I am signing a PDF with Bouncy Castle and embedding an OCSP response in the PKCS7. I assemble the signed PDF with PDFBox, but I can't for the life of me get the resulting file to validate properly in Adobe Reader (the OCSP is not recognized). Since the OCSP responder requires signed requests, I have to embed the response in the file.
If someone would have any pointers at all, it would be much appreciated.
I presume it's easier to look at the actual signature/certs/OCSP than my code. The signed PDF is available here:
https://drive.google.com/open?id=0B_TaSaQW0YXteUgtbUlEa0NhcGc
And the Base64-encoded signature is here:
https://drive.google.com/open?id=0B_TaSaQW0YXtaEtPczRROTg4UDA
Edit:
When I look at the certificate in Adobe Reader, and check Revocation > Problems encountered, it says:
Certificate is not valid for the usage. Must sign the request.
The Revocation-section also says:
An attempt was made to determine whether the certificate is valid by doing
a revocation check using the Online Certificate Status Protocol (OCSP).
So it seems that the embedded OCSP is skipped altogether.
Edit 2:
As per mkl's suggestion I updated the nonce-extension, by changing the following line:
DEROctetString extValue = new DEROctetString(nonce);
To this:
DEROctetString extValue = new DEROctetString(new DEROctetString(nonce)));
Resulting in the following DER-structure:
[1] (1 elem)
SEQUENCE (1 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.2ocspNonce(OCSP)
OCTET STRING (1 elem)
OCTET STRING IKhVULz41m7JWTa4swZXJPBm6Zs=
But I still get the same error messages in Adobe Reader. I have attached the updated document and base64-encoded signature:
https://drive.google.com/open?id=0B_TaSaQW0YXtVjNqRWlxbXg4T0U
https://drive.google.com/open?id=0B_TaSaQW0YXtNC1CblZlUHV4dGs
Edit 3:
I compared the file to another version without the embedded OCSP response, and got this error in Prolems encountered in Adobe Reader:
Must sign the request.
Leading me to believe that the first part of the initial error was indeed from trying to validate the embedded OCSP-response:
Certificate is not valid for the usage.
I guess the certificate in question, would be the signing certificate of the OCSP-response. My own document is signed with the following certificate structure:
Root CA -> Bank (on EU Trust List) -> My Company
The OCSP is signed with the following structure:
Root CA -> External company (cert marked for OCSP signing)
Does the intermediary certificate in the document signing chain make the OCSP-signature invalid? Or can I somehow include missing pieces of the cert chain(s) to make it validate? Or is this perhaps not the problem?
OCSP Nonce encoding
The nonce extension in your OCSP response is encoded like this:
3405 45: [1] {
3407 43: SEQUENCE {
3409 41: SEQUENCE {
3411 9: OBJECT IDENTIFIER
: ocspNonce (1 3 6 1 5 5 7 48 1 2)
3422 28: OCTET STRING 'EZrf5DVM/y1QFGUfydwBSOsxZ6s='
: }
: }
: }
This most likely corresponds to the nonce extension as you sent it in your request.
Remember, though, that the value of an extension is wrapped in an OCTET STRING by definition. Thus, your actual nonce value is the sequence of bytes given by the ASCII values of the characters EZrf5DVM/y1QFGUfydwBSOsxZ6s=, i.e. something completely untyped as far as ASN.1 is concerned.
But RFC 6960 specifies, for the nonce extension, ASN.1 syntax that was missing in RFC 2560...
Nonce ::= OCTET STRING
(RFC 6960 sections 1 and 4.4.1)
So your nonce value has to be an OCTET STRING instead of untyped as far as ASN.1 is concerned.
Thus, please try and wrap the value you chose for your nonce in an OCTET STREAM (which then, according to the Extension definition, will be wrapped in yet another OCTET STREAM).
Revocation information for all certificates
To make verification succeed without additional revocation information requests, the signature must bring along revocation information for all certificates involved except the (trusted) root certificates and other certificates marked accordingly.
Thus, you do not only need revocation information for your signer certificate and the intermediary bank certificate but also for the OCSP certificates of your embedded OCSP responses (unless they have the id-pkix-ocsp-nocheck extension).
If I read the ASN.1 dumps correctly, the OCSP certificate in your case does not have that extension. Thus, Adobe Reader will try to receive revocation information for it online, and if that does not work, it won't use your embedded OCSP responses.
OCSP service TLS certificate
As your signature does not bring along all required revocation information. Adobe Reader tries to receive them online. While doing so, it runs into errors.
