On 06/02/2013 09:42 PM, lst_hoe02(a)kwsoft.de wrote:
Quoting Martijn Brinkers <martijn(a)djigzo.com>:
On 05/31/2013 10:24 PM, Martijn Brinkers wrote:
On 05/31/2013 10:21 PM, lst_hoe02(a)kwsoft.de wrote:
Since release 2.5 some certificates fail with
"Error building certPath.
No data available in passed DER encoded value." The Issuer certificates
are available and shown as valid, and Djigzo Version 2.4.x also shows the
certs as valid. Any idea what could be wrong?
No, this is new to me. Can you send me the certificates? Or are you
unable to export them?
The certificate contains invalid data (at least invalid according to RFC
5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
7 seems to be more strict (the Virtual Appliance by default uses
OpenJDK 6).
Details:
The IssuerAltName extension is defined in RFC 5280 as:
IssuerAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
So there should be at least one GeneralName if the IssuerAltName
extension is defined. The certificate in question however contains an
empty IssuerAltName sequence. This is not allowed. In Java 6, this was
silently discarded but Java 7 seems to be more strict.
For a similar report see
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=4418011801.
Kind regards.
Martijn Brinkers
I see, so the real "fix" would be to get a more obvious error message in
Djigzo? If the certificate is invalid Djigzo is right to say so, but a
pointer to *what* is invalid would be great.
The problem is that the exception is thrown somewhere deep within a Java
class. The information which is shown is the information which is
available. Because I analysed the certificate manually (using a Java
test and an ASN.1 dump) I know why the certificate is not valid.
And BTW no need for
additional Djigzo workarounds as it is still possible to add such
certificates to the CTL.
You are right. I didn't think about this workaround :)
Kind regards,
Martijn
--
DJIGZO email encryption
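As an added illustration of the RFC 5280 constraint discussed in the thread (not code from Djigzo or from anyone on the list), the following Python decodes the DER value of an IssuerAltName extension and reports whether the GeneralNames SEQUENCE satisfies SIZE (1..MAX). The sample byte strings are constructed for this example and are not taken from the certificate in question; a real check would feed it the extension value pulled from the certificate.

```python
# Added example: check GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
# on a DER-encoded IssuerAltName extension value. The empty-SEQUENCE case is
# the one Java 6 silently accepted and Java 7 rejects.

def _read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (0x81 nn, 0x82 nn nn, ...)
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("invalid long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("TLV length exceeds data")
    return tag, data[pos:pos + length], pos + length

def general_names(ext_value: bytes) -> list:
    """Parse GeneralNames into a list of (tag, value) GeneralName elements.

    Raises ValueError if the outer SEQUENCE is missing, has trailing bytes,
    or is empty (the SIZE (1..MAX) violation from the thread)."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("IssuerAltName value is not a SEQUENCE")
    if end != len(ext_value):
        raise ValueError("trailing bytes after GeneralNames")
    names, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        names.append((t, v))
    if not names:
        raise ValueError("empty GeneralNames: SIZE (1..MAX) requires >= 1 GeneralName")
    return names

def check_issuer_alt_name(ext_value: bytes) -> str:
    """Human-readable verdict: the pointer to *what* is invalid."""
    try:
        return "ok: %d GeneralName(s)" % len(general_names(ext_value))
    except ValueError as e:
        return "invalid IssuerAltName: %s" % e

# Constructed samples: one dNSName ([2] IMPLICIT IA5String "ca.example")
# and an empty SEQUENCE like the one described in the thread.
VALID_IAN = bytes([0x30, 0x0C, 0x82, 0x0A]) + b"ca.example"
EMPTY_IAN = bytes([0x30, 0x00])

if __name__ == "__main__":
    print(check_issuer_alt_name(VALID_IAN))   # ok: 1 GeneralName(s)
    print(check_issuer_alt_name(EMPTY_IAN))   # invalid IssuerAltName: empty GeneralNames ...
```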