bouncycastle - XAdES-BES timestamp verification error
I am trying to use the xades4j library (which uses bouncycastle) for XAdES-BES verification, and I am getting the following stacktrace:
```
xades4j.verification.TimeStampInvalidSignatureException: Verification failed for property 'SignatureTimeStamp': Invalid token signature
    at xades4j.verification.TimeStampVerifierBase.getEx(TimeStampVerifierBase.java:114)
    at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:89)
    at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:38)
    at xades4j.verification.QualifyingPropertiesVerifierImpl.verifyProperties(QualifyingPropertiesVerifierImpl.java:59)
    at xades4j.verification.XadesVerifierImpl.getValidationDate(XadesVerifierImpl.java:250)
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:174)
    at com.signapplet.sign.SignComponent.verify(SignComponent.java:663)
Caused by: xades4j.providers.TimeStampTokenSignatureException: Invalid token signature or certificate
    at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:154)
    at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:71)
    ... 42 more
Caused by: org.bouncycastle.tsp.TSPValidationException: certificate hash does not match certID hash.
    at org.bouncycastle.tsp.TimeStampToken.validate(Unknown Source)
    at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:150)
    ... 43 more
```
Here is the code where xades4j throws the exception:

```java
try {
    // tsToken is an org.bouncycastle.tsp.TimeStampToken; tsaCert is the TSA certificate
    // returned in the first position of the ValidationData
    tsToken.validate(this.signerInfoVerifierBuilder.build(tsaCert));
} catch (TSPValidationException ex) {
    throw new TimeStampTokenSignatureException("Invalid token signature or certificate", ex);
} catch (Exception ex) {
    throw new TimeStampTokenVerificationException("Error when verifying token signature", ex);
}
```
The problem occurs when I sign the file with the software provided by the cryptoki token's manufacturer. It has worked great so far, and I am able to validate the same files with different XAdES validation software. The problem occurs in xades4j.

When I sign the same file with xades4j, it verifies as expected.

Below is the code for verification. certDataList is the list of certificates found in the document as strings, and getCert returns the corresponding list of certificates. DummyCertificateValidationProvider returns ValidationData with the list of constructed X509Certs.
```java
// Method excerpt: dictionaries, certList, logger and getCert() are members of the enclosing class.
public boolean verify(final File file) {
    if (!dictionaries.valid()) {
        return true;
    }
    certList = null;
    try {
        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        final DocumentBuilder db = dbf.newDocumentBuilder();
        final Document doc = db.parse(file);
        doc.getDocumentElement().normalize();

        // pick the (last) ds:Signature element in the document
        final NodeList nList = doc.getElementsByTagName("ds:Signature");
        Element elem = null;
        for (int temp = 0; temp < nList.getLength(); temp++) {
            final Node nNode = nList.item(temp);
            if (nNode.getNodeType() == Node.ELEMENT_NODE) {
                elem = (Element) nNode;
            }
        }

        // collect every ds:X509Certificate found in the signature
        final NodeList nList2 = doc.getElementsByTagName("ds:X509Certificate");
        final List<String> certDataList = new ArrayList<String>();
        for (int temp = 0; temp < nList2.getLength(); temp++) {
            final Node nNode = nList2.item(temp);
            certDataList.add(nNode.getTextContent());
        }
        certList = getCert(certDataList);

        final CertificateValidationProvider certValidator = new DummyCertificateValidationProvider(certList);
        final XadesVerificationProfile p = new XadesVerificationProfile(certValidator);
        final XadesVerifier v = p.newVerifier();
        final SignatureSpecificVerificationOptions opts = new SignatureSpecificVerificationOptions();
        // relative document paths
        final String baseUri = "file:///" + file.getParentFile().getAbsolutePath().replace("\\", "/") + "/";
        logger.debug("baseUri:" + baseUri);
        opts.useBaseUri(baseUri);
        v.verify(elem, opts);
        return true;
    } catch (final IllegalArgumentException | XAdES4jException | CertificateException | IOException
            | ParserConfigurationException | SAXException e) {
        logger.error("XML not validated!", e);
    }
    return false;
}
```
The CertificateValidationProvider must return ValidationData with a certificate chain that validates the certificate represented by the supplied CertSelector. As described in the documentation, the certificates in the ValidationData should be in order, namely, the first certificate should be the signing certificate.

When validating a TS token, the signing certificate is the TSA's certificate. When the CertificateValidationProvider is asked for validation with a CertSelector, it must return the TSA cert in the first position of the chain. The TS validation code assumes it is in the first position, as documented.

In your validation code you're picking the certificates in the signature. That list is not a valid certificate chain as needed for the certificate validations. Eventually, the TSA certificate won't be present in the signature.

I think you'll need to change the CertificateValidationProvider implementation to return, at least, the appropriate certificate in the first position. Let me know if this helps.
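As an added example (not code from the question or from xades4j), here is a CertificateValidationProvider that honours the ordering described above: it puts the certificate matched by the CertSelector first (for a SignatureTimeStamp that is the TSA certificate) and appends its issuers behind it. The validate signature and the ValidationData(List) constructor are xades4j's; the CannotSelectCertificateException(selector, cause) constructor is assumed, and the certificate pool is assumed to be loaded by the caller. Validity-period and revocation checks are left out.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.*;
import xades4j.providers.CannotSelectCertificateException;
import xades4j.providers.CertificateValidationException;
import xades4j.providers.CertificateValidationProvider;
import xades4j.providers.ValidationData;

public final class SelectorFirstValidationProvider implements CertificateValidationProvider {
    // Certificates known to the application: signer certs, the TSA cert and their CAs (assumed loaded by the caller).
    private final List<X509Certificate> knownCerts;

    public SelectorFirstValidationProvider(Collection<X509Certificate> knownCerts) {
        this.knownCerts = new ArrayList<>(knownCerts);
    }

    @Override
    public ValidationData validate(X509CertSelector certSelector, Date validationDate,
                                   Collection<X509Certificate> otherCerts) throws CertificateValidationException {
        List<X509Certificate> pool = new ArrayList<>(knownCerts);
        if (otherCerts != null) pool.addAll(otherCerts); // extra certificates handed in by the verifier, if any

        // 1. The certificate the selector describes goes FIRST. For a SignatureTimeStamp the selector
        //    names the TSA certificate (issuer + serial), not the document signer's certificate.
        X509Certificate leaf = pool.stream().filter(certSelector::match).findFirst()
                .orElseThrow(() -> new CannotSelectCertificateException(certSelector,   // constructor assumed
                        new NoSuchElementException("no known certificate matches the selector")));

        // 2. Walk upwards: the next element must be the issuer of the previous one and its key must
        //    verify that certificate. Stop at a self-signed cert, an unknown issuer, or a loop.
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = findIssuer(current, pool);
            if (issuer == null || chain.contains(issuer)) break;
            chain.add(issuer);
            current = issuer;
        }
        return new ValidationData(chain); // index 0 is the selected (e.g. TSA) certificate
    }

    private static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(candidate.getPublicKey()); // same name is not enough: the key must check out
                return candidate;
            } catch (GeneralSecurityException ignored) { /* wrong key for this name, keep looking */ }
        }
        return null;
    }
}
```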