我的SSL客户端(Java)不是';t通过双向SSL握手将证书发送回服务器
在Windows7上运行的Java1.7应用程序中,我尝试使用服务器进行双向SSL(智能卡令牌通过openSC提供我的客户端证书)。客户端正在验证服务器的证书,但是客户端没有响应服务器的证书请求。我相信这是因为客户机无法将我的证书链接到服务器请求的证书之一(即使存在这样的链接) 以下是服务器证书请求和客户端空响应的SSL调试:我的SSL客户端(Java)不是';t通过双向SSL握手将证书发送回服务器,java,ssl,ssl-certificate,keystore,two-way,Java,Ssl,Ssl Certificate,Keystore,Two Way,在Windows7上运行的Java1.7应用程序中,我尝试使用服务器进行双向SSL(智能卡令牌通过openSC提供我的客户端证书)。客户端正在验证服务器的证书,但是客户端没有响应服务器的证书请求。我相信这是因为客户机无法将我的证书链接到服务器请求的证书之一(即使存在这样的链接) 以下是服务器证书请求和客户端空响应的SSL调试: *** CertificateRequest Cert Types: RSA, DSS, ECDSA Cert Authorities: <CN=c4isuite-
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<CN=c4isuite-SDNI-DC02-CA, DC=c4isuite, DC=local>
<CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US>
...
*** ServerHelloDone
*** Certificate chain
***
所以问题是,为什么客户端不能为响应创建证书链?以下是相关代码:
// Create the keyStore from the SmartCard certs
Provider provider = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(provider);
keyStore = KeyStore.getInstance("PKCS11", "SunPKCS11-SCR3310test");
char[] pin = PIN.toCharArray();
keyStore.load(null, pin);
// Init the trustmanager
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
// Create the client key manager
LOG.info("Installing keystore with pin");
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(clientKeyStore, clientKeyPassword.toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
// Init SSL context
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
URL url = new URL(urlString);
URLConnection connection = url.openConnection();
if (connection instanceof HttpsURLConnection) {
LOG.info("Connection is HTTPS");
((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
}
// Send the request.
connection.connect();
InputStreamReader in = new InputStreamReader((InputStream) connection.getContent());
...
我得到的错误是服务器返回403。很可能是因为客户端没有向其发送客户端证书。即使看起来您只是将服务器发送的CA列表的一部分复制到了这个问题中,我假设
CN=DOD CA-30,OU=PKI,OU=DOD,O=U.S.Government,C=US
不在这个列表中
链中似乎缺少的是此证书(您稍后会提到):
将证书导入客户端的信任库对客户端发送的证书绝对没有影响。客户端证书(及其私钥)需要在客户端密钥库中设置。此外,如果要发送客户机证书链(如果服务器在其列表中不提供此中间CA证书,则此处需要此证书链),则需要将完整链与该证书条目相关联。仅将其他证书放入密钥库是不够的
要解决此问题,您应该使用客户端证书链配置密钥存储条目。这可以按照中所述完成。但是,这可能是一个通过PKCS 11访问的硬件令牌,这一事实可能会使这一点变得更复杂(可能卡附带了另一个证书管理工具,可能独立于Java)。因为我知道需要使用哪个证书来验证服务器,我可以通过扩展X509ExtendedKeyManager并重写chooseClientAlias()方法以始终返回该证书的别名来强制客户端发送该特定证书。代码:
public class MyX509KeyManager extends X509ExtendedKeyManager
{
X509KeyManager defaultKeyManager;
public MyX509KeyManager(X509KeyManager inKeyManager) {
defaultKeyManager = inKeyManager;
}
public String chooseEngineClientAlias(String[] keyType,
Principal[] issuers, SSLEngine engine) {
return "<Alias of my cert>";
}
@Override
public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
return "<Alias of my cert>";
}
@Override
public String[] getClientAliases(String string, Principal[] prncpls) {
return defaultKeyManager.getClientAliases(string, prncpls);
}
@Override
public String[] getServerAliases(String string, Principal[] prncpls) {
return defaultKeyManager.getServerAliases(string, prncpls);
}
...
感谢您在客户端上直接设置我,而不是使用信任存储来查找完整的证书链。由于证书来自智能卡,因此很难或不可能修改证书。我确实设法以另一种方式解决了这个问题,我在下面详细介绍了这一问题的答案,以便处于相同情况下的任何其他人都可以得到答案。这对于让客户端发送此证书是有意义的,但是,如果服务器缺少用于构建链以进行验证的中间证书,则几乎肯定会出现问题。(这仅在服务器知道中间证书但不在证书请求消息中发送其名称的情况下有效,这是可能的。)您还可以覆盖
getCertificateCain
以手动将此证书添加到链中。正确,这是假设服务器确实有完整的证书链可用。
// Create the keyStore from the SmartCard certs
Provider provider = new sun.security.pkcs11.SunPKCS11(configName);
Security.addProvider(provider);
keyStore = KeyStore.getInstance("PKCS11", "SunPKCS11-SCR3310test");
char[] pin = PIN.toCharArray();
keyStore.load(null, pin);
// Init the trustmanager
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
// Create the client key manager
LOG.info("Installing keystore with pin");
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(clientKeyStore, clientKeyPassword.toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
// Init SSL context
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
URL url = new URL(urlString);
URLConnection connection = url.openConnection();
if (connection instanceof HttpsURLConnection) {
LOG.info("Connection is HTTPS");
((HttpsURLConnection) connection).setSSLSocketFactory(socketFactory);
}
// Send the request.
connection.connect();
InputStreamReader in = new InputStreamReader((InputStream) connection.getContent());
...
Subject: CN=DOD CA-30, OU=PKI, OU=DoD, O=U.S. Government, C=US
Issuer: CN=DoD Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
Algorithm: RSA; Serial number: 0x1b5
Valid from Thu Sep 08 10:59:24 CDT 2011 until Fri Sep 08 10:59:24 CDT 2017
public class MyX509KeyManager extends X509ExtendedKeyManager
{
X509KeyManager defaultKeyManager;
public MyX509KeyManager(X509KeyManager inKeyManager) {
defaultKeyManager = inKeyManager;
}
public String chooseEngineClientAlias(String[] keyType,
Principal[] issuers, SSLEngine engine) {
return "<Alias of my cert>";
}
@Override
public String chooseClientAlias(String[] strings, Principal[] prncpls, Socket socket) {
return "<Alias of my cert>";
}
@Override
public String[] getClientAliases(String string, Principal[] prncpls) {
return defaultKeyManager.getClientAliases(string, prncpls);
}
@Override
public String[] getServerAliases(String string, Principal[] prncpls) {
return defaultKeyManager.getServerAliases(string, prncpls);
}
...
// clientKeyStore is initialized elsewhere from the SmartCard
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(clientKeyStore, clientKeyPassword.toCharArray());
MyX509KeyManager customKeyManager = new MyX509KeyManager((X509KeyManager) keyManagerFactory.getKeyManagers()[0]);
sslContext.init(new KeyManager[] {customKeyManager}, tmf.getTrustManagers(), null);