Code development platform for open source projects from the European Union institutions

Skip to content

Use public key instead of certificate to verify CAdES signature integrity

Pierrick VANDENBROUCKE requested to merge github/fork/pkoziol/fix-expired-cades-integrity-check into develop

Created by: pkoziol

Validating XAdES signature created with expired certificate results in indication INDETERMINATE and subindication OUT_OF_BOUNDS_NO_POE. Simple report contains:

<Indication>INDETERMINATE</Indication>
<SubIndication>OUT_OF_BOUNDS_NO_POE</SubIndication>
<Error NameId="BBB_XCV_ICTIVRSC_ANS" NotAfter="2014-07-04T11:02:03Z" NotBefore="2013-07-04T11:02:03Z">The current time is not in the validity range of the signer's certificate.</Error>
<Warning NameId="LABEL_TINTWS">Additional assurance on the signing time may be needed to prove the validity of the signature.</Warning>

This is completely clear, because there was no timestamp. But...

Using the same file and certificate to create CAdES signature and then validating it results in indication INVALID and subindication HASH_FAILURE.

<Indication>INVALID</Indication>
<SubIndication>HASH_FAILURE</SubIndication>
<Error NameId="BBB_CV_IRDOI_ANS">The reference data object(s) is not intact!</Error>
<Info>verifier not valid at signingTime</Info>

This is caused by Bouncy Castle which checks if certificate is valid on signing time. DSS will check certificate validity later, so there is no need to do it in signature integrity verification.

Sollution to this problem is to use public key instead of certificate to build JcaSimpleSignerInfoVerifierBuilder. (According to Martijn Brinkers' post from mailing list dev-crypto@bouncycastle.org).

This is the same as arhs/sd-dss#14

Merge request reports

For further information about the platform and support, please see https://code.europa.eu/info/about