CertificateValidationProvider must return a ValidationData with the certificate chain that validates the certificate represented by the supplied CertSelector. As described in the documentation, the certificates on ValidationData should be in order, namely, the first certificate should be the signing certificate.
When validating a TS token, the signing certificate is the TSA's certificate. When CertificateValidationProvider
is asked to do the validation with a CertSelector, it must return the TSA cert in the first position of the chain. The TS validation code will assume that it is in the first position, as documented.
In your validation code you're picking all the certificates in the signature. That list is not a valid certificate chain for ALL the needed certificate validations. Eventually, the TSA certificate won't even be present on the signature.
I think you'll need to change your CertificateValidationProvider implementation to return, at least, the appropriate certificate in the first position. Let me know if this helps.
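An added example (not code from the reply above or from the xades4j project) of a provider that satisfies the contract described here: instead of handing back every certificate found in the signature, it builds a chain with the JDK's PKIX CertPathBuilder for whichever certificate the selector asks for (the signer's or, during time-stamp validation, the TSA's), so the selected certificate is always the first element of the returned ValidationData. The interface method signature, the ValidationData(List) constructor and the CannotBuildCertificationPathException constructor are assumptions about the xades4j 1.x API; the KeyStore of trust anchors is a constructed input.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;

import xades4j.providers.CannotBuildCertificationPathException;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;

/**
 * Example provider (assumed xades4j 1.x interface shape): builds an ordered
 * chain for the certificate matched by the selector rather than returning
 * every certificate present in the signature.
 */
public class PkixChainValidationProvider implements CertificateValidationProvider {

    // Constructed input: a KeyStore whose trusted-certificate entries are the trust anchors.
    private final KeyStore trustAnchors;

    public PkixChainValidationProvider(KeyStore trustAnchors) {
        this.trustAnchors = trustAnchors;
    }

    @Override
    public ValidationData validate(X509CertSelector certSelector, Date validationDate,
                                   Collection<X509Certificate> otherCerts)
            throws CertificateValidationException {
        try {
            // The selector is the chain target: signer cert for the signature,
            // TSA cert when a time-stamp token is being validated.
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, certSelector);
            params.setDate(validationDate);
            // Revocation checking is out of scope for this example; a real provider
            // would enable it or supply CRLs/OCSP responses with the chain.
            params.setRevocationEnabled(false);

            // Intermediate certificates carried in the signature (or elsewhere) are
            // only candidates; the builder picks the ones that actually link up.
            if (otherCerts != null && !otherCerts.isEmpty()) {
                params.addCertStore(CertStore.getInstance("Collection",
                        new CollectionCertStoreParameters(otherCerts)));
            }

            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);

            // A CertPath lists certificates from the target up to, but excluding,
            // the trust anchor: exactly the "target first" order the caller expects.
            List<X509Certificate> chain = new ArrayList<>();
            for (Certificate c : result.getCertPath().getCertificates()) {
                chain.add((X509Certificate) c);
            }
            chain.add(result.getTrustAnchor().getTrustedCert());
            return new ValidationData(chain);
        } catch (GeneralSecurityException e) {
            // Assumed constructor: (X509CertSelector, String, Throwable).
            throw new CannotBuildCertificationPathException(certSelector,
                    "Could not build a certification path for the selected certificate", e);
        }
    }
}
```

Because the chain is rebuilt per request, the same provider works for both the signature and the time-stamp token: the TSA's certificate does not need to be in the signature at all, as long as it (or its issuers) can be found through the trust anchors and the supplied CertStore.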