JAVA SSL Invalid CertificateVerify signature

Time: 2020-10-22 15:47:20

Tags: java spring-boot ssl spring-security undertow

I am using:

  • openJDK 15
  • Spring Boot 2.3.4 with embedded Undertow

I don't think the problem is related to Spring Boot but to some mistake of mine. More precisely, I am using this openJDK version:

openjdk version "15" 2020-09-15
OpenJDK Runtime Environment (build 15+36-1562)
OpenJDK 64-Bit Server VM (build 15+36-1562, mixed mode, sharing)

Here is what I need: I need X.509 with Spring Security. In order to build a proper truststore, I wrote some code that connects [here][1], parses the XML and creates the truststore file.

Then I configured my Spring Boot this way:

server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3

It seems to me that the truststore is loaded correctly (if I use a wrong name, the application does not start).

Now, I have an X.509 client certificate and a device connected to my laptop via USB. The client certificate is issued by Actalis and is valid until 2021.

When I try to connect to my Spring Boot application, it asks me for the certificate. I send it to the app, but openJDK complains about the verification of the certificate signature. By starting the application with -Djavax.net.debug=all, I get this error:

javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.147 CEST|CertificateMessage.java:1161|Consuming client Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
  .............................
  }
  ]
)
javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.163 CEST|X509TrustManagerImpl.java:301|Found trusted certificate (
  "certificate" : {
    [
      .......
    ]}
)
javax.net.ssl|ERROR|2C|XNIO-1 task-1|2020-10-22 17:38:05.165 CEST|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Invalid CertificateVerify signature (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Invalid CertificateVerify signature
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:1009)
    at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyConsumer.consume(CertificateVerify.java:1160)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199)
    at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1107)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
    at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
    at java.base/java.lang.Thread.run(Thread.java:832)}

)
javax.net.ssl|ALL|2C|XNIO-1 task-1|2020-10-22 17:38:05.166 CEST|SSLSessionImpl.java:1224|Invalidated session:  Session(1603381082397|TLS_AES_256_GCM_SHA384)
javax.net.ssl|WARNING|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:173|outbound has closed, ignore outbound application data
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:510|WRITE: TLS13 alert, length = 2
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLCipher.java:2063|Plaintext before ENCRYPTION (
  0000: 02 28 15 00 00 00 00 00   00 00 00 00 00 00 00 00  .(..............
  0010: 00 00 00                                           ...
)
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLEngineOutputRecord.java:528|Raw write (
  0000: 17 03 03 00 23 C4 F6 89   E4 E1 58 81 C6 99 7D AE  ....#.....X.....
  0010: 8B 65 BA 49 1F 6F 57 28   73 F1 08 47 21 80 33 0F  .e.I.oW(s..G!.3.
  0020: CF FF 65 2A 2D 16 93 99                            ..e*-...
)

I don't understand why I can't verify the certificate signature on the server side.

Can anybody give me a tip?

Thanks

Angelo

[1]: https://eidas.agid.gov.it/TL/TSL-IT.xml

Update

I solved the problem by removing TLSv1.3; so now my Spring Boot configuration file is:

server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2

The request now reaches Spring Security's org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter, but no request parameter named javax.servlet.request.X509Certificate is found.

These are all the request parameters and headers I find in the request:

2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER VALUE org.springframework.web.context.request.async.WebAsyncManager@5d2019a3
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.header.HeaderWriterFilter@40d63d7e.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY __spring_security_scpf_applied VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.key_size VALUE 256
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.http.HttpServletResponse VALUE org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@479cfa9
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY characterEncodingFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY webMvcMetricsFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.FilterChainProxy.APPLIED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY _csrf VALUE SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@7be2014]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.cipher_suite VALUE TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext VALUE org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter$TimingContext@10e6a38
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.ssl_session_id VALUE [45, 69, -121, -113, 43, -28, 65, -68, 113, 77, 78, 5, -13, -54, 110, -77, -14, -70, -2, 107, 112, 46, 93, -31, -101, -97, -103, 121, 34, 71, 86, -13]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.CsrfFilter@3cabd235.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY formContentFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY requestContextFilter.FILTERED VALUE true
2020-10-22 19:35:59,725 24752 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.CsrfToken VALUE SaveOnAccessCsrfToken [delegate=org.springframework.security.web.csrf.DefaultCsrfToken@7be2014]
2020-10-22 19:35:59,736 24763 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cookie HEAD VALUE JSESSIONID=9bxOO7wIleO0zohbZ3V5X-WX5ydAJHtsP74LicCx
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept HEAD VALUE text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cache-Control HEAD VALUE max-age=0
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Upgrade-Insecure-Requests HEAD VALUE 1
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME User-Agent HEAD VALUE Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Connection HEAD VALUE keep-alive
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Host HEAD VALUE eid-tls-svil.regione.puglia.it:8443
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Language HEAD VALUE en-US,en;q=0.5
2020-10-22 19:35:59,739 24766 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Encoding HEAD VALUE gzip, deflate, br

Can anybody suggest to me why?

Thanks

Angelo

Second update

I tried changing the embedded server from Undertow to Tomcat, and now it works without touching anything else in the Spring configuration. So basically, it seems to me that the client certificate is not sent to Spring Security.

Am I missing something?

0 answers:

No answers
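An added diagnostic helper, not code from the original post: it reads the client chain from the same javax.servlet.request.X509Certificate attribute that Spring Security's X509AuthenticationFilter consumes (so a filter placed before it can log whether the container propagated the certificate at all, the symptom of the second update) and validates that chain with PKIX against the PKCS12 truststore configured above. The class and method names are hypothetical, and the truststore path and password are supplied by the caller.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;

/** Diagnostic helper (added example, hypothetical class name). */
public final class ClientCertCheck {

    /** Servlet-spec attribute that Spring Security's X509AuthenticationFilter reads. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client chain the container exposed, or null when nothing was propagated. */
    static X509Certificate[] clientChain(HttpServletRequest request) {
        Object value = request.getAttribute(CERT_ATTR);
        return value instanceof X509Certificate[] ? (X509Certificate[]) value : null;
    }

    /** Loads the PKCS12 truststore; every trusted-certificate entry becomes a PKIX trust anchor. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trust.load(in, password);
        }
        return trust;
    }

    /** Validates the chain (leaf first, as the container delivers it); throws if it does not reach an anchor. */
    static void validate(X509Certificate[] chain, KeyStore trust) throws Exception {
        // Stop before any cert that is itself a trust anchor: PKIX expects the anchor outside the path.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            if (trust.getCertificateAlias(cert) != null) {
                break;
            }
            path.add(cert);
        }
        if (path.isEmpty()) {
            throw new IllegalArgumentException("chain is empty or starts at a trust anchor");
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // assumption: CRL/OCSP checking is done elsewhere
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }
}
```

A null result from clientChain(...) means the container never set the attribute, regardless of what the TLS layer negotiated; a CertPathValidatorException from validate(...) means the presented chain does not lead to any CA in the truststore (or a certificate in it is expired).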