phase4 and the Peppol French PoC #127

phax · 2023-05-17T18:25:52Z

phax
May 17, 2023
Maintainer

Hi all,
this thread should contain the collective wisdom of what is needed to use phase4 for the Peppol French PoC.
I am assuming, that you are using the latest version of phase4 (2.1.0 at the time of writing).

Summary

Here is a summary of the issues that have been identified and that you need to deal with:
a) The French PoC uses a different AP certificate that is not in the default trust stores
b) The French PoC does not support OCSP and CRL - that should not be an issue, because OCSP/CRL is only used, if a certificate indicates so.
c) The Document Type Identifier used by the French PoC breaks the default parsing rules because it contains a double "::"

a) AP certificates

This is the intermediate French PoC CA as PEM:
Subject: CN=Peppol FRPOC AP TEST CA,O=OpenPeppol AISBL,OU=FOR TEST ONLY,C=BE

The respective root certificate in PEM encoding is this:
Subject: C=BE,OU=FOR TEST ONLY,O=OpenPeppol AISBL,CN=Peppol POC Root TEST CA

To add the new certificate as trusted to phase4 you need to do this:

  final X509Certificate cert = CertificateHelper.convertStringToCertficate ("-----BEGIN CERTIFICATE-----\r\n" +
                                                                              "MIIFrzCCA5egAwIBAgIJAN2RI5fPyU3MMA0GCSqGSIb3DQEBCwUAMGIxIDAeBgNV\r\n" +
                                                                              "BAMMF1BlcHBvbCBQT0MgUm9vdCBURVNUIENBMRkwFwYDVQQKDBBPcGVuUGVwcG9s\r\n" +
                                                                              "IEFJU0JMMRYwFAYDVQQLDA1GT1IgVEVTVCBPTkxZMQswCQYDVQQGEwJCRTAgFw0y\r\n" +
                                                                              "MzAzMjgwNjUxMzdaGA8yMDUwMDgxMjA2NTEzMVowYjELMAkGA1UEBhMCQkUxFjAU\r\n" +
                                                                              "BgNVBAsMDUZPUiBURVNUIE9OTFkxGTAXBgNVBAoMEE9wZW5QZXBwb2wgQUlTQkwx\r\n" +
                                                                              "IDAeBgNVBAMMF1BlcHBvbCBGUlBPQyBBUCBURVNUIENBMIICIjANBgkqhkiG9w0B\r\n" +
                                                                              "AQEFAAOCAg8AMIICCgKCAgEAxD2g/dG7i2iOgqD5/xYOLCSEVQjh7/Tdl+0wndEu\r\n" +
                                                                              "pcnB1l9VWJCWC8l8o6u9Sc0cqxnyTisZEvIRpMEIbtLA6kBFs0kelxd1KlTPFeeF\r\n" +
                                                                              "LLYSzo8Sf+6V/OF5623BVLM+R0e6DkvU0j5+k5pwks6Xbix1GlbXhnCQKxa0cZZ5\r\n" +
                                                                              "ukwYd+InUgMxyjnvl3n/ASozC7DNswQ8qVkPgmTeOoe857Tl8fLU4Q76YV1kKpw2\r\n" +
                                                                              "omie+8W+OBcGdxXgt1IZC+kN7jVSJ3UAABIeP5GURJWylMUDpYT5M/97s6XFfb4a\r\n" +
                                                                              "4idqOcoVT4GQi4KQ9OOAV7qdjXHnQvrFk1+MKfb6gpKAf2+aloB53M1bWYXZQQIP\r\n" +
                                                                              "8QxSbZli5X5MZfkJZWNGqZnWubzGDoVvr/xOLdVDO/rXuNO0zy8TUT6014g1VW2M\r\n" +
                                                                              "gISrwNZBYIP3YG5AxRbQJd5jiLcH01USe9IVqunvPdZ6hI3wGs5P4C212q461dJW\r\n" +
                                                                              "HTEciRs6PubHFZWj1ryQZEAJ7Uphf5CSNAEESTT0Xw6a/UQELb6TOJZrOyQfsnFY\r\n" +
                                                                              "L+HmhtFTVuX7ct72UEMSNC5zTYtBfgHR700wlph7AKkC/qTOnNO3R/krK6m455eI\r\n" +
                                                                              "guad9UFI/WKawMGB0cvO/wLFt2gDUFp0qoiVSOU/G+U4aSQziAOtUvBpw+EwBrE+\r\n" +
                                                                              "Ui8CAwEAAaNmMGQwHQYDVR0OBBYEFE8pIE2utIOS/CB6ujlxXa6vzEYGMB8GA1Ud\r\n" +
                                                                              "IwQYMBaAFKenZyYNcBHLJ80NlusuoYdi19ycMBIGA1UdEwEB/wQIMAYBAf8CAQAw\r\n" +
                                                                              "DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8MsejentRQZZa+uxo\r\n" +
                                                                              "N7rwt9nuoCnkMqzv7XWAYOxodQLnYUnUuIUIN08JljaLlLowibFMs5NctqAmqURe\r\n" +
                                                                              "ZnMBTlMeW1JwUHI73g2HvY838vSPuwSwInWzNt/6X42svUxB8mQz9q5JBC7KuRx9\r\n" +
                                                                              "X+vJOA3Wb+oDpMvmvzCHgXNM5EuLO7u1rvN0yiOuS2ozg5T8i1Lae9ggF0ameNY7\r\n" +
                                                                              "Wds39tu1jkGh5b1A/Lf52nPIPP8GXLS1A3cvGOqt0/U3+c+yU0THXKvkEQDwoiJF\r\n" +
                                                                              "49yjWsFmRtSx/7xRlhjKi9PSP4Uis2cd4qwUUDq5jMjqz4WkRyqN9TSoWV5DoWf+\r\n" +
                                                                              "6cxEEErw+iQqk0e8XLiyMstkw+iPDCIi37kDD8nVctFFZMuCgAoKVQYrZj2udgjt\r\n" +
                                                                              "B0Yd8CLQCpE6uPynzM31XFkpJGo/xEqW11dqlQ3xB9nWM4ZoMQTLEkWJPwkqiW7z\r\n" +
                                                                              "TTqum48aWimEUOe0oNJz3Qw67v96JbZrtRnk4/VcmabRd/yOQF6NXtcZn3gsdCwt\r\n" +
                                                                              "sxHSlIN6qbkHcp25COHBWfhQJ8oc0/4twC98Pj/6LIneW5eP4G50qZS6vY9gwqJa\r\n" +
                                                                              "oOFfbzXVL9unGxd4Tx0svzpq+6D4+YlWN+nzgSDSxR4hJp3zHsAsbN1lzKDzZO0J\r\n" +
                                                                              "N5qMVrJhkquuEsfdHWbvPBHW9A==\r\n" +
                                                                              "-----END CERTIFICATE-----");
    PeppolCertificateChecker.addTrustedPeppolAPCACertificate (cert);

Note: instead of having it in the code, you can of course load it from a file.

Note: this requires the peppol-commons library 9.0.4

c) Issue with Document Type Identifier parsing

The French PoC uses this Document Type Identifier:

urn:oasis:names:specification:ubl:schema:xsd:AttachedDocument-2::AttachedDocument##urn:AIFE.fr::2023#urn:fdc:peppol.eu:2017:poac:UBL:1.0::2.1

The Syntax Specific ID is urn:oasis:names:specification:ubl:schema:xsd:AttachedDocument-2::AttachedDocument

The Customization ID is urn:AIFE.fr::2023#urn:fdc:peppol.eu:2017:poac:UBL:1.0

The Syntax version is 2.1

Due to the :: in the customization ID, identifier parsing fails in class PeppolDocumentTypeIdentifierParts because it assumes to split after the first ::. A bug fix release of peppol-commons was released. Each version >= 9.0.5 fixes this issue and parses this identifier correctly.

