Web : Send (and Encrypt) & Sign PDF file

#35815
Posted: 02/02/2016 10:20:05
by Eugene Mayevski (EldoS Corp.)

I understand your difficulties, however as SecureBlackbox is a cross-platform library, there's no Javadoc available. We document the main classes and describe each method and property, but the process lags behind development. Also, supplementary classes, specific to Java or C++, are not fully documented. Documentation writing is a bottleneck, I must admit.

We have sample projects that should simplify development to some extent, especially for classes where there's no documentation.


Sincerely yours
Eugene Mayevski
#35826
Posted: 02/03/2016 04:54:21
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi,

I managed to write a new PDF using (local) streams FileInputStream/TElMemoryStream/RandomAccessFile with some byte copies.

I have another question: when I open my PDF file, I get a warning, because the date and time are those of the signer.
Is there an option to remove this warning?
My customer doesn't have any TSA/TSP server (only an NTP server, and I'm not sure it's available from the client side).

Another problem: Acrobat Reader tells me Signature Validity UNKNOWN.
Is there a way to validate that? Use a CA server-side to validate the signature? Or another way?

Any idea for these questions please ?

Thanks for your support

Yann
#35827
Posted: 02/03/2016 05:01:04
by Ken Ivanov (EldoS Corp.)

Hi Yann,

The only option to remove the warning is to use an external trusted TSA. You can timestamp signatures later on your server after receiving the document, there is no requirement to do it at the time of signing.

Quote
another pb: - Acrobat Reader tells me Signature Validity UNKNOWN
Is there a way to validate that? Use a CA server-side to validate the signature? Or another way?

This is probably due to the fact that the root certificate is not trusted by Adobe Reader. Does Reader show you any reasons for the signature to be considered UNKNOWN?

Ken
#35830
Posted: 02/03/2016 08:54:16
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Ken for all your replies.

I've now another problem to solve:
create a secure and authenticated connection between the applet and the server (a servlet, I think).

Is there a way to use the session for the connection that will be used?
Would just putting jsessionid in a parameter be enough?
I ask you because of your security skills, and I think you'll be able to give me the right answer quickly.

Thanks

Yann
#35831
Posted: 02/03/2016 10:08:51
by Ken Ivanov (EldoS Corp.)

Hi Yann,

You need to use HTTPS (HTTP + TLS) to build a secure connection between your applet and server. By default, such a connection will provide confidentiality and server authentication. If you need to authenticate the client to the server too, you might need to use additional mechanisms, such as client-side certificate-based authentication.

You can add HTTPS support to your applet by using TElHTTPSClient and implementing server certificate validation procedure (not too complicated with TElX509CertificateValidator component).

Regarding your second question, you can add jsessionid to the parameters sent over by TElHTTPSClient so that the session will be recognised by the server. However, jsessionid is not a private parameter, and can't be used as a client authentication mechanism (as it could have been intercepted by an attacker during the transfer of non-secure pages).
#35832
Posted: 02/03/2016 10:16:31
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Ok Ken, I knew I had to use HTTPS.

When you say

" client-side certificate-based authentication.

You can add HTTPS support to your applet by using TElHTTPSClient and implementing server certificate validation procedure (not too complicated with TElX509CertificateValidator component). "

In a customer environment, the exchanges will go through HTTPS with the customer's certificate.
Do I have to add my own certificate, and ask the customer to add it to its network?
Or do I need to include the customer's certificate in my applet?
In this case, will I need to include all customers' certificates in my applet jar?
I'm just wondering what the best way would be.

Thanks for your support Ken

Yann
#35833
Posted: 02/03/2016 12:59:23
by Ken Ivanov (EldoS Corp.)

Yann,

I am not sure if I understood your questions completely, sorry.

Essentially, you have different certificates for different purposes:

1) a server (HTTPS) certificate which belongs to the server and is used to confirm the authenticity of the server to the clients and to exchange TLS keys.

2) a collection of client certificates, each one held by a particular customer of yours and used to sign a PDF document.

3) a collection of client certificates that they use within a TLS session to the server to confirm their authenticity to the server. These may either coincide with the certificates from step (2), OR you can refrain from using client certificates for authenticating clients at the TLS stage at all, and authenticate the clients via other means. For example, you can check that the signature on the provided PDF document matches the certificate that belongs to that particular client.

Ken
#35834
Posted: 02/03/2016 13:41:16
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Ok Ken

I'm talking about case 1)

In the case of web pages, can the user see in the browser if there is a risk with the server certificate?
In the case of an applet communicating with the server, how can I be sure that no man-in-the-middle attack is possible?
Maybe by a secured HTTP/S communication. But how to be sure there is no man in the middle? The only way I can think of is to have the server certificate, and check it against the certificate provided while connecting through HTTPS, am I right?
This is the mechanism I want more information about. Or is there another mechanism to provide security?

I hope this time what I wrote is clear enough.

Thanks Ken

Yann
#35836
Posted: 02/03/2016 15:04:44
by Ken Ivanov (EldoS Corp.)

Thanks Yann, indeed everything is clear now.

It is the responsibility of the applet to make sure that the server certificate is OK. There are some components in SBB that simplify that task. Public and widely accessible servers normally use certificates issued by some well-known CA (whose chains are deployed on most client machines by OS vendors), so it's unlikely that you would need to include the server's certificate in the applet.

TLS protects you from man-in-the-middle attacks, so you can be safe about the security of your connection, provided that the server certificate is validated properly.

Ken
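The applet-side checks Ken describes in #35831 and #35836 (trust only the expected CA, verify the host name, treat jsessionid as a session reference rather than as authentication, optionally present a client certificate), written with the standard Java JSSE API rather than SecureBlackbox. This is an added example, not code from the thread or from EldoS; the trust-store file, key-store file, URL, fingerprint and the way the session id reaches the applet are all assumptions.

```java
// Added example: plain JSSE (javax.net.ssl) equivalent of the applet-side
// HTTPS checks discussed in the thread. Not SecureBlackbox code.
// Assumed/hypothetical: "customer-ca.jks" (trust store holding the customer's
// CA), "client.p12" (optional client certificate), the servlet URL, and the
// expected certificate fingerprint.
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AppletHttpsClient {

    /** Trust only the CAs in trustStorePath (e.g. the customer's internal CA),
     *  and optionally present a client certificate from clientKeyStorePath
     *  for TLS client authentication (pass null to skip client auth). */
    static SSLContext buildContext(String trustStorePath, char[] trustStorePass,
                                   String clientKeyStorePath, char[] clientKeyPass)
            throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);   // chain validation is done against this store only

        KeyManagerFactory kmf = null;
        if (clientKeyStorePath != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(clientKeyStorePath)) {
                ks.load(in, clientKeyPass);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, clientKeyPass);
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** SHA-256 of the DER-encoded certificate, hex encoded, for optional pinning. */
    static String sha256Hex(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Uploads a signed PDF over HTTPS. The jsessionid only lets the servlet
     *  find the existing session; it does not prove who the client is. */
    static int uploadSignedPdf(SSLContext ctx, URL servletUrl, String jsessionid,
                               byte[] pdfBytes, String expectedFingerprint) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) servletUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier: a chain that validates but whose
        // subject does not match the URL host is exactly a MITM holding some
        // other valid certificate. Never install an accept-all verifier.
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/pdf");
        conn.setRequestProperty("Cookie", "JSESSIONID=" + jsessionid);
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(pdfBytes);
        }
        // Optional pin on the leaf certificate, for customers whose CA you
        // cannot ship; compare only after the handshake has succeeded.
        if (expectedFingerprint != null) {
            Certificate leaf = conn.getServerCertificates()[0];
            if (!expectedFingerprint.equalsIgnoreCase(sha256Hex(leaf))) {
                conn.disconnect();
                throw new SecurityException("server certificate does not match pin");
            }
        }
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: session id and PDF path handed to the applet as parameters.
        SSLContext ctx = buildContext("customer-ca.jks", "changeit".toCharArray(), null, null);
        byte[] pdf = java.nio.file.Files.readAllBytes(java.nio.file.Paths.get(args[1]));
        int status = uploadSignedPdf(ctx,
                new URL("https://sign.customer.example/servlet/upload"),  // hypothetical
                args[0], pdf, null);
        System.out.println("HTTP status: " + status);
    }
}
```

Shipping the customer's CA in a trust store (or a pin on the leaf certificate) answers the question from #35834: the applet does not need to carry every customer's certificate, only the anchor it is willing to trust for that deployment, and a well-known public CA already present in the JRE's default cacerts needs nothing at all. Server-side, the servlet still has to decide who the client is on its own (a client certificate at the TLS layer, or checking that the PDF signature matches the certificate issued to that customer), because the cookie value alone can be replayed by anyone who obtained it.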
#35848
Posted: 02/05/2016 06:40:20
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

..