How do I use a certificate in a custom storage to verify my timestamp

#26070
Posted: 08/09/2013 06:02:29
by Christian Cerny (Standard support level)
Joined: 08/09/2013
Posts: 2

Hi,

we use a custom storage containing 2 or more certificates - the first one is the certificate provided to sign a document / etc., the 2nd to n-th ones are the certificates provided by the timestamping server.

Now, the signing process is fine, but during the verification process we always get the message "invalid timestamp", regardless of whether we use a custom storage or leave it out altogether and only use the signing certificate (the first one from the custom storage).

Included is the code used for signing & verifying.

Code
// Builds the KeyInfo X509 data used for signing: an in-memory storage whose entry 0 is the
// signing certificate, followed by the timestamping server's certificates.
// Returns: KeyInfo data whose Certificate is entry 0 of its own storage.
// NOTE(review): the same loader serves the VERIFY path further down, where no private key is
// needed; if the second Add() argument copies the private key (presumed — confirm against the
// API), a key-less storage would be preferable on the verifying side.
private TElXMLKeyInfoX509Data LoadCertificate()
{
    TElMemoryCertStorage memoryStorage = new TElMemoryCertStorage();

    // ... (cert / tsCert are loaded here; elided in the post)

    // Entry 0 must be the signing certificate — the caller reads it back by index.
    memoryStorage.Add(cert, true);
    memoryStorage.Add(tsCert, true); // Chained CERT of zeitstempel.dfn.de, also tried all 3 CERTS separately

    // Constructor flag kept as in the original; presumably ownership of the certificates — confirm.
    TElXMLKeyInfoX509Data keyInfo = new TElXMLKeyInfoX509Data(true);
    keyInfo.CertStorage = memoryStorage;
    keyInfo.Certificate = keyInfo.CertStorage.get_Certificates(0);

    return keyInfo;
}

// Creates the XAdES-T signer used as the XML signer's XAdES processor: XAdES v1.4.1, a fixed
// signature policy identifier, and an RFC 3161 timestamp request to the DFN TSA.
// SigningCertificate: accepted for the caller's convenience; it is not consumed in this body.
// Returns: a generated signer whose qualifying properties use the "xades" prefix.
private TElXAdESSigner CreateXadesSigner(TElX509Certificate SigningCertificate)
{
    TElXAdESSigner xadesSigner = new TElXAdESSigner();
    xadesSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_4_1;
    xadesSigner.XAdESForm = SBXMLAdES.Unit.XAdES_T;

    // Signature policy identifier given as an OID URN (looks like a placeholder value).
    xadesSigner.PolicyId.SigPolicyId.Identifier = "urn:oid:1.0.0";
    xadesSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtOIDAsURN;

    xadesSigner.TSPClient = BuildTspClient();
    // Presumably a failed timestamp request then fails the signing operation instead of
    // yielding an untimestamped signature — confirm the flag's meaning against the API.
    xadesSigner.IgnoreTimestampFailure = false;

    xadesSigner.SigningTime = DateTime.UtcNow;
    xadesSigner.Generate();

    // Kept after Generate() to match the original call order.
    xadesSigner.QualifyingProperties.XAdESPrefix = "xades";

    return xadesSigner;
}

// Configures the TSP client for http://zeitstempel.dfn.de, hashing with SHA-512.
// The TSA is reached over plain HTTP; the returned token is itself signed, so its trust
// rests on validating the TSA certificate on the verifying side, not on the transport.
private static TElHTTPTSPClient BuildTspClient()
{
    TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
    TElHTTPSClient transport = new TElHTTPSClient();
    tspClient.HTTPClient = transport;
    tspClient.URL = "http://zeitstempel.dfn.de";
    tspClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA512;
    return tspClient;
}

// Creates the shared certificate validator used by the VERIFY path and stores it in the
// certificateValidator field.
// Revocation settings: OCSP is checked, but none of CRL/OCSP/revocation is mandatory, so a
// certificate without reachable revocation data is presumably still accepted — confirm.
// System certificate stores are not consulted; only explicitly added storages count.
private void InitializeCertificateValidator()
{
    TElX509CertificateValidator validator = new TElX509CertificateValidator();

    validator.MandatoryCRLCheck = false;
    validator.MandatoryOCSPCheck = false;
    validator.MandatoryRevocationCheck = false;
    validator.CheckOCSP = true;
    validator.UseSystemStorages = false;

    certificateValidator = validator;
}

// SIGN — builds a detached XML signature over two references and, through the XAdES
// processor, a XAdES-T form carrying a timestamp from the TSA set up in CreateXadesSigner.
// Fragment from the post: '...' marks values supplied elsewhere. Note that LoadCertificate and
// CreateXadesSigner are called here with more arguments than the definitions above show.

