LibreSign / libresign

✍️ Nextcloud app to sign PDF documents
https://libresign.coop

NC 25.0.1+Libresign V6.1.2 error contact admin (but the signed document is created) #1165

Closed tasagore closed 1 year ago

tasagore commented 2 years ago

Hi

NC 25.0.1 and Libresign v6.1.2: I try to sign a document and, after entering the password, it shows a popup error "Internal Error. Contact with admin". The same occurs with NC24 and v.5.2.1, as described in another post.

The .signed document is created in the repository but without the QR code (it's just a copy of the original document).

Nextcloud.log only shows this:

{"reqId":"Pkg42JzATDLVEEHqQtqE","level":3,"time":"2022-11-08T14:22:23+00:00","remoteAddr":"192.168.100.20","user":"test","app":"libresign","method":"POST","url":"/index.php/apps/libresign/api/0.1/sign/uuid/9affedfe-803b-4791-b6e0-3e44c11e9b0b","message":"Error to sign PDF. [\"FINE Default property file doesn't exists.\",\"FINE Default property file doesn't exists.\",\"INFO Checking input and output PDF paths.\",\"java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:787)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1951)\",\"\tat java.security.KeyStore.load(KeyStore.java:1445)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:359)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:411)\",\"\tat net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)\",\"\tat net.sf.jsignpdf.Signer.signFiles(Signer.java:246)\",\"\tat net.sf.jsignpdf.Signer.main(Signer.java:139)\",\"Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)\",\"\tat sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253)\",\"\tat sun.security.util.DerInputStream.getOID(DerInputStream.java:281)\",\"\tat com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)\",\"\tat java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:783)\",\"\t... 7 more\",\"WARNING Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.\",\"SEVERE Problem occured\",\"java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:224)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)\",\"\tat net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)\",\"\tat net.sf.jsignpdf.Signer.signFiles(Signer.java:246)\",\"\tat net.sf.jsignpdf.Signer.main(Signer.java:139)\",\"\",\"INFO Finished: Creating of signature failed.\"]","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36","version":"25.0.1.1","data":{"app":"libresign"}}

vitormattos commented 1 year ago

Install the newest release compatible with stable25 and do a new test. If the problem persists, reopen this issue.

tasagore commented 1 year ago

No changes after upgrade, same error.

vitormattos commented 1 year ago

Check the newest release. Go to administration settings > LibreSign and check if all dependencies are OK.

tasagore commented 1 year ago

Same with v6.2.1 and NC 25.0.2, the dependencies are all ok but the document can't be signed (contact with admin). The .signed file is created, but without signature.

vitormattos commented 1 year ago

Could you update to the latest version and share your nextcloud.log from the time this error occurs?

tasagore commented 1 year ago

Upgraded to 6.2.2, the error persists, this is the log:

{"reqId":"IaK681XwU4f7uU0F5o6T","level":3,"time":"2022-12-19T15:36:12+00:00","remoteAddr":"192.168.100.20","user":"user","app":"libresign","method":"POST","url":"/index.php/apps/libresign/api/0.1/sign/uuid/66d399a8-4fdb-4a5d-9ed0-082ede83a16c","message":"Error to sign PDF. [\"FINE Default property file doesn't exists.\",\"FINE Default property file doesn't exists.\",\"INFO Checking input and output PDF paths.\",\"java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:787)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1951)\",\"\tat java.security.KeyStore.load(KeyStore.java:1445)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:359)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:411)\",\"\tat net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)\",\"\tat net.sf.jsignpdf.Signer.signFiles(Signer.java:246)\",\"\tat net.sf.jsignpdf.Signer.main(Signer.java:139)\",\"Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)\",\"\tat sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253)\",\"\tat sun.security.util.DerInputStream.getOID(DerInputStream.java:281)\",\"\tat com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)\",\"\tat java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)\",\"\tat sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:783)\",\"\t... 7 more\",\"WARNING Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.\",\"SEVERE Problem occured\",\"java.lang.NullPointerException: Keystore was not loaded succesfully. Check if the keystore type, path and password are valid.\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:224)\",\"\tat net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)\",\"\tat net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)\",\"\tat net.sf.jsignpdf.Signer.signFiles(Signer.java:246)\",\"\tat net.sf.jsignpdf.Signer.main(Signer.java:139)\",\"\",\"INFO Finished: Creating of signature failed.\"]","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15","version":"25.0.2.3","data":{"app":"libresign"}}

tasagore commented 1 year ago

Don't know if it could be important, but the test environment is under Ubuntu 22.04.1 LTS

vitormattos commented 1 year ago

Very very strange.

Is this occurring with all PDFs or only with a specific file?

Could you try to sign the same document with the same certificate using the following command? Change everything necessary to match your data. This is the command that LibreSign runs in this step, which is returning an error in your environment.

java \
    -jar JSignPdf.jar \
    document.pdf \
    -ksf digital-cert.pfx \
    -ksp 'password of digital cert' \
    -a \
    -kst PKCS12 \
    -d /destination/path/of/signed/file

Below is the same command as taken from my development environment:

/var/www/html/data/appdata_oczj2jt7c50q/libresign/java/jdk-17.0.5+8-jre/bin/java -jar /var/www/html/data/appdata_oczj2jt7c50q/libresign/jsignpdf-2.2.0/JSignPdf.jar /tmp/f014551c50f79cf65262b6312332a337.pdf -ksf /tmp/f014551c50f79cf65262b6312332a337.pfx -ksp 'password' -a -kst PKCS12 -d /tmp/ 2>&1

tasagore commented 1 year ago

Hi, sorry for the delay. Exactly the same error if I execute the command from the shell. It's in Spanish, but basically the same error "WARNING Keystore was not loaded succesfully.":

DETALLADO Default property file doesn't exists.
DETALLADO Default property file doesn't exists.
INFORMACIÓN Comprobación de rutas de PDF de entrada y salida.
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
    at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:787)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1951)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at net.sf.jsignpdf.utils.KeyStoreUtils.loadKeyStore(KeyStoreUtils.java:359)
    at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:411)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
    at net.sf.jsignpdf.Signer.main(Signer.java:139)
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
    at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253)
    at sun.security.util.DerInputStream.getOID(DerInputStream.java:281)
    at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267)
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
    at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:783)
    ... 7 more
ADVERTENCIA El almacén de claves no se cargó correctamente. Compruebe si el tipo de almacén de claves, la ruta y la contraseña son válidos.
GRAVE Ocurrió un problema
java.lang.NullPointerException: El almacén de claves no se cargó correctamente. Compruebe si el tipo de almacén de claves, la ruta y la contraseña son válidos.
    at net.sf.jsignpdf.utils.KeyStoreUtils.getKeyAliasInternal(KeyStoreUtils.java:224)
    at net.sf.jsignpdf.utils.KeyStoreUtils.getPkInfo(KeyStoreUtils.java:413)
    at net.sf.jsignpdf.SignerLogic.signFile(SignerLogic.java:154)
    at net.sf.jsignpdf.Signer.signFiles(Signer.java:246)
    at net.sf.jsignpdf.Signer.main(Signer.java:139)

INFORMACIÓN Finalizado: No se pudo crear la firma.

tasagore commented 1 year ago

BUT I guess I've found something interesting.

I've taken a look at your command and I've seen that you are using jdk-17.0.5+8-jre, but my standard LibreSign uses java-se-8u41-ri, so I've installed jdk-17.0.2, changed the path of the java binary in the command and it works ok:

FINE Default property file doesn't exists.
FINE Default property file doesn't exists.
INFO Comprobación de rutas de PDF de entrada y salida.
INFO Obtener un alias de clave
INFO Alias de clave utilizado: user
INFO Cargando clave privada
INFO Obteniendo la cadena de certificados
INFO Abriendo archivo PDF de entrada: /data/cloudwb/user/files/DOC/testpdf
INFO Creando archivo PDF de salida: /tmp/test.pdf
INFO Creando firma
INFO Establecer el nivel de certificación
INFO Procesando (puede llevar un tiempo) ...
INFO Cerrar flujo de PDF
INFO Finalizado: firma creada correctamente.

The signed document is properly created, so it's something related to the java version.

I've changed the path for the java binary in the oc_appconfig table and now it seems to work perfectly. I'm going to make more tests, but the first look seems fine.

My test environment is a clean Ubuntu 22.04 with just NC+Libresign so this error will probably affect more people.

tasagore commented 1 year ago

I've tested in two more installations that were very problematic with Libresign; with jdk-17.0.x the app seems more stable and runs without problems (both under Ubuntu 22.04 and 20.04).

vitormattos commented 1 year ago

I think that you are using an old version of Java. We already identified problems with java-se-8u41-ri/ and it was replaced by jdk-17.0.5+8-jre here: fb1e0f6f96e502bc423c9421d0183a50c09f2713

On the server where you got the problem, when you go to Administration Settings > LibreSign, what's the result of the checks? Are all green?

For now, every time the app is updated to a new version, it is good to check if everything is green in the LibreSign settings. If any dependency is replaced by a newer version, it will be possible to fix it on this page.

Thanks for your analysis and for helping to identify what happened.

tasagore commented 1 year ago

All the checks were green and the java-se-8e41-ri was downloaded from Libresign, since all the steps I did were:

1) Install clean Ubuntu 22.04
2) Install latest NC
3) Install latest Libresign
4) Install binaries from Libresign

Tested in two more servers and the downloaded version is always 8e41, don't know if it's something related to Ubuntu since all of them are 20.04/22.04.

With the jdk-17 all checks remain green, but now it works.

vitormattos commented 1 year ago

It is very strange for LibreSign to download java-se-8u41-ri when using the latest release of LibreSign. I changed to jdk-17 here https://github.com/LibreSign/libresign/commit/fb1e0f6f96e502bc423c9421d0183a50c09f2713. I checked the code of branch stable25 and the version that is downloaded is jdk-17.0.5+8-jre.

The Java version to download is hardcoded here: https://github.com/LibreSign/libresign/blob/stable25/lib/Service/InstallService.php#L192-L203

tasagore commented 1 year ago

Does it delete the old java and replace it with the new one?

tasagore commented 1 year ago

I've verified that the checks on the dependencies page don't verify the right versions of the tools. For example, I've upgraded an installation from v5 to latest; the check page shows all ok but the app does not work because cfssl is incorrect and the java version is the bad one. I manually removed the directories, reinstalled both with the occ command, and everything works fine again.

So the check page should verify that the binaries exist AND that they are the right versions; I guess that was all the problem I had.

vitormattos commented 1 year ago

@tasagore thanks for your contribution testing and analyzing this flow. I created a pull request changing the verification flow to make it possible to return an error when the java and cfssl versions are invalid.
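
The conclusion of this thread, that a dependency check has to confirm the version of a binary and not only that it exists, sketched as an added example; it is not LibreSign's code or the code from the pull request mentioned above. `MIN_JAVA_MAJOR`, the function names and the two stand-in runtimes are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: a dependency check that validates the version, not only presence.
# MIN_JAVA_MAJOR=17 is an assumption based on the jdk-17 runtime named in the thread.
MIN_JAVA_MAJOR=17

# Print the major version found in `java -version` output.
# Legacy scheme "1.8.0_41" -> 8; modern scheme "17.0.5" -> 17.
java_major() {
  local ver
  ver=$(printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
  case "$ver" in 1.*) ver=${ver#1.} ;; esac   # drop the legacy "1." prefix
  ver=${ver%%[!0-9]*}                         # keep the leading digits only
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}

# Status: 0 ok, 1 not found, 2 version unreadable, 3 older than required.
# $1 = path or command name of the java binary, $2 = minimum major (optional).
check_java() {
  local bin=$1 min=${2:-$MIN_JAVA_MAJOR} out major
  command -v "$bin" >/dev/null 2>&1 || return 1
  out=$("$bin" -version 2>&1) || true         # java prints its version on stderr
  major=$(java_major "$out") || return 2
  [ "$major" -ge "$min" ] || return 3
}

# Constructed stand-ins for the two runtimes discussed, so this runs offline.
fake_java8()  { echo 'openjdk version "1.8.0_41"' >&2; }
fake_java17() { echo 'openjdk version "17.0.5" 2022-10-18' >&2; }

demo() {
  local bin rc
  for bin in fake_java8 fake_java17 /nonexistent/bin/java; do
    check_java "$bin" && rc=0 || rc=$?
    echo "${bin##*/}: status $rc"
  done
}
demo
```

An existence-only check would report the first two entries as equally healthy; the version comparison is what separates them.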