phax / phase4

phase4 - AS4 client and server for integration into existing systems. Specific support for Peppol and CEF eDelivery built-in.
Apache License 2.0

Trust anchor for certification path not found error for Incoming AS4 messages #232

Closed sheerishtanwar closed 6 months ago

sheerishtanwar commented 7 months ago

I am getting the following exception for a message received on my phase4 AS4 standalone application. However, I have checked that the truststore contains all the certificates, including the intermediate and root.

```
ERROR SOAPHeaderElementProcessorWSS4J [http-nio-8083-exec-3] Error processing the WSSSecurity Header
org.apache.wss4j.common.ext.WSSecurityException: Error during certificate path validation: Trust anchor for certification path not found.
    at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:891) ~[wss4j-ws-security-common-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:906) ~[wss4j-ws-security-common-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.dom.validate.SignatureTrustValidator.verifyTrustInCerts(SignatureTrustValidator.java:112) ~[wss4j-ws-security-dom-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.dom.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64) ~[wss4j-ws-security-dom-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:189) ~[wss4j-ws-security-dom-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) ~[wss4j-ws-security-dom-3.0.2.jar!/:3.0.2]
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:251) ~[wss4j-ws-security-dom-3.0.2.jar!/:3.0.2]
    at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J._verifyAndDecrypt(SOAPHeaderElementProcessorWSS4J.java:179) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.soap.SOAPHeaderElementProcessorWSS4J.processHeaderElement(SOAPHeaderElementProcessorWSS4J.java:503) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4IncomingHandler._processSoapHeaderElements(AS4IncomingHandler.java:466) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4IncomingHandler.processEbmsMessage(AS4IncomingHandler.java:635) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4RequestHandler._handleSoapMessage(AS4RequestHandler.java:1389) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4RequestHandler.lambda$handleRequest$5(AS4RequestHandler.java:1846) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4IncomingHandler.parseAS4Message(AS4IncomingHandler.java:366) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4RequestHandler.handleRequest(AS4RequestHandler.java:1865) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4RequestHandler.handleRequest(AS4RequestHandler.java:1904) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4XServletHandler.handleRequest(AS4XServletHandler.java:436) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.phase4.servlet.AS4XServletHandler.handleRequest(AS4XServletHandler.java:474) ~[phase4-lib-2.7.4.jar!/:2.7.4]
    at com.helger.xservlet.handler.simple.XServletHandlerToSimpleHandler.onRequest(XServletHandlerToSimpleHandler.java:241) ~[ph-xservlet-10.1.7.jar!/:10.1.7]
    at com.helger.xservlet.AbstractXServlet._invokeHandler(AbstractXServlet.java:355) ~[ph-xservlet-10.1.7.jar!/:10.1.7]
    at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:540) ~[ph-xservlet-10.1.7.jar!/:10.1.7]
    at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at com.helger.xservlet.AbstractXServlet.service(AbstractXServlet.java:596) ~[ph-xservlet-10.1.7.jar!/:10.1.7]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:205) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51) ~[tomcat-embed-websocket-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.4.jar!/:6.1.4]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:174) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:149) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:673) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:391) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:896) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1744) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.19.jar!/:?]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi_8.engineValidate(Unknown Source) ~[bcprov-jdk18on-1.77.jar!/:1.77.00.0]
    at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?]
    at org.apache.wss4j.common.crypto.Merlin.verifyTrust(Merlin.java:885) ~[wss4j-ws-security-common-3.0.2.jar!/:3.0.2]
    ... 60 more
```

phax commented 6 months ago

I assume you want to set up for Peppol. Most likely your trust store configuration is not correct. How are you providing the truststore in your configuration? The default setup in application.properties looks like this, which references a truststore that is shipped with the solution and works with test and production:

```properties
org.apache.wss4j.crypto.merlin.load.cacerts=false
org.apache.wss4j.crypto.merlin.truststore.type=jks
org.apache.wss4j.crypto.merlin.truststore.file=truststore/complete-truststore.jks
org.apache.wss4j.crypto.merlin.truststore.password=peppol
```

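The properties above tell WSS4J's Merlin which keystore to treat as the set of trust anchors, and the `CertPathValidatorException` in the log is the PKIX validator reporting that the sender's signing chain does not end at any certificate in that store. The diagnostic below is an added example, not code from phase4, WSS4J or this thread: it loads the truststore exactly as those four properties name it, lists which aliases actually become trust anchors, and runs the same kind of PKIX path validation on a PEM chain supplied on the command line. The class name `TruststoreCheck`, the properties-file and PEM-file arguments, and the use of the JDK's default PKIX provider (the log shows BouncyCastle's) are assumptions of the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;

/**
 * Hypothetical stand-alone diagnostic (not part of phase4 or WSS4J): loads the
 * truststore named by the org.apache.wss4j.crypto.merlin.truststore.* properties
 * and validates a sender's certificate chain against it with PKIX, the check
 * that produced "Trust anchor for certification path not found" in the log.
 */
public final class TruststoreCheck {

  /** Loads the truststore with the type, file and password Merlin is configured with. */
  static KeyStore loadTruststore(Properties p) throws Exception {
    String type = p.getProperty("org.apache.wss4j.crypto.merlin.truststore.type", "jks");
    String file = p.getProperty("org.apache.wss4j.crypto.merlin.truststore.file");
    String password = p.getProperty("org.apache.wss4j.crypto.merlin.truststore.password", "");
    KeyStore ks = KeyStore.getInstance(type);
    try (InputStream in = new FileInputStream(file)) {
      ks.load(in, password.toCharArray());
    }
    return ks;
  }

  /**
   * Aliases that PKIXParameters(KeyStore) turns into trust anchors. Only
   * trusted-certificate entries count; a root stored as a key entry is ignored,
   * so "the store contains the root" is not enough on its own.
   */
  static List<String> trustAnchorAliases(KeyStore ks) throws Exception {
    List<String> anchors = new ArrayList<>();
    for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
      String alias = e.nextElement();
      if (ks.isCertificateEntry(alias)) {
        anchors.add(alias);
      }
    }
    return anchors;
  }

  /** Reads all certificates from a PEM file; expected order is leaf first, then intermediates. */
  static List<X509Certificate> readPemChain(Path pem) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    List<X509Certificate> chain = new ArrayList<>();
    try (InputStream in = Files.newInputStream(pem)) {
      for (Certificate c : cf.generateCertificates(in)) {
        chain.add((X509Certificate) c);
      }
    }
    // The anchor must come from the truststore, never from the message, so a
    // self-signed root carried in the PEM is dropped before validation.
    chain.removeIf(c -> c.getSubjectX500Principal().equals(c.getIssuerX500Principal()));
    return chain;
  }

  /**
   * Validates the chain against the truststore and returns the subject of the
   * anchor that closed the path; a missing root or intermediate surfaces as
   * CertPathValidatorException with the same message as in the log.
   */
  static String validate(List<X509Certificate> chain, KeyStore truststore) throws Exception {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    CertPath path = cf.generateCertPath(chain);
    PKIXParameters params = new PKIXParameters(truststore);
    // Revocation is a separate concern; disable it so this answers only the
    // question "is there a trust anchor for this chain in this store?".
    params.setRevocationEnabled(false);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);
    return result.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
  }

  /** Usage: java TruststoreCheck application.properties sender-chain.pem */
  public static void main(String[] args) throws Exception {
    Properties p = new Properties();
    try (InputStream in = new FileInputStream(args[0])) {
      p.load(in);
    }
    KeyStore ts = loadTruststore(p);
    System.out.println("Trust anchors in store: " + trustAnchorAliases(ts));
    List<X509Certificate> chain = readPemChain(Path.of(args[1]));
    System.out.println("Chain leaf: " + chain.get(0).getSubjectX500Principal().getName());
    try {
      System.out.println("OK, anchored at: " + validate(chain, ts));
    } catch (CertPathValidatorException ex) {
      System.out.println("FAILED: " + ex.getMessage());
    }
  }
}
```

Run it against the same `application.properties` the AS4 server reads and a PEM dump of the sender's signing chain. If the anchor list is empty or the validation fails while the file "contains all the certificates", the usual causes are a different truststore path than the one the server loads, certificates imported as key entries rather than trusted entries, or, as in the resolution below, the truststore not being passed to the incoming-security configuration at all.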
sheerishtanwar commented 6 months ago

Hi Phax, thanks for your response. You are right, my Truststore configuration was incorrect and I fixed it; I was also not correctly setting the Truststore in IncomingSecurityConfiguration for inbound messages.

sheerishtanwar commented 6 months ago

resolved