Hey All,

I am currently building a PKI bolt-on for an existing insecure web application and have run into trouble at the last hurdle. I have written a CA using BouncyCastle's library with JCE which will be used to create certificates to gain entry to certain restricted areas.

I am using Apache 2.0.44 (Slackware 8) mod_ssl 2.0.44 (OpenSSL 0.9.6d) mod_jk 1.2.2 with Tomcat 4.1.18, and JDK 1.4.1

When I try to access a restricted area, I am prevented, as expected. I then build myself a certificate and attempt to access the same area and I am let in with the usual warnings about self-signed certificates. My problem occurs when I set "SSLOptions +StdEnvVars +ExportCertData" in httpd.conf. I do this so that I can access the certificate in a servlet that sits behind Apache in Tomcat, which needs to do some further processing with the certificate.

Catalina throws an exception:

Mar 14, 2003 12:40:58 PM org.apache.jk.server.JkCoyoteHandler action
SEVERE: Certificate convertion failed
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=62, too big.
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:289)
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:94)
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:389)
at org.apache.jk.server.JkCoyoteHandler.action(JkCoyoteHandler.java:395)
at org.apache.coyote.Response.action(Response.java:222)
at org.apache.coyote.tomcat4.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:310)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:221)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:632)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:590)
at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:707)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:530)
at java.lang.Thread.run(Thread.java:536)
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=62, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:502)
at sun.security.util.DerInputStream.getLength(DerInputStream.java:476)
at sun.security.util.DerValue.<init>(DerValue.java:233)
at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:358)
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1608)
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:286)
... 13 more



Apache seems OK (no error in error_log or catalina_log) and I seem to go through the authentication process OK. I have no idea what this error means, since my only theory that the browser cert is invalid cannot be true if mod_ssl accepts it... or can it?


Any help would be appreciated - thanks for your patience.

Ramsay


============================================================================
A R K E M E D I A T E C H N O L O G I E S L T D VIEW POINT BASING VIEW BASINGSTOKE HAMPSHIRE RG21 4HG http://www.arkemedia.com mailto:[EMAIL PROTECTED] Tel : +44 1256 869 200 Fax : +44 1256 329 119 ============================================================================

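Added diagnostic, not part of the post above or of Tomcat/mod_jk: the "lengthTag=62, too big" text in the trace is the Sun provider's DerInputStream complaining that a long-form DER length byte announced more than four length bytes (62 means the byte following the tag was 0xBE), so whatever JkCoyoteHandler handed to CertificateFactory.generateCertificate did not start with a well-formed DER certificate. The script below re-implements that length rule, classifies a blob as PEM, DER or neither, and recovers DER from a PEM block whose line breaks were replaced by spaces (a transport mangling I assume as one possible cause; the post does not confirm it). All sample bytes are constructed here and are not a real certificate; the function names are my own.

```python
import base64
import re

# Constructed sample: a DER SEQUENCE with a 256-byte body. Only the outer
# tag/length is exercised; the body is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def _wrap_pem(der: bytes, sep: bytes = b"\n") -> bytes:
    """Build a PEM CERTIFICATE block, using `sep` between lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----" + sep + sep.join(lines) + sep
            + b"-----END CERTIFICATE-----" + sep)


SAMPLE_PEM = _wrap_pem(SAMPLE_DER)          # properly newline-separated PEM
MANGLED_PEM = _wrap_pem(SAMPLE_DER, b" ")   # same block, newlines turned into spaces


def der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; returns (length, bytes_consumed).

    Mirrors sun.security.util.DerInputStream.getLength(): a byte below 0x80
    is the length itself; 0x80|n means n further bytes hold the length;
    n == 0 (indefinite) is not DER, and n > 4 is rejected with the exact
    message seen in the Tomcat trace.
    """
    first = buf[pos]
    if first & 0x80 == 0:
        return first, 1
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length is not DER")
    if n > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return length, 1 + n


def classify_cert_blob(data: bytes) -> str:
    """Report what a blob that should be a certificate actually looks like.

    'pem'     - begins with PEM armour, which CertificateFactory accepts
    'der'     - begins with a SEQUENCE tag (0x30) and a length that fits
    'garbage' - neither; includes the reason the JDK parser would give
    """
    if not data:
        return "garbage (empty)"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    if data[:1] != b"\x30":
        return "garbage (first byte 0x%02x is not a SEQUENCE tag)" % data[0]
    try:
        length, consumed = der_length(data, 1)
    except ValueError as e:
        return f"garbage ({e})"
    available = len(data) - 1 - consumed
    if length > available:
        return f"garbage (declared length {length} exceeds {available} available bytes)"
    return "der"


_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Recover DER from a PEM block even if its line breaks were replaced by
    spaces or dropped on the way through an environment variable or AJP
    attribute (assumed mangling; strip all whitespace before decoding)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM CERTIFICATE armour found")
    body = re.sub(rb"\s+", b"", m.group(1))
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    for label, blob in [("pem", SAMPLE_PEM), ("mangled pem", MANGLED_PEM),
                        ("der", SAMPLE_DER), ("0x30 0xBE", b"\x30\xbe\x00")]:
        print(f"{label:12s} -> {classify_cert_blob(blob)}")
    print("mangled PEM decodes to same DER:", pem_to_der(MANGLED_PEM) == SAMPLE_DER)
```

To use it against the real setup, dump the value of the SSL_CLIENT_CERT variable that mod_ssl exports under +ExportCertData (from a CGI script or from the attribute Tomcat receives) to a file and run classify_cert_blob over those bytes: if it reports PEM the JDK should accept it, whereas a first byte other than 0x30 or '-' shows the bytes were altered before reaching the parser.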