Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication

Hi Ben,


You could try to add "-trustcacerts" in your "keytool -import" line.

I'm not sure why you create a "trustAllCert" array of TrustManagers that trusts anything (I'd use that for very specific cases, and your use-case doesn't seem to be one of them). If you don't want client authentication, you can keep the default trust manager (i.e. use null). It's the SSLSocketFactory (obtained from the SSLContext) that needs to be configured for wanting/needing client-side authentication. It's not clear from what you say whether you've used "serverSocket.setWantClientAuthentication(true)" (or the same with "need"). You'll need one of them if you want/need the client to send its certificate.

In terms of certificate generation, rather than using two self-signed certificates that are effectively independent, it might be better two create your own CA and use it to sign certificates for your host and for your client. You can find some examples for this in the man page for "CA.pl". This shouldn't change much for such a short test, but it's definitely more viable if you need to have more than one client certificate.

There are some small examples in the jUnit tests for jSSLutils [1] if you're interested. It also comes with test certificates for "localhost", "testclient" as well as "testclient-r" to test the CRL configuration. (All the passwords for these test keystores, PKCS#12 or JKS, are "testtest".)


Best wishes,

Bruno.


[1] http://www.jsslutils.org/


Ben Spink wrote:
I'm attempting what should be easy client certificate authentication. Once authenticated, via the cert, I will then present a login page for the rest of the authentication process.

Here is a code snippet:

ServerSocketFactory ssf = getSSLContext("mykey.jks",keystorepass,keypass,"SSLv3", needClientAuth).getServerSocketFactory();
SSLServerSocket serverSocket = (SSLServerSocket) ssf.createServerSocket(serverPort,serverPort);
.
.
.

public SSLContext getSSLContext(String KEYSTORE, String keystorepass, String keypass, String secureType, boolean needClientAuth) throws Exception
{
String className = "com.sun.net.ssl.internal.ssl.Provider";
java.security.Provider provider = (java.security.Provider) Thread.currentThread().getContextClassLoader().loadClass(className).newInstance(); 

        Security.addProvider(provider);

KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(KEYSTORE), keystorepass.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()); 

        kmf.init(keystore, keypass.toCharArray());

TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {return null;}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {}
}};

SSLContext sslc = SSLContext.getInstance(secureType);
if (needClientAuth) sslc.init(kmf.getKeyManagers(), null, new java.security.SecureRandom());
else sslc.init(kmf.getKeyManagers(), trustAllCerts, new java.security.SecureRandom());
return sslc;
}

My keys were built using these commands.

keytool -genkey -keystore mykey.jks

openssl genrsa -out client.key

openssl req -new -x509 -days 365 -key client.key -out client.crt

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

openssl x509 -inform PEM -outform DER -in client.crt -out client.x509

keytool -import -keystore mykey.jks -file client.x509 -alias client


The client.p12 was imported into firefox, and also into my certificates in keychain.app.

However, neither safari, nor firefox can authenticate correctly with the cert. I always get an exception trying to trust the cert which should be trusted as I imported it in my keystore.

FireFox:
javax.net.ssl.SSLHandshakeException: null cert chain
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90


or Safari:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90



Any ideas on what I am missing? I trust the server cert in the browser, then the client cert presented appears to either be null, or invalid.

Thanks,
Ben

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden
References: 
 >Keytool, openssl, SSLServerSocket, Client Certificate Authentication (From: Ben Spink <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.