Hi,
I get a "ClassCastException" when trying to check a certificate.
The error output is,
java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.responderIDtoString(BouncyCastleNotaryFactory.java:812)
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.checkCertificate(BouncyCastleNotaryFactory.java:409)
at tugra.MainMenu.checkCert(MainMenu.java:196)
at tugra.MainMenu.main(MainMenu.java:79)
2008-12-18 09:38:06 [BouncyCastleNotaryFactory,ERROR] checkCertificate; OCSP Signature verification error!!!
java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.responderIDtoString(BouncyCastleNotaryFactory.java:812)
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.checkCertificate(BouncyCastleNotaryFactory.java:409)
at tugra.MainMenu.checkCert(MainMenu.java:196)
at tugra.MainMenu.main(MainMenu.java:79)
2008-12-18 09:38:06 [DigiDocException,ERROR] handleException; java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.responderIDtoString(BouncyCastleNotaryFactory.java:812)
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.checkCertificate(BouncyCastleNotaryFactory.java:409)
at tugra.MainMenu.checkCert(MainMenu.java:196)
at tugra.MainMenu.main(MainMenu.java:79)
2008-12-18 09:38:06 [DigiDocException,ERROR] handleException; java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.responderIDtoString(BouncyCastleNotaryFactory.java:812)
at ee.sk.digidoc.factory.BouncyCastleNotaryFactory.checkCertificate(BouncyCastleNotaryFactory.java:409)
at tugra.MainMenu.checkCert(MainMenu.java:196)
at tugra.MainMenu.main(MainMenu.java:79)
Certificate is not OK!
---------------------------------------------------------------------
The error line is (BouncyCastleNotaryFactory.java, 800):
private String responderIDtoString(BasicOCSPResp basResp) {
    if(basResp != null) {
        ...
        ...
        X509Name name = new X509Name((ASN1Sequence)o); // (This line, 800)
        ...
    }
    else
        return null;
}
------------------------------------------------------------------------
So it is,
java.lang.ClassCastException: org.bouncycastle.asn1.DEROctetString cannot be cast to org.bouncycastle.asn1.ASN1Sequence
I think the reason is related to the library files (because of the ClassCastException).
I downloaded the "JDigiDoc full package" from OpenXades.org and then
copied all the library files from the package to "C:\Program Files\Java\jre6\lib\ext".
Please let me know exactly which library files should be there.
Have a good works,
Thanks,
Muhammed ER.
Hello Muhammed,
First, let me give you another link as well: http://www.sunsetsoftware.ee/tarkvara. Please try version 2.3.19 from this website and then perhaps 2.3.25. The version on SF.net has not been updated much lately, as some submodules of the library were not yet released under LGPL. OK, all you find on this website is LGPL as well, and I'll update SF.net as well soon.
The tricky question is which libraries to use. Well, if you look in the tar+gz files on this website, they contain all dependent jars. Of course one has to pick the correct BouncyCastle lib for the JDK you are using. As for JDigiDoc.jar itself, I usually try to compile it separately with the jdk1.4 compiler, as this produces a result that's usable also in jdk 1.5 and later. Yes, you have to copy the BouncyCastle jar and possibly xerces-related jars to jre\lib\ext or jre\lib\endorsed, because the JDK also contains versions of xerces that are newer and because otherwise the BC library doesn't get registered as a crypto lib.
If you use in jdigidoc.cfg:
CANONICALIZATION_FACTORY_IMPL=ee.sk.digidoc.c14n.TinyXMLCanonicalizer
then you need only tinyxmlcanonicalizer-0.9.0.jar and no xerces jars. This jar uses the platform default XML parser.
Ok, in the newest jar we still have this line:
X509Name name = new X509Name((ASN1Sequence)o);
So the new lib might not improve the situation. The background is that the OCSP responder puts in the OCSP response some id that tells the caller which responder responded. We use this id in the library to locate the responder's CA cert, which is necessary to verify the OCSP response. This id can be in pure text and contain, for example, the OCSP responder server cert's CN. That's the case if you use www.openxades.org. But according to the spec it can also be some binary data. I think you used some other OCSP server that was configured to return some binary id.
I'll notify you once we have a solution to this.
best regards
Veiko
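Added example, not part of the original posts and not JDigiDoc code: the reply above describes the two forms a responder id can take, which RFC 2560 defines as a CHOICE between byName (tag [1], a Name) and byKey (tag [2], an OCTET STRING). The sketch below uses only JDK classes and dispatches on the tag instead of casting to a sequence; the class name, method names and sample bytes are constructed for illustration.

```java
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;
// Added illustration, not JDigiDoc code: handle both ResponderID forms by tag.
public class ResponderIdDemo {
    // Reads a DER length starting at buf[pos[0]]; advances pos[0] past the length bytes.
    static int readLength(byte[] buf, int[] pos) {
        int first = buf[pos[0]++] & 0xFF;
        if (first < 0x80) return first;                 // short form
        int n = first & 0x7F;                           // long form: n length bytes follow
        if (n == 0 || n > 2 || pos[0] + n > buf.length)
            throw new IllegalArgumentException("unsupported DER length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos[0]++] & 0xFF);
        return len;
    }

    // RFC 2560: ResponderID ::= CHOICE { byName [1] Name, byKey [2] KeyHash }
    static String describe(byte[] der) {
        if (der == null || der.length < 2) throw new IllegalArgumentException("too short");
        int[] pos = {1};
        int len = readLength(der, pos);
        if (pos[0] + len != der.length) throw new IllegalArgumentException("length mismatch");
        byte[] inner = Arrays.copyOfRange(der, pos[0], der.length);
        switch (der[0] & 0xFF) {
            case 0xA1: // byName: the inner value is a DER-encoded Name
                return "byName:" + new X500Principal(inner).getName();
            case 0xA2: // byKey: OCTET STRING with the SHA-1 hash of the responder's public key
                if (inner.length != 22 || inner[0] != 0x04 || inner[1] != 20)
                    throw new IllegalArgumentException("KeyHash must be a 20-byte OCTET STRING");
                StringBuilder sb = new StringBuilder("byKey:");
                for (int i = 2; i < inner.length; i++) sb.append(String.format("%02x", inner[i] & 0xFF));
                return sb.toString();
            default:
                throw new IllegalArgumentException("not a ResponderID");
        }
    }

    public static void main(String[] args) {
        byte[] name = new X500Principal("CN=Test OCSP").getEncoded(); // constructed sample name
        byte[] byName = new byte[name.length + 2];                    // [1] EXPLICIT wrapper
        byName[0] = (byte) 0xA1; byName[1] = (byte) name.length;
        System.arraycopy(name, 0, byName, 2, name.length);
        byte[] byKey = new byte[24];                                  // constructed sample key hash
        byKey[0] = (byte) 0xA2; byKey[1] = 22; byKey[2] = 0x04; byKey[3] = 20;
        for (int i = 0; i < 20; i++) byKey[4 + i] = (byte) i;         // placeholder hash bytes
        System.out.println(describe(byName));
        System.out.println(describe(byKey));
    }
}
```

With a byKey id, a verifier has to pick the responder certificate by comparing these 20 bytes with the SHA-1 hash of each configured responder certificate's public key, since there is no CN to look up.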
Thanks for your help,
I tried all versions of DigiDoc :D and the same problem occurs with all of them. The computer has JDK 1.6.
And my config file is:
# JDigiDoc config file
# Signature processor settings
DIGIDOC_SIGN_IMPL=ee.sk.digidoc.factory.PKCS11SignatureFactory
DIGIDOC_SIGN_IMPL_PKCS11=ee.sk.digidoc.factory.PKCS11SignatureFactory
DIGIDOC_NOTARY_IMPL=ee.sk.digidoc.factory.BouncyCastleNotaryFactory
#DIGIDOC_NOTARY_IMPL=ee.sk.digidoc.factory.IAIKNotaryFactory
DIGIDOC_FACTORY_IMPL=ee.sk.digidoc.factory.SAXDigiDocFactory
CANONICALIZATION_FACTORY_IMPL=ee.sk.digidoc.factory.DOMCanonicalizationFactory
CRL_FACTORY_IMPL=ee.sk.digidoc.factory.CRLCheckerFactory
# Security settings
DIGIDOC_SECURITY_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider
# PKCS#11 module settings - change this according to your signature device!!!
DIGIDOC_SIGN_PKCS11_DRIVER=C:\\Program Files\\Gemplus\\GemSafe Libraries Admin\\BIN\\gclib.dll
# VS: this is PKCS#11 driver for AID cards (GPK8000)
#DIGIDOC_SIGN_PKCS11_DRIVER=pk2priv
DIGIDOC_SIGN_PKCS11_WRAPPER=PKCS11Wrapper
DIGIDOC_VERIFY_ALGORITHM=RSA//NOPADDING
DIGIDOC_DRIVER_BASE_URL=http://localhost:8080/XMLSign/
# VS: log4j config file - change this!!!
DIGIDOC_LOG4J_CONFIG=C:\\ETUGRA\\work\\SignatureLogging.properties
# OCSP responder URL - change this!!!
DIGIDOC_OCSP_RESPONDER_URL=http://ocsp.e-tugra.com/status/ocsp
# your HTTP proxy if necessary - change this!!!
# DIGIDOC_PROXY_HOST=proxy.sebank.se
# DIGIDOC_PROXY_PORT=8080
# VS: sign OCSP requests or not. Depends on your responder
SIGN_OCSP_REQUESTS=false
OCSP_SAVE_DIR=.
# The PKCS#12 file used to sign OCSP requests
# DIGIDOC_PKCS12_CONTAINER=C:\\JDigiDoc\\VeikoSinivee-12-2003.p12d
# password for this key
# DIGIDOC_PKCS12_PASSWD=ImiM9Fk5
# serial number of your PKCS#12 signature cert.
# Use ee.sk.test.OCSPCertFinder to find this
# DIGIDOC_OCSP_SIGN_CERT_SERIAL=2147
# VS: CA certificates. Used to do a preliminary check of signer.
# Not required. If used then signers cert will be accepted if
# it is directly issued by one of the CA-s here.
DIGIDOC_CA_CERTS=2
DIGIDOC_CA_CERT1=C:\\cer\\EBG_KOKSM.pem
DIGIDOC_CA_CERT2=C:\\cer\\EBG_ALTSM.pem
# VS: OCSP responder certificates - change this!!!
DIGIDOC_OCSP_COUNT=1
DIGIDOC_OCSP1_CN=EBG Sertifika Durum Protokolü Hizmet Sağlayıcısı
DIGIDOC_OCSP1_CERT=C:\\cer\\ocsp_etugra_asm_nes.pem
DIGIDOC_OCSP1_CA_CERT=C:\\cer\\EBG_KOKSM.pem
DIGIDOC_OCSP1_CA_CN=EBG Elektronik Sertifika Hizmet Sağlayıcısı
# OCSP or CRL selectors
DIGIDOC_CERT_VERIFIER=OCSP
DIGIDOC_SIGNATURE_VERIFIER=OCSP
# VS not required if you don't use CRL-s
# CRL settings
CRL_USE_LDAP=false
CRL_FILE=esteid.crl
CRL_URL=http://www.sk.ee/crls/esteid/esteid.crl
CRL_SEARCH_BASE=cn=ESTEID-SK,ou=ESTEID,o=AS Sertifitseerimiskeskus,c=EE
CRL_FILTER=(certificaterevocationlist;binary=*)
CLR_LDAP_DRIVER=com.ibm.jndi.LDAPCtxFactory
CRL_LDAP_URL=ldap://194.126.99.76:389
CRL_LDAP_ATTR=certificaterevocationlist;binary
CRL_PROXY_HOST=cache.eypsise
CRL_PROXY_PORT=8080
That is my config file. I am not sure if the problem is here, but I am afraid the problem is in the installation. I checked the location of the jar files maybe more than 20 times, but maybe the problem is there. So, please let me know: which jar files are needed, and where should they be placed according to this config file?
Thanks,
Best Regards,
Muhammed ER.