Reputation: 1
I get a SigningCertificateCertsNotInCertPathException when validating an XAdES. The file is signed using a certificate that has an intermediate cert and a root cert.
The section xades:SigningCertificate in the XAdES file contains the three certs. If I build the XAdES with only the personal cert in xades:SigningCertificate (using false in FileSystemKeyStoreKeyingDataProvider.returnFullChain), the validation runs OK, but not with the three certs in xades:SigningCertificate...
Debugging the library, I see that certChainData.getCertificateChain() in method 'verify' of SigningCertificateVerifier.java only contains 2 certs: the personal and intermediate certs, but no root cert. I think this could be the reason why SigningCertificateCertsNotInCertPathException arises, but really I don't know.
How must I validate the XAdES with the three certs in the xades:SigningCertificate section? My code is this:
import java.io.FileInputStream;
import java.io.FileReader;
import java.security.KeyStore;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.impl.FileSystemDirectoryCertStore;
import xades4j.providers.impl.PKIXCertificateValidationProvider;
import xades4j.utils.DOMHelper;
import xades4j.verification.XAdESVerificationResult;
import xades4j.verification.XadesVerificationProfile;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new FileReader(SIGNED)));
DOMHelper.useIdAsXmlId(doc.getDocumentElement());
NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");
FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore(CERT_FOLDER);
// Trust anchors: every certificate in this key store is treated as a trust root.
KeyStore ks;
try (FileInputStream fis = new FileInputStream(CERT_FOLDER + KEY_STORE)) {
    ks = KeyStore.getInstance("jks");
    ks.load(fis, PASS.toCharArray());
}
// Second argument false: revocation checking disabled; certStore supplies intermediates.
CertificateValidationProvider provider = new PKIXCertificateValidationProvider(
        ks, false, certStore.getStore());
XadesVerificationProfile profile = new XadesVerificationProfile(provider);
Element sigElem = (Element) nl.item(0);
XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);
In CERT_FOLDER, I have the two .cer files (root and intermediate certs).
In the KEY_STORE file, I have the three certificates:
Tipo de Almacén de Claves: PKCS12
Proveedor de Almacén de Claves: SUN
Su almacén de claves contiene 3 entradas
personal, 09-dic-2021, PrivateKeyEntry,
Huella Digital de Certificado (SHA1): D8:25:0E:AA:...
intermedio, 09-dic-2021, trustedCertEntry,
Huella Digital de Certificado (SHA1): 80:8B:72:E4:...
raiz, 09-dic-2021, trustedCertEntry,
Huella Digital de Certificado (SHA1): EC:50:35:07:...
Upvotes: 0
Views: 162
Reputation: 2090
If the intermediate certificate is also on the trusted key store (ks) supplied to PKIXCertificateValidationProvider, then you're saying that it can be used as a trust root. During verification, it will be possible to build a certification path consisting of personal < intermedio, as the latter is trusted, so no need to keep going.
If your trust root is raiz, then ks should only contain this certificate.
Upvotes: 0
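The path-building behaviour the answer describes, as an added example that is not part of the question or of xades4j: a small Python model that builds a chain from a constructed raiz/intermedio/personal hierarchy, stops at the first trust anchor, and then runs the xades:SigningCertificate membership check. It assumes the cryptography package; including the anchor in the returned chain mirrors the two-cert chain the question observed when the intermediate was trusted.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(name, key, issuer_name, issuer_key, is_ca):
    """Issue a constructed test certificate (self-signed when issuer == subject)."""
    now = datetime.datetime(2021, 12, 9, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_name)]))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_chain(leaf, intermediates, trust_anchors):
    """Follow issuer links from the leaf and stop at the first trust anchor.
    As in the chain the question observed, the anchor itself is included."""
    by_subject = {c.subject: c for c in intermediates + trust_anchors}
    chain, cert = [leaf], leaf
    while True:
        issuer = by_subject.get(cert.issuer)
        if issuer is None:
            raise ValueError("no issuer for " + cert.subject.rfc4514_string())
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        chain.append(issuer)
        if issuer in trust_anchors:  # PKIX stops here: no need to keep going
            return chain
        cert = issuer

def missing_from_path(signing_certificate, chain):
    """Certs listed in xades:SigningCertificate but absent from the built path.
    A non-empty list is the SigningCertificateCertsNotInCertPathException case."""
    return [c for c in signing_certificate if c not in chain]

# Constructed three-level chain named like the question's keystore entries.
root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
raiz = make_cert("raiz", root_key, "raiz", root_key, True)
intermedio = make_cert("intermedio", inter_key, "raiz", root_key, True)
personal = make_cert("personal", leaf_key, "intermedio", inter_key, False)
signing_certificate = [personal, intermedio, raiz]  # all three listed in the XAdES

def check(trust_anchors):
    """Return (subjects in the built path, subjects the SigningCertificate check misses)."""
    chain = build_chain(personal, [intermedio], trust_anchors)
    names = lambda certs: [c.subject.rfc4514_string() for c in certs]
    return names(chain), names(missing_from_path(signing_certificate, chain))
```

With only raiz trusted the path covers all three listed certs; with intermedio also trusted the path ends early and raiz is reported as missing, which is the exception the question hit.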