Closed trbt closed 1 year ago
Thank you for bringing it to our attention. I was able to reproduce the behaviour and we will look into it.
Thank you again for bringing this problem to our attention!
It appears that the functionality behind the "full report" flag is not entirely correct in the context of the latest DSS versions, and can produce false negative results in some cases. All errors that block the successful validation of a signature will always be shown, so there is no need to use the "full report" flag.
The functionality to enable the "full report" flag either via the API or via the command line -showerrors option will be deprecated in the next version of Digidoc4j, and it will be removed in the future.
When validating existing containers with either configuration.setFullReportNeed(true) (code) or -showerrors (command line) and the signature's OCSP certificate has expired, the validation fails. Example from the command line utility:
java -jar digidoc4j-util.jar -in "SignedContainer.asice" -v -w -showerrors
Signing time:
22.02.2023 11:49:20 +00:00
OCSP Certificate:ESTEID2018 AIA OCSP RESPONDER 202302, Valid from 01.02.2023 to 08.03.2023
Setting date back to be within the OCSP cert validity range (e.g. 07.03.2023) results in validation with no errors.
It appears the OCSP certificate is validated against current time instead of signing time?
PS. Using default settings the container validates with no errors, presumably the OCSP cert dates are just not checked in that case.
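The reference-time question raised in the report, as an added illustration that is not part of the issue and not Digidoc4j's code: the signing time and the OCSP responder certificate's validity window are the values quoted above; the "current time" values are constructed, and the window is assumed to run through the end of its last day since the report gives whole days. The function judges the responder certificate once against the signing time and once against the verifier's clock and flags the combination that produces a false negative.

```python
"""Added example (not from the issue or Digidoc4j): why the reference time
matters when judging the OCSP responder certificate of an older signature."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_day(text: str) -> datetime:
    """Parse the dd.mm.yyyy day format used in the report, as midnight UTC."""
    return datetime.strptime(text, "%d.%m.%Y").replace(tzinfo=timezone.utc)


def parse_signing_time(text: str) -> datetime:
    """Parse the 'dd.mm.yyyy HH:MM:SS +HH:MM' signing-time format from the report."""
    return datetime.strptime(text, "%d.%m.%Y %H:%M:%S %z")


@dataclass(frozen=True)
class CertValidity:
    not_before: datetime
    not_after: datetime

    @classmethod
    def from_days(cls, first_day: str, last_day: str) -> "CertValidity":
        # The report quotes whole days; assumption: the certificate is valid
        # through the last second of its final day.
        start = parse_day(first_day)
        end = parse_day(last_day) + timedelta(days=1) - timedelta(seconds=1)
        return cls(start, end)

    def covers(self, moment: datetime) -> bool:
        return self.not_before <= moment <= self.not_after


def ocsp_cert_verdict(validity: CertValidity, signing_time: datetime,
                      now: datetime) -> dict:
    """Judge the OCSP responder certificate against two reference times.

    A verifier that anchors the check at the signing time accepts an old
    signature whose responder certificate has since expired; one that anchors
    it at the current clock rejects the same unchanged signature. The
    'false_negative' key is True exactly when the two verdicts diverge that way.
    """
    at_signing = validity.covers(signing_time)
    at_now = validity.covers(now)
    return {
        "valid_at_signing_time": at_signing,
        "valid_at_current_time": at_now,
        "false_negative": at_signing and not at_now,
    }


# Values quoted in the report above.
SIGNING_TIME = parse_signing_time("22.02.2023 11:49:20 +00:00")
OCSP_CERT = CertValidity.from_days("01.02.2023", "08.03.2023")

if __name__ == "__main__":
    # Clock set back inside the responder certificate's window, as in the report.
    print(ocsp_cert_verdict(OCSP_CERT, SIGNING_TIME, parse_day("07.03.2023")))
    # Constructed later date standing in for a verifier run after expiry.
    print(ocsp_cert_verdict(OCSP_CERT, SIGNING_TIME, parse_day("01.03.2024")))
```

Run with a clock inside the window both verdicts agree; run with a later clock only the current-time check fails, which is the behaviour the report describes for the "full report" path.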