Discuss this help topic in SecureBlackbox Forum


Addressing typical CAdES validation problems

Note that while this article refers to signature validation problems, it also applies to the at-first-glance opposite problem of signature creation. This is because the majority of tasks performed during signature creation and validation are essentially the same, and involve one or more certificate chain validation runs. As chain validation issues are also the most common CAdES-related problems, this article will be useful to those validating CAdES signatures, updating (e.g. archiving) them, and creating signatures from scratch.

The behaviour of the TElCAdESSignatureProcessor methods that create or upgrade signatures differs from that of the validation methods. Methods such as CreateXXX() (e.g. CreateExtendedXL()) and UpgradeToXXX() (e.g. UpgradeToBaselineLTA()) throw an exception if something goes wrong. The Validate() method catches all internal exceptions and comes up with a well-defined validation result (Valid, Invalid or Incomplete).

If you came across an issue when creating or upgrading a signature, please start by inspecting the exception message carefully (if you've got one) to get a hint about the possible reason. There are three common reasons:

1) It is not possible to upgrade the signature from one level to another due to a conceptual violation (e.g. you can't upgrade an XL signature to a T). In this case you will get an exception message similar to 'Signature cannot be upgraded to the specified level'.
2) You requested an extended signature to be created, but the chain couldn't be validated (due to missing certificates or unavailable revocation information sources).
3) If you are creating a timestamped signature, the unavailability of the TSA at the signing moment will induce an exception.

Validation operations typically fail due to three other reasons:

1) The signature value is invalid (the data was altered or corrupted). In this case the asvInvalid result is returned.
Note: a common reason for this problem is forgetting to attach the content corresponding to a detached signature. Please ensure that you are providing the signed content to TElSignedCMSMessage.Open() when opening detached signatures.
2) The signing certificate is not valid for signing, or is revoked. The asvInvalid result is returned. This means that the signature can't be considered trusted; there's nothing else you can do about it.
3) The signing certificate chain (or any related chain, such as the timestamping certificate chain) can't be validated. There are plenty of reasons for this. Please consider retrieving the validator object's log as explained here and inspecting it.

Some hints can be provided by the CompatibilityErrors property. It can be used to track various CAdES compatibility issues that might have taken place. For instance, the absence of the SigningCertificateV2 attribute is reported via the CompatibilityErrors enumeration.

Chain validation is a complicated area full of pitfalls, so it is not possible to cover all possible reasons in one small article. If this article didn't help you to solve your validation problem, please feel free to contact the friendly EldoS customer support team, and we will do our best to solve it for you.
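The two failure styles described above (result codes from Validate(), exceptions from the create/upgrade methods) in one Delphi routine, written here as an added illustration rather than code from the SecureBlackbox documentation. The unit names, the Open(SigStream, ContentStream) argument order, the Signatures[]/Signature properties, the result values asvValid and asvIncomplete (only asvInvalid is named above) and CompatibilityErrors being a set are all assumptions; check them against your edition's reference.

```pascal
uses
  SysUtils, Classes, SBCMS, SBCAdES;  // unit names are assumed

// Assumed API shapes (not confirmed by the article): Open(SigStream, ContentStream),
// Signatures[] / Signature properties, Validate returning an enum with the values
// asvValid, asvInvalid and asvIncomplete, and CompatibilityErrors being a set type.
procedure CheckAndArchive(const SigPath, ContentPath: string; Archive: Boolean);
var
  Msg: TElSignedCMSMessage;
  Proc: TElCAdESSignatureProcessor;
  SigStream, ContentStream: TFileStream;
begin
  SigStream := TFileStream.Create(SigPath, fmOpenRead);
  ContentStream := TFileStream.Create(ContentPath, fmOpenRead);
  Msg := TElSignedCMSMessage.Create(nil);
  Proc := TElCAdESSignatureProcessor.Create(nil);
  try
    // Detached signature: the signed content MUST be supplied here, otherwise
    // the signature value cannot be checked and Validate reports asvInvalid.
    Msg.Open(SigStream, ContentStream);
    Proc.Signature := Msg.Signatures[0];

    // Validation never throws; internal errors are reduced to one result code.
    case Proc.Validate of
      asvValid:
        Writeln('Signature valid');
      asvInvalid:
        begin
          // Altered data or an unsuitable/revoked signing certificate: untrusted.
          Writeln('Signature INVALID - do not trust');
          Exit;
        end;
      asvIncomplete:
        // Chain could not be validated (missing certs, unreachable CRL/OCSP).
        Writeln('Chain validation incomplete - inspect the validator log');
    end;
    // Compatibility hints, e.g. a missing SigningCertificateV2 attribute
    if Proc.CompatibilityErrors <> [] then
      Writeln('CAdES compatibility errors reported');

    // Creation/upgrade methods DO throw; the message carries the reason
    // (level conflict, chain validation failure or unreachable TSA).
    if Archive then
      try
        Proc.UpgradeToBaselineLTA;
      except
        on E: Exception do
          Writeln('Upgrade failed: ', E.Message);
      end;
  finally
    Proc.Free; Msg.Free; ContentStream.Free; SigStream.Free;
  end;
end;
```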
