相互SSL-使用Java作为客户端时的客户端证书链为空

时间:2018-11-02 07:20:54

标签: java ssl curl mutual-authentication

我们正在使用Java客户端(openJDK 1.8.0)来调用需要相互认证的api。为此,我们使用Java标准JKS文件作为密钥库和信任库(包含trustcerts和Identity certs / privatekey的相同文件)。我们用来测试的示例Java如下::: 

KeyStore clientKeyStore = KeyStore.getInstance("JKS");
            clientKeyStore.load(new FileInputStream("./client.keystore"),
                    password.toCharArray());

            // create a client connection manager to use in creating httpclients
            PoolingHttpClientConnectionManager mgr = new PoolingHttpClientConnectionManager();


            SSLContext sslContext = SSLContextBuilder.create()
                    .loadKeyMaterial(clientKeyStore, password.toCharArray())
                    .loadTrustMaterial(clientKeyStore, null).build();

            // create the client based on the manager, and use it to make the call
            CloseableHttpClient httpClient = HttpClientBuilder.create()
                    .setConnectionManager(mgr)
                    .setSslcontext(sslContext)
                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
                    .build();


            HttpPost httppost = new HttpPost("https://someUrl");

            String params = "";
            StringEntity param = new StringEntity(params);
            httppost.setEntity(param);
            System.out.println("Sending request...............");
            HttpResponse response = httpClient.execute(httppost);

在SSL握手过程中,作为“ serverhello”的最后一步,服务器正在通过发出“ certificaterequest”来请求客户端的身份-请在下面的请求中找到:: 

    *** CertificateRequest
Cert Types: RSA, ECDSA, DSS
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, SHA256withDSA, SHA256withECDSA, SHA224withRSA, SHA224withDSA, SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Intermediate CA, OU=ourCA.com, O=ourCA Inc, C=US>

此后,我们在下面的行中看到java的keyManager无法找到使用相同签名者签名的任何内容。 

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***

我们已经验证了密钥库中存在该证书及其有效证书(通过在Windows框中打开该证书,如果证书无效,则该证书不会打开)。因此我们的密钥库有一个链:myIdentity >>由中间CA签名>>由根CA签名

我们尝试过的一些事情(没有任何运气)是:

  • 尝试覆盖keystoremanager以返回硬编码别名,即keystore.jks中证书的别名。
  • 尝试将身份证书和CA证书拆分为两个单独的文件,即单独的keystore.jks和truststore.jks

值得分享的是,如果我们使用cURL,则相同的连接性会很好地工作。如果使用cURL,我们必须显式传递客户端证书作为参数(cURL没有密钥库的概念),并且我们使用的是Linux默认密钥库(/etc/pki/tls/certs/ca-bundle.crt)

curl -vvv GET https://api.someone.com/some/path -E /home/certificates/client.test.pem --key /home/certificates/client.test.key

我不确定还有哪些其他细节可以增加价值,但是我很乐意分享所有需要的细节(除了我的私钥:-P之外)

1 个答案:

答案 0 :(得分:0)

我遇到了与您描述的相同的问题。 我遇到的问题是我使用以下命令在Java中加载了密钥库:

System.setProperty("javax.net.ssl.keyStore", "/path/key.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "pass");

当服务器请求ClientCertificate时,得到的全部是:

*** CertificateRequest 
Cert Types: RSA, DSS Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, Unknown (hash:0x4,signature:0x2), SHA224withRSA, SHA224withECDSA, Unknown (hash:0x3,signature:0x2), SHA1withRSA, SHA1withECDSA, SHA1withDSA 
Cert Authorities: 
<CN=HB Internal Issuing CA, DC=domainx, DC=hb, DC=bis>
*** ServerHelloDone 
Warning: no suitable certificate found - continuing without client authentication

为此的解决方案是按照以下描述的不同方式加载密钥库: Java SSLHandshakeException "no cipher suites in common"

基本上,我所做的是更改我创建SSLContext的方式:

发件人:

System.setProperty("javax.net.ssl.keyStore", "/path/key.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "pass");

System.setProperty("javax.net.ssl.trustStore", "/path/trust.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

SSLContext c = SSLContext.getInstance("TLSv1.2");
c.init(null, null, null);

收件人:

// instantiate a KeyStore with type JKS
KeyStore ks = KeyStore.getInstance("JKS");

// load the contents of the KeyStore
final char[] keyPasswd = "pass".toCharArray();
ks.load(new FileInputStream("/path/key.jks"), keyPasswd);

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

keyManagerFactory.init(ks, keyPasswd);

SSLContext c = SSLContext.getInstance("TLSv1.2");
c.init(keyManagerFactory.getKeyManagers(), null, null);

然后的结果是:

*** CertificateRequest
Cert Types: RSA, DSS
Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, Unknown (hash:0x4, signature:0x2), SHA224withRSA, SHA224withECDSA, Unknown (hash:0x3, signature:0x2), SHA1withRSA, SHA1withECDSA, SHA1withDSA
Cert Authorities:
<CN=HB Internal Issuing CA, DC=domainx, DC=hb, DC=bis>
*** ServerHelloDone
matching alias: ibmwebspheremq01
相关问题
最新问题