0

XAdES我在使用Xades4jAPI的应用程序中验证签名时遇到问题。我尝试验证两个 singed 文件1.docx2.pdf. 当我验证2.pdf我得到一个异常

18:03:38.230 [http-listener-1(5)] ERROR p.c.k.i.repository.pki.DigitalSignVerifierService - Invalid certification path. 
xades4j.providers.CannotBuildCertificationPathException: unable to find valid certification path to requested target
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:257) ~[xades4j-1.3.1.jar:na]
    at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:175) ~[xades4j-1.3.1.jar:na]
    at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl.verifyFileSignature(DigitalSignVerifierServiceImpl.java:95) ~[KBFPortalEJB.jar/:na]
    at pl.comp.kbf.services.ejb.repository.pki.DigitalSignVerifierServiceImpl$Proxy$_$$_WeldClientProxy.verifyFileSignature(Unknown Source) [KBFPortalEJB.jar/:na]
    at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifyXadesSignature(FileSignatureBean.java:210) [FileSignatureBean.class:na]
    at pl.comp.kbf.portal.documents.registered.FileSignatureBean.verifySignature(FileSignatureBean.java:174) [FileSignatureBean.class:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_75]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_75]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_75]
    at java.lang.reflect.Method.invoke(Method.java:606) ~[na:1.7.0_75]
    at com.sun.el.parser.AstValue.invoke(AstValue.java:289) [javax.el.jar:3.0.1-b03]
    at com.sun.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:304) [javax.el.jar:3.0.1-b03]
    at org.jboss.weld.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) [weld-osgi-bundle.jar:2014-06-18 10:59]
    at org.jboss.weld.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) [weld-osgi-bundle.jar:2014-06-18 10:59]
    at com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:105) [javax.faces.jar:2.2.7]
    at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:87) [javax.faces.jar:2.2.7]
    at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102) [javax.faces.jar:2.2.7]
    at javax.faces.component.UICommand.broadcast(UICommand.java:315) [javax.faces.jar:2.2.7]
    at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790) [javax.faces.jar:2.2.7]
    at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) [javax.faces.jar:2.2.7]
    at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198) [javax.faces.jar:2.2.7]
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:646) [javax.faces.jar:2.2.7]
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.primefaces.webapp.filter.FileUploadFilter.doFilter(FileUploadFilter.java:105) [primefaces-5.1.jar:5.1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:205) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.doInvoke(ApplicationDispatcher.java:873) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:739) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:575) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.doDispatch(ApplicationDispatcher.java:546) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.dispatch(ApplicationDispatcher.java:428) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:378) [web-core.jar:na]
    at org.ocpsoft.rewrite.servlet.impl.HttpRewriteResultHandler.handleResult(HttpRewriteResultHandler.java:41) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.rewrite(RewriteFilter.java:268) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.ocpsoft.rewrite.servlet.RewriteFilter.doFilter(RewriteFilter.java:188) [rewrite-servlet-2.0.12.Final.jar:2.0.12.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256) [web-core.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [web-core.jar:na]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316) [web-core.jar:na]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160) [web-core.jar:na]
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734) [web-core.jar:na]
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673) [web-core.jar:na]
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99) [web-glue.jar:na]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174) [web-core.jar:na]
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:415) [web-core.jar:na]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:282) [web-core.jar:na]
    at com.sun.enterprise.v3.services.impl.ContainerMapper$HttpHandlerCallable.call(ContainerMapper.java:459) [kernel.jar:na]
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:167) [kernel.jar:na]
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:201) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:175) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:235) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565) [nucleus-grizzly-all.jar:na]
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545) [nucleus-grizzly-all.jar:na]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_75]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_75]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) ~[na:1.7.0_75]
    at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253) ~[xades4j-1.3.1.jar:na]
    ... 70 common frames omitted

我知道签名2.pdf的签名已过期,但我想毫无例外地验证......当我1.docx在我的应用程序中验证未过期时,验证成功。我也尝试在线验证这两个文件,并且在两种情况下验证成功。下面我想在两个文件中显示证书链。

1.docx

2.pdf

在第一个文件中,我将一个.cer文件放入 java 密钥库,然后将此文件加载到证书库。在第二个文件中,我放了两个.cer文件,链的第一个和第二个元素。我的问题在哪里?