The detailed error information I get are
Certificate is not valid for the usage____________________________________________________________
Certificate is not valid for the usage____________________________________________________________
SSL certificate error.
And indeed, trying to access https://va1.bankid.no/ (the URL of the OCSP server) manually, I'm also been told about certificate issues.
You appear to get different errors. Did you install and trust some special certificates on your computer or in Adobe Reader?
Related
I understand "certificate chain provided by the peer", if certificate provided by the peer is in the X509TrustManager, the certificate is trusted, so is it just need a checkTrusted instead of checkClientTrusted and checkServerTrusted, i don't understand what's the difference? Can anyone explains?
https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509TrustManager.html
void checkClientTrusted(X509Certificate[] chain, String authType):
Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for client SSL authentication based on the authentication type.
void checkServerTrusted(X509Certificate[] chain, String authType):
Given the partial or complete certificate chain provided by the peer, build a certificate path to a trusted root and return if it can be validated and is trusted for server SSL authentication based on the authentication type.
In the early SSL/TLS protocols that existed when JSSE was designed, there was a significant difference between the constraints on and thus validation of server cert (linked to the key_exchange portion of the ciphersuite) versus client cert (mostly independent of key_exchange but controlled by CertReq); see rfc2246 7.4.2 and 7.4.4 (modified by rfc4492 2 and 3). Although authType is a String in both checkServer and checkClient, the values in it and the processing of them in the default TrustManager were significantly different.
TLS1.2, implemented (along with 1.1) by Java 7 and early 8, changed the cert constraints to also use a new signature_algorithms extension (from client) and field (from server) in combination with the prior fields. As a result in Java 7 up the interface you link is functionally replaced by a subtype class https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html which in addition to the new constraint checks also moves to the JSSE layer only in checkServer the hostname checking aka endpoint identification formerly done at a higher level like HttpsURLConnection (if at all). The extended class additionally takes an SSLSocket or SSLEngine argument (as applicable) which allows access to the additional information for sigalgs and hostname.
Finally TLS1.3, implemented in java 11 up and backported to 8u261 up, uses only extensions, now two of them, and not the ciphersuite at all, for cert selection and checking. In 1.3 the extended API is still called but the value in authType is meaningless and must not be used, and in at least some cases I have looked at is in fact empty, so the actual (rfc5280) validation is in fact the same for both directions. But as above checkServer does endpoint identification if applicable while checkClient does not.
See an actual difference in https://security.stackexchange.com/questions/158339/ssl-tls-certificate-chain-validation-result-in-invalid-authentication-type-d (note: 2017 was before TLS1.3 existed)
and compare javax.net.ssl.SSLContext to trust everything sslContext.init(keyManagerFactory.getKeyManagers(), ???, new SecureRandom()); .
I'm parsing TLS records, taken from a PCAP file.
I have the bytes of a TLS certificate in ASN.1 format (in a []byte).
I want to unmarshall this byte slice into a useful structure (avoiding having to manually parse ASN.1).
I can't seem to find an interface for a TLS certificate that follows the RFC in either encoding/asn1 nor crypto/tls.
Has this been created somewhere I can't find or do I need to write my own?
The struct is in the x509 package
I am working on a web service project which requires that clients connecting to my service authenticate themselves via X.509 certificates as part of a Mutual Authentication TLS negotiation. In addition to linking the client certificate to a specific PKI trust chain, my requirements dictate that I must verify specific values within the certificate. Specifically, the subject DN must contain one OU with a predetermined value, and the certificate must contain one subjectAltName with a different predetermined value in URI format.
I am using Apache httpd 2.4.6 on a CentOS 7 system, and am able to satisfy most of these requirements fairly easily with standard Apache configuration directives leveraging common mod_ssl variables, with one notable exception: I cannot seem to find a variable that allows me to access a subjectAltName value in URI format. Looking at the mod_ssl documentation found here:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
I can see variables for the following subjectAltName formats:
SSL_CLIENT_SAN_Email_n - Client certificate's subjectAltName extension entries of type rfc822Name
SSL_CLIENT_SAN_DNS_n - Client certificate's subjectAltName extension entries of type dNSName
SSL_CLIENT_SAN_OTHER_msUPN_n - Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)
Given that URI is a distinct and valid format for subjectAltName values as defined in RFC 5280 (X.509/PKI) section 4.2.1.6, I'm at a loss for why mod_ssl would not provide access to subjectAltNames in this format. Is there a variable that provides this functionality which I am simply not seeing in the documentation?
