Some certificates fail with "Error building certPath. No data available in passed DER encoded value."

Hello,

Since release 2.5 some certificates fail with "Error building
certPath. No data available in passed DER encoded value." The issuer
certificates are available and shown as valid, and Djigzo version 2.4.x
also shows the certs as valid. Any idea what could be wrong?

Regards

Andreas

No, this is new to me. Can you send me the certificates? Or are you
unable to export them?

Kind regards,

Martijn


--
DJIGZO email encryption

The certificate contains invalid data (at least invalid according to RFC
5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
7 seems to be more strict (the Virtual Appliance by default uses OpenJDK 6).

Details:

The IssuerAltName extension is defined in RFC 5280 as:

IssuerAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

So there should be at least one GeneralName if the IssuerAltName
extension is defined. The certificate in question however contains an
empty IssuerAltName sequence. This is not allowed. In Java 6, this was
silently discarded but Java 7 seems to be more strict.

For a similar report see Full Text Bug Listing.

Kind regards.

Martijn Brinkers
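The ASN.1 constraint described above (GeneralNames must contain at least one GeneralName) can be checked before the certificate ever reaches the Java certPath builder, which is what turns the opaque "No data available in passed DER encoded value" into a usable diagnostic. The following Python is an added example, not Djigzo's code: a minimal DER reader that validates an IssuerAltName Extension and names the empty GeneralNames SEQUENCE as the defect. The helper names, the `build_extension` sample builder and the sample rfc822Name `ca@example.invalid` are constructed for this example; only the OID 2.5.29.18 and the tag numbers come from RFC 5280.

```python
# Added example (not Djigzo code): decode an X.509 Extension carrying
# IssuerAltName and report *why* it is malformed.

ISSUER_ALT_NAME_OID_DER = bytes.fromhex("551d12")  # id-ce-issuerAltName, 2.5.29.18

# GeneralName CHOICE alternatives by context-specific tag number (RFC 5280 4.2.1.6)
GENERAL_NAME_TYPES = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}


def read_tlv(data, offset=0):
    """Decode one DER TLV at `offset`; return (tag, value, offset after it)."""
    if offset >= len(data):
        raise ValueError("no data available at offset %d" % offset)
    tag = data[offset]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form not supported")
    if offset + 1 >= len(data):
        raise ValueError("length byte missing")
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("value truncated: need %d bytes, have %d" % (length, len(data) - pos))
    return tag, data[pos:end], end


def read_sequence_members(value):
    """Split the contents of a SEQUENCE into its (tag, value) members."""
    members, offset = [], 0
    while offset < len(value):
        tag, member, offset = read_tlv(value, offset)
        members.append((tag, member))
    return members


def check_general_names(extn_value):
    """Validate the extnValue of IssuerAltName (GeneralNames).

    Returns ("ok", [GeneralName type names]) or ("error", reason).
    """
    try:
        tag, inner, end = read_tlv(extn_value)
        if tag != 0x30:
            return "error", "GeneralNames must be a SEQUENCE (tag 0x30), found tag 0x%02x" % tag
        if end != len(extn_value):
            return "error", "%d trailing byte(s) after GeneralNames" % (len(extn_value) - end)
        members = read_sequence_members(inner)
    except ValueError as exc:
        return "error", "DER decoding failed: %s" % exc
    if not members:
        # The defect from the thread: SIZE (1..MAX) forbids an empty SEQUENCE.
        return "error", "GeneralNames SEQUENCE is empty; RFC 5280 requires SIZE (1..MAX)"
    types = []
    for tag, _ in members:
        if (tag & 0xC0) != 0x80 or (tag & 0x1F) not in GENERAL_NAME_TYPES:
            return "error", "tag 0x%02x is not a GeneralName CHOICE alternative" % tag
        types.append(GENERAL_NAME_TYPES[tag & 0x1F])
    return "ok", types


def check_issuer_alt_name_extension(extension_der):
    """Validate a whole Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }."""
    try:
        tag, body, end = read_tlv(extension_der)
        if tag != 0x30 or end != len(extension_der):
            return "error", "Extension must be a single SEQUENCE"
        members = read_sequence_members(body)
    except ValueError as exc:
        return "error", "DER decoding failed: %s" % exc
    if not members or members[0][0] != 0x06:
        return "error", "extnID OBJECT IDENTIFIER missing"
    if members[0][1] != ISSUER_ALT_NAME_OID_DER:
        return "error", "extnID is not id-ce-issuerAltName"
    rest = members[1:]
    if rest and rest[0][0] == 0x01:  # optional BOOLEAN critical
        rest = rest[1:]
    if len(rest) != 1 or rest[0][0] != 0x04:
        return "error", "extnValue OCTET STRING missing or extra members present"
    return check_general_names(rest[0][1])


def der(tag, value):
    """Encode a TLV with short- or long-form DER length (sample-building helper)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value


def build_extension(general_name_tlvs):
    """Build a constructed (not real-world) IssuerAltName Extension from GeneralName TLVs."""
    general_names = der(0x30, b"".join(general_name_tlvs))
    return der(0x30, der(0x06, ISSUER_ALT_NAME_OID_DER) + der(0x04, general_names))


# Constructed samples: a conforming extension and the empty one from the thread.
VALID_EXTENSION = build_extension([der(0x81, b"ca@example.invalid")])  # [1] rfc822Name
EMPTY_EXTENSION = build_extension([])  # GeneralNames ::= SEQUENCE {}  (invalid)

if __name__ == "__main__":
    for label, ext in (("valid", VALID_EXTENSION), ("empty", EMPTY_EXTENSION)):
        print(label, check_issuer_alt_name_extension(ext))
```

Running a check like this on an imported certificate's extensions, before handing it to the JDK, gives the operator the "pointer to what is invalid" that the built-in exception lacks; the parser is deliberately strict (no trailing bytes, no unknown CHOICE tags), matching the OpenJDK 7 behaviour rather than the lenient OpenJDK 6 one.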



I see, so the real "fix" would be to get a more obvious error message
in Djigzo? If the certificate is invalid, Djigzo is right to say so,
but a pointer to *what* is invalid would be great. And BTW there is no
need for additional Djigzo workarounds, as it is still possible to add
such certificates to the CTL.

Many Thanks

Andreas

On 06/02/2013 09:42 PM, lst_hoe02(a)kwsoft.de wrote:

I see, so the real "fix" would be to get a more obvious error message in
Djigzo? If the certificate is invalid, Djigzo is right to say so, but a
pointer to *what* is invalid would be great.

The problem is that the exception is thrown somewhere deep within a Java
class. The information which is shown is the information which is
available. Because I analysed the certificate manually (using a Java
test and an ASN.1 dump) I know why the certificate is not valid.

And BTW there is no need for additional Djigzo workarounds, as it is
still possible to add such certificates to the CTL.

You are right. I didn't think about this workaround :)

Kind regards,

Martijn
