EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Chain validation failed when IgnoreChainValidationErrors is false

#35311
Posted: 12/28/2015 10:41:22
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hello
I have a problem with signing a PDF document when IgnoreChainValidationErrors is set to false. Here is the code:
Code
static void SignPDF(string filePath, string certificateCommonName)
{
    // Work on a copy so the original document stays untouched
    string newFilePath = Path.Combine(Path.GetDirectoryName(filePath), "TestSigned.pdf");
    File.Copy(filePath, newFilePath, true);

    // Initialize SB units and register the retriever factories the validator
    // needs to fetch CRLs, OCSP responses and missing issuer certificates
    SBPDF.Unit.Initialize();
    SBPDFSecurity.Unit.Initialize();
    SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory();
    SBLDAPCRL.Unit.RegisterLDAPCRLRetrieverFactory();
    SBLDAPCertRetriever.Unit.RegisterLDAPCertificateRetrieverFactory();
    SBHTTPCertRetriever.Unit.RegisterHTTPCertificateRetrieverFactory();
    SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory();

    using (SBPDF.TElPDFDocument Document = new SBPDF.TElPDFDocument())
    using (FileStream stream = new FileStream(newFilePath, FileMode.Open, FileAccess.ReadWrite))
    {
        Document.Open(stream);

        int signatureIndex = Document.AddSignature();
        SBPDF.TElPDFSignature sig = Document.get_Signatures(signatureIndex);
        sig.SigningTime = DateTime.UtcNow;
        sig.Invisible = true;

        using (SBPAdES.TElPDFAdvancedPublicKeySecurityHandler handler = new SBPAdES.TElPDFAdvancedPublicKeySecurityHandler())
        using (SBCustomCertStorage.TElMemoryCertStorage certStorage = new SBCustomCertStorage.TElMemoryCertStorage())
        using (SBWinCertStorage.TElWinCertStorage systemStore = new SBWinCertStorage.TElWinCertStorage())
        {
            sig.Handler = handler;

            // Look in the personal, intermediate CA and root Windows stores
            systemStore.SystemStores.BeginUpdate();
            try
            {
                systemStore.SystemStores.Clear();
                systemStore.SystemStores.Add("MY");
                systemStore.SystemStores.Add("CA");
                systemStore.SystemStores.Add("Root");
            }
            finally
            {
                systemStore.SystemStores.EndUpdate();
            }

            // Copy the signing certificate (with its private key) and its issuer
            // chain (public parts only) into an in-memory storage
            certStorage.Clear();
            for (int i = 0; i < systemStore.Count; i++)
            {
                SBX509.TElX509Certificate cert = systemStore.get_Certificates(i);
                if (cert.SubjectName.CommonName == certificateCommonName)
                {
                    certStorage.Add(cert, true);
                    int index;
                    while ((index = systemStore.GetIssuerCertificate(cert)) != -1)
                    {
                        cert = systemStore.get_Certificates(index);
                        certStorage.Add(cert, false);
                    }
                    break;
                }
            }

            // Tune the validator the handler creates internally: trust the collected
            // chain and use CRLs (not OCSP) for revocation checks
            handler.OnCertValidatorPrepared += new SBPAdES.TSBPDFCertValidatorPreparedEvent((object Sender, ref SBCertValidator.TElX509CertificateValidator CertValidator, SBX509.TElX509Certificate Cert) =>
            {
                CertValidator.AddTrustedCertificates(certStorage);
                CertValidator.CheckCRL = true;
                CertValidator.CheckOCSP = false;
                CertValidator.MandatoryCRLCheck = false;
                CertValidator.MandatoryOCSPCheck = false;
            });

            handler.CertStorage = certStorage;
            handler.IgnoreChainValidationErrors = false;
            handler.AutoCollectRevocationInfo = true;
            handler.ForceCompleteChainValidation = true;
            handler.IncludeRevocationInfoToAdbeAttribute = true;
            handler.PAdESSignatureType = SBPAdES.TSBPAdESSignatureType.pastEnhanced;
            handler.SignatureType = SBPDFSecurity.TSBPDFPublicKeySignatureType.pstPKCS7SHA1;
            handler.HashAlgorithm = SBConstants.__Global.SB_ALGORITHM_DGST_SHA256;
            handler.CustomName = "Adobe.PPKMS";
            handler.DeepValidation = true;

            // Close(true) saves the document; this is when the signature is computed
            // and the certificate chain is validated
            Document.Close(true);
        }
    }
}

If IgnoreChainValidationErrors is true, signing succeeds but the CRL is not embedded in the signature. As soon as I set IgnoreChainValidationErrors to false I get an exception:
'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' occurred in SecureBlackbox.PKIPDF.dll

Additional information: Chain validation failed

I am signing with a valid certificate and the issuer certificate is in the trusted store. Please help.
#35312
Posted: 12/28/2015 10:52:17
by Eugene Mayevski (EldoS Corp.)

We have several articles, related to validation of certificates and to diagnostics of possible problems. The articles are:
1) "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php ),
2) "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php ),
3) "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php )

Please review those articles (especially the second one) and try the steps provided in the articles.


Sincerely yours
Eugene Mayevski
#35315
Posted: 12/28/2015 11:25:01
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

After checking my sample again with logging, I got the following log:
Quote

Starting certificate validation: ***
Certificate validation completed for certificate: ***. Validity: cvInvalid, Reason: 64
Starting certificate validation: ***
Will be retrieving CRL response for certificate: ***
Will be retrieving CRL response for certificate: ***
CRL needed for certificate: ***
Encountered CRL error when validating certificate: *** error: 1004
Certificate validation completed for certificate: *** Validity: cvInvalid, Reason: 128
Exception thrown: 'SBPAdES.EElPDFAdvancedPublicKeySecurityHandlerError' in SecureBlackbox.PKIPDF.dll
Finished validation of the certificate: ***, validity: cvChainUnvalidated, reason: 192


I omitted the certificate SubjectRDN and IssuerRDN for privacy reasons. I have set all properties of the validator as mentioned in the second article.
#35317
Posted: 12/28/2015 11:37:50
by Eugene Mayevski (EldoS Corp.)

Which version of SecureBlackbox are you using? In version 14 the TElX509CertificateValidator class has extensive logging, which provides more information than your sample log.


Sincerely yours
Eugene Mayevski
#35318
Posted: 12/28/2015 11:43:42
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Yes, I am using version 14. How can I turn on extensive logging?
#35319
Posted: 12/28/2015 11:52:20
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Hi, it's me again. I have put the following into the OnCertValidatorFinished event:
Code
handler.OnCertValidatorFinished += new SBPAdES.TSBPDFCertValidatorFinishedEvent((object Sender, SBCertValidator.TElX509CertificateValidator CertValidator, SBX509.TElX509Certificate Cert, SBX509.TSBCertificateValidity Validity, int Reason) =>
{
    // Summary line: which certificate was validated, and with what result
    System.Diagnostics.Debug.WriteLine("Finished validation of the certificate: " + Cert.SubjectRDN.SaveToDNString() + " / " + Cert.IssuerRDN.SaveToDNString() + ", validity: " + Validity.ToString() + ", reason: " + Reason.ToString());

    // Dump the validator's internal log, which records each check it performed
    for (int i = 0; i < CertValidator.InternalLogger.Log.Count; i++)
    {
        System.Diagnostics.Debug.WriteLine(CertValidator.InternalLogger.Log[i].ToString());
    }
});


I got the following:
Quote

Starting certificate validation (CN=***)
Certificate is explicitly trusted
Checking validity period
Checking CA certificate extensions
Basic constraints are violated
Running revocation check
Revocation check preference: CRL and OCSP
Revocation check completed
Certificate validation finished (CN=***), general validity: INVALID, general reason: CA unauthorized
Starting certificate validation (CN=)
Certificate is explicitly trusted
Checking validity period
Certificate is self-signed or trusted, no chain validation will be performed
Certificate is self-signed and is a CA for itself
Certificate signature is OK
Running revocation check
Revocation check preference: CRL and OCSP
Starting certificate CRL check (CN=) (at *.*.*)
We are configured to look for implicit DPs if no CRL distribution points are available
Retrieving CRLs...
Processing distribution point #1
Looking for the CRL in the cache
Retrieving CRL from ***
Processing distribution point #2
Looking for the CRL in the cache
Retrieving CRL from ***
No CRLs have been successfully retrieved
Validating the CRLs we've downloaded (0)
CRL check completed for certificate (CN=), general validity: VALID, general reason: CRL not verified, CRL exists: True
Failed to retrieve adequate revocation information
Revocation check completed
Certificate validation finished (CN=), general validity: INVALID, general reason: CRL not verified
#35320
Posted: 12/28/2015 12:02:17
by Eugene Mayevski (EldoS Corp.)

The log says that one of the validated CA certificates was not compliant with the standard: one of its mandatory extensions was either missing or incorrectly set.

You can set the IgnoreCA* properties to true one by one and see which of them lets the certificate be accepted.


Sincerely yours
Eugene Mayevski
#35321
Posted: 12/28/2015 12:14:43
by ingbabic  (Standard support level)
Joined: 09/27/2011
Posts: 114

Thanks Eugene,
It was perfect, as always :)

When I set the following:
Code
// Inside OnCertValidatorPrepared, where CertValidator is the validator the handler passes in
CertValidator.IgnoreCABasicConstraints = true;


everything started to work. Please just tell me, what are CABasicConstraints?
#35322
Posted: 12/28/2015 12:17:14
by Eugene Mayevski (EldoS Corp.)

From Technet:

Quote
Certification authorities (CAs) must have a certificate before they can issue certificates. They use the private key associated with this certificate to digitally sign issued certificates. When a CA obtains a certificate from another CA, the parent CA may want to control whether that certificate can be used to issue certificates to other certificate servers. This is a basic constraint.

Basic constraints are used to ensure that a certificate is only used in certain applications. An example is the path length that can be specified as a basic constraint.


Sincerely yours
Eugene Mayevski
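The "Basic constraints are violated" / "CA unauthorized" lines in the log above are what a validator reports when a certificate that signed another certificate does not carry a proper BasicConstraints extension, which is exactly the check that IgnoreCABasicConstraints = true switches off. The example below is added here and is not SecureBlackbox or EldoS code: it rebuilds that check in Python with the cryptography package over a constructed three-certificate chain, and make_cert, build_chain and check_ca_basic_constraints are names introduced for this illustration.

```python
# Added example (not SecureBlackbox/EldoS code): rebuild the CA basic-constraints
# check that IgnoreCABasicConstraints=true switches off, using the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)

def make_cert(cn, key, issuer=None, basic_constraints=None):
    """Constructed test cert. issuer=(cert, key) or None for self-signed; basic_constraints=None omits the extension."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (name, key)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOT_BEFORE)
               .not_valid_after(NOT_BEFORE + datetime.timedelta(days=365)))
    if basic_constraints is not None:
        builder = builder.add_extension(basic_constraints, critical=True)
    return builder.sign(signer, hashes.SHA256())

def check_ca_basic_constraints(chain):
    """chain = [signer, issuer, ..., root]. Every cert above the signer acted as a CA, so it
    needs BasicConstraints with cA=TRUE and a pathLenConstraint that allows the CAs below it."""
    problems = []
    for depth, ca in enumerate(chain[1:]):  # depth = intermediate CAs below this one
        cn = ca.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        try:
            bc = ca.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            problems.append(f"{cn}: BasicConstraints extension missing on a CA")
            continue
        if not bc.ca:
            problems.append(f"{cn}: BasicConstraints cA=FALSE on a CA")
        elif bc.path_length is not None and depth > bc.path_length:
            problems.append(f"{cn}: pathLenConstraint={bc.path_length} exceeded")
    return problems

def build_chain(intermediate="ok"):
    """Constructed root -> intermediate -> signer chain; intermediate mode: 'ok', 'missing', 'not_ca'."""
    modes = {"ok": x509.BasicConstraints(ca=True, path_length=0), "missing": None,
             "not_ca": x509.BasicConstraints(ca=False, path_length=None)}
    root_key, inter_key, signer_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Constructed Root", root_key, None, x509.BasicConstraints(ca=True, path_length=1))
    inter = make_cert("Constructed Intermediate", inter_key, (root, root_key), modes[intermediate])
    signer = make_cert("Constructed Signer", signer_key, (inter, inter_key),
                       x509.BasicConstraints(ca=False, path_length=None))
    return [signer, inter, root]
```

Running check_ca_basic_constraints over a real chain exported from the Windows store (parsed with x509.load_der_x509_certificate) shows which CA certificate the validator objects to before any IgnoreCA* property is relaxed.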