SSL connection, KeyManager and TrustManager
843811 Feb 5 2003 — edited Feb 7 2003
Hello everyone,
I am trying to establish an SSL connection to an OC4J server. The server is correctly configured, as communication using Internet Explorer goes well.
I am using JDK 1.3.1_06 with JSSE 1.0.3 and OC4J 9.0.3.
But now I have a stand-alone Java program that sends SOAP messages to the SSL port on the server using JAXM. When I send the message, I receive the following exception:
javax.net.ssl.SSLException: untrusted server cert chain
The next thing I tried was to connect using a socket to test the handshaking. I received the same exception.
I am using a KeyStore dynamically generated from the PKCS12 certificate of the client that is requesting the service, and a TrustStore dynamically generated from the CA certificate for both the client and the server. I also tried using the default cacerts file with this certificate imported into it.
The KeyManager is initialized in this way:
----- KeyManager start -----
static com.sun.net.ssl.KeyManager[] getKeyManager(String file, String pass)
        throws Exception {
    // client identity: the PKCS12 file holds the client's private key and certificate
    java.security.KeyStore ks =
        java.security.KeyStore.getInstance("pkcs12", "SunJSSE");
    java.io.FileInputStream in = new java.io.FileInputStream(file);
    try {
        ks.load(in, pass.toCharArray());
    } finally {
        in.close();
    }
    com.sun.net.ssl.KeyManagerFactory kmf =
        com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509", "SunJSSE");
    kmf.init(ks, pass.toCharArray());
    // getKeyManagers() already returns KeyManager[]; no cast is needed
    return kmf.getKeyManagers();
}
----- KeyManager end -----
The TrustManager is initialized in this way:
----- TrustManager start -----
static com.sun.net.ssl.TrustManager[] getTrustManager(String file)
        throws Exception {
    // CertificateFactory reads the DER/PEM file directly; buffering it through
    // DataInputStream with available() is unnecessary, and available() is not
    // guaranteed to return the full file length
    java.io.FileInputStream fis = new java.io.FileInputStream(file);
    java.security.cert.X509Certificate caCert;
    try {
        java.security.cert.CertificateFactory cf =
            java.security.cert.CertificateFactory.getInstance("X.509");
        caCert = (java.security.cert.X509Certificate) cf.generateCertificate(fis);
    } finally {
        fis.close();
    }
    // JKS rather than pkcs12 for the trust store: a PKCS12 keystore is meant for
    // private-key entries, and Sun's PKCS12 implementation does not support
    // trusted-certificate entries (later JDKs reject setCertificateEntry with
    // "TrustedCertEntry not supported"), which leaves the TrustManager with no anchors
    java.security.KeyStore ksCA = java.security.KeyStore.getInstance("JKS");
    ksCA.load(null, null);
    ksCA.setCertificateEntry("trustedCA", caCert);
    com.sun.net.ssl.TrustManagerFactory tmf =
        com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509", "SunJSSE");
    tmf.init(ksCA);
    return tmf.getTrustManagers();
}
----- TrustManager end -----
And finally, this is the way I create the SSL connection:
----- main start -----
public static void main(String[] args) throws Exception {
    // loads the jsse provider
    System.setProperty("java.protocol.handler.pkgs",
        "com.sun.net.ssl.internal.www.protocol");
    java.security.Security.addProvider(
        new com.sun.net.ssl.internal.ssl.Provider());
    // keymanager: args[0] = client PKCS12 file, args[1] = its password
    com.sun.net.ssl.KeyManager[] km = getKeyManager(args[0], args[1]);
    // trustmanager: args[2] = CA certificate file
    com.sun.net.ssl.TrustManager[] tm = getTrustManager(args[2]);
    // ssl context configuration
    com.sun.net.ssl.SSLContext ctx =
        com.sun.net.ssl.SSLContext.getInstance("SSL");
    ctx.init(km, tm, null);
    com.sun.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(
        ctx.getSocketFactory());
    // url: URL(protocol, host, port, file, handler); my_ip (String), my_port (int)
    // and a_page (String) are the server's host, port and path, set elsewhere.
    // The original was missing the comma between my_ip and my_port.
    java.net.URL url = new java.net.URL(
        "https", my_ip, my_port, a_page,
        new com.sun.net.ssl.internal.www.protocol.https.Handler());
    // connection
    com.sun.net.ssl.HttpsURLConnection conn =
        (com.sun.net.ssl.HttpsURLConnection) url.openConnection();
    conn.connect();
}
----- main end -----
This is the full exception trace:
javax.net.ssl.SSLException: untrusted server cert chain
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(DashoA6275)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.OutputStream.write(OutputStream.java:56)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.doConnect(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.NetworkClient.openServer(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.l(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpClient.<init>(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.<init>(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsClient.a(DashoA6275)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnection.connect(DashoA6275)
at pruebas.SSLClient.main(SSLClient.java)
Does anyone have some idea of what is happening? Thanks in advance,
Jorge Hidalgo
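The "untrusted server cert chain" failure is the trust manager's decision during the handshake, and it is easier to debug when that decision is reproduced offline with the CA certificate and the server's chain in hand. The following is an added diagnostic example, not code from the post above and not part of OC4J or JSSE 1.0.3: it uses the standard javax.net.ssl API that replaced the com.sun.net.ssl package from JDK 1.4 onward (try-with-resources needs Java 7 or later), loads the CA certificate into an in-memory JKS trust store exactly as a client should, and runs checkServerTrusted on the server chain so that the loaded anchors, each chain element and the exact validation error are printed. The file names ca.pem and server-chain.pem are hypothetical; the server chain file is whatever the administrator exports from the server, or the certificates shown by openssl s_client -showcerts, in PEM or DER form.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Offline check of a server certificate chain against explicit CA certificates.
 * Usage: java TrustDiag ca.pem server-chain.pem   (hypothetical file names)
 */
public class TrustDiag {

    /** Reads every certificate in a DER or PEM file (a PEM file may hold several). */
    static List<X509Certificate> readCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        if (out.isEmpty()) {
            throw new CertificateException("no certificates found in " + path);
        }
        return out;
    }

    /** In-memory JKS trust store holding only the given CA certificates. */
    static KeyStore trustStoreOf(List<X509Certificate> cas) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                 // start from an empty store
        for (int i = 0; i < cas.size(); i++) {
            ts.setCertificateEntry("ca" + i, cas.get(i));
        }
        return ts;
    }

    /** The X509TrustManager JSSE would build from this trust store. */
    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("provider returned no X509TrustManager");
    }

    /** Returns null when the chain validates, otherwise the validation error. */
    static String validate(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");   // the same check the handshake runs
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustDiag <ca-cert-file> <server-chain-file>");
            System.exit(2);
        }
        X509TrustManager tm = trustManagerFor(trustStoreOf(readCerts(args[0])));
        System.out.println("trust anchors loaded: " + tm.getAcceptedIssuers().length);

        X509Certificate[] chain = readCerts(args[1]).toArray(new X509Certificate[0]);
        for (int i = 0; i < chain.length; i++) {
            System.out.println("[" + i + "] subject=" + chain[i].getSubjectX500Principal()
                + "\n    issuer=" + chain[i].getIssuerX500Principal()
                + "\n    valid " + chain[i].getNotBefore() + " .. " + chain[i].getNotAfter());
        }
        String err = validate(tm, chain);
        if (err == null) {
            System.out.println("OK: chain is trusted by the supplied CA");
        } else {
            System.out.println("UNTRUSTED: " + err);
            System.out.println("check: does the top issuer match a loaded CA subject, are"
                + " intermediate CAs present, is today inside every validity window?");
        }
    }
}
```

A zero in "trust anchors loaded" means the CA certificate never reached the trust manager (the symptom of putting trusted-certificate entries into a keystore type that does not hold them); a non-zero count with an UNTRUSTED result points instead at the chain itself, typically a missing intermediate CA, a server certificate issued by a different CA than the one supplied, or an expired certificate. The tool keeps the real trust manager in the loop rather than replacing it with one that accepts everything, so whatever it reports is what the handshake will enforce.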