Add a signature option to skip certificate validity checks during sig…

…nature production (#267) This is useful for testing, specifically to create signatures using incorrect certificates to check if test targets reject such signatures. Co-authored-by: Mirko Jechow <[email protected]>
luisgoncalves · Dec 27, 2022 · 8566e02 · 8566e02
1 parent 24df5d9
commit 8566e02
Show file tree

Hide file tree

Showing 14 changed files with 309 additions and 12 deletions.
diff --git a/src/main/java/xades4j/production/BasicSignatureOptions.java b/src/main/java/xades4j/production/BasicSignatureOptions.java
@@ -27,6 +27,7 @@
 public final class BasicSignatureOptions
 {
     private boolean checkKeyUsage = true;
+    private boolean checkCertificateValidity = true;
     private SigningCertificateMode includeSigningCertificateMode = SigningCertificateMode.SIGNING_CERTIFICATE;
     private boolean includeSubjectName = false;
     private boolean includeIssuerSerial = false;
@@ -48,11 +49,31 @@ public BasicSignatureOptions checkKeyUsage(boolean enabled)
         return this;
     }
 
+    /**
+     * Configures whether to check that an invalid (time) signing certificate
+     * is allowed for signing before creating a signature. If enabled (the default)
+     * signing will fail if the certificate is invalid in time (expired or not yet valid).
+     * You should only disable this for testing.
+     *
+     * @param enabled {@code true} to enable the check, {@code false} to disable
+     * @return the current instance
+     */
+    public BasicSignatureOptions checkCertificateValidity(final boolean enabled)
+    {
+        this.checkCertificateValidity = enabled;
+        return this;
+    }
+
     boolean checkKeyUsage()
     {
         return this.checkKeyUsage;
     }
 
+    boolean checkCertificateValidity()
+    {
+        return this.checkCertificateValidity;
+    }
+
     /**
      * Configures whether the signing certificate / chain should be included in {@code ds:KeyInfo}.
      * Defauls to {@link SigningCertificateMode#SIGNING_CERTIFICATE }.

diff --git a/src/main/java/xades4j/production/KeyInfoBuilder.java b/src/main/java/xades4j/production/KeyInfoBuilder.java
@@ -76,13 +76,13 @@ void buildKeyInfo(
             }
         }
 
-        try
-        {
-            signingCertificate.checkValidity();
