Verification of Digital Signatures

Hi...
I would like to know how a process from LiveCycle authenticates digital signatures.
I need clarification on the steps followed. I mean, how does the process interact with the Trust Store and what does it look up there? Will it check for the CA and authenticate? And if the issuing CA is not in the Trust Store, how will it communicate further??
Please let me know your views on this or share some links from where I can get the clarity...
Thanks and Regards,
Ambika

Hi all.
I have the same problem and explore all possible solutions found in this discussion and others without satisfactory result.
Everything points that may be an inconsistency error external certificate which is in the DB. Anyone know how to fix this.
Greetings.

Similar Messages

  • SOAP 1.2 web service fails when SOAP header has digital signatures

    Hi,
    When we upgraded our JAX-RPC web services from SOAP 1.1 to SOAP 1.2, they started failing with the following response.
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <env:Header>
    <env:Upgrade>
    <env:SupportedEnvelope xmlns:soap12="http://www.w3.org/2003/05/soap-envelope"
    qname="soap12:Envelope"/>
    </env:Upgrade>
    </env:Header>
    <env:Body>
    <env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
    <faultcode>env:VersionMismatch</faultcode>
    <faultstring>Version Mismatch</faultstring>
    <faultactor>http://schemas.xmlsoap.org/soap/actor/next</faultactor>
    </env:Fault>
    </env:Body>
    </env:Envelope>
    The following two errors were in log.xml
    An error occurred for port: {http://xxx.xxx.xxx/xxx/1.0/ws/TestService}TestServicePort: oracle.j2ee.ws.common.soap.fault.SOAP11VersionMismatchException: Version Mismatch.
    Unable to determine operation id from SOAP Message.
    We use web service handlers to add and verify digital signatures. The request message seems to be making it to the web service but is failing before reaching the web service handler which verifies the digital signature.
    Everything works fine when we don't add the digital signatures. The SOAP message without the digital signature doesn't have the SOAP header. I've listed the SOAP message with the digital signature below.
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
         xmlns:ns0="http://xxx.xxx.xxx/1.4/"
         xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         <env:Header>
              <wsse:Security
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:CanonicalizationMethod>
                             <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
                             <ds:Reference URI="#Body">
                                  <ds:Transforms>
                                       <ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"></ds:Transform>
                                  </ds:Transforms>
                                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
                                  <ds:DigestValue>...</ds:DigestValue>
                             </ds:Reference>
                        </ds:SignedInfo>
                        <ds:SignatureValue>
                        </ds:SignatureValue>
                        <ds:KeyInfo>
                             <ds:X509Data>
                                  <ds:X509Certificate>
                                  </ds:X509Certificate>
                             </ds:X509Data>
                             <ds:KeyValue>
                                  <ds:RSAKeyValue>
                                       <ds:Modulus>
                                       </ds:Modulus>
                                       <ds:Exponent>AQAB</ds:Exponent>
                                  </ds:RSAKeyValue>
                             </ds:KeyValue>
                        </ds:KeyInfo>
                   </ds:Signature>
              </wsse:Security>
         </env:Header>
         <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Body">
              <ns0:SearchRequestMessage
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:gml="http://www.opengis.net/gml"
                   xmlns:xxx="http://xxx.xxx.xxxl/1.4/"
                   xmlns:ns5="http://www.w3.org/1999/xlink"
                   >
                   <xxx:SearchCriteria itemsPerPage="10" maxTimeOut="180000" startIndex="1" startPage="1" totalResults="25">
                   </xxx:SearchCriteria>
              </ns0:SearchRequestMessage>
         </env:Body>
    </env:Envelope>
    We are using Oracle AS 10.1.3.3.0, WSDL 1.1, and SOAP 1.2. Everything works fine with WSDL 1.1 and SOAP 1.1.

    Take a look at 'How to Use a Custom Serializer with Oracle Application Server Web Services' [1].
    In your case, you should be looking at BeanMultiRefSerializer (org.apache.soap.encoding.soapenc), which will serialize your data using href and providing a way to deal with cycles.
    All the best,
    Eric
    [1] http://www.oracle.com/technology/tech/webservices/htdocs/samples/serialize/index.html

  • Digital signature verification failed - Error RTCCTOOL

    Hi guys !!!
    I am running the report from the SDCCNN - RTCCTOOL, but I get the following error message:
    1. Digital signature verification failed
    Description -  The verification of the recommendation content using digital signatures has failed. Therefore recommendations were suppressed.
    Implementation -  Consult SAP note 69455 if there is a known issue with content verification. If you do not find a solution open a customer message on SV-SMG-SDD.
    When I Goto - Digital signatures Activate button digital content verification is disabled.
    Then go to the transaction on the client STRUST 000 and I found the certificate: SSF SAP AGS Online Content View The certificate shows:
    Owner: CN=SID SSF SAP AGS Online Content Verification, OU=I0020596183, OU=SAP Web AS, O=SAP Trust Community, C=DE
    Certificate List: CN=Online Recommendations, CN=OR-C, CN=V01M, OU=AGS, O=SAP AG, C=DE
                CN=Online Recommendations Upd, CN=OR-U, CN=V01M, OU=AGS, O=SAP AG, C=DE
    Both certificates will expire on 01.01.2038.
    According to the help and OSS note 69455 tell me again that I must create this certificate every year, but I see this current certificate, what is the error?
    What is the process because I'm not clear and can not find another OSS note or the SDN forum to tell me what is wrong is happening.
    Thanks guys for the help I can provide.
    Desiré

  • TS3212 I have removed my pop-up blocker completely and still receive the following error message when attempting to download iTunes:  "The file was blocked because it does not have a valid digital signature that verifies its publisher".....any ideas?

    I have removed my pop-up blocker completely and still receive the following error message when attempting to download iTunes:  "The file was blocked because it does not have a valid digital signature that verifies its publisher".....any ideas?

    That suggests that the installer is getting damaged during the download.
    I'd first try downloading an installer from the Apple website using a different web browser:
    http://www.apple.com/itunes/download/
    If you use Firefox instead of IE for the download (or vice versa), do you get a working installer?

  • Digital Signature Verification

    Hello Friends,
    We have used Acrobat 9 Pro (on a Win XP system) to create a form containing about 30 digital signature fields that can be signed (or not) during reviewer circulation. We're finding that once a number of signatures are applied, it becomes cumbersome to open and sign for the reviewers who sign later in the process. This is because of the time it takes to verify all the signatures.
    Is it necessary for the form to constantly verify all signatures upon opening and signing? Would it be possible to override the verification using a key combination or something in order to speed things up?
    Thanks in advance for your help,
    Calamity Vic

    In Edit Preferences Security you can turn off "Verify signatures when document is opened". If you later want to verify the signatures, open the signature panel and click "Validate All".

  • I livecycle process verifies the validity of digital signatures

    Hello, I have to create a process that I livecycle verify the validity of digital signatures in PDF format. can you help me?

    hello thanks for the reply, I tried the process and works in part, the only problem in the variable verificationResult
    process output tells me <identityStatus> UNKNOWN </ identityStatus> though I imported the certificate in to livecycle
    how can I fix this?

  • Adobe Acrobat and Reader digital signature verification error logs

    Can you help me how enable and where Acrobat 9.2 and Reader 9.2.3 error logs to analyse digital signature certificate revocation (CRL, OCSP)?

    Hi Gatis,
    Check out the Security and Digital Signature Admin Guide at http://learn.adobe.com/wiki/download/attachments/52658564/acrobat_reader_security_9x.pdf?version=1
    Once you get the file open look at section 5.3.4.4
    The folder path has to exist, but Acrobat will create the file if it's missing. For example, if you want to save the file to C:\LogFile\digSigLog.txt the folder LogFile would have to exist on the C drive, but the log file itself will get created if it's not there already.
    When you type in the file path and name in the Edit Binary Value dialog in regedit, make sure you null terminate the string by typing a zero at the end of the hex data on the left side of the dialog. It will look like a dot on the right side, but it's not really a dot (a dot is 2E in hex).
    Steve

  • Second digital signature invalidates the first one

    Hello to all,
    I'm having some troubles adding a second digital signature to an already digitally signed PDF. The library that I'm using in order to handle the PDFs is an open source one, so I'm programmatically editing the PDFs. The first PDF I produce, PDF1 (the PDF with one signature), has a valid digital signature. The second PDF I produce, PDF2 (the PDF with the two signatures), has the second signature marked as valid, but the first one as invalid with the following error:
    Error during signature verification. 
    Unexpected byte range values defining scope of signed data.
    Details: The signature byte range is invalid
    I've read and applied all the "best practices" on PDF digital signature, so I'm adding the second signature in incremental mode and I'm sure that the second PDF has no changes in the first part, because if I make a binary comparison of PDF1 and PDF2, the first part of PDF2 equals PDF1. So if you remove the incremental part from PDF2 (after the first %%EOF), you obtain PDF1 again with the valid digital signature. So the problem seems to be in something new in the incremental part of PDF2 that makes Acrobat Reader X think that the first digital signature is invalid.
    If you want to see the three PDFs, here are the links:
    The original PDF: https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0BzrgexS80Iq_ODQxZTY2MDktNTQyYi00YTE0LTk0MTctYWMxNDFiOWY4MjA5&hl=en_US
    PDF1: https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0BzrgexS80Iq_ZDQ3MTk1ZmItNWI4NS00YzdhLTkxNmUtODk1NjVmY2M2NTVh&hl=en_US
    PDF2: https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0BzrgexS80Iq_ZGM1YmZhMWEtY2JiYi00YzZkLWE5ZjItNzgwM2RlNzExYWE1&hl=en_US
    Any help will be very appreciated. Best regards.

    Hi,
    I'm not sure if this helps, but I found something unusual with your PDF2. Just at the beginning of the second incremental update (with the new signature), the first object is added without a carriage return. This makes the last line of the previous update look like this:
    %%EOF3 0 obj
    Might this lead to incorrect parsing and then invalidate the signature? Not sure about that, but as far as I can read offsets, your byte ranges are correct.
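
The two checks discussed in this thread (whether each /ByteRange is consistent, and whether every %%EOF is followed by an end-of-line before the next object) can be run over a file's raw bytes. The script below is an added example, not code from the posters or from any PDF library; the function names are hypothetical and the sample data is constructed to mimic the `%%EOF3 0 obj` case, not taken from the linked files.

```python
import re

EOF = b"%%EOF"
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def unterminated_eof_offsets(pdf: bytes) -> list:
    """Offsets of %%EOF markers followed by something other than an EOL or end of data."""
    return [m.start() for m in re.finditer(re.escape(EOF), pdf)
            if pdf[m.end():m.end() + 1] not in (b"", b"\r", b"\n")]


def revision_ends(pdf: bytes) -> set:
    """Offsets at which a revision may end: just after %%EOF, or after its EOL."""
    ends = set()
    for m in re.finditer(re.escape(EOF), pdf):
        ends.add(m.end())
        for eol in (b"\r\n", b"\r", b"\n"):
            if pdf.startswith(eol, m.end()):
                ends.add(m.end() + len(eol))
    return ends


def byte_range_reports(pdf: bytes) -> list:
    """One (byte_range, problems) tuple per /ByteRange array found in the data."""
    ends, reports = revision_ends(pdf), []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = (int(g) for g in m.groups())
        problems = []
        if a != 0:
            problems.append("first range does not start at offset 0")
        if c < a + b or c + d > len(pdf):
            problems.append("ranges overlap or run past the end of the data")
        elif not (pdf[a + b:c].startswith(b"<") and pdf[a + b:c].endswith(b">")):
            problems.append("gap between ranges is not exactly the /Contents string")
        if c + d not in ends:
            problems.append("signed data does not end at the end of a revision")
        reports.append(((a, b, c, d), problems))
    return reports


def append_signed_revision(previous: bytes, obj_num: int, separator: bytes) -> bytes:
    """Constructed sample builder (hypothetical helper): dummy /Sig object plus %%EOF."""
    head = previous + separator + b"%d 0 obj\n<< /Type /Sig /ByteRange [" % obj_num
    mid, contents, tail = b"] /Contents ", b"<" + b"00" * 16 + b">", b" >>\nendobj\n%%EOF"
    gap_start = len(head) + 43 + len(mid)      # 43 = four 10-digit fields + 3 spaces
    gap_end = gap_start + len(contents)
    total = gap_end + len(tail)
    ranges = b"%010d %010d %010d %010d" % (0, gap_start, gap_end, total - gap_end)
    return head + ranges + mid + contents + tail


# Constructed sample data, not the poster's files.
BASE = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
PDF1 = append_signed_revision(BASE, 2, b"")
PDF2_GOOD = append_signed_revision(PDF1, 3, b"\n")   # "%%EOF\n3 0 obj"
PDF2_BAD = append_signed_revision(PDF1, 3, b"")      # "%%EOF3 0 obj", as in the reply

if __name__ == "__main__":
    for name, pdf in (("PDF2_GOOD", PDF2_GOOD), ("PDF2_BAD", PDF2_BAD)):
        print(name, "unterminated %%EOF at", unterminated_eof_offsets(pdf))
        for rng, problems in byte_range_reports(pdf):
            print("  ByteRange", rng, "->", problems or "consistent")
```

On the constructed `PDF2_BAD` the byte ranges themselves come out consistent while the first %%EOF is reported as unterminated, which is the situation the reply describes.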

  • Use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature?

    Dear all,
    I am looking to set up the use of active directory userid/password authentication instead of SAP R/3 User/Password for digital signature. We SSO to the backend ABAP AS via an SAP NW Portal to which SPNEgo kerberos authentication is set up. Today we specify R3 user id/password to digitally approve a lot release. The idea is to have users maintain one AD password and not have to remember the R/3 password anymore, and also for our Security team to avoid password maintenance.
    I know there are 3 options for digital signature and
    System signature with authorization by user ID and password (We use this currently)
    Digital User signature with verification - (We would like to use this with AD userid/password, so the system still ask the users their AD userid/password for the authentication when they try to "sign" a document.)
    User signature without verification
    Do you think there is a way to configure the system in order to ask and check the active directory userid/password instead of SAP R/3 password? Where can I find documentation about it?
    I have several different versions of AS ABAP starting from NW 7.02 to NW 7.31.
    My active directory is based on Windows 2008.
    Thanks in advance!!
    Dhee

    Actually enabling Kerberos for SSO purposes and enabling Kerberos for digital signatures are two different topics although the latter is because of the former. I'm interested in the topic as well and I'm currently looking at different options. SAP provides a BAdI for the digital signature API which can be used for external authentication but they do not provide the solution to invoke Kerberos authentication based on username and password. SAP provides a semi solution with NWSSO 2.0 SP2 which works only on Windows with classic dynpros meaning SAP GUI for Windows is assumed. The solution is based on an ActiveX component which does the actual Kerberos authentication using the Secure Login Client which is part of the NWSSO suite. Extending that implementation to non-Windows and non-GUI applications would require some sort of web enabled service that could be used to authenticate the user with username and password. In case authentication is successful, a Kerberos token would be returned to SAP which would then be validated. All the required pieces are there since SAP has Kerberos support now in both stacks of the NetWeaver Application Server, some bits are still missing though which leaves customers looking at 3rd party or custom solutions.

  • Digital Signature crashes Acrobat 9 Pro

    An error occurs when trying to Sign any PDF document, even when opening a very simple, one word (Times New Roman text only) PDF document. After opening the PDF in Acrobat Pro (WinXP Pro SP3), selecting Sign, Sign Document, Acrobat allows proper placement of the signature box, and accepts the password for the selected Signature ID. When <Sign> is then selected, Acrobat offers to save the document, and when the save location (any location) is selected, Acrobat returns the error below.
    Adobe Acrobat 9.3 has encountered a problem and needs to close. We are sorry for the inconvenience.
    Error Signature
    AppName: acrobat.exe AppVer: 9.3.2.163 ModName: acrobat.dll
    ModVer: 9.3.2.163 Offset: 00135fb9
    The same source PDF document can be modified, or password protected, and then saved without a problem. Only when a digital signature is applied does the error occur. Acrobat has successfully Signed and saved documents on this PC previously, but started experiencing this error about a week ago. I have uninstalled Acrobat, reinstalled ver. 9.0 and applied the two updates to 9.3.2, and have generated new Digital Signatures, all with the same resulting error when signing a document. The new, signed PDF document is actually created, and a Digital Signature is found in the document, but is invalid, reporting:
    Error during signature verification.
    Signature contains incorrect, unrecognized, corrupted or suspicious data.
    Support Information: SigDict /Contents illegal data
    I have tried the troubleshooting steps in http://kb2.adobe.com/cps/403/kb403613.html, but without any progress; the error continues to remain. Any advice on how to resolve this will be greatly appreciated.  Thanks.

    Hi Mike,
    After the Save As operation was done, did you see the signature appearance displayed in the signed signature field before you closed the doc? And if you did see the signature appearance, did you happen to notice if there was a green check mark displayed in the blue message bar at the top of the file?
    Thanks,
    Steve

  • PubSec Digital signatures in Acrobat 9

    Hi,
    I'm developing a digital signature plug-in, PubSec, to be specific. My plugin will, hopefully, digitally sign open PDFs, and also be able to verify them. The signature I am creating will be standard so that any other plugin, including Acrobat's own, can also verify it, and my plugin can verify others too. For this, I will leave the Filter unset and only set subfilter appropriately.
    Now, when implementing the signature creation and verification callbacks I found it very difficult, and in some cases am stuck, while getting required information from the provided arguments of the callbacks. For instance, from this structure "PSSigValidateDialogParams" I want to extract information such as:
    - signature's verification status
    - signer's certificate
    - reason location, etc.
    But so far I can only get the verification status as:
    ASInt32 sigValDigest = ASCabGetInt( sigValCab,  PROP_SigVal_Digest,  kDSSigValUnknown   );
    ASInt32 sigValTrustFlags = ASCabGetInt( sigValCab,  PROP_SigVal_TrustFlags,  kDSSigValUnknown   );
    ASInt32 sigValId = ASCabGetInt( sigValCab,  PROP_SigVal_Id,  kDSSigValUnknown );
    And I don't even completely understand what each of these means. And I cannot get the rest of the info from the structure as well, as I can't find any description of them in the documentation. I did find a "Digital signature API Reference" document for Acrobat 6, but none for Acrobat 9. And even in Acrobat 6, there is no description for most of the functions and structures, just the prototype.
    Please help me get the above information from the PSSigValidateDialogParams, or at least point me towards the documentation of the digital signature API reference for Acrobat 9. Thanks

    Hi,
    Go to: http://livedocs.adobe.com/acrobat_sdk/9/Acrobat9_HTMLHelp/API_References/Acrobat_API_Reference/Digital_Signatures/PubSec.html#kPSSigTrustUntrusted
    and search for DSValidState
    enum DSValidState {
      DSSigBlank = 0,
      DSSigUnknown,
      DSSigInvalid,
      DSSigValid,
      DSSigDoubleChecked,
      DSSigValidStateEnumSize
    };
    and here: http://livedocs.adobe.com/acrobat_sdk/9/Acrobat9_HTMLHelp/API_References/Acrobat_API_Reference/Digital_Signatures/PubSec.html#kPSSigTrustAll
    enum DSSigValState {
      kDSSigValUnknown = 0,
      kDSSigValUnknownTrouble,
      kDSSigValUnknownBytesNotReady,
      kDSSigValInvalidTrouble,
      kDSSigValUnused,
      kDSSigValJustSigned,
      kDSSigValFalse,
      kDSSigValTrue,
      kDSSigValEnumSize
    };
    Regards,
    mwak

  • Using a digital signature in 7.0 after it is created

    I created a digital signature in Acrobat 7.0. I'll use it once to sign a document. When I create a new document and try to sign it, it says my password is incorrect. I know it is not incorrect as I had only created it barely 5 minutes before. And I wrote it down! What is going on? Do I need to recreate a new digital signature for every document I sign? I'm not using third party verification.
    Thank you in advance for your thoughts and advice.

    Most third party signature pads require two things. 
    1.  An Acrobat plug-in
    2.  A device driver to connect the plug-in to device data being used for the signature.
    Which third party Signature Pad are you using and which software are you using in conjunction with the Signature Pad?

  • Digital Signatures and Certificates

    I use Adobe Professional 8,
    I installed a certificate on my computer (certnew.cer) which has my information and stuff on it.. ok so far. We have our own certificate server.
    When I try to apply a signature on a PDF I created, my name is not on the list (Adobe). The only options I have are to create one or import one (.pfx, .p12). I don't mind importing one but it can't import .cer files.
    Testing on another computer, after installing his certificate, his name was shown on the list in adobe.
    Is there something that I can be doing wrong?
    Is there a way to import a .cer file instead of a .pfx, .p12?
    Is there an easy method of converting a .cer to .pfx (.p12) apart from using Windows Drivers Kit?

    A cer file doesn't have a private key. It contains a public key and other certificate data. Signing requires a digital ID which includes both the cert/public key and the private key, and these are usually stored in pfx/p12 files.
    Self-signed digital IDs are inherently less secure, but they can be made more secure if the recipient verifies the cert "thumbprints" that the signer shares ahead of time. . .
    Comprehensive digital signature instructions exist in this doc:
    http://www.adobe.com/devnet/acrobat/pdfs/digsig_user_guide.pdf
    See also other security related docs on:
    http://www.adobe.com/devnet/acrobat/security.html
    ben

  • Confused about digital signatures

    Please refer to this archived thread:
    http://www.adobeforums.com/webx?128@@.59b4d8d6
    I'm researching digital signatures because we have a request form that was created in Acrobat 7.1, and that a user signed by creating his own signature in Reader 8.x. In Acrobat 7.1, I see a message when the file is opened that it has been digitally signed, and it verifies the signature. I'm trying to figure out whether that signature process would satisfy an auditor as to its authenticity.
    But according to the above thread, I'd need at least Acrobat 8.0 to "enable" a PDF to be signed. What does that mean? The form I received, by all appearances, *was* signed. It didn't need a special signature field... the signature was added over a standard text field and it was recognized and authenticated, and appeared in the signature pane in both Acrobat 7.1 and Reader 8+.
    Also, what does the 500 signature limit mean? By what process is it determined how many times a form has been used and signed? There is no tie, as far as I can see, from one copy of the form to another. The user simply saves a copy, fills it out, and sends it in. Many different people use that form (it's a work request form for IS services). Does the 500 limit apply in this scenario?
    If anyone could please advise and point me toward documentation that would help me understand how all this should work, I'd be deeply grateful.

    >But according to the above thread, I'd need at least Acrobat 8.0 to "enable" a PDF to be signed. What does that mean?
    It means that you need to use Acrobat 8.0 Professional or above to prepare a PDF in a special way. If this is not done, Reader cannot sign it.
    > The form I received, by all appearances, *was* signed.
    One possibility is that the person who signed it was not clear about what software they actually have.
    >Also, what does the 500 signature limit mean?
    The EULA gives the legal details that lawyers would apply. It has seemed that each copy used counts towards the 500. If there is ANY POSSIBILITY of this limit being reached it is prudent to use Adobe's server enabling software instead.
    Aandi Inston

  • Digital Signatures for cProjects Approval

    Hi Folks,
    I am on cProjects 4.5 and from what I understand there are 2 options for this based on whether or not I check the "Signature of Approval with User Certificate" box in Project Type config.
    Unchecked - user is prompted for cProjects password and this works fine. Only issue for us is, we are on the portal and most likely cProjects password will be different and unknown to user. As per note 928527 this is standard behavior and tough luck for anybody on the portal.
    Checked - user is given the ability to digitally sign the PDF approval document. When I select "sign" on the PDF I am given the ability to create a new ID or use an existing ID from a file, server etc. I created a new ID and signed the document. Once I do this and click the transfer button the system appears to hang. The progress indicator appears and keeps going.
    Therefore my questions are:
    1. Is there any additional config I need to do in cProjects. ADS or anywhere else?
    2. How exactly does adobe digital signatures work? If anybody simply create a signature how does that provide any verification of authenticity?
    Appreciate any help.
    Thanks,
    Lashan

    Hi,
    please see the Configuration Content for cProjects 4.5 available in SAP Solution Manager and also as PDF attachment to SAP Note 1035436.
    There it says:
    Making Settings for the Approval
    Use
    You can use user certificates for digital signatures of approvals.
    Prerequisites
    ● You are using Microsoft® Internet Explorer 6.0 or higher.
    ● You have a user certificate that is suitable for digital signatures (for example, the single sign-on certificate).
    ● You have installed Adobe® Reader and Adobe Document Services.
    Procedure
    To verify the signature, enter the corresponding root certificate in the certificate list of the Personal Security Environment (PSE, transaction STRUST). For more information, see the documentation for the activity and the Adobe Document Services – Configuration Guide NW 2004s on SAP Service Marketplace at service.sap.com/adobe → Media Library → Documentation.
    In fact, what is described in the ADS documentation referenced above is that you have to install the certificate also on the ADS.
    Kind regards,
       Florian
