Check Signed PDF : check CRL & CAs, retrieve Certificate infos (DN, SN

#35960
Posted: 02/22/2016 10:31:09
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi,

I'm working with the Java version.

After signing my PDF from the applet, I send it to the server.
On the server side, I have to:
- add a timestamp to the signature (seems to be OK)
- check the signature with a CRL
- check the signature with a list of CAs (Certificate Authorities)
- retrieve certificate info like DN, SN, user name, ...

I don't manage to retrieve all of that.

I have my Document and TElPDFSignature (I do a setSigningTime to set the time from an NTP server), but I can't find out how to do everything I want.

I can find my Certificate (but no CertID) through
((TElPDFPublicKeySecurityHandler) aSignature.getHandler ()).getCertificates ().getCertificate (0)

1. Is the method used to set the time the right one?
2. How do I check a CRL (file or URL resource) and CAs (file resource(s)) with your built-in API?
3. Is there any way to extract data like DN, SN without converting it to a common X509 using toX509Certificate ()?

Thanks for your support.

Regards,

Yann
#35962
Posted: 02/22/2016 11:24:25
by Eugene Mayevski (EldoS Corp.)

Quote
Yann Fontaine wrote:
- check signature with a CRL


Signatures are not checked with CRLs. The certificates used to make a signature are indeed validated, and that involves much more than just checking the CRL.

Quote
Yann Fontaine wrote:
- check the signature with list of CA (Certificate Authorities)


This should be done with TElX509CertificateValidator class. You can pass the list of known and/or trusted certificates to the instance of this class, then have that instance validate the certificate(s) in question. The validator will perform full validation of the certificates, including checking CRLs and OCSPs.

Quote
Yann Fontaine wrote:
- retrieve certificate infos like DN, SN, user name, ...


All certificate-related information is available via properties of the TElX509Certificate class. There's no such thing as a "user name" in a certificate. There are the SubjectName extension (a set of properties that describe the "owner" of the certificate) and the IssuerName extension (a set of properties that describe the certificate authority).

I don't know what "DN" and "SN" mean in your question. If SN is SubjectName, then please see above. If SN is a serial number, then there's a property for it as well.


Sincerely yours
Eugene Mayevski
#35981
Posted: 02/23/2016 05:37:29
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Eugene for these answers.

I need more details...

I want to use TElX509CertificateValidator, and want to know what is done/checked.
So, at first, I would like to disable all validations and enable them one at a time:
- add a CRL and check the CRL,
- add CAs and check the certificate through the CAs,
..

Is the following enough to disable all validations?

aValidator.setCheckCRL (false);
aValidator.setCheckOCSP (false);
aValidator.setCheckValidityPeriodForTrusted (false);
aValidator.setIgnoreBadOCSPChains (true);
aValidator.setIgnoreCABasicConstraints (true);
aValidator.setIgnoreCAKeyUsage (true);
aValidator.setIgnoreCANameConstraints (true);
aValidator.setIgnoreRevocationKeyUsage (true);
aValidator.setIgnoreSSLKeyUsage (true);
aValidator.setIgnoreSystemTrust (true);
aValidator.setOfflineMode (true);
aValidator.setValidateInvalidCertificates (true);
aValidator.setForceCompleteChainValidationForTrusted (false);

I still have a result of cvInvalid
Reason: 40

(logs:
CA certificate not found for this certificate, can't proceed with chain validation
(certificate expected: /CN=Communications Server)

Is there a place where I can find the constants for each failed validation?
(Reason 40, Reason 8, 24, ...)

So, here are my questions:
1. How do I completely disable all validations, in order to have a validator that passes any certificate (self-signed, expired, no CAs provided, ...)?
2. Where can I find all the Reason constants, to understand what the problem is from the Reason given?
3. How can I add a CRL file/URL resource to the validator?
4. How can I add CA file(s)/URL(s) resource(s) to the validator?

Thanks
#35994
Posted: 02/24/2016 05:13:12
by Ken Ivanov (EldoS Corp.)

Hi Yann,

Quote
Is there a place where i can find constants for each wrong validation ?
(Reason 40, Reason 8, 24, ...)

You will find them here.

Quote
1. How do I completely disable all validations, in order to have a validator that passes any certificate (self-signed, expired, no CAs provided, ...)?

You can't disable literally all validation elements. Such elements as signatures and validity periods are always checked. The validator allows you to tune certain validation branches to cater for common compatibility issues and use scenarios, but it is still a validator and its purpose is to validate.

I believe the only way to have a knowingly bad certificate pass validation is to add it as explicitly trusted and switch off the CheckValidityPeriodForTrusted property.

Quote
2. Where to find all Reason constants to understand what is the problem according to the Reason given

Please see above.

Quote
3. How can i add CRL file/URL resource to the validator ?

Use the validator's AddKnownCRLs() method.

Quote
4. How can i add CA file(s)/URL(s) resource(s) to the validator ?

Use AddKnownCertificates() and AddTrustedCertificates() methods.

Note that while the validator can retrieve certificates/CRLs from web and LDAP sources automatically, it can only take the URLs from the certificate chain itself. I.e. if you know some URL from which you can download a CA certificate or a CRL, but this URL is not stated in the validated certificate's CRL Distribution Points or Authority Information Access extensions, you will have to download it manually (e.g. with the TElHTTPSClient component) before validating and then pass it to the AddKnownXXX() method to make the validator aware of it.

Ken
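
Eugene's and Ken's answers above describe what the validator does with the signing certificate rather than with the signature: chain it to explicitly trusted CAs (not the system store), always check its signature and validity period, and consult a CRL that either comes from the certificate's own distribution points or is handed in by the caller. The following is an added example, not code from this thread or from SecureBlackbox: it carries out those same steps with Go's standard crypto/x509 package against a constructed in-memory CA, signer certificate and two CRLs, and reads the subject DN and serial number the first question asked about. The names ValidateSigner, BuildFixture, issue, must and the "Example" certificates are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result is what the server keeps after validating the signer's certificate.
type Result struct {
	SubjectDN, CN, Serial string // read straight from the certificate (serial in hex)
	ChainOK, Revoked      bool
}

// ValidateSigner chains the signer's certificate to an explicitly trusted CA (signature and
// validity period are always checked, the system store is ignored), then consults a CRL the
// caller obtained itself. Nothing is fetched from the network.
func ValidateSigner(signer *x509.Certificate, trusted []*x509.Certificate, crlDER []byte, at time.Time) (Result, error) {
	r := Result{SubjectDN: signer.Subject.String(), CN: signer.Subject.CommonName, Serial: signer.SerialNumber.Text(16)}
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return r, err // unknown CA, expired / not yet valid, bad signature, ...
	}
	r.ChainOK = true
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return r, err
	}
	if err := rl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the signer's CA
		return r, fmt.Errorf("CRL not signed by the signer's CA: %w", err)
	}
	if at.After(rl.NextUpdate) {
		return r, fmt.Errorf("CRL is stale (next update %s)", rl.NextUpdate)
	}
	for _, e := range rl.RevokedCertificates {
		r.Revoked = r.Revoked || e.SerialNumber.Cmp(signer.SerialNumber) == 0
	}
	return r, nil
}

// Fixture is a constructed in-memory PKI: CA, signer, a clean CRL and one revoking the signer.
type Fixture struct {
	CA, Signer       *x509.Certificate
	CRLClean, CRLRev []byte
}

// must is fixture-only sugar: the constructed PKI cannot legitimately fail to build.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parentKey and parses the result; parent == tmpl self-signs.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// BuildFixture generates the constructed PKI; none of it comes from a real CA.
func BuildFixture() *Fixture {
	now := time.Now().Truncate(time.Second)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	signer := issue(&x509.Certificate{SerialNumber: big.NewInt(0x1234),
		Subject:   pkix.Name{CommonName: "Example PDF Signer", Organization: []string{"Example"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature}, ca, &signerKey.PublicKey, caKey)
	crl := func(revoked *big.Int) []byte { // one-entry CRL signed by the CA
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
			RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}},
		}, ca, caKey))
	}
	return &Fixture{CA: ca, Signer: signer, CRLClean: crl(big.NewInt(99)), CRLRev: crl(signer.SerialNumber)}
}

func main() {
	f := BuildFixture()
	for _, crl := range [][]byte{f.CRLClean, f.CRLRev} {
		r, err := ValidateSigner(f.Signer, []*x509.Certificate{f.CA}, crl, time.Now())
		fmt.Printf("%s serial=%s chainOK=%v revoked=%v err=%v\n", r.SubjectDN, r.Serial, r.ChainOK, r.Revoked, err)
	}
	_, err := ValidateSigner(f.Signer, nil, f.CRLClean, time.Now()) // no trusted CA supplied at all
	fmt.Println("without trusted CAs:", err)
}
```

As in Ken's answer, the CRL is never fetched from a URL here: whoever calls ValidateSigner has to download it first and pass the DER bytes in. The third call in main reproduces the "CA certificate not found" situation from the earlier post: with an empty trust list the chain cannot be built, the error names the unknown authority, and ChainOK stays false, while subject DN and serial are still filled in because they are read from the certificate before any validation runs.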


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