4

2 回答 2

0

您使用的内置证书验证程序 ()始终定义验证日期。这应该是导致验证失败的原因,因为未过期的证书不会失败。

如果您需要不同的行为,您应该提供自己的行为CertificateValidationProvider并在验证配置文件中进行配置。

编辑:如果您参考文档,您会看到验证日期已提供给证书验证者。该日期由签名中的信息确定,即可能存在的任何时间戳。

于 2015-07-06T14:20:59.173 回答
0

XML 签名

<?xml version="1.0" encoding="UTF-8"?>
<Signatures Id="ID-437e56ad-bd1b-4d93-9387-0e2462699879">
    <ds:Signature
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="ID-f0d708f0-49f8-4410-8551-37cc90ddbcee">
        <ds:SignedInfo Id="ID-037809c4-025d-405b-aaa8-7b79b7ddc459">
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference Id="ID-07b4b35a-1285-4008-8ecc-1a773ad8ab65" URI="karta%20tytulowa%2059.2012.pdf">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>e6/5fPVwCzvxFPrQJCh9w95l8Uo=</ds:DigestValue>
            </ds:Reference>
            <ds:Reference Id="ID-1efc4682-4cb7-4801-9455-a86115d09814" URI="#ID-a62db972-ece5-4313-a888-5020ad7b9884" Type="http://uri.etsi.org/01903#SignedProperties">
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>Y2tQmmdbMF1YJqyncYKv5x1SXyw=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue Id="ID-0bf2af9e-4758-4bac-b477-574853fc32aa">DU6/QqMPhUDB+tIXY3rGMK7ccuD1Rb6CBp3Z0QzjHEMxnk75a5ukUtaHDYawiaUXGBr+T98ElfOYu/k5
LUPsJprG7dEHirpfVIo3BLqoyH0SYmg+R7kDVBk+RDKrSADxPBgp+FwAo8q/CAfPt7eoOof9e2hUTk9O
zJYO3YJvl34G70YgaUC/BXyITpQ6f8nmmrIjgRdmvacB06FPgibPiihtKUIptzKFHEl90OfSvbogV1CW
4Z+Dvi8TBOOGgC3nJpp4MgkakjccGYw8iToMiNMK4MlH0Nec9HUq9FEDD9J697OG0aaCNW6BIuTyV+XU
3BZhv03gJshP8Pn50GYptQ==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus>AJPbmujaAt95trOv8dg9Wm+EN4kl2RhvFGf7C0MgdiHM+2L1VBV0B6JZbSSTX538iyu6leXkiXXMTm3O
7/OIvVoqLYAYI5VFG1OJqdVxTHbg7cKRV0sv42GhP6TcvGOwXb80pgsRR01wcEz4SIDYgNArSBz9aq3r
yYuz/ZVmvBhlnXPwl3jzm3UfSKKZnFmaq98R9+8pMz3Ocfn82Y9zxLQzIhhQAFFHGQ+oQnqD988aRYyx
RmnnwVJDHpudyRbSghzIPQtwn7G4dOIE3Ate0fii1NbxpLIJGeO4UtYiPV2PYIMPNCQ4NCEHVUct1Xz3
cUqv+/9wreHGnmkQMDp71ZE=</ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
            <ds:X509Data>
                <ds:X509Certificate>MIIF7jCCBNagAwIBAgIEAQHNtjANBgkqhkiG9w0BAQUFADBzMQswCQYDVQQGEwJQTDEoMCYGA1UECgwf
S3Jham93YSBJemJhIFJvemxpY3plbmlvd2EgUy5BLjEkMCIGA1UEAwwbQ09QRSBTWkFGSVIgLSBLd2Fs
aWZpa293YW55MRQwEgYDVQQFEwtOciB3cGlzdTogNjAeFw0xNDAzMTQwODAwMDBaFw0xNTAzMTQwODAw
MDBaMG4xCzAJBgNVBAYTAlBMMRswGQYDVQQFExJQRVNFTDogNzYwOTAzMDAzMDIxGzAZBgNVBAMMEkl6
YWJlbGEgRXdhIEhlbGJpbjEUMBIGA1UEKgwLSXphYmVsYSBFd2ExDzANBgNVBAQMBkhlbGJpbjCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJPbmujaAt95trOv8dg9Wm+EN4kl2RhvFGf7C0MgdiHM
+2L1VBV0B6JZbSSTX538iyu6leXkiXXMTm3O7/OIvVoqLYAYI5VFG1OJqdVxTHbg7cKRV0sv42GhP6Tc
vGOwXb80pgsRR01wcEz4SIDYgNArSBz9aq3ryYuz/ZVmvBhlnXPwl3jzm3UfSKKZnFmaq98R9+8pMz3O
cfn82Y9zxLQzIhhQAFFHGQ+oQnqD988aRYyxRmnnwVJDHpudyRbSghzIPQtwn7G4dOIE3Ate0fii1Nbx
pLIJGeO4UtYiPV2PYIMPNCQ4NCEHVUct1Xz3cUqv+/9wreHGnmkQMDp71ZECAwEAAaOCAo0wggKJMAwG
A1UdEwEB/wQCMAAwggFPBgNVHSABAf8EggFDMIIBPzCCATsGCSqEaAGG9yMBATCCASwwgd0GCCsGAQUF
BwICMIHQDIHNRGVrbGFyYWNqYSB0YSBqZXN0IG/Fm3dpYWRjemVuaWVtIHd5ZGF3Y3ksIMW8ZSB0ZW4g
Y2VydHlmaWthdCB6b3N0YcWCIHd5ZGFueSBqYWtvIGNlcnR5ZmlrYXQga3dhbGlmaWtvd2FueSB6Z29k
bmllIHogd3ltYWdhbmlhbWkgdXN0YXd5IG8gcG9kcGlzaWUgZWxla3Ryb25pY3pueW0gb3JheiB0b3dh
cnp5c3rEhWN5bWkgamVqIHJvenBvcnrEhWR6ZW5pYW1pLjBKBggrBgEFBQcCARY+aHR0cDovL3d3dy5l
