I'm trying to import a certificate that I've recently installed in Windows into Java to use with xades4j. Unfortunately, I'm pretty new when it comes to certificates and keys and all that.
Every time I run the program however, I get the following error:
>xades4j.verification.UnexpectedJCAException: The keystore couldn't be initialized
at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:179)
at xades4j.providers.impl.KeyStoreKeyingDataProvider.getSigningCertificateChain(KeyStoreKeyingDataProvider.java:189)
at xades4j.production.SignerBES.sign(SignerBES.java:159)
at xades4j.production.SignerBES.sign(SignerBES.java:130)
at com.logic.test.signBes(test.java:138)
at com.logic.test.<init>(test.java:80)
at com.view.FrmMenu.<init>(FrmMenu.java:41)
at com.view.FrmMenu$9.run(FrmMenu.java:289)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:311)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:758)
at java.awt.EventQueue.access$500(EventQueue.java:97)
at java.awt.EventQueue$3.run(EventQueue.java:709)
at java.awt.EventQueue$3.run(EventQueue.java:703)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:74)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:728)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:205)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:116)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:105)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:82)
Caused by: java.security.KeyStoreException: KeyStore instantiation failed
at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1862)
at xades4j.providers.impl.KeyStoreKeyingDataProvider.ensureInitialized(KeyStoreKeyingDataProvider.java:175)
... 21 more
Caused by: java.io.IOException: DER input, Integer tag error
at sun.security.util.DerInputStream.getInteger(DerInputStream.java:192)
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1940)
at java.security.KeyStore.load(KeyStore.java:1445)
at java.security.KeyStore$Builder$FileBuilder$1.run0(KeyStore.java:1848)
at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1807)
at java.security.KeyStore$Builder$FileBuilder$1.run(KeyStore.java:1796)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.KeyStore$Builder$FileBuilder.getKeyStore(KeyStore.java:1858)
... 22 more
>
I need to sign an XML document with the XaDeS-BES format. I have imported a key (or certificate?) from disc, and it is in the Windows Trusted Root Certification Authorities certificates. I exported it onto the root of the C drive from the Windows Certificate Manager (certmgr.msc).
I found one post on this website that mentioned trying the following to initialize the KeyStore:
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
Unfortunately, there was no change.
The code that I used, based off of the example wiki:
private static final String CERT_FOLDER = "C:/";
private static final String CERT = "testkey.cer";
private static final String PASS = "test1234"; //the same in cert and keystorage
private static final String SIGNED = "persistent/xml/001-001-000000000new1.xml";
private static final String DOCUMENT = "persistent/xml/001-001-000000000.xml";
private static void signBes() throws Exception {
Document doc = DocumentBuilderFactory
.newInstance()
.newDocumentBuilder()
.parse(new File(DOCUMENT));
Element elem = doc.getDocumentElement();
DOMHelper.useIdAsXmlId(elem);
KeyingDataProvider kdp = new FileSystemKeyStoreKeyingDataProvider(
"pkcs12",
CERT_FOLDER + CERT,
new FirstCertificateSelector(),
new DirectPasswordProvider(PASS),
new DirectPasswordProvider(PASS),
true);
DataObjectDesc obj = new DataObjectReference("#" + elem.getAttribute("Id"))
.withTransform(new EnvelopedSignatureTransform());
SignedDataObjects dataObjs = new SignedDataObjects().withSignedDataObject(obj);
// KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// ks.load(null, null);
XadesSigner signer = new XadesBesSigningProfile(kdp).newSigner();
signer.sign(dataObjs, elem);
TransformerFactory tFactory = TransformerFactory.newInstance();
Transformer transformer = tFactory.newTransformer();
DOMSource source = new DOMSource(doc);
StreamResult result = new StreamResult(new File(SIGNED));
transformer.transform(source, result);
}
Thank you for any and all help.
To execute a signing operation you need a key/certificate pair, namely a PKCS12 container. On Windows, that pair is usually a .pfx or .p12 file. I'm no sure what the problem is, but here are some considerations that may help you:
FileSystemKeyStoreKeyingDataProvider the trust chain is actually less relevant. It becomes relevant when you verify the signature..cer). I don't know how you got the certificate in the first place, but is should have been supplied along with a key, probably bundled in a .pfx file protected with a password.FileSystemKeyStoreKeyingDataProvider you should
pass the PKCS12 file (e.g. the .pfx)Hope this helps.