-        } catch (CertificateException ce)
-        {
-            // CertificateExpiredException or CertificateNotYetValidException
-            throw new SigningCertValidityException(signingCertificate);
+        if (this.basicSignatureOptions.checkCertificateValidity()) {
+            try {
+                signingCertificate.checkValidity();
+            } catch (final CertificateException ce) {
+                // CertificateExpiredException or CertificateNotYetValidException
+                throw new SigningCertValidityException(signingCertificate);
+            }
         }
 
         if (this.basicSignatureOptions.includeSigningCertificate() != SigningCertificateMode.NONE

diff --git a/src/test/cert/unchecked/expired.cer b/src/test/cert/unchecked/expired.cer
diff --git a/src/test/cert/unchecked/expired.key b/src/test/cert/unchecked/expired.key
diff --git a/src/test/cert/unchecked/expired.p12 b/src/test/cert/unchecked/expired.p12
diff --git a/src/test/cert/unchecked/expired.pem b/src/test/cert/unchecked/expired.pem
@@ -0,0 +1,110 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 662778eca63acd900fccf08300bb184799affe5b
+	Issuer: CN=Testing Authority
+	Validity:
+		Not Before: Sun Feb 20 15:21:42 UTC 2022
+		Not After: Wed Apr 20 14:21:41 UTC 2022
+	Subject: CN=Expired Test User
+	Subject Public Key Algorithm: RSA
+	Algorithm Security Level: High (3072 bits)
+		Modulus (bits 3072):
+			00:e0:ca:f6:87:ed:ad:79:b9:23:69:82:c3:bc:0c:48
+			19:a6:68:8e:9f:15:8c:82:ea:01:f5:af:40:e5:6e:3d
+			1a:dc:1b:eb:2f:ff:8e:b0:9e:f3:6f:d5:81:ac:ed:f6
+			de:d4:44:d7:14:20:a0:40:f9:f2:51:37:01:d7:fd:fb
+			90:2f:be:be:42:2a:3a:4e:e5:2b:2a:5b:28:d0:7f:40
+			1d:dd:8b:37:67:3b:33:d2:b8:7e:40:1d:d0:db:cd:cf
+			c6:e1:47:58:0d:88:ee:92:15:41:98:e2:16:9b:21:67
+			25:6d:d4:2d:bf:54:cc:b5:e9:67:54:fc:96:61:12:9f
+			59:8f:ac:81:95:db:ab:96:18:38:3d:2f:be:b2:93:2f
+			73:dd:80:43:72:fe:21:e2:7a:d7:18:3c:a4:89:3c:70
+			cd:53:a9:2a:76:39:56:6a:59:8e:9d:a1:e6:5b:a5:18
+			91:d6:6e:b0:ab:09:27:46:24:c4:22:6d:7f:1b:f8:4b
+			ed:9b:2f:51:50:7e:be:28:5d:31:c7:62:5e:de:55:dc
+			fc:fe:41:29:63:16:f4:26:09:7d:dd:74:b8:a0:5a:25
+			e7:8e:43:56:3b:7a:f9:9d:f5:27:56:08:f7:9b:4d:35
+			3a:0d:0e:14:05:cc:bb:d0:ab:f3:59:be:d6:53:fd:86
+			5f:77:e9:e8:47:33:ba:a0:87:ac:a4:36:8f:94:be:7c
