Xades4J Error on validating a signature: Verification failed for property 'SigningCertificate': Property contains too many certificates
02-07-2021
Question
When I validate a signature that I have created before using the same keystore (and XA), the following exception arises:
    Verification failed for property 'SigningCertificate': SigningCertificate property contains one or more certificates that are not part of the certification path.
I'm using the following cert-chain:
- root-CA (globalsign),
- intermediate certificate
- company certificate
- project certificate
All certificates are stored in the used keystore.
However, when trying the same thing with a self-signed certificate only, it worked; I just needed to put the certificate in the certs-and-crls directory, too.
KeyingDataProvider:
    KeyingDataProvider keyingProvider = new FileSystemKeyStoreKeyingDataProvider(
            KeyStore.getDefaultType(),
            "D:\...\signing.keystore",
            new FirstCertificateSelector(),          // use the first certificate entry in the store
            new DirectStorePasswordProvider("pass"),
            new DirectKeyPasswordProvider("pass"),
            true);                                   // returnFullChain: put the whole chain into SigningCertificate
CertificateValidationProvider:
    FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore("D:\...\certs");
    CertificateValidationProvider certValidator = new PKIXCertificateValidationProvider(
            loadKeystore(),        // trust anchors
            false,                 // revocation checking; should be true, when validation works.
            certStore.getStore()); // intermediate certificates and CRLs
    private KeyStore loadKeystore() throws Exception {
        // deleted exception handling for readability, here
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream keystoreInStream = new FileInputStream("D:\...\verification.keystore")) {
            keyStore.load(keystoreInStream, "pass".toCharArray());
        }
        return keyStore;
    }
Feedback on keystores
The signing keystore contains all 4 certificates. The verification keystore contains only the root certificate (globalsign-root-ca). The certs directory contains all certificates but the root (globalsign-root-ca). Then I get the following error:
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
When using the same keystore as for signing (a file-system copy), then I get the error:
    Caused by: xades4j.verification.SigningCertificateCertsNotInCertPathException: Verification failed for property 'SigningCertificate': SigningCertificate property contains one or more certificates that are not part of the certification path.
Solution
I finally figured it out (i.e. a colleague helped me).
The certificate/key (#3) that I used to sign my self-created keypair (#4) was not allowed to sign other certificates. Although creating the signature was possible without any error, I got the error message "unable to find valid certification path to requested target" when verifying the signature, which was pretty misleading.
As a 'solution', I only used certificates #1-3, and used the private key of #3 to create the signature.
@lgoncalves thanks for your enduring help.
P.S.: I get the same error message with my working setup, when I configure CRLs enabled, but do not provide all of them (i.e. one CRL issued by #2 and one issued by #1, when verifying a signature generated with #3).
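The failure in the question and the root cause in the answer can both be caught before a single XAdES signature is produced. The following is an added example, not code from the question, the answer or xades4j: it loads the signing chain from a keystore, reports every certificate above the leaf that cannot act as an issuer (no basicConstraints CA flag, no keyCertSign key usage, or a signature that does not verify with the claimed issuer's key), and then runs the same PKIX path build that PKIXCertificateValidationProvider performs, with trust anchors from a verification keystore and intermediates from a CertStore. The keystore paths, the password and the class name are assumptions; the API calls are the standard java.security ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Pre-flight check of a signing chain (example code, not part of xades4j). */
public class SigningChainCheck {

    // Placeholder paths and password; substitute the keystores from the question.
    static final String SIGNING_KEYSTORE = "signing.keystore";
    static final String TRUST_KEYSTORE = "verification.keystore";
    static final char[] PASSWORD = "pass".toCharArray();

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASSWORD);
        }
        return ks;
    }

    /** First alias holding a private key, i.e. the entry used for signing. */
    static String firstKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        throw new IllegalStateException("keystore has no private-key entry");
    }

    /**
     * One message per certificate above the leaf that cannot issue certificates.
     * chain.get(0) is the leaf and the last element the root, the order returned by
     * KeyStore.getCertificateChain. Numbering follows the question: #1 is the root.
     */
    static List<String> issuerProblems(List<X509Certificate> chain) {
        List<String> problems = new ArrayList<>();
        for (int i = 1; i < chain.size(); i++) {
            X509Certificate issuer = chain.get(i);
            String name = "#" + (chain.size() - i) + " " + issuer.getSubjectX500Principal().getName();
            if (issuer.getBasicConstraints() < 0) {        // -1 means "not a CA certificate"
                problems.add(name + ": basicConstraints does not mark it as a CA");
            }
            boolean[] ku = issuer.getKeyUsage();            // null when the extension is absent
            if (ku != null && !(ku.length > 5 && ku[5])) {  // bit 5 is keyCertSign
                problems.add(name + ": keyUsage is present but lacks keyCertSign");
            }
            try {
                chain.get(i - 1).verify(issuer.getPublicKey());  // did this key really sign the cert below?
            } catch (Exception e) {
                problems.add(name + ": does not verify the certificate below it (" + e + ")");
            }
        }
        return problems;
    }

    /**
     * Builds the PKIX path the way PKIXCertificateValidationProvider does: trust anchors are the
     * trusted-certificate entries of the verification keystore, intermediates come from a CertStore.
     * Throws CertPathBuilderException ("unable to find valid certification path ...") when no
     * acceptable path exists.
     */
    static PKIXCertPathBuilderResult buildPath(KeyStore trustAnchors, List<X509Certificate> chain,
                                              boolean checkRevocation) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
        params.setRevocationEnabled(checkRevocation);   // the question uses false while debugging
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain.subList(1, chain.size()))));
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }

    public static void main(String[] args) throws Exception {
        KeyStore signing = load(SIGNING_KEYSTORE);
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : signing.getCertificateChain(firstKeyAlias(signing))) {
            chain.add((X509Certificate) c);
        }
        List<String> problems = issuerProblems(chain);
        problems.forEach(System.out::println);
        if (problems.isEmpty()) {
            PKIXCertPathBuilderResult r = buildPath(load(TRUST_KEYSTORE), chain, false);
            System.out.println("path built, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName());
        }
    }
}
```

Run against the setup in the question, issuerProblems reports certificate #3 as unable to issue, which is the condition the answer found by hand. The second error in the question is also visible from buildPath: the PKIX builder stops at the first trust anchor it reaches, so when the signing keystore copy (with all four certificates trusted) is used as the anchor store, the built path is shorter than the chain placed in the SigningCertificate property with returnFullChain=true, and the two no longer match.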