Oracle Database Free

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

ORA-05765: failed to access certificate

TomislavAug 10 2023

Hi,
i'm using prepared Oracle VirtualBox VM with 23c Free.
I'm trying to learn about blockchain tables and now I got stuck with trying to calculate signed blockchain table digest.

As per documentation it should be done by using following code:

DECLARE
   l_signed_bytes           BLOB:=EMPTY_BLOB();
   l_signed_row_array       SYS.ORABCTAB_ROW_ARRAY_T;
   l_certificate_guid       RAW(2000) := '028EEC4E44D00A8CE063010000C7E0AF';
   l_signature              RAW(2000);
BEGIN
   l_signature := DBMS_BLOCKCHAIN_TABLE.GET_SIGNED_BLOCKCHAIN_DIGEST 
	(schema_name             => 'HROUG2023'
	,table_name              => 'TRANSACTION_LEDGER'
	,signed_bytes            => l_signed_bytes
	,signed_rows_indexes     => l_signed_row_array
	,schema_certificate_guid => l_certificate_guid
	,signature_algo          => dbms_blockchain_table.SIGN_ALGO_RSA_SHA2_512);
	
	insert into bc_signed_digests
	(creation_date
	,signed_digest
	,signed_bytes
	)
	values
	(sysdate
	,to_blob(l_signature)
	,l_signed_bytes);

   DBMS_OUTPUT.PUT_LINE('Certificate GUID = ' || l_certificate_guid);
   DBMS_OUTPUT.PUT_LINE('Signature length = ' || UTL_RAW.LENGTH(l_signature));
   DBMS_OUTPUT.PUT_LINE('Number of chains = ' || l_signed_row_array.count);
   DBMS_OUTPUT.PUT_LINE('Signature content buffer length = ' || DBMS_LOB.GETLENGTH(l_signed_bytes));
END;

But when I try to run this I get following error:

ORA-05787: blockchain table's signed digest operation failed for table HROUG2023.TRANSACTION_LEDGER ORA-05765: failed to access certificate 028EEC4E44D00A8CE063010000C7E0AF 
ORA-28759: failure to open file 
ORA-06512: at "SYS.DBMS_BLOCKCHAIN_TABLE", line 1898 
ORA-06512: at "SYS.DBMS_BLOCKCHAIN_TABLE", line 1995 
ORA-06512: at "SYS.DBMS_BLOCKCHAIN_TABLE", line 2011 
ORA-06512: at line 7 Error at Line: 7 Column: 0

Before doing that I created the certificate and added it to database:

openssl req \
-newkey rsa:2048 -nodes -sha512 \
-x509 -days 3650 \
-outform der \
-keyout /home/oracle/my_wallet/bc_signing_key.der \
-out /home/oracle/my_wallet/bc_signing_certificate.der \
-subj "/C=HR/ST=Paris/L=PSG/O=HROUG2023/OU=assec/CN=User/emailAddress=user@assec.com"

DECLARE
    file       BFILE;
    buffer     BLOB;
    amount     NUMBER := 32767;
    cert_id  RAW(16);
BEGIN
    file := BFILENAME('BC_CERT_DIR', 'bc_signing_certificate.der');
    DBMS_LOB.FILEOPEN(file);
    DBMS_LOB.READ(file, amount, 1, buffer);
    DBMS_LOB.FILECLOSE(file);
    DBMS_USER_CERTS.ADD_CERTIFICATE(buffer, cert_id); 
    DBMS_OUTPUT.PUT_LINE('Certificate ID = ' || cert_id);
END;

Considering this is pluggable database I tried setting WALLET_ROOT and keystore configuration to FILE as SYS on CDB:

ALTER SYSTEM SET WALLET_ROOT = '/opt/oracle/product/23c/dbhomeFree/admin/FREE' SCOPE=SPFILE;
ALTER SYSTEM SET TDE_CONFIGURATION="KEYSTORE_CONFIGURATION=FILE" SCOPE=BOTH SID='*';

I got my PDB GUID:

SELECT pdb_name, guid 
FROM dba_pdbs;

And I created following folder structure within WALLET_ROOT:

/opt/oracle/product/23c/dbhomeFree/admin/FREE/F87259FB7D3C3519E0530100007F5D4C/bctable

and copied there PKI and certificate

as per documentation

that states:

Usage Notes

Database computes the signature on signed_bytes using PKI private key of blockchain table owner.

The certificate of blockchain table owner must be added to database using DBMS_USER_CERTS.ADD_CERTIFICATE().

The PKI private key and certificate of blockchain table owner must exist in a wallet located under **<WALLET_ROOT>/bctable/** directory for a non-container database.

The PKI private key and certificate of blockchain table owner must exist in a wallet located under <WALLET_ROOT>/pdb_guid/bctable/ directory for a container database.

A blockchain table digest created by the GET_SIGNED_BLOCKCHAIN_DIGEST function has table information specific to a pluggable database. Such a digest can be used only in the pluggable database in which the digest was created and only for the table that was used to create the digest. For DBMS_BLOCKCHAIN_TABLE.VERIFY_TABLE_BLOCKCHAIN, these requirements mean that both blockchain table digests must have been generated in the current pluggable database for the same blockchain table.

For example, suppose you create a digest for a blockchain table in pluggable database A, use Data Pump to export the blockchain table, and use Data Pump to import the blockchain table into pluggable database B. The blockchain table digest created in pluggable database A cannot be used in pluggable database B. You need to create a new blockchain table digest in pluggable database B.

Note:

The bctable subdirectory is the name of a database component that uses wallets. It is not the name of a blockchain table.

And when I call procedure to get signed digest I get that error.

I guess that somehow I need some additional step configuring wallet for PDB to be used by that procedure.

Unfortunately package body is wrapped and I cannot see how is procedure trying to access to certificate.

Does anyone has any idea?

This post has been answered by gsalem-Oracle on Aug 11 2023

Jump to Answer

Added on Aug 10 2023

4 comments

93 views