Hi all, I've got a strange trouble with the connection establishment through the SSL, namely with the certificates validation. I wrote the code (placed in an applet) that establishes HTTPS-connection to the remote server (JBoss AS 4.2.2 with the Tomcat 5.0 as the servlet container and BCE as the security provider) and uses JRE Client Authentication keystore (trusted.clientcerts by default) of type JKS to obtain and select appropriate user's (client's) self-signed certificate for the authentication to server (search conducts by required user ID as the cert's subject and our company as the issuer). For this purpose I've implemented own TrustManager and KeyManager, which returns required certificate and its chain, fetched from the keystore. All works fine. But I stayed happy not for a long time :) As the second episode I've received requirement from my PM to use browser's keystore, not Java (in fact, it is really more simple for the end-user - he/she doesn't need to add one's certificate to the both browser's and JRE's keystore), and troubles started again... All looks clear for the Mozilla with its JSS (http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/keystores.html), but at first I've tried to access IE certificate store. As I understood from this article: http://java.sun.com/developer/technicalArticles/J2SE/security/ - I can access MS Windows keystore through the "Windows-MY" keystore. All seems like OK with loading this store: I can found required certificate, obtain its chain and use them. But it is not works... At first I received javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate many times. I've compared certificate and whole chain (2 certificates actually :)), obtained from the JKS and from the Windows-MY - they are completely identical! Today I've got more surprises: after multiple tries of connecting to the server I began to receive this: java.net.SocketException: Software caused connection abort: recv failed. I've googled and found this thread, namely this ejp's message: http://forums.sun.com/thread.jspa?messageID=4282425#4282425 , made a little rewiev of my code and understood that I've haven't call disconnect() method of the HttpsURLConnection :). I fixed it, but it not helps...
Actually the current situation: I have the code that establishes HTTPS connection using the certificates obtained from the keystore. When I put Windows-MY keystore - I receiving the java.net.SocketException: Software caused connection abort: recv failed, put JKS - and all works fine... Both cert chains are identical... Debug messages in wrong and right case:
Wrong case ("Windows-MY"):
***
found key for : myId
chain [0] = [
[
Version: V3
Subject: CN=myId
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 100100558335722640375148272613510813684516335391271450974932134483814519041376492420505427723652420602126657710902541048325822746663386549041238581815121811184210629169690112371470412273454109960956726413821054668533507439315032385138662875423569120441411093888511878746385774457595008930370036910580730779351
public exponent: 65537
Validity: [From: Thu Aug 20 19:56:04 EEST 2009,
To: Fri Aug 20 19:56:04 EEST 2010]
Issuer: C=USA, OU=Our Unit, O=Our Company., CN=Our Product
SerialNumber: [ 4a8d8024]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
S/MIME
Object Signing
SSL CA
S/MIME CA
Object Signing CA]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DA 5B CB F5 3A 52 F8 47 57 CD 47 51 F8 22 61 DA .[..:R.GW.GQ."a.
0010: 89 25 EC 05 .%..
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 16 9B 49 4A 9E 27 40 44 F4 F0 96 53 EE 63 B0 F2 ..IJ.'@D...S.c..
0010: CB 65 BB AC .e..
]
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
0000: 04 E6 2D 36 89 BF A7 E5 32 4C D2 E6 CE E7 FE 28 ..-6....2L.....(
0010: 31 B3 85 82 28 CE 57 0F DC F5 73 D7 D6 9B 14 E5 1...(.W...s.....
0020: B0 C7 65 29 C2 6C 67 DA D3 C0 41 06 D4 53 A2 00 ..e).lg...A..S..
0030: C0 58 41 ED F1 80 EC 72 29 30 4F 6B CB A1 4A B3 .XA....r)0Ok..J.
0040: 8D 67 62 2A A9 03 2E C7 6E E9 2F C2 7E 99 A6 33 .gb*....n./....3
0050: AE 20 D8 F9 80 93 66 06 92 61 CF 87 2F 2D F4 3F . ....f..a../-.?
0060: 85 26 D5 5D BC BD C9 AD A7 A8 71 2F 93 5A 89 FA .&.]......q/.Z..
0070: D5 A4 87 56 FA 4D A4 7D 3E 4E E7 DD 96 DF 1C BB ...V.M..>N......
]
chain [1] = [
[
Version: V1
Subject: C=USA, OU=Our Unit, O=Our Company., CN=Our Product
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 124211972202043644652705917155020746162427734602106557489523055757348951143948814340022752284643344661618455055378925813084787744222818266427797689063310600661435996406669718460608161290293556468644548900912339269968437049019273574876757832324552690165264568213424585509516273046185111871276284615324348899729
public exponent: 65537
Validity: [From: Mon Feb 16 14:48:12 EET 2009,
To: Tue Feb 16 14:48:12 EET 2010]
Issuer: C=USA, OU=Our Unit, O=Our Company., CN=Our Product
SerialNumber: [ 4999608c]
]
Algorithm: [MD5withRSA]
Signature:
0000: 3A 7E EE 85 AF 93 ED 34 0A B5 87 68 E7 6E A0 62 :......4...h.n.b
0010: AB 29 1A C5 43 3D A6 F6 CC DB 77 4D 77 F6 41 2D .)..C=....wMw.A-
0020: AE 4F 5E 36 BC 76 AD C4 4D 99 F1 76 DF 99 E9 EE .O^6.v..M..v....
0030: E1 8B 59 2E FC 64 2F 79 F0 24 06 24 13 C4 25 D9 ..Y..d/y.$.$..%.
0040: 63 8A A4 82 2E 63 45 9A EE C6 F8 17 CC 47 21 07 c....cE......G!.
0050: 21 6F 80 6B 04 33 12 35 EE E6 69 A1 AC 53 49 AE !o.k.3.5..i..SI.
0060: A1 F4 FE 7D 94 27 88 FB 8A 8B 95 0F 76 62 9B 13 .....'......vb..
0070: B0 70 12 60 1F E2 1E 59 2A AE 9E B3 E1 A4 2A 98 .p.`...Y*.....*.
]
***
trigger seeding of SecureRandom
done seeding SecureRandom
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files\Java\jdk1.6.0_16\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 11:36:00 EEST 2006 until Sat Oct 25 11:36:00 EEST 2036