+			46:76:9b:cf:f7:71:f0:ac:c8:cb:b5:c5:db:d5:ae:34
+			b3:1e:95:f0:42:95:5c:8a:66:77:07:82:78:9a:02:f9
+			6f:a5:d6:ee:92:df:86:c2:02:a5:fa:7a:a1:85:e3:d5
+			95:51:85:71:62:10:7e:4e:d7:b6:82:c6:75:70:a2:ea
+			f1:62:51:05:a7:6e:fd:ac:fa:8e:ec:7f:aa:be:37:96
+			a3:e8:d8:08:43:db:80:1d:85:de:25:b9:67:8d:d3:48
+			19:bd:22:18:fc:0b:fc:d6:99:37:43:31:9d:a6:db:4d
+			3b
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Basic Constraints (critical):
+			Certificate Authority (CA): FALSE
+		Subject Alternative Name (not critical):
+			RFC822Name: [email protected]
+		Key Usage (critical):
+			Digital signature.
+		Subject Key Identifier (not critical):
+			460ce5dace20e609e8752399b87c5c65a56b2b7d
+		Authority Key Identifier (not critical):
+			2d9102974080012532664e5eb801f54a7dbf8277
+	Signature Algorithm: RSA-SHA256
+	Signature:
+		36:8a:bf:82:b3:97:56:ea:f7:1e:ee:03:9e:8e:d2:16
+		41:41:13:57:56:fa:84:16:df:1a:38:c5:49:56:f3:a7
+		c7:b1:f7:91:6d:dc:9e:c7:20:b5:36:f2:bd:9a:25:38
+		48:e7:2d:22:84:2d:b3:24:34:2a:58:33:56:c0:45:dd
+		8b:3c:2d:a9:df:bc:6c:d7:8a:c5:06:c1:b7:d1:47:f9
+		02:6f:9d:c8:52:5a:c2:a6:b8:c4:6b:51:ed:68:4a:b3
+		14:51:b7:9b:ae:5f:6e:9c:ab:e5:2d:15:05:df:2b:06
+		97:91:17:43:0f:51:34:10:a4:60:ef:ee:9f:18:61:ea
+		09:b2:c7:6a:39:0f:bf:dc:8f:fe:de:a5:a5:69:01:f7
+		0b:b2:55:30:23:f8:81:e4:16:45:13:af:16:24:ef:8d
+		e8:52:c4:e9:80:45:a0:6f:eb:eb:6f:51:a3:90:2c:05
+		44:ef:b3:77:f7:3a:5c:fd:dc:51:fe:d7:04:ff:75:13
+		81:b7:dc:f9:94:92:61:a3:17:7e:74:fc:65:e5:68:fb
+		f1:05:7b:d7:15:5e:22:a7:2a:77:81:b2:ee:2e:87:1e
+		25:7b:fe:fe:38:e7:9d:11:59:3c:65:72:b8:62:69:ef
+		ba:3e:e4:39:c2:1c:f9:2f:91:1d:c7:9d:8d:6e:41:27
+		7e:15:75:36:57:f8:cb:66:7b:56:04:54:da:57:6a:03
+		a8:58:ff:76:16:7e:72:d7:07:df:e1:ed:c7:75:eb:dc
+		c0:f6:1d:ef:42:01:bb:2d:a3:6f:8b:d3:38:0b:7e:2a
+		41:04:6a:b1:81:6c:d6:11:62:7c:e6:d1:90:b9:83:71
+		8f:68:34:90:6a:7c:c2:01:e3:d4:0d:1f:f0:43:43:ef
+		12:4f:7e:1a:6b:c4:5f:3f:62:f5:3c:aa:27:73:22:1a
+		a6:cb:31:42:78:f4:b9:6c:87:78:c8:c2:2b:77:05:76
+		8d:60:11:60:e5:ab:af:a4:96:dc:c7:fd:56:68:1d:27
+Other Information:
+	Fingerprint:
+		sha1:194bebac711d18677d9b056455ec917b8cbcedd7
+		sha256:801ff1608501d7222befb4b92d6817f52202f7575b35cf88092648338eb4864e
+	Public Key ID:
+		sha1:460ce5dace20e609e8752399b87c5c65a56b2b7d