To use this bugfix together with phase4 2.1.0, just enforce the version 9.0.5 in peppol-commons.

hth, Philip

ghost · 2023-05-23T11:07:34Z

ghost
May 23, 2023

Hi Philip,

We have an issue when adding the certificate.

We have changed the behavior of the 'Phase4PeppolWebAppListener._initPeppolAS4' method to add the certificate if previous one is invalid (line 189). We load the .pem from a file using a property describing its path and then retrieve the data from the file as byte[] and then invoke 'CertificateHelper.convertByteArrayToCertficate(data);' to get the certificate and finally validate it by computing a new eCheckResult.

Do we have to load the data as text and use ' CertificateHelper.convertStringToCertficate'?

Hereunder the added code:

 if (eCheckResult.isInvalid()) {
        LOGGER.warn("The certificate provided in the key store is not valid");
        final var trustStoreFile = AS4Configuration.getConfig().getAsString(PHASE4_TRUSTSTORE_FILE);

        if (trustStoreFile == null || trustStoreFile.trim().length() == 0) {
            LOGGER.warn("Property: {} is empty", PHASE4_TRUSTSTORE_FILE);
        } else {
            final var path = Paths.get(trustStoreFile);
            LOGGER.info("Reading certificate from path: {} (specified in property: {})", path, PHASE4_TRUSTSTORE_FILE);

            try {
                final var data = Files.readAllBytes(path);

                if (data == null || data.length == 0) {
                    LOGGER.warn("Certificate file is empty");
                } else {
                    aAPCert = CertificateHelper.convertByteArrayToCertficate(data);

                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug("File content: {}", new String(data));
                    }

                    PeppolCertificateChecker.clearTrustedPeppolAPCACertificates();
                    PeppolCertificateChecker.clearOCSPCache();
                    eCheckResult = PeppolCertificateChecker.checkPeppolAPCertificate(aAPCert, MetaAS4Manager.getTimestampMgr().getCurrentDateTime(), ETriState.FALSE, null);
                }

                LOGGER.info("Certificate loaded from path: {}", path);
            } catch (final IOException | CertificateException e) {
                throw new InitializationException("The provided certificate cannot be loaded from file: " + path, e);
            }
        }

        if (eCheckResult.isInvalid()) {
            throw new InitializationException("The provided certificate is not a valid Peppol AP certificate. Check result: " + eCheckResult);
        }
    }

Here is the part off the logs:
[INFO ] 2023-05-23 14:56:36.179 [main] Phase4PeppolWebAppListener - Reading certificate from path: /com/peppol/keysPOC/ca.cert.pem (specified in property: phase4.truststore.file)
[DEBUG] 2023-05-23 14:56:36.182 [main] Phase4PeppolWebAppListener - File content: -----BEGIN CERTIFICATE-----
MIIFrzCCA5egAwIBAgIJAN2RI5fPyU3MMA0GCSqGSIb3DQEBCwUAMGIxIDAeBgNV
BAMMF1BlcHBvbCBQT0MgUm9vdCBURVNUIENBMRkwFwYDVQQKDBBPcGVuUGVwcG9s
IEFJU0JMMRYwFAYDVQQLDA1GT1IgVEVTVCBPTkxZMQswCQYDVQQGEwJCRTAgFw0y
MzAzMjgwNjUxMzdaGA8yMDUwMDgxMjA2NTEzMVowYjELMAkGA1UEBhMCQkUxFjAU
BgNVBAsMDUZPUiBURVNUIE9OTFkxGTAXBgNVBAoMEE9wZW5QZXBwb2wgQUlTQkwx
IDAeBgNVBAMMF1BlcHBvbCBGUlBPQyBBUCBURVNUIENBMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAxD2g/dG7i2iOgqD5/xYOLCSEVQjh7/Tdl+0wndEu
pcnB1l9VWJCWC8l8o6u9Sc0cqxnyTisZEvIRpMEIbtLA6kBFs0kelxd1KlTPFeeF
LLYSzo8Sf+6V/OF5623BVLM+R0e6DkvU0j5+k5pwks6Xbix1GlbXhnCQKxa0cZZ5
ukwYd+InUgMxyjnvl3n/ASozC7DNswQ8qVkPgmTeOoe857Tl8fLU4Q76YV1kKpw2
omie+8W+OBcGdxXgt1IZC+kN7jVSJ3UAABIeP5GURJWylMUDpYT5M/97s6XFfb4a
4idqOcoVT4GQi4KQ9OOAV7qdjXHnQvrFk1+MKfb6gpKAf2+aloB53M1bWYXZQQIP
8QxSbZli5X5MZfkJZWNGqZnWubzGDoVvr/xOLdVDO/rXuNO0zy8TUT6014g1VW2M
gISrwNZBYIP3YG5AxRbQJd5jiLcH01USe9IVqunvPdZ6hI3wGs5P4C212q461dJW
HTEciRs6PubHFZWj1ryQZEAJ7Uphf5CSNAEESTT0Xw6a/UQELb6TOJZrOyQfsnFY
L+HmhtFTVuX7ct72UEMSNC5zTYtBfgHR700wlph7AKkC/qTOnNO3R/krK6m455eI
guad9UFI/WKawMGB0cvO/wLFt2gDUFp0qoiVSOU/G+U4aSQziAOtUvBpw+EwBrE+
Ui8CAwEAAaNmMGQwHQYDVR0OBBYEFE8pIE2utIOS/CB6ujlxXa6vzEYGMB8GA1Ud
IwQYMBaAFKenZyYNcBHLJ80NlusuoYdi19ycMBIGA1UdEwEB/wQIMAYBAf8CAQAw
DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8MsejentRQZZa+uxo
N7rwt9nuoCnkMqzv7XWAYOxodQLnYUnUuIUIN08JljaLlLowibFMs5NctqAmqURe
ZnMBTlMeW1JwUHI73g2HvY838vSPuwSwInWzNt/6X42svUxB8mQz9q5JBC7KuRx9
X+vJOA3Wb+oDpMvmvzCHgXNM5EuLO7u1rvN0yiOuS2ozg5T8i1Lae9ggF0ameNY7
Wds39tu1jkGh5b1A/Lf52nPIPP8GXLS1A3cvGOqt0/U3+c+yU0THXKvkEQDwoiJF
49yjWsFmRtSx/7xRlhjKi9PSP4Uis2cd4qwUUDq5jMjqz4WkRyqN9TSoWV5DoWf+
6cxEEErw+iQqk0e8XLiyMstkw+iPDCIi37kDD8nVctFFZMuCgAoKVQYrZj2udgjt
B0Yd8CLQCpE6uPynzM31XFkpJGo/xEqW11dqlQ3xB9nWM4ZoMQTLEkWJPwkqiW7z
TTqum48aWimEUOe0oNJz3Qw67v96JbZrtRnk4/VcmabRd/yOQF6NXtcZn3gsdCwt
sxHSlIN6qbkHcp25COHBWfhQJ8oc0/4twC98Pj/6LIneW5eP4G50qZS6vY9gwqJa
oOFfbzXVL9unGxd4Tx0svzpq+6D4+YlWN+nzgSDSxR4hJp3zHsAsbN1lzKDzZO0J
N5qMVrJhkquuEsfdHWbvPBHW9A==
-----END CERTIFICATE-----

