Error eID-dss: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big.


ko...@thomeer.be

May 7, 2012, 3:49:20 PM
to eid-a...@googlegroups.com
I have received a new certificate from the "eHealth Platform". It is strange, but eID-dss from e-contract doesn't accept the certificate because of the length?

I find it strange, because the length of the old and new certificate is not that different:

Size:
OLD: 1753 Byte
NEW: 1780 Byte

Or is it about the content?

Bug or not?

Bavo Van den Heuvel

May 7, 2012, 4:25:42 PM
to eid-a...@googlegroups.com
Ehealth cert is issued by gov ca, not citizen ca as eid
And cert is not same "level" as eid


Bavo


--
You received this message because you are subscribed to the Google Groups "eID Applet" group.
To view this discussion on the web visit https://groups.google.com/d/msg/eid-applet/-/H2ATNYKA0IkJ.
To post to this group, send email to eid-a...@googlegroups.com.
To unsubscribe from this group, send email to eid-applet+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/eid-applet?hl=en.

Frank Cornelis

May 8, 2012, 4:36:37 AM
to eid-a...@googlegroups.com
Hi Koen,


What do you mean exactly with "eID-dss from e-contract doesn't accept
the certificate"?

The eID DSS can only accept (signed) documents.


Kind Regards,
Frank.

Bavo Van den Heuvel CRANIUM BVBA

May 8, 2012, 5:19:35 AM
to eid-a...@googlegroups.com
the old you received from the ehealth platform, it contains the specific string: "eHealth platform belgium"

the new one you ordered not from ehealth?

on the other hand, both certs come from gov ca, does not give qualified certs to my knowledge






ko...@thomeer.be

May 9, 2012, 2:58:38 PM
to eid-a...@googlegroups.com
Hi Frank,

it is not for signing the documents, but for making the ServiceSignature in the eID DSS Browser POST Protocol (page 4 dev guide).

Koen


Cornelis Frank

May 10, 2012, 1:26:19 AM
to eid-a...@googlegroups.com
Hi Koen,


OK, I see what you mean now. At first I couldn't find the corresponding exception in my logs, but then again I've installed a new eID services distribution on the e-contract.be server two days ago. In the old logs I indeed could locate the following:

2012-05-07 21:27:59,116 ERROR [be.fedict.eid.dss.webapp.ProtocolEntryServlet] (ajp-127.0.0.1-8009-169) Protocol error: cert decoding error: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big.: java.lang.IllegalArgumentException: cert decoding error: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big.
at be.fedict.eid.dss.protocol.simple.SimpleDSSProtocolService.handleIncomingRequest(SimpleDSSProtocolService.java:164) [:]
at be.fedict.eid.dss.webapp.ProtocolEntryServlet.handleRequest(ProtocolEntryServlet.java:149) [:]
at be.fedict.eid.dss.webapp.AbstractProtocolServiceServlet.doPost(AbstractProtocolServiceServlet.java:194) [:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [:1.0.0.Final]


This is probably BouncyCastle or so that has problems with parsing the certificate. I'll check it out. Can I use your provided certificates in a unit test (will be part of the eID DSS source code tree)?


Kind Regards,
Frank.

Koen Thomeer

May 10, 2012, 3:42:15 AM
to eid-a...@googlegroups.com
You can use the certificates, but you won't get the private keys. The certs are used in production for the eHealth Platform.

Sincerely,

Koen




--
Koen Thomeer, MD, MSc
http://koen.thomeer.be

Frank Cornelis

May 11, 2012, 5:42:23 AM
to eid-a...@googlegroups.com
Hi Koen,


Just added a unit test to verify the correct parsing of both your certificates:
http://code.google.com/p/eid-dss/source/detail?r=274

Nothing wrong with that. Are you sure that you pass the certificate as base64 DER encoded? So not as base64 PEM encoded?


Kind Regards,
Frank.

ko...@thomeer.be

May 14, 2012, 4:37:17 AM
to eid-a...@googlegroups.com
PEM = BASE64 ENCODED of DER Certificate

But, it works now: I repasted the PEM certificate and it works.

It's strange, because the certificate was already used for other applications (Shibboleth, eHealth Codage, PDF Signing, ...). Maybe a whitespace problem?

The cert that is used now (copy/paste from file):
Koen

--
Koen Thomeer, MD, MSc
http://koen.thomeer.be

Frank Cornelis

May 14, 2012, 5:36:03 AM
to eid-a...@googlegroups.com
Hi Koen,


> PEM = BASE64 ENCODED of DER Certificate

Not exactly as PEM also adds a header/footer to it. The point here is that you probably did a double base64 by doing base64 on the PEM, or by directly passing the PEM, which is not OK as there are the PEM header/footer in that case.


Kind Regards,
Frank.

ko...@thomeer.be

May 14, 2012, 5:31:57 PM
to eid-a...@googlegroups.com
The error was the whitespace.

I let my PHP code find the file and strip the header/footer off. If there is a whitespace too much, stripping didn't work.

Thanks for the work. I shall use econtract.be in production from next week. You can expect a higher load: many General Practitioners will use the application!

Sincerely,

Koen


Frank Cornelis

May 16, 2012, 3:58:56 AM
to eid-a...@googlegroups.com
Hi Koen,


Glad you've found the issue.

Handling the load still is no problem at all, but thanks for letting me know. Within like a month I'll be moving e-contract.be to new hardware anyway.


Kind Regards,
Frank.
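
Added example, not part of the thread and not eID DSS code: a Python sketch of the failure Frank describes (PEM header/footer passed where base64 DER is expected) and that Koen traced to whitespace defeating his header stripping. It assumes a receiver whose base64 decoder accepts the URL-safe alphabet ('-' read as value 62); under that assumption the leftover header dashes decode to FB EF BE, and 0xEF read as a DER length octet announces 111 length octets, the number in the logged error. The stand-in DER blob and all function names are constructed for illustration.

```python
import base64
import re

# Constructed stand-in for a certificate: a DER SEQUENCE (tag 0x30) whose
# long-form length (0x82 01 2c) covers 300 filler bytes. Not a real cert.
DER = b"\x30\x82\x01\x2c" + bytes(300)
HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
BODY = base64.encodebytes(DER).decode()          # wrapped lines, like a PEM body
PEM_CLEAN = f"{HEADER}\n{BODY}{FOOTER}\n"
PEM_SPACE = f"{HEADER} \n{BODY}{FOOTER}\n"       # one stray space after the header

def naive_strip(pem: str) -> str:
    """Exact-match stripping: a header that differs by one space is left in place."""
    return pem.replace(HEADER + "\n", "").replace(FOOTER + "\n", "").replace("\n", "")

def lenient_decode(b64: str) -> bytes:
    """Assumed receiver behaviour: skip whitespace/padding, read '-' as URL-safe 62."""
    s = re.sub(r"[\s=]+", "", b64)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def der_total_length(data: bytes) -> int:
    """Size (header + content) declared by the outer TLV of `data`."""
    first = data[1]
    if first < 0x80:                             # short form: the length itself
        return 2 + first
    n = first & 0x7F                             # long form: count of length octets
    if not 1 <= n <= 4:
        raise ValueError(f"implausible length field: lengthTag={n}")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

PEM_RE = re.compile(rf"{HEADER}\s*(.*?)\s*{FOOTER}", re.S)

def pem_to_b64_der(pem: str) -> str:
    """Whitespace-tolerant extraction, strict decode, structure check, one-line base64 DER."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    if der[:1] != b"\x30" or der_total_length(der) != len(der):
        raise ValueError("decoded data is not one DER SEQUENCE")
    return base64.b64encode(der).decode()

if __name__ == "__main__":
    bad = lenient_decode(naive_strip(PEM_SPACE))
    print(bad[:3].hex(), pem_to_b64_der(PEM_SPACE) == pem_to_b64_der(PEM_CLEAN))
```

Checking the decoded bytes on the sending side (first byte 0x30, declared length equal to actual length) catches the problem before the request is posted.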