Signature TimeStamp Invalid (Reason: CRL not verified)

#35427
Posted: 01/07/2016 12:17:45
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

I'm developing an application with BlackBox to sign XML files with XAdES. When I reach the XAdES-XL level, I get this result from verification: Invalid (Reason: CRL not verified) (the verification of the certificate fails too, because this is a self-signed one; am I right on this issue?).

I'm using the http://tss.accv.es:8318/tsa TSA service, which, in theory, is an official one. So, why am I getting this result?

My application is based on "Implementing XAdES signing of data using SecureBlackbox", where I have seen:

Quote

The XAdES components could automatically collect certificates and revocation information or use custom certificates and revocation information. Automatic collection in [XAdES PLACE #1] is done by calling XAdESSigner.Generate method with parameter XAdES_X_L or higher


So, what I understand is that the CRL of the TSA certificate is auto included, is it right? In other case, how can I include it manually?

Regards
#35428
Posted: 01/07/2016 12:37:00
by Eugene Mayevski (EldoS Corp.)

You are getting this result because during validation of the certificate there was a need to retrieve the CRL for some certificate in the chain, and the attempt to retrieve the CRL failed.

First of all you need to ensure that you use CRL retriever and OCSP client as described in the help file, in the description of TElX509CertificateValidator class.

If you are doing this, please refer to these articles for the detailed explanation of how validation works:

1) "Validation of certificates in SecureBlackbox (mini-FAQ)" (https://www.eldos.com/security/articles/7545.php ),
2) "Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components" (https://www.eldos.com/security/articles/7639.php ),
3) "Additional tune-up of retrievers in TElX509CertificateValidator" (https://www.eldos.com/security/articles/8115.php )


Sincerely yours
Eugene Mayevski
#35429
Posted: 01/07/2016 12:45:51
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Sorry, as I have mentioned, I'm using a self-signed certificate at the moment, so I can't use a CRL retriever or an OCSP client yet (am I right??). But I don't understand why the verification of the timestamps is not valid.

Regards!
#35430
Posted: 01/07/2016 12:47:36
by Eugene Mayevski (EldoS Corp.)

You are using timestamping via HTTPS. This involves TLS certificate which needs to be validated, as well as a timestamping certificate used to sign the timestamp response (and which also has to be validated). That's where the problem happens.


Sincerely yours
Eugene Mayevski
#35432
Posted: 01/07/2016 12:56:06
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

I could be mistaken, but this is my TSA service:

http://tss.accv.es:8318/tsa

So, it is not HTTPS...
#35433
Posted: 01/07/2016 13:02:24
by Eugene Mayevski (EldoS Corp.)

I am sorry, I've missed this. But still there's the timestamping certificate that needs validation.


Sincerely yours
Eugene Mayevski
#35434
Posted: 01/07/2016 13:34:12
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

Ok, thanks, but how?

That's my code:

Code
   Dim tsaCert As New TElX509Certificate()
   tsaCert.LoadFromStreamPFX(File.OpenRead("E:\tsaCert\tsa.cer"), "")

   Dim tsaCerts As New TElMemoryCertStorage()
   tsaCerts.Add(tsaCert)
   Dim OCPResponses As New ArrayList
   OCPResponses.Add("http://ocsp.accv.es/")
   XAdESVerifier.AddRevocationValues(Nothing, OCPResponses)

   XAdESVerifier.AddCertificateValues(tsaCerts)
   Dim Validity As TSBXAdESValidity = XAdESVerifier.AddValidationDataValues()


It fails at the XAdESVerifier.AddRevocationValues(Nothing, OCPResponses) line. Are CRL and OCSP both necessary? Why?

Thanks.

Regards!
#35436
Posted: 01/07/2016 15:01:54
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote

It fails at the XAdESVerifier.AddRevocationValues(Nothing, OCPResponses) line. Are CRL and OCSP both necessary? Why?

You should use either the AddValidationDataValues() method or the AddCertificateValues()/AddRevocationValues() methods.
The AddValidationDataValues() method is used to add validation data (certificates, revocation info) values automatically (using the TElX509CertificateValidator class).
The AddCertificateValues()/AddRevocationValues() methods are used to add certificate and revocation info in manual mode. The AddRevocationValues() method expects as its second parameter a list of TElOCSPResponse objects, not a string value.
I think the simplest way for you would be to set the trusted certificates using:
Code
XAdESVerifier.TrustedCertificates = tsaCerts

and then call the AddValidationDataValues() method to automatically collect revocation info.
You can adjust certificate validator options (e.g. disable CRLs) in the TElXAdESVerifier.OnBeforeCertificateValidate event handler.
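Putting the two answers together, the following is an added sketch (not code from this thread or from the SecureBlackbox samples) of the path Dmytro describes: the TSA certificate and its root go into the verifier's TrustedCertificates, HTTP CRL/OCSP retrievers are registered so the internal validator can fetch revocation data, the validator is tuned in OnBeforeCertificateValidate, and AddValidationDataValues() does the collection. The event handler signature, the factory registration calls, the validator property names (CheckCRL, CheckOCSP, MandatoryRevocationCheck), the DER loader and the root certificate path are assumptions to check against your SecureBlackbox version's help file.

```vbnet
' Added example, not from the thread. Names outside the thread are assumptions.

' Assumption: a plain DER .cer loads with LoadFromStream (LoadFromStreamPFX is for PKCS#12).
Private Function LoadDerCertificate(ByVal path As String) As TElX509Certificate
    Dim cert As New TElX509Certificate()
    Using stream As FileStream = File.OpenRead(path)
        cert.LoadFromStream(stream)
    End Using
    Return cert
End Function

' Called by the verifier before each certificate in a chain is validated.
' Assumption: the event hands over the internally created TElX509CertificateValidator.
Private Sub OnBeforeCertificateValidate(ByVal sender As Object, _
                                        ByVal validator As TElX509CertificateValidator)
    ' Let the validator download CRLs and query OCSP (factories registered below).
    validator.CheckCRL = True
    validator.CheckOCSP = True
    ' While testing with a self-signed signing certificate that publishes no CRL,
    ' missing revocation data should not by itself fail the whole chain.
    validator.MandatoryRevocationCheck = False
End Sub

Private Function CollectValidationData(ByVal xadesVerifier As TElXAdESVerifier) As TSBXAdESValidity
    ' Register the HTTP retrievers once per process (assumed registration calls).
    SBHTTPCRL.Unit.RegisterHTTPCRLRetrieverFactory()
    SBHTTPOCSPClient.Unit.RegisterHTTPOCSPClientFactory()

    ' Both the TSA certificate and its root must be trusted; otherwise the
    ' timestamp token signer cannot be chained and validation stays incomplete.
    Dim trusted As New TElMemoryCertStorage()
    trusted.Add(LoadDerCertificate("E:\tsaCert\tsa.cer"))      ' path from the thread
    trusted.Add(LoadDerCertificate("E:\tsaCert\tsa-root.cer")) ' assumed path
    xadesVerifier.TrustedCertificates = trusted

    AddHandler xadesVerifier.OnBeforeCertificateValidate, AddressOf OnBeforeCertificateValidate

    ' Automatic mode: the verifier builds the chains and fetches revocation info itself.
    ' Do not combine this with AddCertificateValues()/AddRevocationValues().
    Return xadesVerifier.AddValidationDataValues()
End Function
```

Inspect the returned TSBXAdESValidity before extending to XAdES-XL; anything other than a valid result means the chain for the signing or TSA certificate is still not trusted or its revocation data could not be retrieved.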
#35442
Posted: 01/07/2016 16:41:57
by Eugene Mayevski (EldoS Corp.)

Quote
a.guillermo wrote:
Ok, thanks, but how?


Can you please clarify what exactly you are asking about with "how"? You said that you use timestamping. This involves validation of the certificate with the validator that is created internally. This validation fails.

Is there something specific you want to ask about?


Sincerely yours
Eugene Mayevski
#35452
Posted: 01/08/2016 05:20:49
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

First of all thanks for the patience.

I will try to explain my trouble.

I'm developing a signer module for XML files. We need to reach the XAdES-A level, so I have written a Sign function which generates a signature at XAdES_C level. I don't have a trusted certificate to sign with, so I can't validate this yet.

That's the code:

Code
   Friend Function Sign(ByVal XMLDocument As TElXMLDOMDocument, ByVal X509Data As TElXMLKeyInfoData) As Boolean
        ' Creating an instance of XML-DSig signer.
  
        Dim Signer As New TElXMLSigner
        ' Creating an instance of XAdES signer.
        Dim XAdESSigner As New TElXAdESSigner
        ' Setup XAdES processor
        Signer.XAdESProcessor = XAdESSigner


        Dim doc As New TElXMLDOMDocument()

        doc.LoadFromFile("C:\Discos\Disco1\20151221T101552Z6705788_LibsafeXMLDisk1.xml")
        Dim keyInfo As New TElXMLKeyInfoX509Data(True)

        Dim crtIns As New TElX509Certificate()
        crtIns.LoadFromStreamPFX(File.OpenRead("E:\certificate\ia.p12"), "26S1rbBa")
        keyInfo.Certificate = crtIns

        Dim NSMap As New TElXMLNamespaceMap()
        NSMap.AddNamespace("ds", SBXMLDefs.Unit.xmlSignatureNamespace)

        Dim signatureNodes = doc.SelectNodes("//ds:Signature", NSMap)

        Dim tspClient As New TElHTTPTSPClient
        Dim httpClient As New TElHTTPSClient
        tspClient.HTTPClient = httpClient
        tspClient.URL = "http://tss.accv.es:8318/tsa" ' no trailing space in the URL
        httpClient.SocketTimeout = 20000 '20 seconds
        Dim SigNode As TElXMLDOMNode
        ' Selecting a target node for the signature
        If signatureNodes.Count = 1 Then
            SigNode = signatureNodes(0)
        ElseIf signatureNodes.Count = 0 Then
            SigNode = doc.ChildNodes(1)
        End If


        If signatureNodes.Count = 0 Then
            ' (!) Remember to handle the httpClient’s OnCertificateValidate
            ' event if the TSA server is accessible via HTTPS protocol.
            'XAdESSigner.IgnoreTimestampFailure = True

            Dim k As Integer = 0
            Try

                ' adding references. For example, adding a reference for the document element.
                Dim Ref As New TElXMLReference
                Ref.TransformChain.Add(New TElXMLEnvelopedSignatureTransform)
                Ref.URI = ""
                Ref.URINode = SigNode
                Signer.References.Add(Ref)

                ' Setup signer key data
                Signer.KeyData = keyInfo
                Signer.SignatureMethod = SBXMLSec.Unit.xsmRSA_SHA256

                ' calculate digest value for references
                Signer.UpdateReferencesDigest()

                ' Filling XAdES info
                ' Setting XAdES version
                XAdESSigner.XAdESVersion = SBXMLAdES.Unit.XAdES_v1_4_1

                'XAdESSigner.AddCounterSignature(Signer)


                XAdESSigner.PolicyId.SigPolicyHash.DigestMethod = SBXMLSec.Unit.DigestMethodToURI(SBXMLSec.Unit.xdmSHA256)
                XAdESSigner.PolicyId.SigPolicyHash.DigestValue = SBXMLSec.Unit.CalculateDigest(crtIns.CertificateBinary, SBXMLSec.Unit.xdmSHA256)

                ' Place a code to setup Signed properties and Timestamp client
                ' [XAdES PLACE #1]
                ' setting up production place
                XAdESSigner.Included = SBXMLAdESIntf.Unit.xipProductionPlace
                XAdESSigner.ProductionPlace.City = "EL ESPINAR"
                XAdESSigner.ProductionPlace.StateOrProvince = "SEGOVIA"
                XAdESSigner.ProductionPlace.PostalCode = "40400"
                XAdESSigner.ProductionPlace.CountryName = "SPAIN"

                ' adding claimed roles as text
                XAdESSigner.Included = XAdESSigner.Included Or SBXMLAdESIntf.Unit.xipSignerRole
                XAdESSigner.SignerRole.ClaimedRoles.AddText(XAdESSigner.XAdESVersion, doc, "Programmers")


                XAdESSigner.SigningCertificates = New TElMemoryCertStorage()
                XAdESSigner.OwnSigningCertificates = True
                XAdESSigner.SigningCertificatesDigestMethod = SBXMLSec.Unit.xdmSHA256
                XAdESSigner.SigningCertificates.Add(crtIns)

                ' Generating XAdES structure, specify desired XAdES form as parameter
                XAdESSigner.Generate(SBXMLAdES.Unit.XAdES_C)

                ' Generating signature structure
                XAdESSigner.QualifyingProperties.SignedProperties.ID = "SignedPropertiesID"
                Signer.GenerateSignature()
                'XAdESSigner.AddCompleteCertificateRefs(XAdESSigner.SigningCertificates)
                ' Creating timestamping components.


                ' Signing and saving signature

                ' Place a code to extend XAdES form immediately after signing.
                ' Used, for example, if you want to specify own revocation info not auto collected one.
                ' [XAdES PLACE #2]
                

                Signer.Save(SigNode)

                'doc.SaveToFile("C:\Discos\Disco1\20151221T101552Z6705788_LibsafeXMLDisk1.xml")

                Dim verDoc = Verify(SigNode)
                doc.SaveToStream(verDoc)
                verDoc.Close()
                Return True
            Catch ex As Exception
                MsgBox("ERROR.")
                Return False
            Finally

                tspClient.Dispose()
                httpClient.Dispose()
                Signer.Dispose()
                XAdESSigner.Dispose()
                MsgBox("Ended")
            End Try
        ElseIf signatureNodes.Count = 1 Then
            'Extend the signature
            Dim verDoc = Verify(SigNode)
            doc.SaveToStream(verDoc)
            verDoc.Close()
            tspClient.Dispose()
            httpClient.Dispose()
            Signer.Dispose()
            XAdESSigner.Dispose()
            MsgBox("Ended")
            Return True
        Else
            MsgBox("More than one signature node")
            Return False
        End If
    End Function


Then, before saving the file, I verify the signature, and if the result is valid, I extend the signature to XAdES-A level (first to X, then to XL and finally to A). But when I validate the timestamps, I get the xsvIncomplete value. That's the code:

Code
   Private Function Verify(ByVal SigNode As TElXMLDOMElement) As FileStream
        ' Creating an instance of XML-DSig verifier.
        Dim Verifier As New TElXMLVerifier()
        ' Creating an instance of XAdES verifier.
        Dim XAdESVerifier As New TElXAdESVerifier()
        ' Setup XAdES processor
        Verifier.XAdESProcessor = XAdESVerifier
        Dim httpClient As New TElHTTPSClient
        ' (!) Remember to handle the httpClient’s OnCertificateValidate
        ' event if the TSA server is accessible via HTTPS protocol.
        'XAdESSigner.IgnoreTimestampFailure = True
        Dim tspClient As New TElHTTPTSPClient

        Dim XAdESReasons As Integer = 0

        
        Try

            Verifier.Load(SigNode)

            ' Validate a signature using Verifier.ValidateSignature() method
            ' Validate references using Verifier.ValidateReferences() or ValidateReference(..) method
            If Verifier.ValidateSignature() And Verifier.ValidateReferences() Then

                ' check if a signature has XAdES info
                ' Validate a signer certificate and timestamps using XAdESVerifier.Validate() method

                ' Place a code to extend XAdES form. For example, add new archive time-stamp.
                ' [XAdES PLACE #3]
                tspClient.HTTPClient = httpClient
                tspClient.URL = "http://tss.accv.es:8318/tsa" ' no trailing space in the URL
                httpClient.SocketTimeout = 20000 '20 seconds



                If SBXMLAdES.Unit.XAdESFormToString(XAdESVerifier.XAdESForm) <> "XAdES-A" Then

                    Dim k As Integer = XAdESVerifier.AddSignatureTimestamp(tspClient)
                    If k <> 0 Then
                        ' k must be converted explicitly; "text" + Integer throws under Option Strict Off
                        Throw New Exception("Failed to time-stamp: " + k.ToString())
                    End If

                    k = XAdESVerifier.AddSigAndRefsTimestamp(tspClient)
                    If k <> 0 Then
                        Throw New Exception("Failed to time-stamp: " + k.ToString())
                    End If

                    Dim tsaCert As New TElX509Certificate()
                    tsaCert.LoadFromStreamPFX(File.OpenRead("E:\tsaCert\tsa.cer"), "")

                    Dim tsaCerts As New TElMemoryCertStorage()
                    tsaCerts.Add(tsaCert)

                    XAdESVerifier.TrustedCertificates = tsaCerts

                    Dim Validity As TSBXAdESValidity = XAdESVerifier.AddValidationDataValues()
                End If

                Dim result = XAdESVerifier.Validate(XAdESReasons)


                If SBXMLAdES.Unit.XAdESFormToString(XAdESVerifier.XAdESForm) <> "XAdES-A" And SBXMLAdES.Unit.XAdESFormToString(XAdESVerifier.XAdESForm) = "XAdES-X" Then
                    For i As Integer = 0 To Verifier.References.Count - 1
                        Dim Ref As TElXMLReference = Verifier.References(i)
                        If Not Ref.IsURIResolved() Then
                            If Ref.URI = "" Then
                                Ref.URINode = SigNode
                            Else
                                Dim s As String = ""
                                If SBXMLUtils.Unit.ExtractIdFromLocalURI(Ref.URI, s) AndAlso Not String.IsNullOrEmpty(s) Then
                                    Ref.URINode = SBXMLUtils.Unit.FindElementById(SigNode, s)
                                    'Else set URIData/URIStream property if URI points to file/web resource

                                End If
                            End If
                        End If
                    Next
                    XAdESVerifier.AddArchiveTimestampV141(tspClient)

                    

                    Dim F As New FileStream("C:\Discos\Disco1\20151221T101552Z6705788_LibsafeXMLDisk1.xml", FileMode.Create, FileAccess.ReadWrite)

                    Return F
                Else
                    
                    Return Nothing
                End If
            End If
        Catch ex As Exception
            MsgBox(ex.Message)
            Return Nothing
        Finally
            Verifier.Dispose()
            XAdESVerifier.Dispose()
        End Try

    End Function


This code is not complete, and it is in development status, so there could be some mistakes, but it works: it signs at XAdES-A level, but with incomplete validation of the TSA as I said before.

What's the problem? I also have the TSA root certificate. Do I have to include it too?

Thanks.

Regards!