Java, JDK 1.4.2_16, Certificate chaining error (keystore, truststore)

Hi experts

I have generated a web service stub client using Eclipse (just downloaded the newest version).

My problem is that I have to use a https connection, hence I need to install a GlobalSign Certificate into my java Keytool.
I tried to follow the guideline from http://www.globalsign.com/support/code-signing/codesign_sunjava.html
however I cannot see how I can fulfill it since the "CN" parameter including my email is not accepted?

Here is what I have done so far:

%java_home%\bin\keytool -genkey -alias codesigncert -keypass changeit -keyalg RSA -keysize 1024 -dname "CN=localhost,O=telmore" -keystore codesignstore -storepass changeit
%java_home%\bin\keytool -certreq -v -alias codesigncert -file codesigncsr.pem -keystore codesignstore
Enter keystore password:  changeit
Enter key password for <codesigncert>changeit

C:\>more codesigncsr.pem
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBZTCBzwIBADAmMRAwDgYDVQQKEwd0ZWxtb3JlMRIwEAYDVQQDEwlsb2NhbGhvc3QwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMkYzu0vrhzNrROwfYFroAPZpBDxBeDVSfr09HZD2dVBe/kD
Hp7CkocGBREH0y3QCDu6stcRMdtGBfGthu9kTrtsgy8vof5S3lKYEOa5weMjQxHFAbL9ss8Ia2Zj
EF0KCUJDzk27AdW01PNmIDs4fXfz76kDWSe3z4hFQvkASRyXAgMBAAGgADANBgkqhkiG9w0BAQQF
AAOBgQCEwuZoaFEliDJdcO83My0tFlqIpBbo9OJCn0kJbQ6yxVb+WJotI4MhnjVdY4S1hIPRbbsf
mWJczmgxFcQzbS7Vn8FddF2euhchIySnSSWVkO8I371iYl601dJ4Vqf9Zb9IQhSeF/iwrJ1P4GEt
gpBBJFXAb8F30M4Ba85k/WKNGw
-----END NEW CERTIFICATE REQUEST-----

C:\>%java_home%\bin\keytool -printcert -v -file codesigncsr.pem

sun.security.pkcs.ParsingException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
        at sun.security.pkcs.PKCS7.<init>(PKCS7.java:68)
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
        at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
        at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
        at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1021)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:539)
        at sun.security.tools.KeyTool.run(KeyTool.java:124)
        at sun.security.tools.KeyTool.main(KeyTool.java:118)
Caused by: java.io.IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:134)
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:250)
        at sun.security.pkcs.ContentInfo.<init>(ContentInfo.java:117)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
        at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
        ... 8 more
keytool error: java.lang.Exception: Failed to parse input

When I execute the java program I get the following exception:

nested exception is:
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error


Please help me with getting the VM to accept the certification (so that I can execute the program).
mhci_nneAsked:
adrpoCommented:

Hi,

I believe what you do wrong is using -certreq to create a certificate signing request:
http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html#certreqCmd
The result of running keytool with -certreq should be sent to a certificate authority to be signed. I think you don't want that.

I believe that you will need to sign your certificate yourself (self signed) instead of
using -certreq:
keytool -selfcert -alias mine -keystore some_keystore

More here:
http://java.sys-con.com/read/216388.htm

If you can give more information on what plugin you were using to create the
web application we might be able to help you more.

Cheers,
za-k/



keytool -genkey -keystore some_keystore -alias mine 
keytool -selfcert -alias mine -keystore some_keystore
keytool -list -keystore some_keystore

0
mhci_nneAuthor Commented:
Hi za-k

Thanks for your reply.
When I asked the question I was a little confused about client truststores, but all I needed was to make and import ..... to make it work. Unfortunately I have only made it work on JDK 1.5 and higher, but I need it to work on jdk1.4.2_16, which means that I need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2, see http://java.sun.com/j2se/1.4.2/download.html

I downloaded the file 1201615856781-integrated.jnlp and made sure the following line is included in the java.security file (which is located at C:\java\j2sdk1.4.2_16\jre\lib\security)

security.provider.4=com.sun.crypto.provider.SunJCE

My problem is that I need help with making it work.
Does anyone know what I should do?

/Michael
0
mhci_nneAuthor Commented:
Hi Experts,

By the way I have followed the readme file and done the following:

Here are the installation instruction:

1)  Download the unlimited strength JCE policy files.

2)  Uncompress and extract the downloaded file.

    This will create a subdirectory called jce.
    This directory contains the following files:

        README.txt            This file
        COPYRIGHT.html        Copyright information
        local_policy.jar      Unlimited strength local policy file
        US_export_policy.jar  Unlimited strength US export policy file

3)  Install the unlimited strength policy JAR files.

      To utilize the encryption/decryption functionalities of
      the JCE framework without any limitation, first make a copy of
      the original JCE policy files (US_export_policy.jar and
      local_policy.jar in the standard place for JCE
      jurisdiction policy JAR files) in case you later decide
      to revert to these "strong" versions. Then replace the strong
      policy files with the unlimited strength versions extracted in the
      previous step.

    The standard place for JCE jurisdiction policy JAR files is:

        <java-home>\lib\security         [Win32]
        <java-home>/lib/security         [Solaris]

BR. Michael
0
mhci_nneAuthor Commented:
Sorry to tell you that I still get the following error in Eclipse using JDK1.4.2_16

nested exception is:
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error
thus the new US_export_policy.jar & the local_policy.jar don't seem to make any difference

Please Help

BR. Michael
0
mhci_nneAuthor Commented:
Hi Experts

I forgot to update this thread. The problem wasn't the installation of the Java Cryptography Extension (JCE). The provider was not sending the certificate chain correctly.
Certificate1... Certificate2... RootCertificate ....Certificate3....

In JDK1.4.2 it has to be like this:
Certificate1... Certificate2... Certificate3....RootCertificate

Problem solved :-)
0
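
The ordering problem described in the last post can be checked mechanically. The following is an added example, not code from the thread: it compares each certificate's issuer name with the next certificate's subject name and reports where the list stops being leaf-to-root. The class and method names are hypothetical, and the sample names assume Certificate1 is the server certificate and each certificate is issued by the next higher number.

```java
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ChainOrderCheck {
    // Turns a real chain, in the order the server sent it, into {subjectDN, issuerDN} pairs.
    static String[][] names(X509Certificate[] sent) {
        String[][] out = new String[sent.length][];
        for (int i = 0; i < sent.length; i++) {
            out[i] = new String[] { sent[i].getSubjectX500Principal().getName(),
                                    sent[i].getIssuerX500Principal().getName() };
        }
        return out;
    }
    // Index of the first certificate whose issuer is not the subject of the
    // certificate that follows it, or -1 if the list runs leaf-to-root.
    static int firstBreak(String[][] chain) {
        for (int i = 0; i + 1 < chain.length; i++) {
            if (!chain[i][1].equals(chain[i + 1][0])) return i;
        }
        return -1;
    }
    // Rebuilds leaf-to-root order by following issuer -> subject links from entry 0.
    // Name matching only: this diagnoses ordering, it does not verify signatures.
    static List<String> reorder(String[][] chain) {
        List<String> ordered = new ArrayList<String>();
        String[] cur = chain.length > 0 ? chain[0] : null;
        while (cur != null && ordered.size() < chain.length) {
            ordered.add(cur[0]);
            String[] next = null;
            for (String[] c : chain) {
                if (c != cur && c[0].equals(cur[1])) { next = c; break; }
            }
            cur = next; // null once the self-signed root (or a gap) is reached
        }
        return ordered;
    }
    public static void main(String[] args) {
        // Constructed names mirroring the order reported in the thread.
        String[][] sent = {
            {"CN=Certificate1", "CN=Certificate2"},
            {"CN=Certificate2", "CN=Certificate3"},
            {"CN=RootCertificate", "CN=RootCertificate"},
            {"CN=Certificate3", "CN=RootCertificate"},
        };
        System.out.println("first break at index " + firstBreak(sent));
        System.out.println("expected order: " + reorder(sent));
    }
}
```

For a live connection, the array passed to `X509TrustManager.checkServerTrusted` is the chain in the order the server sent it and can be fed through `names` before calling `firstBreak`.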
