EldoS | Feel safer!
How do I use a certificate in a custom storage to verify my timestamp

Posted: 08/09/2013 06:02:29
by Christian Cerny (Standard support level)
Joined: 08/09/2013
Posts: 2


We use a custom storage containing 2 or more certificates: the first one is the certificate provided to sign a document etc., the 2nd to n-th ones are the certificates provided by the timestamping server.

Now, the signing process is fine, but during the verification process we always get the message "invalid timestamp", regardless of whether we use a custom storage or keep it out altogether and only use the signing certificate (the first one from the custom storage).

Included is the code used for signing & verifying.

private TElXMLKeyInfoX509Data LoadCertificate()
{
    TElXMLKeyInfoX509Data x509KeyData = new TElXMLKeyInfoX509Data(true);
    TElCustomCertStorage storage = new TElMemoryCertStorage();

    // ... (cert and tsCert are loaded here; omitted in this extract)

    storage.Add(cert, true);
    storage.Add(tsCert, true); // Chained CERT of zeitstempel.dfn.de, also tried all 3 CERTS separately

    x509KeyData.CertStorage = storage;
    // The signing certificate is the first one in the storage
    x509KeyData.Certificate = x509KeyData.CertStorage.get_Certificates(0);

    return x509KeyData;
}

private TElXAdESSigner CreateXadesSigner(TElX509Certificate SigningCertificate)
{
    TElXAdESSigner XAdESSigner = new TElXAdESSigner();

    XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_4_1;
    XAdESSigner.XAdESForm = SBXMLAdES.Unit.XAdES_T; // XAdES-T: a signature timestamp is required

    XAdESSigner.PolicyId.SigPolicyId.Identifier = "urn:oid:1.0.0";
    XAdESSigner.PolicyId.SigPolicyId.IdentifierQualifier = SBXMLAdES.Unit.xqtOIDAsURN;

    // TSP client used to obtain the signature timestamp
    TElHTTPTSPClient TSPClient = new TElHTTPTSPClient();
    TElHTTPSClient HTTPClient = new TElHTTPSClient();
    TSPClient.HTTPClient = HTTPClient;
    TSPClient.URL = "http://zeitstempel.dfn.de";
    TSPClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA512;

    XAdESSigner.TSPClient = TSPClient;
    XAdESSigner.IgnoreTimestampFailure = false; // a failed timestamp request fails the signing

    XAdESSigner.SigningTime = DateTime.UtcNow;
    XAdESSigner.QualifyingProperties.XAdESPrefix = "xades";

    return XAdESSigner;
}

private TElX509CertificateValidator certificateValidator;

private void InitializeCertificateValidator()
{
    certificateValidator = new TElX509CertificateValidator();
    certificateValidator.MandatoryCRLCheck = false;
    certificateValidator.MandatoryOCSPCheck = false;
    certificateValidator.MandatoryRevocationCheck = false;
    certificateValidator.CheckOCSP = true;

    certificateValidator.UseSystemStorages = false; // only the custom storage is used
}

// Signing routine (the method name is a placeholder; the original extract shows only the body)
private TElXMLDOMNode CreateDetachedSignature()
{
    TElXMLReferenceList refList = new TElXMLReferenceList();
    TElXMLReference reference = new TElXMLReference();
    short digestMethod = SBXMLSec.Unit.xdmSHA512;

    reference.DigestMethod = digestMethod;
    reference.URIStream = ...; // byte[]
    reference.URI = ...; // string
    refList.Add(reference); // the reference has to be added, otherwise the signature covers no data

    reference = new TElXMLReference();
    reference.DigestMethod = digestMethod;
    reference.URIStream = ...; // byte[]
    reference.URI = ...; // string
    refList.Add(reference);

    TElXMLDOMNode sigNode = null;
    TElXMLSigner signer = new TElXMLSigner();

    signer.References = refList;
    signer.SignatureType = SBXMLSec.Unit.xstDetached;
    signer.CanonicalizationMethod = SBXMLDefs.Unit.xcmCanon;
    signer.SignatureMethodType = SBXMLSec.Unit.xmtSig;
    signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA512;

    // Application-specific arguments (web, useTimestamping) are omitted in this extract
    TElXMLKeyInfoX509Data x509KeyData = LoadCertificate();

    signer.KeyData = x509KeyData;

    signer.XAdESProcessor = CreateXadesSigner(x509KeyData.Certificate);
    //signer.XAdESProcessor.SigningCertificates = x509KeyData.CertStorage;

    signer.Save(ref sigNode);

    return sigNode;
}



// Verification routine (the method name and parameters are placeholders; the original extract shows only the body)
private bool VerifyDetachedSignature(string DetachedSignature, byte[] Ref1, byte[] Ref2)
{
    TElXMLVerifier Verifier = new TElXMLVerifier();
    TElXAdESVerifier XAdESVerifier = new TElXAdESVerifier();
    Verifier.XAdESProcessor = XAdESVerifier;
    Verifier.XAdESProcessor.CertificateValidator = certificateValidator;

    // The same custom storage (signing certificate first, then the TSA chain) is used as trusted storage
    TElXMLKeyInfoX509Data X509KeyData = LoadCertificate();
    TElCustomCertStorage customStorage = X509KeyData.CertStorage;
    for (int i = 1, max = X509KeyData.CertStorage.Count; i < max; i++)
    {
        // ...
    }

    //Verifier.KeyData = X509KeyData;
    certificateValidator.UseSystemStorages = false;
    XAdESVerifier.TrustedCertificates = customStorage;

    TElXMLDOMElement signatureNode = SBXMLUtils.Unit.ParseElementFromXMLString(DetachedSignature, new TElXMLDOMDocument());
    Verifier.Load(signatureNode); // assumed to have been elided from the extract; References exist only after loading
    Verifier.References[0].URIData = (byte[])Ref1;
    Verifier.References[1].URIData = (byte[])Ref2;

    bool SigOK = true;
    DateTime ValidationMoment = DateTime.UtcNow;
    TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
    int Reason = 0;

    if (!Verifier.ValidateSignature())
    {
        if (!Verifier.KeyDataNeeded) // key data was present, so the signature itself did not verify
        {
            // ...
            return false;
        }
        // ...
        return false;
    }

    if (Verifier.SignerCertificate != null)
    {
        certificateValidator.Validate(Verifier.SignerCertificate, ((TElXMLKeyInfoX509Data)Verifier.SignerKeyData).CertStorage, true, false, ValidationMoment, ref Validity, ref Reason);

        if ((Validity != TSBCertificateValidity.cvSelfSigned) && (Validity != TSBCertificateValidity.cvOk))
            SigOK = false;
    }

    bool RefValid = Verifier.ValidateReferences();
    if (!RefValid && SigOK)
    {
        // revalidate references, as user could manually set URI* properties
        if (!Verifier.ValidateReferences())
            SigOK = false;
    }

    if ((XAdESVerifier != null) && (XAdESVerifier.QualifyingProperties != null))
    {
        TSBXAdESValidity XAdESValidity;
        int XAdESReasons = 0;
        XAdESVerifier.ValidationMoment = ValidationMoment;
        XAdESVerifier.IgnoreChainValidationErrors = true;
        XAdESVerifier.OfflineMode = true;
        XAdESValidity = XAdESVerifier.Validate(ref XAdESReasons);
        if (XAdESValidity == TSBXAdESValidity.xsvInvalid)
            SigOK = false;
    }

    return SigOK;
}

Could you point me in the right direction as to what's wrong?

Thank you in advance.
Posted: 08/09/2013 06:16:39
by Eugene Mayevski (Team)

Unfortunately such an error message doesn't give much information about the problem, and maybe the custom certificate storage is not related to the issue itself.

Can you please sign and timestamp some test document and, if it exposes the problem, send it to us (either here or via HelpDesk) for checking?

Sincerely yours
Eugene Mayevski
Posted: 08/09/2013 06:40:04
by Christian Cerny (Standard support level)
Joined: 08/09/2013
Posts: 2

Hi Eugene,

I've opened a ticket (# 23436) with a signature attached.

Additional information as described in the ticket itself:

The returned error code is 1048576.

I tried the same using the Signer example from XMLBlackbox: it works if I import the certificate into the Windows CERT Storage, but not when using a custom storage.

Unfortunately, the Windows CERT Store is not a viable option to use in my scenario.

To me it looks as if the certificate chain is not used to validate the timestamp data.

I'm using the latest beta version (11.0.236).
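An added example (not the poster's code and not EldoS sample code) that validates the TSA chain on its own with the same validator type the verification code uses, so a chain-trust failure can be told apart from a failure of the timestamp token itself. It assumes tsaChain is filled the way LoadCertificate() fills its storage (TSA signing certificate first, then its issuers), and that AddTrustedCertificate, AddKnownCertificate, CheckCRL and SelfSigned are the SecureBlackbox members of those names.

```csharp
// Added example, not the poster's or EldoS's code. Assumed members:
// TElX509CertificateValidator.AddTrustedCertificate/AddKnownCertificate/CheckCRL
// and TElX509Certificate.SelfSigned. tsaChain: TSA signing certificate at index 0.
private static bool TsaChainIsTrusted(TElCustomCertStorage tsaChain, DateTime validationMoment,
                                      out TSBCertificateValidity validity, out int reason)
{
    TElX509CertificateValidator validator = new TElX509CertificateValidator();
    validator.UseSystemStorages = false;        // custom storage only, as in the question
    validator.CheckCRL = false;                 // offline check; revocation is decided separately
    validator.CheckOCSP = false;
    validator.MandatoryRevocationCheck = false;

    // Only self-signed certificates become trust anchors; the others are "known"
    // certificates the validator may use to build a path up to an anchor.
    for (int i = 0; i < tsaChain.Count; i++)
    {
        TElX509Certificate c = tsaChain.get_Certificates(i);
        if (c.SelfSigned)
            validator.AddTrustedCertificate(c);
        else
            validator.AddKnownCertificate(c);
    }

    validity = TSBCertificateValidity.cvInvalid;
    reason = 0;
    // Same Validate() call as in the verification routine, applied to the TSA
    // signing certificate instead of the document signer's certificate.
    validator.Validate(tsaChain.get_Certificates(0), tsaChain, true, false,
                       validationMoment, ref validity, ref reason);

    // The verification routine accepts cvSelfSigned for the document signer; for a
    // TSA chain only a complete path to an anchor (cvOk) should count as trusted.
    return validity == TSBCertificateValidity.cvOk;
}

// Run the chain check before the XAdES check and keep the reason flags for diagnosis.
private static void ReportTsaChain(TElCustomCertStorage tsaChain)
{
    TSBCertificateValidity tsaValidity;
    int tsaReason;
    if (TsaChainIsTrusted(tsaChain, DateTime.UtcNow, out tsaValidity, out tsaReason))
        Console.WriteLine("TSA chain validates against the custom storage");
    else
        Console.WriteLine("TSA chain not trusted: validity={0} reason flags={1}", tsaValidity, tsaReason);
}
```

If this check already fails, the "invalid timestamp" result is expected and the storage contents (missing issuer or root) are the first thing to inspect; if it passes, the problem lies in the timestamp token or in how the XAdES verifier is wired to the validator.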


