Validate certificate when signing PDF file

#35336
Posted: 12/31/2015 11:31:26
by João Domingos (Standard support level)
Joined: 11/13/2015
Posts: 2

Hi,

I'm trying to make a complete certificate validation when signing a PDF file. Initially I was setting AutoCollectRevocationInfo to true and the certificate was being validated (including the OCSP/CRL check), but the revocation info was also being included in the signature, resulting in a large PDF file. I tried setting AutoCollectRevocationInfo to false, but this also disables certificate validation, although ForceCompleteChainValidation is set to true.
Is there any way for TElPDFAdvancedPublicKeySecurityHandler to make a complete certificate validation before performing the signature without including revocation info in the signature? Or will I have to directly use TElX509CertificateValidator to force the certificate validation before performing the signature?
Also, does TElX509CertificateValidator implement any kind of cache for revocation objects? Should I use the same instance of TElX509CertificateValidator to take advantage of the cache, or is the cache shared across TElX509CertificateValidator instances?
Thanks in advance.
#35340
Posted: 12/31/2015 12:12:25
by Eugene Mayevski (EldoS Corp.)

Quote
MedicineOne wrote:
Is there any way for TElPDFAdvancedPublicKeySecurityHandler to make a complete certificate validation before performing the signature without including revocation info in the signature? Or will I have to directly use TElX509CertificateValidator to force the certificate validation before performing the signature?

The idea of AutoCollectRevocationInfo is to put all information into the PDF file, so you have contradictory requirements. In this situation (if you don't want to put everything into the PDF) your only option is to use TElX509CertificateValidator to check the certificate used for signing, and then include just the signing certificate or certificate chain in the PDF. Note that in this situation each recipient of the PDF will need to perform validation on their own.

Quote
MedicineOne wrote:
Also, does TElX509CertificateValidator implement any kind of cache for revocation objects? Should I use the same instance of TElX509CertificateValidator to take advantage of the cache, or is the cache shared across TElX509CertificateValidator instances?

In version 14 validated certificates are cached with flexible caching options. CRLs are cached as well. As for OCSP, it's not cached automatically (for obvious reasons), but it's possible to implement the cache in your code if needed.


Sincerely yours
Eugene Mayevski
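The approach described in the reply above, written out as an added example that is not part of the thread and not EldoS code: validate the signing certificate with a TElX509CertificateValidator first, and only then sign with AutoCollectRevocationInfo set to false, so that the PDF carries the certificate (and, if added to the storage, its chain) but no CRL or OCSP data. The namespaces, the validator properties other than ForceCompleteChainValidation, the Validate signature, the TElPDFDocument/TElPDFSignature members and the TElMemoryCertStorage.Add overload are assumptions about the SecureBlackbox 14 .NET API and should be checked against the installed documentation.

```csharp
// Added example (not from the thread, not EldoS code). Assumed SecureBlackbox 14 .NET
// namespaces and member names are marked below; verify them against your version.
using System;
using System.IO;
using SBX509;               // TElX509Certificate, TSBCertificateValidity (assumed)
using SBCertValidator;      // TElX509CertificateValidator (assumed namespace)
using SBCustomCertStorage;  // TElMemoryCertStorage (assumed)
using SBPDF;                // TElPDFDocument, TElPDFSignature (assumed)
using SBPDFSecurity;        // TElPDFAdvancedPublicKeySecurityHandler (assumed)

public static class PreValidatedPdfSigner
{
    // One validator for the whole application. The thread states that the certificate
    // and CRL caches are global per application, so a single instance is enough and
    // keeps the validation policy in one place.
    private static readonly TElX509CertificateValidator Validator = BuildValidator();

    private static TElX509CertificateValidator BuildValidator()
    {
        var v = new TElX509CertificateValidator();
        v.ForceCompleteChainValidation = true; // property named on the page
        v.CheckCRL = true;                     // assumed property name
        v.CheckOCSP = true;                    // assumed property name
        v.UseSystemStorages = true;            // assumed: trust the OS root store
        return v;
    }

    // Returns true only when the validator reports the certificate as valid.
    // 'reason' receives the validator's reason flags for logging (signature assumed).
    public static bool IsSignerCertificateValid(TElX509Certificate signer, out int reason)
    {
        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        reason = 0;
        Validator.Validate(signer, ref validity, ref reason);
        return validity == TSBCertificateValidity.cvOk;
    }

    public static void Sign(string inputPath, string outputPath,
                            TElX509Certificate signer, TElX509Certificate[] intermediates)
    {
        int reason;
        if (!IsSignerCertificateValid(signer, out reason))
            throw new InvalidOperationException(
                "Signer certificate failed validation, reason flags 0x" + reason.ToString("X"));

        File.Copy(inputPath, outputPath, true);
        using (var stream = new FileStream(outputPath, FileMode.Open, FileAccess.ReadWrite))
        {
            var doc = new TElPDFDocument();
            doc.Open(stream);                        // assumed method name
            try
            {
                int idx = doc.AddSignature();        // assumed: returns new signature index
                TElPDFSignature sig = doc.get_Signatures(idx); // assumed indexed accessor
                sig.Invisible = true;                // assumed property

                var storage = new TElMemoryCertStorage();
                storage.Add(signer, true);           // assumed: (certificate, copyPrivateKey)
                foreach (var ca in intermediates)
                    storage.Add(ca, false);          // chain only, no private keys

                var handler = new TElPDFAdvancedPublicKeySecurityHandler();
                handler.CertStorage = storage;       // assumed property name
                handler.AutoCollectRevocationInfo = false; // named on the page: no CRL/OCSP embedded
                sig.Handler = handler;               // assumed property name
            }
            finally
            {
                doc.Close(true);                     // assumed: true = save changes
            }
        }
    }
}
```

Because the revocation data stays out of the file, a verifier opening the PDF later has to fetch CRLs or OCSP responses itself, exactly as the reply warns; the pre-sign check only protects the signer from signing with an already revoked certificate.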
#35403
Posted: 01/06/2016 05:49:19
by João Domingos (Standard support level)
Joined: 11/13/2015
Posts: 2

Hi,

Quote
In version 14 validated certificates are cached with flexible caching options. CRLs are cached as well.


Is the cache per instance of TElX509CertificateValidator? Or does it persist during the runtime of the application?
#35404
Posted: 01/06/2016 06:34:43
by Eugene Mayevski (EldoS Corp.)

The caches are global per-application.


Sincerely yours
Eugene Mayevski
