
Comments (6)

bsanchezb commented on June 17, 2024

Hello,

From a quick check, it looks like DSS is not able to find out a complete certificate chain of the signature but the signing-certificate only. Thus, it does not validate the OCSP response.

You have the following options in order to provide the CA certificate:

  1. Provide the intermediate CA certificates directly within SignedData.certificates of CMS (next to the signing-certificate on signature creation);
  2. Provide the CA certificates within /DSS dictionary in PDF's structure on signature's augmentation; or
  3. Define the aia.caIssuers certificate extension (oid: 1.3.6.1.5.5.7.1.1) url, that will return certificate chain for your certificate on GET request.

As you are using a test PKI, the first two options would be preferable.

Provided that the OCSP response is valid, DSS should be able to correctly catch it for the given certificate when it finds its certificate chain.

Best regards,
Aleksandr

from dss-demonstrations.
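The first option above (shipping the intermediate and root CA certificates inside `SignedData.certificates` at signing time) looks like this with the DSS API. This is an added example, not code from the thread or from the dss-demonstrations project; it assumes DSS 5.x package names, a PKCS#12 keystore for the signing key, and placeholder file paths (`input.pdf`, `issuing-ca.crt`, `root-ca.crt`, `signer.p12`).

```java
// Added example (not from the dss-demonstrations thread): PAdES signing with the
// full certificate chain written into SignedData.certificates (option 1 above).
// Assumes DSS 5.x on the classpath; all file paths and the keystore password
// are placeholders.
import java.io.File;
import java.security.KeyStore.PasswordProtection;
import java.util.List;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.SignatureLevel;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.SignatureValue;
import eu.europa.esig.dss.model.ToBeSigned;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.pades.PAdESSignatureParameters;
import eu.europa.esig.dss.pades.signature.PAdESService;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.token.DSSPrivateKeyEntry;
import eu.europa.esig.dss.token.Pkcs12SignatureToken;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

public class SignWithFullChain {
    public static void main(String[] args) throws Exception {
        DSSDocument toSign = new FileDocument(new File("input.pdf")); // placeholder path

        // CA certificates of the test PKI (placeholder paths). A validator that does
        // not know this PKI needs these to rebuild the chain above the signer.
        CertificateToken issuingCa = DSSUtils.loadCertificate(new File("issuing-ca.crt"));
        CertificateToken rootCa = DSSUtils.loadCertificate(new File("root-ca.crt"));

        try (Pkcs12SignatureToken token = new Pkcs12SignatureToken("signer.p12",
                new PasswordProtection("changeit".toCharArray()))) {
            DSSPrivateKeyEntry key = token.getKeys().get(0);

            PAdESSignatureParameters params = new PAdESSignatureParameters();
            params.setSignatureLevel(SignatureLevel.PAdES_BASELINE_B);
            params.setDigestAlgorithm(DigestAlgorithm.SHA256);
            params.setSigningCertificate(key.getCertificate());
            // The point of the thread: every CA certificate listed here lands in
            // SignedData.certificates next to the signing certificate, so DSS can
            // find the issuer and match the OCSP response to the right certificate.
            params.setCertificateChain(List.of(issuingCa, rootCa));

            PAdESService service = new PAdESService(new CommonCertificateVerifier());
            ToBeSigned dataToSign = service.getDataToSign(toSign, params);
            SignatureValue signatureValue =
                    token.sign(dataToSign, params.getDigestAlgorithm(), key);
            DSSDocument signed = service.signDocument(toSign, params, signatureValue);
            signed.save("output-signed.pdf"); // placeholder path
        }
    }
}
```

Embedding the chain only makes the chain discoverable; it does not make it trusted. A validator still needs the root registered as a trust anchor before the chain validates, which is the subject of the later replies.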

bsanchezb commented on June 17, 2024

You need to provide the cert chain somehow. When a CA or Root CA is present in the trusted list, it is being caught automatically. But in case of test PKI, the certificates are not known to the validation tool. Another option is to provide the self-signed certificate as trusted or adjunct certificate to the DSS validation process explicitly (see Trusted Certificates and Adjunct Certificates in documentation).
Same for time-stamp's certificates, but in your case they are already present within /DSS dictionary and within the time-stamps' SignedData itself.

from dss-demonstrations.

bsanchezb commented on June 17, 2024

Ok, now certificates are incorporated within the signature and successfully found during the validation process. The missing point is, because you have a self-signed PKI, the certificates in question are not trusted by DSS by default. In case you want to be able to validate the certificate chain successfully, you need to add the self-signed root certificate to the trusted store (for both the signature and the timestamp). Please see F.A.Q., question "When validating a signature I receive INDETERMINATE/NO_CERTIFICATE_CHAIN_FOUND indication" for more information and resolution.

I hope this will help you.

Best regards,
Aleksandr

from dss-demonstrations.
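The two replies above (register the self-signed root as trusted, any further CA certificates as adjunct, then validate) can be put together in one DSS validation setup. This is an added example, not code from the thread or the dss-demonstrations project; it assumes DSS 5.x package names, the `dss-service` module for the online OCSP/CRL sources, and placeholder certificate paths. The signed PDF name `file_signed_ok.pdf` is the attachment mentioned later in the thread.

```java
// Added example (not from the dss-demonstrations thread): validating a PAdES
// signature issued by a test PKI. The self-signed root goes into the trusted
// source, other CA certificates into the adjunct source. Assumes DSS 5.x;
// file paths are placeholders.
import java.io.File;

import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

public class ValidateWithTestPki {
    public static void main(String[] args) throws Exception {
        // Trust anchors: the self-signed roots of the signing PKI and of the TSA.
        // Without these DSS reports INDETERMINATE / NO_CERTIFICATE_CHAIN_FOUND.
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(DSSUtils.loadCertificate(new File("root-ca.crt")));
        trusted.addCertificate(DSSUtils.loadCertificate(new File("tsa-root-ca.crt")));

        // Adjunct certificates: known to the validator for chain building, but not
        // trusted on their own (intermediate CAs that were not embedded in the PDF).
        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(DSSUtils.loadCertificate(new File("issuing-ca.crt")));

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);
        verifier.setAdjunctCertSources(adjunct);
        // Revocation lookup for certificates whose OCSP/CRL data is not already
        // embedded in the signature or the /DSS dictionary.
        verifier.setOcspSource(new OnlineOCSPSource());
        verifier.setCrlSource(new OnlineCRLSource());

        DSSDocument signed = new FileDocument(new File("file_signed_ok.pdf"));
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(signed);
        validator.setCertificateVerifier(verifier);

        Reports reports = validator.validateDocument();
        SimpleReport simple = reports.getSimpleReport();
        for (String sigId : simple.getSignatureIdList()) {
            // Format tells you the level DSS recognised (B-T, B-LT, ...); indication
            // and sub-indication explain why a higher level was not reached.
            System.out.println(sigId + ": " + simple.getSignatureFormat(sigId)
                    + " " + simple.getIndication(sigId)
                    + " / " + simple.getSubIndication(sigId));
        }
    }
}
```

For a closer look at a failing building block, `reports.getDetailedReport()` and `reports.getDiagnosticData()` carry the per-certificate chain and revocation data that the simple report summarises.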

IonutCorbu commented on June 17, 2024

So if I have only the signing cert and its root being the self-signed CA, I have to include the CA in the SignedData.certificates? And also, is it needed to add the certs up to the CA certificate for the TSA and an OCSP response for the TSA certificate? Thank you a lot for your response!

from dss-demonstrations.

IonutCorbu commented on June 17, 2024

I included everything, including the self-signed CA of the signing certificate and also the TSA certificate and its CA, but the response is still invalid for DSS and Adobe also; only Foxit Reader is recognizing it, but I think it is much more permissive.
I attach here the file_signed_ok.pdf and the DSS-Detailed-report.pdf.

It seems that now I have Basic Building Blocks REVOCATION for both the signing certificate and the TSA certificate.

I tried to add the certs to Adjunct Certificates, but it didn't change anything.

Do you know why it is not fully recognized in DSS or Adobe? I attach also photos with the Adobe and Foxit state of recognition:
[screenshot: Adobe]
[screenshot: Foxit]

In Foxit it's even recognized as PAdES B-LT, which is not true because I include the SigningTime attribute in the signature, which is not accepted by the PAdES format.

from dss-demonstrations.

IonutCorbu commented on June 17, 2024

Thank you! Finally I removed the SigningTime attribute and I was able to obtain B-LT in Adobe, but not LTV-enabled. I read that LTV-enabled is not clearly defined, so I don't know what is wrong there, but in DSS I'm able to obtain PAdES B-T and probably I can't obtain more because the OCSP responder is on localhost, so it will not be able to receive a response.

Thank you for all the help and I wish you a nice day!

Best wishes,
Ionut-Daniel Corbu

from dss-demonstrations.
