esig / dss-demonstrations

Examples of DSS integration
GNU Lesser General Public License v2.1

Is it possible to add custom certificates to DSS' list of trusted certificates? #42

Closed slavistan closed 1 year ago

slavistan commented 1 year ago

Hi! I'm using the DSS webapp's HTTP API as part of a prototypical platform to validate digitally signed PDF documents. The PDFs in question are signed outside of DSS and the signatures are based on a self-signed certificate, which I'd like to import into DSS' list of trusted certificates.

May I kindly ask you how this may be done? So far, I've tried adding to the java keystore via keytool to no avail, unfortunately.

Thank you.

bsanchezb commented 1 year ago

Hello @slavistan ,

Provided that you have a configured keystore with trusted certificates, you may use the following code to define trust anchors to DSS for signature validation:

```java
import java.io.File;

import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

// Create instance of CertificateVerifier
CertificateVerifier cv = new CommonCertificateVerifier();

// Configure CertificateVerifier
// ...

// Load the keystore that holds the certificates to trust
// (path, keystore type and password below are placeholders)
KeyStoreCertificateSource keystoreCertSource = new KeyStoreCertificateSource(
        new File("trusted.p12"), "PKCS12", "password");

// Create an instance of a trusted certificate source
CommonTrustedCertificateSource trustedCertSource = new CommonTrustedCertificateSource();

// import the keystore as trusted
trustedCertSource.importAsTrusted(keystoreCertSource);

// Add trust anchors (trusted list, keystore,...) to a list of trusted certificate sources
// Hint : use method {@code CertificateVerifier.setTrustedCertSources(certSources)} in order to overwrite the existing list
cv.addTrustedCertSources(trustedCertSource);

// Create an instance of DocumentValidator for the signed document (path is a placeholder)
DSSDocument signedDocument = new FileDocument(new File("signed.pdf"));
SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(signedDocument);

// Provide the certificate verifier to the DocumentValidator (which allows to verify and trust certificates)
documentValidator.setCertificateVerifier(cv);

// Execute the validation
Reports reports = documentValidator.validateDocument();
```

For other options to configure trust anchors, please see 7.1.1. Trust anchor configuration from a certificate store of the documentation.

I hope this will help you.

Best regards, Aleksandr.
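As an added example (not code from this thread or from the DSS project), the following standalone program does what the answer above describes for the case the question actually raises, a self-signed signer certificate. It goes slightly beyond the answer: the certificate is loaded directly from a DER or PEM file with DSSUtils.loadCertificate instead of through a keystore, it is registered as the only trust anchor, and the PDF is validated twice, without and with the anchor, printing the SimpleReport indication for each signature so the effect of the anchor is visible. Package names follow DSS 5.8+; dss-pades must be on the classpath so that SignedDocumentValidator.fromDocument can pick up a PDF validator. The command-line file paths and the class name are assumptions.

```java
import java.io.File;

import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

// Added example, not part of dss-demonstrations.
public class SelfSignedTrustDemo {

    // Validates the PDF; trustedCertFile == null means "no custom trust anchor".
    public static Reports validate(File pdf, File trustedCertFile) {
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        if (trustedCertFile != null) {
            // DER or PEM encoded X.509 certificate of the (self-signed) signer
            CertificateToken anchor = DSSUtils.loadCertificate(trustedCertFile);
            trusted.addCertificate(anchor);
        }

        CommonCertificateVerifier cv = new CommonCertificateVerifier();
        // Overwrite rather than add: this verifier has no LOTL source to keep.
        cv.setTrustedCertSources(trusted);
        // No AIA/CRL/OCSP sources: offline validation. A trust anchor is not
        // revocation-checked, so the self-signed signer needs none.

        DSSDocument doc = new FileDocument(pdf);
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(doc);
        validator.setCertificateVerifier(cv);
        return validator.validateDocument();
    }

    public static void main(String[] args) {
        File pdf = new File(args[0]);        // signed PDF (assumed path)
        File cert = new File(args[1]);       // signer certificate file (assumed path)

        for (File anchor : new File[] { null, cert }) {
            Reports reports = validate(pdf, anchor);
            SimpleReport simple = reports.getSimpleReport();
            for (String sigId : simple.getSignatureIdList()) {
                System.out.printf("anchor=%s signature=%s indication=%s subIndication=%s%n",
                        anchor == null ? "none" : anchor.getName(), sigId,
                        simple.getIndication(sigId), simple.getSubIndication(sigId));
            }
        }
    }
}
```

Without the anchor no chain can be built to a trusted root, so the signature normally comes back INDETERMINATE with sub-indication NO_CERTIFICATE_CHAIN_FOUND; with it, a structurally sound signature reaches TOTAL_PASSED. Keep in mind what the second run means: a trust anchor is accepted as-is and never revocation-checked, so listing a self-signed signer certificate this way is a declaration that the key is fully trusted for as long as the file is in place.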

slavistan commented 1 year ago

Hi @bsanchezb. Thank you very much for your answer. Judging by your reply there's no way to achieve the same result using the existing DSS demo webapp bundle without writing java code - correct? That is, there's no exposed equivalent configuration (via config files or environment variables etc).

I'll give your suggestion a try in just a second, but since I'm unfamiliar with Java I wanted to ascertain that there's no simpler method (simple for me subjectively - the code is simple enough).

bsanchezb commented 1 year ago

Indeed, there is no other exposed method to configure trust anchors. If using dss-webapp, all you need to do is add your custom trusted certificate source next to the default (LOTL) trusted source within the method at DSSBeanConfig.java#L201. So the code should look like:

```java
certificateVerifier.setTrustedCertSources(trustedListSource(), customTrustedCertificates());
```

Best regards, Aleksandr.
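As an added example (again not the project's own code), this is what that wiring can look like in a DSSBeanConfig-style Spring configuration: a customTrustedCertificates() bean that reads an optional PKCS12 keystore named in application properties, imports its certificates as trust anchors, and is handed to setTrustedCertSources next to the trusted-list source. The property names (custom.trusted.keystore.*), the class name and the keystore file are assumptions; trustedListSource() is shown only as a placeholder, because the real bean in dss-demo-webapp is filled by the trusted-list loading job, and the AIA, CRL and OCSP sources configured in the real method are left out. The KeyStoreCertificateSource constructor used is the DSS 5.x one (DSS 6 takes the password as char[]).

```java
import java.io.File;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

// Added example modelled on DSSBeanConfig; not the file shipped with dss-demo-webapp.
@Configuration
public class CustomTrustConfig {

    // Assumed property names; leave the path empty to run with LOTL anchors only.
    @Value("${custom.trusted.keystore.path:}")
    private String customKeystorePath;

    @Value("${custom.trusted.keystore.type:PKCS12}")
    private String customKeystoreType;

    @Value("${custom.trusted.keystore.password:}")
    private String customKeystorePassword;

    // Placeholder for the existing bean: in dss-demo-webapp this source is
    // populated by the TLValidationJob that downloads and verifies the EU LOTL.
    @Bean
    public TrustedListsCertificateSource trustedListSource() {
        return new TrustedListsCertificateSource();
    }

    @Bean
    public CommonTrustedCertificateSource customTrustedCertificates() {
        CommonTrustedCertificateSource source = new CommonTrustedCertificateSource();
        if (customKeystorePath == null || customKeystorePath.isEmpty()) {
            return source; // empty source: contributes no anchors
        }
        File ksFile = new File(customKeystorePath);
        if (!ksFile.isFile()) {
            // fail at startup rather than silently validating against LOTL only
            throw new IllegalStateException("Trusted keystore not found: " + ksFile);
        }
        KeyStoreCertificateSource keystore = new KeyStoreCertificateSource(
                ksFile, customKeystoreType, customKeystorePassword);
        // every certificate in the keystore becomes a trust anchor
        source.importAsTrusted(keystore);
        return source;
    }

    @Bean
    public CertificateVerifier certificateVerifier() {
        CommonCertificateVerifier cv = new CommonCertificateVerifier();
        // AIA, CRL and OCSP sources are configured here in the real DSSBeanConfig
        cv.setTrustedCertSources(trustedListSource(), customTrustedCertificates());
        return cv;
    }
}
```

Two caveats worth keeping in mind. importAsTrusted promotes every certificate in the keystore to a trust anchor, so the file should contain only the intended certificates and be writable only by the deployment process: whoever can add an entry to it can make arbitrary signatures validate as trusted. And because the keystore is read when the singleton bean is created, replacing the file on disk has no effect until the webapp is restarted.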

slavistan commented 1 year ago

Wonderful, thank you. It works perfectly.