EldoS | Feel safer!

A Problem with the certificate and the signature

#22770
Posted: 12/10/2012 11:17:03
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

Sample "PDFBlackBox -> PAdES": I use a certificate from system certificate storage to sign a pdf. Details:
I used "Use certificate from system certificate storage" and checked "Visible signature", "Create enhanced (PAdES) signature" and "Include local revocation information to the signature". When I try checking "Automatically collect revocation information (CRLs, OCSP statuses)", the sample tells me after all "Signing succeeded", but the end document is not signed.

Sample "PDFBlackBox -> Processor": When I try to check the signature I made with "PDFBlackBox -> PAdES", when I press "Validate" button, it tells me "The selected signature is signed by certificate that is NOT VALID".

Sample "PKIBlackBox -> CertValidator": When I check the certificate which I used to sign in the sample "PDFBlackBox -> PAdES", sample "PKIBlackBox -> CertValidator" tells me that the certificate is valid, with the following options checked:
"Check CRL", "Check OCSP", "Check validity period for trusted", "Complete chain validation for trusted", "Ignore CA Key usage", "Mandatory OCSP check", "Mandatory revocation check" and "Use System storages"

I guess that I am missing something, because I think that it can't be possible at the same time:
- Signing succeeded.
- Certificate validated.
- Fail checking the signature because certificate is not valid.
#22772
Posted: 12/10/2012 13:12:39
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for getting in touch with us.

What is the result of signature validation when it's performed using "PDFBlackBox -> PAdES" sample?
#22773
Posted: 12/11/2012 01:53:08
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

When I use "PDFBlackBox -> PAdES" it tells me "Signing succeeded".
After signing the document when I target the same document in "PDFBlackBox -> PAdES" (but without signing it again) I see inside Form1:


Document properties:
Filename
Pages
Attachments
Signed
Empty signature fields

Signatures
Type: Enhaced (long-term)
Name: Signature1
Author: Issuer: /2.5.4.6=ES/2.5.4.10=FNMT/2.5.4.11=FNMT Clase 2 CA, S/N: 3CD89718
Signing time: 11/12/2012 7:20
Timestamped: no
Validity: Chain validation failed

Revocation information (check trusted certificates)
Type: Certificate
Details: /2.5.4.6=ES/2.5.4.10=FNMT/2.5.4.11=FNMT Clase 2CA/2.5.4.11=701002321/2.5.4.3=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX
Location: Document


Afterwards when I open the PDF document I see the tab "Signatures". After clicking on it, I see something like this:

-Recipient Signatures
The following people have digitally counter-signed this document
-Signed by Not specified
An error occurred while attempting to verify this signature
Signer's identity has not yet been verified
-Time: 2012.12.11 07:20:36 Z
GMT: 2012.12.11 07:20:36 Z
Reason: Not Available
Field: Signature1 on page 1
Document revision: 1 of 1


I don't know if you meant this. Or are there any results that the "PDFBlackBox -> PAdES" should have shown me after signing but before ending the execution?
#22774
Posted: 12/11/2012 02:05:33
by Vsevolod Ievgiienko (EldoS Corp.)

If "PKIBlackBox -> CertValidator" reports the certificate as valid then we can compare its options with those used in PAdES sample and find out the difference. From your messages I see that in CertValidator sample "Ignore CA Key usage" is "true", however it's set to "false" by default. Please try to check if its value impacts the result of validation.
#22775
Posted: 12/11/2012 02:24:29
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

I get the same result in CertValidator with or without checking "Ignore CA Key usage" and having checked the options "Check CRL", "Check OCSP", "Check validity period for trusted", "Complete chain validation for trusted", "Mandatory OCSP check", "Mandatory revocation check" and "Use System storages". The result I get is:

11/12/2012 9:21:19 BeforeCertificateValidation:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY
11/12/2012 9:21:20 BeforeCRLRetrieverUse:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY, location=2.5.4.6=ES,2.5.4.10=FNMT,2.5.4.11=FNMT Clase 2 CA,2.5.4.3=CRL9545
11/12/2012 9:21:20 CACertificateNeeded:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, CRL missing
11/12/2012 9:21:20 AfterCertificateValidation:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, storage=MY, root CN=, validity=valid
11/12/2012 9:21:20 BeforeCertificateValidation:
CN=, storage=Root
11/12/2012 9:21:20 BeforeCRLRetrieverUse:
CN=, storage=Root, location=2.5.4.6=ES,2.5.4.10=FNMT,2.5.4.11=FNMT Clase 2 CA,2.5.4.3=CRL1
11/12/2012 9:21:20 CACertificateNeeded:
CN=, CRL missing
11/12/2012 9:21:20 AfterCertificateValidation:
CN=, storage=Root, root CN=, validity=valid

11/12/2012 9:21:20 RESULT:
CN=NOMBRE XXXXXXX XXXXXXXXXX XXX - NIF XXXXXXXXX, validity=valid
#22776
Posted: 12/11/2012 02:31:33
by Vsevolod Ievgiienko (EldoS Corp.)

Now I see the reason for the problem. You should turn MandatoryCRLCheck off in PAdES sample. Your certificate includes LDAP distribution point without a domain name part in the URL. Our component fails to retrieve it and this causes validation failure.

You should handle TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared event and change its value using CertValidator.MandatoryCRLCheck property.
#22777
Posted: 12/11/2012 03:23:50
by Blank Blank (Basic support level)
Joined: 11/30/2012
Posts: 9

I think that I don't understand it. If you meant "PKIBlackBox -> CertValidator" sample, I had already the check "MandatoryCRLCheck" turned off all the time (Maybe it is being checked in the background by the program without my knowledge? That is why you are telling me about TElPDFAdvancedPublicKeySecurityHandler.OnCertValidatorPrepared, to set in it the CertValidator.MandatoryCRLCheck to false?). If you meant another sample, I can't see any check named "MandatoryCRLCheck" neither in "PDFBlackBox -> PAdES" nor in "PDFBlackBox -> Processor". Those three samples are the ones with which I am trying to accomplish the target Certificate validation + PDF signing + PDF signature validation. So I have not made any changes in those three samples. I first want to accomplish the target mentioned above without modifying the samples if possible (Because I want to have a safe point where the target is achieved from which I can start working forward), and afterwards modify them.
#22778
Posted: 12/11/2012 03:34:46
by Vsevolod Ievgiienko (EldoS Corp.)

"PKIBlackBox -> CertValidator" sample uses TElX509CertificateValidator to validate certificates. Using checkboxes you can change its properties such as MandatoryCRLCheck etc.

"PDFBlackBox -> PAdES" sample uses TElPDFAdvancedPublicKeySecurityHandler to generate PAdES signatures and it in turn uses TElX509CertificateValidator internally to validate certificates used for signing.

The problem is that in "PDFBlackBox -> PAdES" sample TElX509CertificateValidator is used with default parameters (MandatoryCRLCheck is 'true') that doesn't work with your certificate but in "PKIBlackBox -> CertValidator" sample MandatoryCRLCheck is turned off and it works.

Your certificate can be successfully validated only when TElX509CertificateValidator.MandatoryCRLCheck is set to 'false'. That's why you need to modify "PDFBlackBox -> PAdES" sample as I described above.
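The fix described in posts #22776 and #22778 (handle OnCertValidatorPrepared and clear MandatoryCRLCheck on the validator the PAdES handler creates internally) as an added Delphi example; this is not code from the EldoS samples or the SecureBlackbox library. The event signature (Sender plus a TElX509CertificateValidator parameter), the unit names, the form class and the property names CheckOCSP, MandatoryOCSPCheck and MandatoryRevocationCheck (inferred from the CertValidator sample's checkbox labels quoted in the thread) are assumptions; check them against the SecureBlackbox help for your version.

```delphi
// Added example, not part of the EldoS samples. Assumed: unit names,
// the event signature of OnCertValidatorPrepared, and the property names
// other than MandatoryCRLCheck (those are inferred from the thread).
unit SignerFormUnit;

interface

uses
  SysUtils, Classes, Forms,
  SBX509, SBCertValidator, SBPDFSecurity;

type
  TSignerForm = class(TForm)  // hypothetical form hosting the PAdES handler
    procedure FormCreate(Sender: TObject);
  private
    FHandler: TElPDFAdvancedPublicKeySecurityHandler;
    procedure HandlerCertValidatorPrepared(Sender: TObject;
      Validator: TElX509CertificateValidator);
  end;

implementation

procedure TSignerForm.FormCreate(Sender: TObject);
begin
  FHandler := TElPDFAdvancedPublicKeySecurityHandler.Create(nil);
  // The handler builds its own TElX509CertificateValidator with default
  // settings (MandatoryCRLCheck = True). This event is the hook to adjust
  // that validator before it is used on the signing certificate.
  FHandler.OnCertValidatorPrepared := HandlerCertValidatorPrepared;
end;

procedure TSignerForm.HandlerCertValidatorPrepared(Sender: TObject;
  Validator: TElX509CertificateValidator);
begin
  // The signing certificate's CRL distribution point is an LDAP URL with
  // no host part, so the CRL can never be retrieved. With MandatoryCRLCheck
  // left at True the chain validation fails and the PAdES signature is
  // reported as signed by a certificate that is NOT VALID.
  Validator.MandatoryCRLCheck := False;

  // Do not drop revocation checking altogether: keep OCSP mandatory, which
  // is the configuration the CertValidator sample in the thread validated
  // the certificate with ("Check OCSP", "Mandatory OCSP check",
  // "Mandatory revocation check").
  Validator.CheckOCSP := True;
  Validator.MandatoryOCSPCheck := True;
  Validator.MandatoryRevocationCheck := True;
end;

end.
```

The point of keeping MandatoryOCSPCheck and MandatoryRevocationCheck on is that clearing MandatoryCRLCheck alone only tolerates an unreachable CRL; a revoked signing certificate should still be rejected through the OCSP path rather than accepted because no revocation source could be consulted.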