握手失败客户端密钥交换,使用证书链
[英]Handshake failure Client Key Exchange, using a certificate chain
问题描述
I am try to establish a 2 way TSL connection to a web service using Java, I have been given a pfx certificate with a private key and a certificate chain of 3 certificates. 
我尝试使用Java建立到Web服务的双向TSL连接,我已经获得了带有私钥和3个证书的证书链的pfx证书。 Here is the java code using spring framework: 这是使用spring框架的java代码:
@Bean
public Client weatherClient(Jaxb2Marshaller marshaller) throws Exception {
Client client = new Client();
client.setDefaultUri(".....");
client.setMarshaller(marshaller);
client.setUnmarshaller(marshaller);
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(keyStore.getInputStream(), keyStorePassword.toCharArray());
LOGGER.info("Loaded keystore: " + keyStore.getURI().toString());
System.out.println("Loaded keystore: " + keyStore.getURI().toString());
keyStore.getInputStream().close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());//KeyManagerFactory.getDefaultAlgorithm()
keyManagerFactory.init(ks, keyStorePassword.toCharArray());
KeyStore ts = KeyStore.getInstance("PKCS12");
ts.load(trustStore.getInputStream(), trustStorePassword.toCharArray());//
LOGGER.info("Loaded trustStore: " + trustStore.getURI().toString());
System.out.println("Loaded trustStore: " + trustStore.getURI().toString());
trustStore.getInputStream().close();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(ts);
HttpsUrlConnectionMessageSender messageSender = new HttpsUrlConnectionMessageSender();
messageSender.setKeyManagers(keyManagerFactory.getKeyManagers());
messageSender.setTrustManagers(trustManagerFactory.getTrustManagers());
client.setMessageSender(messageSender);
return client;
}
So far I get a ClientHello and and a ServerHello which sends a certificate, and I get a Found trusted certificate. 到目前为止,我得到了一个ClientHello和一个发送证书的ServerHello,我得到了一个Found的可信证书。 Then there is a certificate request which doesn't find any certificates 然后有一个证书请求,找不到任何证书
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US>
....
....
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
I have added the certificates individually into the lib/security/cacerts. 我已将证书单独添加到lib / security / cacerts中。 It seems that the first certificate exchange happens from cacerts keystore, as I get the same behaviour if that is the only place that the certificate is added. 似乎第一次证书交换发生在cacerts密钥库中,因为如果这是唯一添加证书的地方,我会得到相同的行为。 It seems that the request is looking for the certificate chain but is unable to find it, even though I have imported into the KeyStore object as a pkcs12 with a private key and a certificate chain. 看起来请求正在寻找证书链但无法找到它,即使我已经作为带有私钥和证书链的pkcs12导入到KeyStore对象中。 Any help would be appreciated 任何帮助,将不胜感激
UPDATE UPDATE
I am getting a handshake failure after ClientKeyExchange I presumed it was due to the above warning but I might be wrong about that. 我在ClientKeyExchange之后得到握手失败我认为这是由于上述警告,但我可能错了。
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 269
SESSION KEYGEN:
PreMaster Secret:
....
....
0000: B0 E2 38 5E 40 4E 7C C5 ..8^@N..
Server write IV:
0000: 44 40 45 E1 82 45 15 9B D@E..E..
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 109, 220, 225, 98, 98, 233, 48, 215, 61, 50, 58, 207 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
UPDATE UPDATE
The mutual authentication works if I add the keystore as a variable -Djavax.net.ssl.keyStore= but with out adding the key store as a variable I get the following. 如果我将密钥库添加为变量-Djavax.net.ssl.keyStore=但是如果不将密钥库添加为变量,则相互身份验证有效,我得到以下内容。 The key store and trust store specified in the code are found and the certificate chain and trust store are shown in the debug 找到代码中指定的密钥库和信任库,并在调试中显示证书链和信任库
***
found key for : devcert
chain [0] = [
[
Version: V3 ......
***
adding as trusted cert:
Subject:
Then an empty keystore is shown and JVM cacerts are used as trusted certificates. 然后显示空密钥库,JVM cacerts用作可信证书。
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=ubuntu
Then there is a server hello *** ServerHello, TLSv1 which for which a certificate is found 然后有一个服务器hello *** ServerHello,TLSv1,为其找到证书
***
Found trusted certificate:
but the Certificate Request does find a matching certificate as above, unless it is added as a variable
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US>
....
....
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
Behaviour with the keystore added as a varible -Djavax.net.ssl.keyStore= 将密钥库添加为变量-Djavax.net.ssl.keyStore=
*** ServerHelloDone
matching alias: devcert
*** Certificate chain
chain [0] = [
[
Version: V3
I am wanting to use the keystore and truststore from the program code, as want to be able to look at dynamically changing it later 我想从程序代码中使用密钥库和信任库,因为希望能够在以后动态地更改它
1 个解决方案
解决方案1
1 2016-12-07 10:03:12
You should not have been given a private key. 你不应该被赋予了私钥。 This is already a major security breach. 这已经是一个重大的安全漏洞。 The actual problem is that the certficate is either not signed by the CAs mentioned in the CertificateRequest message or that it isn't of a type mentioned in it. 实际问题是CertificateRequest未由CertificateRequest消息中提到的CA签名,或者它不是其中提到的类型。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.