我正在尝试使用客户端证书身份验证在Java中执行一些json / https rpc。我正在尝试使用Windows密钥库作为客户端证书并且它不起作用 - 服务器返回decrypt_error ssl警报。我可以在IE中使用相同的客户端证书来访问相同的服务器,因此我知道它不是证书本身的问题。如果我从其他来源拉取密钥,我也可以从java中执行此操作。服务器运行的是带有openssl 0.9.8g的Apache 2.2.8。我在mod_ssl配置中尝试了不同的密码,但它与所有这些密码都失败了。协议始终与TLSv1协商。我尝试了几个JRE 1.6版本,他们都有这个问题。我已经在一些地方看到过在互联网上提到这个错误,但没有解决方案。
特别是我看到了这些:
http://forums.oracle.com/forums/thread.jspa?threadID=1531706
http://www.java-forums.org/java-applets/24508-how-use-windows-keystore-establise-ssl-connection.html
我尝试使用javax.net.debug = all运行,但实际上我遇到了一个不同的错误 - 这看起来很奇怪。 附件是一个最小的测试用例,javax.net.debug = ssl和javax.net.debug的结尾=使用stacktraces的所有输出。如果有人想看到它们,我可以发布完整的日志。
这对我目前的项目非常重要,所以我们将不胜感激。
这是一个最小的测试用例:
import java.io.BufferedInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class Minimal {
public static void main(String[] args) throws Exception {
SSLContext context = SSLContext.getInstance("SSL");
KeyManagerFactory keyFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance("WINDOWS-MY");
keyStore.load(null, null);
keyFac.init(keyStore, null);
TrustManagerFactory trustFac = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = KeyStore.getInstance("WINDOWS-ROOT");
trustStore.load(null, null);
trustFac.init(trustStore);
context.init(keyFac.getKeyManagers(), trustFac.getTrustManagers(), null);
HttpsURLConnection conn = (HttpsURLConnection)new URL("https://<redacted>").openConnection();
conn.setRequestMethod("GET");
conn.setDoInput(true);
conn.setSSLSocketFactory(context.getSocketFactory());
int responseCode = conn.getResponseCode();
System.out.println("RESPONSE: " + responseCode);
InputStream response = null;
if(responseCode != 200) {
response = conn.getErrorStream();
} else {
response = conn.getInputStream();
}
Reader r = new InputStreamReader(new BufferedInputStream(response));
char[] buffer = new char[1024];
int read = 0;
while((read = r.read(buffer)) != -1) {
System.out.print(Arrays.copyOf(buffer, read));
}
System.out.println("DONE");
}
}
在Windows XP SP3上使用Oracle 1.6u26 32位JRE的debug = ssl输出:
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 4640
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 1F B7 3D E7 72 6D 23 39 7C B0 0F F0 26 8F ....=.rm#9....&.
0010: D6 24 FA D2 1C DE 43 94 4C 9C AA EA F1 4A 69 F1 .$....C.L....Ji.
0020: 62 20 5B CA 94 B8 CC 84 13 D5 1B 04 E5 51 A8 B7 b [..........Q..
CONNECTION KEYGEN:
Client Nonce:
0000: 4E 40 59 44 1A 4E 92 52 C3 BB 26 1F 08 A3 14 3F N@YD.N.R..&....?
0010: EB B9 CA 17 A1 DD B8 1D 89 C3 43 A8 E2 C6 D1 D0 ..........C.....
Server Nonce:
0000: 4E 40 59 44 9C D0 05 53 96 C1 50 3E 24 AA 38 DB N@YD...S..P>$.8.
0010: AE E7 55 F0 40 14 A4 85 4B BE 46 A5 7C 08 CB 2F ..U.@...K.F..../
Master Secret:
0000: 7F 32 A2 C4 35 8D CA C0 F7 05 B5 0B B0 38 F8 C6 .2..5........8..
0010: 0C DC 7E C1 79 FD 97 08 0A D7 B1 40 6E 73 CB 28 ....y......@ns.(
0020: 84 78 D2 87 A8 88 C8 C7 A0 8C A3 AB 29 6B 6D FC .x..........)km.
Client MAC write Secret:
0000: 96 90 FF F8 86 E0 AC E6 89 00 57 5A C6 23 94 EE ..........WZ.#..
