Support certificate chain verification logic for TSA even when provided in Root→Leaf order.

[jooseong-lee]

Currently, the certificate chain verification logic for TSA seems to assume that the provided certificate chain is ordered from Leaf → Root (i.e., end-entity first). However, in some cases — such as when the TSA certificate chain is provided from Root → Leaf — verification may fail or require manual reordering before validation. It would be helpful if the verification logic could automatically detect and handle both chain orders by matching certificates based on their issuer and subject fields, instead of relying on the array order.

Why this is useful:
Strictly speaking, according to [RFC 5652](5.1. SignedData Type), the certificate chain type is defined as SET OF rather than SEQUENCE, so the order of the chain cannot be enforced. Nonetheless, it is customary to use SEQUENCE, so there is no particular issue with the current implementation.

However, one drawback is that some external systems or APIs may present the root certificate instead of the leaf certificate as the first element in the certificate chain. Supporting both directions would make the verification process more robust and developer-friendly.

[mauricefisher64]

Please attach a sample

[bgon]

Starting with c2patool 0.19.1 or later, these files fail to validate with a signingCredential.expired failure while using current Verify tool and various error while not using the trust list with c2patool.

All the files have a TSA certificate chain ordered from Root to Leaf.

Is it the expected result?

c2patool 0.19.1 -> 0.22.3 without trust list:

"failure": [
        {
          "code": "signingCredential.expired",
          "url": "self#jumbf=/c2pa/urn:uuid:aad60f43-0503-42ab-9d6e-6c506cc6bf39/c2pa.signature",
          "explanation": "certificate expired"
        },
        {
          "code": "claimSignature.mismatch",
          "url": "self#jumbf=/c2pa/urn:uuid:aad60f43-0503-42ab-9d6e-6c506cc6bf39/c2pa.signature",
          "explanation": "claim signature is not valid"
        }
      ]

c2patool 0.23.1 -> 0.23.4 without trust list:

"failure": [
        {
          "code": "signingCredential.expired",
          "url": "self#jumbf=/c2pa/urn:uuid:aad60f43-0503-42ab-9d6e-6c506cc6bf39/c2pa.signature",
          "explanation": "certificate expired"
        }
      ]

c2patool 0.24.0 or later without trust list:

"failure": [
        {
          "code": "signingCredential.untrusted",
          "url": "self#jumbf=/c2pa/urn:uuid:aad60f43-0503-42ab-9d6e-6c506cc6bf39/c2pa.signature",
          "explanation": "signing certificate untrusted"
        }
      ]

c2patool 0.19.1 -> 0.23.4 with trust list:

"validation_state": "Valid"

c2patool 0.24.0 or later with trust list:

"validation_state": "Trusted"

current Verify tool (Verify site running revision 68669a0):

{
  "code": "signingCredential.expired",
  "url": "self#jumbf=/c2pa/com.truepic:urn:uuid:ff0ffe70-a028-4e89-9069-a4da74402ceb/c2pa.signature",
  "explanation": "certificate expired"
}

Anti-Corruption headquarters Providence Project

• Image Sample

The 2024 Elections Content Credential repository

• Image Sample

Arizona Secretary of State's office

• Image Sample

Minden Pictures

• Image Sample

Westdeutscher Rundfunk

• Video Sample

Deutsche Welle

• Image Sample

Black Forest Labs

[jin-gyu-kim]

We have prepared a patch for this issue - #1600
Please share the opinion.

[github-jira-sync-bot]

✅ Jira issue https://jira.corp.adobe.com/browse/CAI-10153 is successfully created for this GitHub issue.