+		sha256:cedfc6597bf6f4ffaebd763a0fb1d48620873d68aebfac3e907a69643d1d12d3
+	Public Key PIN:
+		pin-sha256:zt/GWXv29P+uvXY6D7HUhiCHPWiuv6w+kHppZD0dEtM=
+
+-----BEGIN CERTIFICATE-----
+MIIERTCCAq2gAwIBAgIUZid47KY6zZAPzPCDALsYR5mv/lswDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAxMRVGVzdGluZyBBdXRob3JpdHkwHhcNMjIwMjIwMTUyMTQy
+WhcNMjIwNDIwMTQyMTQxWjAcMRowGAYDVQQDExFFeHBpcmVkIFRlc3QgVXNlcjCC
+AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAODK9oftrXm5I2mCw7wMSBmm
+aI6fFYyC6gH1r0Dlbj0a3BvrL/+OsJ7zb9WBrO323tRE1xQgoED58lE3Adf9+5Av
+vr5CKjpO5SsqWyjQf0Ad3Ys3Zzsz0rh+QB3Q283PxuFHWA2I7pIVQZjiFpshZyVt
+1C2/VMy16WdU/JZhEp9Zj6yBldurlhg4PS++spMvc92AQ3L+IeJ61xg8pIk8cM1T
+qSp2OVZqWY6doeZbpRiR1m6wqwknRiTEIm1/G/hL7ZsvUVB+vihdMcdiXt5V3Pz+
+QSljFvQmCX3ddLigWiXnjkNWO3r5nfUnVgj3m001Og0OFAXMu9Cr81m+1lP9hl93
+6ehHM7qgh6ykNo+UvnxGdpvP93HwrMjLtcXb1a40sx6V8EKVXIpmdweCeJoC+W+l
+1u6S34bCAqX6eqGF49WVUYVxYhB+Tte2gsZ1cKLq8WJRBadu/az6jux/qr43lqPo
+2AhD24Adhd4luWeN00gZvSIY/Av81pk3QzGdpttNOwIDAQABo38wfTAMBgNVHRMB
+Af8EAjAAMBwGA1UdEQQVMBOBEXRlc3RAeGFkZXM0ai50ZXN0MA8GA1UdDwEB/wQF
+AwMHgAAwHQYDVR0OBBYEFEYM5drOIOYJ6HUjmbh8XGWlayt9MB8GA1UdIwQYMBaA
+FC2RApdAgAElMmZOXrgB9Up9v4J3MA0GCSqGSIb3DQEBCwUAA4IBgQA2ir+Cs5dW
+6vce7gOejtIWQUETV1b6hBbfGjjFSVbzp8ex95Ft3J7HILU28r2aJThI5y0ihC2z
+JDQqWDNWwEXdizwtqd+8bNeKxQbBt9FH+QJvnchSWsKmuMRrUe1oSrMUUbebrl9u
+nKvlLRUF3ysGl5EXQw9RNBCkYO/unxhh6gmyx2o5D7/cj/7epaVpAfcLslUwI/iB
+5BZFE68WJO+N6FLE6YBFoG/r629Ro5AsBUTvs3f3Olz93FH+1wT/dROBt9z5lJJh
+oxd+dPxl5Wj78QV71xVeIqcqd4Gy7i6HHiV7/v44550RWTxlcrhiae+6PuQ5whz5
+L5Edx52NbkEnfhV1Nlf4y2Z7VgRU2ldqA6hY/3YWfnLXB9/h7cd169zA9h3vQgG7
+LaNvi9M4C34qQQRqsYFs1hFifObRkLmDcY9oNJBqfMIB49QNH/BDQ+8ST34aa8Rf
+P2L1PKoncyIapssxQnj0uWyHeMjCK3cFdo1gEWDlq6+kltzH/VZoHSc=
+-----END CERTIFICATE-----
diff --git a/src/test/cert/unchecked/expired.template b/src/test/cert/unchecked/expired.template
@@ -0,0 +1,6 @@
+cn = "Expired Test User"
+email = [email protected]
+signing_key
+# set dates expired
+activation_date = "2022-02-20 16:21:42"
+expiration_date = "2022-04-20 16:21:41"
diff --git a/src/test/cert/unchecked/notYetValid.cer b/src/test/cert/unchecked/notYetValid.cer
diff --git a/src/test/cert/unchecked/notYetValid.key b/src/test/cert/unchecked/notYetValid.key
diff --git a/src/test/cert/unchecked/notYetValid.p12 b/src/test/cert/unchecked/notYetValid.p12
