So far, I've been working with a certificate which I added to a SoapUI 5.2 project and which gave me access to a pre-production server. However, now that I'm ready to move to a production environment, I'm trying to check the new production certificate with SoapUI, but I'm getting the next error:
WARN:Using fallback method to load keystore/truststore due to: Invalid keystore format
ERROR:An error occurred [java.lang.NullPointerException], see error log for details
And the error log says:
ERROR:Could not load keystore/truststore
ERROR:java.lang.NullPointerException
java.lang.NullPointerException
at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:176)
at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:97)
at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:88)
at com.eviware.soapui.impl.wsdl.support.wss.crypto.KeyMaterialWssCrypto.fallbackLoad(KeyMaterialWssCrypto.java:206)
at com.eviware.soapui.impl.wsdl.support.wss.crypto.KeyMaterialWssCrypto.load(KeyMaterialWssCrypto.java:168)
at com.eviware.soapui.impl.wsdl.support.wss.crypto.KeyMaterialWssCrypto.getStatus(KeyMaterialWssCrypto.java:216)
at com.eviware.soapui.impl.wsdl.panels.project.WSSTabPanel$CryptoTableModel.getValueAt(WSSTabPanel.java:643)
at javax.swing.JTable.getValueAt(Unknown Source)
at javax.swing.JTable.prepareRenderer(Unknown Source)
...
The only difference I found between the pre-production and production certificates was that the latter did not have the CommonName field defined.
I know that field is not mandatory, so how is that possible? How can I solve this problem without asking for a new certificate? That's not an option.
Any suggestion would be appreciated.
I check the pom.xml of SOAPUI project for 5.2 versión, and it use not-yet-commons-ssl versión 0.3.11:
<dependency>
<groupId>commons-ssl</groupId>
<artifactId>not-yet-commons-ssl</artifactId>
<version>0.3.11</version>
</dependency>
And If you check the build method for org.apache.commons.ssl.KeyStoreBuilder class as the exception thrown in your error log you'll see:
public static KeyStore build(byte[] jksOrCerts, byte[] privateKey,
char[] jksPassword, char[] keyPassword)
throws IOException, CertificateException, KeyStoreException,
NoSuchAlgorithmException, InvalidKeyException,
NoSuchProviderException, ProbablyBadPasswordException,
UnrecoverableKeyException {
...
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, jksPassword);
Iterator keysIt = keys.iterator();
Iterator chainsIt = chains.iterator();
int i = 1;
while (keysIt.hasNext() && chainsIt.hasNext()) {
Key key = (Key) keysIt.next();
Certificate[] c = (Certificate[]) chainsIt.next();
X509Certificate theOne = buildChain(key, c);
String alias = "alias_" + i++;
// The theOne is not null, then our chain was probably altered.
// Need to trim out the newly introduced null entries at the end of
// our chain.
if (theOne != null) {
c = Certificates.trimChain(c);
alias = Certificates.getCN(theOne);
/* line 176 */ alias = alias.replace(' ', '_');
}
ks.setKeyEntry(alias, key, keyPassword, c);
}
return ks;
}
}
So seems that you're right and the problem is that your certificate has no common name, so org.apache.commons.ssl.Certificates.getCN(X509Certificate) returns null as alias and then alias.replace is throwing the NPE.
alias = Certificates.getCN(theOne);
/* line 176 */ alias = alias.replace(' ', '_');
I don't see nothing that says that Common Name is mandatory in RFC5280, however various code/software use it for different purposes as not-yet-commons-ssl does.
Your certificate is probably right but you can't use it with SOAPUI 5.2 version to test your environment if it hasn't the CN, so if you want to use SOAPUI to test your environment I think that you've to reissue the certificate generating a CSR with CN. Or you can report the problem to http://juliusdavies.ca/commons-ssl/ and then ask to SOAPUI to include the latest version...
Hope this helps,
Related
I have java code to read certificate from USB token. The code is working properly as stand alone Java class.
