
General Issues » Unable to retrieve certificate chain

Author: shaun millar, Visitor
18/05/2006 19:46:24
Hi guys.

I'm in the process of evaluating your JCAPI product with a rainbow iKey 2032. I've run into a little problem while attempting to retrieve the certificate chain from a signing certificate.

The problematic code is as follows:

keystore = KeyStore.getInstance("msks", "JCAPI");
keystore.load(null, null);

keystore.getCertificateChain(_alias); //where _alias is a valid cert alias

which causes the response:

****************
Another exception has been detected while we were handling last error.
Dumping information about last error:
ERROR REPORT FILE = (N/A)
PC = 0x0807a2b5
SIGNAL = -1073741819
FUNCTION NAME = (N/A)
OFFSET = 0xFFFFFFFF
LIBRARY NAME = C:\j2sdk1.4.2_06\jre\bin\client\jvm.dll
Please check ERROR REPORT FILE for further information, if there is any.
Good bye.

Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x807A2B5
Function=[Unknown.]
Library=C:\j2sdk1.4.2_06\jre\bin\client\jvm.dll

NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.


Current Java thread:

************************

Can you provide me with any assistance in determining why this would occur?

Author: tommy, Visitor
19/05/2006 00:38:16
Hi,

Nice stack trace.
Luckily, we don't see these memory faults too often.

In order to help you, please read chapter 7 in the JCAPI User's Guide and post the requested information (I guess you can skip step 1).

What CSP is your Rainbow iKey using?

Regards,
Tommy

Author: Anonymous, Visitor
20/05/2006 01:27:21
Ya, not sure what's up with the stack trace.. kinda slim. The CSP is "DataKey RSA CSP". I've tried this with the default Microsoft CSP and forcing the CSP to DataKey. Both no go.

Anyway, here's a test program to exemplify the problem:

import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

// JCAPI provider classes; the package name is assumed from the JCAPI documentation.
import com.pheox.jcapi.JCAPIProperties;
import com.pheox.jcapi.JCAPIProvider;
import com.pheox.jcapi.JCAPIUtil;

public class CertChainTest
{
    public static void main(String[] args)
    {
        try {
            // Register the JCAPI provider and dump its view of the environment.
            Security.addProvider(new JCAPIProvider());
            JCAPIProperties.setLogging(true);
            System.out.println(JCAPIUtil.getEnvironmentInfo());

            // "msks" is the JCAPI key store type backed by the Microsoft system stores.
            KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
            ks.load(null, null);

            //JCAPIProperties.getInstance().setMSCSP("Datakey RSA CSP");

            PublicKey pub = null;
            PrivateKey priv = null;
            java.security.cert.Certificate[] certChain = null;
            String alias = null;

            //Get first available key entry matching the given alias (i.e. a certificate with a corresponding private key).
            for(java.util.Enumeration e = ks.aliases(); e.hasMoreElements(); )
            {
                alias = (String)e.nextElement();
                String fName = JCAPIUtil.getCertificateFriendlyName(alias);
                if(null != fName && fName.equals(args[0]))
                {
                    if (ks.isKeyEntry(alias))
                    {
                        priv = (RSAPrivateKey)ks.getKey(alias, null);
                        pub = (RSAPublicKey)ks.getCertificate(alias).getPublicKey();
                        System.out.println("Found certificate, friendly name " + args[0] + " to sign with.");
                        break; //Ok, we found the cert with the given friendly name and loaded keys.
                    }
                }
            }

            if(priv == null)
                throw new Exception("Sorry, cannot proceed. Couldn't find certificate with friendly name = " + args[0] + " or this certificate does not have a private key available from Microsoft's key store.");

            //problem caused here when requesting the cert chain
            certChain = ks.getCertificateChain(alias);
            System.out.println("Size of Cert chain associated with alias " + alias + " = " + certChain.length);

        } catch(Throwable t) {
            System.err.println("Example program failed.");
            t.printStackTrace();
        }
    }
}


Here's the output:

-------------- Environment info start --------------
JCAPI version: 1.1.0.0
JCAPI DLL version: 1.1.0.0

Certificate/system stores:
My
Root
Trust
CA
UserDS
TrustedPublisher
Disallowed
AuthRoot
TrustedPeople
ACRS
ADDRESSBOOK
REQUEST

Using cert entry store: ADDRESSBOOK
Using key entry store: My
Using intermediate cert store: CA
Using root cert store: Root
Using untrusted cert store: null

Available CSPs:
Datakey DSA CSP
Datakey RSA CSP
Entrust Enhanced Cryptographic Provider
Entrust Symmetric Cryptographic Provider
Gemplus GemSAFE Card CSP v1.0
Infineon SICRYPT Base Smart Card CSP
Microsoft Base Cryptographic Provider v1.0
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
Microsoft Base DSS Cryptographic Provider
Microsoft DH SChannel Cryptographic Provider
Microsoft Enhanced Cryptographic Provider v1.0
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
Microsoft Exchange Cryptographic Provider v1.0
Microsoft RSA SChannel Cryptographic Provider
Microsoft Strong Cryptographic Provider
Schlumberger Cryptographic Service Provider

Using CSP: Microsoft Enhanced Cryptographic Provider v1.0

Supported PKCS#11 CSPs:
FTSafe ePass2000 RSA Cryptographic Service Provider
eToken Base Cryptographic Provider
SmartTrust Cryptographic Service Provider
SI_CSP
SafeSign CSP Version 1.0
AR Base Cryptographic Provider
Athena ASECard Crypto CSP


User added PKCS#11 CSPs:

Loaded JCAPI plugins:
JCAPI Certificate Factory Plugin, version 1.0.1.0

Registered JCE providers: SUN, version 1.42
SunJSSE, version 1.42
SunRsaSign, version 1.42
SunJCE, version 1.42
SunJGSS, version 1.0
JCAPI, version 1.1

java.version: 1.4.2_06
java.vendor: Sun Microsystems Inc.
java.vm.version: 1.4.2_06-b03
java.vm.vendor: Sun Microsystems Inc.
os.name: Windows XP
os.arch: x86
os.version: 5.1
java.library.path: C:\j2sdk1.4.2_06\bin;.;C:\WINDOWS\System32;C:\WINDOWS;C:\Program C:\PROGRA~1\PVCS\VM\win32\bin;C:\shaun\tools;C:\j2sdk1.4.2_06\bin;c:\oracle\ids9i\jdk\jre\bin\classic;c:\oracle\ids9i\jdk\jre\bin;c:\oracle\ids9i\bin;c:\oracle\ids9i\jlib;C:\Program Files\Oracle\jre\1.1.8\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Oracle\tools6i\bin;C:\Perl\bin\;C:\Oracle\orant\bin;c:\Oracle\ora8i\bin;C:\Program Files\Oracle\jdev9i_902\jdk\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\unix\bin;C:\Magicsql\netmap;C:\Program Files\jakarta-ant-1.5\bin;C:\Program Files\cvsnt;C:\Batch;;C:\WINDOWS\system32;C:\WINDOWS;C:\ORAWIN\BIN;
-------------- Environment info end --------------
Found certificate, friendly name Millar Shaun Key Usage: Digital Signature to sign with.


****************
Another exception has been detected while we were handling last error.
Dumping information about last error:
ERROR REPORT FILE = (N/A)
PC = 0x0807a2b5
SIGNAL = -1073741819
FUNCTION NAME = (N/A)
OFFSET = 0xFFFFFFFF
LIBRARY NAME = C:\j2sdk1.4.2_06\jre\bin\client\jvm.dll
Please check ERROR REPORT FILE for further information, if there is any.
Good bye.

Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x807A2B5
Function=[Unknown.]
Library=C:\j2sdk1.4.2_06\jre\bin\client\jvm.dll

NOTE: We are unable to locate the function name symbol for the error
just occurred. Please refer to release documentation for possible
reason and solutions.


Current Java thread:

//nothing reported???

Author: tommy, Visitor
21/05/2006 23:48:38
Hi,

Thank you for the information. You gave us a good starting point.

This problem might be a bit tricky to solve without the actual HW key and certificates, but we'll give it a best try.
Could you please export your certificate chain (base 64 encoded) and post it to us? For each certificate exported, please specify the name of the system store (MY, CA, ROOT etc, you can use their friendly names if desirable) the certificate was exported from.
By importing your certificate chain, we can simulate your operation and hopefully trigger the error.

Regards,
Tommy

Author: Anonymous, Visitor
24/05/2006 19:33:38
Hi Tommy

I can now tell you that I've tried the posted code with a Verisign certificate and its corresponding chain of certificates rather than the Rainbow iKey and its chain of certificates. The code posted above then worked. The chain of certs could be requested without encountering the error from hell.

The problem was absolutely linked to the hardware token (Rainbow iKey 2032) or the way in which the chain of certs was written in the same.

Just so you know, I required the chain of certificates to build a PKCS7 encoded signature block using the Bouncy Castle JCE. This requires creating a CertStore object.

What I did to resolve the problem was to build the certificate list using only the first certificate rather than the entire certificate chain.

So instead of doing...

ArrayList certList = new ArrayList();

Certificate[] certChain = ks.getCertificateChain(_alias);

for (int i = 0; i < certChain.length; i++)
    certList.add(certChain[i]);

CertStore certs = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(certList), "BC");

I'm now doing...

ArrayList certList = new ArrayList();

certList.add(keystore.getCertificate(_alias));

CertStore certs = CertStore.getInstance("Collection",
        new CollectionCertStoreParameters(certList), "BC");


This then gives me the iKey certificate and its cert chain in the PKCS7 encoded signature. Not exactly sure why this works, but it does.


Thanks for your kind assistance. I hope this helps someone else.

Shaun

Author: tommy, Visitor
24/05/2006 23:28:07
Hmm, ok.
From your given code snippet it should be impossible to get the whole chain since only the certificate associated with your private key is fed into the CertStore instance. The reason that you will still get the whole chain for your single certificate is probably due to:
1. You are using a qualified certificate i.e. your cert was issued by a trusted CA whose root CA cert and intermediate certificate(s) are already present in the JKS trusted key store.
2. You are using classes, not included in your code snippet, that access the JKS trusted key store based on your certificate.

From the above line of reasoning, your program will fail if you are using a certificate chain whose root CA is not trusted, i.e. not present in your JKS key store.

Anyway, great that you found a solution to overcome your specific problem. However, we (Pheox) must lay our hands on a Rainbow iKey 2032 HW token to find out the original reason for why the JVM is aborted since we couldn't find any anomalies when inspecting the JCAPI source code another round. Yet another challenge I suppose.

Please let us know if you encounter more issues related to JCAPI.

Regards,
Tommy
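The dependence Tommy describes (a single leaf certificate only yields a full chain when the rest of it is already in a trusted store) can be made explicit: build the chain from the leaf with the JDK's PKIX CertPathBuilder against the JKS trust store, so a chain whose root is not trusted fails with a CertPathBuilderException instead of silently producing a chain of one. This is an added example, not code from the thread or from Pheox/JCAPI; the trust store path "truststore.jks" and its password are assumptions, and the key store alias is taken from the command line as in Shaun's test program.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

public class ChainFromLeaf {
    // Build the chain leaf..root from one end-entity certificate with PKIX path
    // building: trust anchors come from trustStore, candidate intermediates from
    // the collection. A chain with no trusted root fails here instead of later.
    public static List<X509Certificate> buildChain(X509Certificate leaf, KeyStore trustStore,
            Collection<X509Certificate> intermediates) throws GeneralSecurityException {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);                          // path must end at this cert
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        List<X509Certificate> pool = new ArrayList<X509Certificate>(intermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(pool)));
        params.setRevocationEnabled(false);                   // assumption: CRL/OCSP handled elsewhere
        // Throws CertPathBuilderException if no path reaches a trust anchor.
        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult)
                CertPathBuilder.getInstance("PKIX").build(params);
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (Certificate c : result.getCertPath().getCertificates())
            chain.add((X509Certificate) c);                   // leaf first; root not included
        chain.add(result.getTrustAnchor().getTrustedCert());  // append the root explicitly
        return chain;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
        ks.load(null, null);
        X509Certificate leaf = (X509Certificate) ks.getCertificate(args[0]);
        // Plain certificate entries of the key store are offered as intermediates.
        List<X509Certificate> inter = new ArrayList<X509Certificate>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String a = e.nextElement();
            if (ks.isCertificateEntry(a)) inter.add((X509Certificate) ks.getCertificate(a));
        }
        // Assumed location and password of the JKS trust store (cacerts also works).
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(new FileInputStream("truststore.jks"), "changeit".toCharArray());
        List<X509Certificate> chain = buildChain(leaf, trust, inter);
        System.out.println("Chain length, leaf to root: " + chain.size());
    }
}
```

The returned list can be fed to the Bouncy Castle CertStore in place of the single certificate, which keeps the PKCS7 output complete without calling getCertificateChain on the token.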

