AS2Receipt Verify Signature always returns 8194

#24351
Posted: 03/28/2013 08:09:15
by John Anderson (Priority Standard support level)
Joined: 03/15/2013
Posts: 24

I am using the sample application from C:\Dev\EldoS\SecureBlackbox.NET\Samples\C#\EDIBlackbox\AS2\Sender.

When I use the call to:-
Code
private void buttonLoadReceipt_Click(object sender, EventArgs e)
{
    memoText.Text = String.Empty;
    listErrors.Items.Clear();
    Application.DoEvents();
    // Load() parses the receipt and fires OnVerifying / OnVerify / OnError;
    // it returns false when any error was reported during loading.
    bool result = as2Receipt.Load(textLoadReceiptFile.Text);
    LoadReceiptValues();
    LoadReceiptErrors();
    if (result)
        MessageBox.Show("The receipt is loaded successfully", Text);
    else
        MessageBox.Show("There were warnings while loading the receipt", Text);
}

the as2receipt.Load always returns false.
I have trapped:-
Code
// Empty handlers used only as breakpoint traps to inspect Code and Verifier.
void as2Receipt_OnError(object Sender, int Code, string Message, bool Critical, ref bool Ignore)
{
    ;
}

private void as2Receipt_OnVerifying(object Sender, TElASMessageVerifier Verifier)
{
    ;
}

private void as2Receipt_OnVerify(object Sender, TElASMessageVerifier Verifier)
{
    ;
}

as2Receipt_OnError has Code=8194 which is documented as:-

Decryption/Signature verification: Certificate which was used to encrypt/sign message was not found.

however on inspecting Verifier both before and after it does contain the correct certificate which was loaded during buttonCertificateAdd method.

The certificate is not "self-signed", so I am assuming it's the CA which it can't find; how does as2receipt.Load deal with chains? If I need to manually manipulate the Verifier to cope with a certification chain, how and where do I do that?
#24352
Posted: 03/28/2013 08:22:40
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Error code 8194 stands for SB_MESSAGE_ERROR_NO_CERTIFICATE. Possible reasons for this error:

- Decryption/Signature verification: Certificate which was used to encrypt/sign message was not found.
- Encryption/Signing: Certificate storage is empty.
- Signing: Certificate storage doesn't contain any certificate with corresponding private key.
- Decryption: The required certificate is found but it doesn't contain the corresponding private key.

So yes, you should manipulate the Verifier. You can add missing certificates to ((TElASSMIMEMessageVerifier)Verifier).Verifier.CertStorage.
#24355
Posted: 03/28/2013 08:44:05
by Eugene Mayevski (EldoS Corp.)

Let me also note that after the verifier verifies the message itself and extracts certificates (and possibly builds the certificate chain inside), you have the list of certificates (in Verifier) which you need to validate yourself. This can be done with the help of the TElX509CertificateValidator class.

There exist several reasons for validation not to be done by Verifier itself.


Sincerely yours
Eugene Mayevski
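The two steps described in #24352 (adding the missing certificates to the verifier's CertStorage in OnVerifying) and #24355 (validating the certificates the verifier extracted with TElX509CertificateValidator) written out as one added example. This is not the EldoS sample's code and not code from the thread. It assumes the SecureBlackbox .NET namespaces shown in the using lines, the LoadFromFileAuto, get_Certificates and Certificates members, that the signer's certificate is the first one the verifier extracts, and the as2Receipt and textLoadReceiptFile controls from the sample form; adjust these to the edition you have.

```csharp
using System;
using System.Windows.Forms;
using SBX509;                 // TElX509Certificate, TSBCertificateValidity (namespace assumed)
using SBMemoryCertStorage;    // TElMemoryCertStorage (namespace assumed)
using SBCertValidator;        // TElX509CertificateValidator (namespace assumed)
using SBASMessage;            // TElASMessageVerifier, TElASSMIMEMessageVerifier (namespace assumed)

// Added example, not the EldoS sample code. Member names LoadFromFileAuto,
// get_Certificates and Certificates are assumptions about the .NET edition.
public partial class ReceiptForm : Form
{
    // Issuing CA certificate(s) this receiver trusts, loaded once at startup.
    private readonly TElMemoryCertStorage trustedCAs = new TElMemoryCertStorage();

    // Outcome of the last certificate validation, shown after Load().
    private string lastValidationMessage = "";

    // Load a CA certificate (PEM or DER, no private key) into the trusted store.
    public void LoadTrustedCA(string path)
    {
        var ca = new TElX509Certificate();
        if (ca.LoadFromFileAuto(path, "") != 0)
            throw new InvalidOperationException("Cannot load CA certificate: " + path);
        trustedCAs.Add(ca, false);
    }

    // Step 1 (#24352): before verification, give the underlying TElMessageVerifier
    // every certificate it may need to locate the signer. A receipt whose signature
    // omits the chain otherwise fails with 8194 (SB_MESSAGE_ERROR_NO_CERTIFICATE).
    private void as2Receipt_OnVerifying(object Sender, TElASMessageVerifier Verifier)
    {
        var smime = Verifier as TElASSMIMEMessageVerifier;
        if (smime == null)
            return;                          // not an S/MIME-signed receipt; nothing to add

        var store = smime.Verifier.CertStorage as TElMemoryCertStorage;
        if (store == null)
        {
            store = new TElMemoryCertStorage();
            smime.Verifier.CertStorage = store;
        }
        for (int i = 0; i < trustedCAs.Count; i++)
            store.Add(trustedCAs.get_Certificates(i), false);
    }

    // Step 2 (#24355): the verifier only checks the signature; trust in the
    // signer's certificate is established separately, here against trustedCAs.
    private void as2Receipt_OnVerify(object Sender, TElASMessageVerifier Verifier)
    {
        var smime = Verifier as TElASSMIMEMessageVerifier;
        if (smime == null)
        {
            lastValidationMessage = "not an S/MIME verifier";
            return;
        }

        TElMemoryCertStorage found = smime.Verifier.Certificates;  // extracted from the signature
        if (found == null || found.Count == 0)
        {
            lastValidationMessage = "signature carries no certificate";
            return;
        }

        var validator = new TElX509CertificateValidator();
        validator.AddTrustedCertificates(trustedCAs);   // trust anchors
        validator.AddKnownCertificates(found);          // intermediates the receipt may include
        validator.CheckCRL = false;                     // offline example; enable revocation
        validator.CheckOCSP = false;                    // checking in production

        // Assumption: the end-entity (signer) certificate is the first extracted one.
        TElX509Certificate signer = found.get_Certificates(0);
        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        validator.Validate(signer, ref validity, ref reason);

        lastValidationMessage = validity == TSBCertificateValidity.cvOk
            ? "signer chains to a trusted CA"
            : "signer NOT trusted (validity=" + validity + ", reason=" + reason + ")";
    }

    private void buttonLoadReceipt_Click(object sender, EventArgs e)
    {
        bool result = as2Receipt.Load(textLoadReceiptFile.Text);
        MessageBox.Show((result ? "Receipt loaded. " : "Warnings while loading. ")
                        + lastValidationMessage, Text);
    }
}
```

A receipt whose signature carries the full chain (IncludeChain on the sending side) will verify without step 1, but step 2 is still needed: a signature that verifies only proves that some key signed the receipt, not that the key belongs to a certificate your CA issued.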
#24356
Posted: 03/28/2013 08:51:39
by John Anderson (Priority Standard support level)
Joined: 03/15/2013
Posts: 24

Yes, I have read the article at https://www.eldos.com/documentation/sbb/documentation/ref_howto_pki_cert_validate.html?sphrase_id=428524 which explains how to validate both TElX509Certificate and TElCustomCertStorage, but I don't see how that applies to the TElASMessageVerifier. I notice you cast the Verifier to a TElASSMIMEMessageVerifier above to get at the CertStorage, but how and when should the Verifier be changed? I already tried adding the CA certificate to storageVerifying, that is the certificate storage of the as2receipt; this causes the Verifier to contain both certificates, but not as a chain. I also tried adding the chain into a pfx file and using that, but the code in buttonCertificateAdd_Click only reads one certificate from the pfx file.

If I wanted to modify buttonCertificateAdd_Click so that it loaded the chain how would that be coded? I can't find an example of doing this anywhere and can't find it in the help/documentation either.
#24357
Posted: 03/28/2013 08:59:36
by Alexander Ionov (EldoS Corp.)

Could you please zip and attach the receipt and the certificate without private key to the ticket? So I'll be able to run the sample and see what's going wrong.


--
Best regards,
Alexander Ionov
#24359
Posted: 03/28/2013 09:12:48
by Eugene Mayevski (EldoS Corp.)

I've moved the original post to the helpdesk, where you can attach the ZIP file.


Sincerely yours
Eugene Mayevski
#24360
Posted: 03/28/2013 09:32:26
by John Anderson (Priority Standard support level)
Joined: 03/15/2013
Posts: 24

Here is a zip with the as2r, the localhost/signing certificate and the JandA CA certificate.

Looking at my code where the Signature is created I have:-
Code
message.Signature.CertStorage = m_signCertStorage;
message.Signature.VerificationOptions |= SBMessages.__Global.voUseLocalCerts;
but I don't remember where I copied this code from and I can't find any documentation for VerificationOptions. Would that be telling the recipient to only consider certificates stored in the LocalMachine store?

Edit: Sorry that's the place where the message.signature is set-up. The receipt has identical code after it has had the message assigned to it.
#24361
Posted: 03/28/2013 10:15:07
by John Anderson (Priority Standard support level)
Joined: 03/15/2013
Posts: 24

Because I mentioned above that I was looking at chains, as an experiment I have added:
Code
receipt.Signature.IncludeChain = true;

to my receipt before it is saved and the problem has gone away.

Can you please explain why IncludeChain is not set true by default? Is it a security issue to include the CA certificate chained to the Signing certificate?
#24362
Posted: 03/28/2013 10:47:19
by Alexander Ionov (EldoS Corp.)

Quote
John Anderson wrote:
I can't find any documentation for VerificationOptions

Here it is


--
Best regards,
Alexander Ionov
#24363
Posted: 03/28/2013 10:59:23
by Ken Ivanov (EldoS Corp.)

Quote
Can you please explain why IncludeChain is not set true by default? Is it a security issue to include the CA certificate chained to the Signing certificate?

There is no general reason to always include complete certificate chains in signatures. A lot of validation environments maintain their own lists of trusted and intermediate certificates and will be able to validate signatures whether or not they contain the complete chains. A different typical case is where the signer has no access to the chain and thus is not able to include it in the signature.
