Xades4J Error on validating a signature: Verification failed for property 'SigningCertificate': Property contains too many certificates

StackOverflow https://stackoverflow.com/questions/12477044

02-07-2021

Question

When I validate a signature that I created before using the same keystore (and XA), the following exception arises:

Verification failed for property 'SigningCertificate': SigningCertificate property contains one or more certificates that are not part of the certification path.

I'm using the following cert-chain:

  1. root-CA (globalsign),
  2. intermediate certificate
  3. company certificate
  4. project certificate

All certificates are stored in the used keystore.

However, when trying the same thing with only a self-signed certificate, it worked; I just needed to put the certificate in the certs-and-crls directory, too.

KeyingDataProvider:

new FileSystemKeyStoreKeyingDataProvider(KeyStore.getDefaultType(),
    "D:\...\signing.keystore",          // keystore holding the signing key and its chain
    new FirstCertificateSelector(),      // sign with the first certificate entry found
    new DirectStorePasswordProvider("pass"),
    new DirectKeyPasswordProvider("pass"),
    true);                               // return the full chain, not just the signing cert

CertificateValidationProvider:

// directory of intermediate certificates (and CRLs) used to build the path
FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore("D:\...\certs");
CertificateValidationProvider certValidator = new PKIXCertificateValidationProvider(
        loadKeystore(),   // trust anchors
        false,            // revocation checking; should be true, when validation works.
        certStore.getStore());

private KeyStore loadKeystore() {
    // deleted exception handling for readability, here
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream keystoreInStream = new FileInputStream("D:\...\verification.keystore");
    keyStore.load(keystoreInStream, "pass".toCharArray());
    return keyStore;
}

Feedback on keystores

The signing keystore contains all 4 certificates. The verification keystore contains only the root certificate (globalsign-root-ca). The certs directory contains all certificates but the root (globalsign-root-ca). Then I get the following error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When using the same keystore as for signing (a file-system-copy) then I get the error:

Caused by: xades4j.verification.SigningCertificateCertsNotInCertPathException: Verification failed for property 'SigningCertificate': SigningCertificate property contains one or more certificates that are not part of the certification path.


Solution

I finally figured it out (i.e. a colleague helped me). The certificate/key (#3) that I used to sign my self-created keypair (#4) was not allowed to sign other certificates. Although creating the signature was possible without any error, I got the error message unable to find valid certification path to requested target when verifying the signature, which was pretty misleading.

As a 'solution', I only used certificates #1-3, and used the private key of #3 to create the signature.

@lgoncalves thanks for your enduring help.

P.S.: I get the same error message with my working setup, when I configure CRLs enabled, but do not provide all of them (i.e. one CRL issued by #2 and one issued by #1, when verifying a signature generated with #3).
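The root cause described in this answer (an issuer certificate that is not permitted to sign other certificates) only surfaces as a generic "unable to find valid certification path" during verification. The following is an added example, not code from the question or from xades4j, that checks each link of a chain for the basicConstraints cA flag and the keyCertSign key usage before attempting the same PKIX path build that PKIXCertificateValidationProvider performs. The class and method names are hypothetical; the chain is assumed to be ordered leaf-first, and the trust-anchor KeyStore to be loaded as in the question.

```java
import java.security.KeyStore;
import java.security.cert.*;
import java.util.List;

public class ChainPrecheck {
    // Hypothetical helper: returns why 'issuer' may not have issued 'subject',
    // or null when the link is acceptable for PKIX path building.
    static String whyIssuerCannotSign(X509Certificate subject, X509Certificate issuer) {
        if (!subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
            return "issuer DN of subject does not match issuer's subject DN";
        // getBasicConstraints() is -1 when the extension is absent or cA is false
        if (issuer.getBasicConstraints() < 0)
            return "issuer " + issuer.getSubjectX500Principal() + " is not a CA (basicConstraints cA != true)";
        // keyUsage bit 5 is keyCertSign; a null array means no keyUsage extension, which is allowed
        boolean[] ku = issuer.getKeyUsage();
        if (ku != null && (ku.length <= 5 || !ku[5]))
            return "issuer lacks the keyCertSign key usage";
        try {
            subject.verify(issuer.getPublicKey());   // cryptographic check of the link
        } catch (Exception e) {
            return "subject signature does not verify with issuer key: " + e.getMessage();
        }
        return null;
    }

    // Reports the first bad link in a leaf-first chain, then runs a PKIX path build
    // against the given trust anchors (same JDK machinery xades4j uses for validation).
    static void precheck(List<X509Certificate> chain, KeyStore trustAnchors,
                         boolean revocationEnabled) throws Exception {
        for (int i = 0; i + 1 < chain.size(); i++) {
            String reason = whyIssuerCannotSign(chain.get(i), chain.get(i + 1));
            if (reason != null)
                throw new CertificateException("chain link " + i + " -> " + (i + 1) + ": " + reason);
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));              // the signing (leaf) certificate
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        // With revocation enabled, a CRL for every issuer in the path must also be in a CertStore,
        // otherwise the build fails with the same "unable to find valid certification path" message.
        params.setRevocationEnabled(revocationEnabled);
        CertPathBuilder.getInstance("PKIX").build(params); // throws CertPathBuilderException on failure
    }
}
```

Running the link check before the path build turns the misleading builder error into a message naming the offending certificate.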

Licensed under: CC-BY-SA with attribution