After importing Java class into Oracle Database (19c), with loadjava utility, the Java class is imported successfully but after execution it gives the below error:
java.security.KeyStoreException: PKCS11 not found
The above error means the security provider not added. In the stand alone Java class, to fix this error, just add the following line to java.security file in Java directory:
security.provider.13=SunPKCS11 configration_file.cfg
I also added the above line to java.security, in javavm folder, in the database home but that didn't fix the error.
The used Java code is:
class GetSignatureNew {
public static void main(String args[])
{
GetSignatureNew sdk = new GetSignatureNew();
}
public static String GetSignatureFun(String serialized)
{
String pwd = "*******";
char[] pin = new char[pwd.length()];
try
{
for (int i = 0; i < pwd.length(); i++) {
pin[i] = pwd.charAt(i);
}
// Get Certificate and private key from token
KeyStore ks = KeyStore.getInstance("PKCS11");
ks.load(null, pin);
Enumeration enu = ks.aliases();
String alias = String.valueOf(enu.nextElement());
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
PrivateKey pk = (PrivateKey) ks.getKey(alias, pin);
byte [] output = cert.getEncoded();
String b64 = Base64.getEncoder().encodeToString(output);
return b64;
}
catch (Exception e) {
e.printStackTrace();
return e.toString();
}
}
}
Anybody has an idea.
Thanks in advance.
Execute Java Procedure
the output is not correct because it gives
"java.security.KeyStoreException: PKCS11 not found"
As a workaround, I tried to create a schedule job on oracle to run batch and this batch will run java code.
Unfortunately, when i run the batch the batch is run successfully but if i run the oracle job it run with error also
STANDARD_ERROR="java.security.KeyStoreException: PKCS11 not found
at java.base/java.security.KeyStore.getInstance(KeyStore.java:878)
at GetSignatureDB.main(GetSignatureDB.java:102)
Caused by: java.security.NoSuc"
Schedule Job
BEGIN
SYS.DBMS_SCHEDULER.CREATE_JOB( job_name => 'einvoice_signature_job',
job_type => 'EXECUTABLE',
job_action => 'C:\WINDOWS\system32\cmd.exe',
job_class => 'DEFAULT_JOB_CLASS',
comments => 'Job to call batch script on Windows',
auto_drop => FALSE,
number_of_arguments => 3,
enabled => FALSE);
SYS.DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE( job_name => 'einvoice_signature_job', argument_position => 1, argument_value => '/q');
SYS.DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE( job_name => 'einvoice_signature_job', argument_position => 2, argument_value => '/c');
SYS.DBMS_SCHEDULER.SET_JOB_ARGUMENT_VALUE( job_name => 'einvoice_signature_job', argument_position => 3, argument_value => '"E:\Backup\eInvoice\GetCert.bat"');
SYS.DBMS_SCHEDULER.ENABLE( 'einvoice_signature_job' );
END;
/
batch file
cd E:\Backup\eInvoice
E:
"C:\Program Files\Java\jdk-9.0.1\bin\java" GetSignatureNew
which GetSignatureNew is the java class listed in the original post.
the batch works fine if i run it manually.
but when i run the Oracle job
BEGIN
DBMS_SCHEDULER.RUN_JOB ('einvoice_signature_job');
END;
it runs and return the above error
I'm going to generate a cert and set this value:
TBSCertificate::=SEQUENCE{
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,***<---this one***
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
this is my code,right now I can only set SerialNumber,IssuerDN,NotBefore,NotAfter,SubjectDN,PublicKey,SignatureAlgorithm,:
public X509Certificate generateCert(String[] info, KeyPair keyPair_root,KeyPair keyPair_user) throws InvalidKeyException, NoSuchProviderException, SecurityException, SignatureException {
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X509Certificate cert = null;
certGen.setSerialNumber(new BigInteger(info[8]));
certGen.setIssuerDN(new X509Name(
"CN=huahua, OU=hnu, O=university , C=china"));
certGen.setNotBefore(new Date(Long.parseLong(info[6])));
certGen.setNotAfter(new Date(Long.parseLong(info[7])));
certGen.setSubjectDN(new X509Name("C=" + info[0] + ",OU=" + info[1]
+ ",O=" + info[2] + ",C=" + info[3] + ",L=" + info[4] + ",ST="
+ info[3]));
certGen.setPublicKey(keyPair_user.getPublic());
certGen.setSignatureAlgorithm("SHA1WithRSA");
cert = certGen.generateX509Certificate(keyPair_root.getPrivate(), "BC");
return cert;
}
I will be appreciate it if any one could help me!I have find many solutions but none of them can help me.
