CAdES-EPES question?

#21802
Posted: 10/03/2012 03:31:58
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi all,

Finally I have succeeded in creating a CAdES-BES C signature. The log file doesn't seem to contain any errors and the catch mechanism doesn't catch any exceptions.
Now I want to validate the signature.

Code

// Open the signed CMS message; the second argument is null because the content is embedded
FileStream sInput = new FileStream(input, FileMode.Open, FileAccess.Read);
TElSignedCMSMessage verify = new TElSignedCMSMessage();
verify.Open(sInput, null, 0, 0);

// Take the first SignerInfo and wrap it in a CAdES processor
TElCMSSignature sig = verify.get_Signatures(0);

TElCAdESSignatureProcessor cadesProc = new SBCAdES.TElCAdESSignatureProcessor(sig);

// Trust anchors: the Windows ROOT system store
TElWinCertStorage trustedCerts = new TElWinCertStorage();
trustedCerts.SystemStores.Add("ROOT");
cadesProc.TrustedCertificates = trustedCerts;

// Hook the certificate validator events so each chain check can be logged
cadesProc.OnCertValidatorPrepared += new SBCAdES.TSBCAdESCertValidatorPreparedEvent(cadesProc_OnCertValidatorPrepared);
cadesProc.OnCertValidatorFinished += new SBCAdES.TSBCAdESCertValidatorFinishedEvent(cadesProc_OnCertValidatorFinished);

TSBCAdESSignatureValidity result = cadesProc.Validate();


After execution the result value is "asvInvalid", which means the signature is invalid, I guess. I checked the log and there don't seem to be any errors.

Thanks,
Vasi
#21803
Posted: 10/03/2012 03:57:07
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Most likely the internal instance of TElX509CertificateValidator fails to validate some certificate. You should assign its event handlers in the cadesProc_OnCertValidatorPrepared handler and log the validator's output to find out the exact reason.
#21804
Posted: 10/03/2012 04:14:21
by Adi Vasi (Basic support level)
Joined: 09/27/2012
Posts: 19

Hi,

I assigned the event handlers like below.
Code

#region [cadesProc_OnCertValidatorPrepared]

// Called once per certificate before the validator runs; the handler name matches
// the subscription in the first post (cadesProc_OnCertValidatorPrepared)
void cadesProc_OnCertValidatorPrepared(object Sender, ref SBCertValidator.TElX509CertificateValidator CertValidator, TElX509Certificate Cert)
{
    log.Info("Starting validation of the certificate: " + Cert.SubjectRDN.SaveToDNString() + " / " + Cert.IssuerRDN.SaveToDNString());

    // Revocation settings: try both OCSP and CRL, neither one is mandatory on its own,
    // but at least one revocation source must be checked successfully
    CertValidator.CheckOCSP = true;
    //CertValidator.CheckOCSP = false;
    CertValidator.CheckCRL = true;
    CertValidator.MandatoryCRLCheck = false;
    CertValidator.MandatoryOCSPCheck = false;
    CertValidator.MandatoryRevocationCheck = true;
    //CertValidator.IgnoreCAKeyUsage = true;

    // Log every step of the chain and revocation checks
    CertValidator.OnBeforeCRLRetrieverUse += new SBCertValidator.TSBBeforeCRLRetrieverUseEvent(CertValidator_OnBeforeCRLRetrieverUse);
    CertValidator.OnBeforeOCSPClientUse += new SBCertValidator.TSBBeforeOCSPClientUseEvent(CertValidator_OnBeforeOCSPClientUse);
    CertValidator.OnCRLError += new SBCertValidator.TSBCertificateValidatorCRLErrorEvent(CertValidator_OnCRLError);
    CertValidator.OnCRLNeeded += new SBCertValidator.TSBCRLNeededEvent(CertValidator_OnCRLNeeded);
    CertValidator.OnCRLRetrieved += new SBCertValidator.TSBCRLRetrievedEvent(CertValidator_OnCRLRetrieved);
    CertValidator.OnOCSPError += new SBCertValidator.TSBCertificateValidatorOCSPErrorEvent(CertValidator_OnOCSPError);
    CertValidator.OnAfterCRLUse += new SBCertValidator.TSBAfterCRLUseEvent(CertValidator_OnAfterCRLUse);
    CertValidator.OnAfterOCSPResponseUse += new SBCertValidator.TSBAfterOCSPResponseUseEvent(CertValidator_OnAfterOCSPResponseUse);
    CertValidator.OnBeforeCertificateValidation += new TSBBeforeCertificateValidationEvent(CertValidator_OnBeforeCertificateValidation);
    CertValidator.OnAfterCertificateValidation += new TSBAfterCertificateValidationEvent(CertValidator_OnAfterCertificateValidation);
}

// Called after each certificate is validated; Validity and Reason explain the verdict
void cadesProc_OnCertValidatorFinished(object Sender, SBCertValidator.TElX509CertificateValidator CertValidator, TElX509Certificate Cert, TSBCertificateValidity Validity, int Reason)
{
    log.Info("Finished validation of the certificate: " + Cert.SubjectRDN.SaveToDNString() + " / " + Cert.IssuerRDN.SaveToDNString() + ", validity: " + Validity.ToString() + ", reason: " + Reason.ToString());
}

void CertValidator_OnAfterOCSPResponseUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBOCSPClient.TElOCSPResponse Response)
{
    log.Info("Successfully used OCSP response for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString());
}

void CertValidator_OnAfterCRLUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBCRL.TElCertificateRevocationList CRL)
{
    log.Info("Successfully used CRL for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString());
}

void CertValidator_OnOCSPError(object Sender, TElX509Certificate Certificate, string Location, SBOCSPClient.TElOCSPClient Client, int ErrorCode)
{
    log.Info("Encountered OCSP error when validating certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location + ", error: " + ErrorCode.ToString());
}

void CertValidator_OnCRLRetrieved(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBX509Ext.TSBGeneralName NameType, string Location, SBCRL.TElCertificateRevocationList CRL)
{
    log.Info("Retrieved CRL for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location);
}

void CertValidator_OnCRLNeeded(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, ref SBCRLStorage.TElCustomCRLStorage CRLs)
{
    log.Info("CRL needed for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString());
}

void CertValidator_OnCRLError(object Sender, TElX509Certificate Certificate, string Location, SBCRLStorage.TElCustomCRLRetriever Retriever, int ErrorCode)
{
    log.Info("Encountered CRL error when validating certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location + ", error: " + ErrorCode.ToString());
}

void CertValidator_OnBeforeOCSPClientUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, string OCSPLocation, ref SBOCSPClient.TElOCSPClient OCSPClient)
{
    log.Info("Will be retrieving OCSP response for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + OCSPLocation);
}

void CertValidator_OnBeforeCRLRetrieverUse(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, SBX509Ext.TSBGeneralName NameType, string Location, ref SBCRLStorage.TElCustomCRLRetriever Retriever)
{
    log.Info("Will be retrieving CRL for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ", location: " + Location);
}

void CertValidator_OnAfterCertificateValidation(object Sender, TElX509Certificate Certificate, TElX509Certificate CACertificate, ref TSBCertificateValidity Validity, ref int Reason, ref bool DoContinue)
{
    log.Info("Certificate validation completed for certificate: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString() + ". Validity: " + Validity.ToString() + ", Reason: " + Reason.ToString());
}

void CertValidator_OnBeforeCertificateValidation(object Sender, TElX509Certificate Certificate)
{
    log.Info("Starting certificate validation: " + Certificate.SubjectRDN.SaveToDNString() + " / " + Certificate.IssuerRDN.SaveToDNString());
}

#endregion


I have attached the log file. No errors appear in it.
Also, if I call cadesProc.isC() it returns false, and if I call cadesProc.isT() it returns true.

Thanks.


#21805
Posted: 10/03/2012 07:44:35
by Ken Ivanov (EldoS Corp.)

Normally a signature is reported as Invalid if there is no doubt that it was forged (in contrast to reporting the Incomplete status if the component fails to pick up certificates or revocation elements).

Do you intend to validate a detached or an embedded signature? If you do a detached one, you should load the signed content explicitly into the TElSignedCMSMessage object. If you are validating an embedded signature, please post the file in problem to the Helpdesk for investigation.
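As an added illustration of the two cases described in this reply (not code from the thread or from EldoS), the snippet below validates either an embedded or a detached CAdES signature with the same objects the thread already uses. It assumes that the second argument of TElSignedCMSMessage.Open, passed as null in the first post for the embedded case, takes the stream with the detached signed content; that the namespaces SBMessages, SBWinCertStorage and SBX509 and the SignatureCount property exist as named; and that the file paths are placeholders. Check the Open overloads in your SecureBlackbox version before relying on that.

```csharp
using System;
using System.IO;
using SBCAdES;
using SBCertValidator;
using SBMessages;        // assumed: namespace of TElSignedCMSMessage
using SBWinCertStorage;  // assumed: namespace of TElWinCertStorage
using SBX509;            // assumed: namespace of TElX509Certificate

static class CadesCheck
{
    // signaturePath: the CMS/CAdES file.
    // contentPath:   the original data for a detached signature, or null for an
    //                embedded (enveloping) one.
    static TSBCAdESSignatureValidity ValidateFile(string signaturePath, string contentPath)
    {
        using (var sigStream = new FileStream(signaturePath, FileMode.Open, FileAccess.Read))
        using (var dataStream = contentPath == null
                 ? null
                 : new FileStream(contentPath, FileMode.Open, FileAccess.Read))
        {
            var msg = new TElSignedCMSMessage();

            // Embedded: Open(sig, null, 0, 0) exactly as in the thread.
            // Detached: the signed content goes in the second argument (assumption,
            // see lead-in) so the processor can recompute the message digest over it;
            // opening a detached message without it leaves nothing to verify against.
            msg.Open(sigStream, dataStream, 0, 0);

            if (msg.SignatureCount == 0)   // assumed property name
                throw new InvalidOperationException("no SignerInfo in message");

            var proc = new TElCAdESSignatureProcessor(msg.get_Signatures(0));

            // Trust anchors: the Windows ROOT store, as in the thread.
            var trusted = new TElWinCertStorage();
            trusted.SystemStores.Add("ROOT");
            proc.TrustedCertificates = trusted;

            // Record every per-certificate verdict; Reason is the code that explains
            // why a certificate was not accepted.
            proc.OnCertValidatorFinished += (sender, validator, cert, validity, reason) =>
                Console.WriteLine("{0}: {1} (reason {2})",
                    cert.SubjectRDN.SaveToDNString(), validity, reason);

            return proc.Validate();
        }
    }

    static void Main(string[] args)
    {
        // args[0]: signature file; args[1] (optional): detached content file.
        var result = ValidateFile(args[0], args.Length > 1 ? args[1] : null);
        Console.WriteLine("Signature validity: " + result);

        // asvInvalid (the value seen in the thread) means the signature itself does
        // not verify; an incomplete chain or missing revocation data is reported
        // separately, so the two conditions call for different fixes.
        if (result == TSBCAdESSignatureValidity.asvInvalid)
            Console.WriteLine("Check whether the message is detached and was opened without its content.");
    }
}
```

Run it with the signature file alone for an embedded message, or with the signature file and the original data file for a detached one; the per-certificate lines printed by the OnCertValidatorFinished handler are the place to look when the overall verdict is not Valid.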
