I am developing a project using the Demoiselle Signer framework. However, I am unable to sign the document with the generated certificate. It always produces the following error:
org.demoiselle.signer.core.repository.CRLRepositoryException: Could not retrieve a valid CRL address (certificate revocation list) from the certificate.
Project code:
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
// Package names follow Demoiselle Signer; adjust them to the version in use.
import org.demoiselle.signer.core.repository.Configuration;
import org.demoiselle.signer.policy.impl.cades.factory.PKCS7Factory;
import org.demoiselle.signer.policy.impl.cades.pkcs7.impl.CAdESSigner;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@RequestMapping(value = "/certificate", params = {"path"}, method = RequestMethod.GET)
public byte[] assinaturaCadesDetached(@RequestParam("path") String pathFileTxt) throws Exception {
    byte[] content = readContent(pathFileTxt);

    // Signer chain: only the end-entity certificate is supplied here.
    X509Certificate[] certificates = new X509Certificate[1];
    certificates[0] = getCertificate();
    CAdESSigner signer = (CAdESSigner) new PKCS7Factory().factoryDefault();
    signer.setCertificates(certificates);

    // The key file must be an unencrypted PKCS#8 DER blob (openssl pkcs8 -topk8 -nocrypt -outform DER).
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(
            readContent("/home/rcarauta/desenvolvimento/certificado/client.der"));
    PrivateKey privKey = KeyFactory.getInstance("RSA").generatePrivate(spec);
    signer.setPrivateKey(privKey);

    // CRL repository in offline mode, as in the original code.
    Configuration config = Configuration.getInstance();
    config.setOnline(false);

    return signer.doDetachedSign(content);
}

private X509Certificate getCertificate() throws IOException, CertificateException {
    String pathFile = "/home/rcarauta/desenvolvimento/certificado/client.crt";
    ByteArrayInputStream bytes = new ByteArrayInputStream(readContent(pathFile));
    CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    return (X509Certificate) certFactory.generateCertificate(bytes);
}

private byte[] readContent(String pathFileTxt) throws IOException {
    return Files.readAllBytes(new File(pathFileTxt).toPath());
}
Step by step, how the certificates were generated:
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl x509 -in client.crt -out client.pem -outform PEM
openssl pkcs8 -topk8 -in private.pem -outform DER -nocrypt -out private.der
The CDP extension (CRL Distribution Point) was not put in the certificate; see examples of how to do it here and here
– hkotsubo
You can also use Java itself to generate the certificates; you can use the code of this answer as a base and add the CDP by adapting these examples. Another way is to check in the Demoiselle documentation whether you can disable the CRL check (I don't know Demoiselle, but I've seen APIs that have this option)
– hkotsubo
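The following is an added example, not code from the question or from the Demoiselle Signer project, of what the comments above suggest: re-issuing the client certificate with OpenSSL so that it carries a CRL Distribution Point, then checking that the extension is really present before handing the certificate to the signer. The CA name, the file names, the key size and the CRL URL (http://ca.example.com/ca.crl) are assumptions for the demo; the only point that matters is the -extfile step, because openssl x509 -req does not copy extensions from the CSR, so a CDP has to be added when the certificate is signed.

```shell
#!/bin/sh
# Added example: issue a client certificate that carries a CRL Distribution
# Point (CDP) and verify it. Names, paths and the CRL URL are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CRL_URL="${CRL_URL:-http://ca.example.com/ca.crl}"   # hypothetical CRL location

# Generates ca.crt, client.crt (with CDP) and client.der (PKCS#8) in $WORKDIR.
gen_certs() {
  cd "$WORKDIR"

  # 1. Demo CA: key and self-signed certificate (no passphrase, demo only).
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Demo CA" \
      -out ca.crt 2>/dev/null

  # 2. Client key and certificate request.
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -new -key client.key -subj "/CN=client" -out client.csr 2>/dev/null

  # 3. Extensions for the leaf certificate. "openssl x509 -req" ignores
  #    extensions in the CSR, so the CDP is supplied here via -extfile.
  cat > client.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation
crlDistributionPoints=URI:$CRL_URL
EOF

  # 4. Sign the request with the CA, adding the extensions.
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
      -set_serial 01 -extfile client.ext -out client.crt 2>/dev/null

  # 5. Unencrypted PKCS#8 DER key, the format PKCS8EncodedKeySpec expects.
  openssl pkcs8 -topk8 -in client.key -outform DER -nocrypt -out client.der
}

# Prints the URI(s) found in the certificate's CRL Distribution Points
# extension, or nothing when the certificate has no CDP.
cdp_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

gen_certs
echo "CDP in client.crt: $(cdp_of "$WORKDIR/client.crt")"
echo "CDP in ca.crt:     ${CA_CDP:-$(cdp_of "$WORKDIR/ca.crt")}"
```

Two practical checks go with this. First, a CDP only tells the verifier where to look: the CA has to actually publish a CRL it signed at that URL (or the CRL has to be placed in the signer's local repository when running with setOnline(false)), otherwise the revocation check still cannot complete. Second, the Java code in the question reads client.der while the OpenSSL steps write private.der from private.pem; whichever name is used, the file fed to PKCS8EncodedKeySpec must be the unencrypted PKCS#8 DER output of step 5, not the DES3-protected client.key.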