XAdES4j验证证书链

时间:2015-07-05 20:41:05

标签: java certificate x509certificate xades4j

我在应用程序中使用 xades4j API 验证 XAdES 签名时遇到问题。我尝试验证两个已签名的文件:1.docx 和 2.pdf。当我验证 2.pdf 时,收到了如下异常:

18:03:38.230 [http-listener-1(5)] ERROR p.c.k.i.repository.pki.DigitalSignVerifierService - Invalid certification path. 
xades4j.providers.CannotBuildCertificationPathException: unable to find valid certification path to requested target
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:257) ~[xades4j-1.3.1.jar:na]
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:175) ~[xades4j-1.3.1.jar:na]
    at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl.verifyFileSignature(DigitalSignVerifierServiceImpl.java:95) ~[KBFPortalEJB.jar/:na]
    at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl$Proxy$_$$_WeldClientProxy.verifyFileSignature(Unknown Source) [KBFPortalEJB.jar/:na]
    at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifyXadesSignature(FileSignatureBean.java:210) [FileSignatureBean.class:na]
    at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifySignature(FileSignatureBean.java:174) [FileSignatureBean.class:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_75]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_75]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
    at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
    at com.sun.el.parser.AstValue.invoke(AstValue.java:289) [javax.el.jar:3.0.1-b03]
    at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:304) [javax.el.jar:3.0.1-b03]
    at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-osgi-bundle.jar:2014-06-18 10:59]
    at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-osgi-bundle.jar:2014-06-18 10:59]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [javax.faces.jar:2.2.7]
    at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [javax.faces.jar:2.2.7]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [javax.faces.jar:2.2.7]
    at javax.faces.component.UICommand.broadcast(UICommand.java:315) [javax.faces.jar:2.2.7]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [javax.faces.jar:2.2.7]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [javax.faces.jar:2.2.7]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646) [javax.faces.jar:2.2.7]
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:105) [primefaces-5.1.jar:5.1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:205) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.doInvoke(ApplicationDispatcher.java:873) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:739) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:575) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.doDispatch(ApplicationDispatcher.java:546) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.dispatch(ApplicationDispatcher.java:428) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:378) [web-core.jar:na]
    at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:41) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:268) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316) [web-core.jar:na]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160) [web-core.jar:na]
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734) [web-core.jar:na]
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673) [web-core.jar:na]
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99) [web-glue.jar:na]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174) [web-core.jar:na]
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415) [web-core.jar:na]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282) [web-core.jar:na]
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459) [kernel.jar:na]
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167) [kernel.jar:na]
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545) [nucleus-grizzly-all.jar:na]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_75]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_75]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) ~[na:1.7.0_75]
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253) ~[xades4j-1.3.1.jar:na]
    ... 70 common frames omitted

我知道 2.pdf 的签名证书已过期,但我希望验证时不抛出异常……当我在应用程序中验证未过期的 1.docx 时,验证成功。此外,我尝试在线验证这两个文件,两种情况下验证都成功了。下面我展示这两个文件的证书链。

1.docx

2.pdf

对于第一个文件,我将一个 .cer 文件放入 Java 密钥库,然后将其加载到 cert store 中。对于第二个文件,我放入了两个 .cer 文件,即证书链的第一个和第二个元素。我的问题出在哪里?

2 个答案:

答案 0 :(得分:0)

您使用的内置证书验证提供程序总是会自行设定验证日期(defines the verification date)。这应该就是导致验证失败的原因,因为未过期的证书是不会验证失败的。

如果您需要不同的行为,则应提供自己的 CertificateValidationProvider,并在验证配置文件(verification profile)中配置它(configure it)。

编辑:如果您参阅文档(documentation),会看到验证日期是被传递给证书验证器的。该日期由签名中的信息确定,即签名中可能存在的任何时间戳。

答案 1 :(得分:0)

