That getSSLContext function is used by another call where I do an
outgoing SSLSocket and may want to trust all certs, certs that are
self signed, etc. That was the reason for it. (At least I think...)
I tried adding the client.key to my keystore (after deleting it
first) and did the -trustcacerts...same effect. Its as if firefox
never sends the cert...?
I suspect if I made my own SSL client and tested, this would work
fine......
As for the cert generation, I didn't want to use a different CA for
testing, but I am aware of the benefit of doing so...only add one
cert to the keystore and you are done.
I will try and play with the jUnit tests tomorrow and see what I find
there. I suspect things will work as I don't think its an issue with
the code...but something that is keeping the browser from deciding to
send a cert.
I am doing the "serverSocket.setNeedClientAuth(true);" I am not
doing "want" as I really do need it. Doing want results in
success...but no cert was sent as it wasn't required.
Thanks,
Ben
On Sep 1, 2008, at 12:13 PM, Bruno Harbulot wrote:
Hi Ben,
You could try to add "-trustcacerts" in your "keytool -import" line.
I'm not sure why you create a "trustAllCert" array of TrustManagers
that trusts anything (I'd use that for very specific cases, and
your use-case doesn't seem to be one of them). If you don't want
client authentication, you can keep the default trust manager (i.e.
use null). It's the SSLSocketFactory (obtained from the SSLContext)
that needs to be configured for wanting/needing client-side
authentication. It's not clear from what you say whether you've
used "serverSocket.setWantClientAuthentication(true)" (or the same
with "need"). You'll need one of them if you want/need the client
to send its certificate.
In terms of certificate generation, rather than using two self-
signed certificates that are effectively independent, it might be
better two create your own CA and use it to sign certificates for
your host and for your client. You can find some examples for this
in the man page for "CA.pl". This shouldn't change much for such a
short test, but it's definitely more viable if you need to have
more than one client certificate.
There are some small examples in the jUnit tests for jSSLutils [1]
if you're interested. It also comes with test certificates for
"localhost", "testclient" as well as "testclient-r" to test the CRL
configuration. (All the passwords for these test keystores, PKCS#12
or JKS, are "testtest".)
I'm attempting what should be easy client certificate
authentication. Once authenticated, via the cert, I will then
present a login page for the rest of the authentication process.
Here is a code snippet:
ServerSocketFactory ssf = getSSLContext
("mykey.jks",keystorepass,keypass,"SSLv3",
needClientAuth).getServerSocketFactory();
SSLServerSocket serverSocket = (SSLServerSocket)
ssf.createServerSocket(serverPort,serverPort);
.
.
.
public SSLContext getSSLContext(String KEYSTORE, String
keystorepass, String keypass, String secureType, boolean
needClientAuth) throws Exception
{
String className = "com.sun.net.ssl.internal.ssl.Provider";
java.security.Provider provider = (java.security.Provider)
Thread.currentThread().getContextClassLoader().loadClass
(className).newInstance(); Security.addProvider(provider);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(new FileInputStream(KEYSTORE),
keystorepass.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance
(javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keystore, keypass.toCharArray());
TrustManager[] trustAllCerts = new TrustManager[]{ new
X509TrustManager() {
public java.security.cert.X509Certificate[]
getAcceptedIssuers() {return null;}
public void checkClientTrusted
(java.security.cert.X509Certificate[] certs, String authType) {}
public void checkServerTrusted
(java.security.cert.X509Certificate[] certs, String authType) {}
}};
SSLContext sslc = SSLContext.getInstance(secureType);
if (needClientAuth) sslc.init(kmf.getKeyManagers(), null,
new java.security.SecureRandom());
else sslc.init(kmf.getKeyManagers(), trustAllCerts, new
java.security.SecureRandom());
return sslc;
}
My keys were built using these commands.
keytool -genkey -keystore mykey.jks
openssl genrsa -out client.key
openssl req -new -x509 -days 365 -key client.key -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -
out client.p12
openssl x509 -inform PEM -outform DER -in client.crt -out client.x509
keytool -import -keystore mykey.jks -file client.x509 -alias client
The client.p12 was imported into firefox, and also into my
certificates in keychain.app.
However, neither safari, nor firefox can authenticate correctly
with the cert. I always get an exception trying to trust the cert
which should be trusted as I imported it in my keystore.
FireFox:
javax.net.ssl.SSLHandshakeException: null cert chain
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90
or Safari:
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found
com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1
.
.
.
java.io.BufferedInputStream.read:277
java.io.FilterInputStream.read:90
Any ideas on what I am missing? I trust the server cert in the
browser, then the client cert presented appears to either be null,
or invalid.
Thanks,
Ben
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden
