Fault in Adobe digital signature revocation checking schema
Hello,
I have found a fault in the Adobe digital signature revocation checking schema. If the OCSP response signing certificate contains a CRL distribution point (in my case CDP (CRL) and AIA (OCSP)), the online OCSP check executes, but after getting the OCSP responses for all chain certificates, the signature is validated against the CRL (it looks like it comes from the local cache). It means you never get OCSP validation data in the Adobe Acrobat or Reader signature revocation tab.
The Adobe Revocation Checking Quick Key schema is as follows:
1. Check Embedded revocation responses
2. Check local CRL cache C:\Documents and Settings\<user>\Application Data\Adobe\Acrobat\9.0\Security\CRLCache
3. Check Online OCSP response
4. Check Online CRL response
LAB environment:
Certificate chain E-ME SSI (RCA) (Root Certificate) -> E-ME PSI (PCA) (Policy Certificate) -> E-ME IS (CA1) (Issuer certificate) -> User certificate (Document signing certificate)
Sign PDF document (Ocsp-CHECK.pdf) using Adobe Acrobat 9 with User certificate (Don’t add revocation information in signature)
Test steps:
Sign PDF document using Adobe Acrobat 9 with User certificate (Don’t add revocation information in signature)
Clear Local CRL cache under C:\Documents and Settings\<user>\Application Data\Adobe\Acrobat\9.0\Security\CRLCache
Open signed file using Adobe Acrobat 9 or Reader 9
Verify signature. Verification process finishes successfully. Under signature properties, in the certificate window and the user certificate revocation tab, you can see that the revocation information data comes from CRL. The same for all chain certificates. But if we look in the chain and user certificate, each holds an AIA record for the OCSP service.
After a couple of tests I tried to disable access for Acrobat to local CRL cache folder (Everyone – Full control deny).
After disabling access to the local CRL cache folder, verify the same signed PDF file. When opening the document you can see the OCSP checking progress, and the verification process finishes successfully. Under signature properties, in the certificate window and the user certificate revocation tab, you can see that the revocation information data comes from OCSP. The same for all chain certificates.
Resolution:
It looks like when Adobe starts online OCSP checking and receives an OCSP response, it starts parsing the OCSP response signer certificate and checks the OCSP signer certificate's revocation information. In this process the CRL for the OCSP signer certificate is downloaded and placed in the local CRL cache C:\Documents and Settings\<user>\Application Data\Adobe\Acrobat\9.0\Security\CRLCache
Somehow, when Adobe gets the OCSP responses for all chain certificates and has also verified all OCSP signer certificates, the online OCSP check is no longer continued and the revocation information is taken from the local CRL cache.
Can you please help me clarify how to deal with this problem, to make sure that the procedure works correctly?
Message was edited by: Gatis Žeiris
Sorry, I add the correct link to the signed test file: http://www.dsistemas.lv/files/Ocsp-CHECK.pdf
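The behaviour reported in the post above can be reproduced with a small model. This is an added example, not Adobe code and not part of the original post; the two-phase evaluation and the assumption that each OCSP signer is issued by the same CA as the certificate it answers for are modelling assumptions taken from the poster's description.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str

@dataclass
class Validator:
    cache_writable: bool = True   # False models the "Everyone - Full control deny" test
    signer_has_cdp: bool = True   # OCSP signer certificate carries a CDP extension
    crl_cache: set = field(default_factory=set)      # issuers with a cached CRL
    ocsp_queries: list = field(default_factory=list)

    def _query_ocsp(self, cert):
        """Online OCSP for cert; checking the response signer may fetch a CRL."""
        self.ocsp_queries.append(cert.name)
        # Assumption: the signer is issued by cert's own CA, so the CRL fetched
        # to check the signer also covers cert and lands in the local cache.
        if self.signer_has_cdp and self.cache_writable:
            self.crl_cache.add(cert.issuer)
        return "good"

    def verify(self, chain):
        """Return {certificate name: revocation source shown in the UI}."""
        responses = {}
        for cert in chain:        # phase 1: cache miss, so go online via OCSP
            if cert.issuer not in self.crl_cache:
                responses[cert.name] = self._query_ocsp(cert)
        report = {}
        for cert in chain:        # phase 2: final evaluation, local cache first
            cached = cert.issuer in self.crl_cache
            report[cert.name] = "CRL (local cache)" if cached else "OCSP"
        return report

# Constructed chain using the names from the post; the root is the trust anchor.
CHAIN = [
    Cert("User certificate", "E-ME IS (CA1)"),
    Cert("E-ME IS (CA1)", "E-ME PSI (PCA)"),
    Cert("E-ME PSI (PCA)", "E-ME SSI (RCA)"),
]

def run(**settings):
    """Verify CHAIN with a fresh (empty) cache; return (report, OCSP queries)."""
    v = Validator(**settings)
    return v.verify(CHAIN), v.ocsp_queries

if __name__ == "__main__":
    for label, settings in [("default", {}),
                            ("cache folder denied", {"cache_writable": False}),
                            ("signer without CDP", {"signer_has_cdp": False})]:
        report, queries = run(**settings)
        print(f"{label}: {report} (OCSP queries sent: {len(queries)})")
```

In all three runs the OCSP queries are sent; only the source that ends up reported differs, which matches the observation that the OCSP progress is visible while the revocation tab shows CRL.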
Similar Messages
-
Hello SDN,
I have to implement digital signatures in my Webdynpro interactive forms. In SDN I found one example related to online interactive form security, but for offline I couldn't find one.
In offline scenario, a user will send pdf form to customer or employee etc to fill the form and send it back.
1) Here how a receiver will know that he got the form, from an authorized person?
2) Once the form is filled and send it back, how receiver can validate whether the filled form came from an authorized person?
3) Also how exactly I can use digital signatures? what are the technical requirements for implementing digital signatures?(SSL is mandatory?)
Can some one guide me on this?
Appreciate your help.
With regards,
Ravi
Hi Ravi,
Digital signatures can also be created and verified as of Adobe Reader 5.1. Users can use the Adobe Acrobat Reader to display and print files in PDF format, whose content and appearance correspond to the paper version, on a cross-platform basis. The prerequisites for this are the use of the new Adobe Document Server for Reader Extensions and the replacement of SmartForms by Adobe Acrobat (this is still in development). SSF is not used.
Adobe Document Server for Reader Extensions assign additional usage rights to electronic forms that were created with Adobe Acrobat 5.0 and Adobe Form Designer 5.0. Digital signatures are a type of usage right.
Adobe Acrobat Reader 5.1 can be downloaded free-of-charge from Adobe's Web site, and processes the usage rights that were embedded in PDF forms by the Adobe Document Server for Reader Extensions.
For SSL service go through: [https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/media/uuid/40cacc80-c1fc-2a10-f8b5-9e33b1829552]
For ADS (Adobe Document Services) check it out: [https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/50fd998b-494f-2b10-c2ab-e3513a857f62]
Digital Signatures and Certification in Forms:
[http://help.sap.com/saphelp_nw04s/helpdata/en/de/eda54dd9194cbcbb62bffaaebfa41d/frameset.htm]
If you have to implement digital certificates, from where can I get these certificates? Do you have to create them on my own or need to buy from some party?
Check it out: https://www.bconline.gov.bc.ca/pdf/DigiCertFAQ.pdf
On-demand digital certificates for Adobe AIR applications:
[http://www.net-security.org/secworld.php?id=6628]
Regards,
Khushboo -
How to digital signature in check printing.
Hi Team,
A new digital signature has been given to me by payroll team and requested me for some configuration changes so the new digital signature appears on the check during check printing program.
Can some one give me step by step procedure of how to do this in SAP.
Thanks and appreciate your help in advance.
Hi Team,
Please let me know how to do this in SAP? -
Need help. One of our users opens a PDF document in Adobe Reader, signs it with his digital signature, saves it and wants to send it in an email. When people receive the email his signature is missing. This is something he used to be able to do. Any ideas?
Hi,
Just try creating that signature again on that form. Sometimes, copy might not do!
Thanks,
Nitin -
Regarding Adobe Digital Signature
Hi
I am using Digital Signature in my application.
I have two signature field in my form.
SignatureField1 will be signed by the First person and then he/she will send that form to the Second person to be signed in the SignatureField2.
The Second Person will open the form and how can he/she validate that signature in the SignatureField1 is signed by First Person Only.
Is there a way of providing Public key of First person to the Second Person for validating the Signature of the First Person.
Regards
Chandran
Hi Madhavi,
Has your problem solved? It would be great help if you can share the solution.
I am opening a new thread, so that I can assign you points also for the help
With regards,
Amit -
Adobe digital editions: Error, check activation.
Hello,
I have a problem downloading an acsm file. I can open and download other files without any problem; only this one does not work. I have already tried deleting and reinstalling the program, but that does not work. I am authorized with Adobe. Does anyone know what else I can do?
Kind regards
I have the same problem too, and even on 2 PCs.
-
Installing ADE - cannot verify Adobe digital signature
On up-to-date 64-bit Windows 7 Home, I am unable to verify the software publisher when installing ADE 1.7.2, and so will not install the software. Both digitaleditions.exe (available via the ADE home page "Launch" button) and the "manual" install file setup.exe give warnings like so:
Do others experience the same message when trying to install ADE 1.7.2 on a clean system? Is there a certificate update I'm missing? Is the software really not recognizably signed?
Hi,
What are you trying to do ? To help us answer question quicker, please read this:
http://h30434.www3.hp.com/t5/First-Time-Here-Learn-How-to/Welcome-Get-started-here/td-p/699035
Regards.
BH
-
Hi Experts
Plz suggest the materials for Getting Started in Adobe Digital Signatures.
I tried with in the Adobe life cycle designer after drag and drop of signature field and executed, i clicked the signature and there is no action..
Is there any version problem and any thing to be updated..
As of now we are using Adobe Life Cycle Designer 7.0, Acrobat Reader 7.0
Regards
Chandran S -
Validate Digital Signature - Check CRL
Hi all,
(1) Is it possible for LiveCycle Document Security to validate the digital signature and check CRL, if there is NO CRL Distribution Point in the certificate itself?
(2) Can I hardcode the CRL's URL in the LiveCycle Document Security's configuration file?
Thanks.
Sanney
Sanney,
I don't know about the CRL URL question, but if I understood correctly what you are trying to achieve, then:
If you already have CRLs or certificate files at your disposal, you can store them on disk. You can then select the "advanced" option when installing. This will allow you to point at the directories containing the credentials, so these can be included as an integral part of the overall server deployment.
If later on you want to update the credentials, you can run Configuration Manager. You must then redeploy the updated server components to the application server.
I'm currently writing this out of memory, but the documentation is very clear about this procedure.
HTH,
Evangelos -
Digital Signatures for cProjects Approval
Hi Folks,
I am on cProjects 4.5 and from what I understand there are 2 options for this based on whether or not I check the "Signature of Approval with User Certificate" box in Project Type config.
Unchecked - user is prompted for cProjects password and this works fine. Only issue for us is, we are on the portal and most likely cProjects password will be different and unknown to user. As per note 928527 this is standard behavior and tough luck for anybody on the portal.
Checked - user is given the ability to digitally sign the PDF approval document. When I select "sign" on the PDF I am given the ability to create a new ID or use an existing ID from a file, server etc. I created a new ID and signed the document. Once I do this and click the transfer button the system appears to hang. The progress indicator appears and keeps going.
Therefore my questions are:
1. Is there any additional config I need to do in cProjects. ADS or anywhere else?
2. How exactly do Adobe digital signatures work? If anybody can simply create a signature, how does that provide any verification of authenticity?
Appreciate any help.
Thanks,
Lashan
Hi,
please see the Configuration Content for cProjects 4.5 available in SAP Solution Manager and also as PDF attachment to SAP Note 1035436.
There it says:
Making Settings for the Approval
Use
You can use user certificates for digital signatures of approvals.
Prerequisites
● You are using Microsoft® Internet Explorer 6.0 or higher.
● You have a user certificate that is suitable for digital signatures (for example, the single
sign-on certificate).
● You have installed Adobe® Reader and Adobe Document Services.
Procedure
To verify the signature, enter the corresponding root certificate in the certificate list of the
Personal Security Environment (PSE, transaction STRUST). For more information, see the
documentation for the activity and the Adobe Document Services – Configuration Guide NW
2004s on SAP Service Marketplace at service.sap.com/adobe → Media Library →
Documentation.
In fact, what is described in the ADS documentation referenced above is that you have to install
the certificate also on the ADS.
Kind regards,
Florian -
Digital Signature Validation process goes into unending state
Hi all
I am working Adobe Digital Signatures in Web Dynpro Java applications. I have been using [this|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/com.sap.km.cm.docs/media/streamingmedia/developer-areas/user-interface-technology/interactive-forms/securing%20online%20interactive%20forms%20by%20adobe%20(Session%208)/index.html?slide=] webinar to follow steps to configure SSL and validation of Digital Signatures.
After doing all necessary configurations, I am able to run my web dynpro applications containing interactive forms in secure mode.
But when I sign with digital signature and try to validate the form, the application keeps on processing and shows no result.
I tried debugging my application but control does not reach my button action code. I am clueless.
I would be thankful to receive any hints or pointers from you.
Thanks in advance.
Kapil
The following blog discusses a solution to this prob
/people/kapil.kamble/blog/2009/07/08/experimenting-with-digital-signatures-in-sap-interactive-forms-by-adobe
Kapil -
Can anyone point me to where I can find some documentation on digital signatures for check printing? Thanks.
Joseph,
I don't know of any reference to signature files for producing checks. Reports does have the ability to include image files on the report and if the signature capture software stores the signature as an image, we should be able to display that image on the report in the proper position. On the layout editor or the live previewer, you can add the image by selecting the link object item. Look at the online help for examples. Also look at the "read from file" field property in help to see how to display an image. Hope this gives you some ideas.
Regards,
The Oracle Reports Team. -
Does anyone know how I can assign a digital signature to a PDF document, a word or pages document or an email message using Snow leopard?
Thanks
OF
You can download Adobe Digital Signature here.
http://www.adobe.com/security/partners_cds.html
Google "Digital Signature" for more.
Also, if you have Adobe Acrobat or Acrobat Pro it's built-in.
EDIT: There's nothing in SL and also note that not all institutions accept digital signatures.
-mj
Message was edited by: macjack -
We have created adobe captivate video in "exe" format (Using Captivate 5). It has a adobe digital signature, but it is not proper (Invalid digital sign). So we want to remove that old digital sign and put our digital sign. How to remove digital sign from exe?
We used "FileUnsigner.exe" from here. It has removed that old digital sign and after that we have signed with our thawte digital sign. But after signing, that exe is not opening. How can we solve this issue?
Or any other option to publish that exe without digital signature? So that we can put our digital sign later.
Please anyone help as soon as possible
Hello there,
I'm not sure whether the signing would work with this exe but my question was if you are able to create the exe and playback without signing it.
Thanks,
Vish -
Digital signature on LMS - issue with R/3 password
Hi,
We have enabled the Digital Signature (FDA check) for Follow-up against WBT course delivery method. Once I click on the 'Confirm Participation' link, I get a popup to provide username and password. I believe this popup checks for SAP (R/3) UserID and password. The problem is, Learning portal (HCM_LEARNING) is linked within SAP Enterprise portal and most of our users don't have backend access and no password. They only know their portal username and password.
So definitely, when I put my portal login details into the Popup, it will error as the password is different to the ECC System.
Is there any work around solution for this issue? Has anyone been able to resolve the issue around password?
Would really appreciate if you could share the solution with us.
Best,
Jaya
Hi
You need to Trigger an Outbound Message for generating the IDoc.
Using the process code, the IDoc interface finds the application selection module which converts the SAP document into an IDoc.
The process code is only used with applications which perform outbound processing via Message Control (NAST).
Go to Transaction NACE.
Select the Application ME - Inventory management.
Click on Output types, copy the Output type WA03 and create a new Output type.
Select the Output type and click on Processing routines.
Maintain the medium 6 - EDI. There is no standard print program for EDI, so you need to create your own program and form routine.
Check the form routine EDI_PROCESSING in program RSNASTED to get an idea.
After maintaining all the relevant EDI parameters,
maintain the message condition record using MN21 for the new output type.
When you create a Goods issue the message will be triggered and the IDoc will be triggered; you can then transfer this into XI.
Thanks & Regards
Kishore