Path Build Errors


A Path Build Exception error indicates one of two things: either the certificate path is incomplete, meaning a valid certificate path could not be found from the end-entity (signer) certificate to a trusted root certificate, or there was another issue with one or more certificates in the path, e.g. an expired certificate or a rule violation.

Check the Logs

Where is the log file?

The EzSign log file should contain the actual reason for the failure, e.g.:

  Path Build Exception: Path Build: Path building failed.  Could not find issuer for : CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB

This message gives the reason for the path build failure.

Incomplete Paths

Errors such as the following:

  Path Build Exception: Path Build: Path building failed.  Could not find issuer for : CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB

These errors occur because either the root certificate is not present in the channel or the signature itself does not contain the required intermediate certificates.

To determine which, copy the signature data that was sent and paste it into the Signature Toolkit tool. This displays the certificates included in the signature, which can then be analysed.

You can install the root certificate (or any other certificates required, including the intermediate CA certificates) via the Management Utility, choosing the Import Certificate option.

Once all the required certificates have been installed, restart EzSign and attempt the verification again.

Note: This may not be an error condition at all. The signature being verified may have been signed by a rogue or spoofed certificate, and EzSign is rejecting it for this reason.

Rule Violation

Errors such as the following:

  Path Build Exception: The key size of the certificate CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB is 2048 bits.  This is less than the minimum key size of 4096 bits specified

These errors are due to the rules specified in the configuration, or within the custom path checker (if enabled).

In this specific case, the following property:

  channel.1.verify.minKeySize=4096

requires that the certificate has a key size of at least 4096 bits.

The property can be relaxed (e.g. to 2048), but the rule may be in place for a specific security reason, in which case the signature has been rejected intentionally.

Other settings that perform checks on the path and signature are shown below:

  channel.1.verify.signedAttribsRequired=true
  channel.1.verify.denyWeakSignatureHash=false
  channel.1.verify.denyWeakCertificateHash=false
  channel.1.verify.relaxRootCertExtensionChecks=false
  channel.1.verify.relaxAllCertExtensionChecks=false
  channel.1.verify.nonRepudiationRequired=true
  channel.1.verify.caBasicConstraintsRequired=true
  channel.1.verify.minKeySize=2048
  channel.1.verify.maxKeySize=8192
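
To sort a log into the two cases described under Incomplete Paths and Rule Violation, the following added example (not Krestfield code) classifies each Path Build Exception line and matches a key-size rejection to the channels whose minKeySize produced it. The timestamp prefix, sample lines, second channel and function names are constructed assumptions; only the message text and the minKeySize property name come from this page.

```python
import re

# Message shapes copied from the two error examples on this page.
NO_ISSUER = re.compile(r"Path Build Exception: .*?Could not find issuer for : (?P<dn>.+)$")
KEY_SIZE = re.compile(
    r"Path Build Exception: The key size of the certificate (?P<dn>.+?) is (?P<actual>\d+) bits\."
    r"\s+This is less than the minimum key size of (?P<minimum>\d+) bits")
MIN_KEY_PROP = re.compile(r"^[ \t]*channel\.(\d+)\.verify\.minKeySize[ \t]*=[ \t]*(\d+)[ \t]*$", re.M)

# Constructed sample input: the timestamp/level prefix is an assumption, not the real log layout.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO Verification request received
2024-01-01 10:00:01 ERROR Path Build Exception: Path Build: Path building failed.  Could not find issuer for : CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB
2024-01-01 10:05:00 ERROR Path Build Exception: The key size of the certificate CN=BANK001001, OU=Engineering, O=Krestfield Ltd, C=GB is 2048 bits.  This is less than the minimum key size of 4096 bits specified
"""
# Constructed properties: channel 2 is hypothetical, added to show the channel matching.
SAMPLE_PROPS = "channel.1.verify.minKeySize=4096\nchannel.2.verify.minKeySize=2048\n"

def min_key_sizes(properties_text):
    """Map channel number -> configured minKeySize from properties text."""
    return {int(ch): int(bits) for ch, bits in MIN_KEY_PROP.findall(properties_text)}

def triage(log_text, properties_text=""):
    """Classify each Path Build Exception line: incomplete path, key-size rule, or other."""
    minimums = min_key_sizes(properties_text)
    findings = []
    for line in log_text.splitlines():
        if "Path Build Exception" not in line:
            continue
        if m := NO_ISSUER.search(line):
            # The DN is the certificate whose issuer is missing from the channel or signature.
            findings.append({"kind": "incomplete_path", "subject": m["dn"].strip()})
        elif m := KEY_SIZE.search(line):
            minimum = int(m["minimum"])
            findings.append({
                "kind": "key_size_rule", "subject": m["dn"].strip(),
                "actual": int(m["actual"]), "minimum": minimum,
                # Channels whose configured minimum matches the one quoted in the error.
                "channels": sorted(c for c, bits in minimums.items() if bits == minimum),
            })
        else:
            findings.append({"kind": "other", "line": line.strip()})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, SAMPLE_PROPS):
        print(finding)
```

An "other" finding means the message matched neither shape shown on this page and needs to be read directly in the log.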