esig / dss-demonstrations

Examples of DSS integration
GNU Lesser General Public License v2.1

Use additional trusted certificates in DSS DemoWebapp #49

Closed kvcsks closed 1 year ago

kvcsks commented 1 year ago

I use the following code in DSSBeanConfig to add additional trusted certificates to validate files which were signed with test certificates.

    import java.io.File;
    import java.io.IOException;
    import java.security.KeyStore;

    import org.springframework.context.annotation.Bean;

    import eu.europa.esig.dss.alert.ExceptionOnStatusAlert;
    import eu.europa.esig.dss.service.crl.OnlineCRLSource;
    import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
    import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
    import eu.europa.esig.dss.validation.CertificateVerifier;
    import eu.europa.esig.dss.validation.CommonCertificateVerifier;

    // Additional trust anchors (test CA certificates) loaded from a local JKS keystore
    @Bean
    public CommonTrustedCertificateSource myListSource() {
        CommonTrustedCertificateSource trustedListsCertificateSource = new CommonTrustedCertificateSource();
        try {
            KeyStoreCertificateSource customKeystore = new KeyStoreCertificateSource(
                    new File("C:\\certs\\Additional_trusted_TEST_certificates.jks"), KeyStore.getDefaultType(), "<mypass>");
            trustedListsCertificateSource.importAsTrusted(customKeystore);
        } catch (IOException e) {
            // Do not swallow the failure: an empty catch would leave the source silently empty
            throw new IllegalStateException("Cannot load additional trusted certificates", e);
        }
        return trustedListsCertificateSource;
    }

    @Bean
    public CertificateVerifier certificateVerifier() {
        CommonCertificateVerifier certificateVerifier = new CommonCertificateVerifier();
        certificateVerifier.setCrlSource(new OnlineCRLSource());
        // onlineOcspSource(), cachedAIASource() and trustedListSource() are the existing DSSBeanConfig beans (not shown here)
        certificateVerifier.setOcspSource(onlineOcspSource());
        certificateVerifier.setAIASource(cachedAIASource());
        // EU LOTL-based trusted certificates plus the custom keystore above
        certificateVerifier.setTrustedCertSources(trustedListSource(), myListSource());

        // Default configs
        certificateVerifier.setAlertOnMissingRevocationData(new ExceptionOnStatusAlert());
        certificateVerifier.setCheckRevocationForUntrustedChains(false);

        return certificateVerifier;
    }

Indication is TOTAL_PASSED in validation result, but Qualification Details is "Unable to build a certificate chain up to a trusted list!"

bsanchezb commented 1 year ago

Hello @kvcsks ,

The error message within the qualification details literally means that the validator was not able to reach a Trusted List in order to determine the qualification status of the signature. A Trusted List defines the qualification details and the validity status of the corresponding trust service that issued the signing certificate used to create the signature. Therefore, this information is crucial for the qualification status determination per the ETSI TS 119 615 standard. The information is accessible via the EU LOTL, for the related certificates loaded by default within the dss-demonstrations web application.

For test certificates this information is not applicable, unless you create a custom Trusted List and load it with TLValidationJob. Therefore, it is normal to receive the error when processing a validation for test or custom certificates.

I hope this clarifies.

Best regards, Aleksandr.

kvcsks commented 1 year ago

@bsanchezb: Thank you! I have validated the same signed file with the modified (additional trusted certificates) DSS DemoWebapp and with the official one (https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/validation). In the case of the official one, Qualification is QESig, but in the modified webapp I see N/A and the qualification details message.

I have tried also setAdjunctCertSources and addAdjunctCertSources methods to set my jks file, but I am not sure, how to use these.

bsanchezb commented 1 year ago

@kvcsks, the official demo is configured to load trust anchors from the EU LOTL, including the information about trust services. This information is essential for a qualification determination. For loading trust certificates with qualification information, you should use TLValidationJob, which allows you to load the trusted certificates in an automated process. Please also see the DSSBeanConfig for reference on how it is implemented in the DSS demo.

Best regards, Aleksandr.
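An added example (not code from this thread or from the dss-demonstrations project) of the approach described above: a TLValidationJob that loads a custom, XAdES-signed test Trusted List into a TrustedListsCertificateSource, so that the trust-service information needed for qualification is available, instead of importing bare CA certificates as trust anchors. The TL URL, the keystore path and password, and the cache directory are placeholders; the package names follow the DSS 5.x layout and should be checked against the DSS version actually in use.

```java
import java.io.File;
import java.io.IOException;

import eu.europa.esig.dss.service.http.commons.CommonsDataLoader;
import eu.europa.esig.dss.service.http.commons.FileCacheDataLoader;
import eu.europa.esig.dss.spi.client.http.IgnoreDataLoader;
import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
import eu.europa.esig.dss.spi.x509.KeyStoreCertificateSource;
import eu.europa.esig.dss.tsl.cache.CacheCleaner;
import eu.europa.esig.dss.tsl.job.TLValidationJob;
import eu.europa.esig.dss.tsl.source.TLSource;
import eu.europa.esig.dss.tsl.sync.AcceptAllStrategy;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

public class CustomTrustedListLoading {

    // Placeholder values (assumptions): the location of your own signed test TL,
    // a keystore holding the certificate(s) that signed that TL, and a cache directory.
    static final String TEST_TL_URL = "https://example.invalid/test-trusted-list.xml";
    static final File TL_SIGNER_KEYSTORE = new File("C:\\certs\\test-tl-signers.p12");
    static final String TL_SIGNER_KEYSTORE_PASSWORD = "<keystore-password>";
    static final File CACHE_DIR = new File(System.getProperty("java.io.tmpdir"), "dss-tl-cache");

    /** Downloads and parses the custom TL, filling a TrustedListsCertificateSource with trust-service data. */
    public static TrustedListsCertificateSource loadCustomTrustedList() throws IOException {
        TrustedListsCertificateSource trustedListsSource = new TrustedListsCertificateSource();

        // The TL document itself is signed; the job only accepts it when the signature
        // verifies against one of these certificates (not the test CA certificates).
        KeyStoreCertificateSource tlSigners = new KeyStoreCertificateSource(
                TL_SIGNER_KEYSTORE, "PKCS12", TL_SIGNER_KEYSTORE_PASSWORD);

        TLSource testTl = new TLSource();
        testTl.setUrl(TEST_TL_URL);
        testTl.setCertificateSource(tlSigners);

        // Online loader: fetch from the network on refresh and cache the result on disk
        FileCacheDataLoader onlineLoader = new FileCacheDataLoader(new CommonsDataLoader());
        onlineLoader.setFileCacheDirectory(CACHE_DIR);
        onlineLoader.setCacheExpirationTime(0);

        // Offline loader: serve only from the cache, never expire, never hit the network
        FileCacheDataLoader offlineLoader = new FileCacheDataLoader(new IgnoreDataLoader());
        offlineLoader.setFileCacheDirectory(CACHE_DIR);
        offlineLoader.setCacheExpirationTime(Long.MAX_VALUE);

        CacheCleaner cacheCleaner = new CacheCleaner();
        cacheCleaner.setCleanMemory(true);
        cacheCleaner.setCleanFileSystem(true);
        cacheCleaner.setDSSFileLoader(offlineLoader);

        TLValidationJob job = new TLValidationJob();
        job.setTrustedListSources(testTl);
        job.setTrustedListCertificateSource(trustedListsSource);
        job.setOnlineDataLoader(onlineLoader);
        job.setOfflineDataLoader(offlineLoader);
        job.setCacheCleaner(cacheCleaner);
        // AcceptAllStrategy keeps the TL even if its own validity checks fail; fine for a
        // test setup, but a stricter synchronization strategy is the safer choice elsewhere.
        job.setSynchronizationStrategy(new AcceptAllStrategy());

        job.onlineRefresh();
        return trustedListsSource;
    }

    /** A verifier whose trust anchors carry qualification information from the loaded TL. */
    public static CommonCertificateVerifier certificateVerifier(TrustedListsCertificateSource source) {
        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(source);
        return verifier;
    }

    public static void main(String[] args) throws IOException {
        TrustedListsCertificateSource source = loadCustomTrustedList();
        System.out.println("Trusted certificates loaded from TL: " + source.getCertificates().size());
        certificateVerifier(source);
    }
}
```

The demo's DSSBeanConfig builds the same kind of job against the EU LOTL; a test TL can be added as a second TLSource next to it. Keep such a test TL out of any deployment that validates production signatures, since its trust services would then be reported as qualified.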