簡體   English   中英

Java:具有自簽名證書的SSL客戶端身份驗證

[英]Java: SSL Clientside Authentication with self-signed certificates

我正在嘗試從通過Internet通信的Java客戶端/服務器應用程序保護連接。 我的想法是使用帶有自簽名證書和客戶端身份驗證的SSL套接字。 我做了以下事情:

  • 服務器:包含新自簽名證書的密鑰庫。 keytool -genkey -kelalg RSA ...
  • 客戶端:包含新自簽名證書的密鑰庫。 keytool -genkey -kelalg RSA ...
  • 服務器:包含導出的客戶端證書的Truststore(來自上面的項目符號)。 keytool -export導出客戶端證書和keytool -import -v -trustcacerts將其導入服務器的信任庫
  • 客戶端:包含導出的服務器證書的Truststore(來自第一個項目符號點)。 keytool -export導出服務器證書和keytool -import -v -trustcacerts將其導入客戶端的信任庫

信任和密鑰庫正確連接到服務器/客戶端。 我可以看到正在加載的證書(SSL調試信息)。 但整件事情都行不通。 在SSL握手期間,我收到以下錯誤(SSL調試信息):

main, WRITE: TLSv1 Handshake, length = 897
main, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
main, SEND TLSv1 ALERT:  fatal, description = bad_certificate
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at sslsocket.Server.getClientDistinguishedName(Server.java:86)
    at sslsocket.Server.main(Server.java:37)

當我禁用客戶端身份驗證時,它可以正常運行。

我真的很感激一些幫助。 非常感謝你!

您可以在下面找到服務器的完整但匿名的輸出:

Initializing SSL
***
found key for : server
chain [0] = [
[
  Version: V3
  Subject: CN=xxxxxx Server, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 9487726xxxxxx15617628447913191
  public exponent: 65537
  Validity: [From: Thu Dec 09 17:04:05 CET 2010,
               To: Wed Jul 03 18:04:05 CEST 2109]
  Issuer: CN=xxxxxx Server, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  SerialNumber: [    4dxxxxxx5]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 6F 06 1D EA E9 DC 5B 5D   EC EB 33 D4 47 01 94 1A  o.....[]..3.G...
xxxxxx
0070: 99 78 C4 31 5F 84 8F 7B   C1 2F 10 A1 9F 50 72 A1  .x.1_..../...Pr.

]
***
adding as trusted cert:
  Subject: CN=xxxxxx Client, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  Issuer:  CN=xxxxxx Client, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  Algorithm: RSA; Serial number: 0x4xxxxxx0
  Valid from Thu Dec 09 17:06:56 CET 2010 until Wed Jul 03 18:06:56 CEST 2109

trigger seeding of SecureRandom
done seeding SecureRandom
Opening socket
Waiting for clients...
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
matching alias: server
main, called closeSocket()
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[read] MD5 and SHA1 hashes:  len = 3
0000: 01 03 01                                           ...
[read] MD5 and SHA1 hashes:  len = 98
0000: 00 3C 00 00 00 20 00 00   04 01 00 80 00 00 05 00  .<... ..........
xxxxxx
0060: 26 51                                              &Q
main, READ:  SSL v2, contentType = Handshake, translated length = 75
*** ClientHello, TLSv1
RandomCookie:  GMT: 1292088238 bytes = { 223,xxxxxx, 81 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie:  GMT: 1292088238 bytes = { 222,xxxxxx, 241 }
Session ID:  {77,xxxxxx, 235}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=xxxxxx Server, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 1024 bits
  modulus: 948772xxxxxx17628447913191
  public exponent: 65537
  Validity: [From: Thu Dec 09 17:04:05 CET 2010,
               To: Wed Jul 03 18:04:05 CEST 2109]
  Issuer: CN=xxxxxx Server, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH
  SerialNumber: [    4d00fdf5]

]
  Algorithm: [SHA1withRSA]
  Signature:
0000: 6F 06 1D EA E9 DC 5B 5D   EC EB 33 D4 47 01 94 1A  o.....[]..3.G...
xxxxxx
0070: 99 78 C4 31 5F 84 8F 7B   C1 2F 10 A1 9F 50 72 A1  .x.1_..../...Pr.

]
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=xxxxxx Client, OU=communication, O=xxxxxx, L=Zuerich, ST=ZH, C=CH>
*** ServerHelloDone
[write] MD5 and SHA1 hashes:  len = 897
0000: 02 00 00 4D 03 01 4D 04   B4 AE DE E4 AF 62 FA 48  ...M..M......b.H
0xxxxxx
0380: 00                                                 .
main, WRITE: TLSv1 Handshake, length = 897
main, READ: TLSv1 Handshake, length = 141
*** Certificate chain
***
main, SEND TLSv1 ALERT:  fatal, description = bad_certificate
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
main, IOException in getSession():  javax.net.ssl.SSLHandshakeException: null cert chain
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)
    at sslsocket.Server.getClientDistinguishedName(Server.java:86)
    at sslsocket.Server.main(Server.java:37)

第一個SSL跟蹤似乎是第二個跟蹤的一部分,顯示在服務器上。 請確認。

第二條跟蹤顯示服務器要求簽署由'CN = xxxxxx客戶端,OU =通信,O = xxxxxx,L = Zuerich,ST = ZH,C = CH'簽署的RSA或DSS證書,並且客戶端通過發送空證書鏈。 這只能意味着客戶端的密鑰庫中沒有這樣的證書,或者客戶端沒有使用正確的密鑰庫。

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM