#27 Unable to sign pdf with JRE7 and Geotrust TSA

other
open-wont-fix
Other (11)
5
2014-10-08
2012-02-22
Anonymous
No

I cannot use the Geotrust TSA server "https://timestamp.geotrust.com/tsa" with JRE7, only with JRE6. The exception below is thrown instead. As a workaround, I switched to the Starfield TSA server (http://tsa.starfieldtech.com/).

Starte JSignPdf
Checking input and output PDF paths.
Verwendet Schlüssel: XXXXX
Lade privaten Schlüssel
Hole Zertifikatskette
Öffne PDF Eingabedatei:XXXXX.pdf
Erzeuge PDF Ausgabedatei: YYYYYY.pdf
Erzeuge Signatur
Updating PDF version info 1.4 -> 1.7
Setze Ort: ZZZZZZ
Setze Zertifizierungsstufe
Konfiguriere visuelle Signatur
Verwendung nur die Acrobat 6 empfehlen Ebenen: true
Erzeuge Bild ZZZZZZZZ
Setze Bild
Skaliere Hintergrundbild
Setze Text der Ebene 2 (Beschreibung)
Setze Text der Ebene 4 (Status)
Setze Renderverfahren
Erzeuge visuelle Signatur
Bearbeite (es kann ein wenig länger dauern) ...
Creating TSA client.
Es ist ein Problem aufgetreten
ExceptionConverter: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTSAResponse(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.TSAClientBouncyCastle.getTimeStampToken(Unknown Source)
at com.lowagie.text.pdf.PdfPKCS7.getEncodedPKCS7(Unknown Source)
at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:300)
at net.sf.jsignpdf.SignerLogic.run(SignerLogic.java:77)
at java.lang.Thread.run(Unknown Source)
Fertig: Erzeugen der Signatur fehlgeschlagen

Discussion

  • Josef Cacek - 2012-02-22

    Hello, thank you for the report.
    Have you tried to start the InstallCert tool with the JRE7? The tool is included in the JSignPdf installation.
    If you didn't try it already, then run in the console:
    \pathToYourJRE7\bin\java -jar InstallCert.jar timestamp.geotrust.com
    and then fill in the information:
    Enter certificate to add to trusted keystore or 'q' to quit [1]: 1

    press Enter and you should see a message about the installed certificate:
    Added certificate to keystore '/pathToYourJRE7/lib/security/cacerts' using alias 'timestamp.geotrust.com-1'

    (You have to run the InstallCert tool with administrator rights - i.e. use sudo for instance on Linux).

     
  • Josef Cacek - 2012-02-22

    The InstallCert tool is described in chapter 10.1 of the JSignPdf guide (v. 1.2.6).

     
  • Anonymous - 2012-02-23

    The CA certificate of Equifax (Equifax Secure Certificate Authority), which was used to sign/issue the geotrust cert, is part of the JRE7 system certificate store and thus the validation of the geotrust cert should succeed. It looks more like a general issue with HTTPS. The Starfield TSA server does not use HTTPS and maybe that's why time-stamping works with this server.

    >Have you tried to start the InstallCert tool with the JRE7?
    yes, almost same error (see below)

    ############
    Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

    D:\Utilities\jsignpdf-1.2.6>java -jar InstallCert.jar timestamp.geotrust.com
    InstallCert - Install CA certificate to Java Keystore
    =====================================================
    Loading KeyStore C:\Program Files\Java\jre7\lib\security\cacerts...
    Opening connection to timestamp.geotrust.com:443...
    Starting SSL handshake...

    javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at net.sf.jsignpdf.InstallCert.main(InstallCert.java:134)
    Could not obtain server certificate chain

    D:\Utilities\jsignpdf-1.2.6>
    ################

     
  • Josef Cacek - 2012-02-23
    • status: open --> closed-wont-fix
     
  • Josef Cacek - 2012-02-23

    OK, I see it now. It seems to be a change in the handling of SSL alerts between Java 6 and Java 7.
    It was reported as a bug, but the engineers at Oracle say it's not a bug. (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7127374)

    Nevertheless, you can solve it easily. Use the -Djsse.enableSNIExtension=false command-line argument:

    java -Djsse.enableSNIExtension=false -jar JSignPdf.jar ...
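
The system property in the comment above switches SNI off for every TLS client connection that JVM makes, not only the one to the TSA. The following is an added example, not code from JSignPdf or from this thread: it builds a ClientHello offline with and without a per-engine opt-out and checks whether the host name is in it. It assumes Java 8 or later (for SSLParameters.setServerNames); the class name SniScopeCheck and the host tsa.example.com are made up for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class SniScopeCheck {
    // Builds the first handshake record (ClientHello) without touching the network.
    static byte[] clientHello(String host, boolean sendSni) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        if (!sendSni) {
            // Java 8+: an empty list suppresses server_name for this engine only.
            SSLParameters params = engine.getSSLParameters();
            params.setServerNames(Collections.<SNIServerName>emptyList());
            engine.setSSLParameters(params);
        }
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.beginHandshake();
        engine.wrap(ByteBuffer.allocate(0), out);
        out.flip();
        byte[] record = new byte[out.remaining()];
        out.get(record);
        return record;
    }

    // SNI carries the host name in clear text, so a byte search is enough here.
    static boolean carriesName(byte[] record, String host) {
        byte[] name = host.getBytes(StandardCharsets.US_ASCII);
        for (int i = 0; i + name.length <= record.length; i++) {
            int j = 0;
            while (j < name.length && record[i + j] == name[j]) j++;
            if (j == name.length) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String host = "tsa.example.com"; // hypothetical TSA host, never contacted
        System.out.println("default engine sends SNI:   "
                + carriesName(clientHello(host, true), host));
        System.out.println("scoped opt-out sends SNI:   "
                + carriesName(clientHello(host, false), host));
    }
}
```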

     
  • Anonymous - 2012-02-24

    Works, thanks.

     
  • Anonymous - 2012-02-24
    • status: closed-wont-fix --> open-wont-fix
     
    Last edit: Anonymous 2014-07-19
