Comments (7)
shred
commented on June 19, 2024
1
I guess that PKCS12SafeBagBuilder taCertBagBuilder = new JcaPKCS12SafeBagBuilder(chain[2]) is the line that is causing the exception.
Your buildAndGetPfx() method assumes that the certificate chain always consists of three certificates. However this is not always correct. For example, the Let's Encrypt staging server only returns two certificates (your own one, and a test root certificate). I assume you are testing against the staging server, and now your code breaks because it misses a third certificate.
Other CAs might even return a chain of four or more certificates, so you shouldn't make fixed assumptions on the number of certificates.
I would recommend you change your code so the PKCS12SafeBag is dynamically generated from all certificates that are passed in with your certs parameter.
from acme4j.
shred
commented on June 19, 2024
1
The code is looking good, except that you don't set a pkcs_9_at_friendlyName any more. I don't know much about PFX files, so I cannot say if this is a problem, and if the generated PFX file is generally correct. BTW, instead of the second for loop you could also do PKCS12SafeBag[] certsArray = certs.toArray(new PKCS12SafeBag[0]);.
You cannot create a org.shredzone.acme4j.Certificate resource from a file, because crucial information like the certificate URL, the certificate chain, and alternate chains would be missing. What you can do is store the location of the certificate (URL certificateUrl = certificate.getLocation()). Later you would do a login.bindCertificate(certificateUrl) to recreate the Certificate resource.
from acme4j.
Osiris-Team
commented on June 19, 2024
@shred How would that look in code?
Something like this?:
List<JcaPKCS12SafeBagBuilder> builders = new ArrayList<>();
for (X509Certificate cert :
chain) {
builders.add(new JcaPKCS12SafeBagBuilder(cert));
}
List<PKCS12SafeBag> certs = new ArrayList<>();
for (JcaPKCS12SafeBagBuilder builder :
builders) {
certs.add(builder.build());
}Edit1: This would be even faster requiring only one loop:
List<PKCS12SafeBag> certs = new ArrayList<>();
for (X509Certificate cert :
chain) {
certs.add(new JcaPKCS12SafeBagBuilder(cert).build());
}from acme4j.
Osiris-Team
commented on June 19, 2024
@shred So these
taCertBagBuilder.addBagAttribute(stuff...)dont matter at all?
from acme4j.
Osiris-Team
commented on June 19, 2024
@shred This is what I came up with:
public static PKCS12PfxPdu buildAndGetPfx(X509Certificate[] chain, PublicKey pubKey, PrivateKey privKey, char[] passwd) throws Exception{
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
List<PKCS12SafeBag> certs = new ArrayList<>();
for (X509Certificate cert :
chain) {
certs.add(new JcaPKCS12SafeBagBuilder(cert).build());
}
PKCS12SafeBag[] certsArray = new PKCS12SafeBag[certs.size()];
for (int i = 0; i < certs.size(); i++) {
certsArray[i] = certs.get(i);
}
PKCS12PfxPduBuilder pfxPduBuilder = new PKCS12PfxPduBuilder();
pfxPduBuilder.addEncryptedData(
new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC
, new CBCBlockCipher(new RC2Engine())).build(passwd)
, certsArray); // converting the certs list into an array ty using certs.toArray() didn't work :/ Thats why I used the loop above
PKCS12SafeBagBuilder keyBagBuilder = new JcaPKCS12SafeBagBuilder(privKey, new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC, new CBCBlockCipher(new DESedeEngine())).build(passwd));
keyBagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString("Eric's Key"));
keyBagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pubKey));
pfxPduBuilder.addData(keyBagBuilder.build());
return pfxPduBuilder.build(new BcPKCS12MacCalculatorBuilder(), passwd);
}from acme4j.
Osiris-Team
commented on June 19, 2024
@shred Another question. Is it possible to create a org.shredzone.acme4j.Certificate from the already existing files? Or must I order a new one every time?
from acme4j.
Osiris-Team
commented on June 19, 2024
@shred Thanks for the help!
from acme4j.
Related Issues (20)
- Getting urn:ietf:params:acme:error:unauthorized in http-01 challenge HOT 2
- Intermediate certificate required. Unable to get issuer certificate. HOT 6
- RFC8823: acme4j response does not match CA expectation HOT 8
- [Feature request / acme4j-smime] Add support for S/MIME validation HOT 16
- Create order failing with AcmeServerException without any exception message HOT 2
- Getting Unable to get local issuer certificate HOT 3
- Android: order is valid however certificate chain is not correctly downloaded HOT 19
- Allow to set a complete X500Name to CSRBuilder in addition to the single set-methods HOT 5
- [Feature request / acme4j] Allow to access delegations HOT 1
- Remove service loader mechanism HOT 3
- Did you find any provider for RFC8823 support / email-reply-00 challenges? HOT 4
- The challenge status is always "INVALID" HOT 5
- The challenge status was always "INVALID" HOT 13
- http://${domain}/.well-known/acme-challenge/${token}
- acme4j example is creating zero- length crt files HOT 10
- preferred-chain attribute, for alternate chains HOT 2
- Unable to update challenge :: authorization must be pending HOT 4
- Unable to update account message HOT 6
- Recovery from - Too many certificates already issued for exact set of domains HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acme4j.