Reputation: 833
I need to use a Spring boot app on https. I have a letsencrypt signed key. I converted this cert to PKCS12 like this:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
I copied this keystore file to the resource directory and here is the config part:
require-ssl: true
server:
  port: 8443
  ssl:
    key-store-type: PKCS12
    key-store: classpath:keystore.p12
    key-store-password: xxxxx
    key-alias: tomcat
If I check this keystore, I've got this:
keytool -list -keystore keystore.p12
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, May 15, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256):
And when I start my app:
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:599)
    at sun.security.util.DerValue.init(DerValue.java:391)
    at sun.security.util.DerValue.<init>(DerValue.java:332)
    at sun.security.util.DerValue.<init>(DerValue.java:345)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1938)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:449)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:353)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:606)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:371)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:763)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
Do I need to configure anything else? Thanks, Zamek
Upvotes: 11
Views: 22626
Reputation: 6905
Just got this error today... by accident I looked at my .p12 file when doing a git diff in my code repository and I think that somehow tampered with the cert.
I deleted the .p12 locally and copied it in fresh and didn't get the error when rerunning a test against the third-party API that requires the .p12 cert.
So you might need to just copy that .p12 file in fresh to get around this error because that file has possibly been tampered with by accident.
Upvotes: 0
Reputation: 21
I resolved my issue by rebuilding the project. That would imply that some binaries were built with different versions of dependencies and that caused this error, which is kind of my understanding of @Fatih's answer.
Upvotes: 2
Reputation: 439
Try the settings below in your pom.xml. Exclude p12, pem, jks or other kinds of certificate files from the maven-resources-plugin filtering process.
<!-- insert into <build>/<resources>; keep your existing filtered <resource> entry
     and add the same patterns to its <excludes>, otherwise the filtered pass
     copies the keystore a second time and rewrites it -->
<resource>
    <directory>src/main/resources</directory>
    <includes>
        <include>**/*.p12</include>
        <include>**/*.pem</include>
        <include>**/*.jks</include>
    </includes>
    <!-- binary files must be copied byte-for-byte, never through the text filter -->
    <filtering>false</filtering>
</resource>
<!-- also insert this plugin into <build>/<plugins>;
     replace ${maven-resources-plugin.version} and ${maven-filtering.version}
     with the versions you use -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-resources-plugin</artifactId>
    <version>${maven-resources-plugin.version}</version>
    <configuration>
        <!-- extensions listed here are copied verbatim even when filtering is on -->
        <nonFilteredFileExtensions>
            <nonFilteredFileExtension>pem</nonFilteredFileExtension>
            <nonFilteredFileExtension>p12</nonFilteredFileExtension>
            <nonFilteredFileExtension>jks</nonFilteredFileExtension>
        </nonFilteredFileExtensions>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.apache.maven.shared</groupId>
            <artifactId>maven-filtering</artifactId>
            <version>${maven-filtering.version}</version>
        </dependency>
    </dependencies>
</plugin>
Upvotes: 8
Reputation: 833
I found the problem: there was a resource filter plugin in my pom.xml that destroyed the key file. I had to exclude the key file from the resource filter plugin.
Upvotes: 38
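The stack trace in the question and the accepted answer fit together exactly, and the following added example (written for this page; it is not code from Spring Boot, Tomcat, the JDK or Maven) shows how. A PKCS#12 file is DER, so it starts with the SEQUENCE tag 0x30 and, for any file between 256 and 65535 bytes, the long-form length byte 0x82. A resource filter that pushes files through a text Reader decodes them as UTF-8; 0x82 is not valid UTF-8 on its own, so it is replaced by U+FFFD and written back as the three bytes EF BF BD. Java's DerInputStream.getLength() then reads 0xEF, masks off the high bit (0xEF & 0x7F = 0x6F = 111), finds that 111 length bytes exceed the four it allows, and throws precisely "lengthTag=111, too big". That also explains why keytool on the source file in the working directory reported a healthy keystore while the app failed: Spring loads the copy that Maven wrote to target/classes, and that is the copy the filter rewrote. The sample keystore bytes are constructed (a bare DER SEQUENCE around filler, not a real .p12), and the source/target paths in same_bytes are assumptions to adapt to your project layout.

```python
"""Added example: reproduce and detect the "lengthTag=111, too big" corruption
that a text resource filter inflicts on a binary PKCS#12 keystore.
Not code from Spring Boot, Tomcat, the JDK or Maven."""
import hashlib
import sys
from pathlib import Path


def der_get_length(data: bytes, offset: int = 1) -> int:
    """Port of sun.security.util.DerInputStream.getLength(): decode the DER
    length starting at data[offset]; raise OSError with the JDK's wording
    when the long-form tag asks for more than 4 length bytes."""
    len_byte = data[offset]
    if len_byte & 0x80 == 0:
        return len_byte                      # short form: the byte is the length
    num_bytes = len_byte & 0x7F              # long form: count of length bytes
    if num_bytes == 0:
        return -1                            # indefinite form (not allowed in DER)
    if num_bytes > 4:
        raise OSError(f"DerInputStream.getLength(): lengthTag={num_bytes}, too big.")
    return int.from_bytes(data[offset + 1:offset + 1 + num_bytes], "big")


def check_keystore(data: bytes) -> str:
    """Return "ok" when the outer DER header is sane and matches the file size,
    otherwise a message describing what Java would trip over."""
    if not data:
        return "empty file"
    if data[0] != 0x30:
        return f"not a DER SEQUENCE: first byte is 0x{data[0]:02x}"
    try:
        length = der_get_length(data)
    except OSError as exc:
        return str(exc)
    header_len = 2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0)
    if length < 0 or header_len + length != len(data):
        return f"DER length {length} does not match file size {len(data)}"
    return "ok"


def simulate_text_filter(data: bytes, encoding: str = "utf-8") -> bytes:
    """What a Reader/Writer based filter does to binary content: decode with
    replacement of malformed input, then re-encode. No ${...} placeholder is
    needed for the damage; the decode step alone rewrites every byte >= 0x80
    that is not part of a valid UTF-8 sequence."""
    return data.decode(encoding, errors="replace").encode(encoding)


def build_sample_keystore(payload_len: int = 1200) -> bytes:
    """Constructed stand-in for a .p12: a DER SEQUENCE with a 2-byte long-form
    length wrapping filler bytes. A real keystore starts the same way: 30 82 hh ll."""
    payload = bytes(i % 256 for i in range(payload_len))
    return b"\x30\x82" + payload_len.to_bytes(2, "big") + payload


def same_bytes(source: Path, built: Path) -> bool:
    """True when the copy the build wrote to the classpath is byte-identical to
    the source, e.g. src/main/resources/keystore.p12 vs target/classes/keystore.p12
    (paths are assumptions; adjust to the project layout)."""
    return (hashlib.sha256(source.read_bytes()).digest()
            == hashlib.sha256(built.read_bytes()).digest())


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 check_keystore.py src/main/resources/keystore.p12 target/classes/keystore.p12
        src, built = Path(sys.argv[1]), Path(sys.argv[2])
        print("byte-identical :", same_bytes(src, built))
        print("classpath copy :", check_keystore(built.read_bytes()))
    else:
        good = build_sample_keystore()
        bad = simulate_text_filter(good)
        print("source keystore   :", good[:4].hex(), "->", check_keystore(good))
        print("after text filter :", bad[:6].hex(), "->", check_keystore(bad))
```

Run it with no arguments to see the constructed keystore pass and its filtered twin fail with the JDK's exact message; run it with the source and target paths after `mvn package` to confirm the fix in the accepted answer actually took, which is the check worth wiring into CI so a later pom.xml edit cannot silently reintroduce the filter.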