19

When I try to use java APNS to send the push notification to iOS, I get this error message:

com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I already tried converting the certificate to Personal Information Exchange (.p12) and am also getting the same error. Does anyone know the problem and how to resolve it?

Here is my Java code:

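```java
import com.notnoop.apns.APNS;
import com.notnoop.apns.ApnsService;

// Build the APNs client from the keystore file and its password.
ApnsService service =
    APNS.newService()
        .withCert("src/net/notification/ck.jks", "******")
        .withSandboxDestination()
        .build();

// record is the application's own notification object.
String payload = APNS.newPayload().alertBody(record.getSendMsg()).build();
String token = record.getToken();
service.push(token, payload);
```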

Thanks.

Rashad
user3479640
  • To reproduce: `> keytool -list -keystore keystore.jks -storetype pkcs12` gives `keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.`. Make sure you specify `-storetype` when using `keytool`. – Nick Grealy Apr 28 '16 at 06:45

6 Answers

29

This occurs because the system thinks you are trying to read a different type of keystore and not JKS. You will need to specify that the file is JKS or convert it to the other format.

I see that you have already tried converting to .p12. If you did this correctly, perhaps there is some other default format. I recommend finding out how to specify JKS instead.

user3251514
  • 1
    Thank you. I am using a Java app with an embedded Jetty server. Specifying trustStoreType: JKS made the problem go away. – Goran Nov 19 '15 at 11:01
  • 2
    fyi: Even files ending with .p12 might not work when used with type "pkcs12" - I just removed the explicitly set type from my server.ssl.trust-store, now it's working – crusy May 17 '17 at 13:48
14

I had the same problem but my solution will help you only if you are using Maven.

Maven resource filtering (that lets you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.

In general, binary content shouldn't be filtered. But I couldn't just simply disable resource filtering because I have some .properties files that include variables. So the solution was to exclude .p12 files from filtering.

```xml
<build>
    [...]
    <resources>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>true</filtering>
            <excludes>
                <exclude>**/*.p12</exclude>
            </excludes>
        </resource>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>false</filtering>
            <includes>
                <include>**/*.p12</include>
            </includes>
        </resource>
    </resources>
    [...]
</build>
```

More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html

Zsolt Safrany
6

Delete "keystoreType" line

I don't know WHY this works. But if I have this line in my server.xml..

keystoreType="PKCS12"

...then Tomcat will NOT start and give me the DerInputStream.getLength(): lengthTag=109, too big error instead.

But if I DELETE that line then Tomcat will start nicely. No idea why that works. Feels dirty.

StackzOfZtuff
  • 1
    This solution helped me, but not sure whether it will affect or make a security breach? – mramsath Dec 23 '19 at 06:46
  • @mramsath this just defaults the keystoreType, according to this: http://support.ptc.com/help/thingworx/azure_connector_scm/en/index.html#page/thingworx_scm_azure/azure_connector/c_azure_trbl_input_stream_getlength_too_big.html – Omri Shayo Nov 11 '21 at 14:38
  • 1
    Had the same problem with keytool. This helped! Most likely the initial keystore was not of the type pkcs12. Show the type of your keystore with `keytool -list -keystore ck.jks`. – leo Mar 25 '22 at 10:27
4

If you use Maven, this is probably occurring because of the Maven filtering in your whole resources folder. I've tried Zsolt Safrany's solution above and it did not work. However, reading the documentation he shared, I've found this:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <version>3.0.1</version>
  <configuration>
    <nonFilteredFileExtensions>
      <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    </nonFilteredFileExtensions>
  </configuration>
</plugin>
```

Which excludes binary extensions (or any extension you want) from being filtered.

alevilla86
3

I had this problem and figured out the problem is that the truststore.p12 is actually in JKS or corrupted.

The keytool command to test the truststore for PKCS12 compliance is:

```
keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
```

I was able to correct this by doing a forced JKS to PKCS12 conversion.

With the following instruction:

```
keytool.exe -importkeystore -srckeystore truststore.jks -destkeystore truststore1.p12 -srcstoretype JKS -deststoretype PKCS12
```

Then a successful test would provide something like:

```
keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12


Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 3 entries

certificates-4, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): CF:E3:01:1F:A3:30:C5:B1:B9:2B:C5:28:1B:8C:66:71:EA:B8:67:0D
certificates-3, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
certificates-2, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): FA:5F:98:E8:02:2E:81:05:DB:DF:24:48:65:6A:E5:76:C1:31:CB:28
```
Dudi Boy
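
Why the message reads lengthTag=109, as an added example that is not code from any of the answers: it covers both the keystore-type mismatch described in the first answer and the "actually in JKS or corrupted" case in the answer above. A JKS file begins with the bytes FE ED FE ED, and a DER reader expecting PKCS12 takes the second byte, 0xED, as a long-form length announcing 0x6D = 109 length octets. The function names and sample byte strings are constructed for illustration, and `text_round_trip` is an assumed model of a filter rewriting a binary file as UTF-8 text.

```python
JKS_MAGIC = bytes.fromhex("feedfeed")    # header of a JKS keystore
JCEKS_MAGIC = bytes.fromhex("cececece")  # header of a JCEKS keystore
REPLACEMENT = "\ufffd".encode("utf-8")   # EF BF BD, left by a lossy text rewrite


def der_length_tag(data: bytes):
    """What a DER reader makes of byte 1: None for a short-form length,
    otherwise the number of length octets it announces (valid: 0 to 4)."""
    if len(data) < 2:
        raise ValueError("need at least two bytes")
    first_len = data[1]
    return None if first_len & 0x80 == 0 else first_len & 0x7F


def classify(data: bytes) -> str:
    """Guess the container format from the first bytes of a keystore file."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if REPLACEMENT in data[:64]:
        return "CORRUPTED"       # heuristic: binary file was rewritten as text
    tag = der_length_tag(data)
    if data[0] == 0x30 and (tag is None or tag <= 4):
        return "DER"             # ASN.1 SEQUENCE, as a PKCS#12 file is
    return "UNKNOWN"


def text_round_trip(data: bytes) -> bytes:
    """Assumption: models a filter that treats the file as UTF-8 text."""
    return data.decode("utf-8", errors="replace").encode("utf-8")


# Constructed samples: only the leading bytes of each format, not real keystores.
JKS_HEAD = JKS_MAGIC + bytes.fromhex("00000002" "00000000")  # version 2, 0 entries
P12_HEAD = bytes.fromhex("30820a3c" "020103")                # SEQUENCE, INTEGER 3
FILTERED_P12 = text_round_trip(P12_HEAD)

if __name__ == "__main__":
    samples = [("jks", JKS_HEAD), ("p12", P12_HEAD), ("filtered p12", FILTERED_P12)]
    for name, blob in samples:
        print(f"{name:13} {classify(blob):10} lengthTag={der_length_tag(blob)}")
```

To check a real file, pass its first 64 bytes to `classify`; a result of "DER" is consistent with PKCS12 but does not prove it, since other ASN.1 files start the same way.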
1

In my case I found that something accidentally changed the javax.net.ssl.trustStore system property. The SSL debug property -Djavax.net.debug=ssl:trustmanager helped me a lot with the investigation.

bedla.czech