open-eid / digidoc4j

DigiDoc for Java. Javadoc:
http://open-eid.github.io/digidoc4j
GNU Lesser General Public License v2.1

Serverless environment OCSP in TEST mode #91

Closed diidiiman closed 3 years ago

diidiiman commented 3 years ago

Hello!

Maybe somebody can provide a helping hand?

Have configured PROD and TEST environments, both running on AWS Lambdas. The production environment functions properly and allows signing the documents with no issues (had only to generate a new SSL truststore for LV) and the appropriate configuration in digidoc4j.yaml:

SSL_TRUSTSTORE_PATH: classpath:truststore.p12
SSL_TRUSTSTORE_PASSWORD: changeit
SSL_TRUSTSTORE_TYPE: PKCS12

For the TEST environment, however, an empty digidoc4j-test.yaml throws an error about the LOTL. That got addressed by specifying an SSL keystore generated for "https://open-eid.github.io/test-TL/tl-mp-test-EE.xml"; the LOTL error went away, but now a strange OCSP error appeared: ERROR org.digidoc4j.impl.asic.AsicSignatureFinalizer - Signature does not contain OCSP response

Followed the instructions here: https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#if-ocsp-request-has-failed

It is a TEST configuration, the certificate is a DEMO certificate from SmartID, and the library version is 4.0.3.

The part that was not clear in terms of necessity is this one: digidoc4j.yaml can also be configured with the following parameters: DIGIDOC_PKCS12_CONTAINER, DIGIDOC_PKCS12_PASSWD and SIGN_OCSP_REQUESTS.

The question I would appreciate some guidance with: is there any other reason why OCSP would fail in TEST mode if no overrides are provided and a DEMO SmartID is used?

Whole request output below:

13:11:00 3|signer   | START RequestId: cf6e3305-40a7-4e29-92b1-5694800ccd94 Version: $LATEST
13:11:00 3|signer   | 233 [main] INFO org.digidoc4j.Configuration - DigiDoc4J will be executed in <TEST> mode
13:11:00 3|signer   | 532 [main] INFO org.digidoc4j.Configuration - Configuration loaded ...
13:11:00 3|signer   | 4130 [main] INFO eu.europa.esig.dss.validation.CommonCertificateVerifier - + New CommonCertificateVerifier created.
13:11:00 3|signer   | 4908 [main] INFO org.digidoc4j.Configuration - Source by country <LV> not found, using default TSP source
13:11:00 3|signer   | 5255 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - New version of EU TSL is stored in cache
13:11:00 3|signer   | 6439 [main] WARN eu.europa.esig.dss.tsl.service.TSLValidationJob - OJ keystore is outdated! Newer keystore can be found at the address: [https://open-eid.github.io/test-TL/]
13:11:00 3|signer   | 6442 [pool-2-thread-1] INFO eu.europa.esig.dss.validation.CommonCertificateVerifier - + New CommonCertificateVerifier created.
13:11:00 3|signer   | 6653 [pool-2-thread-1] INFO eu.europa.esig.dss.validation.SignedDocumentValidator - Document validation...
13:11:00 3|signer   | 6804 [pool-2-thread-1] INFO eu.europa.esig.dss.xades.validation.XAdESCertificateSource - +XAdESCertificateSource
13:11:00 3|signer   | 6835 [pool-2-thread-1] INFO eu.europa.esig.dss.xades.validation.XAdESSignature - Determining signing certificate from certificate candidates list succeeded
13:11:00 3|signer   | 7296 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - Synchronizing the trustedListsCertificateSource...
13:11:00 3|signer   | 7297 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - Synchronization of the trustedListsCertificateSource : done
13:11:00 3|signer   | 7298 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - Nb of loaded trusted lists : 1/1
13:11:00 3|signer   | 7298 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - Nb of trusted certificates : 0
13:11:00 3|signer   | 7298 [main] INFO eu.europa.esig.dss.tsl.service.TSLRepository - Nb of trusted public keys : 0
13:11:00 3|signer   | 7394 [main] INFO eu.europa.esig.dss.xades.signature.XAdESLevelBaselineT - ====> Extending: IN MEMORY DOCUMENT
13:11:00 3|signer   | 7413 [main] INFO eu.europa.esig.dss.xades.validation.XAdESCertificateSource - +XAdESCertificateSource
13:11:00 3|signer   | 7419 [main] INFO eu.europa.esig.dss.xades.validation.XAdESSignature - Determining signing certificate from certificate candidates list succeeded
13:11:00 3|signer   | 7587 [main] INFO eu.europa.esig.dss.service.tsp.OnlineTSPSource - TSP Status: Operation Okay
13:11:00 3|signer   | 7587 [main] INFO eu.europa.esig.dss.service.tsp.OnlineTSPSource - TSP SID : SN 149438394417344836205421746525828011645, Issuer C=EE,O=AS Sertifitseerimiskeskus,CN=TEST of EE Certification Centre Root CA,E=pki@sk.ee
13:11:00 3|signer   | 7733 [main] WARN eu.europa.esig.dss.CertificateReorderer - Issuer not found for certificate C-DBE95D7DC7F948156668888A0F6E86E364BA2FCC04E0CAF277B8B0FF535C8D28
13:11:00 3|signer   | 7737 [main] WARN eu.europa.esig.dss.CertificateReorderer - Issuer not found for certificate C-444E34B4ECF4D620A8A981D97B98FFF87982CDCC7A41FA0CB340957D4841A2F7
13:11:00 3|signer   | 7738 [main] INFO eu.europa.esig.dss.validation.SignatureValidationContext - Retrieving C-DBE95D7DC7F948156668888A0F6E86E364BA2FCC04E0CAF277B8B0FF535C8D28 certificate's issuer using AIA.
13:11:00 3|signer   | 7869 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - External revocation check is skipped for untrusted certificate : C-DBE95D7DC7F948156668888A0F6E86E364BA2FCC04E0CAF277B8B0FF535C8D28
13:11:00 3|signer   | 7870 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - No revocation found for certificate C-DBE95D7DC7F948156668888A0F6E86E364BA2FCC04E0CAF277B8B0FF535C8D28
13:11:00 3|signer   | 7873 [main] INFO eu.europa.esig.dss.validation.SignatureValidationContext - Retrieving C-444E34B4ECF4D620A8A981D97B98FFF87982CDCC7A41FA0CB340957D4841A2F7 certificate's issuer using AIA.
13:11:00 3|signer   | 8052 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - External revocation check is skipped for untrusted certificate : C-444E34B4ECF4D620A8A981D97B98FFF87982CDCC7A41FA0CB340957D4841A2F7
13:11:00 3|signer   | 8052 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - No revocation found for certificate C-444E34B4ECF4D620A8A981D97B98FFF87982CDCC7A41FA0CB340957D4841A2F7
13:11:00 3|signer   | 8057 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - External revocation check is skipped for untrusted certificate : C-4F7E0BFDBBF45E2D06A971F903B3C017FDCB53138EC5D46E26C81B973DCEEADE
13:11:00 3|signer   | 8057 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - No revocation found for certificate C-4F7E0BFDBBF45E2D06A971F903B3C017FDCB53138EC5D46E26C81B973DCEEADE
13:11:00 3|signer   | 8057 [main] WARN eu.europa.esig.dss.validation.DefaultAdvancedSignature - Revocation data is missing
13:11:00 3|signer   | 8058 [main] WARN eu.europa.esig.dss.validation.DefaultAdvancedSignature - A POE is not covered by an usable revocation data
13:11:00 3|signer   | 8058 [main] WARN eu.europa.esig.dss.validation.SignatureValidationContext - No revocation data found after the best signature time [Tue Jan 19 11:10:59 GMT 2021] for the certificate : C-DBE95D7DC7F948156668888A0F6E86E364BA2FCC04E0CAF277B8B0FF535C8D28
13:11:00 3|signer   | 8058 [main] WARN eu.europa.esig.dss.validation.DefaultAdvancedSignature - Revocation data thisUpdate time is after the bestSignatureTime
13:11:00 3|signer   | 8085 [main] INFO eu.europa.esig.dss.validation.CommonCertificateVerifier - + New CommonCertificateVerifier created.
13:11:00 3|signer   | 8095 [main] INFO eu.europa.esig.dss.xades.validation.XAdESCertificateSource - +XAdESCertificateSource
13:11:00 3|signer   | 8103 [main] INFO eu.europa.esig.dss.xades.validation.XAdESSignature - Determining signing certificate from certificate candidates list succeeded
13:11:00 3|signer   | 8173 [main] ERROR org.digidoc4j.impl.asic.AsicSignatureFinalizer - Signature does not contain OCSP response
13:11:00 3|signer   | 8174 [main] ERROR edoks.signer.models.SignatureObject - Signature finalization threw error:
13:11:00 3|signer   | (Signature ID: id-35525ca25717941b4732355a4cfd3fd4) - OCSP request failed. Please check GitHub Wiki for more information: https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#if-ocsp-request-has-failed
13:11:00 3|signer   |   at org.digidoc4j.impl.asic.AsicSignatureFinalizer.validateOcspResponse(AsicSignatureFinalizer.java:166)
13:11:00 3|signer   |   at org.digidoc4j.impl.asic.AsicSignatureFinalizer.createSignature(AsicSignatureFinalizer.java:110)
13:11:00 3|signer   |   at org.digidoc4j.impl.asic.AsicSignatureFinalizer.finalizeSignature(AsicSignatureFinalizer.java:86)
13:11:00 3|signer   |   at org.digidoc4j.DataToSign.finalize(DataToSign.java:93)
13:11:00 3|signer   |   at edoks.signer.service.FileSigner.placeSignatureOnXML(FileSigner.java:69)
13:11:00 3|signer   |   at edoks.signer.models.SignatureObject.finalizeSignature(SignatureObject.java:101)
13:11:00 3|signer   |   at edoks.signer.PlaceSignature.handleRequest(PlaceSignature.java:35)
13:11:00 3|signer   |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
13:11:00 3|signer   |   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
13:11:00 3|signer   |   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
13:11:00 3|signer   |   at java.base/java.lang.reflect.Method.invoke(Unknown Source)
13:11:00 3|signer   |   at lambdainternal.EventHandlerLoader$PojoMethodRequestHandler.handleRequest(EventHandlerLoader.java:282)
13:11:00 3|signer   |   at lambdainternal.EventHandlerLoader$PojoHandlerAsStreamHandler.handleRequest(EventHandlerLoader.java:199)
13:11:00 3|signer   |   at lambdainternal.EventHandlerLoader$2.call(EventHandlerLoader.java:899)
13:11:00 3|signer   |   at lambdainternal.AWSLambda.startRuntime(AWSLambda.java:258)
13:11:00 3|signer   |   at lambdainternal.AWSLambda.startRuntime(AWSLambda.java:192)
13:11:00 3|signer   |   at lambdainternal.AWSLambda.main(AWSLambda.java:187)
13:11:00 3|signer   | END RequestId: cf6e3305-40a7-4e29-92b1-5694800ccd94

diidiiman commented 3 years ago

I managed to replicate this also on a project that is not inside an AWS Lambda container, using Spring Boot with zero configuration for the test environment. Maybe someone knows of other reasons, besides the ones described here https://github.com/open-eid/digidoc4j/wiki/Questions-&-Answers#if-ocsp-request-has-failed, why it might fail?

diidiiman commented 3 years ago

Just for anyone who might stumble upon this: I had setTrustedTerritories set in the configuration, which does not work with the TEST environment... https://github.com/open-eid/digidoc4j/issues/80
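As an added example (not code from the reporter or from the digidoc4j project), the following Java class mirrors what this thread ends up recommending: a TEST-mode Configuration equivalent to the truststore keys in the first post's digidoc4j.yaml, a pre-flight check that refuses the setTrustedTerritories misconfiguration the reporter found (with only the single test TL loaded, territory filtering is consistent with the "Nb of trusted certificates : 0" lines in the log), and an LT signing flow that verifies the finalized signature actually carries OCSP data rather than finding out at validation time. The truststore path and password, the constructed "hello.txt" payload, and the ExternalSigner hook standing in for the Smart-ID demo call are assumptions; everything else uses the digidoc4j 4.x public API.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.List;

import org.digidoc4j.Configuration;
import org.digidoc4j.Container;
import org.digidoc4j.ContainerBuilder;
import org.digidoc4j.DataToSign;
import org.digidoc4j.DigestAlgorithm;
import org.digidoc4j.Signature;
import org.digidoc4j.SignatureBuilder;
import org.digidoc4j.SignatureProfile;

public class TestModeSigning {

    /** Hypothetical hook for the external signer (e.g. the Smart-ID demo); not part of digidoc4j. */
    public interface ExternalSigner {
        X509Certificate signingCertificate();
        byte[] sign(byte[] dataToSign, DigestAlgorithm algorithm);
    }

    /** Builds the TEST-mode configuration equivalent to the yaml keys quoted in the first post. */
    public static Configuration buildTestConfiguration() {
        Configuration conf = Configuration.of(Configuration.Mode.TEST);
        // Same settings as SSL_TRUSTSTORE_PATH / SSL_TRUSTSTORE_PASSWORD / SSL_TRUSTSTORE_TYPE.
        // Assumed values: a PKCS12 truststore on the classpath that holds the certificate
        // chain of https://open-eid.github.io/test-TL/ (the test LOTL host).
        conf.setSslTruststorePath("classpath:test-truststore.p12");
        conf.setSslTruststorePassword("changeit");
        conf.setSslTruststoreType("PKCS12");
        // Deliberately no conf.setTrustedTerritories(...): in TEST mode that is the
        // misconfiguration the thread ended in (see issue #80).
        return conf;
    }

    /** Fails fast on trusted territories in TEST mode instead of failing later at OCSP time. */
    public static void preflight(Configuration conf) {
        if (conf.getMode() == Configuration.Mode.TEST) {
            List<String> territories = conf.getTrustedTerritories();
            if (territories != null && !territories.isEmpty()) {
                throw new IllegalStateException(
                    "TEST mode with trusted territories " + territories
                    + " leaves the trusted list empty; remove setTrustedTerritories (issue #80)");
            }
        }
    }

    /** Signs one data file with the LT profile (timestamp + OCSP) and checks the OCSP data is present. */
    public static Container signLt(Configuration conf, ExternalSigner signer) {
        preflight(conf);
        byte[] payload = "hello".getBytes(StandardCharsets.UTF_8);   // constructed sample payload
        Container container = ContainerBuilder.aContainer(Container.DocumentType.ASICE)
            .withConfiguration(conf)
            .withDataFile(new ByteArrayInputStream(payload), "hello.txt", "text/plain")
            .build();

        DataToSign dataToSign = SignatureBuilder.aSignature(container)
            .withSigningCertificate(signer.signingCertificate())
            .withSignatureDigestAlgorithm(DigestAlgorithm.SHA256)
            .withSignatureProfile(SignatureProfile.LT)
            .buildDataToSign();

        byte[] signatureValue = signer.sign(dataToSign.getDataToSign(), DigestAlgorithm.SHA256);

        // finalize() fetches the timestamp and the OCSP response; this is the call behind
        // the "Signature does not contain OCSP response" error in the log above.
        Signature signature = dataToSign.finalize(signatureValue);

        // Belt and braces: an LT signature without OCSP data must not be persisted.
        if (signature.getOCSPCertificate() == null || signature.getOCSPResponseCreationTime() == null) {
            throw new IllegalStateException("LT signature finalized without OCSP data");
        }
        container.addSignature(signature);
        return container;
    }
}
```

The three yaml keys the reporter was unsure about map to `setOCSPAccessCertificateFileName`, `setOCSPAccessCertificatePassword` and `setSignOcspRequests` on Configuration; they matter only when the OCSP responder you use requires signed requests, which is not what the log here shows (the responder is never reached because the trusted certificate list is empty), so they are left out of the example.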