Troubleshooting certificate exceptions #98

Open
fwiersENO opened this issue Jul 20, 2018 · 1 comment

Comments

@fwiersENO
Contributor

This issue is just for the documentation in case old/bad certificates are used. One question at the end though.

We tried using existing old certificates with keys and could import them via the "cert import" command.
This worked fine, however, on restart, we got the exception:

```
Exception in thread "main" org.openas2.WrappedException: Error creating component: org.openas2.cert.PKCS12CertificateFactory
    at org.openas2.util.XMLUtil.getComponent(XMLUtil.java:80)
    ...
Caused by: java.lang.IllegalArgumentException: invalid info structure in RSA public key
    at org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey.populateFromPublicKeyInfo(BCRSAPublicKey.java:71)
    ...
```

Also, we tried importing the certificates with keys into the existing default "as2_certs.p12" keystore using the "Portecle" tool (mentioned in the manual), but that failed immediately with the message "could not load keystore".

The problems go away when the BouncyCastle option "org.bouncycastle.asn1.allow_unsafe_integer" is used. E.g. start Portecle with:

```
start "portecle" /B C:\java\jdk8\bin\javaw -Dorg.bouncycastle.asn1.allow_unsafe_integer=true -jar portecle.jar
```

The documentation/manual should probably mention this problem and BouncyCastle option since the error messages are not really helpful.

I am not sure if using these old/bad certificates with keys is going to give problems down the line, e.g. in bad signatures / MDNs. Apparently there is a bad number in there, and that might corrupt/fail to verify generated signatures / MDNs?

@uhurusurfa
Contributor

Thanks for the feedback.

It will only fail on the OpenAS2 side if the system property you have pointed out is not set because all certificate handling in OpenAS2 is done via BouncyCastle libraries.
The issue appears to be restricted mainly to self-signed certificates, but can also affect certificates from certain providers. See here for a discussion on this issue: http://bouncy-castle.1462172.n4.nabble.com/Strict-Public-Key-checking-leads-to-broken-certificates-td4658848.html
I will modify the importer to verify the certificate via BouncyCastle before storing it and that should solve the issue of allowing certificates that would fail to be loaded even though they successfully imported.
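The "invalid info structure in RSA public key" exception above and the proposed pre-import verification both come down to the same check: recent BouncyCastle releases reject any ASN.1 INTEGER that is not in minimal DER form (a leading 0x00 byte followed by a byte with its high bit clear, or a leading 0xFF byte followed by a byte with its high bit set), and `org.bouncycastle.asn1.allow_unsafe_integer` switches that check off. The following stand-alone Python script is an added example, not code from OpenAS2, Portecle or BouncyCastle. It walks a DER blob and reports the offset of every INTEGER that strict parsing would refuse, so a keystore or certificate can be screened before import rather than after a failed restart. The two RSAPublicKey-shaped byte strings are constructed for the example; feed it real DER (e.g. the bytes of a certificate) to check your own material.

```python
"""Added example: find ASN.1 INTEGERs that BouncyCastle's strict parser rejects.

Constructed, self-contained code; not part of OpenAS2, Portecle or BouncyCastle.
"""


def der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, offset_after_length)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:                   # 0x80 is BER indefinite length, not valid DER
        raise ValueError("unsupported length encoding at offset %d" % (pos - 1))
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def integer_is_minimal(content):
    """Return True if INTEGER content bytes are the shortest two's-complement form.

    This mirrors the rule strict parsers apply: an empty value is malformed, a
    single byte is always fine, and otherwise the first byte must not be a pure
    sign-extension of the second (0x00 before a byte < 0x80, 0xFF before a byte >= 0x80).
    """
    if len(content) == 0:
        return False
    if len(content) == 1:
        return True
    b0, b1 = content[0], content[1]
    if b0 == 0x00 and (b1 & 0x80) == 0:
        return False
    if b0 == 0xFF and (b1 & 0x80) != 0:
        return False
    return True


def find_unsafe_integers(buf):
    """Walk a DER structure and return the offsets of non-minimal INTEGER elements."""
    offenders = []

    def walk(start, end):
        pos = start
        while pos < end:
            tag = buf[pos]
            length, body = der_length(buf, pos + 1)
            content_end = body + length
            if content_end > end:
                raise ValueError("element at offset %d overruns its parent" % pos)
            if tag & 0x20:                # constructed (SEQUENCE, SET, ...): recurse
                walk(body, content_end)
            elif tag == 0x02:             # universal INTEGER
                if not integer_is_minimal(buf[body:content_end]):
                    offenders.append(pos)
            pos = content_end

    walk(0, len(buf))
    return offenders


# Constructed sample data shaped like RSAPublicKey ::= SEQUENCE { modulus INTEGER, exponent INTEGER }.
# Modulus 0x00C102 is minimal: the 0x00 is required because 0xC1 has its high bit set.
GOOD_RSA_PUBKEY = bytes.fromhex("300a" "020300c102" "0203010001")
# Modulus 0x004102 is NOT minimal: the 0x00 pads a value whose top bit is already clear.
# This is the kind of encoding that makes strict BouncyCastle throw "invalid info structure".
BAD_RSA_PUBKEY = bytes.fromhex("300a" "0203004102" "0203010001")


if __name__ == "__main__":
    for name, blob in (("good", GOOD_RSA_PUBKEY), ("bad", BAD_RSA_PUBKEY)):
        bad_offsets = find_unsafe_integers(blob)
        verdict = "loads under strict parsing" if not bad_offsets else "rejected at offsets %s" % bad_offsets
        print("%s: %s" % (name, verdict))
```

Running it prints that the good key loads and the bad key is rejected at offset 2 (its modulus INTEGER). Note that the check only tells you which certificates will break under strict parsing; re-encoding the offending INTEGER in a certificate would invalidate the issuer's signature over the TBSCertificate, so the durable remedy for a flagged certificate is to regenerate it with a correct encoder rather than to keep relying on the unsafe-integer property.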