XML签名

<?xml version="1.0" encoding="UTF-8"?>
<Signatures Id="ID-437e56ad-bd1b-4d93-9387-0e2462699879">
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID-f0d708f0-49f8-4410-8551-37cc90ddbcee">
        <ds:SignedInfo Id="ID-037809c4-025d-405b-aaa8-7b79b7ddc459">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference Id="ID-07b4b35a-1285-4008-8ecc-1a773ad8ab65" URI="karta%20tytulowa%2059.2012.pdf">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>e6/5fPVwCzvxFPrQJCh9w95l8Uo=</ds:DigestValue>
            </ds:Reference>
            <ds:Reference Id="ID-1efc4682-4cb7-4801-9455-a86115d09814" URI="#ID-a62db972-ece5-4313-a888-5020ad7b9884" Type="http://uri.etsi.org/01903#SignedProperties">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Y2tQmmdbMF1YJqyncYKv5x1SXyw=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue Id="ID-0bf2af9e-4758-4bac-b477-574853fc32aa">DU6/QqMPhUDB+tIXY3rGMK7ccuD1Rb6CBp3Z0QzjHEMxnk75a5ukUtaHDYawiaUXGBr+T98ElfOYu/k5
LUPsJprG7dEHirpfVIo3BLqoyH0SYmg+R7kDVBk+RDKrSADxPBgp+FwAo8q/CAfPt7eoOof9e2hUTk9O
zJYO3YJvl34G70YgaUC/BXyITpQ6f8nmmrIjgRdmvacB06FPgibPiihtKUIptzKFHEl90OfSvbogV1CW
4Z+Dvi8TBOOGgC3nJpp4MgkakjccGYw8iToMiNMK4MlH0Nec9HUq9FEDD9J697OG0aaCNW6BIuTyV+XU
3BZhv03gJshP8Pn50GYptQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>AJPbmujaAt95trOv8dg9Wm+EN4kl2RhvFGf7C0MgdiHM+2L1VBV0B6JZbSSTX538iyu6leXkiXXMTm3O
7/OIvVoqLYAYI5VFG1OJqdVxTHbg7cKRV0sv42GhP6TcvGOwXb80pgsRR01wcEz4SIDYgNArSBz9aq3r
yYuz/ZVmvBhlnXPwl3jzm3UfSKKZnFmaq98R9+8pMz3Ocfn82Y9zxLQzIhhQAFFHGQ+oQnqD988aRYyx
RmnnwVJDHpudyRbSghzIPQtwn7G4dOIE3Ate0fii1NbxpLIJGeO4UtYiPV2PYIMPNCQ4NCEHVUct1Xz3
cUqv+/9wreHGnmkQMDp71ZE=</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
            <ds:X509Data>
                <ds:X509Certificate>MIIF7jCCBNagAwIBAgIEAQHNtjANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJQTDEoMCYGA1UECgwf
S3Jham93YSBJemJhIFJvemxpY3plbmlvd2EgUy5BLjEkMCIGA1UEAwwbQ09QRSBTWkFGSVIgLSBLd2Fs
aWZpa293YW55MRQwEgYDVQQFEwtOciB3cGlzdTogNjAeFw0xNDAzMTQwODAwMDBaFw0xNTAzMTQwODAw
MDBaMG4xCzAJBgNVBAYTAlBMMRswGQYDVQQFExJQRVNFTDogNzYwOTAzMDAzMDIxGzAZBgNVBAMMEkl6
YWJlbGEgRXdhIEhlbGJpbjEUMBIGA1UEKgwLSXphYmVsYSBFd2ExDzANBgNVBAQMBkhlbGJpbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJPbmujaAt95trOv8dg9Wm+EN4kl2RhvFGf7C0MgdiHM
+2L1VBV0B6JZbSSTX538iyu6leXkiXXMTm3O7/OIvVoqLYAYI5VFG1OJqdVxTHbg7cKRV0sv42GhP6Tc
vGOwXb80pgsRR01wcEz4SIDYgNArSBz9aq3ryYuz/ZVmvBhlnXPwl3jzm3UfSKKZnFmaq98R9+8pMz3O
cfn82Y9zxLQzIhhQAFFHGQ+oQnqD988aRYyxRmnnwVJDHpudyRbSghzIPQtwn7G4dOIE3Ate0fii1Nbx
pLIJGeO4UtYiPV2PYIMPNCQ4NCEHVUct1Xz3cUqv+/9wreHGnmkQMDp71ZECAwEAAaOCAo0wggKJMAwG
A1UdEwEB/wQCMAAwggFPBgNVHSABAf8EggFDMIIBPzCCATsGCSqEaAGG9yMBATCCASwwgd0GCCsGAQUF
BwICMIHQDIHNRGVrbGFyYWNqYSB0YSBqZXN0IG/Fm3dpYWRjemVuaWVtIHd5ZGF3Y3ksIMW8ZSB0ZW4g
Y2VydHlmaWthdCB6b3N0YcWCIHd5ZGFueSBqYWtvIGNlcnR5ZmlrYXQga3dhbGlmaWtvd2FueSB6Z29k
bmllIHogd3ltYWdhbmlhbWkgdXN0YXd5IG8gcG9kcGlzaWUgZWxla3Ryb25pY3pueW0gb3JheiB0b3dh
cnp5c3rEhWN5bWkgamVqIHJvenBvcnrEhWR6ZW5pYW1pLjBKBggrBgEFBQcCARY+aHR0cDovL3d3dy5l
bGVrdHJvbmljem55cG9kcGlzLnBsL2luZm9ybWFjamUvZG9rdW1lbnR5LWktdW1vd3kwCQYDVR0JBAIw