TBSCertificate.signature is named poorly, it isn't a signature, just the signature algorithm identifier.
This value is presumably controlled by certGen.setSignatureAlgorithm(...), which you're already using.
I want to update my previous self-signed certificate with new one eg: chains which is returned (signed CSR) from TEST CA. My default keystore is: Windows-MY
Step 1: I have created a private-public key pair, self-signed
certifcate and CSR(private key is stored in Windows-MY with
self-signed certificate).
Step 2: sent CSR to CA.
Step 3: CA returns a certificate chain for that public key.
Now I want to replace that self-signed certificate with the CA returned certificate. NB: I have the private key stored in my store.
Key privKey = keyStore.getKey(commonName, keyPass);
System.out.println("invalid private key :" + (privKey == null));
// keyStore.deleteEntry(commonName);
// keyStore.load(null, keyPass);
if (isPrivateKeyAvailable) {
System.out.println("name:" + commonName + " is updatded");
keyStore.setKeyEntry(commonName, privKey, keyPass, chains);
} else {
System.out.println("name:" + commonName + " does not exist");
}
But I am getting these errors:
java.lang.UnsupportedOperationException: Cannot assign the key to the
given alias. at
sun.security.mscapi.KeyStore.engineSetKeyEntry(KeyStore.java:415) at
sun.security.mscapi.KeyStore$MY.engineSetKeyEntry(KeyStore.java:55)
at java.security.KeyStore.setKeyEntry(Unknown Source) at
keygenerator.KeyInstaller.installCertificateInWindowsStore(KeyInstaller.java:284)
at keygenerator.KeyInstaller.doJob(KeyInstaller.java:167) at
keygenerator.KeyGeneration.installCertificate(KeyGeneration.java:171)
at keygenerator.KeyGeneration.main(KeyGeneration.java:68)
Windows keystore (named Windows-MY from Java) is not directly writable. You need to pack the private key and the certificate chain returned by CA into a PKCS#12 file (.p12) and import it using The Windows import tool.
When I try to verify signed pdf document I get RuntimeException:
Exception in thread "main" java.lang.RuntimeException: algorithm identifier 1.2.398.3.10.1.1.1.1 in key not recognised
at org.bouncycastle.jce.provider.JDKKeyFactory.createPublicKeyFromPublicKeyInfo(Unknown Source)
at org.bouncycastle.jce.provider.X509CertificateObject.getPublicKey(Unknown Source)
at com.itextpdf.text.pdf.PdfPKCS7.<init>(PdfPKCS7.java:582)
at com.itextpdf.text.pdf.PdfPKCS7.<init>(PdfPKCS7.java:421)
at com.itextpdf.text.pdf.AcroFields.verifySignature(AcroFields.java:2307)
at Main.verifyPDF(Main.java:62)
at Main.main(Main.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
my verification piece of code looks like this:
public static boolean verifyPDF(String fileToVerify, KeyStore trustedStore, CRL crl) throws IOException, GeneralSecurityException {
List<CRL> crls = null;
if (crl != null) {
crls = new ArrayList<CRL>(1);
crls.add(crl);
}
boolean result = false;
PdfReader checker = new PdfReader(fileToVerify);
AcroFields af = checker.getAcroFields();
ArrayList<String> names = af.getSignatureNames();
for (int k = 0; k < names.size(); ++k) {
String name = (String) names.get(k);
System.out.println("Signature: " + name);
com.itextpdf.text.pdf.PdfPKCS7 pk = af.verifySignature(name, "KALKAN");
result = pk.verify();
System.out.println("Signer certificate DN: " + pk.getSigningCertificate().getSubjectDN());
Calendar cal = pk.getSignDate();
X509Certificate pkc[] = (X509Certificate[]) pk.getSignCertificateChain();
System.out.println("Document modified: " + !result);
Object fails[] = PdfPKCS7.verifyCertificates(pkc, trustedStore, crls, cal);
if (fails == null)
System.out.println("Certificates verified against the KeyStore");
else
System.out.println("Certificate failed: " + fails[1]);
}
return result;
}
the exception occurs on this string:
com.itextpdf.text.pdf.PdfPKCS7 pk = af.verifySignature(name, "KALKAN");
I use patched iText library. I had to patch it because there was no algorithm like ECGOST34310 and I just added it. Signing is performed in usual way, there is no problem with it.
