Validation of CRL's signature failed

#27370
Posted: 11/25/2013 09:58:36
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

Hello,

I am proceeding with signature validation using your "Validation of certificates in SecureBlackbox (mini-FAQ)." I have implemented all the events raised during validation with debugging outputs, as you recommend.

But when validating the CRL's signature I get the "SB_VALIDATOR_CRL_ERROR_VALIDATION_FAILED 1001" error in the OnCRLError event.

But when I validate the CRL signature manually in the OnCRLRetrieved event using
Code
int crlValidationResponse = CRL.Validate(CACertificate);
it returns return code 0, which means the certificate is valid.

It happens with two different trusted signature certificates from different CA authorities.

I need to validate the whole certificate tree in a production environment. Could you point me in the right direction, please?
#27371
Posted: 11/25/2013 10:16:28
by Ken Ivanov (EldoS Corp.)

Hello Petr,

Thank you for contacting us.

CRL.Validate() only validates the integrity of the CRL by ensuring that its digital signature is correct. The validator component performs a deeper validation, by trying to build a chain of trust from the certificate that was used to issue the CRL up to the root certificate. If the validator fails to build this chain, the CRL is considered not validated and, consequently, not trusted.

A typical reason for chain validation issues is unavailability of one or more certificates from the chain, or absence of the root certificate in the trusted list. Please create a validation trace as explained here to find out which exactly element can't be found.
#27372
Posted: 11/25/2013 10:23:11
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

I have changed the certificate text to be more readable, but the result is this:

Starting certificate validation: Petr Kykal / PostSignum Qualified CA 2
Will be retrieving CRL response for certificate: Petr Kykal / PostSignum Qualified CA 2, location: http://www.postsignum.cz/crl/psqualifiedca2.crl
Retrieved CRL for certificate: Petr Kykal / PostSignum Qualified CA 2, location: http://www.postsignum.cz/crl/psqualifiedca2.crl
Starting certificate validation: PostSignum Qualified CA 2 / PostSignum Root QCA 2
Will be retrieving CRL response for certificate: PostSignum Qualified CA 2 / PostSignum Root QCA 2, location: http://www.postsignum.cz/crl/psrootqca2.crl
Retrieved CRL for certificate: PostSignum Qualified CA 2 / PostSignum Root QCA 2, location: http://www.postsignum.cz/crl/psrootqca2.crl
Starting certificate validation: PostSignum Root QCA 2 / PostSignum Root QCA 2
Successfully used CRL for certificate: PostSignum Root QCA 2 / PostSignum Root QCA 2
Successfully used CRL for certificate: PostSignum Root QCA 2 / PostSignum Root QCA 2
Successfully used CRL for certificate: PostSignum Root QCA 2 / PostSignum Root QCA 2
Certificate validation completed for certificate: PostSignum Root QCA 2 / PostSignum Root QCA 2. Validity: cvSelfSigned, Reason: 0
Encountered CRL error when validating certificate: PostSignum Qualified CA 2 / PostSignum Root QCA 2, location: http://www.postsignum.cz/crl/psrootqca2.crl, error: 1001
Certificate validation completed for certificate: PostSignum Qualified CA 2 / PostSignum Root QCA 2. Validity: cvInvalid, Reason: 128
Encountered CRL error when validating certificate: Petr Kykal / PostSignum Qualified CA 2, location: http://www.postsignum.cz/crl/psqualifiedca2.crl, error: 1001
Certificate validation completed for certificate: Petr Kykal / PostSignum Qualified CA 2. Validity: cvInvalid, Reason: 128
#27374
Posted: 11/25/2013 11:23:07
by Ken Ivanov (EldoS Corp.)

Quote
Certificate validation completed for certificate: PostSignum Root QCA 2 / PostSignum Root QCA 2. Validity: cvSelfSigned, Reason: 0

The line above indicates that the validator was unable to establish trust for a certificate that was used to sign the CRL (namely, 'PostSignum Root QCA'). In order for the CRL to be validated correctly, the relevant certificate should be explicitly trusted by the verifier. Either it should reside in the Trusted Root Certification Authorities system store, or it should be added to the validator's trusted certificate list with the AddTrustedCertificates() method.
#27381
Posted: 11/25/2013 23:25:46
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

PostSignum Root QCA 2 and Postsignum Root QCA are both root certs of a trusted CA, and I have them among the trusted certs in the Windows storage, which is loaded. I suppose that result 0 and cvSelfSigned should be OK for trusted root certs.

The problem is with the CRL's signature. But the CRLs contain the same chain as my signature, with the same root cert. I will try to put the root cert explicitly among the trusted ones in order to be sure.
#27382
Posted: 11/26/2013 01:03:54
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

You are right as always :-)

I supposed that
Code
CertValidator.UseSystemStorages = true;
CertValidator.InitializeWinStorages();
should be enough.

But only if I use
Code
TElWinCertStorage wCertStorage = new TElWinCertStorage();
wCertStorage.SystemStores.Add("CA");
CertValidator.AddTrustedCertificates(wCertStorage);
the result is valid.

Is this approach OK, or should I do it a better way?
#27383
Posted: 11/26/2013 01:06:09
by Eugene Mayevski (EldoS Corp.)

Your approach is wrong. In your code you trust the certificates in the CA storage, but this is not correct. Only the ROOT storage may be explicitly trusted (and this is what our validator's code does). If some root certificate for whatever reason appeared in your CA storage, this can happen only because you imported it there by hand. In this case you need to re-import it into the ROOT storage.


Sincerely yours
Eugene Mayevski
#27385
Posted: 11/26/2013 02:29:24
by Petr Kykal (Standard support level)
Joined: 04/10/2013
Posts: 18

I have changed the code to wCertStorage.SystemStores.Add("ROOT"); and everything is all right. Signatures from trusted CAs are valid and signatures from DEMO CAs are invalid.

Thank you for assistance again.
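The distinction drawn in Ken's reply (CRL.Validate() checks only the CRL's signature, while the validator also requires a chain from the CRL issuer to an explicitly trusted root) and Eugene's point that only the ROOT store may act as that trust list, as an added Python example that is neither SecureBlackbox code nor code from this thread. It assumes the `cryptography` package is installed, builds constructed test certificates, and models the trusted list as a plain list of certificates.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID
NOW = datetime.datetime(2013, 11, 25, tzinfo=datetime.timezone.utc)  # constructed clock

def make_ca_cert(common_name, issuer_cert=None, issuer_key=None):  # self-signed when no issuer
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def make_crl(issuer_cert, issuer_key):  # an empty CRL signed by the given CA
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
            .last_update(NOW).next_update(NOW + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

def crl_signature_ok(crl, issuer_cert):
    """What CRL.Validate(CACertificate) checks: signature integrity only."""
    return crl.is_signature_valid(issuer_cert.public_key())

def signed_by(cert, candidate_issuer):
    try:  # RSA PKCS#1 v1.5, the padding CertificateBuilder uses for RSA keys
        candidate_issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                             padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False

def crl_trusted(crl, current, available_certs, trust_anchors):
    """What the validator checks: the CRL's signature by `current` is correct AND `current`
    chains, through available_certs, to a certificate explicitly in trust_anchors (ROOT)."""
    if not crl_signature_ok(crl, current):
        return False
    for _ in range(len(available_certs) + 1):  # bounded walk up the chain
        if current in trust_anchors:
            return True
        if current.issuer == current.subject:
            return False  # self-signed root that nobody declared trusted
        parents = [c for c in available_certs
                   if c.subject == current.issuer and signed_by(current, c)]
        if not parents:
            return False  # a certificate from the chain is unavailable
        current = parents[0]
    return False
```

With the root merely present (as in the Windows CA store) the walk reaches a self-signed certificate that is not an anchor and fails, which is the situation behind error 1001 in the trace above; listing the root as an anchor makes the same CRL pass.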