
Handshake failure Client Key Exchange, using a certificate chain

I am trying to set up a two-way TLS connection to a web service from Java. I have been given a pfx certificate containing the private key and a certificate chain of 3 certificates. This is the Java code, using the Spring framework:

    // Imports needed by the bean below (JSSE, Spring WS). keyStore / trustStore are
    // Spring Resource fields and keyStorePassword / trustStorePassword are String
    // fields declared elsewhere in the configuration class.
    import java.io.InputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.TrustManagerFactory;
    import org.springframework.context.annotation.Bean;
    import org.springframework.oxm.jaxb.Jaxb2Marshaller;
    import org.springframework.ws.transport.http.HttpsUrlConnectionMessageSender;

    @Bean
    public Client weatherClient(Jaxb2Marshaller marshaller) throws Exception {
        Client client = new Client();
        client.setDefaultUri(".....");
        client.setMarshaller(marshaller);
        client.setUnmarshaller(marshaller);

        // Client identity: the PKCS12 holding the private key and its certificate chain.
        // try-with-resources closes the stream that was actually read; the original
        // called getInputStream() a second time and closed that new stream instead.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = keyStore.getInputStream()) {
            ks.load(in, keyStorePassword.toCharArray());
        }
        LOGGER.info("Loaded keystore: " + keyStore.getURI());

        // Default algorithm is SunX509; it selects the client alias on CertificateRequest.
        KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(ks, keyStorePassword.toCharArray());

        // Trust anchors used to verify the server's certificate chain.
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) {
            ts.load(in, trustStorePassword.toCharArray());
        }
        LOGGER.info("Loaded trustStore: " + trustStore.getURI());

        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(ts);

        // Hand both managers to the Spring WS sender so the connection uses them
        // instead of the JVM defaults (javax.net.ssl.* properties / cacerts).
        HttpsUrlConnectionMessageSender messageSender = new HttpsUrlConnectionMessageSender();
        messageSender.setKeyManagers(keyManagerFactory.getKeyManagers());
        messageSender.setTrustManagers(trustManagerFactory.getTrustManagers());
        client.setMessageSender(messageSender);
        return client;
    }

So far I get a ClientHello and a ServerHello that sends the certificates, and I get a "Found trusted certificate". Then there is a CertificateRequest, and no certificate is found:

*** CertificateRequest 
Cert Types: RSA, DSS 
Cert Authorities:
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US>
....
....
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client  authentication
*** Certificate chain
<Empty>
***

I have also added the certificates individually to lib/security/cacerts. It seems the first certificate exchange happens against the cacerts keystore, because I get the same behaviour if that is the only place the certificates are added. It looks like the request is looking for the certificate chain but cannot find it, even though I have imported it into the KeyStore object as a PKCS12 with the private key and the certificate chain. Any help would be appreciated.

UPDATE

I get a handshake failure after the ClientKeyExchange. I think this is caused by the warning above, but I may be wrong.

*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 269
SESSION KEYGEN:
PreMaster Secret:
....
....
0000: B0 E2 38 5E 40 4E 7C C5                            ..8^@N..
Server write IV:
0000: 44 40 45 E1 82 45 15 9B                            D@E..E..
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 109, 220, 225, 98, 98, 233, 48, 215, 61, 50, 58, 207 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

UPDATE

If I add the keystore as a variable, -Djavax.net.ssl.keyStore=, mutual authentication works, but if I do not add the keystore as a variable I get the following. The keystore and truststore specified in the code are found, and the debug output shows the certificate chain and the trust store:

***
found key for : devcert
chain [0] = [
[
  Version: V3 ......

***
adding as trusted cert:
  Subject: 

Then it shows an empty keystore, and the JVM cacerts is used for the trusted certificates:

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=ubuntu

Then there is a server hello, *** ServerHello, TLSv1, for which a certificate is found:

***
Found trusted certificate:

but the Certificate Request does find a matching certificate as above, unless it is added as a variable:
*** CertificateRequest 
Cert Types: RSA, DSS 
Cert Authorities:
<CN=Thawte SSL CA, O="Thawte, Inc.", C=US>
....
....
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client  authentication
*** Certificate chain
<Empty>
***

Adding the keystore as a variable, -Djavax.net.ssl.keyStore=:

*** ServerHelloDone
matching alias: devcert
*** Certificate chain
chain [0] = [
[
  Version: V3

I want to use the keystore and truststore from program code, because I want to be able to change them dynamically later.

... should have been given the private key. That is already a major security breach. The actual problem is that the certificate is not signed by one of the CAs mentioned in the CertificateRequest message, or it is not of one of the types mentioned there.
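The selection the client makes when it answers the CertificateRequest can be reproduced outside the handshake, which is the quickest way to test the answer's diagnosis against the question's keystore. The following is an added diagnostic and not code from the question or the answer: it loads the PKCS12 into a KeyManagerFactory exactly as the question's bean does, then asks the resulting X509KeyManager to choose a client alias for the certificate types and CA names that appeared in the trace (JSSE maps the wire type DSS to the key algorithm DSA, so that is the name passed). File path, password and the list of CA DNs are command-line arguments; the only DN taken from the page is `CN=Thawte SSL CA, O="Thawte, Inc.", C=US`, and the class name `ClientAliasCheck` is an arbitrary choice.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Reproduces the client-certificate selection JSSE performs on a
 * CertificateRequest, without opening a connection.
 *
 * Usage (hypothetical file name, DN from the trace):
 *   java ClientAliasCheck client.pfx secret 'CN=Thawte SSL CA, O="Thawte, Inc.", C=US'
 */
public class ClientAliasCheck {

    // Wire-level cert types from the trace ("RSA, DSS") expressed as the key
    // algorithms the KeyManager is asked for; JSSE maps DSS to DSA.
    private static final String[] KEY_TYPES = {"RSA", "DSA"};

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientAliasCheck <pkcs12-file> <password> <ca-dn> [<ca-dn> ...]");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        // Same factory the question's bean builds; the default algorithm is SunX509.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        X509KeyManager km = firstX509KeyManager(kmf.getKeyManagers());

        // The CA names the server sent in its CertificateRequest.
        Principal[] issuers = new Principal[args.length - 2];
        for (int i = 2; i < args.length; i++) {
            issuers[i - 2] = new X500Principal(args[i]);
        }

        // Print what the keystore actually contains so a mismatch is visible.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;
            }
            X509Certificate[] chain = km.getCertificateChain(alias);
            System.out.println("key entry " + alias + " (" + chain[0].getPublicKey().getAlgorithm() + ")");
            for (X509Certificate c : chain) {
                System.out.println("  subject: " + c.getSubjectX500Principal());
                System.out.println("  issuer:  " + c.getIssuerX500Principal());
            }
        }

        // SunX509 returns an alias only when the key algorithm is one of the requested
        // types and some certificate in the chain is issued by one of the requested CAs.
        String chosen = km.chooseClientAlias(KEY_TYPES, issuers, null);
        if (chosen == null) {
            System.out.println("no suitable certificate found (same outcome as the handshake warning)");
        } else {
            System.out.println("matching alias: " + chosen);
        }
    }

    private static X509KeyManager firstX509KeyManager(KeyManager[] managers) {
        for (KeyManager m : managers) {
            if (m instanceof X509KeyManager) {
                return (X509KeyManager) m;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }
}
```

Quote each DN as a single shell argument, since the value `O="Thawte, Inc."` contains both a comma and quotes. If the output shows no suitable certificate, compare the printed issuer lines with the CA names you passed: the chain must contain a certificate whose issuer equals one of them, and the leaf key must be RSA or DSA, which is the condition the answer describes. If a matching alias is printed for the DNs from the trace but the real handshake still sends an empty chain, the key managers built in the bean are not the ones the connection is using, and the place to look is how the message sender is wired rather than the certificate itself.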


Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

 