0010: AD 20 AB 5A . .Z
Server MAC write Secret:
0000: AD C0 78 DC C8 96 BD E4 27 AD 7C 6D C8 AA C4 96 ..x.....'..m....
0010: E3 03 46 25 ..F%
Client write key:
0000: 40 25 7F BD 82 B7 85 6F 74 B2 A4 D1 16 4A FB 9F @%.....ot....J..
Server write key:
0000: 9F E5 5D 45 73 66 E0 11 9B 14 25 F5 80 A9 EB 2D ..]Esf....%....-
Client write IV:
0000: 77 1E BE 62 7A EB 56 D9 C4 62 D9 B5 2D 1E 22 97 w..bz.V..b..-.".
Server write IV:
0000: 7B 9F 0B AE 2E DF AF 7B 15 09 08 8C DE 13 0F 82 ................
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 288
main, WRITE: TLSv1 Change Cipher Spec, length = 32
*** Finished
verify_data: { 12, 12, 219, 182, 15, 237, 101, 233, 209, 171, 52, 158 }
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Alert, length = 32
main, RECV TLSv1 ALERT: fatal, decrypt_error
%% Invalidated: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
main, called close()
main, called closeInternal(true)
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:755)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)
at Minimal.main(Minimal.java:33)
在Windows XP SP3上使用Oracle 1.6u26 32位JRE调试=所有输出:
*** CertificateVerify
[write] MD5 and SHA1 hashes: len = 262
0000: 0F 00 01 02 01 00 54 BD E6 C5 44 96 71 2B EF FC ......T...D.q+..
0010: 6E 0B D6 26 79 32 F1 23 AC 35 9C CE FD C6 A5 44 n..&y2.#.5.....D
0020: F7 F1 C9 4C 48 0F AA EC 26 62 8F F8 50 3B FE 55 ...LH...&b..P;.U
0030: 99 07 6D EC F9 42 60 B8 DF 8C 54 94 F6 2C B7 A8 ..m..B`...T..,..
0040: 16 C5 75 18 99 7E 3D 89 29 A2 46 5C 3E 49 33 F5 ..u...=.).F\>I3.
0050: C6 B0 82 B1 1D 74 42 2A D5 8F E7 6C 13 75 F9 93 .....tB*...l.u..
0060: CD 21 10 D1 52 39 DD 00 95 C5 28 E6 84 66 75 DB .!..R9....(..fu.
0070: D3 53 A1 F6 CF D1 0B EC 6C 2E F2 32 FB 2E 87 49 .S......l..2...I
0080: 8A 11 E0 EA 2F E4 A3 AF 49 09 86 0B DF 6D 8A BB ..../...I....m..
0090: 0C 51 1B 9A 16 6D DA EF F5 C0 25 09 4F 17 35 84 .Q...m....%.O.5.
00A0: DC 15 FE 2A 17 F0 AD 9F F5 4C 26 AA DE 54 97 97 ...*.....L&..T..
00B0: EB 6F 07 ED 86 0A 62 B2 33 ED 2E DB 98 C0 A9 D3 .o....b.3.......
00C0: 6A B2 1D EE E8 D4 F9 73 F1 EE 76 0D 2E 2A F0 D0 j......s..v..*..
00D0: 32 35 4A F8 4F E6 E3 C5 D3 29 3F AF 27 5E 3E 09 25J.O....)?.'^>.
00E0: 1C 4A E5 4B 0C E2 92 77 91 F1 31 73 18 10 0F 8A .J.K...w..1s....
00F0: 53 87 54 73 A0 64 92 4E 21 40 25 9E EB D7 9C 68 S.Ts.d.N!@%....h
0100: 75 59 3C 12 A6 AE uY<...
Padded plaintext before ENCRYPTION: len = 288
0000: 0F 00 01 02 01 00 54 BD E6 C5 44 96 71 2B EF FC ......T...D.q+..
0010: 6E 0B D6 26 79 32 F1 23 AC 35 9C CE FD C6 A5 44 n..&y2.#.5.....D
0020: F7 F1 C9 4C 48 0F AA EC 26 62 8F F8 50 3B FE 55 ...LH...&b..P;.U
0030: 99 07 6D EC F9 42 60 B8 DF 8C 54 94 F6 2C B7 A8 ..m..B`...T..,..
0040: 16 C5 75 18 99 7E 3D 89 29 A2 46 5C 3E 49 33 F5 ..u...=.).F\>I3.
