
Keytool, openssl, SSLServerSocket, Client Certificate Authentication



I'm attempting what should be easy client certificate authentication. Once authenticated, via the cert, I will then present a login page for the rest of the authentication process.

Here is a code snippet:

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ServerSocketFactory;
import javax.net.ssl.*;

ServerSocketFactory ssf = getSSLContext("mykey.jks", keystorepass, keypass, "SSLv3", needClientAuth).getServerSocketFactory();
// second argument of createServerSocket is the accept backlog; the port number is reused for it here
SSLServerSocket serverSocket = (SSLServerSocket) ssf.createServerSocket(serverPort, serverPort);
...

public SSLContext getSSLContext(String KEYSTORE, String keystorepass, String keypass, String secureType, boolean needClientAuth) throws Exception
{
    // register the SunJSSE provider by reflection
    String className = "com.sun.net.ssl.internal.ssl.Provider";
    java.security.Provider provider = (java.security.Provider) Thread.currentThread().getContextClassLoader().loadClass(className).newInstance();
    Security.addProvider(provider);

    // the server key and the imported client cert both live in this JKS file
    KeyStore keystore = KeyStore.getInstance("JKS");
    keystore.load(new FileInputStream(KEYSTORE), keystorepass.toCharArray());

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(keystore, keypass.toCharArray());

    // trust manager that accepts every certificate without checking it
    TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
    }};

    SSLContext sslc = SSLContext.getInstance(secureType);
    // null trust managers means the JVM default truststore (cacerts), not the keystore loaded above;
    // needClientAuth is only used to pick the trust managers and is never set on the server socket
    if (needClientAuth) sslc.init(kmf.getKeyManagers(), null, new java.security.SecureRandom());
    else sslc.init(kmf.getKeyManagers(), trustAllCerts, new java.security.SecureRandom());
    return sslc;
}


My keys were built using these commands.

keytool -genkey -keystore mykey.jks

openssl genrsa -out client.key

openssl req -new -x509 -days 365 -key client.key -out client.crt

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

openssl x509 -inform PEM -outform DER -in client.crt -out client.x509

keytool -import -keystore mykey.jks -file client.x509 -alias client


The client.p12 was imported into Firefox, and also into my certificates in Keychain.app.


However, neither Safari nor Firefox can authenticate correctly with the cert. I always get an exception trying to trust the cert, which should be trusted since I imported it into my keystore.

Firefox:
javax.net.ssl.SSLHandshakeException: null cert chain
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
...
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90


or Safari:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
...
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90




Any ideas on what I am missing? I trust the server cert in the browser, but the client cert presented then appears to be either null or invalid.

Thanks,
Ben
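For comparison, an added server-side example (mine, not Ben's code) that builds the trust managers from the same mykey.jks the client certificate was imported into, enables client authentication on the server socket itself, and reads the authenticated subject after the handshake. The keystore name, passwords and port are assumptions, and it uses the "TLS" context rather than "SSLv3".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ClientAuthServer {

    // Trust decisions come from the same JKS that holds the server key, so a
    // client cert added with "keytool -import" is actually a trust anchor here.
    static SSLContext buildContext(String jksPath, char[] storePass, char[] keyPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, storePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        // Passing null instead of tmf.getTrustManagers() would fall back to cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // assumed keystore path, passwords and port
        SSLContext ctx = buildContext("mykey.jks", "changeit".toCharArray(), "changeit".toCharArray());
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        // Without this the server never asks for a client certificate, so the peer chain stays empty.
        server.setNeedClientAuth(true);
        while (true) {
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();
                // Only reached when the client cert validated against the keystore above.
                Certificate[] chain = client.getSession().getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("client authenticated as " + leaf.getSubjectX500Principal());
                // hand off to the login page here
            } catch (SSLException e) {
                // untrusted, missing or malformed client certificate
                System.err.println("rejected client: " + e.getMessage());
            }
        }
    }
}
```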
Java-dev mailing list