Please help!
Thanks.
At first glance that OID 1.2.398.3.10.1.1.1.1 seems to be defined by a Kazakh authority (cf. this page), related to GOST 34,310-2.004 represented by the parent OID, without having yet been included in the mainstream BouncyCastle distribution, cf. the BouncyCastle specifications.
Thus, just like you have extended iText to be able to sign using GOST 34,310-2.004
I use patched iText library. I had to patch it because there was no algorithm like ECGOST34310 and I just added it.
you have to extend it (or in this case more exactly the crypto library BouncyCastle used by iText) to be able to verify signatures using GOST 34,310-2.004. Maybe, though, someone else already has done that and comes forth to help?
By the way, it would be great if you shared the results as soon as they work.
That all been said I am not aware of GOST being mentioned in the context of either ISO 32000-1 or PAdES integrated PDF signatures. Using GOST for PDF signatures, therefore, will likely result in very limited interoperability.
I'm trying to read certificate from smime.p7s file, the certificate chain is:
Baltimora Cyber Trust --> DigitPA --> Aruba PEC
So when i'm trying to extract, I retrieve only the last two certificate, the last like subject and the first like issuer.
What am I wrong?
the code:
private List<CertificateInfo> reading(ASN1InputStream asn1Stream) throws IOException, CMSException, CertificateException {
ArrayList<CertificateInfo> infos = new ArrayList<CertificateInfo>();
ASN1Primitive obj = asn1Stream.readObject();
ContentInfo contentInfo = ContentInfo.getInstance(obj);
CMSSignedData cms = new CMSSignedData(contentInfo);
JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
Store store = cms.getCertificates();
SignerInformationStore signersInfoStore = cms.getSignerInfos();
Collection<SignerInformation> signers = signersInfoStore.getSigners();
logger.debug("signers num [" + signers.size() + "]");
for (SignerInformation si : signers) {
SignerId sid = si.getSID();
Collection<X509CertificateHolder> holders = store.getMatches(sid);
logger.debug("holders num [" + holders.size() + "]");
for (X509CertificateHolder certholder : holders) {
X509Certificate cert = converter.getCertificate(certholder);
logger.debug("Issuer [" + cert.getPublicKey() + "]");
CertificateInfo certInfo = util.parse(cert);
infos.add(certInfo);
}
}
return infos;
}
I'm using these bouncy castle jar like dependecies:
<dependency>
<groupId>bouncycastle</groupId>
<artifactId>bcprov-jdk15</artifactId>
<version>150</version>
</dependency>
<dependency>
<groupId>bouncycastle</groupId>
<artifactId>bcmail-jdk15</artifactId>
<version>150</version>
</dependency>
<dependency>
<groupId>bouncycastle</groupId>
<artifactId>bcpg-jdk15</artifactId>
<version>150</version>
</dependency>
<dependency>
<groupId>bouncycastle</groupId>
<artifactId>bcpkix-jdk15</artifactId>
<version>150</version>
</dependency>
thanks in advance.
Probably nothing is wrong. PKI works with a tree-like structure. It is possible to trust Aruba PEC using DigitPA. But how can you trust DigitPA? The most common method is to store the root certificate in a trust store. This trust store is e.g. distributed by the application (like the trust store within web browsers).
Now if the Baltimora Cyber Trust is already in the trust store, there is no need to send it within the PKCS#7 container. The certificate chain can be constructed to the trusted root without it.
So you either read the cert from the trust store directly, or you retrieve the root cert from the certificate chain created for verification.