Question
When I try to use java APNS to send a push notification to iOS, I get this error message:
com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
I already tried converting the certificate to Personal Information Exchange (.p12) and am also getting the same error. Does anyone know the problem and how to resolve it?
Here is my Java code:
    ApnsService service =
        APNS.newService()
            .withCert("src/net/notification/ck.jks", "******")
            .withSandboxDestination()
            .build();
    String payload = APNS.newPayload().alertBody(record.getSendMsg()).build();
    String token = record.getToken();
    service.push(token, payload);
Thanks.
Answer 1:
I had the same problem but my solution will help you only if you are using Maven.
Maven resource filtering (that lets you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.
In general, binary content shouldn't be filtered. But I couldn't just simply disable resource filtering because I have some .properties files that include variables. So the solution was to exclude .p12 files from filtering.
    <build>
      [...]
      <resources>
        <resource>
          <directory>src/main/resources</directory>
          <filtering>true</filtering>
          <excludes>
            <exclude>**/*.p12</exclude>
          </excludes>
        </resource>
        <resource>
          <directory>src/main/resources</directory>
          <filtering>false</filtering>
          <includes>
            <include>**/*.p12</include>
          </includes>
        </resource>
      </resources>
      [...]
    </build>
More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html
Answer 2:
This occurs because the system thinks you are trying to read a different type of keystore and not JKS. You will need to specify that the file is JKS or convert it to the other format.
I see that you have already tried converting to .p12. If you did this correctly, perhaps there is some other default format. I recommend finding out how to specify JKS instead.
Answer 3:
If you use Maven, this is probably occurring because of the Maven filtering in your whole resources folder. I've tried Zsolt Safrany's solution above and it did not work. However, reading the documentation he shared, I've found this:
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-resources-plugin</artifactId>
      <version>3.0.1</version>
      <configuration>
        <nonFilteredFileExtensions>
          <nonFilteredFileExtension>p12</nonFilteredFileExtension>
        </nonFilteredFileExtensions>
      </configuration>
    </plugin>
Which excludes binary extensions (or any extension you want) from being filtered.
Answer 4:
I had this problem and figured out the problem is the truststore.p12 is actually in JKS or corrupted.
The keytool command to test the truststore for PKCS12 compliance is:
keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
I was able to correct this by doing forced JKS to PKCS12 conversion.
With the following instruction:
keytool.exe -importkeystore -srckeystore truststore.jks -destkeystore truststore1.p12 -srcstoretype JKS -deststoretype PKCS12
Then a successful test would provide something like:
keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 3 entries
certificates-4, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): CF:E3:01:1F:A3:30:C5:B1:B9:2B:C5:28:1B:8C:66:71:EA:B8:67:0D
certificates-3, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
certificates-2, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): FA:5F:98:E8:02:2E:81:05:DB:DF:24:48:65:6A:E5:76:C1:31:CB:28
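An added example (not part of any answer on this page and not code from the java-apns project), relating to the answers that attribute the error to a JKS file being read as PKCS12: it classifies a keystore by its leading bytes and shows why a JKS file parsed as DER yields exactly lengthTag=109 (the second JKS magic byte 0xED with its high bit masked off is 0x6D). The class name, method names, default password and in-memory sample keystore are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class KeystoreSniffer {
    // Classify a keystore by its first bytes instead of trusting the file extension.
    static String sniffType(byte[] b) {
        if (b.length < 4) return "unknown";
        int magic = ((b[0] & 0xFF) << 24) | ((b[1] & 0xFF) << 16)
                  | ((b[2] & 0xFF) << 8) | (b[3] & 0xFF);
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if ((b[0] & 0xFF) == 0x30) return "PKCS12"; // DER SEQUENCE tag
        return "unknown";
    }
    // Read byte 1 the way a DER parser does: a set high bit means "long form", and the
    // low 7 bits count the length octets that follow (more than 4 is rejected).
    static String derLengthDiagnosis(byte[] b) {
        if (b.length < 2) return "too short";
        int len = b[1] & 0xFF;
        if ((len & 0x80) == 0) return "short-form length " + len;
        int tag = len & 0x7F;
        return tag > 4 ? "lengthTag=" + tag + ", too big" : "long-form length, " + tag + " octets";
    }
    // Usage: java KeystoreSniffer [keystoreFile [password]]
    public static void main(String[] args) throws Exception {
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        byte[] data;
        if (args.length > 0) {
            data = Files.readAllBytes(Paths.get(args[0]));
        } else {
            // Constructed sample: an empty JKS keystore built in memory.
            KeyStore sample = KeyStore.getInstance("JKS");
            sample.load(null, pass);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            sample.store(out, pass);
            data = out.toByteArray();
        }
        String type = sniffType(data);
        System.out.println("detected type: " + type);
        System.out.println("parsed as DER: " + derLengthDiagnosis(data));
        if (!type.equals("unknown")) {
            // Load with the detected type rather than the one the extension suggests.
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(new ByteArrayInputStream(data), pass);
            System.out.println("loaded " + ks.size() + " entries as " + type);
        }
    }
}
```

A file that reports "unknown" here is neither JKS, JCEKS nor DER-encoded, which points to corruption during packaging rather than a store-type mismatch.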
Answer 5:
In my case I found that something accidentally changed the javax.net.ssl.trustStore system property.
The SSL debug property -Djavax.net.debug=ssl:trustmanager helped me a lot with the investigation.
Answer 6:
Delete keystoreType line
I don't know WHY this works. But if I have this line in my server.xml...
keystoreType="PKCS12"
...then Tomcat will NOT start and give me the DerInputStream.getLength(): lengthTag=109, too big error instead.
But if I DELETE that line then Tomcat will start nicely. No idea why that works. Feels dirty.
Source: https://stackoverflow.com/questions/23126282/java-apns-certificate-error-with-derinputstream-getlength-lengthtag-109-too