I cannot use the GeoTrust TSA server "https://timestamp.geotrust.com/tsa" with JRE7, only with JRE6. The exception below is thrown instead. As a workaround, I switched to the Starfield TSA server (http://tsa.starfieldtech.com/).
Starte JSignPdf
Checking input and output PDF paths.
Verwendet Schlüssel: XXXXX
Lade privaten Schlüssel
Hole Zertifikatskette
Öffne PDF Eingabedatei:XXXXX.pdf
Erzeuge PDF Ausgabedatei: YYYYYY.pdf
Erzeuge Signatur
Updating PDF version info 1.4 -> 1.7
Setze Ort: ZZZZZZ
Setze Zertifizierungsstufe
Konfiguriere visuelle Signatur
Verwendung nur die Acrobat 6 empfehlen Ebenen: true
Erzeuge Bild ZZZZZZZZ
Setze Bild
Skaliere Hintergrundbild
Setze Text der Ebene 2 (Beschreibung)
Setze Text der Ebene 4 (Status)
Setze Renderverfahren
Erzeuge visuelle Signatur
Bearbeite (es kann ein wenig länger dauern) ...
Creating TSA client.
Es ist ein Problem aufgetreten
ExceptionConverter: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTSAResponse(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(Unknown Source)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:300)
at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:77)
at java.lang.Thread.run(Unknown Source)
Fertig: Erzeugen der Signatur fehlgeschlagen
Hello, thank you for the report.
Have you tried to start the InstallCert tool with the JRE7? The tool is included in the JSignPdf installation.
If you didn't try it already, then run in the console:
\pathToYourJRE7\bin\java -jar InstallCert.jar timestamp.geotrust.com
and then fill in the information:
Enter certificate to add to trusted keystore or 'q' to quit [1]: 1
Press Enter and you should see a message about the installed certificate:
Added certificate to keystore '/pathToYourJRE7/lib/security/cacerts' using alias 'timestamp.geotrust.com-1'
(You have to run the InstallCert tool with administrator rights, e.g. use sudo on Linux.)
The InstallCert tool is described in chapter 10.1 of the JSignPdf guide (v. 1.2.6).
The CA certificate of Equifax (Equifax Secure Certificate Authority), which was used to sign/issue the GeoTrust cert, is part of the JRE7 system certificate store and thus the validation of the GeoTrust cert should succeed. It looks more like a general issue with HTTPS. The Starfield TSA server does not use HTTPS and maybe that's why time-stamping works with this server.
>Have you tried to start the InstallCert tool with the JRE7?
Yes, almost the same error (see below)
############
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
D:\Utilities\jsignpdf-1.2.6>java -jar InstallCert.jar timestamp.geotrust.com
InstallCert - Install CA certificate to Java Keystore
=====================================================
Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
Opening connection to timestamp.geotrust.com:443...
Starting SSL handshake...
javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at net.sf.jsignpdf.InstallCert.main(InstallCert.java:134)
Could not obtain server certificate chain
D:\Utilities\jsignpdf-1.2.6>
################
OK, I see it now. It seems to be a change in the handling of SSL alerts between Java 6 and Java 7.
It was reported as a bug, but the engineers at Oracle say it's not a bug. (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374)
Nevertheless, you can solve it easily. Use -Djsse.enableSNIExtension=false command line argument:
java -Djsse.enableSNIExtension=false -jar JSignPdf.jar ...
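Added example (not part of the thread and not JSignPdf code): a small decoder for the TLS alert record behind the "handshake alert: unrecognized_name" message, to tell a warning-level alert, after which the server continues the handshake, from a fatal one. The class name and the sample bytes are constructed for illustration; the bytes were not captured from timestamp.geotrust.com.

```java
import java.util.ArrayList;
import java.util.List;

public class TlsAlertDecode {
    // Walk TLS records (header: type[1] version[2] length[2]) and describe plaintext alerts.
    static List<String> alerts(byte[] wire) {
        List<String> out = new ArrayList<String>();
        int pos = 0;
        while (pos + 5 <= wire.length) {
            int type = wire[pos] & 0xff;
            int len = ((wire[pos + 3] & 0xff) << 8) | (wire[pos + 4] & 0xff);
            int body = pos + 5;
            if (body + len > wire.length) {
                out.add("truncated record at offset " + pos);
                break;
            }
            if (type == 21 && len == 2) { // ContentType 21 = alert: level byte, description byte
                out.add(describe(wire[body] & 0xff, wire[body + 1] & 0xff));
            }
            pos = body + len;
        }
        return out;
    }

    static String describe(int level, int desc) {
        String lvl = level == 1 ? "warning" : level == 2 ? "fatal" : "level(" + level + ")";
        String name;
        switch (desc) {
            case 0:   name = "close_notify"; break;
            case 40:  name = "handshake_failure"; break;
            case 112: name = "unrecognized_name"; break; // RFC 6066, reply to the SNI extension
            default:  name = "alert(" + desc + ")";
        }
        String note = "";
        if (desc == 112 && level == 1) {
            note = " -> server continues the handshake; the Java 7 client aborts on it";
        } else if (desc == 112) {
            note = " -> server itself refused the requested name";
        }
        return lvl + " " + name + note;
    }

    public static void main(String[] args) {
        // Constructed sample: warning alert record, then a stub handshake record (ServerHello type 2).
        byte[] sample = {
            0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x70,
            0x16, 0x03, 0x01, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00 };
        for (String line : alerts(sample)) {
            System.out.println(line);
        }
    }
}
```

The -Djsse.enableSNIExtension=false property applies to every TLS connection the JVM makes, so set it only on the command line of the signing process rather than in a shared JVM configuration.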
Works, thanks.
Last edit: Anonymous 2014-07-19