Hi,

Thanks for the help.

I'm already using the Firefox profile dir to initialize the CryptoManager:

CryptoManager.InitializationValues vals =
    new CryptoManager.InitializationValues( profileDir );
CryptoManager.initialize(vals);

Cert8.db, key3.db and secmod.db files are already created there. Now,
how do I set the keystore and truststore to open with jss? The
JSS_SSLClient example uses java.security.* so I don't know how this is
any different from setting them via System.setProperty.

Regards,
   Tadej Lasic

On 2/6/06, Glen Beasley <[EMAIL PROTECTED]> wrote:
> Tadej Lasic wrote:
> > Hi,
> >
> > I'm working on a signing API using JSS (latest v4.2.0.0), NSS v3.11
> > and NSPR v4.6.1 on Java v1.5.0_06.
> >
> > I want to connect to a trusted server via SSL for data signing, but
> > the connection always stops just before the CertificateVerify, so
> > after the final handshake Server write key.
> >
> > I have created a truststore with the ROOT CA for the provider and I'm
> > reading the pkcs12 keystore with the client CA. This seems to work ok,
> > the certificate is recognized and the trusted CA is added correctly
> > after reading the truststore.
> >
> >     System.setProperty("javax.net.ssl.trustStore","c:/truststore");
> >     System.setProperty("javax.net.ssl.trustStorePassword","123456");
> >
> >     System.setProperty("javax.net.ssl.keyStore", "c:/P-SP2-passworda.pfx");
> >     System.setProperty("javax.net.ssl.keyStorePassword", "a");
> >     System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
>
> JSS does not make use of javax.net.ssl.trustStore or .ssl.keyStore.
>
> You need to create the NSS databases and import your certificate into
> the NSS DB.
>
> Since you are using JSS 4.2 take a look at the following examples in the
> test directory.
>
>
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLServer.java
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
>
> for import/export certificates from NSS data bases using pk12util:
>
> http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
>
> >
> > Now, for the data exchange I'm using the Axis APIs (SOAP) and when I
> > tested the SSL connection using only Axis, it worked. But as soon as I
> > used JSS, things stopped working. Here's the stack trace.
> >
> > ---------------------------------------
> > Server write key:
> > 0000: A9 C3 FD 3C 8B 4B 15 4D   AE B2 E7 10 AE 35 9C F3  ...<.K.M.....5..
> > ... no IV for cipher
> > %% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> > main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
> > Padded plaintext before ENCRYPTION:  len = 18
> > 0000: 02 28 6C 89 07 29 9C 46   0A 6F 9B 90 3B 49 07 C5  .(l..).F.o..;I..
> > 0010: 94 E1                                              ..
> > main, WRITE: TLSv1 Alert, length = 18
> > [Raw write]: length = 23
> > 0000: 15 03 01 00 12 DE 1C B8   37 B8 52 F0 79 7F 95 53  ........7.R.y..S
> > 0010: 3D 1A 83 16 11 BA 78                               =.....x
> > main, called closeSocket()
> > main, handling exception: javax.net.ssl.SSLHandshakeException: Error signing certificate verify
> > main, called close()
> > main, called closeInternal(true)
> > Finalizer, called close()
> > Finalizer, called closeInternal(true)
> >
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Fault><:faultcode xmlns=""/><:faultstring xmlns=""/><:detail xmlns=""><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">javax.net.ssl.SSLHandshakeException: Error signing certificate verify
> >       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> >       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
> >       at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
> >       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:608)
> >       at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
> >       at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> >       at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
> >       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
> >       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
> >       at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
> >       at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
> >       at java.io.BufferedInputStream.read(BufferedInputStream.java:235)
> >       at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:583)
> >       at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:143)
> >       at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
> >       at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
> >       at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
> >       at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
> >       at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
> >       at org.apache.axis.client.Call.invoke(Call.java:2767)
> >       at org.apache.axis.client.Call.invoke(Call.java:1870)
> >       at org.apache.axis.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:90)
> >       at si.hermes.security.Collections.TimestampProviderImpl.CreateTimestamp(TimestampProviderImpl.java:232)
> >       at si.hermes.security.Collections.TimestampImpl.CreateTimestamp(TimestampImpl.java:57)
> >       at si.hermes.security.ESignDocTestTimestamp.testTimestampCreatePostarca(ESignDocTestTimestamp.java:286)
> >       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >       at java.lang.reflect.Method.invoke(Method.java:585)
> >       at junit.framework.TestCase.runTest(TestCase.java:154)
> >       at junit.framework.TestCase.runBare(TestCase.java:127)
> >       at junit.framework.TestResult$1.protect(TestResult.java:106)
> >       at junit.framework.TestResult.runProtected(TestResult.java:124)
> >       at junit.framework.TestResult.run(TestResult.java:109)
> >       at junit.framework.TestCase.run(TestCase.java:118)
> >       at junit.framework.TestSuite.runTest(TestSuite.java:208)
> >       at junit.framework.TestSuite.run(TestSuite.java:203)
> >       at junit.textui.TestRunner.doRun(TestRunner.java:116)
> >       at junit.textui.TestRunner.doRun(TestRunner.java:109)
> >       at junit.textui.TestRunner.run(TestRunner.java:72)
> >       at junit.textui.TestRunner.run(TestRunner.java:57)
> >       at si.hermes.security.ESignDocTestTimestamp.main(ESignDocTestTimestamp.java:404)
> > Caused by: java.security.InvalidKeyException: Invalid key type: org.mozilla.jss.pkcs11.PK11RSAPrivateKey
> >       at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey(JSSCipherSpi.java:123)
> >       at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:161)
> >       at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:270)
> >       at javax.crypto.Cipher.init(DashoA12275)
> >       at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1205)
> >       at java.security.Signature$Delegate.init(Signature.java:1079)
> >       at java.security.Signature$Delegate.chooseProvider(Signature.java:1036)
> >       at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
> >       at java.security.Signature.initSign(Signature.java:503)
> >       at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:108)
> >       at java.security.Signature$Delegate.engineInitSign(Signature.java:1107)
> >       at java.security.Signature.initSign(Signature.java:503)
> >       at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.&lt;init&gt;(HandshakeMessage.java:1002)
> >       at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:604)
> >       ... 38 more</ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">yukon</ns2:hostname></:detail></soapenv:Fault></soapenv:Body>
> > ---------------------------------------
> >
> > Any idea what might be wrong?
> >
> > Regards,
> >    Tadej
>
>
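
The approach described in the quoted reply (keys and trust held in the NSS databases rather than in javax.net.ssl.* properties), as an added example that is not part of the original thread or of the JSS test sources. It assumes the PKCS#12 file was already imported into the database directory with pk12util and the root CA was added there with SSL trust; the class name, the nickname and the host/port arguments are hypothetical.

```java
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.util.Password;

// Added illustration: client-authenticated SSL using only the NSS databases.
// Usage: java JssClientAuthExample <dbDir> <dbPassword> <certNickname> <host> <port>
public class JssClientAuthExample {
    public static void main(String[] args) throws Exception {
        String dbDir = args[0];            // directory with cert8.db, key3.db, secmod.db
        char[] dbPassword = args[1].toCharArray();
        String clientNick = args[2];       // assumed nickname given to the imported cert
        String host = args[3];
        int port = Integer.parseInt(args[4]);

        // Same initialisation as in the message above: JSS opens the NSS
        // databases in dbDir; no keystore or truststore file is involved.
        CryptoManager.InitializationValues vals =
            new CryptoManager.InitializationValues(dbDir);
        CryptoManager.initialize(vals);
        CryptoManager cm = CryptoManager.getInstance();

        // Private keys live on the internal key storage token (key3.db);
        // log in so the handshake can use them, then wipe the password.
        CryptoToken token = cm.getInternalKeyStorageToken();
        Password pw = new Password(dbPassword);
        try {
            token.login(pw);
        } finally {
            pw.clear();
        }

        // Fail early if the import did not leave both the certificate and
        // its private key in the database (ObjectNotFoundException).
        X509Certificate cert = cm.findCertByNickname(clientNick);
        cm.findPrivKeyByCert(cert);

        // org.mozilla.jss.ssl.SSLSocket is JSS's own socket class, not a
        // JSSE socket: the server certificate is checked against the CAs
        // trusted in cert8.db, and the client certificate is selected by
        // its nickname.
        SSLSocket sock = new SSLSocket(host, port);
        try {
            sock.setClientCertNickname(clientNick);
            sock.forceHandshake();
            System.out.println("Handshake completed with " + host + ":" + port);
        } finally {
            sock.close();
        }
    }
}
```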