Bug #402
[closed] KeyLengthVerifier does not support certificates which use brainpoolP*r1 curves as domain parameters.
Description
The KeyLengthVerifier tries to convert a BouncyCastle Certificate, which contains the complete certificate chain, into a java.security CertPath object. This conversion fails if the certificate uses brainpool curves as domain parameters: as the trace below shows, the JDK's X.509 parser rejects the EC key's named-curve OID ("Unknown named curve"), so the JCA conversion throws, the key length check cannot run, and the TLS handshake is aborted with a fatal internal error.
2015-07-03 15:04:26,183 [Thread-7] ERROR o.o.crypto.tls.ClientCertDefaultTlsClient:230 - TLS(FATAL): Internal error [internal_error=80] --> Failed to read record
org.openecard.crypto.tls.CertificateVerificationException: Failed to convert certificates to JCA format.
at org.openecard.crypto.tls.verify.KeyLengthVerifier.isValid(KeyLengthVerifier.java:58) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.crypto.tls.auth.CertificateVerifierBuilder$1.isValid(CertificateVerifierBuilder.java:144) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.crypto.tls.auth.DynamicAuthentication.notifyServerCertificate(DynamicAuthentication.java:156) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:156) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocol.processHandshake(TlsProtocol.java:306) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocol.processRecord(TlsProtocol.java:228) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.RecordStream.readRecord(RecordStream.java:170) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:464) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocol.completeHandshake(TlsProtocol.java:149) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsClientProtocol.connect(TlsClientProtocol.java:77) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ResourceContext.getStreamInt(ResourceContext.java:244) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ResourceContext.getStream(ResourceContext.java:197) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ResourceContext.getStream(ResourceContext.java:174) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.TCTokenContext.generateTCToken(TCTokenContext.java:73) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.TCTokenRequest.parseTCTokenRequestURI(TCTokenRequest.java:201) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.TCTokenRequest.convert(TCTokenRequest.java:115) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ActivationAction.processTcTokenOrActivationObject(ActivationAction.java:375) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ActivationAction.processRequest(ActivationAction.java:244) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ActivationAction.checkRequestParameters(ActivationAction.java:224) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.binding.tctoken.ActivationAction.execute(ActivationAction.java:111) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.addon.bind.AppPluginActionProxy.execute(AppPluginActionProxy.java:55) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.control.binding.http.handler.HttpAppPluginActionHandler.handle(HttpAppPluginActionHandler.java:111) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:436) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:341) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.control.binding.http.HttpService$1.run(HttpService.java:131) [richclient-1.1.0-rc17-bundle-cifs.jar:na]
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7
at sun.security.x509.X509CertInfo.<init>(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.X509CertImpl.parse(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.X509CertImpl.<init>(Unknown Source) ~[na:1.8.0_45]
at sun.security.provider.X509Factory.engineGenerateCertificate(Unknown Source) ~[na:1.8.0_45]
at java.security.cert.CertificateFactory.generateCertificate(Unknown Source) ~[na:1.8.0_45]
at org.openecard.crypto.common.keystore.KeyTools.convertCertificates(KeyTools.java:108) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.crypto.common.keystore.KeyTools.convertCertificates(KeyTools.java:88) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
at org.openecard.crypto.tls.verify.KeyLengthVerifier.isValid(KeyLengthVerifier.java:54) ~[richclient-1.1.0-rc17-bundle-cifs.jar:na]
... 24 common frames omitted
*Caused by: java.io.IOException: Unknown named curve: 1.3.36.3.3.2.8.1.1.7
at sun.security.ec.ECParameters.engineInit(ECParameters.java:143) ~[sunec.jar:1.8.0_20]*
at java.security.AlgorithmParameters.init(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.AlgorithmId.decodeParams(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.AlgorithmId.<init>(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.AlgorithmId.parse(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.X509Key.parse(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.CertificateX509Key.<init>(Unknown Source) ~[na:1.8.0_45]
at sun.security.x509.X509CertInfo.parse(Unknown Source) ~[na:1.8.0_45]