moi glez

Reputation: 1

xades4j validation error: SigningCertificate property contains one or more certificates that are not part of the certification path

I get a SigningCertificateCertsNotInCertPathException when validating a XAdES. The file is signed using a certificate that has an intermediate cert and a root cert:

The section xades:SigningCertificate in the XAdES file contains the three certs. If I build the XAdES with only the personal cert in xades:SigningCertificate (using false in FileSystemKeyStoreKeyingDataProvider.returnFullChain), the validation runs OK, but not with the three certs in xades:SigningCertificate...

Debugging the library, I see that certChainData.getCertificateChain() in method 'verify' of SigningCertificateVerifier.java only contains 2 certs: the personal and intermediate certs, but no root cert. I think this could be the reason why SigningCertificateCertsNotInCertPathException arises, but really I don't know.

How must I validate the XAdES with the three certs in the xades:SigningCertificate section? My code is this:

    import java.io.FileInputStream;
    import java.io.FileReader;
    import java.security.KeyStore;
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.DocumentBuilderFactory;
    import org.w3c.dom.Document;
    import org.w3c.dom.Element;
    import org.w3c.dom.NodeList;
    import org.xml.sax.InputSource;
    import xades4j.providers.CertificateValidationProvider;
    import xades4j.providers.impl.FileSystemDirectoryCertStore;
    import xades4j.providers.impl.PKIXCertificateValidationProvider;
    import xades4j.utils.DOMHelper;
    import xades4j.verification.XAdESVerificationResult;
    import xades4j.verification.XadesVerificationProfile;

    // SIGNED, CERT_FOLDER, KEY_STORE and PASS are String constants defined elsewhere
    public static void verify() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true); // needed so ds:Signature is found by namespace
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new FileReader(SIGNED)));
        DOMHelper.useIdAsXmlId(doc.getDocumentElement()); // let Id attributes resolve as ID references

        NodeList nl = doc.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#", "Signature");

        // Intermediate certificates (and CRLs) made available for path building
        FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore(CERT_FOLDER);

        // Trust anchors: every trusted certificate entry in this store is a trust root
        KeyStore ks;
        try (FileInputStream fis = new FileInputStream(CERT_FOLDER + KEY_STORE)) {
            ks = KeyStore.getInstance("jks");
            ks.load(fis, PASS.toCharArray());
        }

        CertificateValidationProvider provider = new PKIXCertificateValidationProvider(
                ks, false, certStore.getStore()); // false: revocation checking disabled
        XadesVerificationProfile profile = new XadesVerificationProfile(provider);
        Element sigElem = (Element) nl.item(0);

        XAdESVerificationResult r = profile.newVerifier().verify(sigElem, null);
    }

In CERT_FOLDER, I have the two .cer files (root and intermediate certs)

In the KEY_STORE file, I have the three certificates:

Tipo de Almacén de Claves: PKCS12
Proveedor de Almacén de Claves: SUN
Su almacén de claves contiene 3 entradas
  personal, 09-dic-2021, PrivateKeyEntry,
  Huella Digital de Certificado (SHA1): D8:25:0E:AA:...
  intermedio, 09-dic-2021, trustedCertEntry,
  Huella Digital de Certificado (SHA1): 80:8B:72:E4:...
  raiz, 09-dic-2021, trustedCertEntry,
  Huella Digital de Certificado (SHA1): EC:50:35:07:...

Upvotes: 0

Views: 162

Answers (1)

lgoncalves

Reputation: 2090

If the intermediate certificate is also on the trusted key store (ks) supplied to PKIXCertificateValidationProvider, then you're saying that it can be used as a trust root. During verification, it will be possible to build a certification path consisting of personal < intermedio, as the latter is trusted, so no need to keep going.

If your trust root is raiz, then ks should only contain this certificate.

Upvotes: 0
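An added example (not code from the question or from xades4j) showing the effect the answer describes with the JDK's own PKIX builder: with the full key store, whose trustedCertEntry entries are intermedio and raiz, path building stops at intermedio, whereas a trust store holding only raiz yields the three-certificate chain. It assumes the aliases personal, intermedio and raiz from the keytool listing, a PKCS12 store at a placeholder path and password, and Java 9 or later for List.of.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.List;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.impl.PKIXCertificateValidationProvider;

public class TrustRootOnly {
    static final String KEY_STORE = "keystore.p12"; // placeholder path
    static final String PASS = "changeit";          // placeholder password
    /** Empty in-memory trust store holding only the named certificate of 'full'. */
    static KeyStore trustOnly(KeyStore full, String alias) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry(alias, full.getCertificate(alias));
        return trust;
    }

    /** PKIX path length for 'leaf', counting the trust anchor the JDK leaves out of CertPath. */
    static int chainLength(KeyStore trust, CertStore intermediates, X509Certificate leaf)
            throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        // Only trusted certificate entries of 'trust' become anchors; PrivateKeyEntry is ignored
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(intermediates);
        params.setRevocationEnabled(false); // same 'false' as in the question
        PKIXCertPathBuilderResult res = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        return res.getCertPath().getCertificates().size() + 1;
    }

    public static void main(String[] args) throws Exception {
        KeyStore full = KeyStore.getInstance("PKCS12");
        try (FileInputStream fis = new FileInputStream(KEY_STORE)) {
            full.load(fis, PASS.toCharArray());
        }
        X509Certificate leaf = (X509Certificate) full.getCertificate("personal");
        CertStore intermediates = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(List.of(full.getCertificate("intermedio"))));
        // intermedio and raiz both trusted: the builder stops at intermedio, chain of 2
        System.out.println("both trusted: " + chainLength(full, intermediates, leaf));
        // only raiz trusted: personal -> intermedio -> raiz, chain of 3
        KeyStore rootOnly = trustOnly(full, "raiz");
        System.out.println("root only:    " + chainLength(rootOnly, intermediates, leaf));
        // Provider to hand to XadesVerificationProfile with raiz as the sole trust root
        CertificateValidationProvider provider =
                new PKIXCertificateValidationProvider(rootOnly, false, intermediates);
    }
}
```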