diff --git a/src/test/cert/unchecked/notYetValid.pem b/src/test/cert/unchecked/notYetValid.pem
@@ -0,0 +1,110 @@
+X.509 Certificate Information:
+	Version: 3
+	Serial Number (hex): 617cc39f9eb26744f0a690cb1369b8189184496f
+	Issuer: CN=Testing Authority
+	Validity:
+		Not Before: Mon Feb 20 15:21:42 UTC 2040
+		Not After: Fri Apr 20 14:21:41 UTC 2040
+	Subject: CN=Not-yet-valid Test User
+	Subject Public Key Algorithm: RSA
+	Algorithm Security Level: High (3072 bits)
+		Modulus (bits 3072):
+			00:d0:aa:c2:a0:f2:3c:a9:ce:53:3e:92:9f:73:28:ae
+			a4:38:42:48:21:5a:dd:a9:4b:47:48:01:c0:f1:7f:9c
+			ae:18:cb:ef:b2:9a:4b:d0:32:09:6d:11:73:30:21:03
+			3a:9c:b4:d0:43:08:b4:57:22:21:be:11:7f:e6:5a:74
+			03:5d:5a:41:9a:c8:48:66:d7:b7:c9:64:7c:6f:ff:88
+			24:4e:98:6e:61:31:72:95:94:d8:ab:7f:3b:ac:ff:9c
+			4f:de:ae:f5:e2:90:ea:82:99:03:d9:35:2b:17:8a:80
+			2e:ed:05:ef:cb:de:4c:71:93:e7:a9:9a:ab:73:b7:52
+			26:6d:4d:34:da:50:1a:cc:2f:29:9f:9a:81:a2:39:37
+			aa:26:f7:79:f1:d2:b7:91:d4:69:0b:d7:8d:f7:98:75
+			32:9e:1b:b5:63:94:5d:25:c2:85:85:f9:6e:e4:d8:83
+			bb:b3:8d:50:35:c8:9a:90:56:13:e4:2e:e4:e9:0a:da
+			4d:82:e2:33:18:8b:a0:2f:11:bf:a4:29:07:16:8b:82
+			e0:89:62:25:e2:9f:25:24:97:43:57:84:c3:c2:64:5e
+			40:a4:f8:ca:69:8c:d9:9b:65:d7:34:1f:68:06:d8:14
+			2d:87:01:6f:00:e0:cc:4b:63:c9:6e:77:1f:a2:a9:b7
+			73:ae:84:d0:6e:46:70:a2:5a:5a:5d:d6:47:1a:66:fa
+			e0:ef:57:16:8d:cf:91:6a:d2:e6:d4:68:88:ba:0a:81
+			b7:ad:35:5a:eb:3f:3e:ac:01:2d:3f:ef:0f:e8:83:0c
+			f3:67:a4:de:d4:49:64:14:c3:bb:f5:1f:b5:6d:57:a4
+			74:2d:ec:e1:0d:92:81:d1:d1:f3:5e:ad:8b:e0:9e:ef
+			cb:2c:4b:c2:34:81:85:f9:59:b7:b4:b7:a9:22:e9:03
+			f8:ff:d4:56:70:05:18:67:97:69:0b:1b:4b:62:95:cb
+			eb:23:4a:f7:e4:bb:3c:0a:65:9c:cf:89:4f:65:02:c8
+			af
+		Exponent (bits 24):
+			01:00:01
+	Extensions:
+		Basic Constraints (critical):
+			Certificate Authority (CA): FALSE
+		Subject Alternative Name (not critical):
+			RFC822Name: [email protected]
+		Key Usage (critical):
+			Digital signature.
+		Subject Key Identifier (not critical):
+			2f935ed36f521e975615821f9ad2d7dbea746d15
+		Authority Key Identifier (not critical):
+			2d9102974080012532664e5eb801f54a7dbf8277
+	Signature Algorithm: RSA-SHA256
+	Signature:
+		3d:69:0f:fc:0c:c7:15:f6:12:34:dc:5b:a0:36:e9:f2
