EldoS | Feel safer!

Validating documents signed with revoked signature

Posted: 05/08/2012 04:49:38
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

For test purposes I've got from a customer a smart card containing a certificate which is revoked. When I sign a document with that certificate (for example PDF or Office), the corresponding applications (Adobe Reader or Word) correctly show that the signature is not valid because the signer's certificate is revoked. But the problem is that I can't get the same result in my application, nor in any test application from EldoS.

The CRL is actually contained in the signature. I saw that one of the SBCertificateValidityReason values is vrRevoked, which should mean that the certificate is revoked by the issuer...

What should I do in order to properly validate documents signed with revoked certificates?
Posted: 05/08/2012 05:15:31
by Vsevolod Ievgiienko (Team)

Thank you for contacting us.

What result do you get with our samples? Could you post a sample document to reproduce the problem here or via Helpdesk (https://www.eldos.com/helpdesk/index.php)?
Posted: 05/08/2012 05:19:06
by Eugene Mayevski (Team)

If you pass the CRL from the signature to TElCertificateValidator, AND that CRL is recognized, then the validator should report that the certificate has been revoked. However, the situation is more complicated: the CRL's signature is also validated, and if validation of that signature fails, the CRL is not taken into account. So first of all you need to check the CRL's validity itself. In general we have a how-to on how TElCertificateValidator works (just in case you didn't see it before). To check whether the CRL is used, you can handle the OnCRL* events and see which ones are called and what is reported there.

Also, you are welcome to post your document for checking (probably via the HelpDesk ticket). I'll move your question to the helpdesk so that you can post your document here, and this answer will serve as information for other users.

Sincerely yours
Eugene Mayevski
Posted: 05/08/2012 05:49:56
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

I have found where the problem was. When setting up TElX509CertificateValidator I had set MandatoryCRLCheck to true. But since one CRL is not accessible (it is a partial CRL defined only for Entrust Ready applications), it got the exception that it can't validate the chain. But when I set MandatoryCRLCheck to false, everything worked as expected.

Thank you for support.
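The distinction the thread turns on (a CRL that proves revocation, versus a CRL that is missing or whose signature does not verify and therefore cannot be used, which a mandatory-CRL policy turns into a chain-validation failure) as an added example; this is not EldoS/SecureBlackbox code, and the constructed test CA, the CRL and the `crl_status` function with its `mandatory_crl_check` flag (modelled on the MandatoryCRLCheck property discussed above) are the example's own, using the Python `cryptography` package.

```python
"""Added example (not EldoS code): model of the revocation decisions in the thread.
A CRL is trusted only when its signature verifies against the issuer; a missing or
unverifiable CRL yields 'undetermined', and a mandatory-CRL policy (cf. the
MandatoryCRLCheck setting) turns that into a hard failure instead of a pass."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca():
    """Constructed test CA: private key plus self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(_name("Test CA"))
            .issuer_name(_name("Test CA")).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=30))
            .sign(key, hashes.SHA256()))
    return key, cert


def make_crl(signing_key, issuer_cert, revoked_serials):
    """Constructed CRL naming issuer_cert as issuer, signed with signing_key
    (pass a different key to simulate a CRL whose signature does not verify)."""
    now = datetime.now(timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(now - timedelta(hours=1)).next_update(now + timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s)
                                      .revocation_date(now - timedelta(hours=1)).build())
    return b.sign(signing_key, hashes.SHA256())


def crl_status(serial, crl, issuer_cert, mandatory_crl_check):
    """Return 'revoked', 'good' or 'undetermined'. With mandatory_crl_check the
    absence of a trustworthy CRL raises instead (the chain failure in the thread)."""
    trusted = crl is not None and crl.is_signature_valid(issuer_cert.public_key())
    if not trusted:
        if mandatory_crl_check:
            raise ValueError("chain validation failed: CRL missing or unverifiable")
        return "undetermined"  # CRL ignored; this is NOT a proof of non-revocation
    return "revoked" if crl.get_revoked_certificate_by_serial_number(serial) else "good"
```

Note that "undetermined" is a distinct outcome from "good": with the mandatory check off, a certificate whose CRL could not be verified passes without any revocation evidence, which is the trade-off the last post makes.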
