KeyNotFoundException when remote partner and local partner resolve to the same server/certificate #106

Closed
AlexandruCiobanu opened this issue Mar 16, 2020 · 5 comments
@AlexandruCiobanu

AlexandruCiobanu commented Mar 16, 2020

Hi Phillip,

I seem to have an issue when I try sending through Peppol a message whose end client is myself. It seems that the same certificate gets added to the keystore after the SMP lookup; this seems to cause a failure to locate the private key because apparently it finds the public certificate alias and not the keypair.
Is there anything I can do to solve it?

```
Error sending AS2 message
com.helger.as2lib.cert.KeyNotFoundException: Alias: 0195:SGUEN201707606R in Certificate:
  [0]
    Version: 3
    SerialNumber: 45537062033043752066974540736409135793
    IssuerDN: C=BE,O=OpenPEPPOL AISBL,CN=PEPPOL ACCESS POINT CA - G2
    Start Date: Tue Oct 08 00:00:00 UTC 2019
    Final Date: Mon Sep 27 23:59:59 UTC 2021
    SubjectDN: CN=PSG000308,OU=PEPPOL PRODUCTION AP,O=LinkFor,C=SG
    Public Key: RSA Public Key [1f:07:b5:d8:bf:f5:4c:dd:b9:8f:24:86:c8:33:2c:e3:f7:4e:4b:1c],[56:66:d1:a4]
    Signature Algorithm: SHA256WITHRSA
    Extensions:
      critical(true) BasicConstraints: isCa(false)
      critical(true) KeyUsage: 0xa8
      critical(true) 2.5.29.37 value = Sequence ObjectIdentifier(1.3.6.1.5.5.7.3.2)
	at com.helger.as2lib.cert.CertificateFactory.getPrivateKey(CertificateFactory.java:329)
	at com.helger.as2lib.cert.CertificateFactory.getPrivateKey(CertificateFactory.java:347)
	at com.helger.as2lib.processor.sender.AS2SenderModule.secure(AS2SenderModule.java:515)
	at com.helger.as2lib.processor.sender.AS2SenderModule.handle(AS2SenderModule.java:929)
	at com.helger.as2lib.client.AS2Client.sendSynchronous(AS2Client.java:432)
	at com.helger.peppol.as2client.AS2ClientBuilder.sendSynchronous(AS2ClientBuilder.java:1624)
```
@phax phax self-assigned this Mar 16, 2020
@phax phax added the question label Mar 16, 2020
@phax
Owner

phax commented Mar 16, 2020

Hi Alex,

  • You are on an old version of as2-lib - please update to the latest version :)
  • do you use a PKCS12 or JKS keystore? Are you sure the casing of your configured alias and the value in the keystore is correct?
  • The full stacktrace would be nice - the cause of the KeyNotFoundException - it is some GeneralSecurityException...

hth

@AlexandruCiobanu
Author

  • true, silly me;
  • PKCS12; casing is correct
  • The cause is in CertificateFactory.getPrivateKey: it takes the first entry, which happens to be the public certificate entry and not the keypair entry.
    I found a fix for it: I extended CertificateFactory and then AS2Client (to serve the new certificate factory) to solve this issue:
```java
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.annotation.Nullable;

// Override in a subclass of com.helger.as2lib.cert.CertificateFactory; it relies on the
// base class helpers m_aRWLock, debugLog, _debug, getUnifiedAlias, getPassword and _getAllAliases.
@Override
public PrivateKey getPrivateKey (@Nullable final X509Certificate aCert) throws AS2Exception
{
  debugLog ( () -> "getPrivateKey (" + _debug (aCert) + ")");
  String sRealAlias = null;
  PrivateKey aKey = null;
  m_aRWLock.readLock ().lock ();
  try
  {
    final KeyStore aKS = getKeyStore ();
    // Walk all aliases instead of stopping at the first one whose certificate matches:
    // the same certificate can be present both as a trusted-certificate entry (added after
    // the SMP lookup) and as a key entry, and only the key entry carries a private key.
    for (final String sAlias : Collections.list (aKS.aliases ()))
    {
      final Certificate aStoredCert = aKS.getCertificate (sAlias);
      if (aStoredCert == null || !aStoredCert.equals (aCert))
        continue;
      sRealAlias = getUnifiedAlias (sAlias);
      // getKey returns null if the alias represents a trusted certificate rather than a key pair
      final Key aFound = aKS.getKey (sRealAlias, getPassword ());
      if (aFound instanceof PrivateKey)
      {
        aKey = (PrivateKey) aFound;
        break;
      }
    }
    if (aKey == null)
    {
      debugLog ( () -> "getPrivateKey -> null");
      throw new AS2KeyNotFoundException (aCert, sRealAlias, _getAllAliases (), null);
    }
    final PrivateKey aFinalKey = aKey;
    debugLog ( () -> "getPrivateKey -> " + aFinalKey);
    return aKey;
  }
  catch (final GeneralSecurityException ex)
  {
    debugLog ( () -> "getPrivateKey -> " + _debug (ex));
    throw new AS2KeyNotFoundException (aCert, sRealAlias, _getAllAliases (), ex);
  }
  finally
  {
    m_aRWLock.readLock ().unlock ();
  }
}
```

@AlexandruCiobanu
Author

Not the sexiest fix but it does the job. :)
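To reproduce the keystore situation discussed in this thread outside as2-lib, here is an added stand-alone Java example; it is not code from as2-lib or from this issue. It assumes BouncyCastle's bcpkix on the classpath only to mint a throwaway self-signed certificate, and the aliases and password are placeholders.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class SameCertTwiceDemo {
  // Throwaway self-signed certificate, constructed for the demo (not a Peppol AP certificate).
  static X509Certificate selfSigned(KeyPair kp) throws Exception {
    X500Name dn = new X500Name("CN=demo-access-point");
    Date now = new Date();
    JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
        dn, BigInteger.ONE, now, new Date(now.getTime() + 86_400_000L), dn, kp.getPublic());
    return new JcaX509CertificateConverter().getCertificate(
        b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
  }
  // Failing behaviour: stop at the first matching alias; for a trusted-cert entry getKey() is null.
  static PrivateKey firstMatch(KeyStore ks, X509Certificate cert, char[] pw) throws Exception {
    for (String alias : Collections.list(ks.aliases()))
      if (cert.equals(ks.getCertificate(alias)))
        return (PrivateKey) ks.getKey(alias, pw);
    return null;
  }
  // Corrected behaviour: skip non-key entries and keep scanning until an alias yields a private key.
  static PrivateKey keyEntryMatch(KeyStore ks, X509Certificate cert, char[] pw) throws Exception {
    for (String alias : Collections.list(ks.aliases())) {
      if (!ks.isKeyEntry(alias) || !cert.equals(ks.getCertificate(alias))) continue;
      Key k = ks.getKey(alias, pw);
      if (k instanceof PrivateKey) return (PrivateKey) k;
    }
    return null;
  }
  public static void main(String[] args) throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
    KeyPair kp = kpg.generateKeyPair();
    X509Certificate cert = selfSigned(kp);
    char[] pw = "changeit".toCharArray();
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null);
    // Same order as in the issue: the remote partner's certificate (the SMP lookup result) is
    // stored as a trusted entry before the local partner's key pair. Aliases are placeholders.
    ks.setCertificateEntry("remote-partner", cert);
    ks.setKeyEntry("local-partner", kp.getPrivate(), pw, new X509Certificate[] { cert });
    System.out.println("first-match lookup found key: " + (firstMatch(ks, cert, pw) != null));
    System.out.println("key-entry lookup found key  : " + (keyEntryMatch(ks, cert, pw) != null));
  }
}
```

The first lookup reports the same "certificate found, key missing" condition the KeyNotFoundException above reflects, while the second finds the key pair because it ignores the trusted-certificate copy.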

@phax
Owner

phax commented Mar 17, 2020

I don't fully understand the consequences of your changes, so I need to take some time. Please be patient with me :)

@stale stale bot added the wontfix label Jun 15, 2020
@phax phax added pinned and removed wontfix labels Jun 15, 2020
Repository owner deleted a comment from stale bot Jun 15, 2020
phax added a commit that referenced this issue Jan 23, 2024
@phax
Owner

phax commented Jan 23, 2024

Finally - I understand and I agree. Part of the 5.1.2 release

@phax phax closed this as completed Jan 23, 2024