EldoS | Feel safer!

PDFSecureBlackbox : status of digital Signature : Unknown

Posted: 03/07/2016 05:48:05
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Hi Ken,

But I don't have a failed validation, and this is my point.
I must have a failed validation if I don't add files (and I don't add them).
How could you help me with this, please?
Please remember that i test on my own computer, for both server and client sides.
Posted: 03/07/2016 06:04:13
by Ken Ivanov (Team)


As per the trace, the chain is validated up to the root certificate (no missing certificates are reported). If you don't add your certificates to the validator, they are most likely present in the Windows system stores and are picked from there. This is a generally normal and typical case for widely used PKI infrastructures, whose CA certificates are distributed with Windows updates.

The validation log message you highlighted ('Certificate is self-signed or trusted, no chain validation will be performed') doesn't necessarily mean that the certificate is trusted. It means that the end of the chain has been reached and no further CA certificates will be looked up.

Further down the trace the certificate's signature is checked and found valid. After that (the relevant lines are unfortunately missing from your message), the validity of the certificate will be either considered Valid (if it's trusted) or Self-Signed (if it's not).

As you are ignoring system trust, the only reason for a self-signed certificate to be considered trusted is the ImplicitlyTrustSelfSignedCertificates property being set to true. Otherwise you'd get the Self-Signed validation result for this certificate.

Posted: 03/07/2016 08:03:32
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Ok Ken

Thanks, I found my error.
I checked only CertificateResult.Reason,
but I've seen that the validation result is in another field: CertificateResult.Validity

So now I can get the "cvChainUnvalidated" result.
Perfect, it's not validated.

Now, I would like to add certificates to validate this certificate.

The customer gave me 2 certificates:

1.- CA-Internal-2.p7b
2.- CA-Root(1).cer

I added them as follows:
TElMemoryCertStorage aCertStorage = new TElMemoryCertStorage ();
aCertStorage.loadFromStreamPKCS7 (new FileInputStream ("CA-Internal-2.p7b"), 0);
aCertStorage.loadFromStreamPKCS7 (new FileInputStream ("CA-Root(1).cer"), 0);
aValidator.addTrustedCertificates (aCertStorage);

But I have the same result, my certificate isn't validated.

I don't know what's wrong.
Posted: 03/07/2016 08:10:04
by Vsevolod Ievgiienko (Team)

aCertStorage.loadFromStreamPKCS7 (new FileInputStream ("CA-Root(1).cer"), 0);

Usually CER files are not PKCS#7 files. You should check the return code of the loadFromStreamPKCS7() method: https://www.eldos.com/documentation/sb...pkcs7.html

Also, FileInputStream objects should be closed after usage using the FileInputStream.close method.

Please try to load CER file using TElX509Certificate.loadFromFileAuto() method and then add it to the storage using TElMemoryCertStorage.add method.
Posted: 03/07/2016 08:17:58
by Ken Ivanov (Team)

On a side note, LoadFromStreamPKCS7() call (and any other LoadXXX() method) clears the contents of the certificate storage before loading the certificates. Therefore your second loadFromStreamPKCS7() call will clear whatever has been loaded to the storage by the first call, only leaving the contents of CA-Root(1).cer file (if it was a valid PKCS#7, see Vsevolod's answer above) in the storage.

Besides, it is not a good practice to add the whole certificate chain as trusted. It is normally enough to only have root CA certificates as trusted, with the rest of the chains validated implicitly up to trusted anchors.

Posted: 03/07/2016 08:51:24
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Thanks Ken & Vsevolod

It's now running fine !

I can now check everything (without CRL, because I'm not on the customer intranet).
Thanks a lot !

I have a last question :
When opening the Applet (to sign and upload a PDF file), there are some Internet calls:

security: La prise en charge du protocole OCSP est activée.
security: La prise en charge de la liste des certificats révoqués (CRL) est activée.
network: Connexion de http://ocsp.verisign.com/ avec proxy=HTTP @ proxydvt.fr.devoteam.com/
security: OCSP Response: GOOD
network: Connexion de http://ocsp.verisign.com/ avec proxy=HTTP @ proxydvt.fr.devoteam.com/
security: OCSP Response: GOOD

security: Validation du certificat réussie à l'aide du protocole OCSP/de la liste des certificats révoqués (CRL)

How can I avoid the connection to http://ocsp.verisign.com/?
Because if the customer computer doesn't have an internet connection, this will take a long time, with timeouts...
Posted: 03/07/2016 08:57:17
by Vsevolod Ievgiienko (Team)

Most likely these calls are performed by the JRE to check the applet, e.g. its signature and signing certificate. I don't think you'll be able to turn these checks off without additional manual JRE setup.
Posted: 03/07/2016 09:01:28
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39

Ok Vsevolod,
I was wondering if it was due to the API or the applet jar file signatures.
So you confirm this fact to me.

Thanks a lot

Have a good day ! ;-)
Posted: 03/07/2016 13:26:26
by Yann Fontaine (SUPPORT DISABLED)
Joined: 02/01/2016
Posts: 39


I've another problem...

The solution of loading CER file like that :
"Please try to load CER file using TElX509Certificate.loadFromFileAuto() method and then add it to the storage using TElMemoryCertStorage.add method."

works fine on my computer (localhost), but with 2 computers this doesn't seem to work.

Here are the logs :

07/03/2016 19:06:38.006 DEBUG> Loaded certificate [/usr/local/RVR/custo/faur22/certificat/faurecia.cer]
07/03/2016 19:06:38.017 DEBUG> Checking validity period
07/03/2016 19:06:38.017 DEBUG> CA certificate not found for this certificate, can't proceed with chain validation
07/03/2016 19:06:38.018 DEBUG> (certificate expected: /C=FR/O=FAURECIA/OU=INTERNAL/CN=Faurecia Internal CA Aut)
07/03/2016 19:06:38.018 DEBUG> Running revocation check
07/03/2016 19:06:38.018 DEBUG> Revocation check preference: CRL and OCSP
07/03/2016 19:06:38.018 DEBUG> Getting OCSP status from online source(s), if they are specified in the certificate
07/03/2016 19:06:38.018 DEBUG> Revocation check completed

Any idea please ?
Posted: 03/07/2016 14:21:16
by Eugene Mayevski (Team)

A CER file usually contains just one certificate (and no private key). In your case, on Linux, you have no CA certificates available for checking. I assume that on Windows the CA certificate is taken from the system certificate list. The solution is to carry the needed CA files with you.

However, in general it would be a good idea to read a couple of articles or even books about how PKI works. Certificates are the cornerstone of many protocols and security schemes, and without a good understanding of what's going on it would be hard for you to solve certificate-related problems, and we have limited capabilities to diagnose each and every certificate-related problem of every customer (this service is available as custom work for a separate fee). We have a couple of books recommended here: https://www.eldos.com/forum/read.php?FID=7&TID=1842

Sincerely yours
Eugene Mayevski
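The fixes from Vsevolod's and Ken's answers (load the CER with loadFromFileAuto, check the PKCS#7 return code, close the streams, keep root and intermediates in separate storages because every loadXXX() clears the storage it is called on, trust only the root) and Eugene's point that the CA files must travel with the application because Linux has no Windows-style system store, assembled into one added Java helper; this is example code, not from the thread or from EldoS. Assumptions to check against your SecureBlackbox version: the SecureBlackbox.Base package name, loadFromFileAuto(String, String), add(TElX509Certificate, boolean), loadFromStreamPKCS7(InputStream, int) returning 0 on success, addKnownCertificates, setIgnoreSystemTrust and setImplicitlyTrustSelfSignedCertificates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import SecureBlackbox.Base.TElMemoryCertStorage;          // package name assumed
import SecureBlackbox.Base.TElX509Certificate;
import SecureBlackbox.Base.TElX509CertificateValidator;

public final class ValidatorSetup {

    // The two files the customer delivered (names taken from the thread).
    static final String ROOT_CER = "CA-Root(1).cer";            // one self-signed root CA cert
    static final String INTERMEDIATE_P7B = "CA-Internal-2.p7b"; // PKCS#7 bundle of intermediates

    /** Attaches the customer's CA material to an existing validator. */
    public static void configure(TElX509CertificateValidator validator) throws Exception {
        // 1. A CER file holds a single certificate, so it is loaded as a certificate,
        //    not as PKCS#7. loadFromFileAuto detects DER/PEM itself (signature assumed).
        TElX509Certificate root = new TElX509Certificate();
        root.loadFromFileAuto(ROOT_CER, "");       // public cert: empty password

        TElMemoryCertStorage trusted = new TElMemoryCertStorage();
        trusted.add(root, false);                  // no private key to copy (signature assumed)

        // 2. The intermediates go into a SEPARATE storage: loadFromStreamPKCS7 clears
        //    the storage it is called on, so loading both files into one storage in
        //    sequence would keep only the second file's contents.
        TElMemoryCertStorage known = new TElMemoryCertStorage();
        try (InputStream in = new FileInputStream(INTERMEDIATE_P7B)) { // stream closed on exit
            int rc = known.loadFromStreamPKCS7(in, 0);
            if (rc != 0) {                         // 0 = success assumed; never ignore this code
                throw new IllegalStateException(
                    INTERMEDIATE_P7B + " is not a PKCS#7 file (error code " + rc + ")");
            }
        }

        // 3. Only the root is a trust anchor; the intermediates are merely "known", so
        //    each link of the chain is validated up to the root instead of being trusted.
        validator.addTrustedCertificates(trusted);
        validator.addKnownCertificates(known);     // method name assumed

        // 4. Do not depend on the OS store (absent on the Linux server) and do not let a
        //    self-signed certificate pass without an explicit trust anchor.
        validator.setIgnoreSystemTrust(true);                    // setter names assumed
        validator.setImplicitlyTrustSelfSignedCertificates(false);
    }
}
```

With this setup the same CA files are carried alongside the application, so validation behaves identically on the Windows workstation and on the Linux server instead of silently depending on whatever the Windows store happens to contain.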