From: Markus K. <ma...@pr...> - 2017-04-09 19:26:37

On 03/21/2017 04:00 PM, Arnaud Defos wrote:
> Hi,
>
> Thanks Markus, it works.

Hi Arnaud,

> I try now to use JKS instead of P12.

Any reason why you want to use JKS instead of PKCS#12?

> We have a JKSCryptoToken which seems to work fine with this configuration:
>
> GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
> WORKERGENID1.NAME=CryptoJKS
> WORKERGENID1.KEYSTORETYPE=JKS
> WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystore.jks
> WORKERGENID1.KEYSTOREPASSWORD=foobar
> WORKERGENID1.DEFAULTKEY=test
>
> The TimestampWorker configuration looks like:
>
> GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.tsa.TimeStampSigner
> WORKERGENID1.NAME=TimeStampSigner
> WORKERGENID1.AUTHTYPE=NOAUTH
> WORKERGENID1.CRYPTOTOKEN=CryptoJKS
> WORKERGENID1.DEFAULTTSAPOLICYOID=1.1.1.1
> WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSA
> WORKERGENID1.DEFAULTKEY=my-key
>
> We upload the signercert and signsercertchain to the TimeStampSigner
> without problem.
>
> The getstatus command shows:
>
> Current version of server is : SignServer CE 3.7.0
> Status of CryptoWorker with id 1 (CryptoJKS) is:
> Worker status : Active
> Token status : Active
>
> Status of Signer with id 2 (PDFSigner) is:
> Worker status : Active
> Token status : Active
>
> Status of Signer with id 3 (TimeStampSigner) is:
> Worker status : Active
> Token status : Active
> Signings : 0
>
> But when we use the following command to test that the setup is correct:
> bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner
> the result is:
>
> Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
>         at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:343)
>         at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
>         at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
> Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1676)
>         at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:676)
>         at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:364)
>         at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:335)
>         ... 2 more
>
> and the logs show:
>
> [#|2017-03-21T14:42:59.564+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [TimeStampSigner] OperatorCreationException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN

I believe this issue is because Bouncy Castle does not support JKS keystores (at least not previously?); the provider used is the SUN provider, which apparently does not support the SHA256withRSA algorithm. So either you have to use a different signature algorithm (probably not wanted) or use a different keystore format such as PKCS#12.

Cheers,
Markus
PrimeKey Solutions

>         at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
>         at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
>         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
>         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
>         at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
>         at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
>         at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
>         at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
>         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>         at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
>         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
>         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
>         at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
>         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>         at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
>         at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
>         at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
>         at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
>         at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
>         at com.sun.proxy.$Proxy268.process(Unknown Source)
>         at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
>         at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
>         at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
>         at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
>         at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
>         at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
>         at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
>         at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
>         at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
>         at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
>         at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
>         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
>         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
>         at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
>         at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
>         at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
>         at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
>         at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
>         at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
>         at sun.security.jca.GetInstance.getService(GetInstance.java:100)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
>         at java.security.Signature.getInstance(Signature.java:403)
>         at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
>         at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
>         ... 56 more
> |#]
>
> [#|2017-03-21T14:42:59.566+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [WorkerProcessImpl] SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> org.signserver.common.SignServerException: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
>         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:286)
>         at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
>         at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
>         at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
>         at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
>         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>         at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
>         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
>         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
>         at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
>         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
>         at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
>         at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
>         at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
>         at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
>         at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
>         at com.sun.proxy.$Proxy268.process(Unknown Source)
>         at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
>         at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
>         at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
>         at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
>         at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
>         at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
>         at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
>         at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
>         at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
>         at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
>         at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
>         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
>         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
>         at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
>         at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
>         at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
>         at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
>         at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
>         at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.signserver.common.SignServerException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
>         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:600)
>         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
>         ... 52 more
> Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
>         at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
>         at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
>         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
>         ... 53 more
> Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
>         at sun.security.jca.GetInstance.getService(GetInstance.java:100)
>         at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
>         at java.security.Signature.getInstance(Signature.java:403)
>         at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
>         at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
>         ... 56 more
> |#]
>
> [#|2017-03-21T14:42:59.584+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: 0ed1fc43-f42b-4622-ae4f-99fba7304288; CLIENT_IP: 127.0.0.1; REQUEST_FULLURL: http://localhost:8080/signserver/process?workerName=TimeStampSigner; RequestTime: 1490103779263; ResponseTime: 15; TimeStamp: 1490103779445; TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: 4569cf4ec5c6cd9c; TSA_POLICYID: 1.2.250.1.302.2.1.1.0; SIGNER_CERT_SERIALNUMBER: 6cc9d2ed368a8e4d; SIGNER_CERT_ISSUERDN: CN=TEST - SIGN2 TEST CA,OU=794513986,O=TEST,L=CAEN,ST=CALVADOS,C=FR; TIMESTAMPREQUEST_ENCODED: MCwCAQEwITAJBgUrDgMCGgUABBQAAAAAAAAAAAAAAAAAAAAAAAAAAAIExHyg+Q==; TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN; EXCEPTION: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> |#]
>
> We use signserver 3.7.0, we are using openjdk-7 and we have installed
> the JCE package.
>
> Have we made something wrong?
> Can you help us going in the right direction?
>
> Thanks a lot
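The failure in the thread is a JCA provider mismatch: the keystore is served by the SUN provider, and when the signature lookup is pinned to that same provider there is no SHA256withRSA to be found (on a stock JDK that algorithm lives in SunRsaSign, and in Bouncy Castle once it is registered). The following diagnostic is an added example, not code from SignServer or from anyone in this thread; it only uses the standard `java.security` API, assumes a JDK 7 or later runtime, and needs no keystore file because an empty in-memory JKS store is enough to reveal which provider backs the type.

```java
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.ArrayList;
import java.util.List;

/**
 * Added diagnostic (not SignServer's own code). Lists which installed JCA
 * providers offer the keystore types and the signature algorithm from the
 * thread, then shows why pinning the signature lookup to the keystore's
 * provider fails while an unpinned lookup succeeds.
 */
public class ProviderCapabilityCheck {

    /** Names of installed providers that expose the given service type and algorithm. */
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** True if the algorithm can be obtained from exactly this provider, as a pinned lookup requires. */
    static boolean pinnedLookupWorks(String algorithm, String providerName) {
        try {
            Signature.getInstance(algorithm, providerName);
            return true;
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // Same exception class as in the thread's log: "no such algorithm: ... for provider SUN"
            return false;
        }
    }

    /** Name of the provider that actually backs a keystore of the given type. */
    static String keystoreProvider(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);   // empty in-memory store; no file or password needed
        return ks.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("KeyStore.JKS            -> " + providersFor("KeyStore", "JKS"));
        System.out.println("KeyStore.PKCS12         -> " + providersFor("KeyStore", "PKCS12"));
        System.out.println("Signature.SHA256withRSA -> " + providersFor("Signature", "SHA256withRSA"));

        String jksProvider = keystoreProvider("JKS");
        System.out.println("Provider backing a JKS keystore: " + jksProvider);

        // Pinned to the keystore's provider: reproduces the NoSuchAlgorithmException from the log.
        System.out.println("SHA256withRSA pinned to " + jksProvider + ": "
                + pinnedLookupWorks("SHA256withRSA", jksProvider));

        // Unpinned: the JCA search order finds a provider that implements it.
        Signature unpinned = Signature.getInstance("SHA256withRSA");
        System.out.println("SHA256withRSA via search order: provided by " + unpinned.getProvider().getName());
    }
}
```

Run it with `javac ProviderCapabilityCheck.java && java ProviderCapabilityCheck`. If `KeyStore.JKS` is listed only under SUN while `Signature.SHA256withRSA` is listed under other providers, the output confirms the situation Markus describes: the key's provider cannot sign with the configured algorithm, so the remedy is a keystore type served by a provider that also implements the signature (such as PKCS#12) or a different signature algorithm, exactly the two options given in the reply.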