Tadej Lasic wrote:
Hi,
I'm working on a signing API using JSS (latest v4.2.0.0), NSS v3.11
and NSPR v4.6.1 on Java v1.5.0_06.
I want to connect to a trusted server via SSL for data signing, but
the connection always stops just before the CertificateVerify, that is,
right after the final handshake "Server write key".
I have created a truststore with the ROOT CA for the provider and I'm
reading the pkcs12 keystore with the client CA. This seems to work ok,
the certificate is recognized and the trusted CA is added correctly
after reading the truststore.
System.setProperty("javax.net.ssl.trustStore","c:/truststore");
System.setProperty("javax.net.ssl.trustStorePassword","123456");
System.setProperty("javax.net.ssl.keyStore", "c:/P-SP2-passworda.pfx");
System.setProperty("javax.net.ssl.keyStorePassword", "a");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
JSS does not make use of javax.net.ssl.trustStore or javax.net.ssl.keyStore;
you need to create the NSS databases and import your certificate into the
NSS DB.
Since you are using JSS 4.2, take a look at the following examples in the
test directory:
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLServer.java
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
For importing/exporting certificates to and from NSS databases using pk12util:
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
Now, for the data exchange I'm using the Axis APIs (SOAP), and when I
tested the SSL connection using only Axis, it worked. But as soon as I
used JSS, things stopped working. Here's the stack trace.
---------------------------------------
Server write key:
0000: A9 C3 FD 3C 8B 4B 15 4D AE B2 E7 10 AE 35 9C F3 ...<.K.M.....5..
... no IV for cipher
%% Invalidated: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
Padded plaintext before ENCRYPTION: len = 18
0000: 02 28 6C 89 07 29 9C 46 0A 6F 9B 90 3B 49 07 C5 .(l..).F.o..;I..
0010: 94 E1 ..
main, WRITE: TLSv1 Alert, length = 18
[Raw write]: length = 23
0000: 15 03 01 00 12 DE 1C B8 37 B8 52 F0 79 7F 95 53 ........7.R.y..S
0010: 3D 1A 83 16 11 BA 78 =.....x
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
main, called close()
main, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Body
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Fault><:faultcode
xmlns=""/><:faultstring xmlns=""/><:detail xmlns=""><ns1:stackTrace
xmlns:ns1="http://xml.apache.org/axis/">javax.net.ssl.SSLHandshakeException: Error signing certificate verify
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:608)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:235)
at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:583)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:143)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:1870)
at org.apache.axis.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:90)
at si.hermes.security.Collections.TimestampProviderImpl.CreateTimestamp(TimestampProviderImpl.java:232)
at si.hermes.security.Collections.TimestampImpl.CreateTimestamp(TimestampImpl.java:57)
at si.hermes.security.ESignDocTestTimestamp.testTimestampCreatePostarca(ESignDocTestTimestamp.java:286)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at junit.framework.TestCase.runTest(TestCase.java:154)
at junit.framework.TestCase.runBare(TestCase.java:127)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:208)
at junit.framework.TestSuite.run(TestSuite.java:203)
at junit.textui.TestRunner.doRun(TestRunner.java:116)
at junit.textui.TestRunner.doRun(TestRunner.java:109)
at junit.textui.TestRunner.run(TestRunner.java:72)
at junit.textui.TestRunner.run(TestRunner.java:57)
at si.hermes.security.ESignDocTestTimestamp.main(ESignDocTestTimestamp.java:404)
Caused by: java.security.InvalidKeyException: Invalid key type: org.mozilla.jss.pkcs11.PK11RSAPrivateKey
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey(JSSCipherSpi.java:123)
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:161)
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:270)
at javax.crypto.Cipher.init(DashoA12275)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1205)
at java.security.Signature$Delegate.init(Signature.java:1079)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1036)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
at java.security.Signature.initSign(Signature.java:503)
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:108)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1107)
at java.security.Signature.initSign(Signature.java:503)
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1002)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:604)
... 38 more</ns1:stackTrace><ns2:hostname
xmlns:ns2="http://xml.apache.org/axis/">yukon</ns2:hostname></:detail></soapenv:Fault></soapenv:Body>
---------------------------------------
Any idea what might be wrong?
Regards,
Tadej
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
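The reply in the thread says that JSS ignores the javax.net.ssl.* properties and wants its certificates and keys in an NSS database, and the trace shows Sun's JSSE handshaker (com.sun.net.ssl.internal.ssl.ClientHandshaker) building the CertificateVerify by handing an org.mozilla.jss.pkcs11.PK11RSAPrivateKey to the JSS provider's Cipher adapter, which rejects it. The following is an added example, not code from the thread, from the poster's project or from the JSS test sources linked above. It keeps the whole client handshake inside JSS's own org.mozilla.jss.ssl.SSLSocket, so the CertificateVerify is signed by NSS against the key in the database, and it checks that the certificate and its private key are actually present before any network traffic. The NSS DB directory (c:/nssdb), the certificate nickname (P-SP2), the host name, the passwords and the certutil/pk12util commands in the header comment are all assumptions standing in for the poster's real values; the nickname pk12util assigns on import should be read back with certutil -L. It does not wire JSS into Axis; it only shows the JSS path that the reply recommends.

```java
// Added example (not from the thread): TLS client authentication through JSS's
// own SSLSocket, with the client certificate and key taken from an NSS database.
//
// Assumed one-time NSS DB setup (paths, nickname and passwords are placeholders):
//   certutil -N -d c:/nssdb
//   certutil -A -d c:/nssdb -n "Provider Root CA" -t "CT,," -i rootca.pem
//   pk12util -i c:/P-SP2-passworda.pfx -d c:/nssdb -W a
//   certutil -L -d c:/nssdb     # read back the nickname given to the client cert
//   certutil -K -d c:/nssdb     # confirm the matching private key was imported
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.util.Password;

public class JssClientAuthExample {

    /** Open the NSS DB, log in to the key token and confirm cert + key exist. */
    static X509Certificate prepareCredentials(String nssDbDir, String nickname,
                                              char[] dbPassword) throws Exception {
        // initialize() may be called only once per JVM (AlreadyInitializedException).
        CryptoManager.initialize(nssDbDir);
        CryptoManager cm = CryptoManager.getInstance();

        // The internal token is the software key store (key3.db in NSS 3.11).
        CryptoToken token = cm.getInternalKeyStorageToken();
        token.login(new Password(dbPassword));

        X509Certificate cert = cm.findCertByNickname(nickname);
        // Fail here rather than mid-handshake: findPrivKeyByCert throws
        // ObjectNotFoundException when the DB holds the cert but not its key,
        // and without the key NSS cannot sign the CertificateVerify.
        cm.findPrivKeyByCert(cert);
        return cert;
    }

    /** Send one HTTP request over a JSS-negotiated TLS connection with client auth. */
    static String post(String host, int port, String nickname, String path,
                       byte[] body) throws Exception {
        SSLSocket sock = new SSLSocket(host, port);
        try {
            sock.setUseClientMode(true);
            // Which DB entry NSS presents when the server sends CertificateRequest.
            sock.setClientCertNickname(nickname);
            // Complete the handshake now so a failure surfaces before the SOAP
            // envelope is written; server trust comes from the CA's "C" flag in the DB.
            sock.forceHandshake();
            System.err.println("negotiated " + sock.getStatus().getCipher());

            OutputStream out = sock.getOutputStream();
            String hdr = "POST " + path + " HTTP/1.0\r\n"
                       + "Host: " + host + "\r\n"
                       + "Content-Type: text/xml; charset=utf-8\r\n"
                       + "Content-Length: " + body.length + "\r\n\r\n";
            out.write(hdr.getBytes("UTF-8"));
            out.write(body);
            out.flush();

            InputStream in = sock.getInputStream();
            ByteArrayOutputStream resp = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) > 0) {
                resp.write(buf, 0, n);
            }
            return resp.toString("UTF-8");
        } finally {
            sock.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholders for the real DB location, nickname, password and endpoint.
        String nssDbDir = "c:/nssdb";
        String nickname = "P-SP2";
        char[] dbPassword = "123456".toCharArray();
        String host = "timestamp.example.test";
        int port = 443;

        prepareCredentials(nssDbDir, nickname, dbPassword);
        // Constructed minimal SOAP envelope; the real request body would go here.
        byte[] soap = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                     + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soapenv:Body/></soapenv:Envelope>").getBytes("UTF-8");
        System.out.println(post(host, port, nickname, "/timestamp", soap));
    }
}
```

Run it with jss4.jar on the classpath and the JSS/NSS/NSPR native libraries on java.library.path. If prepareCredentials throws ObjectNotFoundException, the pk12util import did not put the private key next to the certificate (or the nickname is wrong), which is worth knowing before blaming the handshake itself.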