#27 Unable to sign pdf with JRE7 and Geotrust TSA

Milestone: other
Status: open-wont-fix
Owner: Josef Cacek
Labels: Other (11)
Priority: 5
Updated: 2012-02-24
Created: 2012-02-22
Creator: Anonymous
Private: No

I cannot use the Geotrust TSA server "https://timestamp.geotrust.com/tsa" with JRE7, only with JRE6; the exception below is thrown instead. As a workaround, I switched to the Starfield TSA server (http://tsa.starfieldtech.com/).

Starte JSignPdf
Checking input and output PDF paths.
Verwendet Schlüssel: XXXXX
Lade privaten Schlüssel
Hole Zertifikatskette
Öffne PDF Eingabedatei:XXXXX.pdf
Erzeuge PDF Ausgabedatei: YYYYYY.pdf
Erzeuge Signatur
Updating PDF version info 1.4 -> 1.7
Setze Ort: ZZZZZZ
Setze Zertifizierungsstufe
Konfiguriere visuelle Signatur
Verwendung nur die Acrobat 6 empfehlen Ebenen: true
Erzeuge Bild ZZZZZZZZ
Setze Bild
Skaliere Hintergrundbild
Setze Text der Ebene 2 (Beschreibung)
Setze Text der Ebene 4 (Status)
Setze Renderverfahren
Erzeuge visuelle Signatur
Bearbeite (es kann ein wenig länger dauern) ...
Creating TSA client.
Es ist ein Problem aufgetreten
ExceptionConverter: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTSAResponse(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(Unknown Source)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:300)
at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:77)
at java.lang.Thread.run(Unknown Source)
Fertig: Erzeugen der Signatur fehlgeschlagen

Discussion

  • Josef Cacek
    2012-02-22

    Hello, thank you for the report.
    Have you tried to start the InstallCert tool with the JRE7? The tool is included in the JSignPdf installation.
    If you didn't try it already, then run in the console:
    \pathToYourJRE7\bin\java -jar InstallCert.jar timestamp.geotrust.com
    and then fill the information:
    Enter certificate to add to trusted keystore or 'q' to quit [1]: 1

    press Enter and you should see an info about installed certificate:
    Added certificate to keystore '/pathToYourJRE7/lib/security/cacerts' using alias 'timestamp.geotrust.com-1'

    (You have to run the InstallCert tool with administrator rights, i.e. use sudo for instance on Linux).

     
  • Josef Cacek
    2012-02-22

    The InstallCert tool is described in the chapter 10.1 of the JSignPdf guide (v. 1.2.6).

     

  • Anonymous
    2012-02-23

    The CA certificate of Equifax (Equifax Secure Certificate Authority), which was used to sign/issue the Geotrust cert, is part of the JRE7 system certificate store and thus the validation of the Geotrust cert should succeed. It looks more like a general issue with HTTPS. The Starfield TSA server does not use HTTPS and maybe that's why time-stamping works with this server.

    >Have you tried to start the InstallCert tool with the JRE7?
    yes, almost same error (see below)

    ############
    Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

    D:\Utilities\jsignpdf-1.2.6>java -jar InstallCert.jar timestamp.geotrust.com
    InstallCert - Install CA certificate to Java Keystore
    =====================================================
    Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
    Opening connection to timestamp.geotrust.com:443...
    Starting SSL handshake...

    javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at net.sf.jsignpdf.InstallCert.main(InstallCert.java:134)
    Could not obtain server certificate chain

    D:\Utilities\jsignpdf-1.2.6>
    ################

     
  • Josef Cacek
    2012-02-23

    • status: open --> closed-wont-fix
     
  • Josef Cacek
    2012-02-23

    OK, I see it now. It seems to be a change in the handling of SSL alerts between Java 6 and Java 7.
    It was reported as a bug, but engineers at Oracle say it's not a bug. (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374)

    Nevertheless, you can solve it easily. Use the -Djsse.enableSNIExtension=false command line argument:

    java -Djsse.enableSNIExtension=false -jar JSignPdf.jar ...
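To show what the -Djsse.enableSNIExtension=false workaround actually changes on the wire, here is an added Python example that is not part of JSignPdf, iText or the BouncyCastle TSA client. It builds a minimal TLS 1.2 ClientHello with and without the server_name (SNI) extension from RFC 6066, extracts the SNI hostname back out of the bytes, and decodes a TLS alert record such as the unrecognized_name alert (code 112) behind the exception in this ticket. The ClientHello is deliberately simplified (one cipher suite, a fixed "random" field) and the sample alert bytes are constructed for the example, not captured from timestamp.geotrust.com.

```python
"""Inspect the TLS messages behind the 'handshake alert: unrecognized_name' failure.

Added example (not JSignPdf code). Byte layouts follow RFC 5246 (TLS 1.2 ClientHello,
alert records) and RFC 6066 (server_name extension). The ClientHello is simplified.
"""
import struct

EXT_SERVER_NAME = 0            # RFC 6066 ExtensionType server_name
ALERT_UNRECOGNIZED_NAME = 112  # RFC 6066 AlertDescription unrecognized_name

ALERT_NAMES = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    ALERT_UNRECOGNIZED_NAME: "unrecognized_name",
}


def build_client_hello(server_name=None):
    """Return a minimal TLS 1.2 ClientHello handshake message (no record-layer header).

    With server_name=None the server_name extension is omitted entirely, which is the
    effect of -Djsse.enableSNIExtension=false: the server never learns which hostname
    the client wanted and so has nothing to reject with unrecognized_name.
    """
    random_field = b"\x00" * 32                   # constructed placeholder, not random
    session_id = b"\x00"                          # empty session id
    cipher_suites = b"\x00\x02" + b"\x00\x2f"     # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                     # one method: null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName entry: name_type host_name(0), 2-byte length, the name itself
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = b"\x03\x03" + random_field + session_id + cipher_suites + compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # HandshakeType client_hello(1) followed by a 24-bit body length
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def sni_hostname(client_hello):
    """Return the host_name carried in the server_name extension, or None if absent."""
    if client_hello[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = client_hello[4:]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                          # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q < 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii")
    return None


def decode_alert_record(record):
    """Decode a TLS alert record (ContentType 21) into (level, description name)."""
    if len(record) < 7 or record[0] != 21:
        raise ValueError("not a TLS alert record")
    if struct.unpack("!H", record[3:5])[0] != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, description = record[5], record[6]
    level_name = "warning" if level == 1 else "fatal"
    return level_name, ALERT_NAMES.get(description, "alert_%d" % description)


# Constructed sample record: warning-level (1) unrecognized_name (112) alert, the shape a
# server sends when the SNI hostname does not match any name it is configured for.
SAMPLE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x01, ALERT_UNRECOGNIZED_NAME])

if __name__ == "__main__":
    with_sni = build_client_hello("timestamp.geotrust.com")
    without_sni = build_client_hello()
    print("SNI with extension   :", sni_hostname(with_sni))
    print("SNI without extension:", sni_hostname(without_sni))
    print("sample alert decodes :", decode_alert_record(SAMPLE_ALERT))
```

Removing the extension works here because the server only raises unrecognized_name when the client offers a hostname it is not configured for; with no SNI it simply serves its default certificate, and certificate validation against the JRE7 trust store proceeds as before. The property is JVM-wide, though: a JSignPdf run started this way also drops SNI on every other HTTPS connection it opens, which breaks against hosts that depend on SNI to select the right certificate.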

     

  • Anonymous
    2012-02-24

    Works, thanks.

     

  • Anonymous
    2012-02-24

    • status: closed-wont-fix --> open-wont-fix
     
    Last edit: Anonymous 2014-07-19