EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Signature validity

#37589
Posted: 08/29/2016 11:41:37
by Cilmar Thomé (Standard support level)
Joined: 05/19/2016
Posts: 7

Hi all.

I have a certificate of type A1 used to sign PDF files. My problem is that Adobe Reader flags the signature as invalid (see attachment, first screen). The message indicates something like "Error creating chain from signer's certificate to an issuer certificate".

In the second screen (certificate details), the chain is all there, and the message is "There are errors in the selected certificate: invalid limitation policy".

How do I know if (1) my program is not adding the certificates correctly, or (2) my environment lacks something, or (3) there are issues about the certificate?

(I can send the signed PDF if you allow me. Related to hypothesis (2), I sent the PDF to the issuer of the certificate, and the signature is displayed as VALID for them.)

Cilmar Thomé.


#37591
Posted: 08/29/2016 13:17:49
by Dmytro Bogatskyy (EldoS Corp.)

Thank you for contacting us.

Quote
How do I know if (1) my program is not adding the certificates correctly, or (2) my environment lacks something, or (3) there are issues about the certificate?

Most likely the problem is related to the certificate that you have used for signing or to the intermediate or CA certificates.
Could you please try to sign this document with another certificate? Is the same error message shown?
Quote
I can send the signed PDF if you allow me.

Sure, please use Helpdesk ( https://www.eldos.com/helpdesk/ ) to post the documents to us privately.
#37592
Posted: 08/29/2016 15:49:06
by Cilmar Thomé (Standard support level)
Joined: 05/19/2016
Posts: 7

Thank you, Dmytro. I submitted a post to Helpdesk just now, sending one PDF with invalid signature (type A1 - don't know if this matters) and one PDF with valid signature (type A3).

Cilmar.
#37595
Posted: 08/30/2016 05:30:47
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Thank you for the sample PDF documents.

"Invalid policy constraint" error means that "The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension".
Please see the following thread on Adobe support forum: https://forums.adobe.com/message/3916971#3916971 (it has an answer for your problem and a possible solution)
#37665
Posted: 09/08/2016 14:23:11
by Cilmar Thomé (Standard support level)
Joined: 05/19/2016
Posts: 7

Hi, I'm sorry for the late reply.

I was waiting for some official position from the issuer of the certificate, regarding the procedure of editing certificate policies in the preferences of Adobe Reader, as described in the forum you recommended. I finally received the following information:

"Adobe did not include A1 policies in the list of trusted policies. This kind of configuration must be set manually, accepting the risks of that solution. It is Adobe's internal decision, and the fact of a policy not being part of the list [of policies of the trusted certificate] doesn't make the signature invalid."

So, as I suspected, using certificates of type A3 is the way to avoid such policy issues.

Thank you.

Cilmar.
#37672
Posted: 09/09/2016 05:36:05
by Dmytro Bogatskyy (EldoS Corp.)

Hi,

Quote
"Adobe did not include A1 policies in the list of trusted policies. This kind of configuration must be set manually, accepting the risks of that solution. It is Adobe's internal decision, and the fact of a policy not being part of the list [of policies of the trusted certificate] doesn't make the signature invalid."

So, as I suspected, using certificates of type A3 is the way to avoid such policy issues.

Yes, it seems so.
Thank you very much for sharing the results of your research.
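
Added example, not part of the original thread and not EldoS or Adobe code: a simplified model of the RFC 5280 policy processing behind the "invalid policy constraint" error and the issuer's remark about the list of trusted policies, showing why a complete chain can validate in one viewer and fail in another. It assumes the viewer's trusted-policy list behaves like RFC 5280's user-initial-policy-set with an explicit policy required; `validate_policies`, the path dictionaries and the `2.999.*` OIDs are constructed for illustration.

```python
# Simplified RFC 5280 section 6.1 policy check. Not modelled: policy mappings,
# qualifiers, inhibitAnyPolicy, self-issued certificates.
ANY_POLICY = "2.5.29.32.0"      # anyPolicy OID (RFC 5280)
A1, A3 = "2.999.1", "2.999.3"   # constructed placeholder OIDs, not real policy OIDs

def validate_policies(path, acceptable=frozenset({ANY_POLICY}), explicit_required=False):
    """path: certs ordered from the one issued by the trust anchor to the signer.
    Each cert is a dict: 'name', 'policies' (set of OIDs, or None if the
    certificatePolicies extension is absent), optional 'require_explicit'
    (requireExplicitPolicy from policyConstraints). Returns (ok, reason)."""
    n = len(path)
    explicit_policy = 0 if explicit_required else n + 1
    valid = {ANY_POLICY}        # None stands for a NULL valid_policy_tree
    for i, cert in enumerate(path, start=1):
        pols = cert["policies"]
        if pols is None or valid is None:
            valid = None
        elif ANY_POLICY not in pols:
            # anyPolicy in the running set acts as a wildcard, else intersect
            valid = (set(pols) if ANY_POLICY in valid else valid & pols) or None
        if explicit_policy == 0 and valid is None:
            return False, f"{cert['name']}: a policy is required but none is valid"
        if explicit_policy > 0:
            explicit_policy -= 1
        req = cert.get("require_explicit")
        # On the last cert only requireExplicitPolicy=0 still has an effect
        if req is not None and req < explicit_policy and (i < n or req == 0):
            explicit_policy = req
    if valid is not None and ANY_POLICY not in acceptable:
        valid = (set(acceptable) if ANY_POLICY in valid else valid & acceptable) or None
    if explicit_policy == 0 and valid is None:
        return False, "chain asserts no policy from the acceptable set"
    return True, "ok"

# Constructed sample paths (not taken from the PDFs in this thread)
CA = {"name": "intermediate CA", "policies": {A1, A3}}
A1_PATH = [CA, {"name": "signer (A1)", "policies": {A1}}]
A3_PATH = [CA, {"name": "signer (A3)", "policies": {A3}}]
STRICT_CA = {"name": "constrained CA", "policies": {A1}, "require_explicit": 0}
NO_POLICY_PATH = [STRICT_CA, {"name": "signer (no policies)", "policies": None}]

if __name__ == "__main__":
    print(validate_policies(A1_PATH))                                # no policy restriction
    print(validate_policies(A1_PATH, {A3}, explicit_required=True))  # restricted list
    print(validate_policies(A3_PATH, {A3}, explicit_required=True))
    print(validate_policies(NO_POLICY_PATH))
```

The same A1 path passes with no policy restriction and fails once the acceptable set is limited to the A3 placeholder, while the last path fails because a CA's `requireExplicitPolicy` of 0 is followed by a certificate with no certificatePolicies extension.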


As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