+		c9:87:5d:5e:b7:a9:46:4d:61:31:ab:90:a8:bd:62:0e
+		21:1a:e0:c2:50:92:6f:ab:0d:1f:9c:c0:76:2e:62:43
+		62:dd:09:2b:8c:d9:b1:51:8f:07:97:71:2b:e7:a1:94
+		a0:2a:6d:96:82:62:71:e0:57:20:4e:73:88:7a:72:7b
+		c4:06:a5:19:8e:86:79:c6:0d:a2:dd:49:4a:19:b6:02
+		21:5c:a0:97:55:8e:f3:0f:49:42:46:b1:71:95:32:73
+		80:1b:b0:00:54:73:59:3c:3d:8e:fb:b7:33:d1:12:73
+		c8:3d:37:f8:9a:25:20:33:e3:f4:39:c2:dd:d0:fc:47
+		18:22:60:b7:6f:07:f8:8b:12:32:91:2c:da:be:05:1e
+		d8:d4:9e:03:a1:4f:8a:11:6c:ea:99:60:84:bc:93:71
+		90:e2:b9:c3:04:a2:2a:ac:83:09:44:2b:c6:c1:53:0d
+		de:fd:52:3e:8b:be:88:13:48:c7:b8:98:01:4c:54:08
+		18:41:f9:0b:a1:33:a2:59:68:53:dd:13:a4:40:82:c4
+		51:50:1f:88:4a:97:07:10:24:6a:aa:3d:71:02:23:42
+		2d:0d:71:24:f4:08:0d:c5:2e:08:5a:72:69:6b:e3:0b
+		18:f2:90:41:5a:c6:13:89:80:ed:cf:7d:c3:9b:fd:10
+		e1:02:bd:84:a8:77:14:a5:54:e1:b5:2a:3b:1b:fa:d5
+		7d:77:15:6c:b3:17:79:9a:d1:80:9a:ce:22:b3:78:42
+		ba:53:68:6f:cc:29:7c:bf:01:b3:d5:74:57:3c:56:df
+		b1:62:81:0b:fd:6e:38:fa:8e:8f:f7:7d:63:e7:ae:b1
+		ff:0a:8d:6d:e6:33:91:e8:ca:da:63:e4:cd:74:3c:51
+		20:a8:18:4b:8a:d2:19:b5:f9:55:a6:09:3b:4a:73:59
+		b8:de:6d:c2:df:e5:cd:5b:06:f8:35:87:cd:70:56:d9
+Other Information:
+	Fingerprint:
+		sha1:cfd96d6ee0ad783b129455d80e3f9680ce487f43
+		sha256:0566a55223d13fedfb400e3f5f9fa5ebe205aab748c5cd61e196818167fef490
+	Public Key ID:
+		sha1:2f935ed36f521e975615821f9ad2d7dbea746d15
+		sha256:2a746208e2561e79834e91916f64340089e07db7553dce227e02f489cc7b8658
+	Public Key PIN:
+		pin-sha256:KnRiCOJWHnmDTpGRb2Q0AIngfbdVPc4ifgL0icx7hlg=
+
+-----BEGIN CERTIFICATE-----
+MIIESzCCArOgAwIBAgIUYXzDn56yZ0TwppDLE2m4GJGESW8wDQYJKoZIhvcNAQEL
+BQAwHDEaMBgGA1UEAxMRVGVzdGluZyBBdXRob3JpdHkwHhcNNDAwMjIwMTUyMTQy
+WhcNNDAwNDIwMTQyMTQxWjAiMSAwHgYDVQQDExdOb3QteWV0LXZhbGlkIFRlc3Qg
+VXNlcjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBANCqwqDyPKnOUz6S
+n3MorqQ4QkghWt2pS0dIAcDxf5yuGMvvsppL0DIJbRFzMCEDOpy00EMItFciIb4R
+f+ZadANdWkGayEhm17fJZHxv/4gkTphuYTFylZTYq387rP+cT96u9eKQ6oKZA9k1
+KxeKgC7tBe/L3kxxk+epmqtzt1ImbU002lAazC8pn5qBojk3qib3efHSt5HUaQvX
+jfeYdTKeG7VjlF0lwoWF+W7k2IO7s41QNciakFYT5C7k6QraTYLiMxiLoC8Rv6Qp
+BxaLguCJYiXinyUkl0NXhMPCZF5ApPjKaYzZm2XXNB9oBtgULYcBbwDgzEtjyW53
+H6Kpt3OuhNBuRnCiWlpd1kcaZvrg71cWjc+RatLm1GiIugqBt601Wus/PqwBLT/v
+D+iDDPNnpN7USWQUw7v1H7VtV6R0LezhDZKB0dHzXq2L4J7vyyxLwjSBhflZt7S3
