
Adding option to skip certificate validation for Signed Documents

Open bsmelo opened this issue 5 years ago • 3 comments

I'm not sure if this would be the correct (or best) point to add it, but this is what I came up with after debugging the validation process.

Our use case is that the Brazilian Government-issued certificates have specific OIDs to be validated, and there are a few well-known national frameworks around to do that. So, instead of letting DSS try to retrieve revocation data, perform a validation, etc., we can just set this flag to inform the SignedDocumentValidator to skip that phase and perform a separate certificate validation using one of the national frameworks mentioned.

Please let me know your thoughts about this solution.

Signed-off-by: Bruno Melo [email protected]

bsmelo avatar Jun 18 '19 20:06 bsmelo

Hello Bruno,

With this parameter, I think that the whole signature is not processed. What do you think about an offline validation like we do in our unit tests?

The signature will be processed but we avoid collecting online resources (AIA, CRL, OCSP, ...). The validation as specified in EN 319 102-1 should work and conclude with a coherent result.

Regards,

Pierrick

pvandenbroucke avatar Jun 19 '19 04:06 pvandenbroucke

Hi,

Is there any difference between

SignedDocumentValidator validadorDss = SignedDocumentValidator.fromDocument(documentoDSS);
//(...)
CommonCertificateVerifier ccv = new CommonCertificateVerifier(true);
validadorDss.setCertificateVerifier(ccv);

and

private CertificateVerifier getOfflineCertificateVerifier() {
    CertificateVerifier cv = new CommonCertificateVerifier();
    cv.setDataLoader(new IgnoreDataLoader());
    return cv;
}

SignedDocumentValidator validadorDss = SignedDocumentValidator.fromDocument(documentoDSS);
//(...)
validadorDss.setCertificateVerifier(getOfflineCertificateVerifier());

?

In both cases I see output like this in the console:

[main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - External revocation check is skipped for untrusted certificate : C210DA2FDD8004DDACDF0502D1BFB3BAEFBAAA055909635A2F974AAE5E1832DA
[main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - No revocation found for certificate C210DA2FDD8004DDACDF0502D1BFB3BAEFBAAA055909635A2F974AAE5E1832DA

> With this parameter, I think that the whole signature is not processed. What do you think about an offline validation like we do in our unit tests?

I might be wrong about this, as I'm still learning my way through DSS... But my idea with the added parameter is to skip certificate validation completely (as done in https://github.com/esig/dss/pull/120/files#diff-26db36561ab333e3ae11c3f903be11bcL329) without skipping actual signature processing and validation against the defined policy (e.g. constraint.xml) file, as done in https://github.com/esig/dss/pull/120/files#diff-26db36561ab333e3ae11c3f903be11bcR348.

Thanks for the answers and Best Regards, Bruno Melo.

bsmelo avatar Jun 24 '19 15:06 bsmelo

Hello @bsmelo,

The validation of a certificate chain is essential within a SignatureValidationContext, because in this way DSS verifies the validity of all tokens, finds their issuers and builds the respective certificate chain(s). Without this step you would not be able to run the 102-1 validation process properly. If you only have an issue with revocation data extraction, and you want to skip it, you have different possibilities: provide NULL revocation sources to the CertificateVerifier, or maybe configure a RevocationDataLoadingStrategy within the CertificateVerifier.

Would it work for you?

Best regards, Aleksandr.

bsanchezb avatar Jun 16 '22 09:06 bsanchezb
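
The offline configuration suggested in the reply above (null revocation sources, chain building kept), as an added example that is not code from this thread or from the DSS project. It assumes DSS 5.9 to 6.0 package names and `setAIASource`, since the thread names no version; the class name, the command-line arguments and the trust-anchor file are hypothetical.

```java
import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

import java.io.File;

// Hypothetical class: args[0] = signed document, args[1] = trust anchor certificate file.
public class OfflineValidationExample {

    // Verifier that never goes online but still carries a trust anchor,
    // so DSS can build and check the certificate chain.
    static CommonCertificateVerifier offlineVerifier(File trustAnchorFile) {
        CertificateToken anchor = DSSUtils.loadCertificate(trustAnchorFile);
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(anchor);

        CommonCertificateVerifier cv = new CommonCertificateVerifier();
        cv.setTrustedCertSources(trusted);
        cv.setCrlSource(null);   // no online CRL retrieval
        cv.setOcspSource(null);  // no online OCSP retrieval
        cv.setAIASource(null);   // no issuer download through AIA
        return cv;
    }

    public static void main(String[] args) {
        DSSDocument signed = new FileDocument(args[0]);
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(signed);
        validator.setCertificateVerifier(offlineVerifier(new File(args[1])));

        // The signature and the chain are still processed; the indication reflects
        // the validation policy, including how it rates missing revocation data.
        Reports reports = validator.validateDocument();
        SimpleReport simple = reports.getSimpleReport();
        for (String id : simple.getSignatureIdList()) {
            Indication indication = simple.getIndication(id);
            System.out.println(id + " -> " + indication + " / " + simple.getSubIndication(id));
        }
    }
}
```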

Closed as no feedback.

bsanchezb avatar Jun 07 '23 12:06 bsanchezb