I am looking for some help solving a mutual authentication problem.
I am using:
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode, sharing)
I am trying to open a secure socket to a Microsoft IIS server.
I always get a 403.7 (Forbidden: client certificate required) back from the IIS server.
NOTE: when I run this I get the message "localCerts was NULL!" from my HandshakeCompletedListener, i.e. event.getLocalCertificates() returns null, so no client certificate was sent during the handshake.
I have all the proper certificates in the keystore, and the IIS server is requesting a certificate, but it appears the client is not sending one.
Sorry for the length of the code, it has many debug statements
import java.io.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.security.*;
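public class SSLTunnel implements javax.net.ssl.HandshakeCompletedListener {

    /**
     * Debug output collected through {@link #dump(String)} plus, once the request
     * has been sent, the raw response lines read back from the server.
     */
    private StringBuffer dbg = null;

    /** Password of the JKS trust store. FIXME: hard-coded; read it from configuration like the others. */
    private static final String TRUST_STORE_PASSWORD = "changeit";

    /**
     * Returns a configuration value: key/trust store paths, the key password and the
     * protocol name handed to {@link SSLContext#getInstance(String)}.
     * The real lookup was cut from this listing; this is only a stub.
     */
    private String getProperty(String h) {
        // STUB
        return null;
    }

    /** Debug sink; the real implementation was cut from this listing. */
    private void dump(String m) {
        // STUB
    }

    /**
     * Connects to {@code host:port}, performs the TLS handshake (with client
     * authentication if the key store makes that possible) and issues {@code GET URL}.
     *
     * @throws IOException on I/O failure, or when a store cannot be loaded or the
     *         SSLContext cannot be initialised
     */
    public SSLTunnel(String URL, String host, int port) throws IOException {
        dbg = new StringBuffer();
        getSecureInputStream(URL, host, port);
    }

    /** Everything dumped so far, followed by the server's response lines. */
    public StringBuffer getOutput() { return this.dbg; }

    /**
     * HandshakeCompletedListener callback. The Sun JSSE implementation delivers it on
     * a separate notifier thread, so its output may interleave with the dump() calls
     * made from the constructor's thread.
     *
     * A null result from getLocalCertificates() means the X509KeyManager chose no
     * alias in response to the server's CertificateRequest, i.e. no client
     * certificate was sent -- which is exactly what IIS answers with 403.7.
     */
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        dump("HANDSHAKE COMPLETE");
        dump("CipherSuite=" + event.getCipherSuite() + "\n");

        java.security.cert.Certificate[] localCerts = event.getLocalCertificates();
        if (localCerts == null) {
            dump("localCerts was NULL!\n");
        } else {
            dumpAll("localCerts", localCerts);
        }

        try {
            dumpAll("peerCert", event.getPeerCertificates());
        } catch (SSLPeerUnverifiedException uv) {
            dump("SSLPeerUnverifiedException: " + uv);
        }
        try {
            // deprecated javax.security.cert view of the same chain, kept for comparison
            dumpAll("peer509", event.getPeerCertificateChain());
        } catch (SSLPeerUnverifiedException uv) {
            dump("SSLPeerUnverifiedException: " + uv);
        }

        SSLSocket sok = event.getSocket();
        dump("need client auth=" + sok.getNeedClientAuth() + "\n");
        dump("use client auth=" + sok.getUseClientMode() + "\n");
        dump("want client auth=" + sok.getWantClientAuth() + "\n");
    }

    /** Dumps each element of {@code items} as "label[i] item\n"; a null array dumps nothing. */
    private void dumpAll(String label, Object[] items) {
        if (items == null) {
            return;
        }
        for (int i = 0; i < items.length; i++) {
            dump(label + "[" + i + "] " + items[i] + "\n");
        }
    }

    /** Dumps each string as "prefixvalue"; a null array dumps nothing. */
    private void dumpEach(String prefix, String[] values) {
        if (values == null) {
            return;
        }
        for (int i = 0; i < values.length; i++) {
            dump(prefix + values[i]);
        }
    }

    /**
     * Builds an SSLContext from the configured JKS key store and trust store, opens an
     * SSLSocket to {@code host:port}, handshakes, sends {@code GET URL HTTP/1.0} and
     * appends the response lines to {@link #dbg}.
     *
     * The context is built explicitly here, so the javax.net.ssl.* system properties
     * set below do NOT influence this socket; they only configure the JVM's default
     * SSLContext (HttpsURLConnection and friends). In particular the PKCS#12 file in
     * "pfxfile" is never consulted by this code path -- only the JKS "keystorefile".
     *
     * @throws IOException if a store cannot be read, the SSLContext cannot be
     *         initialised, or the connection/handshake/request fails
     */
    private void getSecureInputStream(String URL, String host, int port) throws IOException {
        String ksf = getProperty("keystorefile");
        String psf = getProperty("pfxfile");
        String tsf = getProperty("truststorefile");
        String keyPass = getProperty("keypasswd");
        String proto = getProperty("wsb.ma.proto");
        dump("BEGIN_SIS URL=(" + URL + "), host=(" + host + "), port=(" + port + ")");

        // Process-wide settings. javax.net.debug=all makes JSSE print the entire
        // handshake (certificates, key-exchange details, record dumps) to stdout --
        // acceptable for this diagnosis, never for production. Putting the key store
        // password into System properties also exposes it to every class in the JVM.
        System.setProperty("javax.net.debug", "all");
        System.setProperty("javax.net.ssl.trustStore", tsf);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD); // FIXME
        System.setProperty("javax.net.ssl.keyStore", psf);
        System.setProperty("javax.net.ssl.keyStorePassword", keyPass);
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");

        // The original listing also defined an all-accepting X509TrustManager here.
        // It was never installed (the real trust store is used below), so it has been
        // removed rather than left around to be wired in "temporarily" some day.

        if (keyPass == null) {
            throw new IOException("keypasswd is not configured");
        }
        char[] keyPassChars = keyPass.toCharArray();

        // Fail loudly: with a null or unloadable key store KeyManagerFactory.init still
        // succeeds and merely yields a key manager that never sends a certificate.
        KeyStore ks = loadStore("JKS", "SUN", ksf, keyPassChars);
        dumpKeyStore(ks, keyPassChars);
        KeyStore ts = loadStore("JKS", null, tsf, TRUST_STORE_PASSWORD.toCharArray());
        dumpTrustStore(ts);

        SSLContext sc = createContext(proto, ks, keyPassChars, ts);

        SSLSocket socket = (SSLSocket) sc.getSocketFactory().createSocket(host, port);
        try {
            socket.addHandshakeCompletedListener(this);
            socket.setUseClientMode(true); // must be set before startHandshake()
            dump("START HANDSHAKE");
            socket.startHandshake();
            dumpEach("Enabled Cipher: ", socket.getEnabledCipherSuites());
            dumpEach("Enabled Protocols: ", socket.getEnabledProtocols());
            sendRequest(socket, URL);
        } finally {
            socket.close(); // also on handshake or I/O failure; closes both streams
        }
    }

    /**
     * Loads a key store of the given type from {@code path}, closing the file afterwards.
     *
     * @param provider JCA provider name, or null for the default lookup
     * @throws IOException if the file cannot be read or the store cannot be created;
     *         a wrong store password on a JKS file also surfaces as IOException
     */
    private KeyStore loadStore(String type, String provider, String path, char[] password)
            throws IOException {
        FileInputStream in = null;
        try {
            KeyStore store = (provider == null)
                    ? KeyStore.getInstance(type)
                    : KeyStore.getInstance(type, provider);
            in = new FileInputStream(path);
            store.load(in, password);
            return store;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot load " + type + " store " + path + ": " + e, e);
        } catch (IOException e) {
            throw new IOException("cannot read " + type + " store " + path + ": " + e, e);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // best-effort close of a read-only stream
                }
            }
        }
    }

    /**
     * Dumps every alias of the key store with its certificate, chain and key status.
     *
     * Only private-key entries (keyEntry=true) can ever be presented as a client
     * certificate; a store that holds just trustedCertEntry items -- what
     * "keytool -import" of a .cer produces -- yields no client certificate at all,
     * so a warning is dumped when no key entry is found.
     *
     * Key material itself is deliberately not dumped: toString() of Sun's RSA private
     * key implementation includes the private exponent.
     */
    private void dumpKeyStore(KeyStore ks, char[] keyPass) throws IOException {
        int keyEntries = 0;
        try {
            java.util.Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                boolean isKey = ks.isKeyEntry(alias);
                if (isKey) {
                    keyEntries++;
                }
                dump("Key STORE alias=" + alias + " keyEntry=" + isKey + "\n");

                java.security.cert.Certificate cert = ks.getCertificate(alias);
                dump(cert == null ? "certificate=null\n" : "certificate=" + cert + "\n");

                java.security.cert.Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) {
                    dump("certificate chain=null\n");
                } else {
                    for (int i = 0; i < chain.length; i++) {
                        dump("certificate chain [" + i + "]=" + chain[i] + "\n");
                    }
                }

                // A wrong key password shows up here; keep going so the other aliases
                // are still listed.
                try {
                    Key key = ks.getKey(alias, keyPass);
                    dump(key == null
                            ? "key=null\n"
                            : "key=" + key.getAlgorithm() + "/" + key.getFormat() + "\n");
                } catch (UnrecoverableKeyException e) {
                    dump("key unrecoverable (wrong key password?): " + e + "\n");
                }
            }
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot enumerate key store: " + e, e);
        }
        if (keyEntries == 0) {
            dump("WARNING: key store has no private-key entries; "
                    + "the key manager will never send a client certificate\n");
        }
    }

    /** Dumps the aliases of the trust store. */
    private void dumpTrustStore(KeyStore ts) throws IOException {
        try {
            java.util.Enumeration<String> aliases = ts.aliases();
            while (aliases.hasMoreElements()) {
                dump("TRUST STORE=" + aliases.nextElement() + "\n");
            }
        } catch (KeyStoreException e) {
            throw new IOException("cannot enumerate trust store: " + e, e);
        }
    }

    /**
     * Builds an SSLContext for {@code proto} whose key manager serves the private-key
     * entries of {@code ks} (all unlocked with {@code keyPass}) and whose trust manager
     * trusts the certificates in {@code ts}.
     *
     * The SunX509 key manager only presents a PrivateKeyEntry whose certificate
     * issuer appears in the CA list the server sends in its CertificateRequest (any
     * entry if that list is empty). If IIS's list does not contain the issuer of the
     * client certificate, nothing is sent even though the store holds a key.
     *
     * @throws IOException wrapping any GeneralSecurityException from initialisation
     *         (including UnrecoverableKeyException for a wrong key password)
     */
    private SSLContext createContext(String proto, KeyStore ks, char[] keyPass, KeyStore ts)
            throws IOException {
        try {
            dump("defaultAlgo=" + KeyManagerFactory.getDefaultAlgorithm());
            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(ks, keyPass); // keyPass is the *key* password, not the store password

            dump("defaultAlgo=" + TrustManagerFactory.getDefaultAlgorithm());
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
            tmf.init(ts);

            SSLContext sc = SSLContext.getInstance(proto);
            sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
            return sc;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot initialise SSLContext: " + e, e);
        }
    }

    /**
     * Sends {@code GET URL HTTP/1.0} over the (already handshaken) socket and appends
     * every response line, newline-terminated, to {@link #dbg}.
     */
    private void sendRequest(SSLSocket socket, String URL) throws IOException {
        PrintWriter out = new PrintWriter(
                new BufferedWriter(new OutputStreamWriter(socket.getOutputStream())));
        out.println("GET " + URL + " HTTP/1.0");
        out.println();
        out.flush();
        if (out.checkError()) {
            throw new IOException("SSLSocketClient: java.io.PrintWriter error");
        }

        BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            dbg.append(inputLine).append("\n");
        }
        in.close();
        out.close();
    }
}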
Edited by: myep07 on Oct 9, 2007 3:47 PM