PDF Signing + PDF Validation

#29507
Posted: 05/21/2014 05:02:39
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

I'm using your PDF BlackBox Samples for digital signatures.
I'm using the PDFBlackBox/Desktop/Signer (C#) to sign and using the PDFBlackBox/Desktop/Processor to verify the signature.

I perform my digital signature with a storage certificate. That certificate is from my Smart Card (an electronic Portuguese ID card).
When I perform the signature it requests my private key card PIN and it signs perfectly. When I verify the document it always says that my document is signed by a Certificate that is NOT valid. That can't be true, because my certificate is a trusted and signed one.

Every time I try to verify this I can't validate the signatures. I don't understand why.
My digital certificate works with PKCS11 and I'm using your newest 12th version (the same happens with the 11th one).

Any idea why this happens?
Thank you.
#29508
Posted: 05/21/2014 05:06:13
by Eugene Mayevski (EldoS Corp.)

Certificate validation is a complex procedure. Is it the *signature* OR *certificate* which is not valid? The signature might be ok but certificate validation would fail - that's possible.


Sincerely yours
Eugene Mayevski
#29509
Posted: 05/21/2014 05:13:26
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

The message that your Processor sample provides me is that the certificate is not valid.. I could cut this step of certificate validation.. Anyway how can the certificate not be valid? It is a valid one.. I'm sure of that.. How can I make it only to verify the signature?
#29510
Posted: 05/21/2014 05:17:56
by Vsevolod Ievgiienko (EldoS Corp.)

The certificate is validated using TElX509CertificateValidator. Please refer to the article for details: https://www.eldos.com/security/articles/7545.php
#29511
Posted: 05/21/2014 05:26:07
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

I'm not sure in what step it fails, but is there any way to validate only the signature, without validating the certificate?
#29512
Posted: 05/21/2014 05:28:31
by Vsevolod Ievgiienko (EldoS Corp.)

Yes, you can simply skip the TElX509CertificateValidator related steps in the sample and just call TElPDFSignature.Validate for each signature in the document.
#29513
Posted: 05/21/2014 05:28:52
by Eugene Mayevski (EldoS Corp.)

Validation of the signature alone doesn't provide any security. You must validate the certificates as well.

Also, you have the source code of the sample. Study it. Without studying the code and understanding what it does you won't accomplish your tasks.


Sincerely yours
Eugene Mayevski
#29514
Posted: 05/21/2014 05:38:17
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Okok. I just don't understand why my electronic ID card certificate is not a valid one.. It seems really strange.

By the way, your newest 12th version in the office black box:

Code
SBOfficeSecurity.Unit.Initialize();

TElOfficeDocument officedocument = new TElOfficeDocument();

try
{
    officedocument.Open(document, false); // false: do not open read-only
}
catch (Exception)
{
    Console.WriteLine("Document not loaded!");
    return false;
}


It fails in the .Open method.
An ArgumentException is thrown: "aObject is nil in call to SetLength".
#29515
Posted: 05/21/2014 05:43:44
by Eugene Mayevski (EldoS Corp.)

I've moved the Office-related part to HelpDesk for investigation.

As for certificate validation - seems that you have not yet read the article that Vsevolod recommended. This article answers your questions. If you have difficulties understanding it, we recommend a couple of great books about security and PKI in particular. They will explain everything to you. Explanation of how certificate chain validation works is beyond the scope of technical support (especially Basic level).


Sincerely yours
Eugene Mayevski
#29574
Posted: 05/26/2014 11:51:58
by glinttgs sousa (Basic support level)
Joined: 02/27/2014
Posts: 51

Apologies for bothering you again.

I'm trying to validate first the signatures, skipping the certificate validations part for now.

I already signed the attached document and my TElPDFPublicKeySecurityHandler has this setSignatureType(TSBPDFPublicKeySignatureType.pstX509RSASHA1); property.

I'm using the following C# code to validate the PDF signature (totally based on your PDF Processor Sample), but it always ends up in "The selected signature is signed by certificate that is NOT VALID".

Code

public bool PDFValidation(string document)
{
    LoadAPILicenseKey11V();

    TElPDFPublicKeySecurityHandler SecHandler = new TElPDFPublicKeySecurityHandler();
    int i, j, k, idx;
    TElPKCS7Issuer CertID;
    TElCertificateLookup Lookup = new TElCertificateLookup();
    TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
    int Reason = 0;
    TElMemoryCRLStorage TempCRLStorage;
    TElOCSPResponse TempResponse;
    DateTime ValidityTime = DateTime.Now;
    bool TSSet = false;
    TElX509Certificate Cert;

    TElPDFDocument doc = new TElPDFDocument();

    FileStream fstream;
    TElX509CertificateValidator CertificateValidator = new TElX509CertificateValidator();

    // The trailing comments record the values the original Processor sample uses.
    CertificateValidator.CheckCRL = false; //true
    CertificateValidator.CheckOCSP = false; //true
    CertificateValidator.CheckValidityPeriodForTrusted = true; //true
    CertificateValidator.IgnoreCAKeyUsage = true; //false
    CertificateValidator.IgnoreSystemTrust = false; //false
    CertificateValidator.MandatoryCRLCheck = false; //true
    CertificateValidator.MandatoryOCSPCheck = false; //true
    CertificateValidator.Tag = null; //null
    CertificateValidator.UseSystemStorages = true; //true
    CertificateValidator.ValidateInvalidCertificates = true; //false

    SecHandler.SignatureType = TSBPDFPublicKeySignatureType.pstX509RSASHA1;
    // enum TSBPDFPublicKeySignatureType { pstX509RSASHA1 = 0, pstPKCS7SHA1 = 1 };

    SecHandler.CertStorage = LoadCertificateFromSystemStoragePDF();

    SecHandler.CustomName = "Adobe.PPKMS";

    try
    {
        fstream = new FileStream(document, FileMode.Open, FileAccess.ReadWrite);
    }
    catch (Exception)
    {
        Console.WriteLine("This document is being used by another process");
        return false;
    }

    try
    {
        doc.Open(fstream);
    }
    catch (Exception)
    {
        Console.WriteLine("Invalid PDF file");
        return false;
    }

    for (int u = 0; u < doc.SignatureCount; u++)
    {
        // Added: start every signature from "invalid" so a result from the previous
        // signature cannot be carried over into this one.
        Validity = TSBCertificateValidity.cvInvalid;
        Reason = 0;

        TElPDFSignature sig = (TElPDFSignature)doc.get_Signatures(u);
        if (sig.Validate(true))
        {
            if (!sig.IsDocumentSigned())
            {
                Console.WriteLine("The selected signature does not cover the entire document");
                return false;
            }

            if (sig.Handler is TElPDFPublicKeySecurityHandler)
            {
                SecHandler = (TElPDFPublicKeySecurityHandler)sig.Handler;

                // Locate the signer certificate through the CertID stored in the signature.
                for (j = 0; j < SecHandler.CertIDCount; j++)
                {
                    CertID = SecHandler.get_CertIDs(j);

                    Lookup.Criteria = 0;
                    Lookup.Options = 0;

                    if (CertID.IssuerType == TSBPKCS7IssuerType.itSubjectKeyIdentifier)
                    {
                        Lookup.SubjectKeyIdentifier = CertID.SubjectKeyIdentifier;
                        Lookup.Criteria = SBCustomCertStorage.Unit.lcSubjectKeyIdentifier;
                    }
                    else
                    {
                        Lookup.IssuerRDN.Assign(CertID.Issuer);
                        Lookup.SerialNumber = CertID.SerialNumber;
                        Lookup.Criteria = SBCustomCertStorage.Unit.lcIssuer | SBCustomCertStorage.Unit.lcSerialNumber;
                    }
                    idx = SecHandler.Certificates.FindFirst(Lookup);
                    if (idx != -1)
                    {
                        CertificateValidator.ClearTrustedCertificates();
                        CertificateValidator.ClearBlockedCertificates();
                        CertificateValidator.ClearKnownCertificates();
                        CertificateValidator.ClearKnownCRLs();
                        CertificateValidator.ClearKnownOCSPResponses();

                        // Feed the validator the chain and revocation data embedded in the signature.
                        CertificateValidator.AddKnownCertificates(SecHandler.Certificates);

                        TempCRLStorage = new TElMemoryCRLStorage();

                        for (k = 0; k < SecHandler.RevocationInfo.CRLCount; k++)
                            TempCRLStorage.Add(SecHandler.RevocationInfo.get_CRLs(k));

                        CertificateValidator.AddKnownCRLs(TempCRLStorage);

                        TempResponse = new TElOCSPResponse();
                        for (k = 0; k < SecHandler.RevocationInfo.OCSPResponseCount; k++)
                        {
                            TempResponse.Load(SecHandler.RevocationInfo.get_OCSPResponses(k), 0, SecHandler.RevocationInfo.get_OCSPResponses(k).Length);
                            CertificateValidator.AddKnownOCSPResponses(TempResponse);
                        }

                        // If a timestamp is present and its signer validates, use the timestamp time as the validity moment.
                        if (SecHandler.TimestampCount > 0)
                        {
                            Cert = SecHandler.get_Timestamps(0).GetSignerCertificate();
                            if (Cert != null)
                            {
                                // For proper CRL and OCSP validation please read instructions in
                                // description of ElX509CertificateValidator class in the help file
                                CertificateValidator.Validate(Cert, SecHandler.get_Timestamps(0).Certificates, false, false, SecHandler.get_Timestamps(0).Time, ref Validity, ref Reason);
                            }
                            else
                                Validity = TSBCertificateValidity.cvOk;

                            if (Validity == TSBCertificateValidity.cvOk)
                            {
                                ValidityTime = SecHandler.get_Timestamps(0).Time;
                                TSSet = true;
                            }
                            else
                                ValidityTime = DateTime.Now;
                        }
                        else
                            ValidityTime = DateTime.Now;

                        CertificateValidator.Validate(SecHandler.Certificates.get_Certificates(idx), null, false, false, ValidityTime, ref Validity, ref Reason);
                        if (Validity != TSBCertificateValidity.cvOk)
                            break;
                    }
                }
                if (Validity == TSBCertificateValidity.cvOk)
                {
                    Console.WriteLine("The selected signature is VALID");
                    /*  if (TSSet)
                          lTimestamp.Text = "Timestamp: " + ValidityTime.ToString() + "(TSA)";*/
                    // Added: no early return here, so every signature in the document gets checked
                    // before the method reports success.
                }
                else if (Validity == TSBCertificateValidity.cvSelfSigned)
                {
                    Console.WriteLine("The selected signature is signed by self-signed certificate which was not previously trusted");
                    /*  if (TSSet)
                          lTimestamp.Text = "Timestamp: " + ValidityTime.ToString() + "(TSA)";*/
                    // Added: without this return the code fell through and the method returned true below.
                    return false;
                }
                else
                {
                    Console.WriteLine("The selected signature is signed by certificate that is NOT VALID");
                    return false;
                }
            }
        }
        else
        {
            Console.WriteLine("The selected signature is NOT VALID");
            return false;
        }
    }

    return true;
}


What am I doing wrong on the TElX509CertificateValidator properties?
By the way, is the PDF well signed?

P.S. I can't send you the PDF file.. It's too large.. How can I get you the file?
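An added example (mine, not code from this thread or from EldoS) covering the two points the posts above leave open: Eugene's remark that a signature check without certificate validation gives no security, and the question about the TElX509CertificateValidator properties. It sets the validator to the values the Processor sample itself uses (the ones the posted code records in its trailing comments), lets a missing eID root be trusted explicitly instead of loosening the checks, and decodes the Reason bitmask that the posted code ignores, so a failure reports its cause. Assumed and to be checked against the SecureBlackbox 12 help file: the namespace names, AddTrustedCertificates, and the SBX509.Unit.vr* constant names. The embedded CRLs and OCSP responses (the RevocationInfo loop in the posted code) still need to be fed to the validator alongside this.

```csharp
// Added example; not code from this thread or from EldoS. Assumed and to be checked
// against the SecureBlackbox 12 help file: the namespace names below,
// AddTrustedCertificates, and the SBX509.Unit.vr* reason constant names.
using System;
using System.Collections.Generic;
using SBX509;
using SBCustomCertStorage;
using SBCertValidator;
using SBPDFSecurity;

public static class StrictSignerCheck
{
    // Validator configured so that "VALID" means the signer's chain was really checked.
    // Each marked property is set the opposite way in the posted code; that hides the
    // failing check instead of revealing it.
    public static TElX509CertificateValidator CreateValidator(TElCustomCertStorage trustedRoots)
    {
        TElX509CertificateValidator v = new TElX509CertificateValidator();
        v.CheckCRL = true;                      // posted code: false
        v.CheckOCSP = true;                     // posted code: false
        v.MandatoryCRLCheck = true;             // posted code: false
        v.MandatoryOCSPCheck = true;            // posted code: false
        v.IgnoreCAKeyUsage = false;             // posted code: true
        v.ValidateInvalidCertificates = false;  // posted code: true
        v.CheckValidityPeriodForTrusted = true;
        v.UseSystemStorages = true;
        v.IgnoreSystemTrust = false;
        // If the eID root is missing from the system store, trust it explicitly
        // (trustedRoots: a storage holding only root certificates) rather than loosening checks.
        if (trustedRoots != null)
            v.AddTrustedCertificates(trustedRoots);
        return v;
    }

    // Reason is a bitmask of vr* flags; decoding it answers "why is it not valid?".
    private static readonly Dictionary<int, string> ReasonText = new Dictionary<int, string>
    {
        { SBX509.Unit.vrBadData,          "malformed certificate data" },
        { SBX509.Unit.vrRevoked,          "certificate revoked" },
        { SBX509.Unit.vrNotYetValid,      "not yet valid at the validity moment" },
        { SBX509.Unit.vrExpired,          "expired at the validity moment" },
        { SBX509.Unit.vrInvalidSignature, "certificate signature fails against its issuer" },
        { SBX509.Unit.vrUnknownCA,        "issuer neither trusted nor among the known certificates" },
        { SBX509.Unit.vrCAUnauthorized,   "issuer not permitted to issue certificates" },
        { SBX509.Unit.vrCRLNotVerified,   "CRL unavailable or unverifiable" },
        { SBX509.Unit.vrOCSPNotVerified,  "OCSP response unavailable or unverifiable" },
        { SBX509.Unit.vrNoKeyUsage,       "key usage does not allow this operation" },
        { SBX509.Unit.vrBlocked,          "certificate explicitly blocked" },
    };

    public static string DescribeReason(int reason)
    {
        List<string> parts = new List<string>();
        foreach (KeyValuePair<int, string> kv in ReasonText)
            if ((reason & kv.Key) != 0) parts.Add(kv.Value);
        return parts.Count == 0 ? "no reason flags set" : string.Join("; ", parts.ToArray());
    }

    // Validate one signer certificate (the one the sample finds through the CertID
    // lookup) against the chain embedded in the signature. Returns true only for cvOk
    // and always fills verdict, so a failure is reported together with its cause.
    public static bool ValidateSigner(TElX509CertificateValidator validator,
                                      TElPDFPublicKeySecurityHandler handler,
                                      TElX509Certificate signer,
                                      DateTime validityMoment,
                                      out string verdict)
    {
        // Chain candidates come from the signature; trust comes only from the system
        // store and the roots given to CreateValidator, never from the document itself.
        validator.ClearKnownCertificates();
        validator.AddKnownCertificates(handler.Certificates);

        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        validator.Validate(signer, null, false, false, validityMoment, ref validity, ref reason);

        if (validity == TSBCertificateValidity.cvOk)
        {
            verdict = "signer certificate chain is valid";
            return true;
        }
        // cvSelfSigned lands here too: an untrusted self-signed signer is a failure,
        // not a special case to fall through.
        verdict = string.Format("signer certificate {0}: {1}", validity, DescribeReason(reason));
        return false;
    }
}
```

In the posted PDFValidation, ValidateSigner replaces the final CertificateValidator.Validate call: pass the certificate found by `SecHandler.Certificates.get_Certificates(idx)`, the security handler, and ValidityTime, and print the verdict string on failure. The decoded reason is what tells you whether the eID chain is failing on trust (vrUnknownCA), on revocation checking (vrCRLNotVerified, vrOCSPNotVerified) or on something else, which is the question this thread never gets to.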