TElXMLReferenceList refList = new TElXMLReferenceList();
TElXMLReference reference = new TElXMLReference();
short digestMethod = SBXMLSec.Unit.xdmSHA512;

// First signed reference: SHA-512 digest over caller-supplied bytes.
reference.DigestMethod = digestMethod;
reference.URIStream = ...; // byte[]
reference.URI = ...; // string
refList.Add(reference);

// Second signed reference, same digest method.
reference = new TElXMLReference();
reference.DigestMethod = digestMethod;
reference.URIStream = ...; // byte[]
reference.URI = ...; // string
refList.Add(reference);

TElXMLDOMNode sigNode = null;
TElXMLSigner signer = new TElXMLSigner();

// Detached signature type, canonicalization xcmCanon, signature method RSA/SHA-512.
signer.References = refList;
signer.SignatureType = SBXMLSec.Unit.xstDetached;
signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmCanon;
signer.SignatureMethodType = SBXMLSec.Unit.xmtSig;
signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA512;

TElXMLKeyInfoX509Data x509KeyData = LoadCertificate(web);

signer.KeyData = x509KeyData;

// Entry 0 of the KeyInfo storage is passed as the signing certificate; the processor also
// carries the TSP client used for the timestamp.
signer.XAdESProcessor = CreateXadesSigner(x509KeyData.Certificate, web, useTimestamping);
// NOTE(review): the next line is disabled in the post; presumably this is where the signer's
// certificate chain (storage entries after 0) would be handed to the XAdES processor — confirm.
//signer.XAdESProcessor.SigningCertificates = x509KeyData.CertStorage;

// Digests must be refreshed before the signature value is computed.
signer.UpdateReferencesDigest();
signer.GenerateSignature();

// NOTE(review): signer is not disposed if one of the calls above throws; a using block would cover that.
signer.Save(ref sigNode);
signer.Dispose();

return sigNode;

// VERIFY — loads a detached signature, validates the signer certificate against the custom
// storage, checks the references against caller-supplied data, and finally runs the XAdES
// (timestamp) validation. Fragment from the post: '...' marks elided code.

InitializeCertificateValidator();

TElXMLVerifier Verifier = new TElXMLVerifier();
TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
Verifier.XAdESProcessor = XAdESVerifier;
Verifier.XAdESProcessor.CertificateValidator = certificateValidator;
TElXMLKeyInfoX509Data X509KeyData = LoadCertificate(Web);
// The storage created on the next line is discarded by the assignment after it: customStorage
// simply aliases the KeyInfo storage (signing certificate at entry 0, TSA certificates after it).
TElCustomCertStorage customStorage = new TElMemoryCertStorage();
customStorage = X509KeyData.CertStorage;
/*
for (int i = 1, max = X509KeyData.CertStorage.Count; i < max; i++)
    customStorage.Add(X509KeyData.CertStorage.get_Certificates(i));
*/

// The same storage is registered as both known and trusted. Assuming AddTrustedCertificates
// makes its entries trust anchors, every certificate in it — including the end-entity signing
// certificate — is then trusted directly, and with system storages off nothing else is.
// NOTE(review): if the intent is to pin only the issuing CA and TSA roots, the end-entity
// certificates belong in the known set only — confirm the intended trust model.
certificateValidator.ClearKnownCertificates();
certificateValidator.ClearTrustedCertificates();
certificateValidator.AddKnownCertificates(customStorage);
certificateValidator.AddTrustedCertificates(customStorage);
//Verifier.KeyData = X509KeyData;
certificateValidator.UseSystemStorages = false;
XAdESVerifier.TrustedCertificates = customStorage;