Further reviewing the mod_ssl source code, it is clear that extracting SAN values in URI format for use in variables is simply not currently supported, as noted by this comment:
/*
* Not implemented right now:
* GEN_X400 (x400Address)
* GEN_DIRNAME (directoryName)
* GEN_EDIPARTY (ediPartyName)
* GEN_URI (uniformResourceIdentifier)
* GEN_IPADD (iPAddress)
* GEN_RID (registeredID)
*/
in https://github.com/apache/httpd/blob/5f32ea94af5f1e7ea68d6fca58f0ac2478cc18c5/modules/ssl/ssl_util_ssl.c
As such, the answer to my question is apparently that there is not presently a variable I can use for this purpose, and fulfilling this requirement will necessitate a workaround (or an implementation of GEN_URI pushed to mod_ssl).
I have A3 certificate in a smart card from icpbr when I try sign PDF with iText
I get this error:
c.i.t.p.s.OcspClientBouncyCastle INFO Getting OCSP from http://io-ocsp-icpbr.imprensaoficial.com.br
com.itextpdf.text.pdf.security.OcspClientBouncyCastle ERROR io-ocsp-icpbr.imprensaoficial.com.br
I use the code of this link:
Digital signatures - chapter 4
File: C4_01_SignWithPKCS11HSM.java
I checked that http://io-ocsp-icpbr.imprensaoficial.com.br don't have OCSP active.
how to skip OCSP request?
Thanks a lot!
If you don't want iText to make OCSP requests, don't give it an OCSP client to make them with, i.e. use null instead of an OcspClientBouncyCastle instance as OCSP client in the OcspClient ocspClient parameter.
How do I open a Pem file to check a) That the 'Not before' and 'Not after' dates are okay and b) That there is a chain of certs in the pem file to a route certificate authority?
I have tried:
:-use_module(library(http/http_client)).
url('http://fm4dd.com/openssl/source/PEM/certs/512b-rsa-example-cert.pem').
url_data(Url,D):-
http_get(Url,D,[to(string)]).
url_data1(Url,Certificate):-
http_get(Url,D,[to(stream(Stream))]),
load_certificate(Stream, Certificate),
close(Stream).
url_data/1 works in that it returns the pem file as a string. But url_data1/1 does not work. It is intended to return each certificate(s) as a list of terms.
* Update *
I have:
url_data1(Url,Certs):-
http_open(Url,Stream,[]),
all_certs(Stream,Certs),
forall(member(C,Certs),my_validate(C)),
close(Stream).
all_certs(Stream,[C1|Certs]):-
catch(load_certificate(Stream,C1),_,fail),
all_certs(Stream,Certs),!.
all_certs(_Stream,[]).
my_validate(C):-
memberchk(to_be_signed(Signed),C),
memberchk(key(Key),C),
memberchk(signature(Signature),C),
memberchk(signature_algorithm(A),C),
algo_code(A,Code),
rsa_verify(Key,Signed,Signature,[type(Code)]).
algo_code('RSA-SHA256',sha256).
algo_code('RSA-SHA1',sha1).
Which fails. What are the correct arguments?
You can use http_open/3 in combination with load_certificate/2:
?- url(Url),
http_open(Url, Stream, []),
load_certificate(Stream, Certificate),
maplist(portray_clause, Certificate).
Yielding:
version(0).
notbefore(1345613214).
notafter(1503293214).
serial('0DFA').
subject(['C'='JP', 'ST'='Tokyo', 'O'='Frank4DD', 'CN'='www.example.com']).
hash("071CB94F0CC8514D024124708EE8B2687BD7D9D5").
signature("14B64CBB817933E671A4DA516FCB081D8D60ECBC18C7734759B1F22048BB61FAFC4DAD898DD121EBD5D8E5BAD6A636FD745083B60FC71DDF7DE52E817F45E09FE23E79EED73031C72072D9582E2AFE125A3445A119087C89475F4A95BE23214A5372DA2A052F2EC970F65BFAFDDFB431B2C14A9C062543A1E6B41E7F869B1640").
signature_algorithm('RSA-SHA1').
etc.
Check the issuer_name/1 element to obtain the issuer. You can use load_certificate/2 again to read further certificates from the file.
Note that a much more typical way to validate the certificate chain is to establish a secure connection (via HTTPS), and then to use ssl_peer_certificate/2 or ssl_peer_certificate_chain/2 on the stream to obtain the peer certificate and certificate chain.
To validate the chain, you must verify the signature/1 fields, which contain the digital signatures of the to_be_signed/1 portions of the certificate, signed by the respective issuer.
You can use library(crypto) to verify the signatures.