open-eid / digidoc4j

DigiDoc for Java. Javadoc:
http://open-eid.github.io/digidoc4j
GNU Lesser General Public License v2.1

Container validation fails when signature's OCSP certificate is expired #118

Closed trbt closed 1 year ago

trbt commented 1 year ago

When validating existing containers with either configuration.setFullReportNeed(true) (code) or -showerrors (command line) and the signature's OCSP certificate has expired, the validation fails. Example from the command line utility:

java -jar digidoc4j-util.jar -in "SignedContainer.asice" -v -w -showerrors

30.03.2023 17:43:48.022 INFO  [pool-3-thread-1] [o.digidoc4j.impl.asic.AsicSignature.validateSignature:164] - Signature has 2 validation errors and 0 warnings
30.03.2023 17:43:48.026 INFO  [main] [o.d.i.a.manifest.ManifestValidator.validateDocument:140] - Validation of meta data within the manifest file and signature files error count: 0
30.03.2023 17:43:48.071 INFO  [main] [o.d.i.a.a.AsicEContainerValidator.validate:98] - Is container valid: false
Signature S0 is not valid
 Error: Block Id: R-B1A01032E0A58... Type = REVOCATION. BBB_XCV_SUB_ANS: The certificate validation is not conclusive!
 Error: Block Id: R-B1A01032E0A58... Type = REVOCATION. BBB_XCV_ICTIVRSC_ANS: The current time is not in the validity range of the signer's certificate!
30.03.2023 17:43:48.083 INFO  [main] [org.digidoc4j.main.ContainerVerifier.verify:137] - Validation finished. Container is NOT valid!
30.03.2023 17:43:48.085 ERROR [main] [org.digidoc4j.main.DigiDoc4J.main:57] - Utility error (please apply DEBUG level for stacktrace): Container is NOT valid
Container is NOT valid

Signing time: 22.02.2023 11:49:20 +00:00
OCSP Certificate: ESTEID2018 AIA OCSP RESPONDER 202302, Valid from 01.02.2023 to 08.03.2023

Setting the date back to be within the OCSP cert validity range (e.g. 07.03.2023) results in validation with no errors.

07.03.2023 18:03:10.014 INFO  [pool-3-thread-1] [o.digidoc4j.impl.asic.AsicSignature.validateSignature:164] - Signature has 0 validation errors and 0 warnings
07.03.2023 18:03:10.017 INFO  [main] [o.d.i.a.manifest.ManifestValidator.validateDocument:140] - Validation of meta data within the manifest file and signature files error count: 0
07.03.2023 18:03:10.059 INFO  [main] [o.d.i.a.a.AsicEContainerValidator.validate:98] - Is container valid: true
Signature S0 is valid
07.03.2023 18:03:10.061 INFO  [main] [org.digidoc4j.main.ContainerVerifier.verify:135] - Validation was successful. Container is valid
07.03.2023 18:03:10.062 INFO  [main] [org.digidoc4j.main.DigiDoc4J.main:70] - Finished running utility method

It appears the OCSP certificate is validated against current time instead of signing time?

PS. Using default settings the container validates with no errors, presumably the OCSP cert dates are just not checked in that case.
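The time-reference question raised above, as an added example that is not digidoc4j or DSS code: it evaluates the OCSP responder certificate's validity window from the issue at both candidate reference times, the signing time and the moment the validator runs. It assumes UTC timestamps and inclusive calendar-day validity bounds.

```python
from datetime import date, datetime, timezone

# Constructed from the values quoted in the issue, not read from a real certificate.
OCSP_CERT_NOT_BEFORE = date(2023, 2, 1)  # "Valid from 01.02.2023 ..."
OCSP_CERT_NOT_AFTER = date(2023, 3, 8)   # "... to 08.03.2023" (assumed inclusive)


def parse_timestamp(text: str) -> datetime:
    """Parse the 'dd.mm.yyyy HH:MM:SS' form used in the utility's log lines (UTC assumed)."""
    return datetime.strptime(text, "%d.%m.%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def within_validity(not_before: date, not_after: date, at: datetime) -> bool:
    """Day-granularity check: the certificate covers the calendar day of 'at'."""
    return not_before <= at.date() <= not_after


def assess_ocsp_responder_cert(not_before: date, not_after: date,
                               signing_time: datetime, validation_time: datetime) -> dict:
    """Evaluate the responder certificate at both reference times.

    For an archived signature the responder certificate only has to have been valid
    when the OCSP response was produced (approximated here by the signing time);
    whether it is still valid when the validator happens to run is irrelevant.
    """
    at_signing = within_validity(not_before, not_after, signing_time)
    at_validation = within_validity(not_before, not_after, validation_time)
    if at_signing and not at_validation:
        verdict = "expired after signing: acceptable; a rejection means the wrong reference time was used"
    elif at_signing:
        verdict = "valid at both reference times"
    else:
        verdict = "not valid at signing time: genuine problem with the signature"
    return {
        "valid_at_signing_time": at_signing,
        "valid_at_validation_time": at_validation,
        "verdict": verdict,
    }


if __name__ == "__main__":
    signing = parse_timestamp("22.02.2023 11:49:20")
    for run in ("30.03.2023 17:43:48", "07.03.2023 18:03:10"):
        result = assess_ocsp_responder_cert(OCSP_CERT_NOT_BEFORE, OCSP_CERT_NOT_AFTER,
                                            signing, parse_timestamp(run))
        print(run, result)
```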

heititobi commented 1 year ago

Thank you for bringing it to our attention. I was able to reproduce the behaviour and we will look into it.

rsarendus commented 1 year ago

Thank you again for bringing this problem to our attention!

It appears that the functionality behind the "full report" flag is not entirely correct in the context of the latest DSS versions, and can produce false negative results in some cases. All errors that block the successful validation of a signature will always be shown, so there is no need to use the "full report" flag.

The functionality to enable the "full report" flag either via the API or via the command line -showerrors option will be deprecated in the next version of Digidoc4j, and it will be removed in the future.