This question already has answers here:
Why does SSL handshake give 'Could not generate DH keypair' exception?
(22 answers)
Closed 4 years ago.
I have a Java program and it sends mails to the users. For a week the mails haven't been sent anymore. I didn't change anything, but now I get this error:
connexion failed: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Exception in thread "main" java.lang.RuntimeException: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at Launcher$Connexion.<init>(Launcher.java:33)
at Launcher.main(Launcher.java:52)
Caused by: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:1407)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1205)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:322)
at javax.mail.Service.connect(Service.java:236)
at javax.mail.Service.connect(Service.java:137)
at Launcher$Connexion.<init>(Launcher.java:28)
I contacted Fastmail (the mail server) and they say that the insecure cert is self-signed and does not expire until 2021.
So I don't know what the problem is.
Please add DH parameter limits to the certificate of the target server. Custom DH parameters should be generated using the openssl dhparam command and applied with the SSLCertificateFile directive. Please note that custom DH parameters with a 1024-bit prime will always take precedence over any of the built-in DH parameters.
You should update your Java version to at least version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
Please see: Java: Why does SSL handshake give 'Could not generate DH keypair' exception?
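Added diagnostic, not code from the question or the answer above: it asks the running JVM to generate the Diffie-Hellman key sizes a mail server may negotiate. On Java 7 the 2048-bit call is refused with the InvalidParameterException that JSSE wraps into "Could not generate DH keypair"; on Java 8 and later it succeeds.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Map;

public class DhKeySizeProbe {

    /** The legacy 1024-bit group size and the 2048-bit size servers have moved to. */
    private static final int[] CANDIDATE_BITS = {1024, 2048};

    /**
     * Maps each key size to null (generation succeeded) or to the provider's refusal message.
     * During ServerKeyExchange the JSSE client runs KeyPairGenerator("DH") with the prime size
     * the server chose, so a refusal here is exactly what makes the handshake fail.
     */
    public static Map<Integer, String> probe() throws NoSuchAlgorithmException {
        Map<Integer, String> result = new LinkedHashMap<>();
        for (int bits : CANDIDATE_BITS) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            try {
                kpg.initialize(bits);       // refuses sizes above the JVM's built-in limit
                kpg.generateKeyPair();      // uses the JDK's precomputed group for this size
                result.put(bits, null);
            } catch (InvalidParameterException e) {
                result.put(bits, e.getMessage());
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Map.Entry<Integer, String> e : probe().entrySet()) {
            String verdict = e.getValue() == null ? "OK" : "refused (" + e.getValue() + ")";
            System.out.printf("%4d-bit DH: %s%n", e.getKey(), verdict);
        }
    }
}
```

If the 2048-bit line reads "refused", the client JVM cannot complete a handshake with a server that offers a 2048-bit DH group, regardless of the server's certificate.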
Related
I am trying to send a pkcs10Request to EJBCA via its SOAP web service. The method signature is (from the docs):
CertificateResponse pkcs10Request(java.lang.String username,
java.lang.String password,
java.lang.String pkcs10,
java.lang.String hardTokenSN,
java.lang.String responseType)
where
pkcs10 - the base64 encoded PKCS10 (only the public key is used.)
username - the unique username
password - the password sent with editUser call
hardTokenSN - Hard Token support was dropped since 7.1.0. Use null as this parameter
responseType - indicating which type of answer should be returned, one of the CertificateHelper.RESPONSETYPE_ parameters.
The goal is generating a certificate for a user.
The PKCS#10 was made with Java keytool, and looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----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-----END NEW CERTIFICATE REQUEST-----
I send the request like this:
Pkcs10Request request = new Pkcs10Request();
request.setArg0(certRqDto.getUsername());
request.setArg1(certRqDto.getPassword());
request.setArg2(certRqDto.getPkcs10());
request.setArg3(null);
request.setArg4("CERTIFICATE");
JAXBElement<Pkcs10Request> element = objectFactory.createPkcs10Request(request);
JAXBElement<Pkcs10RequestResponse> response = (JAXBElement<Pkcs10RequestResponse>) wsClient.getWebServiceTemplate().marshalSendAndReceive(element, new SoapActionCallback(EMPTY_ACTION_STRING));
But I'm getting an error, and in EJBCA's log I see this:
2021-05-18 09:33:00,429 DEBUG [org.cesecore.certificates.certificate.request.RequestMessageUtils] (default task-2) Message not base64 encoded? Trying as binary: Error in input buffer, missing -----BEGIN NEW CERTIFICATE REQUEST----- boundary
2021-05-18 09:33:00,429 WARN [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-2) PKCS10 not initiated! unknown tag 13 encountered
...
2021-05-18 09:33:00,431 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component CertificateCreateSessionBean for method public abstract org.cesecore.certificates.certificate.request.CertificateResponseMessage org.cesecore.certificates.certificate.CertificateCreateSessionLocal.createCertificate(...)
...
Caused by: java.lang.NullPointerException
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:444)
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:430)
If I'm not mistaken, the reason is in the pkcs10.
But it contains the substring "-----BEGIN NEW CERTIFICATE REQUEST-----".
I can't understand in what format I must send the PKCS#10.
I'm new to this, please help.
Sending the request without the header
-----BEGIN NEW CERTIFICATE REQUEST-----
and the footer helped me.
I am using a Tomcat 8 server and BouncyCastle for document signing.
One WAR file is already running on my server. When I deploy a new WAR file for my second project, I get the exception below.
I have tried every link on Stack Overflow by trial and error, but no luck.
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading
Illegal access: this web application instance has been stopped
already. Could not load
[org.bouncycastle.jcajce.provider.digest.GOST3411$Mappings]. The
following stack trace is thrown for debugging purposes as well as to
attempt to terminate the thread which caused the illegal access.
java.lang.IllegalStateException: Illegal access: this web application
instance has been stopped already. Could not load
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// log, password and SignerUtil are fields and helpers of the poster's project, not shown here.
public static void xmlSigner(File xmlFile, String pfxFilePath) {
    try {
        File pfxFile = new File(pfxFilePath);
        // Registers BC JVM-wide on every call; the registered provider instance then
        // references this web application's class loader for as long as it stays registered.
        Security.addProvider(new BouncyCastleProvider());
        log.info("Above key store ");
        KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
        log.info("below key store ");
        // Close the stream once the store is loaded instead of leaking the file handle.
        try (InputStream in = new FileInputStream(pfxFile)) {
            keyStore.load(in, password.toCharArray());
        }
        log.info("load pfx file key store ");
        String alias = keyStore.aliases().nextElement();
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, password.toCharArray());
        Certificate[] certificateChain = keyStore.getCertificateChain(alias);
        // Note: index 0 of the chain is the end-entity certificate; the last element is the
        // top of the chain (usually the issuing or root CA certificate).
        X509Certificate publickeyCertificate = (X509Certificate) certificateChain[certificateChain.length - 1];
        //log.info("privateKey : " + privateKey);
        //log.info("xmlSigner : " + xmlFile);
        log.info("SignerClient - Above Sign and Zip");
        SignerUtil.signAndzipFile(xmlFile, privateKey, publickeyCertificate);
        log.info("Successfully Signed");
    } catch (Exception xmlSignerException) {
        log.error("xmlSigner : ", xmlSignerException);
        xmlSignerException.printStackTrace();
    }
}
I am getting the exception on the line below:
KeyStore keyStore = KeyStore.getInstance("pkcs12", "BC");
I have faced the same issue; a Tomcat restart resolved it.
keystore = KeyStore.getInstance("PKCS12", "BC");
// java.security.KeyStoreException: PKCS12 not found
Caused by: java.security.NoSuchAlgorithmException: class configured for KeyStore (provider: BC) cannot be found.
at java.security.Provider$Service.getImplClass(Provider.java:1649)
at java.security.Provider$Service.newInstance(Provider.java:1592)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
at java.security.Security.getImpl(Security.java:698)
at java.security.KeyStore.getInstance(KeyStore.java:896)
... 11 more
Caused by: java.lang.ClassNotFoundException: Illegal access: this web application instance has been stopped already. Could not load [org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$BCPKCS12KeyStore]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1354)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1211)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1172)
at java.security.Provider$Service.getImplClass(Provider.java:1636)
... 16 more
Caused by: java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi$BCPKCS12KeyStore]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1364)
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1352)
... 19 more
Please first check whether org.bouncycastle is present in several versions. Keep one version, and if you use Tomcat, restart Tomcat.
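Added example, not code from the answers above. The JVM-wide provider list outlives a redeployed web application: when bcprov is bundled in WEB-INF/lib and registered with Security.addProvider(), the registered "BC" provider keeps pointing at the stopped context's class loader, and the next KeyStore.getInstance("PKCS12", "BC") fails with the IllegalStateException shown in the trace. This listener registers the provider once per context, unregisters it when the context stops, and reports which jar and class loader own an already registered copy (which is how you notice a second version). The class name is assumed.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

@WebListener
public class BcProviderLifecycle implements ServletContextListener {

    /** True only if this context added the provider, so we never remove another app's copy. */
    private boolean registeredHere;

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        Provider existing = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        if (existing == null) {
            Security.addProvider(new BouncyCastleProvider());
            registeredHere = true;
            sce.getServletContext().log("BC registered from " + describe(Security.getProvider("BC")));
            return;
        }
        ClassLoader ours = BouncyCastleProvider.class.getClassLoader();
        if (existing.getClass().getClassLoader() != ours) {
            // Another web application (or a stopped copy of this one) owns the registered
            // provider. Its class loader, not ours, will serve "BC" requests from this app.
            // Fix: ship exactly one bcprov jar in $CATALINA_BASE/lib so the common loader owns it.
            sce.getServletContext().log("WARNING: BC already registered by a different class loader: "
                    + describe(existing) + "; this app's copy is " + describe(new BouncyCastleProvider()));
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        if (registeredHere) {
            // Drop the reference to this context's class loader before Tomcat discards it.
            Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        }
    }

    /** Jar location and class loader of a provider instance, for comparing deployed versions. */
    static String describe(Provider p) {
        if (p == null) return "not registered";
        Class<?> c = p.getClass();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        String where = src == null ? "bootstrap" : String.valueOf(src.getLocation());
        return "version " + p.getVersion() + " at " + where + " via " + c.getClassLoader();
    }
}
```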
I use Netty to implement a server with a secure socket. My code for the sslHandler is:
SslHandler sslHandler = SslContextBuilder
.forServer(certFile, keyFile)
.trustManager(trustFile)
.clientAuth(ClientAuth.REQUIRE)
.build()
.newHandler(channel.alloc());
trustFile is a File object which contains around 700 certificates as PEM text, like:
-----BEGIN CERTIFICATE-----
MIIEHDCCAwSgAwIBAgIJAOR6+3G8C6f7MA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
VQQGEwJVUzESMBAGA1UECAwJQ2FsaWZvbWlhMRwwGgYDVQQKDBNDaXNjbyBTeXN0
................................................................
igHdyc519KbYSMfhuM9gXw35LPmFWStBGYikBcMZJ1WmWxb/eZOK1SMjVQ/L/JVg
-----END CERTIFICATE-----
When I connect to the server with
curl -k -v -E client.pem --key client.key.pem --cacert rootCA.pem https://10.140.28.33:31069
an exception pops up:
11:00:18.636 [nioEventLoopGroup-3-2] WARN io.netty.channel.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: java.lang.RuntimeException: Field length overflow, the field length (106142) should be less than 65536
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:138)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException: Field length overflow, the field length (106142) should be less than 65536
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1476)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
... 16 common frames omitted
Caused by: java.lang.RuntimeException: Field length overflow, the field length (106142) should be less than 65536
at sun.security.ssl.HandshakeOutStream.checkOverflow(HandshakeOutStream.java:231)
at sun.security.ssl.HandshakeOutStream.putInt16(HandshakeOutStream.java:163)
at sun.security.ssl.HandshakeMessage$CertificateRequest.send(HandshakeMessage.java:1442)
at sun.security.ssl.HandshakeMessage.write(HandshakeMessage.java:143)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:971)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:224)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214)
... 19 common frames omitted
But if I trim the trust file so that only a few certificates are left, no error happens.
Is it a JDK bug? How can I avoid it?
It may be a bug that JSSE doesn't give a clearer alert, but there is a fundamental problem.
When an SSL/TLS server requests client authentication, it normally sends a list of the certificate authorities the client should use in the Certificate Request message, see rfc5246 7.4.4 or earlier. Since you trust a huge number of self-signed certs, where each self-signer effectively acts as a CA for itself, this means your server needs to send a huge list of CAs -- but this list is limited to 65535 bytes total. Your exception shows you are trying to send 106142 bytes, which doesn't fit in 65535 bytes; this means your cert names (Subjects) average about 150 bytes, which seems to me a bit on the high side if these are used entirely within your enterprise and thus presumably don't need globally unique names like the public web (especially EV with its enhanced identity requirements).
One possible workaround, if all your clients know which cert to use without being prompted, is for the server to send the CA list as empty, which is permitted though not encouraged. JSSE simply populates CertReq.CAlist from the trustmanager's getAcceptedIssuers() method, and the TrustManager API is designed for customization, so you could just wrap the real X509TrustManager with one that validates the received cert chain normally, but returns getAcceptedIssuers() as an empty array. This is fairly easy with the actual Java classes (SSLContext et amici) but I'm not sure exactly where to look in Netty's 'improvements'.
But a better solution, as noted in comments by EJP, is not to individually trust a huge number of self-signed certs but instead have a CA issue the client certs; then the server need only trust that CA (and transitively the certs it issues), and CertReq automatically specifies only that CA. If you don't already have a suitable established CA to use, there are many options to do your own CA, discussed in other Qs here and other Stacks (IME mostly security.SX, unix.SX and serverfault), but given you are using Java remember that since j7 keytool -gencert does a minimal but usable CA function. (In addition to keypair and CSR generation, which keytool has done back to the dark ages.)
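The trust-manager wrapping the answer describes, as an added example that is not the answer's code: client chains are still validated against the full trust file, but getAcceptedIssuers() returns an empty array, so the CertificateRequest carries a 0-byte CA list instead of 106142 bytes. The Netty hook assumes io.netty.handler.ssl.util.SimpleTrustManagerFactory from netty-handler; the class names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import io.netty.handler.ssl.util.SimpleTrustManagerFactory;

public final class EmptyIssuerTrustManagerFactory extends SimpleTrustManagerFactory {

    private final X509TrustManager wrapped;

    public EmptyIssuerTrustManagerFactory(final X509TrustManager delegate) {
        this.wrapped = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { delegate.checkClientTrusted(chain, authType); }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { delegate.checkServerTrusted(chain, authType); }
            // JSSE builds the CertificateRequest CA list from this method; an empty array is
            // permitted by the TLS spec and leaves the client to pick its certificate unprompted.
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    @Override protected void engineInit(KeyStore keyStore) { }
    @Override protected void engineInit(ManagerFactoryParameters params) { }
    @Override protected TrustManager[] engineGetTrustManagers() { return new TrustManager[] { wrapped }; }

    /** Loads a concatenated PEM file (like trustFile above) into the JDK's default X509TrustManager. */
    public static X509TrustManager defaultTrustManagerFor(String pemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {   // parses every PEM block in the file
                ks.setCertificateEntry("trusted-" + (i++), c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }
}
```

Plug it into the builder from the question with SslContextBuilder.forServer(certFile, keyFile).trustManager(new EmptyIssuerTrustManagerFactory(EmptyIssuerTrustManagerFactory.defaultTrustManagerFor(trustFile.getPath()))).clientAuth(ClientAuth.REQUIRE).build(); validation of presented client chains is unchanged, only the advertised CA list shrinks.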
Closed 9 years ago.
How do I configure my Java application to use port 993 with TLS to read mails from an IMAP mailbox?
I store the certificate for my mail server in the default Java keystore cacerts.
After trying to connect to the mailbox, I got this stack trace (it's the full trace):
javax.mail.MessagingException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:670)
at javax.mail.Service.connect(Service.java:317)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at imap.IMAP.receive(IMAP.java:77)
at imap.IMAP.main(IMAP.java:46)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1725)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1237)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:548)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:352)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:207)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:113)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:111)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:637)
... 5 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)
at sun.security.validator.Validator.getInstance(Validator.java:161)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:108)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:204)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
... 12 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:55)
... 23 more
15.03.2013 13:54:50 imap.IMAP main
SCHWERWIEGEND: null
java.lang.NullPointerException
at imap.IMAP.receive(IMAP.java:123)
at imap.IMAP.main(IMAP.java:46)
And these are my properties:
System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk_1.6.0_35/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Properties props = System.getProperties();
props.setProperty("mail.imaps.host", server);
props.setProperty("mail.imaps.user", user);
props.setProperty("mail.imaps.password", password);
props.setProperty("mail.imaps.auth", "true");
props.setProperty("mail.imaps.starttls.enable", "true");
props.setProperty("mail.imaps.socketFactory.port", "993");
props.setProperty("mail.imaps.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.setProperty("mail.imaps.socketFactory.fallback", "false");
MailAuthenticator auth = new MailAuthenticator(user, password);
Session session = Session.getDefaultInstance(props, auth);
store = session.getStore("imaps");
store.connect();
Is something missing? On the internet there are so many posts about this problem, but most are for SMTP. I haven't found anything which really explains which properties you actually need to get this case working.
I hope someone can help me find my mistake.
Thanks a lot.
First, a few comments that aren't the cause of your problem, but will simplify your program...
Get rid of the socketFactory properties, you don't need them.
Use Session.getInstance instead of Session.getDefaultInstance.
Get rid of the MailAuthenticator and call store.connect(user, password).
See the JavaMail FAQ for details.
As for the exception you're getting, it seems to be some problem related to your certificate or your trust store. This JavaMail FAQ entry has pointers to tips for debugging these kinds of problems. You may need a Java SSL/networking/security expert to explain what's wrong.
You say you've already added your certificate to your trust store, but just in case you might want to check this JavaMail FAQ entry.
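Added example, not the answer's code: "the trustAnchors parameter must be non-empty" means the trust store JSSE ended up with contains no certificate entries. A javax.net.ssl.trustStore path that does not exist is loaded by JSSE as an empty store rather than rejected, so the check below verifies the file and counts its anchors before connecting with the simplified setup the answer recommends. Host, user and password are placeholders.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Store;

public class ImapsTrustStoreCheck {

    /** Counts trusted-certificate entries in a JKS/PKCS12 store; 0 reproduces the exception above. */
    public static int countTrustAnchors(String path, char[] password) throws Exception {
        File f = new File(path);
        if (!f.isFile()) {
            throw new IllegalStateException("trust store not found: " + path
                    + " (JSSE would continue with an empty store)");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(f)) {
            ks.load(in, password);   // wrong password fails here with an IOException
        }
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) anchors++;
        }
        return anchors;
    }

    /** Minimal IMAPS connection: no socketFactory properties, Session.getInstance, connect(host, user, pw). */
    public static Store openImaps(String host, String user, String password) throws Exception {
        Properties props = new Properties();
        props.setProperty("mail.store.protocol", "imaps");                 // implicit TLS on port 993
        props.setProperty("mail.imaps.ssl.checkserveridentity", "true");   // hostname must match the cert
        Session session = Session.getInstance(props);
        session.setDebug(true);   // IMAP protocol trace; add -Djavax.net.debug=ssl for the TLS handshake
        Store store = session.getStore("imaps");
        store.connect(host, user, password);
        return store;
    }

    public static void main(String[] args) throws Exception {
        String trustStore = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        int n = countTrustAnchors(trustStore, "changeit".toCharArray());
        System.out.println(trustStore + " holds " + n + " trust anchors");
        if (n == 0) return;   // connecting now would fail exactly as in the question
        Store store = openImaps("imap.example.com", "user", "secret");   // placeholders
        try {
            System.out.println("connected: " + store.isConnected());
        } finally {
            store.close();
        }
    }
}
```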
I am trying to use Java APNS - an open source project - to send push notifications to iPhones.
I am getting an error, though.
I have used a .pem file as certificate. Should this have been a .p12 file? I am not sure what the difference is, but I read somewhere online that there is a difference between these file formats.
Here is the code:
ApnsService service =
APNS.newService()
.withCert("gpk.pem", "XXXX")
.withSandboxDestination()
.build();
String payload = APNS.newPayload().alertBody("Can't be simpler than this!").build();
String token = "theTokenIsRemoveHere";
service.push(token, payload);
And here is the error:
Exception in thread "main" com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: toDerInputStream rejects tag type 45
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:102)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:161)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:124)
at com.geomobsters.cli.ApnsClient.main(ApnsClient.java:12)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.io.IOException: toDerInputStream rejects tag type 45
at sun.security.util.DerValue.toDerInputStream(DerValue.java:806)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1201)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:87)
... 8 more
Java APNS expects the cert as a .p12 file.
You have to check both the private key and the certificate in your keychain,
then right-click -> "export 2 files"
and export them.
You have to give it a password; this password is what you have to type here
.withCert("gpk.pem", "XXXX")
as your XXXX.
Good luck.
EDIT:
.P12 – PKCS#12, contains certificates and private keys, saved with a password
.PEM – a Base64-encoded certificate, enclosed by "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
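Added example serving both the EJBCA thread (keytool PKCS#10, "unknown tag 13 encountered") and this APNS thread ("toDerInputStream rejects tag type 45"); it is not code from either thread. Both failures have the same cause: a DER parser was handed PEM text. The first byte of "-----BEGIN" is '-' = 0x2D = 45, which the JDK's DerValue reports as tag type 45 and BouncyCastle, reading the same byte as constructed universal tag number 13, reports as unknown tag 13. The helper below tells the two encodings apart, extracts the bare Base64 body that pkcs10Request wants, and names the offending byte when neither is present; the sample input is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class PemToDer {

    /** True when the input is PEM armor (text starting with a -----BEGIN line). */
    public static boolean isPem(byte[] input) {
        int n = Math.min(input.length, 10);
        return new String(input, 0, n, StandardCharsets.US_ASCII).startsWith("-----BEGIN");
    }

    /** The Base64 between the BEGIN and END lines with whitespace removed: the form EJBCA's pkcs10Request accepts. */
    public static String base64Body(String pem) {
        StringBuilder body = new StringBuilder();
        boolean inside = false;
        for (String line : pem.split("\\r?\\n")) {
            String t = line.trim();
            if (t.startsWith("-----BEGIN ")) { inside = true; continue; }
            if (t.startsWith("-----END ")) break;
            if (inside && !t.isEmpty()) body.append(t);
        }
        if (body.length() == 0) throw new IllegalArgumentException("no PEM body found");
        return body.toString();
    }

    /** PKCS#10, X.509 and PKCS#12 objects are ASN.1 SEQUENCEs, so DER must begin with tag 0x30. */
    public static byte[] requireDer(byte[] der) {
        int tag = der.length == 0 ? -1 : der[0] & 0xFF;
        if (tag != 0x30) {
            throw new IllegalArgumentException("not DER: first byte is tag " + tag
                    + " (0x" + Integer.toHexString(tag) + "), expected SEQUENCE 0x30"
                    + (tag == 0x2D ? "; this is '-', the start of a PEM header" : ""));
        }
        return der;
    }

    /** Returns DER bytes whether the input was PEM or DER, or throws naming the bad tag byte. */
    public static byte[] toDer(byte[] input) {
        if (!isPem(input)) return requireDer(input);
        String body = base64Body(new String(input, StandardCharsets.US_ASCII));
        return requireDer(Base64.getDecoder().decode(body));
    }

    public static void main(String[] args) {
        // Constructed sample: PEM armor around a minimal DER SEQUENCE (not a real CSR).
        String pem = "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
                + Base64.getEncoder().encodeToString(new byte[] {0x30, 0x03, 0x02, 0x01, 0x05})
                + "\n-----END NEW CERTIFICATE REQUEST-----\n";
        byte[] raw = pem.getBytes(StandardCharsets.US_ASCII);
        System.out.println("body for EJBCA: " + base64Body(pem));
        System.out.println("DER length: " + toDer(raw).length);
        try {
            requireDer(raw);   // what a DER-only loader such as the PKCS12 KeyStore sees
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());   // reports tag 45 (0x2d), the PEM '-'
        }
    }
}
```

For the APNS case toDer() only tells you that gpk.pem is PEM; Java APNS still needs a PKCS#12 export containing the certificate and its private key, as the answer says.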