EldoS | Feel safer!

Chain validation failed when IgnoreChainValidationErrors is false

#35311
Posted: 12/28/2015 10:41:22
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello
I have a problem signing a PDF document when IgnoreChainValidationErrors is set to false. Here is the code:
Code
static void SignPDF(string filePath, string certificateCommonName)
{
    // Sign a copy of the input file so the original is left untouched
    string newFilePath = Path.Combine(Path.GetDirectoryName(filePath), "TestSigned.pdf");
    File.Copy(filePath, newFilePath, true);

    // Initialize SB utilities, register necessary factories
    SBPDF.Unit.Initialize();
    SBPDFSecurity.Unit.Initialize();
    SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
    SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();
    SBLDAPCertRetriever.Unit.RegisterLDAPCertificateRetrieverFactory();
    SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();
    SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();

    using (SBPDF.TElPDFDocument Document = new SBPDF.TElPDFDocument())
    {
        using (FileStream stream = new FileStream(newFilePath, FileMode.Open, FileAccess.ReadWrite))
        {
            Document.Open(stream);

            // Add an invisible signature to the document
            int signatureIndex = Document.AddSignature();
            SBPDF.TElPDFSignature sig = Document.get_Signatures(signatureIndex);

            sig.SigningTime = DateTime.UtcNow;
            sig.Invisible = true;

            using (SBPAdES.TElPDFAdvancedPublicKeySecurityHandler handler = new SBPAdES.TElPDFAdvancedPublicKeySecurityHandler())
            using (SBCustomCertStorage.TElMemoryCertStorage certStorage = new SBCustomCertStorage.TElMemoryCertStorage())
            using (SBWinCertStorage.TElWinCertStorage systemStore = new SBWinCertStorage.TElWinCertStorage())
            {
                handler.IgnoreChainValidationErrors = false;

                sig.Handler = handler;

                // Look up certificates in the Windows personal, intermediate CA and root stores
                systemStore.SystemStores.BeginUpdate();
                try
                {
                    systemStore.SystemStores.Clear();
                    systemStore.SystemStores.Add("MY");
                    systemStore.SystemStores.Add("CA");
                    systemStore.SystemStores.Add("Root");
                }
                finally
                {
                    systemStore.SystemStores.EndUpdate();
                }

                // Collect the signing certificate and its issuer chain into an in-memory storage
                SBX509.TElX509Certificate cert;
                certStorage.Clear();
                for (int i = 0; i < systemStore.Count; i++)
                {
                    cert = systemStore.get_Certificates(i);
                    if (cert.SubjectName.CommonName == certificateCommonName)
                    {
                        certStorage.Add(cert, true);    // signing certificate, with its private key
                        int index;
                        while ((index = systemStore.GetIssuerCertificate(cert)) != -1)
                        {
                            cert = systemStore.get_Certificates(index);
                            certStorage.Add(cert, false);   // issuer certificates, public part only
                        }
                        break;
                    }
                }

                // Tune the validator the handler creates: trust the collected chain, check CRLs but not OCSP
                handler.OnCertValidatorPrepared += new SBPAdES.TSBPDFCertValidatorPreparedEvent((object Sender, ref SBCertValidator.TElX509CertificateValidator CertValidator, SBX509.TElX509Certificate Cert) =>
                {
                    CertValidator.AddTrustedCertificates(certStorage);
                    CertValidator.CheckCRL = true;
                    CertValidator.CheckOCSP = false;
                    CertValidator.MandatoryCRLCheck = false;
                    CertValidator.MandatoryOCSPCheck = false;
                });

                handler.CertStorage = certStorage;
                handler.AutoCollectRevocationInfo = true;
                handler.ForceCompleteChainValidation = true;
                handler.IncludeRevocationInfoToAdbeAttribute = true;
                handler.PAdESSignatureType = SBPAdES.TSBPAdESSignatureType.pastEnhanced;
                handler.SignatureType = SBPDFSecurity.TSBPDFPublicKeySignatureType.pstPKCS7SHA1;
                handler.HashAlgorithm = SBConstants.__Global.SB_ALGORITHM_DGST_SHA256;
                handler.CustomName = "Adobe.PPKMS";
                handler.DeepValidation = true;

                // Close(true) saves the document, which is when the signature is actually computed
                Document.Close(true);
            }
        }
    }
}

If IgnoreChainValidationErrors is true, signing succeeds but the CRL is not embedded in the signature. As soon as I set IgnoreChainValidationErrors to false, I get an exception:
'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' occurred in SecureBlackbox.PKIPDF.dll

Additional information: Chain validation failed

I am signing with a valid certificate and the issuer certificate is in the trusted store. Please help.
#35312
Posted: 12/28/2015 10:52:17
by Eugene Mayevski (Team)

We have several articles related to the validation of certificates and to the diagnostics of possible problems. The articles are:
1) "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php ),
2) "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php ),
3) "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php )

Please review those articles (especially the second one) and try the steps provided in the articles.


Sincerely yours
Eugene Mayevski
#35315
Posted: 12/28/2015 11:25:01
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After checking my sample again with logging enabled, I got the following log:
Quote

Starting certificate validation: ***
Certificate validation completed for certificate: ***. Validity: cvInvalid, Reason: 64
Starting certificate validation: ***
Will be retrieving CRL response for certificate: ***
Will be retrieving CRL response for certificate: ***
CRL needed for certificate: ***
Encountered CRL error when validating certificate: *** error: 1004
Certificate validation completed for certificate: *** Validity: cvInvalid, Reason: 128
Exception thrown: 'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' in SecureBlackbox.PKIPDF.dll
Finished validation of the certificate: ***, validity: cvChainUnvalidated, reason: 192


I omitted the certificate SubjectRDN and IssuerRDN for privacy reasons. I have set all properties of the validator as mentioned in the second article.
#35317
Posted: 12/28/2015 11:37:50
by Eugene Mayevski (Team)

Which version of SecureBlackbox are you using? In version 14, the TElX509CertificateValidator class has extensive logging, which provides more information than your sample log.


Sincerely yours
Eugene Mayevski
#35318
Posted: 12/28/2015 11:43:42
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Yes, I am using version 14. How can I turn on extensive logging?
#35319
Posted: 12/28/2015 11:52:20
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi, it's me again. I have put the following into the OnCertValidatorFinished event:
Code
// TElX509Certificate and TSBCertificateValidity are used unqualified here, which assumes "using SBX509;"
handler.OnCertValidatorFinished += new SBPAdES.TSBPDFCertValidatorFinishedEvent((object Sender, SBCertValidator.TElX509CertificateValidator CertValidator, TElX509Certificate Cert, TSBCertificateValidity Validity, int Reason) =>
{
    System.Diagnostics.Debug.WriteLine("Finished validation of the certificate: " + Cert.SubjectRDN.SaveToDNString() + " / " + Cert.IssuerRDN.SaveToDNString() + ", validity: " + Validity.ToString() + ", reason: " + Reason.ToString());

    // Dump the validator's internal log, which explains the validity and reason reported above
    for (int i = 0; i < CertValidator.InternalLogger.Log.Count; i++)
    {
        System.Diagnostics.Debug.WriteLine(CertValidator.InternalLogger.Log[i].ToString());
    }
});


I got the following:
Quote

Starting certificate validation (CN=***)
Certificate is explicitly trusted
Checking validity period
Checking CA certificate extensions
Basic constraints are violated
Running revocation check
Revocation check preference: CRL and OCSP
Revocation check completed
Certificate validation finished (CN=***), general validity: INVALID, general reason: CA unauthorized
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at *.*.*)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from ***
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from ***
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified
#35320
Posted: 12/28/2015 12:02:17
by Eugene Mayevski (Team)

The log says that one of the validated CA certificates was not compliant with the standard: one of its mandatory extensions was either missing or incorrectly set.

You can set the IgnoreCA* properties to true one by one and see which of them lets the certificate be accepted.


Sincerely yours
Eugene Mayevski
#35321
Posted: 12/28/2015 12:14:43
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Thanks Eugene,
It was perfect, as always :)

When I set the following:
Code
CertValidator.IgnoreCABasicConstraints = true;


everything started to work. Could you please tell me what CABasicConstraints are?
#35322
Posted: 12/28/2015 12:17:14
by Eugene Mayevski (Team)

From Technet:

Quote
Certification authorities (CAs) must have a certificate before they can issue certificates. They use the private key associated with this certificate to digitally sign issued certificates. When a CA obtains a certificate from another CA, the parent CA may want to control whether that certificate can be used to issue certificates to other certificate servers. This is a basic constraint.

Basic constraints are used to ensure that a certificate is only used in certain applications. An example is the path length that can be specified as a basic constraint.


Sincerely yours
Eugene Mayevski
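To make the two points above concrete (the "CA unauthorized" verdict that the IgnoreCA* switches override in #35320, and the meaning of Basic Constraints quoted in #35322), here is an added example of the RFC 5280 Basic Constraints walk that a validator performs over a chain. It is not SecureBlackbox or EldoS code and uses no SecureBlackbox API; the certificate names, extension values and the `ignore_ca_basic_constraints` parameter (a stand-in for the validator's IgnoreCABasicConstraints property) are all constructed for illustration. It goes slightly beyond the thread in that it also checks the pathLenConstraint part of the extension, which the Technet quote mentions but the thread's log does not exercise.

```python
# Added example (not SecureBlackbox or EldoS code): a minimal RFC 5280
# Basic Constraints check over a constructed certificate chain. Every
# certificate name and extension value below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """The few fields of an X.509 certificate that this check needs."""
    subject: str
    issuer: str
    is_ca: Optional[bool] = None    # cA flag; None means the extension is absent
    path_len: Optional[int] = None  # pathLenConstraint; None means no limit


def basic_constraints_problems(chain: List[Cert],
                               ignore_ca_basic_constraints: bool = False
                               ) -> List[Tuple[str, str]]:
    """Walk a chain ordered leaf -> ... -> trust anchor and report every
    Basic Constraints violation (RFC 5280 section 6.1.4 step k for the cA
    flag, section 4.2.1.9 for pathLenConstraint). Returns a list of
    (issuer subject, reason) pairs; an empty list means no violation.

    ignore_ca_basic_constraints mimics the validator switch discussed in this
    thread: a missing or FALSE cA flag is then tolerated, but a
    pathLenConstraint overrun is still reported.
    """
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            raise ValueError(f"{lower.subject!r} is not issued by {upper.subject!r}")

    problems = []
    # chain[i] (i >= 1) issued chain[i-1]. The intermediates that sit between
    # chain[i] and the leaf are chain[1 .. i-1], i.e. i-1 certificates.
    for i in range(1, len(chain)):
        issuer = chain[i]
        if issuer.is_ca is not True and not ignore_ca_basic_constraints:
            problems.append((issuer.subject,
                             "CA unauthorized: cA flag missing or FALSE"))
        intermediates_below = i - 1
        if issuer.path_len is not None and intermediates_below > issuer.path_len:
            problems.append((issuer.subject,
                             f"path length {intermediates_below} exceeds "
                             f"pathLenConstraint {issuer.path_len}"))
    return problems


def validate(chain: List[Cert],
             ignore_ca_basic_constraints: bool = False
             ) -> Tuple[str, List[Tuple[str, str]]]:
    """Summarise in the style of the validator log: ('VALID', []) or ('INVALID', problems)."""
    problems = basic_constraints_problems(chain, ignore_ca_basic_constraints)
    return ("VALID" if not problems else "INVALID", problems)


# Constructed chains; all names are placeholders, not real CAs.
ROOT = Cert("CN=Example Root", "CN=Example Root", is_ca=True)
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root", is_ca=True, path_len=0)
LEAF = Cert("CN=Signer", "CN=Example Issuing CA")      # end entity: no cA flag needed
GOOD_CHAIN = [LEAF, INTERMEDIATE, ROOT]

# The situation in this thread: an issuing CA whose certificate carries no
# usable Basic Constraints extension (for instance an old v1 certificate).
LEGACY_CA = Cert("CN=Legacy Issuing CA", "CN=Example Root", is_ca=None)
LEGACY_LEAF = Cert("CN=Signer", "CN=Legacy Issuing CA")
LEGACY_CHAIN = [LEGACY_LEAF, LEGACY_CA, ROOT]

# A root whose pathLenConstraint forbids any intermediate, used with one anyway.
STRICT_ROOT = Cert("CN=Strict Root", "CN=Strict Root", is_ca=True, path_len=0)
STRICT_INT = Cert("CN=Strict Issuing CA", "CN=Strict Root", is_ca=True)
STRICT_LEAF = Cert("CN=Signer", "CN=Strict Issuing CA")
TOO_LONG_CHAIN = [STRICT_LEAF, STRICT_INT, STRICT_ROOT]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("legacy", LEGACY_CHAIN),
                        ("too long", TOO_LONG_CHAIN)]:
        print(name, validate(chain))
    print("legacy with IgnoreCABasicConstraints:",
          validate(LEGACY_CHAIN, ignore_ca_basic_constraints=True))
```

The `LEGACY_CHAIN` case reproduces the thread's outcome: the chain is rejected with "CA unauthorized" until the cA check is switched off, after which it passes. The `TOO_LONG_CHAIN` case shows why that switch should be applied narrowly: it does not silence a pathLenConstraint violation, and a CA that issues without a valid cA assertion is exactly the condition the extension exists to catch.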