Java 7 compatibility

[GoogleCodeExporter]

What steps will reproduce the problem?
1. Create your .p12 file according to Apple´s workflow
2. Take the Java class found in wiki: 
http://code.google.com/p/javapns/wiki/ManagingPushErrors 
3. Run with JDK 1.6 - Works correct!
4. Change JDK to 1.7 - Does not work.

What is the expected output? What do you see instead?
Expected a "Push notification sent successfully to...." But got: 

javapns.communication.exceptions.InvalidCertificateChainException: Invalid 
certificate chain (Received fatal alert: certificate_unknown)!  Verify that the 
keystore you provided was produced according to specs...
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:410)
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:350)
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:320)
    at javapns.Push.sendPayload(Push.java:177)
    at javapns.Push.alert(Push.java:47)
    at my.test.JavapnsTest.main(JavapnsTest.java:17)

What version of the product are you using? On what operating system?
Javapns 2.2. with OSX10.8.2 

Please provide any additional information below.

Original issue reported on code.google.com by johannes...@gmail.com on 7 Feb 2013 at 3:33

[GoogleCodeExporter]

Indeed, the documented requirements indicates that there are problems with SSL 
connections under Java 7.

Original comment by sype...@gmail.com on 7 Feb 2013 at 4:02

[GoogleCodeExporter]

Yes, I have read the documentation. However since both Java 5 and 6 reached EOL 
and therefore, in the best of worlds, shouldn't be used, I raised this issue to 
see if anyone did come up with a solution to this problem. Anyone?

Original comment by johannes...@gmail.com on 8 Feb 2013 at 5:44

[GoogleCodeExporter]

Original comment by sype...@gmail.com on 1 Mar 2013 at 5:17

• Changed title: Java 7 compatibility
• Changed state: Accepted
• Added labels: Priority-Low, Type-Enhancement
• Removed labels: Priority-Medium, Type-Defect

[GoogleCodeExporter]

I'd like to voice my support for Java 7 support. Basically you can run javapns 
on Google App Engine since they now support Sockets / SSL, as long as you:

1) Remove META-INF/MANIFEST.MF from the BouncyCastle
2) Deploy your project with Java6 appcfg.sh -A {appid} --use_java6 update ./war

But Google are removing Java 6 support soon, so for this to keep working it 
would be great to sort out this issue.

Original comment by j...@jameslow.com on 23 Apr 2013 at 1:00

[GoogleCodeExporter]

I'm going to keep debugging to try and figure out a fix, but I'm not an SSL or 
sockets expert, so others may habe more luck.

Original comment by j...@jameslow.com on 23 Apr 2013 at 1:01

[GoogleCodeExporter]

I recompiled javapns exposing the original exception. A more complete stack 
trace is:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1943)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1059)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:685)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:111)
    at java.io.OutputStream.write(OutputStream.java:75)
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:402)
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:350)
    at javapns.notification.PushNotificationManager.sendNotification(PushNotificationManager.java:320)
    at javapns.Push.sendPayload(Push.java:177)
    at javapns.Push.alert(Push.java:47)

Original comment by j...@jameslow.com on 23 Apr 2013 at 2:37

[GoogleCodeExporter]

Ah... this is an explicitly known difference between Java 6 and Java 7, see the 
SSL note here:

http://www.oracle.com/technetwork/java/javase/compatibility-417013.html

Original comment by j...@jameslow.com on 23 Apr 2013 at 2:41

[GoogleCodeExporter]

Sorry for all the comments, but want to keep sharing what I've discovered. I 
set the sun.security.ssl.allowUnsafeRenegotiation=true when running in Java 7 
as mentioned in the above link but it still through the same exception, so 
maybe its something else.

Original comment by j...@jameslow.com on 23 Apr 2013 at 2:56

[GoogleCodeExporter]

GOT IT WORKING!!! :)

After a day of Googling SSL issues and Java 7, I finally came across this 
article:
http://blog.palominolabs.com/2011/10/18/java-2-way-tlsssl-client-certificates-an
d-pkcs12-vs-jks-keystores/

It basically talks about issues with Java's handling of .p12 files, so I 
thought I'd give it a shot and just convert the .p12 to a .jks and give it a 
try:
keytool -importkeystore -destkeystore CERTIFICATES.jks -srckeystore 
CERTIFICATES.p12 -srcstoretype PKCS12

I've written up everything I had to do to get JavaPNS working on Google App 
Engine on my blog:
http://jameslow.com/2013/04/24/iphone-push-notifications-with-javapns-on-google-
app-engine/

Original comment by j...@jameslow.com on 24 Apr 2013 at 12:38

[GoogleCodeExporter]

Sorry one more quick note. I had to use keytool from Java 6 to covert the .p12 
to .jks. Using keytool from Java 7 creates an invalid .jks file.

