From: Arnaud D. <arn...@gm...> - 2017-04-13 13:25:43
Thanks Markus, it works with PKCS#12. Have a good day!

2017-04-09 21:26 GMT+02:00 Markus Kilås <ma...@pr...>:

> On 03/21/2017 04:00 PM, Arnaud Defos wrote:
> > Hi,
> >
> > Thanks Markus, it works.
>
> Hi Arnaud,
>
> > I now try to use JKS instead of P12.
>
> Any reason why you want to use JKS instead of PKCS#12?
>
> > We have a JKSCryptoToken which seems to work fine with this
> > configuration:
> >
> > GLOB.WORKERGENID1.CLASSPATH=org.signserver.server.signers.CryptoWorker
> > GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.KeystoreCryptoToken
> > WORKERGENID1.NAME=CryptoJKS
> > WORKERGENID1.KEYSTORETYPE=JKS
> > WORKERGENID1.KEYSTOREPATH=/opt/signserver/keystore.jks
> > WORKERGENID1.KEYSTOREPASSWORD=foobar
> > WORKERGENID1.DEFAULTKEY=test
> >
> > The TimestampWorker configuration looks like:
> >
> > GLOB.WORKERGENID1.CLASSPATH=org.signserver.module.tsa.TimeStampSigner
> > WORKERGENID1.NAME=TimeStampSigner
> > WORKERGENID1.AUTHTYPE=NOAUTH
> > WORKERGENID1.CRYPTOTOKEN=CryptoJKS
> > WORKERGENID1.DEFAULTTSAPOLICYOID=1.1.1.1
> > WORKERGENID1.SIGNATUREALGORITHM=SHA256WithRSA
> > WORKERGENID1.DEFAULTKEY=my-key
> >
> > We upload the signercert and signercertchain to the TimeStampSigner
> > without problem.
> >
> > The getstatus command shows:
> >
> > Current version of server is : SignServer CE 3.7.0
> > Status of CryptoWorker with id 1 (CryptoJKS) is:
> > Worker status : Active
> > Token status : Active
> >
> > Status of Signer with id 2 (PDFSigner) is:
> > Worker status : Active
> > Token status : Active
> >
> > Status of Signer with id 3 (TimeStampSigner) is:
> > Worker status : Active
> > Token status : Active
> > Signings : 0
> >
> > But when we use the following command to test that the setup is correct:
> >
> > bin/signclient timestamp http://localhost:8080/signserver/process?workerName=TimeStampSigner
> >
> > the result is:
> >
> > Exception in thread "main" org.signserver.cli.spi.UnexpectedCommandFailureException: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
> >         at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:343)
> >         at org.signserver.cli.CommandLineInterface.execute(CommandLineInterface.java:97)
> >         at org.signserver.client.cli.ClientCLI.main(ClientCLI.java:45)
> > Caused by: java.io.IOException: Server returned HTTP response code: 500 for URL: http://localhost:8080/signserver/process?workerName=TimeStampSigner
> >         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1676)
> >         at org.signserver.client.cli.defaultimpl.TimeStampCommand.tsaRequest(TimeStampCommand.java:676)
> >         at org.signserver.client.cli.defaultimpl.TimeStampCommand.run(TimeStampCommand.java:364)
> >         at org.signserver.client.cli.defaultimpl.TimeStampCommand.execute(TimeStampCommand.java:335)
> >         ... 2 more
> >
> > and the logs show:
> >
> > [#|2017-03-21T14:42:59.564+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [TimeStampSigner] OperatorCreationException:
> > org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
>
> I believe this issue is because Bouncy Castle does not support JKS
> keystores (at least not previously?), so the provider used is the SUN
> provider, which apparently does not support the SHA256withRSA algorithm.
>
> So either you have to use a different signature algorithm (probably not
> wanted) or use a different keystore format such as PKCS#12.
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> >         at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
> >         at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
> >         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
> >         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
> >         at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
> >         at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
> >         at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
> >         at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >         at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
> >         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
> >         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
> >         at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >         at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
> >         at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
> >         at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
> >         at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
> >         at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
> >         at com.sun.proxy.$Proxy268.process(Unknown Source)
> >         at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
> >         at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
> >         at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> >         at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> >         at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> >         at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> >         at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> >         at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> >         at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> >         at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> >         at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> >         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> >         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> >         at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> >         at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> >         at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> >         at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> >         at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> >         at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> >         at java.lang.Thread.run(Thread.java:745)
> > Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
> >         at sun.security.jca.GetInstance.getService(GetInstance.java:100)
> >         at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
> >         at java.security.Signature.getInstance(Signature.java:403)
> >         at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
> >         at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
> >         ... 56 more
> > |#]
> >
> > [#|2017-03-21T14:42:59.566+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|ERROR [WorkerProcessImpl] SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> > org.signserver.common.SignServerException: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:286)
> >         at org.signserver.ejb.WorkerSessionBean.process(WorkerSessionBean.java:177)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at org.glassfish.ejb.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1052)
> >         at org.glassfish.ejb.security.application.EJBSecurityManager.invoke(EJBSecurityManager.java:1124)
> >         at com.sun.ejb.containers.BaseContainer.invokeBeanMethod(BaseContainer.java:5388)
> >         at com.sun.ejb.EjbInvocation.invokeBeanMethod(EjbInvocation.java:619)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >         at com.sun.ejb.EjbInvocation.proceed(EjbInvocation.java:571)
> >         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.doAround(SystemInterceptorProxy.java:162)
> >         at com.sun.ejb.containers.interceptors.SystemInterceptorProxy.aroundInvoke(SystemInterceptorProxy.java:144)
> >         at sun.reflect.GeneratedMethodAccessor100.invoke(Unknown Source)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:606)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeInterceptor.intercept(InterceptorManager.java:861)
> >         at com.sun.ejb.containers.interceptors.AroundInvokeChainImpl.invokeNext(InterceptorManager.java:800)
> >         at com.sun.ejb.containers.interceptors.InterceptorManager.intercept(InterceptorManager.java:370)
> >         at com.sun.ejb.containers.BaseContainer.__intercept(BaseContainer.java:5360)
> >         at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:5348)
> >         at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:214)
> >         at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:88)
> >         at com.sun.proxy.$Proxy268.process(Unknown Source)
> >         at org.signserver.web.GenericProcessServlet.processRequest(GenericProcessServlet.java:487)
> >         at org.signserver.web.GenericProcessServlet.doPost(GenericProcessServlet.java:374)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:770)
> >         at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1542)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:281)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >         at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:655)
> >         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:595)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
> >         at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:331)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:231)
> >         at com.sun.enterprise.v3.services.impl.ContainerMapper$AdapterCallable.call(ContainerMapper.java:317)
> >         at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:195)
> >         at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:849)
> >         at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:746)
> >         at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:1045)
> >         at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:228)
> >         at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:137)
> >         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:104)
> >         at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:90)
> >         at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:79)
> >         at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:54)
> >         at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:59)
> >         at com.sun.grizzly.ContextTask.run(ContextTask.java:71)
> >         at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:532)
> >         at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:513)
> >         at java.lang.Thread.run(Thread.java:745)
> > Caused by: org.signserver.common.SignServerException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:600)
> >         at org.signserver.ejb.WorkerProcessImpl.process(WorkerProcessImpl.java:282)
> >         ... 52 more
> > Caused by: org.bouncycastle.operator.OperatorCreationException: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> >         at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown Source)
> >         at org.signserver.module.tsa.TimeStampSigner.getTimeStampTokenGenerator(TimeStampSigner.java:753)
> >         at org.signserver.module.tsa.TimeStampSigner.processData(TimeStampSigner.java:477)
> >         ... 53 more
> > Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SHA256WITHRSA for provider SUN
> >         at sun.security.jca.GetInstance.getService(GetInstance.java:100)
> >         at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
> >         at java.security.Signature.getInstance(Signature.java:403)
> >         at org.bouncycastle.jcajce.ProviderJcaJceHelper.createSignature(Unknown Source)
> >         at org.bouncycastle.operator.jcajce.OperatorHelper.createSignature(Unknown Source)
> >         ... 56 more
> > |#]
> >
> > [#|2017-03-21T14:42:59.584+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=92;_ThreadName=Thread-2;|INFO [IWorkerLogger] AUDIT; DefaultTimeStampLogger; LOG_ID: 0ed1fc43-f42b-4622-ae4f-99fba7304288; CLIENT_IP: 127.0.0.1; REQUEST_FULLURL: http://localhost:8080/signserver/process?workerName=TimeStampSigner; RequestTime: 1490103779263; ResponseTime: 15; TimeStamp: 1490103779445; TimeSource: LocalComputerTimeSource; PKIStatus: ${TSA_PKISTATUS}; PKIFailureInfo: ${TSA_PKIFAILUREINFO}; SerialNumber: 4569cf4ec5c6cd9c; TSA_POLICYID: 1.2.250.1.302.2.1.1.0; SIGNER_CERT_SERIALNUMBER: 6cc9d2ed368a8e4d; SIGNER_CERT_ISSUERDN: CN=TEST - SIGN2 TEST CA,OU=794513986,O=TEST,L=CAEN,ST=CALVADOS,C=FR; TIMESTAMPREQUEST_ENCODED: MCwCAQEwITAJBgUrDgMCGgUABBQAAAAAAAAAAAAAAAAAAAAAAAAAAAIExHyg+Q==; TSA_TIMESTAMPRESPONSE_ENCODED: ${TSA_TIMESTAMPRESPONSE_ENCODED}; ARCHIVE_IDS: ${ARCHIVE_IDS}; PURCHASED: ${PURCHASED}; TSA_EXCEPTION: cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN; EXCEPTION: SignServerException calling signer with id 3 : cannot create signer: no such algorithm: SHA256WITHRSA for provider SUN
> > |#]
> >
> > We use SignServer 3.7.0 on OpenJDK 7, and we have installed the JCE package.
> >
> > Have we done something wrong?
> > Can you help us go in the right direction?
> >
> > Thanks a lot
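An added example, not SignServer's code and not posted in the thread, that reproduces the provider mismatch Markus describes and applies the fix he suggests in one step. It loads a JKS keystore (served by the JDK's SUN provider), checks whether that provider can build a SHA256withRSA Signature (it cannot; RSA signatures live in SunRsaSign and in Bouncy Castle), then copies every entry into a Bouncy Castle PKCS#12 keystore, which is the format that finally worked above with KEYSTORETYPE=PKCS12. Paths, passwords and the bcprov jar name are command-line and classpath assumptions; the code also assumes the JKS key entries are protected with the store password, which is keytool's default when -keypass is not given.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Enumeration;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example, not part of SignServer: shows why a JKS-backed token ends up
 * asking the SUN provider for SHA256withRSA, and converts the JKS into a
 * Bouncy Castle PKCS#12 keystore that can be used with KEYSTORETYPE=PKCS12.
 *
 * Usage (paths, passwords and jar name are hypothetical):
 *   java -cp .:bcprov-jdk15on.jar JksToPkcs12 \
 *        /opt/signserver/keystore.jks foobar /opt/signserver/keystore.p12 foobar
 *
 * keytool performs the same conversion without any code:
 *   keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS \
 *           -destkeystore keystore.p12 -deststoretype PKCS12
 */
public class JksToPkcs12 {

    /** True if the provider that served a keystore can also build a SHA256withRSA Signature. */
    static boolean canSignSha256WithRsa(Provider provider) {
        try {
            Signature.getInstance("SHA256withRSA", provider);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // this is the "no such algorithm: SHA256WITHRSA for provider SUN" case
        }
    }

    /** Copies all key and trusted-certificate entries of src into dst; key entries are re-protected with dstPass. */
    static int copyEntries(KeyStore src, char[] srcKeyPass, KeyStore dst, char[] dstPass) throws Exception {
        int copied = 0;
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, srcKeyPass);
                Certificate[] chain = src.getCertificateChain(alias);
                dst.setKeyEntry(alias, key, dstPass, chain);
                copied++;
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
                copied++;
            }
        }
        return copied;
    }

    static void report(KeyStore ks) {
        Provider p = ks.getProvider();
        System.out.printf("%-6s keystore served by provider %-4s -> SHA256withRSA available: %b%n",
                ks.getType(), p.getName(), canSignSha256WithRsa(p));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: JksToPkcs12 <in.jks> <jks-password> <out.p12> <p12-password>");
            System.exit(2);
        }
        char[] jksPass = args[1].toCharArray();
        char[] p12Pass = args[3].toCharArray();

        // TimeStampSigner builds its ContentSigner through Bouncy Castle's
        // JcaContentSignerBuilder, so BC has to be registered as a JCA provider.
        Security.addProvider(new BouncyCastleProvider());

        // A "JKS" KeyStore is served by the SUN provider, which offers message digests
        // but no RSA signatures; reusing that provider for signing is what fails.
        KeyStore jks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            jks.load(in, jksPass);
        }
        report(jks);

        // A PKCS#12 KeyStore obtained from BC is served by BC, which does implement SHA256withRSA.
        KeyStore p12 = KeyStore.getInstance("PKCS12", BouncyCastleProvider.PROVIDER_NAME);
        p12.load(null, null);   // start from an empty store
        report(p12);

        // Assumption: JKS key entries use the store password (keytool's default without -keypass).
        int n = copyEntries(jks, jksPass, p12, p12Pass);
        try (OutputStream out = new FileOutputStream(args[2])) {
            p12.store(out, p12Pass);
        }
        System.out.println("Copied " + n + " entries to " + args[2]
                + "; point KEYSTOREPATH at it and set KEYSTORETYPE=PKCS12.");
    }
}
```

The two report lines make the root cause visible before anything is converted: the JKS store reports provider SUN with SHA256withRSA unavailable, the PKCS#12 store reports provider BC with it available. Changing SIGNATUREALGORITHM would only work around the missing RSA implementation in SUN, so converting the keystore, as the thread concluded, is the cleaner fix.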