EldoS | Feel safer!

.NET with Java DC returns multiple certificates on signature

#36629
Posted: 05/03/2016 07:11:32
by Javier Aranda (Basic support level)
Joined: 05/02/2016
Posts: 8

I am using DC signing with Java, and when the signature is done, the PKCS#7 message includes all certificates present on the client machine, not only those selected by the user and used for the signature.

Is there any way to remove the other certs from the PKCS#7 message?

Quote

---=== Validate sbb ===---
Verifying results:
Successfully verified!

Signature type: PUBLIC KEY


Hash Algorithm:
SHA1


Certificates contained in message:

Certificate #1
Issuer: C=, L=, O=, CN=xxx-GARZA3-CA
Subject: C=CL, L=Santiago, O=xxx, CN=Javier Aranda DS
Private key is not available
Certificate #2
Issuer: C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot
Subject: C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot
Private key is not available
Certificate #3
Issuer: C=, L=, O=, CN=Communications Server
Subject: C=, L=, O=, CN=javier.aranda@xxx.com
Private key is not available
Certificate #4
Issuer: C=, L=, O=, CN=xxx-xxx
Subject: C=, L=, O=, CN=Aranda Leiva, Javier
Private key is not available
Certificate #5
Issuer: C=, L=, O=, CN=SONDA_USUARIOS\Javier.Aranda
Subject: C=, L=, O=, CN=SONDA_USUARIOS\Javier.Aranda
Private key is not available
Certificate #6
Issuer: C=si, L=, O=state-institutions, CN=
Subject: C=si, L=, O=state-institutions, CN=Janez Novak
Private key is not available

---=== End Validate sbb ===---


Validation code taken from example:

Code
    Private Sub DoVerification(signature As String)
        LogLine("---=== Validate sbb ===---")
        Try
            ' The data that was signed; the signature is detached, so the content is supplied separately
            Dim input As Byte() = System.Text.Encoding.Unicode.GetBytes(TextBoxAdv1.Text)
            Dim v As New SBMessages.TElMessageVerifier
            v.InputIsDigest = False

            ' The PKCS#7 / CMS signature arrives Base64-encoded
            Dim Buf() As Byte = Convert.FromBase64String(signature)
            If Buf Is Nothing Then Return

            ' 0 means the signature verified; any other value is an error code
            Dim i As Integer = v.VerifyDetached(input, Buf)
            If i = 0 Then
                'WriteDestination(OutBuf, intSize)
                LogLine("Verifying results:")

                LogLine("Successfully verified!" + ControlChars.CrLf)
                If (v.SignatureType = SBMessages.TSBMessageSignatureType.mstMAC) Then
                    LogLine("Signature type: MAC")
                Else
                    LogLine("Signature type: PUBLIC KEY")
                End If
                LogLine(ControlChars.CrLf)
                LogLine("Hash Algorithm: ")
                LogLine(GetAlgorithmName(v.HashAlgorithm))
                LogLine(ControlChars.CrLf)
                If (v.SignatureType = SBMessages.TSBMessageSignatureType.mstMAC) Then
                    LogLine("MAC Algorithm: ")
                    LogLine(GetAlgorithmName(v.MacAlgorithm))
                    LogLine(ControlChars.CrLf)
                End If
                ' Lists every certificate embedded in the CMS message, not only the signer's
                LogLine("Certificates contained in message:" + ControlChars.CrLf)
                LogLine(GetCertificatesInfo(v.Certificates))
            Else
                LogLine("Verification failed with error #" + i.ToString)
            End If
        Catch ex As Exception
            LogLine("Error: " + ex.Message)
        End Try
        LogLine("---=== End Validate sbb ===---")
    End Sub
#36630
Posted: 05/03/2016 07:21:44
by Ken Ivanov (EldoS Corp.)

Hi Javier,

SecureBlackbox signing components always include all certificates passed to them via their CertStorage property in the signature. This was done to give the user better control over which certificates are included in the signature.

Simply remove the unneeded certificates from the CertStorage before creating the signature. You can pick the relevant certificates by walking up the chain from the signing certificate, and using the certificate storage's GetIssuerCertificate() method to identify the CA certificate for a particular certificate in the chain.

Ken
#36631
Posted: 05/03/2016 07:55:40
by Ken Ivanov (EldoS Corp.)

UPD:

Besides, you can remove unnecessary certificates manually after the CMS has been created (either with or without involving DC), by removing relevant objects from TElSignedCMSMessage.Certificates list and then re-saving the message. This will let you remove any excessive certificates provided back by the applet.

Ken
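The chain walk described in both of Ken's replies (prune the CertStorage before signing, or prune the message's certificate list afterwards and re-save) as an added Python model; this is illustration code, not SecureBlackbox's. `find_issuer` stands in for GetIssuerCertificate() and, by assumption, matches only on issuer/subject name plus key identifiers, where a real implementation would also verify the certificate's signature with the candidate's public key. The first certificate bag is constructed from the verifier output quoted above; the second is a constructed three-level chain with a re-keyed decoy CA that shares the issuing CA's name, to show why the key-identifier check matters.

```python
"""Keep only the signer's chain out of a bag of certificates (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertInfo:
    """Minimal view of an X.509 certificate: names plus optional key identifiers."""
    subject: str
    issuer: str
    ski: Optional[str] = None  # SubjectKeyIdentifier (hex) when the cert carries one
    aki: Optional[str] = None  # AuthorityKeyIdentifier (hex) when the cert carries one


def is_self_signed(cert: CertInfo) -> bool:
    """Treat as a root when issuer == subject (and key ids agree when both exist)."""
    if cert.subject != cert.issuer:
        return False
    if cert.aki is not None and cert.ski is not None:
        return cert.aki == cert.ski
    return True


def find_issuer(cert: CertInfo, storage: List[CertInfo]) -> Optional[CertInfo]:
    """Stand-in for GetIssuerCertificate() (assumption: name/key-id matching only).

    The issuer DN must equal the candidate's subject DN; when both sides carry
    key identifiers, the AKI must equal the candidate's SKI. Signature
    verification against the candidate key is deliberately left out here.
    """
    for cand in storage:
        if cand == cert or cand.subject != cert.issuer:
            continue
        if cert.aki is not None and cand.ski is not None and cert.aki != cand.ski:
            continue
        return cand
    return None


def select_chain(signer: CertInfo, storage: List[CertInfo], max_len: int = 16) -> List[CertInfo]:
    """Walk from the signing certificate upwards until a root or a missing issuer."""
    chain = [signer]
    current = signer
    while not is_self_signed(current):
        issuer = find_issuer(current, storage)
        if issuer is None:  # CA certificate not in the bag: keep the partial chain
            break
        if issuer in chain or len(chain) >= max_len:
            raise ValueError("issuer loop or over-long chain in certificate bag")
        chain.append(issuer)
        current = issuer
    return chain


def prune_certificates(certs: List[CertInfo], signer: CertInfo) -> Tuple[List[CertInfo], List[CertInfo]]:
    """Return (keep, removed): the signer's chain in original order, and everything else."""
    chain = select_chain(signer, certs)
    keep = [c for c in certs if c in chain]
    removed = [c for c in certs if c not in chain]
    return keep, removed


# Constructed from the certificate list in the quoted verifier output above.
MESSAGE_CERTS = [
    CertInfo("C=CL, L=Santiago, O=xxx, CN=Javier Aranda DS", "C=, L=, O=, CN=xxx-GARZA3-CA"),
    CertInfo("C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot",
             "C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot"),
    CertInfo("C=, L=, O=, CN=javier.aranda@xxx.com", "C=, L=, O=, CN=Communications Server"),
    CertInfo("C=, L=, O=, CN=Aranda Leiva, Javier", "C=, L=, O=, CN=xxx-xxx"),
    CertInfo("C=, L=, O=, CN=SONDA_USUARIOS\\Javier.Aranda", "C=, L=, O=, CN=SONDA_USUARIOS\\Javier.Aranda"),
    CertInfo("C=si, L=, O=state-institutions, CN=Janez Novak", "C=si, L=, O=state-institutions, CN="),
]
SIGNER = MESSAGE_CERTS[0]

# Constructed full chain plus a decoy CA with the same name but a different key.
ROOT = CertInfo("CN=Example Root CA", "CN=Example Root CA", ski="01", aki="01")
INTER = CertInfo("CN=Example Issuing CA", "CN=Example Root CA", ski="02", aki="01")
LEAF = CertInfo("CN=Example Signer", "CN=Example Issuing CA", ski="03", aki="02")
DECOY = CertInfo("CN=Example Issuing CA", "CN=Example Root CA", ski="09", aki="01")
FULL_BAG = [DECOY, LEAF, ROOT, INTER, MESSAGE_CERTS[1]]


if __name__ == "__main__":
    for label, bag, signer in (("quoted message", MESSAGE_CERTS, SIGNER), ("full chain", FULL_BAG, LEAF)):
        keep, removed = prune_certificates(bag, signer)
        print(f"{label}: keep {[c.subject for c in keep]}")
        print(f"{label}: remove {[c.subject for c in removed]}")
```

For the quoted message only Certificate #1 survives, because its issuer (CN=xxx-GARZA3-CA) is not among the six certificates, so the chain cannot be extended; the other five, including the self-signed Fiddler root, are dropped. In the constructed bag the decoy is rejected even though its subject name matches, because its SKI does not equal the leaf's AKI.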
#36632
Posted: 05/03/2016 08:32:18
by Eugene Mayevski (EldoS Corp.)

Javier, are you setting the certificates for the signature in your code? If yes, are you doing this on pre-sign stage or on post-sign stage?


Sincerely yours
Eugene Mayevski
#36640
Posted: 05/04/2016 09:48:37
by Javier Aranda (Basic support level)
Joined: 05/02/2016
Posts: 8

I get the certificates on the post-sign stage in result.aspx; the certificates are on the client machine. Could I remove the extra certificates at this stage?