[WARN ] 2023-05-23 14:56:36.182 [main] PeppolCertificateChecker - Explicitly removing all 2 entries from the list of trusted Peppol AP CA certificates
[INFO ] 2023-05-23 14:56:36.182 [main] PeppolCertificateChecker - The PeppolCertificateChecker OCSP cache was cleared
[DEBUG] 2023-05-23 14:56:36.183 [main] PeppolCertificateChecker - Running Peppol Certificate Check against a list of 0 certificate issuers; not using a cache
[DEBUG] 2023-05-23 14:56:36.183 [main] PeppolCertificateChecker - Checking the Peppol Certificate validity against the provided date time Tue May 23 14:56:36 EDT 2023
[WARN ] 2023-05-23 14:56:36.183 [main] PeppolCertificateChecker - The provided Peppol Certificate issuer 'C=BE, OU=FOR TEST ONLY, O=OpenPeppol AISBL, CN=Peppol POC Root TEST CA' is not in the list of trusted issuers
[INFO ] 2023-05-23 14:56:36.183 [main] Phase4PeppolWebAppListener - Certificate loaded from path: /com/peppol/keysPOC/ca.cert.pem
[ERROR] 2023-05-23 14:56:36.183 [main] WebAppListener - Context Initialization Error
com.helger.commons.exception.InitializationException: The provided certificate is not a valid Peppol AP certificate. Check result: UNSUPPORTED_ISSUER
at com.helger.phase4.peppol.server.servlet.Phase4PeppolWebAppListener._initPeppolAS4(Phase4PeppolWebAppListener.java:223) ~[classes/:?]

Thanks for your help.

0 replies

phax · 2023-05-23T19:47:44Z

phax
May 23, 2023
Maintainer Author

I am on my phone only, so I might have missed some details, but it looks like you are only calling

PeppolCertificateChecker.clearTrustedPeppolAPCACertificates();

After this call you are not trusting any certificate. You have to add at least the French PoC CA afterwards. See my line from above:

PeppolCertificateChecker.addTrustedPeppolAPCACertificate (cert);

hth

0 replies

ghost · 2023-05-24T05:24:20Z

ghost
May 24, 2023

Guten Morgen Philip,

First, thanks for your support.
Unfortunately I have changed the code to only add the certificate and add that code just before the call on 'checkPeppolAPCertificate':

final var trustStoreFile = AS4Configuration.getConfig().getAsString(PHASE4_TRUSTSTORE_FILE);

if (trustStoreFile == null || trustStoreFile.trim().length() == 0) {
    LOGGER.warn("Property: {} is empty", PHASE4_TRUSTSTORE_FILE);
} else {
    final var path = Paths.get(trustStoreFile);
    LOGGER.info("Reading certificate from path: {} (specified in property: {})", path, PHASE4_TRUSTSTORE_FILE);

    try {
        final var data = Files.readAllBytes(path);

        if (data == null || data.length == 0) {
            LOGGER.warn("Certificate file is empty");
        } else {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("File content: {}", new String(data));
            }

            PeppolCertificateChecker.clearTrustedPeppolAPCACertificates();
            PeppolCertificateChecker.addTrustedPeppolAPCACertificate(CertificateHelper.convertByteArrayToCertficate(data));
        }

        LOGGER.info("Certificate loaded from path: {}", path);
    } catch (final IOException | CertificateException e) {
        throw new InitializationException("The provided certificate cannot be loaded from file: " + path, e);
    }
}

I tried without clearing the checker (no call on clearTrustedPeppolAPCACertificates), it's the same.

Now the error is due to a revoked certificate but its seems that all are valid and on the Debian, ca-certificates and ca-certificates-java are installed.

[DEBUG] 2023-05-24 01:14:22.733 [main] Config - Resolving variables in configuration value '/com/peppol/keysPOC/ca.cert.pem'
[INFO ] 2023-05-24 01:14:22.733 [main] Phase4PeppolWebAppListener - Reading certificate from path: /com/peppol/keysPOC/ca.cert.pem (specified in property: phase4.truststore.file)
[DEBUG] 2023-05-24 01:14:22.733 [main] Phase4PeppolWebAppListener - File content: -----BEGIN CERTIFICATE-----
MIIFrzCCA5egAwIBAgIJAN2RI5fPyU3MMA0GCSqGSIb3DQEBCwUAMGIxIDAeBgNV
BAMMF1BlcHBvbCBQT0MgUm9vdCBURVNUIENBMRkwFwYDVQQKDBBPcGVuUGVwcG9s
IEFJU0JMMRYwFAYDVQQLDA1GT1IgVEVTVCBPTkxZMQswCQYDVQQGEwJCRTAgFw0y
MzAzMjgwNjUxMzdaGA8yMDUwMDgxMjA2NTEzMVowYjELMAkGA1UEBhMCQkUxFjAU
BgNVBAsMDUZPUiBURVNUIE9OTFkxGTAXBgNVBAoMEE9wZW5QZXBwb2wgQUlTQkwx
IDAeBgNVBAMMF1BlcHBvbCBGUlBPQyBBUCBURVNUIENBMIICIjANBgkqhkiG9w0B
AQEFAAOCAg8AMIICCgKCAgEAxD2g/dG7i2iOgqD5/xYOLCSEVQjh7/Tdl+0wndEu
pcnB1l9VWJCWC8l8o6u9Sc0cqxnyTisZEvIRpMEIbtLA6kBFs0kelxd1KlTPFeeF
LLYSzo8Sf+6V/OF5623BVLM+R0e6DkvU0j5+k5pwks6Xbix1GlbXhnCQKxa0cZZ5
ukwYd+InUgMxyjnvl3n/ASozC7DNswQ8qVkPgmTeOoe857Tl8fLU4Q76YV1kKpw2
omie+8W+OBcGdxXgt1IZC+kN7jVSJ3UAABIeP5GURJWylMUDpYT5M/97s6XFfb4a
4idqOcoVT4GQi4KQ9OOAV7qdjXHnQvrFk1+MKfb6gpKAf2+aloB53M1bWYXZQQIP
8QxSbZli5X5MZfkJZWNGqZnWubzGDoVvr/xOLdVDO/rXuNO0zy8TUT6014g1VW2M
gISrwNZBYIP3YG5AxRbQJd5jiLcH01USe9IVqunvPdZ6hI3wGs5P4C212q461dJW
HTEciRs6PubHFZWj1ryQZEAJ7Uphf5CSNAEESTT0Xw6a/UQELb6TOJZrOyQfsnFY
L+HmhtFTVuX7ct72UEMSNC5zTYtBfgHR700wlph7AKkC/qTOnNO3R/krK6m455eI
guad9UFI/WKawMGB0cvO/wLFt2gDUFp0qoiVSOU/G+U4aSQziAOtUvBpw+EwBrE+
Ui8CAwEAAaNmMGQwHQYDVR0OBBYEFE8pIE2utIOS/CB6ujlxXa6vzEYGMB8GA1Ud
IwQYMBaAFKenZyYNcBHLJ80NlusuoYdi19ycMBIGA1UdEwEB/wQIMAYBAf8CAQAw
DgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQB8MsejentRQZZa+uxo
N7rwt9nuoCnkMqzv7XWAYOxodQLnYUnUuIUIN08JljaLlLowibFMs5NctqAmqURe
ZnMBTlMeW1JwUHI73g2HvY838vSPuwSwInWzNt/6X42svUxB8mQz9q5JBC7KuRx9
X+vJOA3Wb+oDpMvmvzCHgXNM5EuLO7u1rvN0yiOuS2ozg5T8i1Lae9ggF0ameNY7
Wds39tu1jkGh5b1A/Lf52nPIPP8GXLS1A3cvGOqt0/U3+c+yU0THXKvkEQDwoiJF
49yjWsFmRtSx/7xRlhjKi9PSP4Uis2cd4qwUUDq5jMjqz4WkRyqN9TSoWV5DoWf+
6cxEEErw+iQqk0e8XLiyMstkw+iPDCIi37kDD8nVctFFZMuCgAoKVQYrZj2udgjt
B0Yd8CLQCpE6uPynzM31XFkpJGo/xEqW11dqlQ3xB9nWM4ZoMQTLEkWJPwkqiW7z
TTqum48aWimEUOe0oNJz3Qw67v96JbZrtRnk4/VcmabRd/yOQF6NXtcZn3gsdCwt
sxHSlIN6qbkHcp25COHBWfhQJ8oc0/4twC98Pj/6LIneW5eP4G50qZS6vY9gwqJa
oOFfbzXVL9unGxd4Tx0svzpq+6D4+YlWN+nzgSDSxR4hJp3zHsAsbN1lzKDzZO0J
N5qMVrJhkquuEsfdHWbvPBHW9A==
-----END CERTIFICATE-----

