open-eid / digidoc4j

DigiDoc for Java. Javadoc:
http://open-eid.github.io/digidoc4j
GNU Lesser General Public License v2.1

NO_CERTIFICATE_CHAIN_FOUND when creating a BDOC container #10

Closed informatik01 closed 8 years ago

informatik01 commented 8 years ago

Hi.

I am experimenting with the final release of the DigiDoc4j library (version 1.0.0). I have generated an access certificate (.p12d file) through https://www.sk.ee/getaccess/?lang=eng using my own Estonian ID card, and I use this file in a simple program that just creates a BDOC container and saves it to the local file system. Although the container is created successfully, the signature is marked "Not valid" and I see some validation errors in the logs.

What is interesting is that after creating a signature and validating it (signature.validate()), I get NO validation errors. But when validating the resulting BDOC container (container.validate()), there are some errors. Below I will provide the simplified code and some logs to illustrate this issue.


Main.java

import java.util.List;

import org.digidoc4j.Container;
import org.digidoc4j.ContainerBuilder;
import org.digidoc4j.DigestAlgorithm;
import org.digidoc4j.Signature;
import org.digidoc4j.SignatureBuilder;
import org.digidoc4j.SignatureProfile;
import org.digidoc4j.ValidationResult;
import org.digidoc4j.exceptions.DigiDoc4JException;
import org.digidoc4j.signers.PKCS12SignatureToken;

public class Main {
    public static void main(String[] args) {
        // Create a BDOC container holding a single data file
        Container container = ContainerBuilder.
                aContainer(ContainerBuilder.BDOC_CONTAINER_TYPE).
                withDataFile("src/main/resources/test.txt", "text/plain").
                build();

        // Software token backed by the PKCS#12 file generated at sk.ee
        String privateKeyPath = "src/main/resources/905281.p12d";
        char[] password = "password".toCharArray();
        PKCS12SignatureToken signatureToken = new PKCS12SignatureToken(privateKeyPath, password);

        // Produce an LT (time-stamp) profile signature over the container
        Signature signature = SignatureBuilder.
                aSignature(container).
                withSignatureDigestAlgorithm(DigestAlgorithm.SHA256).
                withSignatureProfile(SignatureProfile.LT).
                withCountry("Estonia").
                withStateOrProvince("Harjumaa").
                withCity("Tallinn").
                withPostalCode("12618").
                withSignatureToken(signatureToken).
                invokeSigning();

        // First check: validate the signature on its own
        List<DigiDoc4JException> validationExceptions = signature.validate();
        if (validationExceptions != null && validationExceptions.size() > 0) {
            System.err.println("***** Signature validation failed:");
            for (DigiDoc4JException e : validationExceptions) {
                System.err.println(e.getMessage());
            }

            return;
        } else {
            System.out.println("***** Signature validation was successful!");
        }

        container.addSignature(signature);

        container.saveAsFile("result.bdoc");

        // Second check: validate the whole container (this is where the errors show up)
        ValidationResult validationResult = container.validate();
        if (validationResult.isValid()) {
            System.out.println("***** Container validation was successful!");
        } else {
            System.err.println("***** There were errors/warnings when validating the container.");

            List<DigiDoc4JException> containerErrors = validationResult.getContainerErrors();
            if (containerErrors != null && containerErrors.size() > 0) {
                System.err.println("Errors:");
                for (DigiDoc4JException e : containerErrors) {
                    System.err.println(e.getMessage());
                }
            }

            List<DigiDoc4JException> warnings = validationResult.getWarnings();
            if (warnings != null && warnings.size() > 0) {
                System.err.println("\nWarnings:");
                for (DigiDoc4JException e : warnings) {
                    System.err.println(e.getMessage());
                }
            }

        }

        System.out.println("\n***** Validation report *****");
        System.out.println(validationResult.getReport());
    }
}

Logs:

14:13:31.569 [main] INFO org.digidoc4j.Configuration - Loading configuration from file digidoc4j.yaml
14:13:31.585 [main] INFO org.digidoc4j.Configuration - Configuration file digidoc4j.yaml not found. Trying to search from jar file.
14:13:31.616 [main] INFO org.digidoc4j.Configuration - Configuration loaded for PROD mode
14:13:31.668 [main] INFO eu.europa.ec.markt.dss.validation102853.CommonCertificateVerifier - + New CommonCertificateVerifier created.
14:13:31.748 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - New BDoc container created
14:13:31.748 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Adding data file: src/main/resources/test.txt, mime type: text/plain
14:13:31.770 [main] INFO org.digidoc4j.signers.PKCS12SignatureToken - Using PKCS#12 signature token from file: src/main/resources/905281.p12d
14:13:31.867 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Signing BDoc container
14:13:31.867 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Getting data to sign
14:13:31.917 [main] INFO org.digidoc4j.signers.PKCS12SignatureToken - Signing with PKCS#12 signature token, using digest algorithm: SHA256
14:13:31.917 [main] INFO eu.europa.ec.markt.dss.signature.token.AbstractSignatureTokenConnection - Signature algorithm: RSA/SHA256
14:13:31.967 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Finalizing BDoc signature
14:13:32.988 [main] WARN eu.europa.ec.markt.dss.validation102853.tsl.AbstractTrustService - java.lang.IllegalArgumentException: improperly specified input name: serialNumber=896929130327, givenName=OCSP, SN=Responder 03-1, CN=OCSP Responder 03-1, C=AT
14:13:34.603 [main] WARN eu.europa.ec.markt.dss.validation102853.tsl.AbstractTrustService - Unsupported algorithm: 1.2.840.113549.1.1.10
14:13:35.172 [main] WARN eu.europa.ec.markt.dss.validation102853.tsl.TrustedListsCertificateSource - Other problem: eu.europa.ec.markt.dss.exception.DSSException: Not ETSI compliant signature. The signature is not valid.
14:13:37.670 [main] WARN eu.europa.ec.markt.dss.validation102853.tsl.TrustedListsCertificateSource - Other problem: eu.europa.ec.markt.dss.exception.DSSException: Not ETSI compliant signature. The signature is not valid.
14:13:38.564 [main] INFO eu.europa.ec.markt.dss.signature.xades.XAdESLevelBaselineT - ====> Extending: IN MEMORY DOCUMENT
14:13:38.652 [main] INFO eu.europa.ec.markt.dss.validation102853.tsp.OnlineTSPSource - Status: Operation Okay
14:13:38.652 [main] INFO eu.europa.ec.markt.dss.validation102853.tsp.OnlineTSPSource - SID: org.bouncycastle.cms.SignerId@4e0148f2
14:13:38.752 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - Retrieving 49c707cdd2dfbf683ab71a457aea4caf0cefd20c9088972950e853d49787b680 certificate's issuer using AIA.
14:13:38.752 [main] INFO eu.europa.ec.markt.dss.DSSUtils - There is no AIA extension for certificate download.
14:13:38.752 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - The issuer certificate cannot be loaded using AIA.
14:13:38.765 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - Retrieving 1e49f497d89d430aad534b622d82bd9b9d0d4afdb7b7d36986c5df0981d9067d certificate's issuer using AIA.
14:13:38.765 [main] INFO eu.europa.ec.markt.dss.DSSUtils - There is no AIA extension for certificate download.
14:13:38.765 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - The issuer certificate cannot be loaded using AIA.
14:13:38.921 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - Retrieving 49c707cdd2dfbf683ab71a457aea4caf0cefd20c9088972950e853d49787b680 certificate's issuer using AIA.
14:13:38.921 [main] INFO eu.europa.ec.markt.dss.DSSUtils - There is no AIA extension for certificate download.
14:13:38.921 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - The issuer certificate cannot be loaded using AIA.
14:13:38.999 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Signing BDoc successfully completed
14:13:38.999 [main] INFO org.digidoc4j.impl.bdoc.BDocSignature - Signature has 0 validation errors

***** Signature validation was successful!

14:13:38.999 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Saving container to file: result.bdoc
14:13:39.000 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - Verifying BDoc container
14:13:39.181 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - Retrieving 49c707cdd2dfbf683ab71a457aea4caf0cefd20c9088972950e853d49787b680 certificate's issuer using AIA.
14:13:39.181 [main] INFO eu.europa.ec.markt.dss.DSSUtils - There is no AIA extension for certificate download.
14:13:39.182 [main] INFO eu.europa.ec.markt.dss.validation102853.SignatureValidationContext - The issuer certificate cannot be loaded using AIA.
14:13:39.220 [main] ERROR org.digidoc4j.impl.bdoc.XadesSignatureValidator - The certificate chain is not trusted, there is no trusted anchor.
14:13:39.227 [main] INFO org.digidoc4j.impl.bdoc.ManifestValidator - Validation of meta data within the manifest file and signature files error count: 0
14:13:39.228 [main] INFO org.digidoc4j.impl.bdoc.BDocSignature - Signature has 1 validation errors
14:13:39.229 [main] INFO org.digidoc4j.impl.bdoc.AsicFacade - BDoc container is valid: false

***** There were errors/warnings when validating the container.

***** Validation report *****

<?xml version="1.0" encoding="UTF-8"?><ValidationReport><SignatureValidation ID="S0">
  <Policy>
      <PolicyName>QES AdESQC TL based</PolicyName>
      <PolicyDescription>RIA customized validation policy</PolicyDescription>
  </Policy>
  <ValidationTime>2016-01-12T14:13:39Z</ValidationTime>
  <DocumentName/>
  <Signature Id="S0" SignatureFormat="XAdES_BASELINE_LT">
      <SigningTime>2016-01-12T12:13:31Z</SigningTime>
      <SignedBy>LEVAN_KEKELIDZE</SignedBy>
      <Indication>INDETERMINATE</Indication>
      <SubIndication>NO_CERTIFICATE_CHAIN_FOUND</SubIndication>
      <Error NameId="BBB_XCV_CCCBB_ANS">The certificate chain is not trusted, there is no trusted anchor.</Error>
      <SignatureLevel>AdES</SignatureLevel>
      <SignatureScopes>
          <SignatureScope name="test.txt" scope="FullSignatureScope">Full document</SignatureScope>
      </SignatureScopes>
  <AdditionalValidation Error="0"><Description>The certificate chain is not trusted, there is no trusted anchor.</Description></AdditionalValidation></Signature>
  <ValidSignaturesCount>0</ValidSignaturesCount>
  <SignaturesCount>1</SignaturesCount>
</SignatureValidation><ManifestValidation/></ValidationReport>

Technical information regarding signature from a DigiDoc client application:

SignatureA.cpp:160 Signature validation
SignatureBES.cpp:762 Unable to verify signing certificate
SignatureBES.cpp:752 Signing certificate does not contain NonRepudiation key usage flag
SignatureTM.cpp:160 RevocationValues object is missing
SignatureTM.cpp:142 Signature validation
SignatureBES.cpp:762 Unable to verify signing certificate
SignatureBES.cpp:752 Signing certificate does not contain NonRepudiation key usage flag
SignatureTM.cpp:160 RevocationValues object is missing
OCSP.cpp:113 Response is empty

Another issue is that when in the above code I use a "time mark" signature profile (SignatureBuilder.aSignature(container).withSignatureProfile(SignatureProfile.LT_TM)), then besides the above errors in the logs I cannot open the newly created container at all: instead I get the following errors from the DigiDoc client application:

An error occurred while opening the document.

BDoc.cpp:450 Failed to parse signature 'META-INF/signatures0.xml'.
SignatureBES.cpp:294 Failed to parse signature XML: :1:4488 error: element 'UnsignedSignatureProperties' is not allowed for content model '(CounterSignature|SignatureTimeStamp|CompleteCertificateRefs|CompleteRevocationRefs|AttributeCertificateRefs|AttributeRevocationRefs| SigAndRefsTimeStamp|RefsOnlyTimeStamp|CertificateValues|RevocationValues|AttrAuthoritiesCertValues|AttributeRevocationValues|ArchiveTimeStamp|)'



Maybe I am doing something wrong, or there is something wrong with the generated .p12d file. Anyway, I would appreciate any help with resolving this issue.

rvillido commented 8 years ago

Hi, thanks for the feedback!

It seems that the signature.validate() method does not do what it says, but simply returns the list of validation errors previously reported. I created a bug for that so we could fix it. https://www.pivotaltracker.com/story/show/111519384

Regarding signing documents with the .p12d key you have created, it seems that you are trying to sign with an access certificate, but those signatures are not legally valid. The access certificate is issued from the "SK services access CA 2010" certificate chain, and that is not listed in the official TSL. You cannot create legally binding documents with that certificate. The purpose of access certificates is signing OCSP requests.

I hope that helps
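The two things this thread turns on can be checked before a key is ever handed to PKCS12SignatureToken: whether the signer certificate carries the NonRepudiation key usage flag the DigiDoc client complained about, and whether its chain reaches the CA you actually expect (the "no trusted anchor" / NO_CERTIFICATE_CHAIN_FOUND outcome). This is an added example, not digidoc4j code or code from this thread; it uses only the JDK and assumes the PKCS#12 file (a .p12d from sk.ee is one), its password and the expected root CA certificate (DER or PEM) are passed as arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class SigningCertPreflight {
    private static final int NON_REPUDIATION_BIT = 1; // RFC 5280 KeyUsage bit 1 (contentCommitment)
    // Null when the certificate carries the NonRepudiation flag a qualified e-signature
    // certificate needs, otherwise the reason the DigiDoc client reported for rejecting it.
    static String checkKeyUsage(X509Certificate cert) {
        boolean[] usage = cert.getKeyUsage();
        if (usage == null || usage.length <= NON_REPUDIATION_BIT || !usage[NON_REPUDIATION_BIT]) {
            return "Signing certificate does not contain NonRepudiation key usage flag";
        }
        return null;
    }

    // Builds a PKIX path from chain[0] through any intermediates shipped in the PKCS#12 file
    // to the expected anchor. Revocation is disabled so the check runs offline (OCSP happens at signing).
    static String checkChain(Certificate[] chain, X509Certificate anchor) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate((X509Certificate) chain[0]);
        PKIXBuilderParameters params = new PKIXBuilderParameters(Collections.singleton(new TrustAnchor(anchor, null)), target);
        params.setRevocationEnabled(false);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(chain))));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return null;
        } catch (CertPathBuilderException e) {
            return "The certificate chain is not trusted, there is no trusted anchor (" + e.getMessage() + ")";
        }
    }
    // Usage: java SigningCertPreflight signer.p12 <p12-password> expected-root-ca.cer
    public static void main(String[] args) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { p12.load(in, args[1].toCharArray()); }
        X509Certificate anchor;
        try (FileInputStream in = new FileInputStream(args[2])) {
            anchor = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        for (Enumeration<String> aliases = p12.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!p12.isKeyEntry(alias)) continue; // skip bare trusted-certificate entries
            Certificate[] chain = p12.getCertificateChain(alias);
            String usage = checkKeyUsage((X509Certificate) chain[0]);
            String path = checkChain(chain, anchor);
            System.out.println(alias + ": key usage " + (usage == null ? "OK" : usage) + "; chain " + (path == null ? "OK" : path));
        }
    }
}
```

An access certificate run against the TSL-listed signing CA fails the chain check, which is the same condition the validation report above expresses as NO_CERTIFICATE_CHAIN_FOUND.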

informatik01 commented 8 years ago

At last I was able to create, sign and save a BDOC container without validation errors. Instead of my .p12 file, I have used signout.p12 from the testFiles folder contained in the digidoc4j project. This and

import org.digidoc4j.Configuration;

// Switch to TEST mode and point the library at the demo TSL that lists the test CA chain
Configuration configuration = new Configuration(Configuration.Mode.TEST);
configuration.setTslLocation("https://demo.sk.ee/TSL/tl-mp-test-EE.xml");

did the job. The only thing is that DigiDoc is showing the signature status "Unknown" and this technical information:

SignatureA.cpp:160 Signature validation
SignatureBES.cpp:762 Unable to verify signing certificate
X509CertStore.cpp:241 unable to get local issuer certificate :0
OCSP.cpp:462 Failed to verify OCSP response. :0 error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found

X509CertStore.cpp:241 unable to get local issuer certificate :0

but as far as I understand, this is OK for the test signature.

Thanks for the hint!