Open kuba1990 opened 8 months ago
Hi. Judging from the stack trace, you are trying to sign using a local JKS keystore. Are you sure the store exists? Can you find it and open it with other tools like KeyStoreExplorer? Are you sure its type is JKS and not PKCS12, for instance? Are you sure the JKS file you supply actually contains a private key? It's not enough to supply a JKS file with a public certificate; it has to contain a private key too, as far as I remember, so as to give NexU something it can sign with.
You can find the path of the keystore NexU tries to open in C:\Users\{your username}\AppData\Local\Nowina\NexU\keystore-database.xml
You could also try to delete the above file and try again - NexU will ask you again to browse for JKS keystore - it may have recorded an older keystore that does not exist anymore.
Finally, you could try using Windows keystore or inserting a PKCS11 USB token with a signature and trying those.
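The checks suggested in the comment above (the file's real container type, whether the password opens it, and whether any entry holds a private key) can be run outside NexU. The following is an added example, not part of the thread and not NexU or DSS code; the class name `KeystoreCheck` and its two command-line arguments are assumptions.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Added diagnostic example (hypothetical class, not NexU or DSS code).
// Usage: java KeystoreCheck <keystore-file> <password>
public class KeystoreCheck {

    // Identify the container format from the first four bytes, independent of the file extension.
    static String detectType(String path) throws Exception {
        try (DataInputStream in = new DataInputStream(new FileInputStream(path))) {
            int magic = in.readInt();
            if (magic == 0xFEEDFEED) return "JKS";        // JKS magic number
            if (magic == 0xCECECECE) return "JCEKS";      // JCEKS magic number
            if ((magic >>> 24) == 0x30) return "PKCS12";  // DER SEQUENCE tag (.p12 / .pfx)
            throw new IllegalArgumentException("Not a JKS, JCEKS or PKCS12 file: " + path);
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        char[] password = args[1].toCharArray();

        String type = detectType(path);
        System.out.println("Detected type: " + type);

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // IOException here means wrong password or a corrupt file
        }

        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // A certificate-only entry is not enough to sign with.
            boolean isPrivate = ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class);
            if (isPrivate) privateKeys++;
            System.out.println(alias + ": "
                    + (isPrivate ? "private key with certificate chain" : "no private key"));
        }
        if (privateKeys == 0) {
            System.out.println("No private key entries: a signing client has nothing to sign with.");
        }
    }
}
```

A file that reports `PKCS12` here but is offered to the signing client as JKS, or one that lists only entries without a private key, matches the two failure causes raised in the comment.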
Dear Andrey,
Thank you very much for your prompt response and assistance. I truly appreciate it.
I have carefully checked the specified location, but unfortunately, I couldn't find the file - keystore-database.xml [image: image.png]
It was an automatically created file web-server-keystore.jks, but I do not know the password.
I've also verified my keys, that I created myself, and they appear to be correct. [image: image.png]
Is there a possibility that you have a test JKS or PKCS12 file that is known to be valid and would pass the validation step shown in the screenshot?
[image: image.png]
Once again, thank you for your help.
Best regards, Jakub Wisniowski
Hi. First of all, I can't see the screenshots that you attached. I can see only things like "[image: image.png]". That being said, the truth is that I am testing with a slightly modified version of NexU and might not see the exact behavior that you describe.
But the normal course of action is that when you are in a DSS demo (https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/sign-a-pdf) and choose to sign a PDF, having NexU up and running and visible in the system tray, and there are no USB tokens with signatures inserted into the PC, it will first ask you to choose "New keystore" or "Windows keystore" - if you choose Windows it might show you PFX keys you already installed in the Personal Windows certificate store, or if you choose "New" it will ask you to point to a valid JKS or PKCS12 file - in fact I have never handled software signature certificates stored in a software keystore like that (this is not supposed to be very secure, as this file is not stored in a unique secure location, like a dedicated USB token) - but NexU will use it, if you provide one such keystore. Acrobat Reader will later complain that the signature has problems. But for testing you could try that. You have to know the password.
There's a handy tool called "mkcert" that you can use to create a keystore like that, even though it's for creating keystores used with SSL/TLS. I've created one such example - the password is "changeit". I can't attach it - but try to download it from here: https://github.com/hello-earth-gh/grumpy-hellcat/blob/master/localhost.p12
Hi, thank you a lot for your support - it helps me a lot:)
Dear Support Team, I trust this message finds you well. My name is Jakub, and I am reaching out to you regarding an issue that we have encountered with the KeyStore for DSS Demonstration WebApp.
Upon further investigation, we observed the following error in our logs:
```
2024-03-09 18:33:53,995 ERROR [GetCertificateFlow] Flow error
eu.europa.esig.dss.DSSException: Unable to instantiate KeyStoreSignatureTokenConnection
	at eu.europa.esig.dss.token.KeyStoreSignatureTokenConnection.<init>(KeyStoreSignatureTokenConnection.java:53)
	at eu.europa.esig.dss.token.JKSSignatureToken.<init>(JKSSignatureToken.java:45)
	at lu.nowina.nexu.keystore.KeystoreProductAdapter$KeystoreTokenProxy.initSignatureTokenConnection(KeystoreProductAdapter.java:216)
	at lu.nowina.nexu.keystore.KeystoreProductAdapter$KeystoreTokenProxy.getKeys(KeystoreProductAdapter.java:240)
	at lu.nowina.nexu.flow.operation.SelectPrivateKeyOperation.perform(SelectPrivateKeyOperation.java:89)
	at lu.nowina.nexu.flow.GetCertificateFlow.process(GetCertificateFlow.java:104)
	at lu.nowina.nexu.flow.GetCertificateFlow.process(GetCertificateFlow.java:49)
	at lu.nowina.nexu.flow.Flow.execute(Flow.java:55)
	at lu.nowina.nexu.InternalAPI.lambda$executeRequest$15(InternalAPI.java:195)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
```
We understand that this error indicates an issue with the KeyStore format. We have reviewed our configuration and checked the integrity of the KeyStore file, but the problem persists. Could you kindly provide guidance or assistance on how to resolve this KeyStore format issue? We would greatly appreciate any insights or recommendations you can offer to help us address this matter.
If additional information or logs are needed to assist in the troubleshooting process, please let us know, and we will provide them promptly.
Thank you very much for your time and support. We look forward to your guidance in resolving this matter.
Best regards, Jakub Wisniowski