+qSLpA/j/1FZwBRhnl2kLG0tilcvrI0r35Ls8CmWcz4lPZQLIrwIDAQABo38wfTAM
+BgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOBEXRlc3RAeGFkZXM0ai50ZXN0MA8GA1Ud
+DwEB/wQFAwMHgAAwHQYDVR0OBBYEFC+TXtNvUh6XVhWCH5rS19vqdG0VMB8GA1Ud
+IwQYMBaAFC2RApdAgAElMmZOXrgB9Up9v4J3MA0GCSqGSIb3DQEBCwUAA4IBgQA9
+aQ/8DMcV9hI03FugNunyyYddXrepRk1hMauQqL1iDiEa4MJQkm+rDR+cwHYuYkNi
+3QkrjNmxUY8Hl3Er56GUoCptloJiceBXIE5ziHpye8QGpRmOhnnGDaLdSUoZtgIh
+XKCXVY7zD0lCRrFxlTJzgBuwAFRzWTw9jvu3M9ESc8g9N/iaJSAz4/Q5wt3Q/EcY
+ImC3bwf4ixIykSzavgUe2NSeA6FPihFs6plghLyTcZDiucMEoiqsgwlEK8bBUw3e
+/VI+i76IE0jHuJgBTFQIGEH5C6EzolloU90TpECCxFFQH4hKlwcQJGqqPXECI0It
+DXEk9AgNxS4IWnJpa+MLGPKQQVrGE4mA7c99w5v9EOECvYSodxSlVOG1Kjsb+tV9
+dxVssxd5mtGAms4is3hCulNob8wpfL8Bs9V0VzxW37FigQv9bjj6jo/3fWPnrrH/
+Co1t5jOR6MraY+TNdDxRIKgYS4rSGbX5VaYJO0pzWbjebcLf5c1bBvg1h81wVtk=
+-----END CERTIFICATE-----
diff --git a/src/test/cert/unchecked/notYetValid.template b/src/test/cert/unchecked/notYetValid.template
@@ -0,0 +1,6 @@
+cn = "Not-yet-valid Test User"
+email = [email protected]
+signing_key
+# set dates expired
+activation_date = "2040-02-20 16:21:42"
+expiration_date = "2040-04-20 16:21:41"
diff --git a/src/test/cert/unchecked/readme.md b/src/test/cert/unchecked/readme.md
@@ -28,9 +28,23 @@ certtool --outder --outfile noSignKeyUsage.key --generate-privkey
 certtool --outder --outfile noSignKeyUsage.cer --generate-certificate --inder --load-ca-certificate TestCA.cer --load-ca-privkey TestCA.key --load-privkey noSignKeyUsage.key --template noSignKeyUsage.template
 ```
 
+Bad certificate expired validation date.
+
+```
+certtool --outder --outfile expired.key --generate-privkey
+certtool --outder --outfile expired.cer --generate-certificate --inder --load-ca-certificate TestCA.cer --load-ca-privkey TestCA.key --load-privkey expired.key --template expired.template
+```
+
+Bad certificate not yet valid validation date.
+
+```
+certtool --outder --outfile notYetValid.key --generate-privkey
+certtool --outder --outfile notYetValid.cer --generate-certificate --inder --load-ca-certificate TestCA.cer --load-ca-privkey TestCA.key --load-privkey notYetValid.key --template notYetValid.template
+```
+
 ## Create PKCS#12 keystores used for signing
 
-These are needed for both end entity certificates.
+These are needed for all end entity certificates.
