EldoS | Feel safer!

Software components for data protection, secure storage and transfer

PKI Data Signing Verification Issue

Posted: 01/17/2008 11:42:04
by Andrew Filby (Premium support level)
Joined: 05/16/2006
Posts: 3

I'm having a problem verifying a signed byte array using EIMessageVerifier with exactly the same CertStorage that was used to sign it. This is in C#.NET

Here is the relevant code:

byte[] arrFileData = External code to get the file data

X509Certificate2 certSignCertificate = External code to get the signing certificate

// Get certificate
byte[] bySignCertificatePFX = certSignCertificate.Export(X509ContentType.Pfx, "Test");
SBX509.TElX509Certificate ecCert = new SBX509.TElX509Certificate();
ecCert.LoadFromBufferPFX(bySignCertificatePFX, "Test");

// Create custom cert store
SBCustomCertStorage.TElMemoryCertStorage memoryCertStorage = new SBCustomCertStorage.TElMemoryCertStorage();

memoryCertStorage.Add(ecCert, true);

// Create signer
SBMessages.TElMessageSigner signer = new SBMessages.TElMessageSigner(null);
// Assign custom cert store to signer
signer.CertStorage = memoryCertStorage;
signer.RecipientCerts = memoryCertStorage;

// RSA public key is used
signer.SignatureType = SBMessages.TSBMessageSignatureType.mstPublicKey;
signer.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;

// Do the signing
int iSize = 0;
byte[] outbuf = new byte[0];
signer.Sign(arrFileData, ref outbuf, ref iSize, false);
outbuf = new byte[iSize];
int i = signer.Sign(arrFileData, ref outbuf, ref iSize, false);

// Manage return value
if (i != 0)

// Create the verifier
SBMessages.TElMessageVerifier v = new SBMessages.TElMessageVerifier(null);
v.CertStorage = memoryCertStorage;
v.VerificationOptions = (short)2;

// Do the verification
iSize = 0;
arrFileData = new byte[0];
v.Verify(outbuf, ref arrFileData, ref iSize);
arrFileData = new byte[iSize];
i = v.Verify(outbuf, ref arrFileData, ref iSize);

This code is very similar to that provided in the samples.
The verification fails with error code 8194: Can't find certificate.
The same happens if certificates are included in the signed file and with different verification options.

Stepping through the code, the problem seems to be with the import of the certificate PFX byte array into a TElX509Certificate object, as the serial number gets prefixed with a '0'. Analysing the serial number associated with the .NET X509Certificate2 object, it is 16 bytes long, starting with a byte '210'. But analysing the serial number associated with the TElX509Certificate object, after import, it is 17 bytes long, starting with a byte '0' then '210' etc.

However, the serial number contained in the CertID in the Verifier is the original 16-byte value, with the 17-byte value contained in the CertStorage and Certificates property. I expect this difference is why it can never find a certificate to verify with.

I have confirmed that the exported PFX from the .NET X509Certificate2 object will at least reimport into a new .NET X509Certificate2 object without the erroneous serial number.

I would appreciate any insight you could give to this problem.
Posted: 01/18/2008 04:01:12
by Ken Ivanov (Team)

Thank you for contacting us.

A similar problem has been resolved several months ago. Please check if you are using the latest build of SecureBlackbox. If the version you are using is not the latest one (5.2.124/6.0.130), please try to upgrade to it and check if it solves the issue. If it doesn't, please provide us the certificate you are using (of course, only its public part), so that we could investigate the problem in our conditions. Please use the HelpDesk system to post the certificate.



Topic viewed 4280 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS business operates as a division of /n software, inc. For more information, please read the announcement.

Got it!