ADAmBgNVHREEHzAdgRtpaGVsYmluQGJpdXJvZmVzdGl3YWxvd2UucGwwDgYDVR0PAQH/BAQDAgZAMIGg
BgNVHSMEgZgwgZWAFEV92NbMKmP4/b19ACpTpueq3ltMoXekdTBzMQswCQYDVQQGEwJQTDEoMCYGA1UE
CgwfS3Jham93YSBJemJhIFJvemxpY3plbmlvd2EgUy5BLjEkMCIGA1UEAwwbQ09QRSBTWkFGSVIgLSBL
d2FsaWZpa293YW55MRQwEgYDVQQFEwtOciB3cGlzdTogNoIEAP///zBABgNVHR8EOTA3MDWgM6Axhi9o
dHRwOi8vZWxla3Ryb25pY3pueXBvZHBpcy5wbC9jcmwvY3JsX296azQyLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEAP4RpKbR0YRsg8uDk54mCM3S/v5TquvSyhAiNvuCtTx1OV13us3nUU95Bdrp/1yuKjGDeF7IS
NVW/jAQruzXlriAmYjetboa1fkRfZYu8oeUznVv7og3m+haZlroPeBOA4HbGFA9t1qEpfOox+Y5J5xtr
NzFLPaBR9HmdHqterSx7CvrMzaPyWisU3wWAIksTKuCFf94V0Ml7uSSMs1AtJsWXtVkgaqG/Bk9RcH3q
kMabWEgo/5xcc2XcP4avpmE0QbXMKibBCmjxhUb5lav+XsZYGFAZJj0gkZpJGvrkLsXVNVUasVcaCAlH
vhl6PpeF8iTO6wxyCgtvnKK4nixyKQ==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <ds:Object>
            <xades:QualifyingProperties
                xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="ID-35683a63-cb3b-4b75-91e8-0c11773a3be1" Target="#ID-f0d708f0-49f8-4410-8551-37cc90ddbcee">
                <xades:SignedProperties Id="ID-a62db972-ece5-4313-a888-5020ad7b9884">
                    <xades:SignedSignatureProperties>
                        <xades:SigningTime>2014-11-05T08:56:51Z</xades:SigningTime>
                        <xades:SigningCertificate>
                            <xades:Cert>
                                <xades:CertDigest>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue>zpiuFxm5gcAa6/IzkEqPyLP/K38=</ds:DigestValue>
                                </xades:CertDigest>
                                <xades:IssuerSerial>
                                    <ds:X509IssuerName>serialNumber=Nr wpisu: 6,CN=COPE SZAFIR - Kwalifikowany,O=Krajowa Izba Rozliczeniowa S.A.,C=PL</ds:X509IssuerName>
                                    <ds:X509SerialNumber>16895414</ds:X509SerialNumber>
                                </xades:IssuerSerial>
                            </xades:Cert>
                        </xades:SigningCertificate>
                    </xades:SignedSignatureProperties>
                    <xades:SignedDataObjectProperties>
                        <xades:DataObjectFormat ObjectReference="#ID-07b4b35a-1285-4008-8ecc-1a773ad8ab65">
                            <xades:Description>Dokument Adobe Acrobat [PDF]</xades:Description>
                            <xades:MimeType>application/octet-stream</xades:MimeType>
                        </xades:DataObjectFormat>
                        <xades:CommitmentTypeIndication>
                            <xades:CommitmentTypeId>
                                <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
                            </xades:CommitmentTypeId>
                            <xades:AllSignedDataObjects/>
                        </xades:CommitmentTypeIndication>
                    </xades:SignedDataObjectProperties>
                </xades:SignedProperties>
            </xades:QualifyingProperties>
        </ds:Object>
    </ds:Signature>
</Signatures>