0050: C6 B0 82 B1 1D 74 42 2A D5 8F E7 6C 13 75 F9 93 .....tB*...l.u..
0060: CD 21 10 D1 52 39 DD 00 95 C5 28 E6 84 66 75 DB .!..R9....(..fu.
0070: D3 53 A1 F6 CF D1 0B EC 6C 2E F2 32 FB 2E 87 49 .S......l..2...I
0080: 8A 11 E0 EA 2F E4 A3 AF 49 09 86 0B DF 6D 8A BB ..../...I....m..
0090: 0C 51 1B 9A 16 6D DA EF F5 C0 25 09 4F 17 35 84 .Q...m....%.O.5.
00A0: DC 15 FE 2A 17 F0 AD 9F F5 4C 26 AA DE 54 97 97 ...*.....L&..T..
00B0: EB 6F 07 ED 86 0A 62 B2 33 ED 2E DB 98 C0 A9 D3 .o....b.3.......
00C0: 6A B2 1D EE E8 D4 F9 73 F1 EE 76 0D 2E 2A F0 D0 j......s..v..*..
00D0: 32 35 4A F8 4F E6 E3 C5 D3 29 3F AF 27 5E 3E 09 25J.O....)?.'^>.
00E0: 1C 4A E5 4B 0C E2 92 77 91 F1 31 73 18 10 0F 8A .J.K...w..1s....
00F0: 53 87 54 73 A0 64 92 4E 21 40 25 9E EB D7 9C 68 S.Ts.d.N!@%....h
0100: 75 59 3C 12 A6 AE 04 99 63 17 2C 0F 57 FC DD 48 uY<.....c.,.W..H
0110: 06 79 E9 2F 98 C1 B0 89 E1 16 05 05 05 05 05 05 .y./............
main, WRITE: TLSv1 Handshake, length = 288
[Raw write]: length = 293
0000: 16 03 01 01 20 E4 75 8F 10 01 30 6F DB C9 9A 45 .... .u...0o...E
0010: FE 5A 30 38 1D BC 44 DD 9F 4E CF 1A AB 16 75 0B .Z08..D..N....u.
0020: 94 7C 59 EB 5B 51 D0 72 7F FC 6D 64 BC F1 A4 3C ..Y.[Q.r..md...<
0030: A1 AD 77 55 82 D9 42 FE 2B 01 E7 E4 C1 03 8D 53 ..wU..B.+......S
0040: 4E B6 4E 3E 9F AA B4 CB 14 12 36 11 FF 14 DD BD N.N>......6.....
0050: 8F D0 BF 3D 11 58 CE 17 6A 80 6F F8 A8 0C 17 0D ...=.X..j.o.....
0060: 6C 41 02 AB 96 03 91 60 C9 54 76 44 E2 17 A1 D5 lA.....`.TvD....
0070: 07 7A 26 16 3E 94 88 0C BC E9 BE E9 91 A7 60 DC .z&.>.........`.
0080: D5 1C DD 85 DB F8 7A 52 5E 09 F2 38 B9 29 7D 08 ......zR^..8.)..
0090: 14 00 C0 D2 5E 72 4F 85 5A C0 E0 C1 33 58 C0 CD ....^rO.Z...3X..
00A0: 13 B6 1A AC 9B 86 2A 00 81 55 94 0B 19 81 89 45 ......*..U.....E
00B0: 42 A0 12 E9 4E 15 2C E7 92 A5 6F D5 F7 31 74 42 B...N.,...o..1tB
00C0: 8E 2B 50 2F 46 A6 46 DF E4 F4 F1 32 FD 40 0D C9 .+P/F.F....2.@..
00D0: 3A 0B 26 F0 2B 0A 58 FD A3 DC E7 30 3A 98 EB A8 :.&.+.X....0:...
00E0: BB 7C A2 FA DF 7E 9C 61 96 6F F9 A7 02 19 43 91 .......a.o....C.
00F0: 0B 1C C4 4E 73 8F A5 CA C5 CF D3 71 86 26 A1 EE ...Ns......q.&..
0100: 2A B1 DE 1B BE 7A E8 1B 04 91 62 DD 9A C9 F2 72 *....z....b....r
0110: D6 A4 AC 13 83 CE 60 28 E7 D4 97 54 1E 31 E2 E3 ......`(...T.1..
0120: 75 3B 5E 57 81 u;^W.