bGVrdHJvbmljem55cG9kcGlzLnBsL2luZm9ybWFjamUvZG9rdW1lbnR5LWktdW1vd3kwCQYDVR0JBAIw
ADAmBgNVHREEHzAdgRtpaGVsYmluQGJpdXJvZmVzdGl3YWxvd2UucGwwDgYDVR0PAQH/BAQDAgZAMIGg
BgNVHSMEgZgwgZWAFEV92NbMKmP4/b19ACpTpueq3ltMoXekdTBzMQswCQYDVQQGEwJQTDEoMCYGA1UE
CgwfS3Jham93YSBJemJhIFJvemxpY3plbmlvd2EgUy5BLjEkMCIGA1UEAwwbQ09QRSBTWkFGSVIgLSBL
d2FsaWZpa293YW55MRQwEgYDVQQFEwtOciB3cGlzdTogNoIEAP///zBABgNVHR8EOTA3MDWgM6Axhi9o
dHRwOi8vZWxla3Ryb25pY3pueXBvZHBpcy5wbC9jcmwvY3JsX296azQyLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEAP4RpKbR0YRsg8uDk54mCM3S/v5TquvSyhAiNvuCtTx1OV13us3nUU95Bdrp/1yuKjGDeF7IS
NVW/jAQruzXlriAmYjetboa1fkRfZYu8oeUznVv7og3m+haZlroPeBOA4HbGFA9t1qEpfOox+Y5J5xtr
NzFLPaBR9HmdHqterSx7CvrMzaPyWisU3wWAIksTKuCFf94V0Ml7uSSMs1AtJsWXtVkgaqG/Bk9RcH3q
kMabWEgo/5xcc2XcP4avpmE0QbXMKibBCmjxhUb5lav+XsZYGFAZJj0gkZpJGvrkLsXVNVUasVcaCAlH
vhl6PpeF8iTO6wxyCgtvnKK4nixyKQ==</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
        <ds:Object>
            <xades:QualifyingProperties
                xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="ID-35683a63-cb3b-4b75-91e8-0c11773a3be1" Target="#ID-f0d708f0-49f8-4410-8551-37cc90ddbcee">
                <xades:SignedProperties Id="ID-a62db972-ece5-4313-a888-5020ad7b9884">
                    <xades:SignedSignatureProperties>
                        <xades:SigningTime>2014-11-05T08:56:51Z</xades:SigningTime>
                        <xades:SigningCertificate>
                            <xades:Cert>
                                <xades:CertDigest>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    <ds:DigestValue>zpiuFxm5gcAa6/IzkEqPyLP/K38=</ds:DigestValue>
                                </xades:CertDigest>
                                <xades:IssuerSerial>
                                    <ds:X509IssuerName>serialNumber=Nr wpisu: 6,CN=COPE SZAFIR - Kwalifikowany,O=Krajowa Izba Rozliczeniowa S.A.,C=PL</ds:X509IssuerName>
                                    <ds:X509SerialNumber>16895414</ds:X509SerialNumber>
                                </xades:IssuerSerial>
                            </xades:Cert>
                        </xades:SigningCertificate>
                    </xades:SignedSignatureProperties>
                    <xades:SignedDataObjectProperties>
                        <xades:DataObjectFormat ObjectReference="#ID-07b4b35a-1285-4008-8ecc-1a773ad8ab65">
                            <xades:Description>Dokument Adobe Acrobat [PDF]</xades:Description>
                            <xades:MimeType>application/octet-stream</xades:MimeType>
                        </xades:DataObjectFormat>
                        <xades:CommitmentTypeIndication>
                            <xades:CommitmentTypeId>
                                <xades:Identifier>http://uri.etsi.org/01903/v1.2.2#ProofOfApproval</xades:Identifier>
                            </xades:CommitmentTypeId>
                            <xades:AllSignedDataObjects/>
                        </xades:CommitmentTypeIndication>
                    </xades:SignedDataObjectProperties>
                </xades:SignedProperties>
            </xades:QualifyingProperties>
        </ds:Object>
    </ds:Signature>
</Signatures>
于 2015-07-06T17:16:12.993 回答