全局任务是使客户端使用USB令牌进行身份验证,并建立与Java服务器的TLS / SSL连接。但服务器响应"证书验证消息签名错误"每次。
我们决定尝试使用令牌签名并验证邮件。而且......它失败了!使用令牌的私钥签名的消息不会由其自己的公钥验证。我很沮丧。有人遇到过这样的麻烦吗?
这是服务器的堆栈跟踪:
Exception on read(write) data from socket:
javax.net.ssl.SSLHandshakeException: certificate verify message signature error
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1731)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:231)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientCertificateVerify(ServerHandshaker.java:1165)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:220)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:925)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181) ...
为了测试签名/验证我在数字签名上更改了Oracle's tutorial以使用PKCS11令牌。以下是generator和verifier。