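java.security.cert.CertPathValidatorException: signature check failed, client

Time: 2017-11-20 19:59:14

Tags: java ssl certificate keystore truststore

I am trying to connect my Java Message Service (JMS) Apache Qpid 0.11.1 client to a broker (QPID JMS Broker 6.1.4) using SSL. I get a "signature check failed" error.

The keystores/truststores/certificates have been created in both directions and uploaded to the client/server: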

    # CREATE KEYSTORE in current directory for client
    keytool -genkey -keyalg RSA -keysize 2048 -validity 365 -sigalg SHA256withRSA -alias mdbbu -keystore MDBBU.jks -storepass MDBBUPWD -keypass MDBBUPWD -dname CN=MDBBU

    # EXPORT CERTIFICATE FOR UPLOAD
    keytool -export -rfc -alias mdbbu -file MDBBU.cer -keystore MDBBU.jks

    # CREATE KEYSTORE in current directory for Server
    keytool -genkey -keyalg RSA -keysize 2048 -validity 365 -sigalg SHA256withRSA -alias qpid -keystore QPID.jks -storepass QPIDPWD -keypass QPIDPWD -dname CN=QPID

    # EXPORT CERTIFICATE FOR UPLOAD
    keytool -export -rfc -alias qpid -file QPID.cer -keystore QPID.jks

    # CREATE TRUSTSTORE FOR CLIENT
    keytool -import -file QPID.cer -alias qpid -keystore MDBBUTRUSTSTORE

    # CREATE TRUSTSTORE FOR SERVER
    keytool -import -file MDBBU.cer -alias mdbbu -keystore QPIDTRUSTSTORE

    # ADD QPID certificate to Java CACERT
    keytool -import -alias QPID -keystore ../../etc/pki/ca-trust/extracted/java/cacerts -file QPID.cer -storepass changeit

I also specified the SSL settings as:

    -Djavax.net.ssl.trustStore=[...]qpid.conf/keystore/MDBBUTRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit

The error I get is as follows (from SSL debug):

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1511206004 bytes = { 69, 198, 205, 186, 121, 194, 64, 133, 34, 237, 39, 73, 145, 23, 174, 30, 20, 28, 252, 52, 167, 74, 5, 166, 61, 6, 127, 242 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes:  len = 207
0000: 01 00 00 CB 03 03 5A 13   2C 74 45 C6 CD BA 79 C2  ......Z.,tE...y.

[some more data of same type]
...
[some more data of same type]

00C0: 03 04 01 03 03 03 01 02   03 02 01 02 02 01 01     ...............
nioEventLoopGroup-15-1, WRITE: TLSv1.2 Handshake, length = 207
[Raw write]: length = 212
0000: 16 03 03 00 CF 01 00 00   CB 03 03 5A 13 2C 74 45  ...........Z.,tE

[some more data of same type]
...
[some more data of same type]

00C0: 05 03 05 01 04 03 04 01   03 03 03 01 02 03 02 01  ................
00D0: 02 02 01 01                                        ....
[Raw read]: length = 5
0000: 16 03 03 04 88                                     .....
[Raw read]: length = 1160
0000: 02 00 00 4D 03 03 5A 13   2C 74 AC 9B 2D F9 FA 59  ...M..Z.,t..-..Y
0010: BB C7 45 A0 9F ED B5 3F   7D 05 D4 83 D3 36 FE 4C  ..E....?.....6.L
0020: F0 B6 CB 87 86 F9 20 5A   13 2C 74 B9 A3 88 97 6E  ...... Z.,t....n

[some more data of same type]
.....
[some more data of same type]

nioEventLoopGroup-15-1, READ: TLSv1.2 Handshake, length = 1160
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1511206004 bytes = { 172, 155, 45, 249, 250, 89, 187, 199, 69, 160, 159, 237, 181, 63, 125, 5, 212, 131, 211, 54, 254, 76, 240, 182, 203, 135, 134, 249 }
Session ID:  {90, 19, 44, 116, 185, 163, 136, 151, 110, 50, 63, 177, 133, 218, 234, 231, 137, 97, 39, 29, 23, 216, 182, 65, 42, 165, 18, 173, 201, 44, 18, 160}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-13, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[read] MD5 and SHA1 hashes:  len = 81
0000: 02 00 00 4D 03 03 5A 13   2C 74 AC 9B 2D F9 FA 59  ...M..Z.,t..-..Y
0010: BB C7 45 A0 9F ED B5 3F   7D 05 D4 83 D3 36 FE 4C  ..E....?.....6.L
0020: F0 B6 CB 87 86 F9 20 5A   13 2C 74 B9 A3 88 97 6E  ...... Z.,t....n
0030: 32 3F B1 85 DA EA E7 89   61 27 1D 17 D8 B6 41 2A  2?......a'....A*
0040: A5 12 AD C9 2C 12 A0 C0   27 00 00 05 FF 01 00 01  ....,...'.......
0050: 00                                                 .
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=Qpid
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 17838898949194272763895904858029226742114411817633075440405824167496480878348219699071565266078743537513078586324053239358525649068739492259769179774376050243276494306041626152510770477107599166026312713480244773516248270063435812230147814274925586413575881169761140524134516039035163897980173923048645022578386644259910551912486834492258399033030846089211424992068118178712060197808521227471448918782773290447418660595134969271364486398667411290097082667956825083588193700666666652215335564892445838118728747305105358975738471545453493561867895848599405458487626990687846267295266248036139124227410954876752876840907
  public exponent: 65537
  Validity: [From: Thu Nov 16 18:25:12 CET 2017,
               To: Fri Nov 16 18:25:12 CET 2018]
  Issuer: CN=Qpid
  SerialNumber: [    2c24541a]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  DNSName: <Instance name>.sys.net
  IPAddress: some IP 
  IPAddress: some IP 
  IPAddress: some IP 
]

]
  Algorithm: [SHA256withRSA]
  Signature:

  [...] Signature stuff [....]

]
***
nioEventLoopGroup-15-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
%% Invalidated:  [Session-13, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
nioEventLoopGroup-15-1, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
nioEventLoopGroup-15-1, WRITE: TLSv1.2 Alert, length = 2
nioEventLoopGroup-15-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
nioEventLoopGroup-15-1, called closeOutbound()
nioEventLoopGroup-15-1, closeOutboundInternal()
nioEventLoopGroup-15-1, called closeInbound()
nioEventLoopGroup-15-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
nioEventLoopGroup-15-1, called closeOutbound()
nioEventLoopGroup-15-1, closeOutboundInternal()
nioEventLoopGroup-15-1, called closeInbound()
nioEventLoopGroup-15-1, closeInboundInternal()

I must be missing something. The error:

nioEventLoopGroup-15-1, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

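seems a bit strange to me. I am not sure whether my certificates are set up incorrectly or whether it is something else. Any help would be greatly appreciated.

P.S. Sorry if the question does not seem to conform to the Stack Overflow guidelines, but this is my first post. :-)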
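An added diagnostic, not part of the original post: "signature check failed" is raised when a presented certificate's signature does not verify under the public key of the truststore entry matched as its issuer. The Java sketch below records the certificate the broker presents (and always rejects it, so nothing is trusted), then compares it with every truststore entry by fingerprint, issuer name and signature. The class name `CheckBrokerCert` and the argument order are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class CheckBrokerCert {
    static String sha256(X509Certificate c) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(c.getEncoded()))
            sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] a) throws Exception {
        // Assumed arguments: <truststore> <password> <broker host> <TLS port>
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(a[0])) { ts.load(in, a[1].toCharArray()); }
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                throw new CertificateException("diagnostic only");
            }
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c; // record the presented chain, then refuse it
                throw new CertificateException("diagnostic only, chain recorded");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(a[2], Integer.parseInt(a[3]))) {
            s.startHandshake();
        } catch (SSLException expected) { /* the recorder always rejects the handshake */ }
        if (seen[0] == null) throw new IllegalStateException("no certificate received");
        X509Certificate leaf = seen[0][0];
        System.out.println("presented: " + leaf.getSubjectX500Principal() + " " + sha256(leaf));
        for (String alias : Collections.list(ts.aliases())) {
            if (!(ts.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate anchor = (X509Certificate) ts.getCertificate(alias);
            boolean sameName = anchor.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
            boolean sigOk; // does the presented certificate verify under this entry's key?
            try { leaf.verify(anchor.getPublicKey()); sigOk = true; } catch (Exception e) { sigOk = false; }
            System.out.println(alias + " " + sha256(anchor) + " issuerNameMatch=" + sameName + " signatureVerifies=" + sigOk);
        }
    }
}
```

An entry that reports `issuerNameMatch=true` with `signatureVerifies=false` carries the same name as the presented certificate's issuer but a different key pair. The keytool command in the post creates `CN=QPID` with no SubjectAlternativeName, while the debug output shows `CN=Qpid` with SAN entries; if the fingerprints differ, the broker is presenting a different certificate than the imported `QPID.cer`.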

0 answers:

No answers