[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication

Subject: Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication
From: Bruno Harbulot <email@hidden>
Date: Tue, 02 Sep 2008 09:41:36 +0100
Delivered-to: email@hidden
Delivered-to: email@hidden
User-agent: Thunderbird 2.0.0.16 (Macintosh/20080707)

Hi Ben,

What you've also done in your code, is that, when "needClientAuth" is true, you're using a null array of TrustManagers, that is, you're using the default trust material, so it will ask for client certificates issues by CAs in the default bundle. Whether-or-not you need or want client authentication should not be in your SSLContext builder. (I also suspect there might be a problem with "getAcceptedIssuers()" returning null in your example, but I haven't tried, so I'm not sure to be honest.)

If you want to use jSSLutils, I've implemented some wrappers that will let your server trust any client certificate:

X509SSLContextFactory sslContextFactory = new X509SSLContextFactory( ... keyStore ..., ... key password (char[] or String) ..., ... trustStore ...); sslContextFactory.setTrustManagerWrapper(new TrustAllClientsWrappingTrustManager.Wrapper()); SSLContext sslContext = sslContextFactory.buildSSLContext()); ... serverSocket.setNeedClientAuthentication(true); ...

(There's a slightly more complex example in org.jsslutils.sslcontext.test.TrustAllClientsServerTest) This should make your server accept any client certificate. Try it with Firefox first, since Safari is a bit capricious as to when it decides to present client certificates (although it might not be a problem if you use "need" rather than "want").

Trusting any client certificate (including self-signed) can have its applications, although quite limited. However, you mention that you're also using this to trust any server certificate when your application is the client that makes outgoing connections. This sounds actually like a rather bad idea, as this will make the connection prone to man-in-the-middle attacks (like anonymous cipher suites), which defeats the purpose of using SSL, unless perhaps you check the certificate "manually" before doing anything with the connection, but this seems a bit awkward and risky.


Best wishes,

Bruno.

Ben Spink wrote:

That getSSLContext function is used by another call where I do an outgoing SSLSocket and may want to trust all certs, certs that are self signed, etc. That was the reason for it. (At least I think...)

I tried adding the client.key to my keystore (after deleting it first) and did the -trustcacerts...same effect. Its as if firefox never sends the cert...?

I suspect if I made my own SSL client and tested, this would work fine......

As for the cert generation, I didn't want to use a different CA for testing, but I am aware of the benefit of doing so...only add one cert to the keystore and you are done.

I will try and play with the jUnit tests tomorrow and see what I find there. I suspect things will work as I don't think its an issue with the code...but something that is keeping the browser from deciding to send a cert.

I am doing the "serverSocket.setNeedClientAuth(true);" I am not doing "want" as I really do need it. Doing want results in success...but no cert was sent as it wasn't required.
Thanks,
Ben
On Sep 1, 2008, at 12:13 PM, Bruno Harbulot wrote:

There are some small examples in the jUnit tests for jSSLutils [1] if you're interested. It also comes with test certificates for "localhost", "testclient" as well as "testclient-r" to test the CRL configuration. (All the passwords for these test keystores, PKCS#12 or JKS, are "testtest".)
Best wishes,
Bruno.
[1] http://www.jsslutils.org/
Ben Spink wrote:
I'm attempting what should be easy client certificate authentication. Once authenticated, via the cert, I will then present a login page for the rest of the authentication process. Here is a code snippet: ServerSocketFactory ssf = getSSLContext("mykey.jks",keystorepass,keypass,"SSLv3", needClientAuth).getServerSocketFactory(); SSLServerSocket serverSocket = (SSLServerSocket) ssf.createServerSocket(serverPort,serverPort); . . . public SSLContext getSSLContext(String KEYSTORE, String keystorepass, String keypass, String secureType, boolean needClientAuth) throws Exception { String className = "com.sun.net.ssl.internal.ssl.Provider"; java.security.Provider provider = (java.security.Provider) Thread.currentThread().getContextClassLoader().loadClass(className).newInstance(); Security.addProvider(provider); KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream(KEYSTORE), keystorepass.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()); kmf.init(keystore, keypass.toCharArray()); TrustManager[] trustAllCerts = new TrustManager[]{ new X509TrustManager() { public java.security.cert.X509Certificate[] getAcceptedIssuers() {return null;} public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {} public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {} }}; SSLContext sslc = SSLContext.getInstance(secureType); if (needClientAuth) sslc.init(kmf.getKeyManagers(), null, new java.security.SecureRandom()); else sslc.init(kmf.getKeyManagers(), trustAllCerts, new java.security.SecureRandom()); return sslc; } My keys were built using these commands. keytool -genkey -keystore mykey.jks openssl genrsa -out client.key openssl req -new -x509 -days 365 -key client.key -out client.crt openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 openssl x509 -inform PEM -outform DER -in client.crt -out client.x509 keytool -import -keystore mykey.jks -file client.x509 -alias client The client.p12 was imported into firefox, and also into my certificates in keychain.app. However, neither safari, nor firefox can authenticate correctly with the cert. I always get an exception trying to trust the cert which should be trusted as I imported it in my keystore. FireFox: javax.net.ssl.SSLHandshakeException: null cert chain com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1 . . . java.io.BufferedInputStream.read:277 java.io.FilterInputStream.read:90 or Safari: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a:-1 . . . java.io.BufferedInputStream.read:277 java.io.FilterInputStream.read:90 Any ideas on what I am missing? I trust the server cert in the browser, then the client cert presented appears to either be null, or invalid. Thanks, Ben

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden

Follow-Ups:
- Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication
  - From: "Ben Spink" <email@hidden>

References:
	>Keytool, openssl, SSLServerSocket, Client Certificate Authentication (From: Ben Spink <email@hidden>)
	>Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication (From: Bruno Harbulot <email@hidden>)
	>Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication (From: Ben Spink <email@hidden>)

Prev by Date: Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication
Next by Date: RE: JarBundler / Ant - output unknown....
Previous by thread: Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication
Next by thread: Re: Keytool, openssl, SSLServerSocket, Client Certificate Authentication
Index(es):
- Date
- Thread

Home