Signature is invalid - Invalid Policy Constraint - Certificate from EUTL

Community Beginner ,
May 13, 2021 May 13, 2021

Copy link to clipboard

Copied

Hello,

 

I have a digitally signed document with qualified certificate from EUTL - CA named "First certification authority, a.s." or https://www.ica.cz/.

As of today, signature with this certificate is showing as an Invalid, with error "Invalid Policy Constraint".

Version of my Acrobat Reader DC:  2021.001.20155

 

First, I tried is to turn off "load certificates from AATL server" and only left EUTL turned on in preferences, this did nothing, Acrobat is still showing source of trust obtained from AATL.

 

Second, I found this thread and it seems like in the end nobody solved it. https://community.adobe.com/t5/acrobat/previously-valid-signing-certificate-shows-invalid-policy-con...

 

Since this is policy constraint error, here I share the policies from root cert. in chain.

I also attached signed file.

Multiple certificates from different persons are returning this error.

policyError.PNG

  

Could you give me some advice how to solve this?

 

Kind regards,

John

TOPICS
Security digital signatures and esignatures

Views

1.4K

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 2 Correct answers

Explorer , Oct 05, 2021 Oct 05, 2021
The real problem here is, that certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical. When you first load EUTL, addressbook.acrodata contains:/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/and the signature is verified according to EUTL. However, the default is to load AATL first, which results in addressbook.acrodata containing:/Editable true/ID ..../Source[(AATL)(EUTL)]/and the signature fails ...

Likes

Translate

Translate
Engaged , Oct 06, 2021 Oct 06, 2021
That would explain why it works for me. Indeed, I have /Source[(EUTL)(AATL)] for that certificate.But looking at the OP's screen shot the root certificate is selected and displays the inappropriate policy constraints, it looks like in his case the CA certificate was not trusted at all, neither AATL nor EUTL. Or is the CA not taken as a trust anchor in his case because of the unfulfilled AATL policy constraints?

Likes

Translate

Translate
Engaged ,
May 15, 2021 May 15, 2021

Copy link to clipboard

Copied

I have opened your PDF in Acrobat Reader here and got a "Signed and all signatures are valid." I even updated Adobe Reader to the same version 2021.001.20155 and explicitly updated the trust list information.

An interesting difference to your screen shot, though: Here the certificate path is only displayed up to the intermediary qualified CA certificate, not the root CA certificate. This suffices as that intermediary CA certificate already is trusted by the AATL and/or EUTL.

Thus, it looks like this is not a general issue but one specific to your configuration. Have you or has your system administrator changed relevant trust settings in a way that the intermediary CA certificate is not trusted directly anymore but trust requires the root CA certificate?

Indeed, that root CA certificate in the Adobe Reader trust settings is associated with the policy requirements you see in your screen shot, i.e. 0.4.0.2042.1.2 (NCP+), 0.4.0.194112.1.2 (QCP-n-qscd), or 0.4.0.194112.1.3 (QCP-l-qscd). But the end entity certificate in your certificate chain only has the related policy 0.4.0.194112.1.0 (QCP-n). Thus, if trust is based on the root CA, that end entity certificate does not fulfill the associated policy requirements.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Jun 10, 2021 Jun 10, 2021

Copy link to clipboard

Copied

I've solved it.

Problem was in addressbook.acrodata

 

I've deleted whole directory of "%appdata%\Adobe\Acrobat"

Then manually updated AATL and EUTL list in Acrobat in Edit > Preferences > Trust Manager

 

And it's validating signatures correctly now. Even it shows EUTL server in validated signature detail, before it showed only AATL.

Probably some update of Acrobat Reader DC from last 2 months did this, because I have multiple computers with same problem.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 05, 2021 Oct 05, 2021

Copy link to clipboard

Copied

The real problem here is, that certificate issuer "I.CA Qualified 2 CA/RSA 02/2016" is registered both in AATL and in EUTL, but the registrations are not identical.

 

When you first load EUTL, addressbook.acrodata contains:

/Country(CZ)/Editable true/Enabled true/ID ..../Source[(EUTL)(AATL)]/

and the signature is verified according to EUTL.

 

However, the default is to load AATL first, which results in addressbook.acrodata containing:

/Editable true/ID ..../Source[(AATL)(EUTL)]/

and the signature fails verification with Invalid policy constraint

 

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Oct 06, 2021 Oct 06, 2021

Copy link to clipboard

Copied

That would explain why it works for me. Indeed, I have /Source[(EUTL)(AATL)] for that certificate.

But looking at the OP's screen shot the root certificate is selected and displays the inappropriate policy constraints, it looks like in his case the CA certificate was not trusted at all, neither AATL nor EUTL. Or is the CA not taken as a trust anchor in his case because of the unfulfilled AATL policy constraints?

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 06, 2021 Oct 06, 2021

Copy link to clipboard

Copied

Certificate for "I.CA Qualified 2 CA/RSA 02/2016" is directly trusted in EUTL, so "I.CA Root CA/RSA" is not even considered/displayed and its policy constraints are ignored when EUTL is checked first.

 

However, when AATL is checked first, Acrobat shows, that only "I.CA Root CA/RSA" is directly trusted in AATL, but for "I.CA Qualified 2 CA/RSA 02/2016" it shows "Source of trust obtained from AATL". Thus policy constraints from root CA now apply down the certification path and are not fulfilled by the signing certificate.

 

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Oct 06, 2021 Oct 06, 2021

Copy link to clipboard

Copied

Ah, ok, so you actually meant that the CA certificate is implicitly registered via its issuer, the root. I first though you meant that the CA certificate was explicitly registered on the AATL...

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Oct 06, 2021 Oct 06, 2021

Copy link to clipboard

Copied

Well, Source[(EUTL)(AATL)] means it is explicitly registered on AATL, but it's not flagged as direct trust anchor there.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Oct 22, 2021 Oct 22, 2021

Copy link to clipboard

Copied

First of all, thank you for looking into it, you and @MikelKlink .

My knowledge about this topic is near zero, do you have any good documentation or links where I can read up on all this stuff?

 

Problem is, I have a new problem with other document signed also with qualified certificate, with root from I.CA.

And now, nothing helps and it shows invalid cert.

 

Also, I will try message to I.CA if they can do something with this.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Oct 22, 2021 Oct 22, 2021

Copy link to clipboard

Copied

quote

Problem is, I have a new problem with other document signed also with qualified certificate, with root from I.CA.

And now, nothing helps and it shows invalid cert.

 

Can you share this PDF for analysis, too?

 

quote

My knowledge about this topic is near zero, do you have any good documentation or links where I can read up on all this stuff?

 

What exactly do you mean by "this topic"? Do you mean all things related to validation of digital signatures? Or do you merely mean the limitations of Adobe's handling of trust lists?

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Nov 12, 2021 Nov 12, 2021

Copy link to clipboard

Copied

>Or do you merely mean the limitations of Adobe's handling of trust lists

 

This, everything about AATL and EUTL and is it somewhere documented more technically?

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Engaged ,
Nov 13, 2021 Nov 13, 2021

Copy link to clipboard

Copied

LATEST

Well, I found out about the limitations of Adobe's handling of trust lists here in this thread and similar threads or bug reports here or there.

Even if you merely want to find out about the AATL and the EUTL in general on a technical level, I'm not aware of any public Adobe documentation.

The situation changes as soon as you become interested in the sources from which Adobe's EUTL is fed, the EU trusted lists, as there is a lot of public specifications by ETSI available online.

Therefore my question what exactly you want to know.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines