On 06/02/2013 09:42 PM, [email protected] wrote:
>
> Quoting Martijn Brinkers <[email protected]>:
>
>> On 05/31/2013 10:24 PM, Martijn Brinkers wrote:
>>> On 05/31/2013 10:21 PM, [email protected] wrote:
>>>> since release 2.5 some certificates fail with "Error building certPath.
>>>> No data available in passed DER encoded value." The Issuer certificates
>>>> are available and shown as valid, Djigzo Version 2.4.x also shows the
>>>> certs as valid. Any idea what could be wrong?
>>>
>>> No, this is new to me. Can you send me the certificates? Or are you
>>> unable to export them?
>>
>> The certificate contains invalid data (at least invalid according to RFC
>> 5280). The invalid data was silently ignored with OpenJDK 6 but OpenJDK
>> 7 seems to be more strict (the Virtual Appliance by default uses
>> OpenJDK 6).
>>
>> Details:
>>
>> The IssuerAltName extension is defined in RFC 5280 as:
>>
>> IssuerAltName ::= GeneralNames
>>
>> GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
>>
>> So there should be at least one GeneralName if the IssuerAltName
>> extension is defined. The certificate in question however contains an
>> empty IssuerAltName sequence. This is not allowed. In Java 6, this was
>> silently discarded but Java 7 seems to be more strict.
>>
>> For a similar report see
>> https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=441801.
>>
>> Kind regards.
>>
>> Martijn Brinkers
>
> I see, so the real "fix" would be to get a more obvious error message in
> Djigzo? If the certificate is invalid Djigzo is right to say so, but a
> pointer to *what* is invalid would be great.

The problem is that the exception is thrown somewhere deep within a Java
class. The information which is shown is the information which is
available. Because I analysed the certificate manually (using a Java
test and ASN.1 dump) I know why the certificate is not valid.

> And BTW no need for
> additional Djigzo workarounds as it is still possible to add such
> certificates to the CTL.

You are right. I didn't think about this workaround :)

Kind regards,

Martijn

-- 
DJIGZO email encryption
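
Added example, not part of the original thread and not Djigzo's code: a standard-library Python check for the condition described above, an IssuerAltName extension (OID 2.5.29.18) whose GeneralNames SEQUENCE is empty. The function names and the two sample byte strings are constructed for illustration; the walker also accepts a full DER-encoded certificate, assuming single-byte tags.

```python
IAN_OID = bytes.fromhex("551d12")  # 2.5.29.18, id-ce-issuerAltName

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each element packed inside content."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def empty_issuer_alt_name(der):
    """True if any IssuerAltName extension carries an empty GeneralNames."""
    for tag, body in children(der):
        if not tag & 0x20:                 # primitive element: nothing to descend into
            continue
        kids = list(children(body))
        if tag == 0x30 and kids and kids[0] == (0x06, IAN_OID):
            # Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }
            inner_tag, inner, _ = read_tlv(kids[-1][1], 0)
            if inner_tag == 0x30 and len(inner) == 0:
                return True                # violates SIZE (1..MAX) from RFC 5280
        elif empty_issuer_alt_name(body):
            return True
    return False

def tlv(tag, content=b""):
    """Encode one element; short-form length is enough for the samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def ian_extension(general_names):
    return tlv(0x30, tlv(0x06, IAN_OID) + tlv(0x04, tlv(0x30, general_names)))

# Constructed samples: an Extensions list with an empty and a populated IssuerAltName.
BAD = tlv(0x30, ian_extension(b""))
GOOD = tlv(0x30, ian_extension(tlv(0x81, b"ca@example.test")))  # rfc822Name [1]

if __name__ == "__main__":
    print("BAD :", empty_issuer_alt_name(BAD))
    print("GOOD:", empty_issuer_alt_name(GOOD))
```

Running it over the DER bytes of a certificate before import gives the "what is invalid" pointer that the Java exception does not.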
