Provide better support for IBM JDK #107

Open
gcontini opened this issue Mar 18, 2017 · 1 comment
@gcontini
Contributor

We're using your library in an AIX environment, that uses the IBM JDK. When I run tests on our servers I notice a large number of failures (30 errors).

Most of them are caused by different behavior of the JVM PKIXCertificateValidationProvider. For instance:

XadesVerifierImplTest.testVerifyTBES is failing with the following exception.

xades4j.verification.TimeStampInvalidSignatureException: Verification failed for property 'SignatureTimeStamp': invalid token signature
	at xades4j.verification.TimeStampVerifierBase.getEx(TimeStampVerifierBase.java:114)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:89)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:1)
	at xades4j.verification.QualifyingPropertiesVerifierImpl.verifyProperties(QualifyingPropertiesVerifierImpl.java:59)
	at xades4j.verification.XadesVerifierImpl.getValidationDate(XadesVerifierImpl.java:251)
	at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:174)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:108)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:101)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:93)
	at xades4j.verification.XadesVerifierImplTest.testVerifyTBES(XadesVerifierImplTest.java:158)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
	at java.lang.reflect.Method.invoke(Method.java:611)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:678)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: xades4j.providers.TimeStampTokenTSACertException: cannot validate TSA certificate
	at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:146)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:71)
	... 32 more
Caused by: xades4j.providers.CannotSelectCertificateException: The available certificate selector didn't match any certificates
	at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:263)
	at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:133)
	... 33 more
Caused by: java.security.InvalidAlgorithmParameterException: TargetSubject must be set
	at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:209)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
	at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253)
	... 34 more

My suggestion is to use BouncyCastle as default. This provides consistent behavior across JVM implementations.

I noticed I can specify the security provider in PKIXCertificateValidationProvider constructor (certPathBuilderProvider parameter)... the only problem is that this solution has never passed your unit tests.

@luisgoncalves
Owner

I imagine this still happens. Did you find the cause for failures when the BC provider is specified?
