Java APNS Certificate Error with “DerInputStream.getLength(): lengthTag=109, too big.”

Question

When I try to using java APNS to send the push notification to iOS, I got this error message:

com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I already try converting the certificate to Personal Information Exchange (.p12) also getting the same error. Anyone know to problem and how to resolve it?

Here are my java code:

ApnsService service =
    APNS.newService()
   .withCert("src/net/notification/ck.jks", "******")
   .withSandboxDestination()
   .build();

String payload = APNS.newPayload().alertBody(record.getSendMsg()).build();
String token = record.getToken();
service.push(token, payload);

Thanks.

Answer 1

I had the same problem but my solution will help you only if you are using maven.

Maven resource filtering (that let's you include variables in your resource files) can mess up your binaries - and certificates are especially sensitive to modification.

In general, binary content shouldn't be filtered. But I couldn't just simply disable resource filtering because I have some .properties files that include variables. So the solution was to exclude .p12 files from filtering.

<build>
    [...]
    <resources>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>true</filtering>
            <excludes>
                <exclude>**/*.p12</exclude>
            </excludes>
        </resource>
        <resource>
            <directory>src/main/resources</directory>
            <filtering>false</filtering>
            <includes>
                <include>**/*.p12</include>
            </includes>
        </resource>
    </resources>
    [...]
</build>

More about maven resource filtering: http://maven.apache.org/plugins/maven-resources-plugin/examples/filter.html

Answer 2

This occurs because the system thinks you are trying to read a different type of keystore and not JKS. You will need to specify that the file is JKS or convert it to the other format.

I see that you have already tried converting to .p12. If you did this correctly, perhaps there is some other default format. I recommend finding out how to specify JKS instead.

Answer 3

If you use maven, this is probably occurring because of the Maven filtering in your whole resources folder. I've tried Zsolt Safrany solution above and did not work. However, reading the documentation he shared, I've found this:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-resources-plugin</artifactId>
  <version>3.0.1</version>
  <configuration>
    <nonFilteredFileExtensions>
      <nonFilteredFileExtension>p12</nonFilteredFileExtension>
    </nonFilteredFileExtensions>
  </configuration>
</plugin>

Which excludes binary extensions (or any extension you want) from being filtered.

Answer 4

I had this problem and figured out the problem is the truststore.p12 is actually in JKS or corrupted.

The keytool command to test the truststore for PKCS12 compliance is:

keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12
keytool error: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

I was able to correct this by doing forced JKS to PKCS12 conversion.

With the following instruction:

 keytool.exe -importkeystore -srckeystore truststore.jks  -destkeystore truststore1.p12 -srcstoretype JKS -deststoretype PKCS12

Than successful test would provide something like:

keytool.exe -keystore truststore.p12 -storepass passwordText -list -storetype pkcs12


Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 3 entries

certificates-4, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): CF:E3:01:1F:A3:30:C5:B1:B9:2B:C5:28:1B:8C:66:71:EA:B8:67:0D
certificates-3, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 62:52:DC:40:F7:11:43:A2:2F:DE:9E:F7:34:8E:06:42:51:B1:81:18
certificates-2, 9 Jul, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): FA:5F:98:E8:02:2E:81:05:DB:DF:24:48:65:6A:E5:76:C1:31:CB:28

Answer 5

In my case I found that something accidentally changed javax.net.ssl.trustStore system property. SSL debug property -Djavax.net.debug=ssl:trustmanager helped me a lot with investigation.

Answer 6

Delete keystoreType line

I don't know WHY this works. But if I have this line in myserver.xml`..

keystoreType="PKCS12"

...then Tomcat will NOT start and give me the DerInputStream.getLength(): lengthTag=109, too big error instead.

But if I DELETE that line then Tomcat will start nicely. No idea why that works. Feels dirty.