open-eid / digidoc4j

DigiDoc for Java. Javadoc:
http://open-eid.github.io/digidoc4j
GNU Lesser General Public License v2.1

Unknown Protocol - ldap #61

Closed olamiko closed 5 years ago

olamiko commented 5 years ago

Hi, I am trying to create an ASICS transaction with a test certificate. However, it fails to recognize the LDAP protocol and doesn't check the HTTP url during certificate validation. The error code is attached below and the certificate I am using is attached also

ip.zip https://gist.github.com/olamiko/77267a797b58997e12b9fdff0598fa4c

Is there a known solution?

naare commented 5 years ago

You are trying to sign with a certificate that is not present in the TSL (e.g. it is not a trusted certificate). It is possible to add this certificate to be trusted, but maybe it is just simpler to use some of the test keys/certs present in this repo? These can be used as is with DD4J in TEST mode.

The files can be found here: https://github.com/open-eid/digidoc4j/tree/master/digidoc4j/src/test/resources/testFiles/p12 The passwords can be found in the tests that use these keystores.

olamiko commented 5 years ago

Hi @naare, thanks for responding. I thought DD4J automatically uses eIDAS as the default TSL. The certificates I presented are test certificates that were created by a CA that is part of eIDAS.

naare commented 5 years ago

DD4J supports all the trusted certificates through the European LOTL. Your test certificate is issued by "IAIK Test Intermediate CA"; this certificate is not in the official Austrian Trust List (a Test Trust List is supported only for Estonia).

olamiko commented 5 years ago

Thank you @naare, all is clear now.

stefan2904 commented 5 years ago

@naare

You are trying to sign with a certificate that is not present in the TSL (e.g. it is not a trusted certificate)

If the issuer of the used cert is on the TSL which was set using container1.getConfiguration().setTslLocation(trustList);, it should be considered trusted, right? (Or is this the wrong option to set the TslLocation?)

It is possible to add this certificate to be trusted

Since this is Option B: can I ask how to add a cert to be trusted? CertificatePool is not accessible from the outside, and I cannot find any APIs/configuration options for this.

stefan2904 commented 5 years ago

Btw, the mentioned bug was fixed in esig/dss@f8405c735193e12b6d325f0da642f8c9dbd47a10: the loader.get(url); is now inside a try-catch block. Updating to the newest version did the job for me.

naare commented 5 years ago

@naare

You are trying to sign with a certificate that is not present in the TSL (e.g. it is not a trusted certificate)

If the issuer of the used cert is on the TSL which was set using container1.getConfiguration().setTslLocation(trustList);, it should be considered trusted, right? (Or is this the wrong option to set the TslLocation?)

It is possible to add this certificate to be trusted

Since this is Option B: can I ask how to add a cert to be trusted? CertificatePool is not accessible from the outside, and I cannot find any APIs/configuration options for this.

The parameter name TslLocation is a bit wrong. You need to point it to the LOTL (list of the lists), which contains all the trusted TSLs, which contain all the trusted certificates. As long as your certificate is in this chain, it is trusted.

Option B: we have identified a possible problem in adding trusted certificates directly in DD4J 3.1.0. You should be able to add certificates this way (remember, you need to add the whole certificate chain):

configuration.getTSL().addCertificate(certificate);
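The two options from the reply above, put together as an added example (this is not code from the digidoc4j project or from the thread participants). It loads the complete issuing chain from a PEM bundle, adds every certificate in it to the DD4J trust store via the `addCertificate` call quoted above, and then validates the container so a chain that is still missing a link shows up as a validation error instead of silently passing. Assumptions: DD4J 3.x in TEST mode, the `CertificateToken` wrapper from the DSS package shipped with that version (`eu.europa.esig.dss.model.x509` in DSS 5.x; older releases use `eu.europa.esig.dss.x509`), and placeholder file paths and URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

import org.digidoc4j.Configuration;
import org.digidoc4j.Container;
import org.digidoc4j.ContainerBuilder;
import org.digidoc4j.ValidationResult;
// Package name depends on the DSS version bundled with your DD4J release (assumption: DSS 5.x).
import eu.europa.esig.dss.model.x509.CertificateToken;

public class TrustChainExample {

    // Option B from the thread: add the WHOLE chain (issuer, intermediates, root) as trusted.
    // The PEM bundle path is a placeholder; the file is expected to hold one or more
    // concatenated "-----BEGIN CERTIFICATE-----" blocks.
    static int addChainToTrustStore(Configuration configuration, String pemBundlePath) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = new FileInputStream(pemBundlePath)) {
            Collection<? extends Certificate> certs = factory.generateCertificates(in);
            for (Certificate cert : certs) {
                X509Certificate x509 = (X509Certificate) cert;
                // Same call as in the reply above; CertificateToken is the DSS wrapper type.
                configuration.getTSL().addCertificate(new CertificateToken(x509));
                added++;
            }
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        Configuration configuration = Configuration.of(Configuration.Mode.TEST);

        // Option A from the thread: TslLocation must point at a LOTL, not at a single TSL.
        // Placeholder URL; uncomment and replace if you run your own LOTL.
        // configuration.setTslLocation("https://example.invalid/my-lotl.xml");

        // Option B: trust the issuing chain directly.
        int added = addChainToTrustStore(configuration, "/path/to/issuer-chain.pem");
        System.out.println("Added " + added + " certificate(s) to the trust store");

        Container container = ContainerBuilder.aContainer("ASICS")
                .withConfiguration(configuration)
                .withDataFile("/path/to/document.txt", "text/plain")
                .build();

        // ... sign here with the key whose certificate chains to the issuer added above ...

        // Validation is where a missing intermediate or root surfaces: do not treat a
        // successfully built container as proof that the signer is trusted.
        ValidationResult result = container.validate();
        System.out.println("Valid: " + result.isValid());
        result.getErrors().forEach(e -> System.out.println("Error: " + e.getMessage()));
    }
}
```

If `addChainToTrustStore` reports fewer certificates than the chain actually has, the PEM bundle is incomplete and validation will keep failing with an untrusted-issuer error even though signing succeeds, which is the symptom described later in this thread.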

stefan2904 commented 5 years ago

The parameter name TslLocation is a bit wrong. You need to point it to the LOTL (list of the lists), which contains all the trusted TSLs, which contain all the trusted certificates. As long as your certificate is in this chain, it is trusted.

So if I don't have a LOTL, just a TSL, I cannot use the container.validate(); method?

Apparently it is possible to create a container under this condition, but not to verify it afterwards ...

naare commented 5 years ago

LOTL/TSL is the basis for validating a signature. You can take a look at this test LOTL: https://github.com/open-eid/test-TL/blob/master/tl-mp-test-EE.xml to get an example of how to make your own if you need your own LOTL/TSL.