[DEBUG] 2023-05-24 01:14:22.746 [main] KeyStoreHelper - Trying to load key store from path 'truststore/2018/prod-truststore.jks' using type JKS
[DEBUG] 2023-05-24 01:14:22.748 [main] KeyStoreHelper - Trying to load key store from path 'truststore/2018/smp-prod-truststore.jks' using type JKS
[DEBUG] 2023-05-24 01:14:22.753 [main] KeyStoreHelper - Trying to load key store from path 'truststore/2018/pilot-truststore.jks' using type JKS
[DEBUG] 2023-05-24 01:14:22.754 [main] KeyStoreHelper - Trying to load key store from path 'truststore/2018/smp-pilot-truststore.jks' using type JKS
[INFO ] 2023-05-24 01:14:22.868 [main] Phase4PeppolWebAppListener - Certificate loaded from path: /com/peppol/keysPOC/ca.cert.pem
[DEBUG] 2023-05-24 01:14:22.870 [main] PeppolCertificateChecker - Running Peppol Certificate Check against a list of 3 certificate issuers; not using a cache
[DEBUG] 2023-05-24 01:14:22.873 [main] PeppolCertificateChecker - Checking the Peppol Certificate validity against the provided date time Wed May 24 01:14:22 EDT 2023
[DEBUG] 2023-05-24 01:14:22.873 [main] PeppolCertificateChecker - Testing if the Peppol Certificate is revoked, without a cache
[DEBUG] 2023-05-24 01:14:22.877 [main] CertificateRevocationChecker - Performing certificate revocation check on certificate 'CN=PFR000013,OU=PEPPOL FRPOC AP,O=ARTEVA,C=FR' for datetime Wed May 24 01:14:22 EDT 2023 [synchronized]
[DEBUG] 2023-05-24 01:14:22.877 [main] CertificateRevocationChecker - Certificate revocation check is performed using mode OCSP
[DEBUG] 2023-05-24 01:14:22.880 [main] CertificateRevocationChecker - Setting system property 'ocsp.enable' to true
[DEBUG] 2023-05-24 01:14:22.898 [main] CertificateRevocationChecker - Checking certificate
[
[
Version: V3
Subject: CN=PFR000013, OU=PEPPOL FRPOC AP, O=ARTEVA, C=FR
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
params: null
modulus: 28952732006240943212670718164535296706095749718871730607294329501108445156966210465557071505419159144655747777195852834188839357935143764731150277853016956959962840439299991005250855482124473739483810315016286640721145926758439381660206086075609834779252307676146684059981842949337945916032044757108264453157921588266041349334029360586226920651468554194718629853092496304575329811350842532408204960276583623627149238492215646083228339546120390149594099752389081265234979423296694597763592181756439542373691812204672176979389381076496718685586977900497324924161848663139001047209589535679192711453674365970706534067057
public exponent: 65537
Validity: [From: Wed Apr 19 05:24:34 EDT 2023,
To: Thu Apr 18 05:24:34 EDT 2024]
Issuer: CN=Peppol FRPOC AP TEST CA, O=OpenPeppol AISBL, OU=FOR TEST ONLY, C=BE
SerialNumber: [ 100c]

Certificate Extensions: 7
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 26 16 24 4F 70 65 6E 53 53 4C 20 47 65 6E 65 .&.$OpenSSL Gene
0010: 72 61 74 65 64 20 53 65 72 76 65 72 20 43 65 72 rated Server Cer
0020: 74 69 66 69 63 61 74 65 tificate

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4F 29 20 4D AE B4 83 92 FC 20 7A BA 39 71 5D AE O) M..... z.9q].
0010: AF CC 46 06 ..F.
]
[C=BE, OU=FOR TEST ONLY, O=OpenPeppol AISBL, CN=Peppol POC Root TEST CA]
SerialNumber: [ dd912397 cfc94dcc]
]