 
 ```
 certtool -i --inder --infile good.cer --outfile good.pem
@@ -39,5 +53,15 @@ certtool --outder --outfile=good.p12 --to-p12 --password=password --p12-name=goo
 
 ```
 certtool -i --inder --infile noSignKeyUsage.cer --outfile noSignKeyUsage.pem
-certtool --outder --outfile=noSignKeyUsage.p12 --to-p12 --password=password --p12-name=good --inder --load-privkey=noSignKeyUsage.key --load-certificate=noSignKeyUsage.pem --load-ca-certificate=TestCA.cer
+certtool --outder --outfile=noSignKeyUsage.p12 --to-p12 --password=password --p12-name=noSignKeyUsage --inder --load-privkey=noSignKeyUsage.key --load-certificate=noSignKeyUsage.pem --load-ca-certificate=TestCA.cer
+```
+
+```
+certtool -i --inder --infile expired.cer --outfile expired.pem
+certtool --outder --outfile=expired.p12 --to-p12 --password=password --p12-name=expired --inder --load-privkey=expired.key --load-certificate=expired.pem --load-ca-certificate=TestCA.cer
+```
+
 ```
+certtool -i --inder --infile notYetValid.cer --outfile notYetValid.pem
+certtool --outder --outfile=notYetValid.p12 --to-p12 --password=password --p12-name=notYetValid --inder --load-privkey=notYetValid.key --load-certificate=notYetValid.pem --load-ca-certificate=TestCA.cer
+```
diff --git a/src/test/java/xades4j/production/UncheckedSignerBESTest.java b/src/test/java/xades4j/production/UncheckedSignerBESTest.java
@@ -19,6 +19,7 @@
 import xades4j.algorithms.EnvelopedSignatureTransform;
 import xades4j.algorithms.ExclusiveCanonicalXMLWithoutComments;
 import xades4j.properties.DataObjectDesc;
+import xades4j.providers.CannotBuildCertificationPathException;
 import xades4j.providers.CertificateValidationProvider;
 import xades4j.providers.KeyingDataProvider;
 import xades4j.providers.impl.PKIXCertificateValidationProvider;
@@ -50,13 +51,16 @@ public class UncheckedSignerBESTest extends SignerTestBase
 {
     private KeyingDataProvider keyingProviderGood;
     private KeyingDataProvider keyingProviderNoSign;
+    private KeyingDataProvider keyingProviderExp;
+    private KeyingDataProvider keyingProviderNyv;
     private CertificateValidationProvider validationProvider;
 
     public UncheckedSignerBESTest() throws Exception
     {
         keyingProviderGood = createFileSystemKeyingDataProvider("PKCS12", "unchecked/good.p12", "password", true);
-        keyingProviderNoSign = createFileSystemKeyingDataProvider("PKCS12", "unchecked/noSignKeyUsage.p12", "password",
-                true);
+        keyingProviderNoSign = createFileSystemKeyingDataProvider("PKCS12", "unchecked/noSignKeyUsage.p12", "password",true);
+        keyingProviderExp = createFileSystemKeyingDataProvider("PKCS12", "unchecked/expired.p12", "password", true);
+        keyingProviderNyv = createFileSystemKeyingDataProvider("PKCS12", "unchecked/notYetValid.p12", "password", true);
         validationProvider = genValidationProvider("unchecked/TestCA.cer", "unchecked");
     }
 
@@ -75,7 +79,8 @@ private void trySignAndVerify(final KeyingDataProvider signProvider,
 
         final XadesBesSigningProfile signProfile = new XadesBesSigningProfile(signProvider);
         final BasicSignatureOptions opts = new BasicSignatureOptions();
-        opts.checkKeyUsage(false);
+        opts.checkKeyUsage(false)
+            .checkCertificateValidity(false);
         signProfile.withBasicSignatureOptions(opts);
         XadesSigner signer = signProfile.newSigner();
 
@@ -156,4 +161,19 @@ public void testUncheckedSignBesNoSignKeyUsageUncheckedVerify() throws Exception
         // check disabled during verification
         trySignAndVerify(keyingProviderNoSign, validationProvider, "document.unchecked.signed.bes.nosign.xml", false);
     }
+
+    @Test(expected = CannotBuildCertificationPathException.class)
+    public void testUncheckedSignBesExpired() throws Exception
+    {
+        System.out.println("uncheckedSignBesExpired");
+        trySignAndVerify(keyingProviderExp, validationProvider, "document.unchecked.signed.bes.expired.xml");
+    }
+
+    @Test(expected = CannotBuildCertificationPathException.class)
+    public void testUncheckedSignBesNyv() throws Exception
+    {
+        System.out.println("uncheckedSignBesExpired");
+        trySignAndVerify(keyingProviderNyv, validationProvider, "document.unchecked.signed.bes.nyv.xml");
+    }
+
 }