Certificates(i);
  memStorage.Add(cert, true);
}
handler.CertStorage = memStorage;

I am still getting the same error ("chain validation failed"). ChainCount is equal to 1.

Concerning the problem with the ChainCount property of the smart card storage, I have found out that with:

TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
storage.DLLName = "aetpkss1.dll";
TElPKCS11SessionInfo session = null;
session = storage.OpenSession(0, true);

if I comment out OpenSession this works (showing ChainCount 0), but if I uncomment OpenSession, the program blocks...
Posted: 10/18/2011 04:04:22
by Eugene Mayevski (EldoS Corp.)

It is possible that validation fails not because of your certificates but during validation of the revocation information (CRLs, OCSP, etc.). I will move your question to the helpdesk, where you can post your document for investigation.

Sincerely yours
Eugene Mayevski