[3]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[6]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 38 98 30 03 F2 54 5D 29 E2 09 7C 92 9E 1E 9A 7E 8.0..T])........
0010: 29 92 33 BF ).3.
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 94 97 99 21 A5 F5 80 DE A9 D8 6A 51 47 8B BF BE ...!......jQG...
0010: 86 B6 21 F5 DA 44 F9 F9 B4 EC 9F 89 6C B0 A3 30 ..!..D......l..0
0020: 38 3A 3B 2F 4D 8D F8 60 FF 0A E4 56 28 13 D0 8C 8:;/M.....V(... 0030: 6A D5 25 58 16 9B 0E D0 E0 59 33 B8 02 1C 2D 3C j.%X.....Y3...-< 0040: 71 F8 C0 2F 15 AE 61 18 0B B6 0D 22 6A 97 BE 4A q../..a...."j..J 0050: 88 3F AB 73 22 35 16 49 FE 00 85 BF 05 69 58 74 .?.s"5.I.....iXt 0060: B2 B0 D2 2C 40 94 AA 41 BD 00 F1 C7 13 AC 6D E0 ...,@..A......m. 0070: 8F D3 F2 F9 52 43 37 7E 04 84 BD 3D EC EC 3E 19 ....RC7....=..>. 0080: E1 B4 EF 85 AF B7 1C 48 2E 58 01 45 75 71 E1 D8 .......H.X.Euq.. 0090: 44 F4 70 67 5B 33 8B 7D 19 23 E3 B8 7D DA DE F5 D.pg[3...#...... 00A0: F3 8C DA 5E DD 0A 4F 82 45 14 9D 65 31 0B F2 51 ...^..O.E..e1..Q 00B0: CE 54 0C CD 0A 58 FA 62 B9 5E 3D 0D E1 70 46 5B .T...X.b.^=..pF[ 00C0: 7F 73 92 07 C4 27 67 01 DD 33 81 51 92 EC 4B 58 .s...'g..3.Q..KX 00D0: D0 DC 5A 64 7C 47 F1 29 52 1B 16 A6 49 00 23 A3 ..Zd.G.)R...I.#. 00E0: 87 1B 22 5F 7F 23 16 53 6A 0F 76 0B 1A AE D5 8D .."_.#.Sj.v..... 00F0: 15 F0 26 8D 37 A6 2D E7 D3 37 F9 55 3C 45 14 5E ..&.7.-..7.U<E.^ 0100: 50 3C 03 7D E0 A6 B3 9F 61 CD A0 D7 B6 42 30 6E P<......a....B0n 0110: D3 A8 CC CB 96 0B 7D 6A 9D DC D8 88 62 36 96 0A .......j....b6.. 0120: 7B 52 AB E7 A8 AA 33 61 4B F0 8E 4D 48 3B 05 7B .R....3aK..MH;.. 0130: 02 69 5A 06 A0 D0 3F 1E E3 81 BD AB 27 21 D0 A3 .iZ...?.....'!.. 0140: 38 86 DD EF AC F1 28 BB 0F 2C 22 21 09 C9 1C AB 8.....(..,"!.... 0150: 96 67 47 DF 47 70 97 7C 4D 1D CB AE DE 14 DE 69 .gG.Gp..M......i 0160: CC 76 A2 85 4A 80 EF DA 4B 2B 67 A4 E2 72 48 ED .v..J...K+g..rH. 0170: 9C 5C 90 5A D9 03 E7 D6 3B 2B AC 2D EA 2F E8 FA .\.Z....;+.-./.. 0180: 26 14 C2 44 09 4C 53 43 60 9E 6B 09 45 F6 97 68 &..D.LSC.k.E..h
0190: 1F 96 27 22 71 F6 A0 87 08 6E 96 86 74 1D F1 66 ..'"q....n..t..f
01A0: 53 89 71 DD 02 CA BF 8F 5B 4D A6 75 37 54 4B 1A S.q.....[M.u7TK.
01B0: FC B6 A0 C3 1E 02 30 92 08 86 F1 58 60 E9 DD 64 ......0....X`..d
01C0: 03 4A DA A5 BF F7 E1 7D F0 37 34 F6 73 D8 1B DA .J.......74.s...
01D0: 1A 84 A5 36 50 B5 44 E4 C6 76 AE D5 CA 38 15 DF ...6P.D..v...8..
01E0: 0E 07 62 A6 3B 35 8D B0 3A EB 33 4A 15 46 7C F0 ..b.;5..:.3J.F..
01F0: 93 D5 B0 4A 40 AF AA 5C 9F BF 32 1A 1D 4A 91 B5 ...J@....2..J..

]

against 3 valid CAs:
[[
[
Version: V3
Subject: CN=PEPPOL ACCESS POINT TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 4096 bits
params: null
modulus: 702670376281732177179361795446115091455613494938546790540863100810360289859788859464340388283668675006467579706932132561117665273292280034883571848704645482209824279233775801879654810164786441247258878184648798268311188278719159223115847926738311253538914139831691245160151339859271895857863261441069456628132672198184787178891003984173259102256722924127571864567987316755204560816026889177935904880116306627413263671701345521860443856583898003028711704861399475532851444204036464286796419019904276371865956652223079348455675138128107876327230719363590615307922737053230717909451379618078400275750134773824780594897665223552400109784276016714697310857982982618566491508731139858101466489337607414865152293260856386980054119579755067188005442612486757254864839046221351353640308468654080673543737918071876876149967458215484134400296631472646066655467397467960782063724197908138564707112663965600231034067025182038226556781284671222353379316794545835861515782843995603429331501887520620089126589036013112157545954069384666559467767852098267069349815151922930706753220769016764780315905915580516879441088672074635047030637319050012708345718252672532856668372071737842147270717590975771167751227955667778102390887888839673212294251586753
public exponent: 65537
Validity: [From: Wed Jan 03 19:00:00 EST 2018,
To: Sun Jan 02 18:59:59 EST 2028]
Issuer: CN=PEPPOL Root TEST CA - G2, OU=FOR TEST ONLY, O=OpenPEPPOL AISBL, C=BE
SerialNumber: [ 36549386 b9e6b821 d2892d5a 9ee9ae60]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FC 8A 99 9B 1E F2 1D 53 B5 94 52 F7 CE 92 18 E0 .......S..R.....
0010: 59 DE 6F 5A Y.oZ
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki-crl.symauth.com/offlineca/OpenPEPPOLAISBLPEPPOLRootTESTCAG2.crl]
]]

[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=SYMC-4096-9
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6B 6F 4B B6 F1 37 BA 2B 3C 7F 18 CD BA 2B B2 B9 koK..7.+<....+..
0010: 7C 2A 37 EB .*7.
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 84 40 F7 4B 58 A5 EE 73 02 DF DF A4 84 DE 5B EE .@.KX..s......[.
0010: 20 C7 85 D2 65 A3 99 0E 0E 20 B4 84 62 8A E2 AD ...e.... ..b...
0020: 21 6E D2 09 FA B8 E4 04 59 D6 FF B2 86 37 6E 44 !n......Y....7nD
0030: 82 64 57 8C 2F 46 ED 7D A2 DC A0 73 CE E7 0C 53 .dW./F.....s...S
0040: 0D FA 14 E4 81 DB B2 86 F5 AA 56 6D FA 86 4D 66 ..........Vm..Mf
0050: E8 C8 75 11 EB A7 5E EC D7 8E EB 84 55 B4 02 1D ..u...^.....U...
0060: 11 64 1C 83 12 63 E1 08 2B 98 28 1F 86 A1 F4 46 .d...c..+.(....F
0070: E8 C6 F7 6D E7 3E 78 B5 75 A7 6A 12 A6 DB 41 B0 ...m.>x.u.j...A.
0080: 35 38 9D DC 0D 60 C0 FE 60 7D 56 F9 A2 16 DF 64 58......V....d
0090: CD 08 CA 2E 6C A4 CA 8B 7B AB A0 10 D3 64 4E 56 ....l........dNV
00A0: AA FB 8A 19 23 A7 1E B7 4B 77 80 58 39 8E 68 8A ....#...Kw.X9.h.
00B0: B7 63 61 57 1D 91 0D D7 41 89 55 E7 5A 73 4E 45 .caW....A.U.ZsNE
00C0: F2 4E 11 87 2A DE DF 94 FF 5E 92 95 BD A8 CC 27 .N......^.....'
00D0: 86 E6 A6 8B 8B E9 A5 E8 E5 34 88 F0 9E 68 15 D4 .........4...h..
00E0: 20 8F F9 25 36 06 F5 FC 1D AD 48 35 40 86 44 17 ..%6.....H5@.D.
00F0: 77 EE EE 83 37 73 AD EF B1 FC 99 6C 73 99 A3 9A w...7s.....ls...
0100: 92 53 DA DF 1A B2 0C F1 49 14 AC 31 3C C9 68 38 .S......I..1<.h8
0110: EB 55 1F 71 45 77 C0 89 5E BE B7 03 91 B1 6C DA .U.qEw..^.....l.
0120: DE E8 FF 5E 16 08 C8 49 04 6B 59 1D 47 CF 6C A4 ...^...I.kY.G.l.
0130: 0D 98 D2 9B D0 6C 59 A8 9B D7 9B EB 0F C3 A4 F4 .....lY.........
0140: D0 D9 9E 87 E3 32 0F 28 2F 79 F2 48 DC F0 BA 01 .....2.(/y.H....
0150: 16 01 3A 98 F9 01 88 A7 5B 83 CC 91 96 1D 50 B4 ..:.....[.....P.
0160: 21 66 06 BF 56 93 E0 3E A7 3D 03 76 90 54 21 D7 !f..V..>.=.v.T!.
0170: 1F CC FB 9F 9F 16 FB B7 8B 90 18 41 1B B6 9D F1 ...........A....
0180: A4 0C 35 EB 9E 70 DF 26 57 AD 07 27 AF E3 D1 CC ..5..p.&W..'....
0190: 40 4C 0F 44 05 64 41 FB 88 53 12 1A 50 0C 9B 16 @L.D.dA..S..P...
01A0: FC 62 7C 3E 81 0E 85 A1 6A 58 18 B4 E6 AC 80 1F .b.>....jX......
01B0: 1C 19 E0 A7 B1 3F 54 15 B4 73 E9 C9 86 9A 48 55 .....?T..s....HU
01C0: 21 1B 29 9A 8C B8 91 49 28 15 FB 75 BA 49 E0 A7 !.)....I(..u.I..
01D0: 2E E0 C7 62 08 7C 8E E5 04 5F 08 59 31 DF 5E D2 ...b....._.Y1.^.
01E0: C9 91 90 21 51 4E 2A E3 27 39 9A DA 47 F8 1A 49 ...!QN.'9..G..I
01F0: E1 A9 B2 A9 54 11 B9 BB C7 76 50 5D 80 8C 72 F7 ....T....vP]..r.

