EldoS | Feel safer!

Software components for data protection, secure storage and transfer

.net with java dc return multiples certificates on signature

Posted: 05/03/2016 07:11:32
by Javier Aranda (Basic support level)
Joined: 05/02/2016
Posts: 8

I am using DC signature with java and when signature is done, in pkcs7 message are included all certificates displayed on client machine, not only those selected by user, used on signature.

¿is there any way to remove others certs on pkcs7 message?


---=== Validate sbb ===---
Verifying results:
Successfully verified!

Signature type: PUBLIC KEY

Hash Algorithm:

Certificates contained in message:

Certificate #1
Issuer: C=, L=, O=, CN=xxx-GARZA3-CA
Subject: C=CL, L=Santiago, O=xxx, CN=Javier Aranda DS
Private key is not available
Certificate #2
Issuer: C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot
Subject: C=, L=, O=DO_NOT_TRUST, CN=DO_NOT_TRUST_FiddlerRoot
Private key is not available
Certificate #3
Issuer: C=, L=, O=, CN=Communications Server
Subject: C=, L=, O=, CN=javier.aranda@xxx.com
Private key is not available
Certificate #4
Issuer: C=, L=, O=, CN=xxx-xxx
Subject: C=, L=, O=, CN=Aranda Leiva, Javier
Private key is not available
Certificate #5
Issuer: C=, L=, O=, CN=SONDA_USUARIOS\Javier.Aranda
Subject: C=, L=, O=, CN=SONDA_USUARIOS\Javier.Aranda
Private key is not available
Certificate #6
Issuer: C=si, L=, O=state-institutions, CN=
Subject: C=si, L=, O=state-institutions, CN=Janez Novak
Private key is not available

---=== End Validate sbb ===---

Validation code taken from example:

Private Sub DoVerification(signature As String)
        LogLine("---=== Validate sbb ===---")
            Dim input As Byte() = System.Text.Encoding.Unicode.GetBytes(TextBoxAdv1.Text)
            Dim v As New SBMessages.TElMessageVerifier
            v.InputIsDigest = False

            Dim Buf() As Byte = Convert.FromBase64String(signature)
            If Buf Is Nothing Then Return

            Dim i As Integer = v.VerifyDetached(input, Buf)
            If i = 0 Then
                'WriteDestination(OutBuf, intSize)
                LogLine("Verifying results:")

                LogLine("Successfully verified!" + ControlChars.CrLf)
                If (v.SignatureType = SBMessages.TSBMessageSignatureType.mstMAC) Then
                    LogLine("Signature type: MAC")
                    LogLine("Signature type: PUBLIC KEY")
                End If
                LogLine("Hash Algorithm: ")
                If (v.SignatureType = SBMessages.TSBMessageSignatureType.mstMAC) Then
                    LogLine("MAC Algorithm: ")
                End If
                LogLine("Certificates contained in message:" + ControlChars.CrLf)
                LogLine("Verification failed with error #" + i.ToString)
            End If
        Catch ex As Exception
            LogLine("Error: " + ex.Message)
        End Try
        LogLine("---=== End Validate sbb ===---")
    End Sub
Posted: 05/03/2016 07:21:44
by Ken Ivanov (Team)

Hi Javier,

SecureBlackbox signing components always include all certificates passed to them via their CertStorage property to the signature. This was done that way to provide the user with a better control over certificates included in the signature.

Simply remove the unneeded certificates from the CertStorage before creating the signature. You can pick the relevant certificates by walking up the chain from the signing certificate, and using the certificate storage's GetIssuerCertificate() method to identify the CA certificate for a particular certificate in the chain.

Posted: 05/03/2016 07:55:40
by Ken Ivanov (Team)


Besides, you can remove unnecessary certificates manually after the CMS has been created (either with or without involving DC), by removing relevant objects from TElSignedCMSMessage.Certificates list and then re-saving the message. This will let you remove any excessive certificates provided back by the applet.

Posted: 05/03/2016 08:32:18
by Eugene Mayevski (Team)

Javier, are you setting the certificates for the signature in your code? If yes, are you doing this on pre-sign stage or on post-sign stage?

Sincerely yours
Eugene Mayevski
Posted: 05/04/2016 09:48:37
by Javier Aranda (Basic support level)
Joined: 05/02/2016
Posts: 8

i get certificates on post-sign stage in result.aspx, certificates are in client machine. ¿could i remove extra certificates on this stage?



Topic viewed 1987 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!