0

I'm trying to import a certificate that I've recently installed in Windows into Java to use with xades4j. Unfortunately, I'm pretty new when it comes to certificates and keys and all that.

Every time I run the program however, I get the following error:

>xades4j.verification.UnexpectedJCAException: The keystore couldn't be initialized
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:179)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.getSigningCertificateChain(KeyStoreKeyingDataProvider.java:189)
    at xades4j.production.SignerBES.sign(SignerBES.java:159)
    at xades4j.production.SignerBES.sign(SignerBES.java:130)
    at com.logic.test.signBes(test.java:138)
    at com.logic.test.<init>(test.java:80)
    at com.view.FrmMenu.<init>(FrmMenu.java:41)
    at com.view.FrmMenu$9.run(FrmMenu.java:289)
    at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
    at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
    at java.awt.EventQueue.access$500(EventQueue.java:97)
    at java.awt.EventQueue$3.run(EventQueue.java:709)
    at java.awt.EventQueue$3.run(EventQueue.java:703)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
    at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
    at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
    at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.security.KeyStoreException: KeyStore instantiation failed
    at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1862)
    at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:175)
    ... 21 more
Caused by: java.io.IOException: DER input, Integer tag error
    at sun.security.util.DerInputStream.getInteger(DerInputStream.java:192)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1940)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at java.security.KeyStore$Builder$FileBuilder$1.run0(KeyStore.java:1848)
    at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1807)
    at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1796)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1858)
    ... 22 more
>

I need to sign an XML document with the XaDeS-BES format. I have imported a key (or certificate?) from disc, and it is in the Windows Trusted Root Certification Authorities certificates. I exported it onto the root of the C drive from the Windows Certificate Manager (certmgr.msc).

I found one post on this website that mentioned trying the following to initialize the KeyStore:

KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(null, null);

Unfortunately, there was no change.

The code that I used, based off of the example wiki:

private static final String CERT_FOLDER = "C:/";
private static final String CERT        = "testkey.cer";

private static final String PASS        = "test1234"; //the same in cert and keystorage
private static final String SIGNED      = "persistent/xml/001-001-000000000new1.xml";
private static final String DOCUMENT    = "persistent/xml/001-001-000000000.xml";

private static void signBes() throws Exception {
    Document doc = DocumentBuilderFactory
            .newInstance()
            .newDocumentBuilder()
            .parse(new File(DOCUMENT));
    Element elem = doc.getDocumentElement();
    DOMHelper.useIdAsXmlId(elem);

    KeyingDataProvider kdp = new FileSystemKeyStoreKeyingDataProvider(
            "pkcs12",
            CERT_FOLDER + CERT,
            new FirstCertificateSelector(),
            new DirectPasswordProvider(PASS),
            new DirectPasswordProvider(PASS),
            true);
    DataObjectDesc obj = new DataObjectReference("#" + elem.getAttribute("Id"))
            .withTransform(new EnvelopedSignatureTransform());
    SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj);

//        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
//        ks.load(null, null);

    XadesSigner signer = new XadesBesSigningProfile(kdp).newSigner();
    signer.sign(dataObjs, elem);

    TransformerFactory tFactory = TransformerFactory.newInstance();
    Transformer transformer = tFactory.newTransformer();
    DOMSource source = new DOMSource(doc);        
    StreamResult result = new StreamResult(new File(SIGNED));
    transformer.transform(source, result);
}

Thank you for any and all help.

chessplayerjames
  • 83
  • 1
  • 5

2 Answers2

2

To execute a signing operation you need a key/certificate pair, namely a PKCS12 container. On Windows, that pair is usually a .pfx or .p12 file. I'm no sure what the problem is, but here are some considerations that may help you:

  • A certificate that is used for signing is usually a "personal" certificate, not a trusted authority root certificate.
  • A root certificate is one that belongs to an entity that usually emits certificates to other subjects.
  • Part of the process of validating a certificate is to establish a trust chain from the subject's certificate up to a root certificate. On Windows, the trusted root certificates are on the store you mentioned: "Windows Trusted Root Certification Authorities". Your signing certificate probably shouldn't be there.
  • Since you are doing a sign operation (for a BES signature) and using FileSystemKeyStoreKeyingDataProvider the trust chain is actually less relevant. It becomes relevant when you verify the signature.
  • From you code it seems that you have a certificate-only file (.cer). I don't know how you got the certificate in the first place, but is should have been supplied along with a key, probably bundled in a .pfx file protected with a password.
  • When creating the FileSystemKeyStoreKeyingDataProvider you should pass the PKCS12 file (e.g. the .pfx)
  • If you have the certificate installed in some other Windows store, try exporting it with the key (if it is possible; depends on how it was imported in the first place).

Hope this helps.

lgoncalves
  • 2,040
  • 1
  • 14
  • 12
0

In my case, the password was wrong

EdwinCab
  • 361
  • 1
  • 3
  • 17