], [
[
Version: V3
Subject: CN=PEPPOL ACCESS POINT CA - G2, O=OpenPEPPOL AISBL, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 4096 bits
params: null
modulus: 806300775412356148433025459266696314493160985673292907714781687765283932342429535883072325819888981507513607324483930481865770241157173171704196339129750552536789629635509050583750549707189038918632181492661362104283298076957025060311126427505367224608081304584055697094704097516896670163923994497458384176271506704135996267087543912684482810132780403321982224618583239520861841211681644878912366588473233111183936890354103221069065478309297157672237849287121823828866135471165128431994352942334965428528803603897490011918702509193462741304933980169416559926795197338265104156414485991639181994973435700335882328070840485461366703553004548468232089189707513152253264568239105783752899429394030884891823917010642475963494038822763179457026874977557284449609130509603596667623954424682021100386788041316288132739023102252709904215527324463291279807323251505755355682291035677255836373487999709019017198865162359395443700788696146609536204988592099869978825454798362868980805991092485566472024987329413460755719543232205459846521168990398193456247806980378796445764552887468460269921464540758688553123882060106098027730824365550360425939983623490477576337369473456464481917802288769677390257514236594269739258575689469432699148919172089
public exponent: 65537
Validity: [From: Wed Jan 03 19:00:00 EST 2018,
To: Sun Jan 02 18:59:59 EST 2028]
Issuer: CN=PEPPOL Root CA - G2, O=OpenPEPPOL AISBL, C=BE
SerialNumber: [ 40487879 fbece82c 9a926b83 3467eb39]

Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 69 FB 0A C7 4F C0 AD 10 3A E1 AC 14 C8 DA C5 .i...O...:......
0010: C2 FF B4 86 ....
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://pki-crl.symauth.com/offlineca/OpenPEPPOLAISBLPEPPOLRootCAG2.crl]
]]

[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=SYMC-4096-7
]

[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 87 25 DF 5B 23 A6 C4 3B F9 9F DF 1B A5 20 91 DD .%.[#..;..... ..
0010: E4 F4 3C 81 ..<.
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 7A EB 14 58 94 D2 63 48 3C C4 8E 48 43 8C E7 3D z..X..cH<..HC..=
0010: A5 01 04 54 F3 43 79 4F 79 08 DD F7 FE 4B 58 E7 ...T.CyOy....KX.
0020: 94 0B 79 EF 6C 0E 20 21 7C F3 96 97 41 A1 46 8B ..y.l. !....A.F.
0030: F4 68 94 5A B5 C3 DF D0 DF 08 F5 86 EA 85 9D E9 .h.Z............
0040: D2 B5 11 B7 B7 3D 7F F9 32 AC 15 67 A4 38 4F 02 .....=..2..g.8O.
0050: 34 3D DA C0 DD E8 93 38 C4 1F 88 56 00 7D D6 DD 4=.....8...V....
0060: 83 6F 36 D0 66 2B 25 EA 66 00 3B 93 8A 56 C3 8E .o6.f+%.f.;..V..
0070: E0 45 08 2E 24 79 26 53 5A F1 2D F6 2D 83 41 A0 .E..$y&SZ.-.-.A.
0080: 1D B8 D4 85 42 57 3F 90 DF 33 6B BA 3D 68 46 27 ....BW?..3k.=hF'
0090: E4 C2 9A 40 F5 27 19 43 3C CF 1B FE 15 18 C2 A2 ...@.'.C<.......
00A0: E3 36 02 64 FD 4A E7 E8 2B B4 60 14 E7 A8 B3 55 .6.d.J..+.....U 00B0: 9B F6 F3 78 DF FC 0F F6 EA C4 6B DC 4A 30 9C F4 ...x......k.J0.. 00C0: 4F 3C B2 46 E5 31 A8 0D 73 50 C4 3A 15 FE F1 4F O<.F.1..sP.:...O 00D0: A9 81 84 F3 CA 2C 2D 83 E0 3A 10 5E 82 A8 52 7B .....,-..:.^..R. 00E0: D5 EA 62 58 CE 4A C6 22 4C A8 CF 35 20 52 F9 BA ..bX.J."L..5 R.. 00F0: DB 91 CA F5 06 2D 5E D5 E5 4D 82 B2 05 64 95 48 .....-^..M...d.H 0100: 32 B1 06 75 6F 67 62 F3 AB 75 BA 6F 75 25 7B 8D 2..uogb..u.ou%.. 0110: F9 6D B1 CA D0 F6 60 1A 00 E6 89 C8 12 59 D9 A2 .m..........Y..
0120: EE CD E2 01 88 6D 3F 1F 53 EB 03 77 EA 62 D4 EB .....m?.S..w.b..
0130: 04 67 50 0E 4E E5 CB D1 F2 9A 59 43 4F 1D 5B 3F .gP.N.....YCO.[?
0140: 6A 40 D0 49 F9 CE 6E 1A 81 BF 03 0D 53 2B EF F2 j@.I..n.....S+..
0150: 5B F6 27 E4 48 22 D0 73 82 96 3D 42 65 1F 46 39 [.'.H".s..=Be.F9
0160: D0 71 2F 0F 19 36 13 BB E9 3E 79 41 2A C6 13 F7 .q/..6...>yA*...
0170: 20 31 02 15 2E DD 7B 78 41 56 7F 92 81 5F 14 76 1.....xAV....v
0180: 99 8E 93 69 08 70 10 3D 6F 4E 59 7A 8E D7 34 51 ...i.p.=oNYz..4Q
0190: E4 B4 00 B7 3D 08 0B 45 A8 F3 9E C5 CF F9 BD A0 ....=..E........
01A0: A8 88 1C CE 11 8A 40 C0 3B 2D EC 9F A3 05 2B B8 ......@.;-....+.
01B0: C7 1D D9 86 21 5F D9 38 45 99 81 74 41 49 22 07 ....!.8E..tAI".
01C0: B5 2C B6 6A 98 06 49 50 0E 89 9D C5 7A E4 B1 20 .,.j..IP....z..
01D0: DE FA 41 51 B8 73 FF B9 32 57 6B 91 0C D7 08 4F ..AQ.s..2Wk....O
01E0: 26 B6 2F 9A 7C F1 94 3B A7 A6 6E 4E 11 DF A2 49 &./....;..nN...I
01F0: C3 AD 3B 2C 79 A1 53 4E B0 2E F3 F0 5C 9A 26 09 ..;,y.SN.....&.

