
Problem on CRLs


Level 4

hi...

I am working on a process for Digital Signature Verification. I am facing a problem with CRLs. I imported the CRL of a CA and the CA certificate into the Trust Store. I am signing with a revoked certificate. Though the output I am getting is an invalid signature, for the revocation information the result is "No valid CRL found".

<revocationInformation>
  <status>Trouble</status>
  <statusMessage>ALC-DSS-112-015: No Valid CRL found</statusMessage>
</revocationInformation>

Can anyone tell me where I am making a mistake? Is there some problem with the CRL or some problem in configuring the CRL?

I also want to know how the basic verification of a digital signature is carried out. To be specific, when is the Trust Store checked for the CA, and what happens if a particular CA's certificate is not available in our trust store?

Any pointers will be highly appreciated.

Thanks and Regards,

Ambika Mittal

8 Replies


Former Community Member

Check the "CRL Option Spec" properties of your "Verify PDF Signature" operation. There is a parameter called "Consult Local URI First".

I believe this tells Digital Signatures ES to check the (local) CRL stored in the Trust Store.

From the Workbench help...

CRL Options Spec

(Optional) A CRLOptionSpec value that represents the certificate revocation list (CRL) preferences if revocation checking using CRLs is to be done. If you provide a literal value, specify the following options.

Consult Local URI First: A boolean value that specifies whether the CRL location provided as the local URI should be given preference over any specified locations within a certificate for the purpose of revocation checking. The default is False.

Local URI for CRL Lookup: A string value that represents the URL for the local CRL store. This value is used only if the Consult Local URI First setting is True.

For your other question...

"I also want to know how the basic verification of a digital signature is carried out. To be specific, when is the Trust Store checked for the CA, and what happens if a particular CA's certificate is not available in our trust store?"

Anytime a "Verify PDF Signature" operation is used, the Trust Store will be checked for the relevant certificates. If the certificate is not in the Trust Store then the "signerStatus" attribute of the PDFSignatureVerificationResult object (returned by Verify PDF Signature) will be "UNKNOWN". Assuming the document has not changed since the signature was applied, the "signatureStatus" would be "VALIDANDUNMODIFIED".

Regards

Steve


Level 4

Hi Steve,

Thanks for your reply. This helped me, but I have a doubt.

"Local URI for CRL Lookup: A string value that represents the URL for the local CRL store. This value is used only if the Consult Local URI First setting is True."

Is the local CRL store the CRL cache on every machine?

Thanks and Regards,

Ambika


Former Community Member

As far as I know, the "Local URI for CRL lookup" is referring to the location of the locally stored CRL on the server. The CRL is stored in the Trust Store.

There is a local cache for CRLs on the client system as well, but this is only used when signatures are being validated on the client (by Acrobat or Reader).

FYI, the location on the client is C:\Documents and Settings\userprofile\Application Data\Adobe\Acrobat\9.0\Security\CRLCache

Regards

Steve


Level 4

hi Steve,

Thanks for your prompt response. But my problem is not yet solved. I have a valid CRL and the CA root certificate in the Trust Store, but still the revocation information is showing "No valid CRL found".

This time I unchecked the local URI, but still in the revocation information it's showing "No valid CRL found". Is the LDAP server URL required?

Regards

Ambika


Employee

Hi Ambika,

If the CRLdp in the certificate is something like ldap://xyz.com/xyz.crl,

import the above CRL into the trust store with the CRLdp as the alias, i.e. provide the alias as "ldap://xyz.com/xyz.crl".

HTH

Santosh


Level 4

hi Santosh,

Thanks for your reply.

I want to confirm: does CRLdp mean CRL distribution point?

And can you please explain to me how changing the alias name to the CRLdp works?

Thanks and Regards,

Ambika


Employee

Hi Ambika,

Yes, CRLdp means CRL distribution point.

If local CRLs are not used, the LC Digital Signatures service directly fetches the CRL online by contacting the HTTP or LDAP server at the URL http://<path to CRL> or ldap://<path to CRL> as mentioned in the certificate. But if local CRLs are used, LC Digital Signatures does not parse each and every CRL in the database to identify the correct file (for performance reasons).

If the CRL is imported with an alias equal to the CRLdp string, LC Digital Signatures compares the string in the certificate to the alias and starts further processing to check whether it has been issued by a trusted issuer.

--Santosh
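The lookup Santosh describes (the certificate's CRL distribution point string is matched against the import alias, and only then is the CRL checked against the trusted issuer) can be reproduced end to end with the Go standard library. The following is an added illustration written for this thread; it is not Adobe LiveCycle code and makes no claim about how the product is implemented internally. It builds a throwaway CA, a signing certificate that the CA has revoked, and the CA's CRL entirely in memory (all constructed, with the `ldap://xyz.com/xyz.crl` value from the thread as the CRLdp), then models the trust store as a map from alias to DER-encoded CRL. The names `LocalCRLStore`, `CheckRevocation`, `NewFixture` and `ErrNoValidCRL` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrNoValidCRL carries the status message quoted in the question.
var ErrNoValidCRL = errors.New("ALC-DSS-112-015: No Valid CRL found")

// LocalCRLStore stands in for the trust store: DER-encoded CRLs keyed by the alias
// chosen at import time (a modelling assumption of this example).
type LocalCRLStore map[string][]byte

// CheckRevocation performs the local lookup as the thread describes it: the CRL
// distribution point string from the certificate is used as the alias, and only a CRL
// that parses, is signed by the trusted issuer and is still current is consulted.
// It reports whether the certificate is revoked, or ErrNoValidCRL if no usable CRL matched.
func CheckRevocation(store LocalCRLStore, leaf, issuer *x509.Certificate, now time.Time) (bool, error) {
	for _, dp := range leaf.CRLDistributionPoints {
		der, ok := store[dp] // the alias must equal the CRLdp string exactly
		if !ok {
			continue
		}
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			continue
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
			continue // not issued by the trusted CA, or no longer current
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return true, nil
			}
		}
		return false, nil
	}
	return false, ErrNoValidCRL
}

// Fixture is a constructed CA, a signing certificate the CA has revoked, and the CA's CRL.
type Fixture struct {
	Issuer *x509.Certificate
	Leaf   *x509.Certificate
	CRLDER []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewFixture builds the constructed PKI in memory. The leaf certificate names dpURI as
// its CRL distribution point, and the CRL lists the leaf's serial number as revoked.
func NewFixture(dpURI string) *Fixture {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is needed to sign the CRL
	}
	issuer := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))

	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{dpURI}, // the CRLdp the verifier will read back
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey))))

	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, issuer, caKey))
	return &Fixture{Issuer: issuer, Leaf: leaf, CRLDER: crlDER}
}

func main() {
	const dp = "ldap://xyz.com/xyz.crl" // the CRLdp value used in the thread
	f := NewFixture(dp)
	// Same CRL imported twice: once under the CRLdp string, once under a short name.
	for label, store := range map[string]LocalCRLStore{
		"alias = CRLdp":   {dp: f.CRLDER},
		"alias = xyz.crl": {"xyz.crl": f.CRLDER},
	} {
		revoked, err := CheckRevocation(store, f.Leaf, f.Issuer, time.Now())
		fmt.Printf("%-16s revoked=%v err=%v\n", label, revoked, err)
	}
}
```

Running it shows the two outcomes from the thread side by side: with the alias equal to the CRLdp the revoked signer is detected; with any other alias the very same CRL is never found and the result is the "No Valid CRL found" status. The issuer signature check and the NextUpdate check are what make a matching alias insufficient on its own: a CRL imported under the right alias but signed by a CA that is not in the trust store, or one that has gone stale, is also rejected.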