Java SSL handshake_failure if app built with jpackage
Question
I am using jpackage to distribute a java app on Mac and PC and I have a handshake_failure when it tries to load an image using https from certain sites. The code works fine if I run it from Eclipse or from the command line, both on Mac and PC, but not if run it as a packaged app. The problem goes away if I load an image from certain sites: https://st4.depositphotos.com , for example. This makes me think that the “problem sites” are not in the chain of trust.
But why should the chain of trust be different when running as a packaged app?
The same behaviour is seen using java 14.0.2 and 15. The following example uses OpenJDK Runtime Environment (build 15+36-1562).
Note that jpackage integrates a runtime into the app. This is a non-modular app (I show the jpackage options used below).
Debugging on the Mac and using the -Djavax.net.debug=all option, I looked for the trustStore being used by the packaged app. The printed path was invalid as it started with /Applications, rather than /Volumes, but apart from that it was ok. Maybe this was just a printing problem? Either way, I used -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts to force the packaged app to use the same trustStore as the JDK and this didn't improve matters.
Do you think that my code is buggy or is there a problem in jpackage? Many thanks for any help!
Here is the packaging command:
--verbose \
--type pkg \
--input HelloTest \
--name HelloTest \
--main-class HelloTest.HelloTest \
--main-jar HelloTest.jar \
--runtime-image target/java-runtime \
--java-options -Djavax.net.ssl.trustStore=/Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts \
--java-options -Djavax.net.debug=all \
--vendor "ACME Inc." \
--copyright "Copyright © 2019-20 ACME Inc." \
--mac-package-identifier com.acme.app \
--mac-package-name ACME
Here is the code:
public class HelloTest{
public static void main(String... args) throws IOException {
System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
JFrame f = new JFrame(); //creates jframe f
Dimension screenSize = Toolkit.getDefaultToolkit().getScreenSize(); //this is your screen size
int halfWidth = screenSize.width/2;
int halfHeight = screenSize.height/2;
ImageIcon img = new ImageIcon();
//OK: ... https://st4.depositphotos.com seems to be well trusted
// String urlName = "https://st4.depositphotos.com/36188500/38581/i/1600/depositphotos_385811360-stock-photo-woman-lingerie-dog-rose.jpg";
//KO: ... https://en.iconda.solutions is only trusted when code is run from Eclipse or the command line
String urlName = "https://en.iconda.solutions/wp-content/uploads/2020/07/getting_equipped.png";
JLabel lbl = new JLabel();
URL url;
try {
url = new URL(urlName);
HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();
try {
/* The following works from Eclipse and from the command line, but not from an app with an integrated runtime
* that was produced using jpackage ... */
try {
img = new ImageIcon(ImageIO.read(httpsConnection.getInputStream())
.getScaledInstance(screenSize.width, screenSize.height, Image.SCALE_SMOOTH));
} catch(Exception e) {
System.out.println("went wrong #1 for " + urlName);
e.printStackTrace();
}
} catch(Exception e) {
System.out.println("went wrong #2 for " + urlName);
e.printStackTrace();
}
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
lbl.setIcon(img);
f.getContentPane().add(lbl); //puts label inside the jframe
f.setSize(halfWidth, halfHeight); // set frame size to half of screen ... but need to resize the image
int x = (screenSize.width - f.getSize().width)/2; //These two lines are the dimensions
int y = (screenSize.height - f.getSize().height)/2;//of the center of the screen
f.setLocation(x, y); //sets the location of the jframe
f.setVisible(true); //makes the jframe visible
}
}
And here are a few lines from the debug output:
$ /Applications/HelloTest.app/Contents/MacOS/HelloTest ; exit;
javax.net.ssl.trustStore = /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:05.852 CEST|null:-1|System property jdk.tls.client.cipherSuites is set to 'null'
…
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.130 CEST|null:-1|trustStore is: /Library/Java/JavaVirtualMachines/jdk-15.jdk/Contents/Home/lib/security/cacerts
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Wed Aug 12 02:19:32 CEST 2020
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.131 CEST|null:-1|Reload the trust store
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.283 CEST|null:-1|Reload trust certs
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.286 CEST|null:-1|Reloaded 91 trust certs
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.430 CEST|null:-1|adding as trusted certificates (
"certificate" : {
"version" : "v3",
"serial number" : "00 A6 8B 79 29 00 00 00 00 50 D0 91 F9",
"signature algorithm": "SHA384withECDSA",
"issuer" : "CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US",
…
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore is :
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore type is : pkcs12
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.445 CEST|null:-1|keyStore provider is :
javax.net.ssl|ALL|01|main|2020-09-17 07:27:06.445 CEST|null:-1|init keystore
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.446 CEST|null:-1|init keymanager of type SunX509
javax.net.ssl|ALL|01|main|2020-09-17 07:27:06.447 CEST|null:-1|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2020-09-17 07:27:06.449 CEST|null:-1|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2020-09-17 07:27:06.476 CEST|null:-1|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.478 CEST|null:-1|Signature algorithm, ed25519, not supported by JSSE
javax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.479 CEST|null:-1|Signature algorithm, ed448, not supported by JSSE
javax.net.ssl|WARNING|01|main|2020-09-17 07:27:06.480 CEST|null:-1|No AlgorithmParameters for x25519 (
"throwable" : {
java.security.NoSuchAlgorithmException: Algorithm x25519 not available
at java.base/javax.crypto.KeyAgreement.getInstance(Unknown Source)
at java.base/sun.security.ssl.NamedGroup.<init>(Unknown Source)
…
javax.net.ssl|ERROR|01|main|2020-09-17 07:27:09.230 CEST|null:-1|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
Following the helpful comments on my question, here is an example packaging script that solves the issue:
detected_modules=`jdeps \
-q \
--ignore-missing-deps \
--print-module-deps \
--class-path "MyApp.jar:../sandbox/jars/*" \
-recursive MyApp.jar \
MyApp/MyApp.class`
echo "detected modules: ${detected_modules}"
manual_modules=jdk.crypto.cryptoki
echo "manual modules: ${manual_modules}"
rm -rf ../runtime
jlink \
--no-header-files \
--no-man-pages \
--compress=2 \
--strip-debug \
--add-modules "${detected_modules},${manual_modules}" \
--output ../runtime
jpackage \
--verbose \
--type pkg \
--input ../sandbox \
--dest ../output \
--name MyApp \
--app-version $1 \
--main-class MyApp.MyApp \
--main-jar MyApp.jar \
--runtime-image ../runtime \
--mac-package-name MyApp
1 answers
solution1
2 2020-09-17 10:15:51
Found this on the Interwebs. Same no such algorithm error from the looks of it.
java.security.NoSuchAlgorithmException: Algorithm x25519 not available
The solution from the link:
Need to add jdk.crypto.cryptoki to the --add-modules list in jlink.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.