Home/ Questions/Q 8637317
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T10:27:01+00:00

When I validate a signature, that I have created before using the same keystore

  • 0

When I validate a signature, that I have created before using the same keystore (and XA), the following exception arises:

Verification failed for property ‘SigningCertificate’: SigningCertificate property contains one or more certificates that are not part of the certification path.

I’m using the following cert-chain:

  1. root-CA (globalsign),
  2. intermediate certificate
  3. company certificate
  4. project certificate

All certificate are stored in the used keystore.

However, when trying the same thing with a self-signed certificate, only it worked, I just needed to put the certificate in the certs-and-crls-directory, too.

KeyingDataProvider:

new FileSystemKeyStoreKeyingDataProvider(KeyStore.getDefaultType(),
    "D:\...\signing.keystore", 
    new FirstCertificateSelector(),
    new DirectStorePasswordProvider("pass"),
    new DirectKeyPasswordProvider("pass"), true);

CertificateValidationProvider:

FileSystemDirectoryCertStore certStore = new FileSystemDirectoryCertStore("D:\...\certs");
CertificateValidationProvider certValidator = new PKIXCertificateValidationProvider(
        loadKeystore(), 
        false, // should be true, when validation works.
        certStore.getStore());

private KeyStore loadKeystore() {
    // deleted exception handling for readability, here
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream keystoreInStream = new FileInputStream("D:\...\verification.keystore");
    keyStore.load(keystoreInStream, "pass".toCharArray());
    return keyStore;
}

Feedback on keystores

The signing-keystore contains all 4 certificates. The verification-keystore contains the root-certificate (globalsign-root-ca), only. The certs-directory contains all certificates but the root (globalsign-root-ca). Then I get the following error:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

When using the same keystore as for signing (a file-system-copy) then I get the error:

Caused by:
xades4j.verification.SigningCertificateCertsNotInCertPathException:
Verification failed for property ‘SigningCertificate’:
SigningCertificate property contains one or more certificates that are
not part of the certification path.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I finally figured it out (i.e. a colleague helped me to).
    The certificate/key (#3), I used to sign my self-created keypair (#4) with, was not allowed to sign other certificates. Although creating the signature was possible without any error, I got the error message unable to find valid certification path to requested target when verifying the signature, which was pretty misleading.

    As a ‘solution’, I only used certificates #1-3, and used the private key of #3 to create the signature.

    @lgoncalves thanks for your enduring help.

    P.S.: I get the same error message with my working setup, when I configure CRLs enabled, but do not provide all of them (i.e. one CRL issued by #2 and one issued by #1, when verifying a signature generated with #3).

    • 0