[Djigzo users] Some certificates fail with "Error building certPath. No data available in passed DER encoded value."
31 May
2013
31 May
'13
10:21 p.m.
Hello,
since release 2.5 some certificates fail with "Error building
certPath. No data available in passed DER encoded value." The Issuer
certificates are available and shown as valid, Djigzo Version 2.4.x
also show the certs as valid. Any idea what could be wrong?
Regards
Andreas
31 May
31 May
10:24 p.m.
On 05/31/2013 10:21 PM, lst_hoe02(a)kwsoft.de wrote:
since release 2.5 some certificates fail with
"Error building certPath.
No data available in passed DER encoded value." The Issuer certificates
are available and shown as valid, Djigzo Version 2.4.x also show the
certs as valid. Any idea what could be wrong?
No this is new to me. Can you send me the certificates? Or are you
unable to export them?
Kind regards,
Martijn
--
DJIGZO email encryption
1 Jun
1 Jun
12:01 a.m.
On 05/31/2013 10:24 PM, Martijn Brinkers wrote:
On 05/31/2013 10:21 PM, lst_hoe02(a)kwsoft.de wrote:
The certificate contains invalid data (at least invalid according to RFC
5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
7 seems to be more strict (the Virtual Appliance by default uses OpenJDK 6).
Details:
The IssuerAltName extension is defined in RFC 5280 as:
IssuerAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
So there should be at least one GeneralName if the IssuerAltName
extension is defined. The certificate in question however contains an
empty IssuerAltName sequence. This is not allowed. In Java 6, this was
silently discarded but Java 7 seems to be more strict.
For a similar report see
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=4418011801.
Kind regards.
Martijn Brinkers
--
DJIGZO email encryption
since release 2.5 some certificates fail with
"Error building certPath.
No data available in passed DER encoded value." The Issuer certificates
are available and shown as valid, Djigzo Version 2.4.x also show the
certs as valid. Any idea what could be wrong?
No this is new to me. Can you send me the certificates? Or are you
unable to export them?
2 Jun
2 Jun
9:42 p.m.
Zitat von Martijn Brinkers <martijn(a)djigzo.com>om>:
On 05/31/2013 10:24 PM, Martijn Brinkers wrote:
I see, so the real "fix" would be to get a more obvious error message
in Djigzo? If the certificate is invalid Djigzo is right to say so,
but a pointer to *what* is invalid would be great. And BTW no need for
additional Djigzo workarounds as it is still possible to add such
certificates to the CTL.
Many Thanks
Andreas
On 05/31/2013 10:21 PM, lst_hoe02(a)kwsoft.de
wrote:
The certificate contains invalid data (at least invalid according to RFC
5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
7 seems to be more strict (the Virtual Appliance by default uses OpenJDK 6).
Details:
The IssuerAltName extension is defined in RFC 5280 as:
IssuerAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
So there should be at least one GeneralName if the IssuerAltName
extension is defined. The certificate in question however contains an
empty IssuerAltName sequence. This is not allowed. In Java 6, this was
silently discarded but Java 7 seems to be more strict.
For a similar report see
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=4418011801.
Kind regards.
Martijn Brinkers since release 2.5 some certificates fail with
"Error building certPath.
No data available in passed DER encoded value." The Issuer certificates
are available and shown as valid, Djigzo Version 2.4.x also show the
certs as valid. Any idea what could be wrong?
No this is new to me. Can you send me the certificates? Or are you
unable to export them?
10:11 p.m.
On 06/02/2013 09:42 PM, lst_hoe02(a)kwsoft.de wrote:
Zitat von Martijn Brinkers <martijn(a)djigzo.com>om>:
The problem is that the exception is thrown somewhere deep within a Java
class. The information which is shown is the information which is
available. Because I analysed the certificate manually (using a java
test and asn1 dump) I know why the certificate is not valid.
On 05/31/2013 10:24 PM, Martijn Brinkers wrote:
I see, so the real "fix" would be to get a more obvious error message in
Djigzo? If the certificate is invalid Djigzo is right to say so, but a
pointer to *what* is invalid would be great. On 05/31/2013 10:21 PM, lst_hoe02(a)kwsoft.de
wrote:
The certificate contains invalid data (at least invalid according to RFC
5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
7 seems to be more strict (the Virtual Appliance by default uses
OpenJDK 6).
Details:
The IssuerAltName extension is defined in RFC 5280 as:
IssuerAltName ::= GeneralNames
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
So there should be at least one GeneralName if the IssuerAltName
extension is defined. The certificate in question however contains an
empty IssuerAltName sequence. This is not allowed. In Java 6, this was
silently discarded but Java 7 seems to be more strict.
For a similar report see
https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=4418011801.
Kind regards.
Martijn Brinkers since release 2.5 some certificates fail with
"Error building certPath.
No data available in passed DER encoded value." The Issuer certificates
are available and shown as valid, Djigzo Version 2.4.x also show the
certs as valid. Any idea what could be wrong?
No this is new to me. Can you send me the certificates? Or are you
unable to export them? And BTW no need for
additional Djigzo workarounds as it is still possible to add such
certificates to the CTL.
You are right. I didn't thought about this workaround :)
Kind regards,
Martijn
--
DJIGZO email encryption
3466
days inactive
3468
days old
4 comments
2 participants
participants (2)
-
lst_hoe02@kwsoft.de -
Martijn Brinkers