Hi,
I have been using iText's PdfPKCS7 for signing PDFs and verifying signed PDFs. In the verification code, signature verification succeeds, but certificate chain verification renders the following result:
Cannot be verified against the KeyStore or the certificate chain
I tried both loading the KeyStore with the default provider and location and loading it from a specified location. In both scenarios it gives the above output.
The following is the code snippet I used.
    // af is an AcroFields instance obtained earlier; loader and mCertChain
    // are fields of the surrounding class
    PdfPKCS7 pk = af.verifySignature(pdfDocumentName);
    Calendar cal = pk.getSignDate();
    // load keystore by default
    KeyStore kall = PdfPKCS7.loadCacertsKeyStore();
    X509Certificate pkc[] = (X509Certificate[]) pk.getCertificates();
    mCertChain = (X509Certificate[]) pk.getCertificates();
    System.out.println("Certificates are:");
    for (int i = 0; i < pkc.length; i++)
    {
        System.out.println(pkc[i].toString());
        // This gives null for all three certificates. Why does this render null?
        System.out.print("============================Verifying certificate :");
        // I tried using both the cal object and a null value as the 3rd param
        String result = PdfPKCS7.verifyCertificate(pkc[i], null, null);
        System.out.println(result);
    }
    System.out.println("Subject: " + PdfPKCS7.getSubjectFields(pk.getSigningCertificate()));
    // Is the certificate available? Search the chain of certificates
    System.out.println("Keystore details : " + kall.getType());
    Enumeration e = kall.aliases();
    while (e.hasMoreElements())
    {
        String alias = (String) e.nextElement();
        System.out.println("alias : " + alias);
        // I printed this out because the root certificate I want is included
        // under this alias. I did not do it; I merely installed it in my
        // Firefox browser. I don't know where it comes from.
        if (alias.equals("verisignclass1g2ca"))
        {
            X509Certificate cert = (X509Certificate) kall.getCertificate(alias);
            System.out.println("certificate : " + cert.toString());
        }
    }
    Object fails[] = PdfPKCS7.verifyCertificates(pkc, kall, null, null);
    if (fails == null)
    {
        loader.setCertificateChainValidation("\nCertificates verified against the KeyStore");
        System.out.println("Certificates verified against the KeyStore");
    }
    else
    {
        loader.setCertificateChainValidation("Certificate Chain verification failed: " + fails[1]);
        System.out.println();
        for (int i = 0; i < fails.length; i++)
        {
            System.out.println(fails[i]);
        }
    }
Output:
Keystore details : JKS
alias : digicertassuredidrootca
alias : trustcenterclass2caii
alias : thawtepremiumserverca
alias : swisssignplatinumg2ca
alias : swisssignsilverg2ca
alias : thawteserverca
alias : equifaxsecureebusinessca1
alias : utnuserfirstclientauthemailca
alias : thawtepersonalfreemailca
alias : entrustevca
alias : utnuserfirsthardwareca
alias : certumca
alias : addtrustclass1ca
alias : entrustrootcag2
alias : equifaxsecureca
alias : quovadisrootca3
alias : quovadisrootca2
alias : digicerthighassuranceevrootca
alias : secomvalicertclass1ca
alias : equifaxsecureglobalebusinessca1
alias : geotrustuniversalca
alias : verisignclass3ca
alias : thawteprimaryrootcag3
alias : deutschetelekomrootca2
alias : utnuserfirstobjectca
alias : geotrustprimaryca
alias : baltimorecodesigningca
alias : verisignclass1ca
alias : baltimorecybertrustca
alias : starfieldclass2ca
alias : camerfirmachamberscommerceca
alias : ttelesecglobalrootclass3ca
alias : verisignclass3g5ca
alias : ttelesecglobalrootclass2ca
alias : trustcenteruniversalcai
alias : verisignclass3g3ca
alias : certplusclass3pprimaryca
alias : certumtrustednetworkca
alias : verisignclass3g2ca
alias : globalsignr3ca
alias : utndatacorpsgcca
alias : secomscrootca2
alias : gtecybertrustglobalca
alias : secomscrootca1
alias : trustcenterclass4caii
alias : verisignuniversalrootca
alias : globalsignr2ca
alias : certplusclass2primaryca
alias : digicertglobalrootca
alias : globalsignca
alias : thawteprimaryrootca
alias : geotrustglobalca
alias : soneraclass2ca
alias : verisigntsaca
alias : soneraclass1ca
alias : quovadisrootca
alias : valicertclass2ca
alias : comodoaaaca
alias : addtrustqualifiedca
alias : keynectisrootca
alias : aolrootca2
alias : addtrustexternalca
alias : verisignclass2g3ca
alias : aolrootca1
alias : verisignclass2g2ca
alias : geotrustprimarycag3
alias : swisssigngoldg2ca
alias : entrust2048ca
alias : gtecybertrust5ca
alias : camerfirmachambersignca
alias : camerfirmachambersca
alias : godaddyclass2ca
alias : entrustsslca
alias : verisignclass1g3ca
alias : secomevrootca1
alias : verisignclass1g2ca
certificate : [
[
// I don't need this root certificate
Version: V1
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:
119950617602343703456423506733047709247727658595962983304701412945217223306812050734950912030531272224652487645130032827030431591202640533806504282247970443051092643159731477694553756627881887390789466738613624437448076277090630609093768046888993692043541081868205223103456314080994127036695173259031445497717
public exponent: 65537
Validity: [From: Mon May 18 05:30:00 GMT+05:30 1998,
To: Wed Aug 02 05:29:59 GMT+05:30 2028]
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 1 Public Primary Certification Authority -
G2, O="VeriSign, Inc.", C=US
SerialNumber: [ 4cc7eaaa 983e71d3 9310f83d 3a899192]
]
Algorithm: [SHA1withRSA]
Signature:
]
// I only need this Root certificate for verification.
[0] Version: 3
SerialNumber: 9549200516449922912
IssuerDN: C=LK,ST=Western,L=Moratuwa,CN=LankaCertify Root
CA,O=LK Domain Registry,OU=LankaCertify
Start Date: Thu Nov 05 15:07:10 GMT+05:30 2009
Final Date: Tue Nov 04 15:07:10 GMT+05:30 2014
SubjectDN: C=LK,ST=Western,L=Moratuwa,CN=LankaCertify Root
CA,O=LK Domain Registry,OU=LankaCertify
Public Key: RSA Public Key
modulus:
public exponent: 10001
Signature Algorithm: SHA1withRSA
Extensions:
critical(true) BasicConstraints: isCa(true)
critical(false) KeyUsage: 0xc6
Cannot be verified against the KeyStore or the certificate chain
The iText documentation says that "KeyStore kall = PdfPKCS7.loadCacertsKeyStore();" loads root certificates from java.home/lib/security/cacerts.
But I could not see any such folder structure (/security/cacerts) on my machine. So I created it and tried including my keystore as a JKS keystore in that folder. Still it does not verify the certificate chain. I am confused about where this KeyStore loads root certificates from. Is it from my browser? All the alias names that have been printed, where do they come from? I am totally confused. I installed my root certificate in the Firefox browser as a separate root certificate. Then why is it listed under the "verisignclass1g2ca" alias name with a VeriSign root certificate?
Since this approach did not work for me, I tried loading the keystore by providing its location as follows.
    KeyStore kall = KeyStore.getInstance("PKCS12");
    kall.load(new FileInputStream(pfxFile.getPath()), password.toCharArray());
Here I used the .pfx version of the keystore. But this also did not work.
I am totally confused now. I am using this for my university project and the deadline is getting closer and closer. I still cannot find a way to do the verification.
I even added it as a trusted certificate under Adobe Reader 8.
Could someone be kind enough to help me with this? Plzzzzzzzzzzzzzz
Regards,
dushi.
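Added example, not code from the post or from iText: it builds an in-memory trust store that holds only the root CA the verifier actually trusts (the LankaCertify root, loaded from a DER or PEM file whose path is a placeholder) as a trusted-certificate entry, then checks every signature field's chain against that store with the same PdfPKCS7.verifyCertificates call the post uses. It assumes the iText 5 package names (com.itextpdf.text.pdf; iText 2.x uses com.lowagie.text.pdf) and a hypothetical alias name.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;

import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfPKCS7;
import com.itextpdf.text.pdf.PdfReader;

public class ChainCheck {
    // Trust store containing only the roots we decide to trust. The root is
    // added with setCertificateEntry, i.e. as a trusted-certificate entry,
    // not as the certificate attached to a PKCS#12 private-key entry.
    static KeyStore trustStoreWithRoot(String rootCertFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(rootCertFile);      // DER or PEM
        X509Certificate root = (X509Certificate) cf.generateCertificate(in);
        in.close();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                               // empty, in-memory
        ks.setCertificateEntry("lankacertify-root", root); // hypothetical alias
        return ks;
    }

    // Verify the integrity of each signature and its chain against the store.
    static void check(String pdf, KeyStore trust) throws Exception {
        PdfReader reader = new PdfReader(pdf);
        AcroFields af = reader.getAcroFields();
        for (Object name : af.getSignatureNames()) {
            PdfPKCS7 pk = af.verifySignature((String) name);
            Calendar signDate = pk.getSignDate();
            System.out.println(name + " signature intact: " + pk.verify());
            X509Certificate[] chain = (X509Certificate[]) pk.getCertificates();
            // null means every chain certificate passed its validity check
            // and was signed by a trusted root or by another chain member
            Object[] fails = PdfPKCS7.verifyCertificates(chain, trust, null, signDate);
            if (fails == null) {
                System.out.println(name + " chain OK");
            } else {
                String who = fails[0] == null ? "(no certificate)"
                    : ((X509Certificate) fails[0]).getSubjectDN().toString();
                System.out.println(name + " chain failed at " + who + ": " + fails[1]);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        check(args[0], trustStoreWithRoot(args[1]));   // <pdf> <root-ca-file>
    }
}
```

Passing the signing date instead of null makes the validity check apply at the time of signing rather than now.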
_______________________________________________
iText-questions mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/itext-questions
iText(R) is a registered trademark of 1T3XT BVBA.