], [
[
Version: V3
Subject: CN=Peppol FRPOC AP TEST CA, O=OpenPeppol AISBL, OU=FOR TEST ONLY, C=BE
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 4096 bits
params: null
modulus: 800592361808702220462672843098399188125556215679971511657102654496224235024826113149810387147530440645730793072195355231802579907801188693581214872845499468503719273356590008248128506955961286909584642856196415022753893115334362069173777237835135505941013104846901220693109140829602008009237897152600607759095714586404236342552377162405115539989471850453121741154408548599131548858678046630926482959373157971172049846363616768274397303213018306089404781186650750322055602246598688738410611527790282975024048045868372163873564602824125276713470804433816176762568472573825407471068286947896280074953955784113427949980412639939726868338547327263659438637751679938254883546971029999795855731601729538765312262120957465323306816429443580828234210152714129444044764127649983335917999524700845326494978382148661581358206033939093096052044727817142861049779957745740774337040521038301229985092608075191040687888103239313220494130629834442621389817054830233972922425737624224267443207516786523972942493240380361571451929090777859490857352868925203918967715268915621867843220184814636387661770552237542036402460054934524644128875572134386154673359170498590574675304896354249399975624574463933401613311685498664192203608971591538274548123062831
public exponent: 65537
Validity: [From: Tue Mar 28 02:51:37 EDT 2023,
To: Fri Aug 12 02:51:31 EDT 2050]
Issuer: C=BE, OU=FOR TEST ONLY, O=OpenPeppol AISBL, CN=Peppol POC Root TEST CA
SerialNumber: [ dd912397 cfc94dcc]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A7 A7 67 26 0D 70 11 CB 27 CD 0D 96 EB 2E A1 87 ..g&.p..'.......
0010: 62 D7 DC 9C b...
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4F 29 20 4D AE B4 83 92 FC 20 7A BA 39 71 5D AE O) M..... z.9q].
0010: AF CC 46 06 ..F.
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 7C 32 C7 A3 7A 7B 51 41 96 5A FA EC 68 37 BA F0 .2..z.QA.Z..h7..
0010: B7 D9 EE A0 29 E4 32 AC EF ED 75 80 60 EC 68 75 ....).2...u..hu 0020: 02 E7 61 49 D4 B8 85 08 37 4F 09 96 36 8B 94 BA ..aI....7O..6... 0030: 30 89 B1 4C B3 93 5C B6 A0 26 A9 44 5E 66 73 01 0..L..\..&.D^fs. 0040: 4E 53 1E 5B 52 70 50 72 3B DE 0D 87 BD 8F 37 F2 NS.[RpPr;.....7. 0050: F4 8F BB 04 B0 22 75 B3 36 DF FA 5F 8D AC BD 4C ....."u.6.._...L 0060: 41 F2 64 33 F6 AE 49 04 2E CA B9 1C 7D 5F EB C9 A.d3..I......_.. 0070: 38 0D D6 6F EA 03 A4 CB E6 BF 30 87 81 73 4C E4 8..o......0..sL. 0080: 4B 8B 3B BB B5 AE F3 74 CA 23 AE 4B 6A 33 83 94 K.;....t.#.Kj3.. 0090: FC 8B 52 DA 7B D8 20 17 46 A6 78 D6 3B 59 DB 37 ..R... .F.x.;Y.7 00A0: F6 DB B5 8E 41 A1 E5 BD 40 FC B7 F9 DA 73 C8 3C ....A...@....s.< 00B0: FF 06 5C B4 B5 03 77 2F 18 EA AD D3 F5 37 F9 CF ..\...w/.....7.. 00C0: B2 53 44 C7 5C AB E4 11 00 F0 A2 22 45 E3 DC A3 .SD.\......"E... 00D0: 5A C1 66 46 D4 B1 FF BC 51 96 18 CA 8B D3 D2 3F Z.fF....Q......? 00E0: 85 22 B3 67 1D E2 AC 14 50 3A B9 8C C8 EA CF 85 .".g....P:...... 00F0: A4 47 2A 8D F5 34 A8 59 5E 43 A1 67 FE E9 CC 44 .G*..4.Y^C.g...D 0100: 10 4A F0 FA 24 2A 93 47 BC 5C B8 B2 32 CB 64 C3 .J..$*.G.\..2.d. 0110: E8 8F 0C 22 22 DF B9 03 0F C9 D5 72 D1 45 64 CB ...""......r.Ed. 0120: 82 80 0A 0A 55 06 2B 66 3D AE 76 08 ED 07 46 1D ....U.+f=.v...F. 0130: F0 22 D0 0A 91 3A B8 FC A7 CC CD F5 5C 59 29 24 ."...:......\Y)$ 0140: 6A 3F C4 4A 96 D7 57 6A 95 0D F1 07 D9 D6 33 86 j?.J..Wj......3. 0150: 68 31 04 CB 12 45 89 3F 09 2A 89 6E F3 4D 3A AE h1...E.?.*.n.M:. 0160: 9B 8F 1A 5A 29 84 50 E7 B4 A0 D2 73 DD 0C 3A EE ...Z).P....s..:. 0170: FF 7A 25 B6 6B B5 19 E4 E3 F5 5C 99 A6 D1 77 FC .z%.k.....\...w. 0180: 8E 40 5E 8D 5E D7 19 9F 78 2C 74 2C 2D B3 11 D2 .@^.^...x,t,-... 0190: 94 83 7A A9 B9 07 72 9D B9 08 E1 C1 59 F8 50 27 ..z...r.....Y.P' 01A0: CA 1C D3 FE 2D C0 2F 7C 3E 3F FA 2C 89 DE 5B 97 ....-./.>?.,..[. 01B0: 8F E0 6E 74 A9 94 BA BD 8F 60 C2 A2 5A A0 E1 5F ..nt.......Z.._
01C0: 6F 35 D5 2F DB A7 1B 17 78 4F 1D 2C BF 3A 6A FB o5./....xO.,.:j.
01D0: A0 F8 F9 89 56 37 E9 F3 81 20 D2 C5 1E 21 26 9D ....V7... ...!&.
01E0: F3 1E C0 2C 6C DD 65 CC A0 F3 64 ED 09 37 9A 8C ...,l.e...d..7..
01F0: 56 B2 61 92 AB AE 12 C7 DD 1D 66 EF 3C 11 D6 F4 V.a.......f.<...

