Ahmet-Kaplan / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

Cannot validate certificate to obtain validation data #44

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I've got a simple CA structure, there's just the CA which signs user 
certificates. This CA also publishes a CRL. The only specific thing is that it 
uses SHA256withRSA, but it's been used for over a year to provide S/MIME 
certificates for Thunderbird, gpg, etc. and https certificates for our www 
servers, where it works without problems.

Problem is, when I try to create a XAdES-C document (using 
XadesCSigningProfile) I receive a "Cannot validate certificate to obtain 
validation data" error.

I create the ValidationDataProvider using:

X509CRL crl = /* download fresh CRL */;
KeyStore trustAnchors = loadJKSKeyStore("cacerts.jks", "changeit"); // CA cert
KeyStore myKeyStore = loadJKSKeyStore("private.jks", "changeit"); // my cert and CA cert
CertStore cs = otherCertificatesCertStore(trustAnchors, myKeyStore, crl);
pkixcvp = new PKIXCertificateValidationProvider(trustAnchors, true, cs);
vdp = new ValidationDataFromCertValidationProvider(pkixcvp);

and sign using:

signer = new XadesCSigningProfile(keyProvider, vdp).newSigner();
new Enveloped(signer).sign(elem);

where otherCertificatesCertStore() is:

private static CertStore otherCertificatesCertStore(KeyStore trustAnchors,
        KeyStore myCerts, X509CRL... crl)
        throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, KeyStoreException
{
    // the CA certificate, looked up by its alias in the trust store
    Certificate cert = trustAnchors.getCertificate("qbsca");

    // certificates and CRLs go into one Collection CertStore
    Collection<Object> contentList = new ArrayList<Object>();
    contentList.add(cert);
    for (int i = 0; i < crl.length; i++) {
        contentList.add(crl[i]);
    }
    return CertStore.getInstance("Collection", new CollectionCertStoreParameters(contentList));
}

Stack trace:

Exception in thread "main" xades4j.providers.ValidationDataException: Cannot 
validate certificate to obtain validation data
    at xades4j.providers.impl.ValidationDataFromCertValidationProvider.getValidationData(ValidationDataFromCertValidationProvider.java:52)
    at xades4j.production.SignerC.getFormatSpecificSignatureProperties(SignerC.java:76)
    at xades4j.production.SignerBES.sign(SignerBES.java:200)
    at xades4j.production.SignerBES.sign(SignerBES.java:122)
    at xades4j.production.Enveloped.sign(Enveloped.java:68)
    at XAdES4jTest.main(XAdES4jTest.java:153)
Caused by: xades4j.providers.CannotBuildCertificationPathException: unable to 
find valid certification path to requested target
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:257)
    at xades4j.providers.impl.ValidationDataFromCertValidationProvider.getValidationData(ValidationDataFromCertValidationProvider.java:49)
    ... 5 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253)
    ... 6 more

Original issue reported on code.google.com by hubert.k...@gmail.com on 17 Aug 2012 at 11:51

GoogleCodeExporter commented 9 years ago
Oh, and during debug, I confirmed that the error is related to our CA 
certificates, not TSA certificates.

Original comment by hubert.k...@gmail.com on 17 Aug 2012 at 11:54

GoogleCodeExporter commented 9 years ago
Certificates that I can't validate

Original comment by hubert.k...@gmail.com on 17 Aug 2012 at 12:44

Attachments:

GoogleCodeExporter commented 9 years ago
Everything looks ok on the code and on the certificates.
How is the keyProvider (KeyingDataProvider) configured?

Original comment by luis.fgoncalv on 17 Aug 2012 at 8:13

GoogleCodeExporter commented 9 years ago
Did you try enabling debug for the cert path builder? You can use this 
property: -Djava.security.debug=certpath

Original comment by luis.fgoncalv on 17 Aug 2012 at 8:22

GoogleCodeExporter commented 9 years ago
keyingDataProvider is created using FileSystemKeyStoreKeyingDataProvider.

When using -Djava.security.debug=certpath I get attached output.

Today I tried to use a certificate that doesn't specify CRL Issuer in CRL 
Distribution Point and it worked.

So it looks to me like a bug in CertPathBuilder. What's weird is that the same 
bug exists in BC and SUN providers...

Original comment by hubert.k...@gmail.com on 21 Aug 2012 at 1:06

Attachments:

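The stand-alone check below is an added example, not code from the report above or from xades4j. It runs the same PKIX build that PKIXCertificateValidationProvider hands to the JDK (trust anchors from a KeyStore, revocation enabled, a Collection CertStore holding the certificate and the CRL) outside the library, once with revocation off and once with it on, so the CRL can be isolated as the cause; it then prints the facts the revocation checker decides on: whether each CRL Distribution Point in the certificate names a distributionPoint and/or a cRLIssuer, and whether the CRL verifies under a trust anchor and carries an Issuing Distribution Point extension with indirectCRL set. The relevant rule is RFC 5280 section 6.3.3 (b)(1): when a DP includes cRLIssuer, the CRL must carry an IDP extension with indirectCRL asserted, otherwise the checker must not use that CRL for the certificate. The file names, passwords, the "mycert" alias and the class name are assumptions; the DER helpers handle only the single-byte tags these extensions use.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic (not xades4j code): the PKIX build that
// PKIXCertificateValidationProvider runs, done outside the library so revocation
// can be flipped and the CRL DP / IDP extensions inspected.
// Usage (file names, passwords and the "mycert" alias are assumptions):
//   java PkixCrlCheck cacerts.jks changeit private.jks changeit mycert ca.crl
public class PkixCrlCheck {
    public static void main(String[] args) throws Exception {
        KeyStore trust = load(args[0], args[1]);
        X509Certificate target = (X509Certificate) load(args[2], args[3]).getCertificate(args[4]);
        X509CRL crl;
        try (InputStream in = new FileInputStream(args[5])) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        describeCrlDp(target);
        describeCrl(crl, trust);
        // If only the second build fails, the chain is fine and the revocation checker rejects the CRL.
        System.out.println("revocation off: " + build(trust, target, crl, false));
        System.out.println("revocation on:  " + build(trust, target, crl, true));
    }

    static String build(KeyStore trust, X509Certificate target, X509CRL crl, boolean revocation) throws Exception {
        X509CertSelector sel = new X509CertSelector(); sel.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, sel);
        params.setRevocationEnabled(revocation);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Arrays.<Object>asList(target, crl))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return "OK";
        } catch (CertPathBuilderException e) {
            // innermost cause names the rejected step; -Djava.security.debug=certpath shows why
            Throwable t = e; while (t.getCause() != null) t = t.getCause();
            return "FAILED: " + t;
        }
    }

    // CRL Distribution Points (2.5.29.31): per DP, are distributionPoint [0] and cRLIssuer [2]
    // present? RFC 5280 6.3.3 (b)(1): if cRLIssuer is set, the CRL must carry an Issuing
    // Distribution Point extension with indirectCRL TRUE, or the checker must not use it.
    static void describeCrlDp(X509Certificate cert) {
        byte[] ext = cert.getExtensionValue("2.5.29.31");
        if (ext == null) { System.out.println("no CRL DP extension"); return; }
        int i = 0;
        for (byte[] dp : children(children(ext).get(0))) {   // OCTET STRING -> SEQUENCE OF DP
            boolean dpName = false, crlIssuer = false;
            for (byte[] f : children(dp)) {
                if ((f[0] & 0xff) == 0xA0) dpName = true;
                if ((f[0] & 0xff) == 0xA2) crlIssuer = true;
            }
            System.out.println("DP " + (i++) + ": distributionPoint=" + dpName + " cRLIssuer=" + crlIssuer);
        }
    }

    static void describeCrl(X509CRL crl, KeyStore trust) throws Exception {
        System.out.println("CRL issuer: " + crl.getIssuerX500Principal() + ", nextUpdate: " + crl.getNextUpdate());
        boolean verified = false;
        for (String alias : Collections.list(trust.aliases())) {
            Certificate c = trust.getCertificate(alias);
            if (c == null) continue;
            try { crl.verify(c.getPublicKey()); verified = true; System.out.println("  signed by anchor " + alias); }
            catch (Exception e) { /* not signed by this anchor */ }
        }
        if (!verified) System.out.println("  CRL signature verifies with no trust anchor");
        byte[] idp = crl.getExtensionValue("2.5.29.28");      // issuingDistributionPoint
        boolean indirect = false;
        if (idp != null) for (byte[] f : children(children(idp).get(0)))
            if ((f[0] & 0xff) == 0x84 && f[2] != 0) indirect = true;   // [4] indirectCRL BOOLEAN
        System.out.println("  IDP present=" + (idp != null) + " indirectCRL=" + indirect);
    }

    // Minimal DER helpers; single-byte tags only, which holds for every tag read above.
    static int[] header(byte[] b, int off) {                 // {contentOffset, contentLength}
        int p = off + 1, len = b[p++] & 0xff;
        if (len > 0x7f) { int n = len & 0x7f; len = 0; for (int k = 0; k < n; k++) len = (len << 8) | (b[p++] & 0xff); }
        return new int[] { p, len };
    }

    static List<byte[]> children(byte[] tlv) {               // the TLVs inside a constructed value
        List<byte[]> out = new ArrayList<>();
        int[] h = header(tlv, 0);
        for (int p = h[0], end = h[0] + h[1]; p < end; ) {
            int[] c = header(tlv, p);
            out.add(Arrays.copyOfRange(tlv, p, c[0] + c[1]));
            p = c[0] + c[1];
        }
        return out;
    }

    static KeyStore load(String file, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) { ks.load(in, password.toCharArray()); }
        return ks;
    }
}
```

Run it against the same cacerts.jks, private.jks and CRL that the signer uses. A path that builds with revocation off but fails with it on means the CRL was not accepted for the certificate; the DP/IDP lines then show whether a cRLIssuer in the certificate is paired with an IDP extension on the CRL, and -Djava.security.debug=certpath gives the checker's own reason for discarding it.
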
GoogleCodeExporter commented 9 years ago
All the issuer names match... maybe it really is a bug. I see that you posted 
the question on BC forum. I'll keep this issue open until confirmation. Can you 
post any conclusions here please? Thanks.

Original comment by luis.fgoncalv on 22 Aug 2012 at 2:12

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 25 Sep 2012 at 10:53

GoogleCodeExporter commented 9 years ago

Original comment by luis.fgoncalv on 11 May 2014 at 7:20