Closed: carher closed this 3 years ago
Further investigation into this: As the stacktrace suggests, it is the OCSPRule that fails during the validation. And the exception occurs in this class, in the pkix-ocsp library included by no.difi.commons.commons-certvalidator: https://github.com/klakegg/pkix-ocsp/blob/master/src/main/java/net/klakegg/pkix/ocsp/AbstractOcspClient.java
If I start editing libraries and in commons-certvalidator remove OCSPType from the list of rules, I can get Oxalis up and running fine. That's not how we wish to solve the issue, though...
What actually fails in AbstractOcspClient.java is the first of these lines:

    DERTaggedObject location = (DERTaggedObject) obj.getObjectAt(1);
    if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
        DEROctetString uri = (DEROctetString) location.getObject();
        return URI.create(new String(uri.getOctets()));
    }
It seems that for some reason, our test certificate gives a DLTaggedObject instead of a DERTaggedObject. It also seems that it should be possible to extract a URI from a DLTaggedObject. But then I wonder if we should really change the code of pkix-ocsp and go through the cascade of releases/updates versions of dependencies ending up in Oxalis, or if there is something else that is the problem here? Could it be something related to our Access Point certificate? It should be a standard certificate ordered through the standard OpenPEPPOL channels, though. And why are we the only ones reporting this problem? Could this be a configuration issue we have overlooked, or are not aware of?
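One way to read the OCSP responder URI from AIA without the concrete-class cast that fails in the trace above, written as an added example (it is not code from pkix-ocsp, commons-certvalidator or Oxalis). It goes through BouncyCastle's own AuthorityInformationAccess, AccessDescription and GeneralName model classes, whose getInstance() methods accept whichever ASN1TaggedObject subclass (DER, DL or BER) the parser produced, so the result does not depend on which bcprov version decoded the certificate. The class name OcspUriDetector, the method detectOcspUri, the sample AIA structure and its example.test hostnames are this example's own assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.security.cert.X509Certificate;

import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;

// Added example, not code from pkix-ocsp, commons-certvalidator or Oxalis.
public class OcspUriDetector {

    /**
     * Returns the first id-ad-ocsp URI found in a decoded AIA extension value
     * (the bytes inside the extension's OCTET STRING), or null if there is none.
     */
    public static URI detectOcspUri(byte[] aiaExtensionValue) throws IOException {
        ASN1Primitive parsed;
        try (ASN1InputStream in = new ASN1InputStream(aiaExtensionValue)) {
            parsed = in.readObject();
        }
        // getInstance() takes the decoded sequence whatever concrete classes
        // (DER*, DL* or BER*) this bcprov version produced while parsing.
        AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance(parsed);

        for (AccessDescription description : aia.getAccessDescriptions()) {
            if (!X509ObjectIdentifiers.id_ad_ocsp.equals(description.getAccessMethod())) {
                continue; // e.g. id-ad-caIssuers, not an OCSP responder
            }
            GeneralName location = description.getAccessLocation();
            // Decide on the GeneralName tag number, never on the tagged object's class.
            if (location.getTagNo() == GeneralName.uniformResourceIdentifier) {
                String uri = DERIA5String.getInstance(location.getName()).getString();
                return URI.create(uri);
            }
        }
        return null;
    }

    /** Convenience overload: unwraps the OCTET STRING returned by getExtensionValue(). */
    public static URI detectOcspUri(X509Certificate certificate) throws IOException {
        byte[] wrapped = certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (wrapped == null) {
            return null; // no AIA extension at all; the caller decides whether that is fatal
        }
        return detectOcspUri(ASN1OctetString.getInstance(wrapped).getOctets());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample AIA with a CA-issuers entry first and the OCSP entry second;
        // the example.test hostnames are placeholders, not PEPPOL infrastructure.
        AuthorityInformationAccess sample = new AuthorityInformationAccess(new AccessDescription[] {
            new AccessDescription(X509ObjectIdentifiers.id_ad_caIssuers,
                new GeneralName(GeneralName.uniformResourceIdentifier, "http://ca.example.test/ca.cer")),
            new AccessDescription(X509ObjectIdentifiers.id_ad_ocsp,
                new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.test"))
        });
        // Round-trip through DER so the parser, not the constructor, builds the objects.
        System.out.println("OCSP responder: " + detectOcspUri(sample.getEncoded()));
    }
}
```

The point of the round trip in main is that the objects handed to detectOcspUri come from ASN1InputStream, the same path a certificate read from a keystore takes, so the code is exercised against whatever tagged-object class the installed bcprov chooses rather than the DERTaggedObject the constructor builds.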
I think you might have multiple dependencies to (incompatible) BouncyCastle (BC) packages ..
Yes, good observation.
Since we use maven-enforcer-plugin, we discovered that both 1.57 and 1.58 were included in the dependency tree. We tried excluding one version at a time, but couldn't see any difference in behaviour, though.
Interestingly, the solution was actually specifying which exact versions to include. This is what eventually worked for us:
bcmail-jdk15on-1.57.jar bcpkix-jdk15on-1.58.jar bcprov-jdk15on-1.58.jar
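An added check for the situation described above (not Oxalis or commons-certvalidator code): when excluding one BouncyCastle version seems to change nothing, list every bcprov copy the class loader can see and report which one actually supplied the loaded class. The class name BouncyCastleClasspathCheck is this example's own; it only uses java.lang, java.net and java.security, plus the BouncyCastleProvider class that every bcprov jar ships.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example, not Oxalis code.
public class BouncyCastleClasspathCheck {

    // A class that every bcprov-jdk15on jar contains, used as the probe resource.
    static final String PROBE_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String PROBE_RESOURCE = PROBE_CLASS.replace('.', '/') + ".class";

    /** All locations offering the probe class, in the loader's search order. */
    public static List<URL> visibleCopies(ClassLoader loader) throws IOException {
        Enumeration<URL> urls = loader.getResources(PROBE_RESOURCE);
        return Collections.list(urls);
    }

    /** The jar or directory the JVM actually loaded the class from, or null if unknown. */
    public static URL loadedFrom(Class<?> clazz) {
        CodeSource source = clazz.getProtectionDomain().getCodeSource();
        return source == null ? null : source.getLocation();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = Thread.currentThread().getContextClassLoader();

        List<URL> copies = visibleCopies(loader);
        System.out.println(copies.size() + " copy/copies of " + PROBE_RESOURCE + " visible:");
        for (URL url : copies) {
            System.out.println("  " + url);
        }
        if (copies.size() > 1) {
            System.out.println("WARNING: more than one bcprov on the class path; "
                + "each class resolves to the first jar in search order that contains it, "
                + "so the two versions end up mixed.");
        }

        // Which copy won for this loader, and what version it reports about itself.
        Class<?> probe = Class.forName(PROBE_CLASS, false, loader);
        System.out.println("Loaded from: " + loadedFrom(probe));
        Provider bc = new BouncyCastleProvider();
        System.out.println("Provider version: " + bc.getVersion());
    }
}
```

Run it with the application's real runtime class path (for a deployed WAR, the container's lib directory plus WEB-INF/lib), because a build tool's dependency report does not see jars that were copied into the container by hand, and a second copy there is exactly the case where excluding a Maven or Gradle dependency changes nothing.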
We got the same problem. The only difference between working and not working, was when a dependency to AS4 was included:
implementation 'network.oxalis:oxalis-as4:5.0.2'
This caused bcprov to bump version from 1.58 to 1.64. Reason unknown.
The solution we found was to ensure version 1.58. We did this by explicitly defining that version:
/// build.gradle
dependencies {
...
implementation('org.bouncycastle:bcprov-jdk15on') {
version {
strictly '1.58'
}
}
...
}
We are now up and running.
We are currently trying to upgrade our access point from using Oxalis 4.0.4 to 4.1.2. When starting up the test server, we get the following error:
{"timestamp":"2021-02-05 16:46:59,451","log_level":"ERROR","app_name":"ail-oxalis-inbound","jclass":"no.difi.oxalis.commons.guice.GuiceModuleLoader","thread":"main","log_type":"trace","payload":"Unable to detect mode.","stacktrace":"n.d.v.p.c.l.PeppolLoadingException: Unable to detect mode for certificate 'C=NO, O=SpareBank 1 Banksamarbeidet DA, OU=PEPPOL TEST AP, CN=PNO000287'.\n\tat n.d.v.p.s.ModeDetector.detect(ModeDetector.java:56)\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:74)\n\t... 64 common frames omitted\nWrapped by: n.d.o.a.l.OxalisLoadingException: Unable to detect mode.\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:78)\n\tat n.d.o.c.m.ModeProvider.get(ModeProvider.java:47)\n\tat c.g.i.i.ProviderInternalFactory.provision(ProviderInternalFactory.java:85)\n\tat c.g.i.i.BoundProviderFactory.provision(BoundProviderFactory.java:77)\n\tat c.g.i.i.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:59)\n\tat c.g.i.i.BoundProviderFactory.get(BoundProviderFactory.java:61)\n\tat c.g.i.i.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)\n\tat c.g.i.i.SingletonScope$1.get(SingletonScope.java:168)\n\tat c.g.i.i.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)\n\tat c.g.i.i.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)\n\tat c.g.i.i.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)\n\tat c.g.i.i.InternalInjectorCreator.build(InternalInjectorCreator.java:109)\n\tat c.g.inject.Guice.createInjector(Guice.java:87)\n\tat c.g.inject.Guice.createInjector(Guice.java:69)\n\tat n.d.o.c.g.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66)\n\tat n.d.o.i.OxalisGuiceContextListener.<init>(OxalisGuiceContextListener.java:45)\n\tat s.r.NativeConstructorAccessorImpl.newInstance0(NativeConstructorAccessorImpl.java)\n\tat s.r.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)\n\tat s.r.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)\n\tat j.l.r.Constructor.newInstance(Constructor.java:423)\n\tat o.e.j.s.h.ContextHandler$StaticContext.createInstance(ContextHandler.java:2784)\n\tat o.e.j.s.ServletContextHandler$Context.createInstance(ServletContextHandler.java:1280)\n\tat o.e.j.s.h.ContextHandler$StaticContext.createListener(ContextHandler.java:2795)\n\tat o.e.j.s.ListenerHolder.doStart(ListenerHolder.java:92)\n\tat o.e.j.u.c.AbstractLifeCycle.start(AbstractLifeCycle.java:72)\n\tat o.e.j.s.ServletContextHandler.startContext(ServletContextHandler.java:350)\n\tat o.e.j.w.WebAppContext.startWebapp(WebAppContext.java:1445)\n\tat o.e.j.w.WebAppContext.startContext(WebAppContext.java:1409)\n\tat o.e.j.s.h.ContextHandler.doStart(ContextHandler.java:822)\n\tat o.e.j.s.ServletContextHandler.doStart(ServletContextHandler.java:275)\n\t... 35 frames truncated\n"}
So I did some more investigation, and added a bit of logging in the source code and compiled new snapshots. We then got curious information about the underlying exception:
no.difi.vefa.peppol.security.lang.PeppolSecurityException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'.
at no.difi.vefa.peppol.security.util.DifiCertificateValidator.validate(DifiCertificateValidator.java:67)
at no.difi.vefa.peppol.security.ModeDetector.detect(ModeDetector.java:52)
at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:72)
at no.difi.oxalis.commons.mode.ModeProvider.get(ModeProvider.java:46)
at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:85)
at com.google.inject.internal.BoundProviderFactory.provision(BoundProviderFactory.java:77)
at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:59)
at com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
at com.google.inject.internal.ProviderMethod.doProvision(ProviderMethod.java:173)
at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.provision(InternalProviderInstanceBindingImpl.java:185)
at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.get(InternalProviderInstanceBindingImpl.java:162)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:42)
at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:65)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52)
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52)
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
at com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:52)
at com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:147)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:124)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109)
at com.google.inject.Guice.createInjector(Guice.java:87)
at com.google.inject.Guice.createInjector(Guice.java:69)
at no.difi.oxalis.commons.guice.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66)
at no.difi.oxalis.outbound.OxalisOutboundComponent.<init>(OxalisOutboundComponent.java:45)
at no.difi.oxalis.outbound.OxalisOutboundComponent$$FastClassByGuice$$727f1988.newInstance()
at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1050)
at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1086)
at no.sb1.peppol.oxalis.AilPersisterHandler.<init>(AilPersisterHandler.java:93)
at no.sb1.peppol.oxalis.AilPersisterHandler$$FastClassByGuice$$b2564860.newInstance()
at com.google.inject.internal.DefaultConstructionProxyFactory$FastClassProxy.newInstance(DefaultConstructionProxyFactory.java:89)
at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:306)
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:62)
at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:168)
at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:39)
at com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:211)
at com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:182)
at com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:109)
at com.google.inject.Guice.createInjector(Guice.java:87)
at com.google.inject.Guice.createInjector(Guice.java:69)
at no.difi.oxalis.commons.guice.GuiceModuleLoader.initiate(GuiceModuleLoader.java:66)
at no.difi.oxalis.inbound.OxalisGuiceContextListener.<init>(OxalisGuiceContextListener.java:45)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createInstance(ContextHandler.java:2784)
at org.eclipse.jetty.servlet.ServletContextHandler$Context.createInstance(ServletContextHandler.java:1280)
at org.eclipse.jetty.server.handler.ContextHandler$StaticContext.createListener(ContextHandler.java:2795)
at org.eclipse.jetty.servlet.ListenerHolder.doStart(ListenerHolder.java:92)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:350)
at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1445)
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1409)
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:822)
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:275)
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:524)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:46)
at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:188)
at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:513)
at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:154)
at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:173)
at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:447)
at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:66)
at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:784)
at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:753)
at org.eclipse.jetty.util.Scanner.scan(Scanner.java:641)
at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:540)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:146)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:599)
at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:249)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
at org.eclipse.jetty.server.Server.start(Server.java:407)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:100)
at org.eclipse.jetty.server.Server.doStart(Server.java:371)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$0(XmlConfiguration.java:1888)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1837)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
at org.eclipse.jetty.start.Main.start(Main.java:491)
at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: no.difi.certvalidator.api.FailedValidationException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'.
at no.difi.certvalidator.rule.OCSPRule.validate(OCSPRule.java:44)
at no.difi.certvalidator.rule.AbstractRule.validate(AbstractRule.java:24)
at no.difi.certvalidator.rule.HandleErrorRule.validate(HandleErrorRule.java:44)
at no.difi.certvalidator.rule.AbstractRule.validate(AbstractRule.java:17)
at no.difi.certvalidator.structure.AndJunction.validate(AndJunction.java:29)
at no.difi.certvalidator.structure.AbstractJunction.validate(AbstractJunction.java:36)
at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:43)
at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:13)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
at no.difi.certvalidator.structure.AbstractJunction.validate(AbstractJunction.java:36)
at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:43)
at no.difi.certvalidator.util.CachedValidatorRule.load(CachedValidatorRule.java:13)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045)
at com.google.common.cache.LocalCache.get(LocalCache.java:3951)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958)
at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4964)
at no.difi.certvalidator.util.CachedValidatorRule.validate(CachedValidatorRule.java:30)
at no.difi.certvalidator.util.CachedValidatorRule.validate(CachedValidatorRule.java:35)
at no.difi.certvalidator.structure.AndJunction.validate(AndJunction.java:29)
at no.difi.certvalidator.ValidatorGroup.validate(ValidatorGroup.java:79)
at no.difi.certvalidator.ValidatorGroup.validate(ValidatorGroup.java:70)
at no.difi.vefa.peppol.security.util.DifiCertificateValidator.validate(DifiCertificateValidator.java:63)
... 132 more
Caused by: net.klakegg.pkix.ocsp.OcspException: Exception when reading AIA: 'org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject'.
at net.klakegg.pkix.ocsp.AbstractOcspClient.detectOcspUri(AbstractOcspClient.java:95)
at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:56)
at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:49)
at net.klakegg.pkix.ocsp.OcspClient.verify(OcspClient.java:45)
at no.difi.certvalidator.rule.OCSPRule.validate(OCSPRule.java:35)
... 153 more
Caused by: java.lang.ClassCastException: org.bouncycastle.asn1.DLTaggedObject cannot be cast to org.bouncycastle.asn1.DERTaggedObject
at net.klakegg.pkix.ocsp.AbstractOcspClient.detectOcspUri(AbstractOcspClient.java:87)
... 157 more
Is this a known error? Is there something we need to do differently with Oxalis 4.1.2?