ESig DSS signature verification always returns INDETERMINATE

WBOY (forwarded)
2024-02-22 13:49:06

PHP editor Xinyi introduces: In Java development, ESig DSS signature verification may always return "INDETERMINATE", which can happen when the signature is incomplete or cannot be verified. The problem usually involves digital certificates, signature algorithms and similar factors, and requires careful inspection of the signature data and the verification process. Solutions include checking the signature algorithm, certificate validity and signature data integrity to ensure that every step is correct. By carefully troubleshooting possible issues, you can resolve this common signature verification headache and ensure the data security and integrity of your system.

Question content

I am trying to use the European Commission-sponsored Digital Signature Service (DSS) library 5.12.1 to verify electronic signatures of digitally signed PDF and XML documents.

The code I used is

// Decode the Base64-encoded signed document
byte[] binaryPdf = Base64.getDecoder().decode(base64EncodedDocument);
// Trusted certificate source; no certificates are added to it
CommonTrustedCertificateSource trustedCertSource = new CommonTrustedCertificateSource();
// Verifier with online AIA, OCSP and CRL sources
CertificateVerifier cv = new CommonCertificateVerifier();
cv.setAIASource(new DefaultAIASource());
cv.setOcspSource(new OnlineOCSPSource());
cv.setCrlSource(new OnlineCRLSource());
cv.addTrustedCertSources(trustedCertSource);
// Wrap the bytes and let DSS pick the validator for the document format
DSSDocument document = new InMemoryDocument(binaryPdf, shortFileName);
SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(document);
documentValidator.setCertificateVerifier(cv);
UserFriendlyIdentifierProvider userFriendlyIdentifierProvider = new UserFriendlyIdentifierProvider();
documentValidator.setTokenIdentifierProvider(userFriendlyIdentifierProvider);
// Run the validation and collect the reports
Reports reports = documentValidator.validateDocument();

As indicated in the DSS documentation PDF. My application always gets the no_certificate_chain_found indication with the indeterminate sub-indication (visible in the certificate element of the certificate chain). It cannot find the trust anchor. When I use the sample application 5.12.1 for signature verification and try to verify the same document, I get the expected total_passed indication. My application has access to the internet. What did I do wrong? Thanks!

Workaround

There are differences between the sample application and your code.
The sample application comes with a preconfigured trusted root list (EU LOTL).
Your code comes with an empty CommonTrustedCertificateSource (i.e. no certificate is trusted).

See DSS FAQ

So you need to add some certificates to CommonTrustedCertificateSource. If you are only validating signatures you create, add your CA root/signing certificate to Trusted Sources. If you want to verify a third-party signature, the solution is more complicated. For example, you can extract all certified content from a PDF and add them to a trusted list before validating.
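The first case in the answer (validating signatures issued under your own CA), as an added example that is not part of the original question or answer: the root certificate is checked against a pinned SHA-256 fingerprint before it becomes a trust anchor. The class name, command-line arguments and the fingerprint placeholder are assumptions.

```java
import eu.europa.esig.dss.enumerations.Indication;
import eu.europa.esig.dss.enumerations.SubIndication;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.spi.x509.aia.DefaultAIASource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import java.io.File;
import java.math.BigInteger;
import java.security.MessageDigest;

public class ValidateWithPinnedRoot { // hypothetical class name
    // Placeholder: SHA-256 (hex) of your root CA certificate, obtained out of band.
    static final String EXPECTED_ROOT_SHA256 = "<sha256-hex-of-your-root-ca>";

    public static void main(String[] args) throws Exception {
        // Assumed arguments: args[0] = root CA certificate file, args[1] = signed PDF or XML
        CertificateToken root = DSSUtils.loadCertificate(new File(args[0]));
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(root.getEncoded());
        String actual = String.format("%064x", new BigInteger(1, digest));
        if (!actual.equalsIgnoreCase(EXPECTED_ROOT_SHA256)) {
            throw new SecurityException("Unexpected root certificate: " + actual);
        }

        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(root); // the trust anchor missing from the question's code

        CommonCertificateVerifier cv = new CommonCertificateVerifier();
        cv.setAIASource(new DefaultAIASource());
        cv.setOcspSource(new OnlineOCSPSource());
        cv.setCrlSource(new OnlineCRLSource());
        cv.addTrustedCertSources(trusted);
        DSSDocument document = new FileDocument(new File(args[1]));
        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(document);
        validator.setCertificateVerifier(cv);
        SimpleReport report = validator.validateDocument().getSimpleReport();
        for (String id : report.getSignatureIdList()) {
            Indication indication = report.getIndication(id);
            SubIndication sub = report.getSubIndication(id); // null when there is none
            System.out.println(id + ": " + indication + (sub == null ? "" : " / " + sub));
        }
    }
}
```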

Statement:
This article is reproduced from stackoverflow.com.