Padded plaintext before ENCRYPTION: len = 32
0000: 01 20 0B 27 DC 48 23 03 1A D7 9A F6 2A BB 8F B8 . .'.H#.....*...
0010: 4D 6E 8A F0 ED 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A 0A Mn..............
main, WRITE: TLSv1 Change Cipher Spec, length = 32
[Raw write]: length = 37
0000: 14 03 01 00 20 6C 2C F0 99 F6 91 70 68 9B 4C 51 .... l,....ph.LQ
0010: CC 9E 82 87 22 7C 84 FB FB A6 7F 12 F7 E1 3C 19 ....".........<.
0020: 4E 5E F6 39 A5 N^.9.
*** Finished
verify_data: { 187, 117, 145, 153, 138, 130, 177, 134, 30, 54, 197, 207 }
***
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C BB 75 91 99 8A 82 B1 86 1E 36 C5 CF .....u.......6..
Padded plaintext before ENCRYPTION: len = 48
0000: 14 00 00 0C BB 75 91 99 8A 82 B1 86 1E 36 C5 CF .....u.......6..
0010: 39 22 A0 F8 21 7B 7B 06 B2 AD 63 73 B7 47 74 E2 9"..!.....cs.Gt.
0020: 10 18 AC 34 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B 0B ...4............
main, WRITE: TLSv1 Handshake, length = 48
main, waiting for close_notify or alert: state 3
main, Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
%% Invalidated: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Padded plaintext before ENCRYPTION: len = 32
0000: 02 0A 09 D5 63 69 0E 9D 6F AF AC 53 23 31 63 94 ....ci..o..S#1c.
0010: 6D 94 94 D4 E4 AB 09 09 09 09 09 09 09 09 09 09 m...............
main, WRITE: TLSv1 Alert, length = 32
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
main, called close()
main, called closeInternal(true)
Exception in thread "main" java.net.SocketException: Software caused connection
abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1493)
at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:689)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:985)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:904)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:755)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)
at com.scytale.cards.session.Minimal.main(Minimal.java:33)
答案 0 :(得分:3)
我扎根于javaws,发现一个不太可怕的解决方案,而不是启动另一个进程。 您需要将JRE中的deploy.jar添加到类路径中。请注意,这使用私有sun / oracle apis,因此可能会发生变化。这对我的项目来说是一个可接受的风险,可能不适合你的风险,所以请记住这一点。
首先,将以下内容添加到程序的初始化中:
Class providerClass = Class.forName("com.sun.deploy.security.MSCryptoProvider", true, ClassLoader.getSystemClassLoader());
Provider provider = (Provider)providerClass.newInstance();
Security.insertProviderAt(provider, Security.getProviders().length + 1);
com.sun.deploy.config.Config.getInstance().loadDeployNativeLib();
其余代码与问题中的相同,但使用WIExplorerMy作为密钥库名称而不是WINDOWS-MY。这应该就是你需要做的一切。
请记住,这只是选择第一个适用的证书,因此您可能需要实现X509KeyManager,将所有操作委派给keyFac.getKeyManagers中的一个,除了chooseClientAlias。
答案 1 :(得分:0)
我遇到了完全相同的问题,最后我使用了Java Web Start。
从您的应用中删除SSL上下文逻辑。你不需要它。
完成您的应用并导出可执行jar。
为自己创建一个自签名证书(不用于生产用途 当然,使用Java keytool实用程序:
prompt> keytool -genkey -keystore mykeystore -alias somealias (you will have to fill out some info)
prompt> keytool -selfcert -alias somealias -keystore mykeystore
签署您的jar文件:
prompt> jarsigner -keystore mykeystore path_to_jar_file alias_to_sign_with
最后,设置您的用户将启动的jnlp文件(通过双击或通过浏览器,或通过shell和等待函数中的命令行(通过javaws执行)从您的主机应用程序启动)。
以下是jnlp文件示例:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp codebase="file:///path_to_your_jnlp_file_directory" href="some_jnlpfile.jnlp">
<information>
<title>The Title of Your App</title>
<vendor>The Vendor Name</vendor>
</information>
<resources>
<jar href="the_codebase_relative_path_to_your_jar/somejar.jar"/>
</resources>
<application-desc main-class="mypackage.MyClass"/>
<security>
<all-permissions/>
</security>
</jnlp>
现在您可以启动jnlp并允许Java Web Start处理SSL功能,包括提示用户输入证书和/或PIN。