PDFSecureBlackbox : status of digital Signature : Unknown

#36044
Posted: 02/29/2016 05:03:38
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi,

I signed my PDF file, and it runs, either with a local certificate or a USB token one.

But I've 2 problems:
When I open it in Acrobat Reader, here is what it's telling me:

Signature validity is UNKNOWN
- The document has not been modified since this signature was applied.
1. - The signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities.
2. - Signature date/time are from the clock on the signer's computer.
The time is based on the local time on the signer's computer.


How to solve those 2 points, please?
For 2., the customer provides an NTP server, but no TSA server. Is there a way to achieve that on the server side (I digitally sign the PDF on the applet client side, then send the file to the server)?

Thanks for your support

Yann
#36046
Posted: 02/29/2016 05:20:57
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase. The procedure of linking the Support Access Ticket is described in the registration e-mail as well.

I am afraid that without the Support Access Ticket linked we won't be able to assist you. Thank you for understanding.
#36047
Posted: 02/29/2016 05:32:50
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Vsevolod for your reply.

But I'm in my last week to implement the digitally signed PDF file, and I need to be sure these problems will be resolved before purchasing your API.

So, is there a chance that I'll have some help about this topic?
The 3-month evaluation LicenceKey is maybe here for that, evaluating the API.
And to finish my evaluation of the API, I need the information about this topic.

Thanks a lot

Yann
#36048
Posted: 02/29/2016 05:50:04
by Vsevolod Ievgiienko (EldoS Corp.)

It was not clear from your message that you're evaluating the product - sorry.

Quote
1. - The signer's identity is unknown because it has not been included in your list of trusted identities and none of its parent certificates are trusted identities.

The root certificate of the one used to sign the PDF file should be added to the trusted list on the computer where validation is performed. Acrobat Reader uses its own lists and Windows system certificate stores to check this.

Quote
2. - Signature date/time are from the clock on the signer's computer
The time is based on the local time on the signer’s computer.

You should use a TSP server to produce a timestamp during the signing process to remove this message. An NTP server will not solve the problem.

Quote
Is there a way to achieve that on the server side (I digitally sign the PDF on the applet client side, then send the file to the server)?

Do I understand right that you are using Distributed Crypto plugin and documents are stored on server side?
#36050
Posted: 02/29/2016 06:27:41
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Ok, thanks


If I understand clearly,

1. It's on the customer client computer to add trusted certificates (or the CA chain)

2. The customer server with NTP isn't enough to avoid this error message; the customer should have a TSP/TSA server

And for your final comment, I do not use crypto modules.
The customer explicitly wants to digitally sign before upload; so I:
- load the document (applet),
- sign it (applet), and send it to the server; then I'll call "validate" on the server side (will check CRL and CA)

The last things I hadn't checked are:
- validate CRL (because the customer CRL isn't accessible from my computer)
- validate CAs (I'm waiting for CA files, is this right???)

Is PDFBlackBox enough, or do I need additional packages to register to do that stuff?
How to be sure to register the packages needed?

Because I'll ask for registering ASAP now.

Thanks for your support

Yann
#36079
Posted: 03/01/2016 03:36:24
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
1. It's on the customer client computer to add trusted certificates (or the CA chain)

Yes.

Quote
2. The customer server with NTP isn't enough to avoid this error message; the customer should have a TSP/TSA server

Yes.

Quote
- validate CRL (because the customer CRL isn't accessible from my computer)
- validate CAs (I'm waiting for CA files, is this right???)

These steps are needed for a whole signature validation and may be performed with our TElX509CertificateValidator component.

Quote
Is PDFBlackBox enough, or do I need additional packages to register to do that stuff?

You may also need the LDAPBlackbox and HTTPBlackbox packages for automatic CRL retrieval during validation.
#36080
Posted: 03/01/2016 04:57:39
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Vsevolod for your answers.

We think we'll buy the Professional Package, as we can cover more modules in the future.

Another question about this topic (validate signature certificate with a trusted CA):

The customer sent me 2 files:
1. - CA-Internal-2.p7b
2. - CA-Root(1).cer

The 2. seems to be a ROOT CA (described as such in the certificate description), so is it OK to add a ".cer" file to the storage? Is this possible (I've seen that I have to add p7b files here https://www.eldos.com/security/articles/7545.php "Normally you put only trusted Roots to trusted certificates.")?
Must I ask the customer for a root CA in .p7b format?

Thanks for your support

Yann
#36089
Posted: 03/01/2016 06:27:59
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
The 2. seems to be a ROOT CA (described as such in the certificate description), so is it OK to add a ".cer" file to the storage?

Quote
Must I ask the customer for a root CA in .p7b format?

A CER file can also be added to the storages.
#36142
Posted: 03/07/2016 04:51:02
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi,

I still don't know how to enable CA verification...

My example is running on my own computer (within a Tomcat container).

How to force failed validation if no CA files are added (or found)?
I have to do this check. Then, I'll add files when I know how to force validation...

Here are the logs:

Checking validity period
07/03/2016 10:35:28.487 DEBUG> Checking CA certificate extensions
07/03/2016 10:35:28.498 DEBUG> Running revocation check
07/03/2016 10:35:28.499 DEBUG> Revocation check preference: CRL and OCSP
07/03/2016 10:35:28.499 DEBUG> Getting OCSP status from online source(s), if they are specified in the certificate
07/03/2016 10:35:28.499 DEBUG> Revocation check completed
07/03/2016 10:35:28.501 DEBUG> Checking validity period
07/03/2016 10:35:28.502 DEBUG> Checking CA certificate extensions
07/03/2016 10:35:28.507 DEBUG> Running revocation check
07/03/2016 10:35:28.507 DEBUG> Revocation check preference: CRL and OCSP
07/03/2016 10:35:28.507 DEBUG> Getting OCSP status from online source(s), if they are specified in the certificate
07/03/2016 10:35:28.507 DEBUG> Revocation check completed
07/03/2016 10:35:28.509 DEBUG> Checking validity period
07/03/2016 10:35:28.509 DEBUG> Certificate is self-signed or trusted, no chain validation will be performed
07/03/2016 10:35:28.509 DEBUG> Certificate is self-signed and is a CA for itself

07/03/2016 10:35:28.514 DEBUG> Certificate signature is OK
07/03/2016 10:35:28.514 DEBUG> Running revocation check
07/03/2016 10:35:28.514 DEBUG> Revocation check preference: CRL and OCSP
07/03/2016 10:35:28.514 DEBUG> Getting OCSP status from online source(s), if they are specified in the certificate
07/03/2016 10:35:28.514 DEBUG> Revocation check completed

Is this because the logs say:
Certificate is self-signed or trusted, no chain validation will be performed
07/03/2016 10:39:58.628 DEBUG> Certificate is self-signed and is a CA for itself
?

Maybe because I'm running on localhost, and using Windows Storage to check...
But I configured:
aValidator.setIgnoreSystemTrust(true);

Any idea ?

Thanks for your help
#36143
Posted: 03/07/2016 05:41:59
by Ken Ivanov (EldoS Corp.)

Hi Yann,

Quote
How to force failed validation if no CA files are added (or found)?
I have to do this check. Then, I'll add files when I know how to force validation...

The validation will fail by itself if any part of the chain (i.e. any intermediary or root CA) was not found. In this case you will get a failed validation with cvChainUnvalidated result.

Ken