]]
[DEBUG] 2023-05-24 01:14:22.901 [main] CertificateRevocationChecker - OCSP/CLR effective options = [ONLY_END_ENTITY, NO_FALLBACK]
[ERROR] 2023-05-24 01:14:22.910 [main] CertificateRevocationChecker - Error running certification revocation check: sun.security.provider.certpath.SunCertPathBuilderException - unable to find valid certification path to requested target
[WARN ] 2023-05-24 01:14:22.910 [main] CertificateRevocationChecker - Certificate is revoked
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
at com.helger.peppol.utils.CertificateRevocationChecker$AbstractRevocationCheckBuilder.lambda$build$1(CertificateRevocationChecker.java:679) ~[peppol-commons-9.0.5.jar:9.0.5]
at com.helger.peppol.utils.CertificateRevocationChecker$AbstractRevocationCheckBuilder.build(CertificateRevocationChecker.java:703) [peppol-commons-9.0.5.jar:9.0.5]
at com.helger.peppol.utils.PeppolCertificateChecker.checkCertificate(PeppolCertificateChecker.java:477) [peppol-commons-9.0.5.jar:9.0.5]
at com.helger.peppol.utils.PeppolCertificateChecker.checkPeppolAPCertificate(PeppolCertificateChecker.java:515) [peppol-commons-9.0.5.jar:9.0.5]
at com.helger.phase4.peppol.server.servlet.Phase4PeppolWebAppListener._initPeppolAS4(Phase4PeppolWebAppListener.java:213) [classes/:?]
at com.helger.phase4.peppol.server.servlet.Phase4PeppolWebAppListener.initManagers(Phase4PeppolWebAppListener.java:333) [classes/:?]
at com.helger.photon.core.servlet.WebAppListener.contextInitialized(WebAppListener.java:722) [ph-oton-core-9.1.0.jar:9.1.0]
at org.eclipse.jetty.server.handler.ContextHandler.callContextInitialized(ContextHandler.java:1046) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:624) [jetty-servlet-11.0.15.jar:11.0.15]
at org.eclipse.jetty.server.handler.ContextHandler.contextInitialized(ContextHandler.java:983) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:740) [jetty-servlet-11.0.15.jar:11.0.15]
at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:392) [jetty-servlet-11.0.15.jar:11.0.15]
at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1305) [jetty-webapp-11.0.15.jar:11.0.15]
at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:902) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:306) [jetty-servlet-11.0.15.jar:11.0.15]
at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:533) [jetty-webapp-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.bindings.StandardStarter.processBinding(StandardStarter.java:40) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCycle.java:183) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(DeploymentManager.java:516) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.DeploymentManager.addApp(DeploymentManager.java:151) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileAdded(ScanningAppProvider.java:186) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded(WebAppProvider.java:462) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fileAdded(ScanningAppProvider.java:58) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.Scanner$DiscreteListener.pathAdded(Scanner.java:282) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:836) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.java:802) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.Scanner.scan(Scanner.java:709) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:597) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doStart(ScanningAppProvider.java:158) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider(DeploymentManager.java:605) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.deploy.DeploymentManager.doStart(DeploymentManager.java:246) [jetty-deploy-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:171) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.server.Server.start(Server.java:470) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:89) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.server.Server.doStart(Server.java:415) [jetty-server-11.0.15.jar:11.0.15]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) [jetty-util-11.0.15.jar:11.0.15]
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1875) [jetty-xml-11.0.15.jar:11.0.15]
[DEBUG] 2023-05-24 01:14:22.921 [main] CertificateRevocationChecker - OCSP/CLR revocation check took 43 milliseconds
[WARN ] 2023-05-24 01:14:22.921 [main] PeppolCertificateChecker - The Peppol Certificate is revoked [no caching]
[ERROR] 2023-05-24 01:14:22.922 [main] WebAppListener - Context Initialization Error
com.helger.commons.exception.InitializationException: The provided certificate is not a valid Peppol AP certificate. Check result: REVOKED

1 reply

phax May 24, 2023
Maintainer Author

Okay, that looks much better. Most likely you are running Java 17.0.4 or later, that has a broken OSCP check. See #124 for details and the related JDK bug in https://bugs.openjdk.org/browse/JDK-8296343
So either downgrade to Java 11 or wait for Java 17.0.8

hth

P.S. to disable the OSCP check in general, try setting this globally before the certificate check kicks in: CertificateRevocationChecker.setRevocationCheckMode(ERevocationCheckMode.NONE) - but be careful, this disables the revocation check globally.

ghost · 2023-05-24T18:49:17Z

ghost
May 24, 2023

Nein :(,
We are running Jetty 11.0.15 with OpenJDK 11.0.18.
The workaround can be used for the PoC but not for production (Disabling revocation check is working).
Any idea on the root cause or perhaps a wrong coding ?

1 reply

phax May 24, 2023
Maintainer Author

Well, for the French PoC certificate, no OCSP is available, because it is based on a self-created PKI (for cost reasons). Therefore we need to be able to disable the OCSP per use case. On startup you can clearly disable the OCSP by passing ERevocationCheckMode.NONE as the last parameter to PeppolCertificateChecker.checkPeppolAPCertificate - that just assumes you trust your certificate setup :)

For the sending and reception of messages, separate activities are necessary, as also the SMP client should not check for the result of
Are you on the latest phase4 version? Than I can try to add some quick switch...

ghost · 2023-05-24T19:25:48Z

ghost
May 24, 2023

In brief, we have already added some code to load both certificates according to the associated settings in the configuration.
If these settings are set, then we load the certificates using the given paths and disable the revocation check (as you described previously).
The phase4 used is the 2.1.0.
We will check the behavior of our client used to send messages and disable revocation if a similar issue appears.
Did you use some code analyzer like SonarQube or else ?

0 replies

binaradarsha · 2023-09-27T10:02:23Z

binaradarsha
Sep 27, 2023

Hi, is adding the Peppol France POC CA cert to certificate checker essential? PeppolCertificateChecker.addTrustedPeppolAPCACertificate (cert);
Does that just check the certificate expiration?
When it is retrieved from our trustore.jks won't it be automatically validated without adding to the PeppolCertificateChecker?

3 replies

phax Sep 27, 2023
Maintainer Author

Adding the trusted certificate is essential.
Checking the expirarion can be done with the certificate itself, but to check the chain to the issuer, the trusted certificate is needed.
See below picture for the structure:

binaradarsha Sep 27, 2023

Actually we have stored Peppol CA certs in our truststore.jks. But as I realize now no need of do that, correct place to store those is PeppolCertificateChecker.PEPPOL_AP_CA_CERTS.

In a scenario we send a document to a Peppol customer, it will send back the signal message including its certificate. Since that individual certificate is not stored in our truststore.jks to validate, then it will be checked whether it is signed by the Peppol CA cert retrieved from PeppolCertificateChecker.PEPPOL_AP_CA_CERTS.
Is this correct?

phax Sep 27, 2023
Maintainer Author

For the first thing: yes
Regarding the Signal message - that is handled via the wss4j "Crypto" object and therefore it needs to be in the configured truststore.
I think my approach with the PeppolCertificateChecker is a bad choice, and instead I just should have used a TrustStore instead - I will try to think this through for future releases (using #173 for that)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

phase4 and the Peppol French PoC #127

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 6 comments 5 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

phase4 and the Peppol French PoC #127

phax May 17, 2023 Maintainer

Summary

a) AP certificates

c) Issue with Document Type Identifier parsing

Replies: 6 comments · 5 replies

ghost May 23, 2023

phax May 23, 2023 Maintainer Author

ghost May 24, 2023

phax May 24, 2023 Maintainer Author

ghost May 24, 2023

phax May 24, 2023 Maintainer Author

ghost May 24, 2023

binaradarsha Sep 27, 2023

phax Sep 27, 2023 Maintainer Author

binaradarsha Sep 27, 2023

phax Sep 27, 2023 Maintainer Author

phax
May 17, 2023
Maintainer

Replies: 6 comments 5 replies

ghost
May 23, 2023

phax
May 23, 2023
Maintainer Author

ghost
May 24, 2023

phax May 24, 2023
Maintainer Author

ghost
May 24, 2023

phax May 24, 2023
Maintainer Author

ghost
May 24, 2023

binaradarsha
Sep 27, 2023

phax Sep 27, 2023
Maintainer Author

phax Sep 27, 2023
Maintainer Author