000014650 - Cert-J: Does CertPathCtx.trustedCerts affect SignedData message generation?

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000014650
Applies To: RSA BSAFE Cert-J
Issue: Cert-J: Does CertPathCtx.trustedCerts affect SignedData message generation?

When creating a SignedData message, you need to generate a SignedData object, which requires a CertPathCtx object. When creating a CertPathCtx object, you need to specify trusted certificates.

public CertPathCtx(int pathOptions,
                   Certificate[] trustedCerts,
                   byte[][] policies,
                   java.util.Date validationTime,
                   DatabaseService database)
trustedCerts - A Certificate array that holds one or more certificates whose public keys are trusted by the application.

The SignedData samples in Cert-J (SignedMsg.java and DetachedMsg.java) do the following:

pathCtx = new CertPathCtx(CertPathCtx.PF_IGNORE_REVOCATION,
                          CertUtilities.loadTrustedCerts(certJ),
                          null, new Date(), dbService);
...
SignedData data = (SignedData) ContentInfo.getInstance
    (ContentInfo.SIGNED_DATA, certJ, pathCtx);

Does the signer certificate have to chain up to a trusted certificate in the CertPathCtx.trustedCerts in order to successfully create the SignedData message? 

Resolution

The CertPathCtx.trustedCerts parameter does not affect signed message generation; the samples specify trusted certificates only so that the message can be verified afterwards.

Even if the certificates in CertPathCtx.trustedCerts are unrelated to the signer certificate, the signed message is generated successfully. However, because the sample uses the same pathCtx both to create the SignedData object and to verify it, verification fails if a certificate path from the signer certificate to one of the trusted certificates cannot be built.

A valid array of certificates must still be specified for CertPathCtx.trustedCerts (an exception is thrown if it is null).
Legacy Article ID: a48681
