
Provide better support for IBM JDK

Open · gcontini opened this issue 7 years ago · 1 comment

We're using your library in an AIX environment, which uses the IBM JDK. When I run tests on our servers I notice a large number of failures (30 errors).

Most of them are caused by different behavior of the JVM PKIXCertificateValidationProvider. For instance:

XadesVerifierImplTest.testVerifyTBES is failing with the following exception.

xades4j.verification.TimeStampInvalidSignatureException: Verification failed for property 'SignatureTimeStamp': invalid token signature
	at xades4j.verification.TimeStampVerifierBase.getEx(TimeStampVerifierBase.java:114)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:89)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:1)
	at xades4j.verification.QualifyingPropertiesVerifierImpl.verifyProperties(QualifyingPropertiesVerifierImpl.java:59)
	at xades4j.verification.XadesVerifierImpl.getValidationDate(XadesVerifierImpl.java:251)
	at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:174)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:108)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:101)
	at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:93)
	at xades4j.verification.XadesVerifierImplTest.testVerifyTBES(XadesVerifierImplTest.java:158)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
	at java.lang.reflect.Method.invoke(Method.java:611)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:459)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:678)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:382)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:192)
Caused by: xades4j.providers.TimeStampTokenTSACertException: cannot validate TSA certificate
	at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:146)
	at xades4j.verification.TimeStampVerifierBase.verify(TimeStampVerifierBase.java:71)
	... 32 more
Caused by: xades4j.providers.CannotSelectCertificateException: The available certificate selector didn't match any certificates
	at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:263)
	at xades4j.providers.impl.DefaultTimeStampVerificationProvider.verifyToken(DefaultTimeStampVerificationProvider.java:133)
	... 33 more
Caused by: java.security.InvalidAlgorithmParameterException: TargetSubject must be set
	at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:209)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:258)
	at xades4j.providers.impl.PKIXCertificateValidationProvider.validate(PKIXCertificateValidationProvider.java:253)
	... 34 more

My suggestion is to use BouncyCastle as default. This provides consistent behavior across jvm implementations.

I noticed I can specify the security provider in PKIXCertificateValidationProvider constructor (certPathBuilderProvider parameter)... the only problem is that this solution has never passed your unit tests.

gcontini commented on Mar 18 '17 08:03
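The root cause in the trace is that IBM's `PKIXCertPathBuilderImpl` refuses an `X509CertSelector` that carries only the target certificate and no subject, while the Oracle/OpenJDK builder accepts it. The following is an added example, not xades4j's code: it sets the subject on the selector as well, and runs the same build once with the JVM's default PKIX builder and once with BouncyCastle named as the provider. It assumes bcprov and bcpkix on the classpath; the CA/TSA certificates are constructed in `main` so it runs offline.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class PortablePkixBuild {
    // Build and validate a path to 'target'. Setting the subject on the selector is what the
    // IBM builder ("TargetSubject must be set") requires; Oracle/OpenJDK accept a selector
    // carrying only the certificate. 'provider' may be null to use the JVM default.
    static PKIXCertPathBuilderResult buildPath(X509Certificate target, Set<TrustAnchor> anchors,
            Collection<X509Certificate> intermediates, String provider) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        selector.setSubject(target.getSubjectX500Principal()); // portable across JDKs
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(intermediates)));
        params.setRevocationEnabled(false); // the constructed test chain has no CRL/OCSP
        CertPathBuilder builder = provider == null ? CertPathBuilder.getInstance("PKIX")
                : CertPathBuilder.getInstance("PKIX", provider);
        return (PKIXCertPathBuilderResult) builder.build(params);
    }
    // Issue a one-day certificate; used only to construct a test chain (CA -> leaf) offline.
    static X509Certificate issue(String subject, PublicKey pub, String issuer, PrivateKey issuerKey,
            long serial) throws Exception {
        Date now = new Date();
        X509CertificateHolder holder = new JcaX509v3CertificateBuilder(new X500Name(issuer),
                BigInteger.valueOf(serial), now, new Date(now.getTime() + 86_400_000L),
                new X500Name(subject), pub)
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey));
        return new JcaX509CertificateConverter().getCertificate(holder);
    }
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair(), leaf = kpg.generateKeyPair();
        X509Certificate caCert = issue("CN=Test CA", ca.getPublic(), "CN=Test CA", ca.getPrivate(), 1);
        X509Certificate tsaCert = issue("CN=Test TSA", leaf.getPublic(), "CN=Test CA", ca.getPrivate(), 2);
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(caCert, null));
        for (String p : new String[] {null, "BC"}) { // JVM default builder, then BouncyCastle
            PKIXCertPathBuilderResult r = buildPath(tsaCert, anchors, List.of(tsaCert), p);
            System.out.println((p == null ? "default" : p) + ": built path of "
                    + r.getCertPath().getCertificates().size() + " certificate(s)");
        }
    }
}
```

Both runs should build a one-certificate path to the TSA certificate; if the IBM builder is the default provider, the `setSubject` call is the line that prevents the `InvalidAlgorithmParameterException` shown in the trace.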

I imagine this still happens. Did you find the cause for failures when the BC provider is specified?

luisgoncalves commented on Sep 20 '18 22:09