javaxades4j

Error when verifying signature: SigningCertificate property contains one or more certificates that are not part of the certification path

I'm using xades4j and I'm getting this exception when trying to verify signature: 

xades4j.verification.SigningCertificateCertsNotInCertPathException: Verification failed for property 'SigningCertificate': SigningCertificate property contains one or more certificates that are not part of the certification path.

Here is my code to sign:

public File sign(final X509Certificate x509, final PrivateKey priv, final Element elemToSign, final Document doc, final String fileName, final com.softexpert.crypto.document.Document document, List<X509Certificate> chain) throws Exception {
    final KeyingDataProvider kp = new SEDirectKeyingDataProvider(x509, priv, chain);
    XadesSigningProfile profile = new XadesBesSigningProfile(kp);
    final SESignaturePropertiesProvider propProv = this.getPropertiesProvider(document);

    profile = profile.withSignaturePropertiesProvider(propProv);
    profile = profile.withAlgorithmsProvider(AlgorithmsProvider.class);
    profile = profile.withTimeStampTokenProvider(TimeStampTokenProvider.class);

    final SignerBES signer = (SignerBES) profile.newSigner();
    final IndividualDataObjsTimeStampProperty dataObjsTimeStamp = new IndividualDataObjsTimeStampProperty();
    final DataObjectDesc obj = new EnvelopedXmlObject(elemToSign.getFirstChild()).withDataObjectTimeStamp(dataObjsTimeStamp);

    AllDataObjsCommitmentTypeProperty commitment = null;
    if (document.isProofOfOrigin() != null && document.isProofOfOrigin()) {
        commitment = AllDataObjsCommitmentTypeProperty.proofOfOrigin();
    } else {
        commitment = AllDataObjsCommitmentTypeProperty.proofOfReceipt();
    }

    SignedDataObjects dataObjs = new SignedDataObjects(obj).withCommitmentType(commitment);
    dataObjs = dataObjs.withDataObjectsTimeStamp();

    signer.sign(dataObjs, elemToSign);
    return this.outputDocument(doc, fileName);
}

private SESignaturePropertiesProvider getPropertiesProvider(com.softexpert.crypto.document.Document document) {
    SESignaturePropertiesProvider propertiesProvider = new SESignaturePropertiesProvider();

    if (document.getRole() != null) {
        final SignerRoleProperty signerRole = new SignerRoleProperty().withClaimedRole(document.getRole());
        propertiesProvider.setSignerRole(signerRole);
    }
    final SigningTimeProperty signingTime = new SigningTimeProperty();
    propertiesProvider.setSigningTime(signingTime);

    if (document.getLocalityName() != null && document.getCountry() != null) {
        final SignatureProductionPlaceProperty signatureProductionPlaceProperty = new SignatureProductionPlaceProperty(document.getLocalityName(), document.getCountry());
        propertiesProvider.setSignatureProductionPlaceProperty(signatureProductionPlaceProperty);
    }

    return propertiesProvider;
}

private File outputDocument(final Document doc, String fileName) throws Exception {
    if (!fileName.endsWith(".dsg")) {
        fileName += ".dsg";
    }

    FileOutputStream out = null;
    File f = null;
    try {
        final TransformerFactory tf = TransformerFactory.newInstance();
        f = new File(fileName);
        if (!f.exists()) {
            new File(f.getParent()).mkdirs();
            f.createNewFile();
        }
        out = new FileOutputStream(f);
        tf.newTransformer().transform(new DOMSource(doc), new StreamResult(out));
    } finally {
        if(out != null) {
            try {
                out.close();
            } catch(IOException e) {}
        }
    }

    return f;
}

And here is my code to verify:

try {
    final org.w3c.dom.Document doc = this.getDomDocument();
    doc.getDocumentElement().normalize();

    // Find Signature element
    final NodeList nl = doc.getElementsByTagNameNS(javax.xml.crypto.dsig.XMLSignature.XMLNS, "Signature");
    final CertStore crls = ... // get CRLS
    final CertStore certs = ... // get intermediate certs                
    final KeyStore ks = ... // get KS from Windows-ROOT
    final PKIXCertificateValidationProvider cvp = new PKIXCertificateValidationProvider(ks, false, certs, crls);
    final XadesVerificationProfile p = new XadesVerificationProfile(cvp);
    p.withTimeStampTokenVerifier(SETimeStampTokenProvider.class);
    final Element signatureElemntNode = (Element) nl.item(0);
    final XadesVerifier verifier = p.newVerifier();
    XAdESVerificationResult verificationResult = verifier.verify(signatureElemntNode, null); // exception is thrown here
}

I've searched for this error but couldn't find anything to help me. How can I solve this error?

Thanks in advance.

Solution

  • Based on lgoncalve's answer, I've changed my code a little bit:

    Signing: Instead of signing with the whole chain of certificates, I used only the signing certificate, so that SEDirectKeyingDataProvider.getSigningCertificateChain() returns only the signing cert). With this approach, my xml now has only one property <SigningCertificate> and no more the whole chain.

    Verifying: Using the approach I've commented above, I had a problem when verifying certs: in my xml, only the signing certificate was being referenced in property <ds:X509Certificate>, so that I could not verify the whole chain. To solve it, I had to use this code after calling XAdESVerificationResult result = verifier.verify(signatureElemntNode, null);:

    for(X509Certificate cert : chain) {         
   result.getSignature().addKeyInfo(cert);
}

    Using this code, each cert of the chain is referenced by a property <ds:X509Certificate> and I can obtain the whole chain to verify if it is trustworthy or not.