// NOTE(review): DetachedSignature is parsed as-is; if it can come from an untrusted party,
// confirm that the parser does not resolve external entities or DTDs.
TElXMLDOMElement signatureNode = SBXMLUtils.Unit.ParseElementFromXMLString(DetachedSignature, new TElXMLDOMDocument());
Verifier.Load(signatureNode);
// Detached references: the signed data is supplied by the caller rather than resolved from the URI.
Verifier.References[0].URIData = (byte[])Ref1;
Verifier.References[1].URIData = (byte[])Ref2;

bool SigOK = true;
// Certificates are validated at the current time, not at the signing/timestamp time.
DateTime ValidationMoment = DateTime.UtcNow;
TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
int Reason = 0;
// Cryptographic check of the signature value; both failure branches return false.
if (!Verifier.ValidateSignature())
{
    if (!Verifier.KeyDataNeeded)
    {
      // ...
        return false;
    }
    else
    {
      // ...
        return false;
    }

}
if (Verifier.SignerCertificate != null)
{
    // Validates the signer certificate exposed by the verifier, using the storage carried by
    // the signer key data as an additional certificate source. Reason is filled but not reported here.
    certificateValidator.Validate(Verifier.SignerCertificate, ((TElXMLKeyInfoX509Data)Verifier.SignerKeyData).CertStorage, true, false, ValidationMoment, ref Validity, ref Reason);

    // NOTE(review): cvSelfSigned is accepted alongside cvOk. If the validator reports
    // cvSelfSigned for any self-signed certificate rather than only trusted ones, a signature
    // made with an arbitrary self-signed certificate passes this check — confirm the enum's meaning.
    if ((Validity != TSBCertificateValidity.cvSelfSigned) && (Validity != TSBCertificateValidity.cvOk))
        SigOK = false;
}
bool RefValid = Verifier.ValidateReferences();
if (!RefValid && SigOK)
{
    // revalidate references, as user could manually set URI* properties
    if (!Verifier.ValidateReferences())
        SigOK = false;
}
if ((XAdESVerifier != null) && (XAdESVerifier.QualifyingProperties != null))
{
    TSBXAdESValidity XAdESValidity;
    int XAdESReasons = 0;
    XAdESVerifier.ValidationMoment = ValidationMoment;
    // Chain-validation errors on the XAdES (timestamp) certificates are ignored and no network
    // lookups are made; only an xsvInvalid result fails the signature.
    // NOTE(review): with IgnoreChainValidationErrors set, a timestamp token whose TSA certificate
    // does not chain to customStorage is presumably not rejected here — confirm this is intended
    // once the reported "invalid timestamp" failure is resolved.
    XAdESVerifier.IgnoreChainValidationErrors = true;
    XAdESVerifier.OfflineMode = true;
    XAdESValidity = XAdESVerifier.Validate(ref XAdESReasons);
    if (XAdESValidity == TSBXAdESValidity.xsvInvalid)
        SigOK = false;

   ...
}
return SigOK;


Could you point me in the right direction what's wrong?

Thank you in advance.
#26071
Posted: 08/09/2013 06:16:39
by Eugene Mayevski (EldoS Corp.)

Unfortunately, such an error message doesn't give much information about the problem, and maybe the custom certificate storage is not related to the issue itself.

Can you please sign and timestamp some test document and, if it exposes the problem, send it to us (either here or via HelpDesk) for checking?


Sincerely yours
Eugene Mayevski
#26072
Posted: 08/09/2013 06:40:04
by Christian Cerny (Standard support level)
Joined: 08/09/2013
Posts: 2

Hi Eugene,

I've opened a ticket (# 23436) with a signature attached.

Additional information as described in the ticket itself:

Quote
The returned error code is 1048576.

I tried the same using the Signer example from the XMLBlackbox - it works if I import the certificate in the Windows CERT Storage, but not using a custom storage.

Unfortunately, the Windows CERT Store is not a viable option in my scenario.


To me it looks as if the certificate chain is not used to validate the timestamp data.

I'm using the latest beta version (11.0.236).
