EldoS | Feel safer!


Signature TimeStamp Invalid (Reason: CRL not verified)

#35457
Posted: 01/08/2016 06:39:55
by Eugene Mayevski (EldoS Corp.)

You are now talking about your task, which is XML signing/verification. This task includes collection or validation of the timestamp as one of the steps. During collection of the timestamp, TSP's certificate is validated. This validation fails. Now you need to step back from signing and try to address the certificate validation problem.

I have specified several articles above which explain what happens and what you can do. Retelling the articles here makes little sense. The second article provides information specifically about your case. Please follow the instructions in it.


Sincerely yours
Eugene Mayevski
#35470
Posted: 01/08/2016 13:04:36
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

Ok. I had read the articles you mentioned, but I re-read them. Then it took me the whole day testing the two different ways to validate these TSA certificates, without success.

As I read:

From Validation of certificates in SecureBlackbox (mini-FAQ):

Quote

CRL and OCSP checks
The private key for the certificate can be compromised, or the certificate can be canceled (revoked) by the certificate authority that issued this certificate. In this case other users must be informed that the certificate can not be trusted anymore. This is done in two ways: by publishing Certificate Revocation Lists or by responding to real-time requests for certificate status (OCSP requests). Information about where to take the CRL and where to send OCSP request to is contained in the certificate itself.


From Implementing XAdES signing of data using SecureBlackbox:

Quote

Creating Extended Long electronic signatures with time (XAdES-X-L)
XAdES-X-L form extends XAdES-X type 1 or XAdES-X type 2 or lower forms by inserting certificate and revocation information values of the referenced validation data (certificates, CRLs and OCSP responses) to the unsigned properties. XAdES-X-L signature is thus a self-contained signature that does not require any external certificate or revocation provisioning services to be successfully validated.
The XAdES components could automatically collect certificates and revocation information or use custom certificates and revocation information. Automatic collection in [XAdES PLACE #1] is done by calling XAdESSigner.Generate method with parameter XAdES_X_L or higher. Automatic collection in [XAdES PLACE #2] and [XAdES PLACE #3] is done by calling AddValidationDataValues method:


So, as I can understand, I could validate the TSA by adding AddValidationDataValues, but I've found a problem: where do I have to include the TSA certificate?

From one of your answers:

Quote

Hi,

Quote

It fails at XAdESVerifier.AddRevocationValues(Nothing, OCPResponses) line. Are CRL and OCSP both necessary? Why?

You should use either AddValidationDataValues() method or AddCertificateValues()/AddRevocationValues() methods.
The AddValidationDataValues() method is used to add validation data (certificate, revocation info) value in the automatic way (using TElX509CertificateValidator class).
The AddCertificateValues()/AddRevocationValues() methods are used to add certificate and revocation info in the manual mode. The AddRevocationValues() method expects as its second parameter the list of TElOCSPResponse objects, not the string value.
I think the simplest way for you would be to set the trusted certificates using:
Code
XAdESVerifier.TrustedCertificates = tsaCerts

and then call AddValidationDataValues() method to automatically collect revocation info.


So I implemented:

Code
   Dim tsaCert As New TElX509Certificate()
   tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")
   Dim tsaCerts As New TElMemoryCertStorage
   tsaCerts.Add(tsaCert)

   tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.crt"), "")
   tsaCerts.Add(tsaCert)
     
   XAdESVerifier.TrustedCertificates = tsaCerts
   XAdESVerifier.AddValidationDataValues()


This solution returns me an Invalid (Reason: CRL not verified), so I tried the manual one:

From Implementing XAdES signing of data using SecureBlackbox:

Quote

Custom certificates and revocation information could be added in [XAdES PLACE #2] and [XAdES PLACE #3] using AddCertificateValues and AddRevocationValues methods.



Code
   Dim tsaCert As New TElX509Certificate()
   tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")
   Dim tsaCerts As New TElMemoryCertStorage
   tsaCerts.Add(tsaCert)

   Dim tsaTrustedCerts As New TElMemoryCertStorage

   Dim tsaRootCert As New TElX509Certificate()
   tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.crt"), "")
   tsaCerts.Add(tsaRootCert)
   tsaTrustedCerts.Add(tsaRootCert)

   tspClient.CertStorage = tsaCerts

   XAdESVerifier.CertificateValidator = New SBCertValidator.TElX509CertificateValidator
   XAdESVerifier.CertificateValidator.AddTrustedCertificates(tsaTrustedCerts)
   XAdESVerifier.AddCertificateValues(tsaCerts)

   Dim tsaCRL As New TElCertificateRevocationList
   Dim crlTSA As New TElMemoryCRLStorage

   tsaCRL.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\accvca110_der.pem"), "")
   crlTSA.Add(tsaCRL)

   tsaCRL.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\accvca120_der.pem"), "")
   crlTSA.Add(tsaCRL)

   ' ... here I add the rest of the CRLs I've downloaded from the TSA ...

   Dim serverResult As Short
   Dim reply() As Byte
   Dim ocspList As New ArrayList
   Dim ocspService As New TElFileOCSPClient()
   ocspService.URL = "http://ocsp.pki.gva.es"
   Dim req = ocspService.PerformRequest(serverResult, reply)
   XAdESVerifier.AddRevocationValues(crlTSA, ocspList)


And the result is the same as before.

So, as I read in Diagnosing certificate chain validation errors when validating a certificate or signature with *AdES components, I tried to validate the certificate with TElX509CertificateValidator (I suppose that is what is used by TElXAdESVerifier) to see a more specific result:

Code
   Dim tsaCert As New TElX509Certificate()
   tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")
   Dim tsaCerts As New TElMemoryCertStorage
   tsaCerts.Add(tsaCert)

   Dim tsaTrustedCerts As New TElMemoryCertStorage

   Dim tsaRootCert As New TElX509Certificate()
   tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.crt"), "")
   tsaCerts.Add(tsaRootCert)
   tsaTrustedCerts.Add(tsaRootCert)

   Dim val As New TElX509CertificateValidator
   Dim validation As New TSBCertificateValidity
   Dim reason As Integer
   val.AddTrustedCertificates(tsaTrustedCerts)
   val.ValidateForTimestamping(tsaCert, tsaTrustedCerts, True, Now, validation, reason)        


And I get the value cvChainUnvalidated for validation and 256 for reason.

Sorry about my insistence, and don't think I'm asking you for the final solution, but I don't know what I have done wrong or if something is wrong with the certificate and its root certificate.

Thanks a lot for your attention.

Regards!
#35471
Posted: 01/08/2016 13:17:14
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

If I understand correctly, you need to add xadesv141:TimeStampValidationData element. This element is defined by XAdES version 1.4.1. From http://uri.etsi.org/01903/v1.4.1/ts_101903v010401p.pdf :
Quote

This element is specified to serve as an optional container for validation data required for carrying a full verification of time-stamp tokens embedded within any of the different time-stamp containers defined in the present document.

So, if your XAdES version is 1.3.2 or 1.4.1, you may add it using the AddTimeStampValidationData() method. This method behaves in a similar way to the AddValidationDataValues() method.
#35472
Posted: 01/08/2016 13:32:21
by Eugene Mayevski (EldoS Corp.)

It does not matter how you collect revocation information - in both cases you want to timestamp the signature, and this leads to the problem with validating the certificate used to sign the timestamp.

At this point you must decide how to act -- if you want or have to use the TSP in question, then you must diagnose why the error happens during this procedure.

The last part of your message is correct - you have properly chosen the way to do diagnostics. It has told you that the chain has not been validated because the CRL could not be retrieved.

This could be a consequence of one or more of several reasons:
1) invalid CRL location written in the certificate
2) CRL location not accessible for whatever reason
3) you have not initialized the CRL retriever

You can omit CRL validation by setting

Code
MandatoryCRLCheck = false;
MandatoryOCSPCheck = false;
MandatoryRevocationCheck = true;


Also you can set RevocationCheckPreference property to PreferOCSP (that's optional).

Doing the above should let you get rid of the problem. Also please consider what Dmytro has written above.

Potentially you can override the validation result completely, but if the certificate is not valid, then even when you include the timestamp into your signature, the certificate won't pass validation by the document recipient.


Sincerely yours
Eugene Mayevski
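One way to run the first two of these checks outside SecureBlackbox (does the chain build to a trust anchor at all, and which CRL/OCSP locations are written into the certificate), as an added shell example that is not part of this thread or of EldoS's code. It constructs its own throwaway root and TSA certificate with openssl, so the hostnames and file names are placeholders and the .invalid endpoints are deliberately unreachable.

```shell
#!/bin/sh
# Constructed demo (not EldoS code): build a throwaway root CA and a TSA leaf
# whose extensions advertise a CRL distribution point and an OCSP responder,
# then run the two checks that come before revocation checking in any
# validator: chain building to a trust anchor, and listing the revocation
# endpoints the certificate points at. Assumes openssl >= 1.1.1 on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root. Extensions come from a file so the result does not
#    depend on whatever openssl.cnf happens to be installed.
printf 'basicConstraints=critical,CA:TRUE\n' > root.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Test Root" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out rootca.pem -days 30 \
  -extfile root.ext 2>/dev/null

# 2. TSA leaf: critical timeStamping EKU plus CDP and AIA entries that point
#    at hosts in the reserved .invalid TLD, i.e. deliberately unreachable.
cat > tsa.ext <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=critical,timeStamping
crlDistributionPoints=URI:http://crl.example.invalid/root.crl
authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid
EOF
openssl req -new -newkey rsa:2048 -nodes -keyout tsa.key -out tsa.csr \
  -subj "/CN=Constructed TSA" 2>/dev/null
openssl x509 -req -in tsa.csr -CA rootca.pem -CAkey root.key -CAcreateserial \
  -out tsa.pem -days 30 -extfile tsa.ext 2>/dev/null

# chain_ok CERT CAFILE: does CERT chain to a root in CAFILE for the
# time-stamping purpose, with revocation left out? A failure here is a
# trust-anchor or chain problem and has nothing to do with CRL/OCSP.
chain_ok() {
  openssl verify -purpose timestampsign -CAfile "$2" "$1" >/dev/null 2>&1
}

# revocation_urls CERT: print every URI named in the CRL Distribution Points
# and Authority Information Access extensions. These are what a validator
# fetches; each must be well-formed and reachable from the validating host,
# or revocation checking cannot complete.
revocation_urls() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints,authorityInfoAccess \
    | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://'
}

if chain_ok tsa.pem rootca.pem; then
  echo "chain builds to rootca.pem; revocation endpoints to check:"
  revocation_urls tsa.pem
else
  echo "chain does not build to rootca.pem; fix trust before revocation"
fi
```

Run the same two functions against the real tsa.pem and rootca.pem: if chain_ok fails there is no point looking at CRL or OCSP yet, and if it passes, the printed URLs are the exact locations the validator must be able to reach.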
#35492
Posted: 01/11/2016 07:07:56
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Thanks a lot for your answers.

I've done everything you said, but I'm still receiving the same response.

I tried to validate the certificate with OpenSSL and got an OK result, so this makes me think all the data I use is correct and the TSA is a trusted one. (I attach a file with the OpenSSL response.)

That's my whole code to verify a certificate:

Code
        Dim tsaCert As New TElX509Certificate()
        tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")
        
        Dim tsaTrustedCerts As New TElMemoryCertStorage

        Dim tsaRootCert As New TElX509Certificate()
        tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.pem"), "")
        tsaTrustedCerts.Add(tsaRootCert)

        Dim val As New TElX509CertificateValidator
        Dim validation As New TSBCertificateValidity
        Dim reason As Integer
        val.CheckOCSP = True
        val.CheckCRL = False
        val.AddTrustedCertificates(tsaTrustedCerts)
        val.MandatoryCRLCheck = False
        val.MandatoryOCSPCheck = False
        val.MandatoryRevocationCheck = True
        val.RevocationCheckPreference = TSBX509RevocationCheckPreference.rcpPreferOCSP
        val.Validate(tsaCert, tsaTrustedCerts, True, Now, validation, reason)
        


And I get validation = 4 (cvChainUnvalidated) and reason 512 (how can I know what the reason value means?).

So, what's the problem? If I can validate it from OpenSSL using OCSP, why can't I get the same result with SecureBlackbox?

Edited:
I've seen that
Quote
vrIdentityMismatch = 512: Provided certificate doesn't include the specified name and/or IP address. Either the remote side in TLS or sender in S/MIME is misconfigured, or the certificate is misused by the remote side or sender, or authenticity of the remote side or sender is forged.



So if I have understood it, that means that it can't find the OCSP URL, but inspecting the certificate I see it (as you can see in the attached image).



Thanks.

Regards!


#35495
Posted: 01/11/2016 07:43:36
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

As I can't attach two images in the same post, I add one here:


#35497
Posted: 01/11/2016 07:49:37
by Eugene Mayevski (EldoS Corp.)

The Reason codes are described in documentation. 512 stands for Identity Mismatch and is reported when the name in the certificate doesn't match the name of the host (in case of TLS). You can check what's going on by handling OnAfterCertificateValidate and looking, which exactly certificate fails validation.

Now, OpenSSL is not the last instance. It can have bugs and security issues.


Sincerely yours
Eugene Mayevski
#35504
Posted: 01/11/2016 13:24:57
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

Hi,

I tried to do what Dmytro said, adding AddTimestampValidationData without any parameter, and didn't succeed. Then I thought: how does the verifier know which are the TSA data? At this point I saw this function is overloaded, and tried to use the one that has these parameters:
- TElClientTSPInfo: I tried to instantiate it, but I don't know how
- URI
- TElXMLCustomFormatter: What's that?

So with these doubts I couldn't go on this way.

Then I played with the values you mentioned before in my code:

Code
MandatoryCRLCheck = false;
MandatoryOCSPCheck = false;
MandatoryRevocationCheck = true;


Full code for verification:
Code
        Dim tsaCert As New TElX509Certificate()
        tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")

        Dim tsaTrustedCerts As New TElMemoryCertStorage
        Dim tsaRootCert As New TElX509Certificate()
        tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.pem"), "")
        tsaTrustedCerts.Add(tsaRootCert)

        Dim val As New TElX509CertificateValidator
        AddHandler val.OnAfterCertificateValidation, AddressOf HandleAfterCertificateValidation
        Dim validation As New TSBCertificateValidity
        Dim reason As Integer

        val.AddTrustedCertificates(tsaTrustedCerts)
        val.MandatoryCRLCheck = False
        val.MandatoryOCSPCheck = False
        val.MandatoryRevocationCheck = True
        val.RevocationCheckPreference = TSBX509RevocationCheckPreference.rcpPreferCRL
        val.ValidateForTimestamping(tsaCert, tsaTrustedCerts, True, Now, validation, reason)


And the result was: cvChainUnvalidated with reason 768 (I can't see what it means), so I have added a handler for OnAfterCertificateValidate, where I have seen that both certificate verifications (tsa.pem and its root certificate) returned a cvInvalid result with reason = 368 (I can't see what it means).

At this point, I found the CheckOCSP and CheckCRL properties. When I turn both to False, the result is cvOk. Because I'm only interested in OCSP verification at the moment, I've set CheckOCSP = True and CheckCRL = False, and the code above returned cvChainUnvalidated with reason 512, and HandleAfterCertificateValidation returned cvInvalid and reason 256 (OCSP response for this certificate could not be retrieved and/or validated.) for both certificates.


I decided to do it separately like I've seen in: Create and send the OCSP request. But I have a doubt here:

Quote

If you use TElHTTPOCSPClient, you need to set the HTTPClient property of TElHTTPOCSPClient class to the instance of TElHTTPSClient component. Note, that TElHTTPOCSPClient is provided together with TElHTTPSClient in SSLBlackbox package (i.e. not in PKIBlackbox, as TElOCSPClient one). Also, you need to specify the address of the OCSP server in URL property of TElHTTPOCSPClient class.


Because I don't have TElHTTPSClient, what does my TElHTTPSClient instance have to contain?

Anyway I tried it. That's the code:

Code
        Dim tsaCert As New TElX509Certificate()
        'tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\CamerfirmaTSA.pem"), "")
        tsaCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\tsa.pem"), "")

        Dim tsaTrustedCerts As New TElMemoryCertStorage

        Dim tsaRootCert As New TElX509Certificate()
        'tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\CamerfirmaTSAroot.pem"), "")
        tsaRootCert.LoadFromStreamPEM(File.OpenRead("E:\tsaCert\rootca.pem"), "")
        tsaTrustedCerts.Add(tsaRootCert)

        Dim ocspClient As New TElHTTPOCSPClient
        ocspClient.CertStorage = New TElMemoryCertStorage
        ocspClient.CertStorage.Add(tsaCert)
        ocspClient.IssuerCertStorage = New TElMemoryCertStorage
        ocspClient.IssuerCertStorage.Add(tsaRootCert)
        ocspClient.URL = "http://ocsp.pki.gva.es"
        Dim serRes As Short
        Dim reply() As Byte
        Dim res = ocspClient.PerformRequest(serRes, reply)


But ocspClient.Response had 0 responses.

With all this information, could you help me?

Thanks.

Regards!
#35520
Posted: 01/12/2016 07:32:51
by AGM  (Standard support level)
Joined: 12/18/2015
Posts: 18

I have also built a HandleOCSPError, where I can see that the error code is 2002 (OCSP client could not be created or found).
#35521
Posted: 01/12/2016 07:43:56
by Dmytro Bogatskyy (EldoS Corp.)

I welcome you to continue the conversation in the Helpdesk ( https://www.eldos.com/helpdesk/ ).

Helpdesk is our easy-to-use individual support system that allows communicating and exchanging sample data with our support personnel privately. You will also get e-mail notifications about updates of your support request.