Re: Signature validation in Word 2010 failed on another computer


Rodolphe Cardon

Nov 30, 2012, 9:47:18 AM
to eid...@googlegroups.com

Rodolphe Cardon

Mar 27, 2013, 4:32:24 AM
to eid...@googlegroups.com
Good news: this issue was fixed in mso.dll by Microsoft and is automatically installed with the security patch KB2687501: http://support.microsoft.com/kb/2687501. This fix was installed on my own computer in February 2013.
The bug is fixed in mso.dll version 14.0.6129.5000 (20 October 2012). To know the version of this file on your computer, open Word 2010 and go to Menu File -> Help -> Additional Version and Copyright Information -> System info -> Software environment -> Loaded modules -> Name = "mso"
Ref: http://support.microsoft.com/kb/2760386/en-us Description of the Office 2010 hotfix package (Mso-x-none.msp): October 30, 2012
“Assume that you create a digitally-signed document when the certificate and time stamp are still valid. However, after the certificate is revoked or expired, and if the full certificate chain is not located on the computer, the signature is displayed as an invalid signature.”

On Tuesday, November 6, 2012 at 09:39:27 UTC+1, Rodolphe Cardon wrote:
Hello,
 
We have an issue with the validation of signatures with Microsoft Word 2010.
 
The following scenario is used:
  1. A simple .docx document is signed on computer A using MS Word 2010. The signature is automatically in XAdES-X-L format (OCSP, timestamp and full certificate chain are included).
  2. The signed document is opened on computer B using MS Word 2010. The signature appears as invalid.
    1. The signature panel displays the signature as 'Recoverable error'.
    2. When showing the Signature details, the window shows: "Certificate not trusted - Cannot verify certificate revocation status. Check your network connection. Signature Type: XAdES-X-L."
    3. When showing the Certificate detail (button 'View...' in the 'Signature details' window): the window shows: 'Windows does not have enough information to verify this certificate' for the end user certificate. The tab 'certification path' contains only one certificate (the end user certificate) with status 'The issuer of this certificate could not be found.'
Workaround: the matching 'Citizen CA' certificate is copied from http://repository.eid.belgium.be/ (or from computer A), and installed in the intermediate CA of the certificate store of computer B. Then, the signature appears as valid in Word 2010.
The installation of all 'Citizen CA' certificates (and Foreign CA) can be a workaround for the short term, but is difficult to manage (there are 95 Citizen CA certificates until now).
 
Remark: If we rename signed .docx to .zip, and open the XAdES signature in Notepad, we can see that the Citizen CA is well embedded in the XAdES signature.
 
If you experience the same problem or if you succeed to validate the documents in attachment, please let me know.
In attachment, you will find two examples of signed documents. As a workaround, you will need to install the Citizen CA 201108 and Citizen CA 201207 certificates from http://repository.eid.belgium.be/certificates.php?cert=Citizen to validate both signatures.
 
Thank you,
 
Rodolphe Cardon
Ministry of Defence
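
Added example, not part of the original posts: a Python sketch that automates the "rename to .zip and open the signature" check from the remark above by listing every certificate embedded in a signed .docx with its SHA-1 thumbprint, which can be compared with the thumbprint Windows shows for the Citizen CA certificate. It assumes the signature parts are stored under `_xmlsignatures/` as XML; the sample package and its certificate bytes are constructed placeholders.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET

# Local names of elements whose text is a base64 DER certificate:
# ds:X509Certificate (KeyInfo) and xades:EncapsulatedX509Certificate (CertificateValues).
CERT_ELEMENTS = {"X509Certificate", "EncapsulatedX509Certificate"}

def embedded_certs(package):
    """Return (part, element, sha1_thumbprint, der_length) for each embedded certificate."""
    found = []
    with zipfile.ZipFile(package) as z:
        for name in z.namelist():
            # Assumption: signature parts live under _xmlsignatures/ as *.xml
            if not (name.startswith("_xmlsignatures/") and name.endswith(".xml")):
                continue
            data = z.read(name)
            if b"<!DOCTYPE" in data:  # a signature part needs no DTD; skip entity tricks
                continue
            for el in ET.fromstring(data).iter():
                local = el.tag.rsplit("}", 1)[-1]  # ignore the namespace prefix
                if local in CERT_ELEMENTS and el.text:
                    der = base64.b64decode("".join(el.text.split()))
                    thumb = hashlib.sha1(der).hexdigest().upper()
                    found.append((name, local, thumb, len(der)))
    return found

def build_sample():
    """Constructed package; the byte strings are placeholders, not real certificates."""
    signer, issuer = b"constructed-signer-cert", b"constructed-citizen-ca-cert"
    b64 = lambda b: base64.b64encode(b).decode()
    sig = (
        '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" '
        'xmlns:xd="http://uri.etsi.org/01903/v1.3.2#">'
        f'<KeyInfo><X509Data><X509Certificate>{b64(signer)}</X509Certificate></X509Data></KeyInfo>'
        '<Object><xd:CertificateValues>'
        f'<xd:EncapsulatedX509Certificate>{b64(issuer)}</xd:EncapsulatedX509Certificate>'
        '</xd:CertificateValues></Object></Signature>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w/>")
        z.writestr("_xmlsignatures/sig1.xml", sig)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for row in embedded_certs(build_sample()):
        print(*row)
```

For a real document, pass the path of the signed .docx to `embedded_certs`.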