Original comment by j...@jameslow.com on 24 Apr 2013 at 12:55

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

thx. jameslow
I solved this issue.  here is my solution.

first change p12 file to jks file in JDK6 environment by using keytool. james 
mentioned it above.

but it may still not work.
you have to unzip entire javaPNS source code and fix it little bit.

change source to
this(keystore, password, ConnectionToAppleServer.KEYSTORE_TYPE_JKS, production);

in JavaPNS_2.2_complete\src\javapns\feedback\AppleFeedbackServerBasicImpl.java 
and
JavaPNS_2.2_complete\src\javapns\notification\AppleNotificationServerBasicImpl.j
ava

and run method!
Push.alert(message, keystore.jks , password, true or false , devices)

it all works in JUNIT and TOMCAT (JDK 7,Junit, windows7 64, linux64)

Original comment by SongH...@gmail.com on 7 Aug 2013 at 2:25

[GoogleCodeExporter]

Yep, you have to edit the JavaPNS if you want to use the basic methods. My blog 
post explains how to instantiate the JavaPNS classes from scratch, and if you 
do that you can configure it to use JKS instead of P12,

Glad you got it working!

Original comment by j...@jameslow.com on 7 Aug 2013 at 2:32

[GoogleCodeExporter]

A simple solution is

Convert .p12 into .jks with Java6 keytool as discribed above.
But then simply use Java7!!! keytool to convert the .jks back into .p12 format 
with this command:
keytool -importkeystore -srckeystore CERTIFICATES.jks -srcstoretype JKS 
-deststoretype PKCS12 -destkeystore CERTIFICATES.p12

The new .p12 Keystore works with Java7 and Java6 and you don’t have to change 
the JavaPNS codebase.

Original comment by thomasp...@googlemail.com on 18 Nov 2013 at 11:06

[GoogleCodeExporter]

@thomasp thanks. You saved my day.

Original comment by ashishgp...@gmail.com on 21 Nov 2013 at 12:47

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

@thomasp clever, didn't think of that one!

Original comment by j...@jameslow.com on 21 Nov 2013 at 1:45

[GoogleCodeExporter]

Just to be sure, there is no other way to get it working with Java7 than using 
the Java6 keytool to convert the p12 file?

Original comment by sanderbe...@gmail.com on 17 Dec 2013 at 9:24

[GoogleCodeExporter]

In jdk 1.7 and using p12, javapns works well only when the passwd length of p12 
file must be greater than or equal 6. otherwise, the following error happens:
[[1] not transmitted to token 595d8..725bf  
javapns.communication.exceptions.InvalidCertificateChainException: Invalid 
certificate chain (Received fatal alert: certificate_unknown)!  Verify that the 
keystore you provided was produced according to specs...]

Original comment by xinqian...@gmail.com on 18 Jan 2014 at 5:25

[GoogleCodeExporter]

I have tried converting .p12 file into .jks file and again reconverting into 
.p12 file and tried to run in java 1.7 environment but I got the same error as 
follows:

[1] not transmitted to token 2b99e..99a7f  
javapns.communication.exceptions.InvalidCertificateChainException: Invalid 
certificate chain (Received fatal alert: certificate_unknown)!  Verify that the 
keystore you provided was produced according to specs...

any help will be appreciate.

Original comment by sudhakar...@gmail.com on 22 Sep 2014 at 8:26

[GoogleCodeExporter]

In r398 (trunk), added the ability to customize the default keystore type using 
a system property (javapns.communication.keystoreType), which can be set to 
"PKCS12", "JKS", or any type supported by the JVM.  Also, BouncyCastle was 
removed in an earlier revision, so that takes care of that unwanted dependency.

Original comment by sype...@gmail.com on 13 Oct 2014 at 2:49

• Changed state: Fixed