EldoS | Feel safer!

CAdES-EPES question?

#21746
Posted: 09/27/2012 06:50:51
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi all,
I need to use a CAdES-EPES envelope in order to sign different documents (pdf, txt, doc, etc.).
I read that PKIBlackBox allows this but I'm not able to find an example or documentation about the methods I have to use.
Can someone help me?

Thanks

Adi Vasi
#21747
Posted: 09/27/2012 07:04:07
by Ken Ivanov (EldoS Corp.)

Adi,

Thank you for your interest in SecureBlackbox.

You can create CAdES-EPES signatures with TElCAdESSignatureProcessor class (it's a bit of a higher level one) or with TElSignedCMSMessage class (more sophisticated yet flexible). You will find the samples in the PKIBlackbox sub-folder of the Samples folder. I'm afraid that a sample for TElCAdESSignatureProcessor is only available in VCL edition, still this class is really easy to use; in most cases you only need to call its CreateEPES() method to create the signature.
#21756
Posted: 09/28/2012 12:50:58
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi Ivanov,

Thank you for your quick response. I didn't succeed in creating a CAdES-EPES signature. I tried to use the TElCAdESSignatureProcessor class but I don't know what PolicyID refers to.
I have another problem. I created a CAdES-BES signature, after that I upgraded it to CAdES-T, and when I tried to upgrade to CAdES-C I received an error something like: {"Collected validation information is not complete"} System.Exception {SBCAdES.EElCAdESSignatureProcessorError}. If you need, I can send my sample code.
Can you provide a sample code or some steps?

Thanks in advance,
Vasi.
#21761
Posted: 09/29/2012 13:13:02
by Ken Ivanov (EldoS Corp.)

Quote
I tried to use TElCAdESSignatureProcessor class but I don't know what PolicyID refers to.

A CAdES-EPES signature is required to be made according to a known signature policy. PolicyID refers to a unique identifier of that policy.

Quote
I have another problem. I created a CAdES-BES signature, after that I upgraded it to CAdES-T, and when I tried to upgrade to CAdES-C I received an error something like: {"Collected validation information is not complete"} System.Exception {SBCAdES.EElCAdESSignatureProcessorError}.

This means that the component was unable to collect the whole set of validation information needed to perform deep signature validation. The most common reasons for this error are the following:

1) One or more CA certificates (including those of the TSA) are not available.
2) One or more online CRL or OCSP responders are not available (so the component was unable to retrieve the validity status for one or more certificates).
3) One or more CRL/OCSP responders run on HTTPS servers, which require special setup of the used TElHTTPSClient object.

To track down the reason, please do the following:

1) Handle the OnCertValidatorPrepared and OnCertValidatorFinished events,
2) Inside the OnCertValidatorPrepared handler adjust the properties of the passed TElX509CertificateValidator object:

CertValidator.MandatoryCRLCheck = false;
CertValidator.MandatoryOCSPCheck = false;
CertValidator.MandatoryRevocationCheck = true;

3) Inside the OnCertValidatorPrepared handler, add handlers for the OnBeforeCertificateValidation, OnAfterCertificateValidation, OnCRLError and OnOCSPError events of the validator object.
4) Inside the handlers, do extensive logging to get an understanding of what is going wrong and where:
Code
procedure TfrmSig.HandleCertValidatorBeforeCertValidation(Sender : TObject;
  Certificate : TElX509Certificate);
begin
  AddToLog('Validating certificate: ' + Certificate.SubjectName.CommonName);
end;

procedure TfrmSig.HandleCertValidatorAfterCertValidation(Sender : TObject;
  Certificate : TElX509Certificate; CACertificate : TElX509Certificate;
  var Validity : TSBCertificateValidity; var Reason: TSBCertificateValidityReason;
  var DoContinue : boolean);
begin
  AddToLog('Validation done for ' + Certificate.SubjectName.CommonName + ': validity: ' +
    CertValidityToStr(Validity) + ', reason: ' + CertValidityReasonToStr(Reason));
end;

...
#21765
Posted: 09/30/2012 12:31:29
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

I have followed the steps in this article: http://www.eldos.com/security/articles/7639.php
but I still get the same error. I found an error on the OCSP check in the CertValidator_OnOCSPError method and the error code is 2001. In the OnCertValidatorFinished event the value of Validity is "cvInvalid". If I set CertValidator.CheckOCSP to false I didn't receive any errors, but in the OnCertValidatorFinished event the Validity value is cvChainUnvalidated. The certificate is OK, it is not revoked or expired.
#21766
Posted: 09/30/2012 13:20:51
by Eugene Mayevski (EldoS Corp.)

Error code 2001 stands for SB_VALIDATOR_OCSP_ERROR_VALIDATION_FAILED -- validation of OCSP response has failed. Finding the actual reason is your job -- SecureBlackbox provides all means for this. OnOCSPError will contain the certificate, for which OCSP check has failed, and you can use SecureBlackbox mechanisms to retrieve the OCSP and perform manual OCSP check.


Sincerely yours
Eugene Mayevski
#21795
Posted: 10/02/2012 05:56:52
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi,

I tried to use another certificate and the OCSP validation error disappeared. Now I have another problem and I think it is because of the timestamp server. I've attached the log file.

Thanks,
Vasi.

#21796
Posted: 10/02/2012 06:00:30
by Eugene Mayevski (EldoS Corp.)

There's no log attached. Note that the forum lets you attach only TXT files (besides images) below 256Kb in size.


Sincerely yours
Eugene Mayevski
#21797
Posted: 10/02/2012 06:02:54
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi,

Now it is attached.
#21798
Posted: 10/02/2012 06:23:33
by Ken Ivanov (EldoS Corp.)

Thanks.

That's the crucial line:
Quote
Finished validation of the certificate: /2.5.4.6=FR/2.5.4.10=EdelWeb S.A./2.5.4.11=Project K7 Illidium Ultraspace Gas Factory/2.5.4.3=Experimental Time Stamping Service / /2.5.4.6=FR/2.5.4.10=EdelWeb S.A./2.5.4.11=Clepsydre Demonstration Service/2.5.4.3=Time Stamping Authority, validity: cvChainUnvalidated, reason: 0

It is likely that the certificate of the TSA ends up with an untrusted root certificate. The easiest way to resolve the issue is to add the root certificate of the TSA certificate's chain to the Trusted Root system store.
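As an added example (not code from this thread or from SecureBlackbox), a small Python helper that parses the AddToLog output format quoted above, decodes the OID-named DN attributes of subject and issuer, and maps the validity value to the next diagnostic step discussed in the thread (untrusted root for cvChainUnvalidated, CRL/OCSP error codes for cvInvalid). The sample log lines are constructed, and cvOk is assumed to be the library's success value.

```python
import re

# RFC 4519 short names for the attribute OIDs that appear in the thread's log line.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Constructed sample lines in the format of the thread's AddToLog output (not a real log).
SAMPLE_LOG = """\
Finished validation of the certificate: /2.5.4.6=FR/2.5.4.10=Example TSA Ltd/2.5.4.11=Demo Service/2.5.4.3=Example Time Stamping Service / /2.5.4.6=FR/2.5.4.10=Example TSA Ltd/2.5.4.3=Example TSA Root, validity: cvChainUnvalidated, reason: 0
Finished validation of the certificate: /2.5.4.6=FR/2.5.4.10=Example CA/2.5.4.3=Example Signer / /2.5.4.6=FR/2.5.4.10=Example CA/2.5.4.3=Example Issuing CA, validity: cvOk, reason: 0
"""

# Subject and issuer DNs are separated by " / "; the issuer ends at ", validity:".
FINISHED_RE = re.compile(
    r"^Finished validation of the certificate: (?P<subject>/.+?) / (?P<issuer>/.+?), "
    r"validity: (?P<validity>\w+), reason: (?P<reason>\d+)$"
)

# Triage advice keyed by validity value. cvChainUnvalidated and cvInvalid are quoted
# from the thread; cvOk is assumed to be the library's success value.
ADVICE = {
    "cvChainUnvalidated": "no path to a trusted root: add the issuer's root certificate "
                          "to the trusted store",
    "cvInvalid": "validation failed: inspect the OnCRLError/OnOCSPError codes "
                 "(2001 = SB_VALIDATOR_OCSP_ERROR_VALIDATION_FAILED)",
}


def parse_dn(text):
    """Turn '/2.5.4.6=FR/2.5.4.3=Name' into {'C': 'FR', 'CN': 'Name'}.
    Assumes attribute values contain no '/' (true for the thread's log line)."""
    dn = {}
    for part in text.strip("/").split("/"):
        oid, _, value = part.partition("=")
        dn[OID_NAMES.get(oid, oid)] = value
    return dn


def analyze_log(text):
    """One finding per 'Finished validation' line: parsed subject/issuer DNs,
    the validity value, the numeric reason, and the matching triage advice."""
    findings = []
    for line in text.splitlines():
        m = FINISHED_RE.match(line)
        if m:
            findings.append({
                "subject": parse_dn(m.group("subject")),
                "issuer": parse_dn(m.group("issuer")),
                "validity": m.group("validity"),
                "reason": int(m.group("reason")),
                "diagnosis": ADVICE.get(m.group("validity"), "no action needed"),
            })
    return findings
```

Running analyze_log over a real log points straight at the issuer CN whose root is missing from the trusted store, which is the check the last reply above recommends.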