Re: Issue with Opensaml and Self-Signed Certificates
Rohit,

I have tried with public IdP [1], it's not working with that even. Do you use the same version of opensaml i.e. opensaml-2.6.4? I am waiting for your test-case results.

[1] https://idp.ssocircle.com

Thanks,
Harika.

On 01/12/17, 2:14 PM, "Harika Punna" wrote:

Rohit,

I have debugged already and found that the password for keystore is null, though I have provided the password in properties file, which is the cause for the issue. I will try with any publicly available SAML providers.

Thanks,
Harika.

On 30/11/17, 3:17 PM, "Rohit Yadav" wrote:

Harika,

I'm planning to run some tests by end of next week, I'll keep you posted. Meanwhile, try to debug the issue, attach a debugger and see what is causing the failure and use one of the publicly available SAML idp providers, the issue could also be related to your SAML sp/idp configuration.

Regards.

From: Harika Punna
Sent: Thursday, November 30, 2017 11:03:05 AM
To: Rohit Yadav; dev@cloudstack.apache.org
Subject: Re: Issue with Opensaml and Self-Signed Certificates

Rohit,

I have tried the same thing on latest master, even on that I could the same dependencies. Are you using opensaml of version 2.6.4? Have you faced this issue when working with self-signed certificates? I would appreciate any help on this.

Thanks,
Harika.

From: Rohit Yadav
Date: Wednesday, 29 November 2017 at 1:09 PM
To: "dev@cloudstack.apache.org", Harika Punna
Subject: Re: Issue with Opensaml and Self-Signed Certificates

Harika,

Can you test the latest master and see if you can reproduce the error?

rohit.ya...@shapeblue.com www.shapeblue.com @shapeblue

From: Harika Punna
Sent: Wednesday, November 29, 2017 10:57:53 AM
To: Rohit Yadav; dev@cloudstack.apache.org
Subject: Re: Issue with Opensaml and Self-Signed Certificates

Rohit,

I was trying to configure ACS with ADFS using saml plugin. I find the not-yet-commons-ssl.jar in the opensaml-2.6.4 dependency of plugins/user-authentication/saml2/pom.xml

The dependency tree of not-yet-commons-ssl is as follows-

opensaml-2.6.4 > openws-1.5.4 > xmltooling-1.4.4 > not-yet-commons-ssl-0.3.9

May I know which version of opensaml are you using?

Thanks,
Harika.

From: Rohit Yadav
Date: Tuesday, 28 November 2017 at 6:56 PM
To: Harika Punna, "dev@cloudstack.apache.org"
Subject: Re: Issue with Opensaml and Self-Signed Certificates

Harika,

Can you share what exactly are you doing, perhaps you can submit a PR and ask for review? I did not find any usage of a KeyStoreBuilder class in current master, nor we've a not-yet-commons-ssl dependency in current codebase.

Regard.

rohit.ya...@shapeblue.com www.shapeblue.com @shapeblue

From: Harika Punna
Sent: Tuesday, November 28, 2017 2:13:33 PM
To: dev@cloudstack.apache.org; Rohit Yadav
Subject: Re: Issue with Opensaml and Self-Signed Certificates

Hi Rohit,

Could you please help me on this?

-Harika.

On 27/11/17, 4:26 PM, "Harika Punna" wrote:

Hi,

When I use Opensaml on 4.10 with the self-signed certificates I get the following error, though the configuration for the opensaml and ssl is proper. It works fine if I debug and supply the password of the keystore in KeyStoreBuilder class, which is in not-yet-commons-ssl.jar. Has anyone faced this issue, I tried with different versions of opensaml but nothing worked. Found similar issue on SO at [1], but
Re: Issue with Opensaml and Self-Signed Certificates
Rohit,

I have debugged already and found that the password for keystore is null, though I have provided the password in properties file, which is the cause for the issue. I will try with any publicly available SAML providers.

Thanks,
Harika.
Re: Issue with Opensaml and Self-Signed Certificates
Harika,

I'm planning to run some tests by end of next week, I'll keep you posted. Meanwhile, try to debug the issue, attach a debugger and see what is causing the failure and use one of the publicly available SAML idp providers, the issue could also be related to your SAML sp/idp configuration.

Regards.
Re: Issue with Opensaml and Self-Signed Certificates
Rohit,

I have tried the same thing on latest master, even on that I could the same dependencies. Are you using opensaml of version 2.6.4? Have you faced this issue when working with self-signed certificates? I would appreciate any help on this.

Thanks,
Harika.
Re: Issue with Opensaml and Self-Signed Certificates
Harika,

Can you test the latest master and see if you can reproduce the error?
Re: Issue with Opensaml and Self-Signed Certificates
Rohit,

I was trying to configure ACS with ADFS using saml plugin. I find the not-yet-commons-ssl.jar in the opensaml-2.6.4 dependency of plugins/user-authentication/saml2/pom.xml

The dependency tree of not-yet-commons-ssl is as follows-

opensaml-2.6.4 > openws-1.5.4 > xmltooling-1.4.4 > not-yet-commons-ssl-0.3.9

May I know which version of opensaml are you using?

Thanks,
Harika.
Re: Issue with Opensaml and Self-Signed Certificates
Harika,

Can you share what exactly are you doing, perhaps you can submit a PR and ask for review? I did not find any usage of a KeyStoreBuilder class in current master, nor we've a not-yet-commons-ssl dependency in current codebase.

Regard.
Re: Issue with Opensaml and Self-Signed Certificates
Hi Rohit,

Could you please help me on this?

-Harika.

On 27/11/17, 4:26 PM, "Harika Punna" wrote:

Hi,

When I use Opensaml on 4.10 with the self-signed certificates I get the following error, though the configuration for the opensaml and ssl is proper. It works fine if I debug and supply the password of the keystore in KeyStoreBuilder class, which is in not-yet-commons-ssl.jar.

Has anyone faced this issue? I tried with different versions of opensaml but nothing worked. Found similar issues on SO at [1], but none of them helped.

java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:450)
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:416)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:150)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.addIdpToMap(SAML2AuthManagerImpl.java:293)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.discoverAndAddIdp(SAML2AuthManagerImpl.java:323)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.access$200(SAML2AuthManagerImpl.java:92)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl$MetadataRefreshTask.run(SAML2AuthManagerImpl.java:349)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:450)
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:416)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:150)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.addIdpToMap(SAML2AuthManagerImpl.java:293)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.discoverAndAddIdp(SAML2AuthManagerImpl.java:323)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.access$200(SAML2AuthManagerImpl.java:92)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl$MetadataRefreshTask.run(SAML2AuthManagerImpl.java:349)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:436)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.
Issue with Opensaml and Self-Signed Certificates
Hi,

When I use Opensaml on 4.10 with the self-signed certificates I get the following error, though the configuration for the opensaml and ssl is proper. It works fine if I debug and supply the password of the keystore in KeyStoreBuilder class, which is in not-yet-commons-ssl.jar.

Has anyone faced this issue? I tried with different versions of opensaml but nothing worked. Found similar issues on SO at [1], but none of them helped.

java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:450)
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:416)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:150)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.addIdpToMap(SAML2AuthManagerImpl.java:293)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.discoverAndAddIdp(SAML2AuthManagerImpl.java:323)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.access$200(SAML2AuthManagerImpl.java:92)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl$MetadataRefreshTask.run(SAML2AuthManagerImpl.java:349)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.commons.ssl.KeyStoreBuilder.tryJKS(KeyStoreBuilder.java:450)
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:416)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:150)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.addIdpToMap(SAML2AuthManagerImpl.java:293)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.discoverAndAddIdp(SAML2AuthManagerImpl.java:323)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.access$200(SAML2AuthManagerImpl.java:92)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl$MetadataRefreshTask.run(SAML2AuthManagerImpl.java:349)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
    at org.apache.commons.ssl.KeyStoreBuilder.parse(KeyStoreBuilder.java:436)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:207)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:160)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:165)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:170)
    at org.apache.commons.ssl.TrustMaterial.<init>(TrustMaterial.java:83)
    at org.opensaml.xml.security.x509.X509Util.decodeCertificate(X509Util.java:359)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificate(KeyInfoHelper.java:201)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:176)
    at org.opensaml.xml.security.keyinfo.KeyInfoHelper.getCertificates(KeyInfoHelper.java:150)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.addIdpToMap(SAML2AuthManagerImpl.java:293)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.discoverAndAddIdp(SAML2AuthManagerImpl.java:323)
    at org.apache.cloudstack.saml.SAML2AuthManagerImpl.a
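
The "lengthTag=109, too big" line in the trace above comes from the DER length check applied to the second byte of whatever was handed to the PKCS#12 loader. As an added illustration (not code from this thread, CloudStack or OpenSAML), the Java class below applies that X.690 length rule to constructed sample prefixes, showing that a second byte of 0xED, as in the JKS magic number FE ED FE ED, is what yields 109. The class name, method names and sample bytes are assumptions.

```java
import java.nio.charset.StandardCharsets;

public class DerLengthProbe {
    // Applies the X.690 length-octet rule to the second byte of the input,
    // with the four-octet cap behind the "too big" wording in the trace.
    static String lengthOctet(byte[] head) {
        if (head.length < 2) return "input too short";
        int b = head[1] & 0xFF;
        if ((b & 0x80) == 0) return "short form, length=" + b;
        int n = b & 0x7F; // long form: count of length octets that follow
        if (n == 0) return "indefinite length (not valid DER)";
        if (n > 4) return "lengthTag=" + n + ", too big";
        return "long form, " + n + " length octet(s) follow";
    }

    // PKCS#12 stores and X.509 certificates both start with a SEQUENCE (0x30).
    static String describe(byte[] head) {
        String tag = (head.length > 0 && (head[0] & 0xFF) == 0x30)
                ? "SEQUENCE tag" : "not a SEQUENCE tag";
        return tag + "; " + lengthOctet(head);
    }

    public static void main(String[] args) {
        // Constructed sample prefixes, not bytes taken from the thread.
        byte[] derCert = {0x30, (byte) 0x82, 0x03, 0x5B};
        byte[] jksMagic = {(byte) 0xFE, (byte) 0xED, (byte) 0xFE, (byte) 0xED};
        byte[] pemText = "-----BEGIN CERTIFICATE-----"
                .getBytes(StandardCharsets.US_ASCII);
        byte[] base64Text = "MIIDWzCC".getBytes(StandardCharsets.US_ASCII);

        System.out.println("DER certificate : " + describe(derCert));
        System.out.println("JKS keystore    : " + describe(jksMagic));
        System.out.println("PEM text        : " + describe(pemText));
        System.out.println("bare base64 text: " + describe(base64Text));
    }
}
```

Running the same check over the first bytes of the file or buffer that reaches KeyStore.load shows which format is actually being parsed before any password is tried.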