Hi Tadej,
JSS does not support keystores in the way JSSE does. You will
have to convert from one format to another to use it. If you already
have a keystore in JKS format, then you need to write a JSSE program to
convert it into PKCS#12 format. Now, if you want to import this into
the NSS database, you will have to use the "certutil" tool. For details
on certutil, please refer to
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html.
If you have your cert in NSS DB, which is in PKCS#11 format, you will
need to convert it into PKCS#12 for JSSE to understand. This can also
be done using the certutil tool.
You may want to also look at the following files:
[1] GenerateTestCert.java :
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/GenerateTestCert.java
[2] JSS_SSLClient.java :
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
[3] all.pl :
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl
GenerateTestCert.java is used to generate a test certificate in PKCS#11
format. This is then converted into PKCS#12 format using the command
which you can find in all.pl :
pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
[-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
[-v]
This converted keystore can be used by JSSE. What you are looking for
is the reverse of this order.
pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
[-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
[-v]
Once you've imported your keystore to NSS DB, you will be able to
access it as described in JSS_SSLClient.java.
Thanks,
Sandeep
Tadej Lasic wrote:
Hi,
Thx for the help.
I'm already using the Firefox profile dir to initialize the CryptoManager:
CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues( profileDir );
CryptoManager.initialize(vals);
Cert8.db, key3.db and secmod.db files are already created there. Now,
how do I set the keystore and truststore to open with JSS? The
JSS_SSLClient example uses java.security.* so I don't know how this is
any different from setting them via System.setProperty.
Regards,
Tadej Lasic
On 2/6/06, Glen Beasley <[EMAIL PROTECTED]> wrote:
Tadej Lasic wrote:
Hi,
I'm working on a signing API using JSS (latest v4.2.0.0), NSS v3.11
and NSPR v4.6.1 on Java v1.5.0_06.
I want to connect to a trusted server via SSL for data signing, but
the connection always stops just before the CertificateVerify, so
after the final handshake Server write key.
I have created a truststore with the ROOT CA for the provider and I'm
reading the pkcs12 keystore with the client CA. This seems to work ok,
the certificate is recognized and the trusted CA is added correctly
after reading the truststore.
System.setProperty("javax.net.ssl.trustStore","c:/truststore");
System.setProperty("javax.net.ssl.trustStorePassword","123456");
System.setProperty("javax.net.ssl.keyStore", "c:/P-SP2-passworda.pfx");
System.setProperty("javax.net.ssl.keyStorePassword", "a");
System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
JSS does not make use of javax.net.ssl.trustStore or .ssl.keyStore.
You need to create the NSS databases and import your certificate into
the NSS DB.
Since you are using JSS 4.2 take a look at the following examples in the
test directory.
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLServer.java
http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
for import/export certificates from NSS data bases using pk12util:
http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
Now, for the data exchange I'm using the Axis APIs (SOAP) and when I
tested the SSL connection using only Axis, it worked. But as soon as I
used JSS, things stopped working. Here's the stack trace.
---------------------------------------
Server write key:
0000: A9 C3 FD 3C 8B 4B 15 4D AE B2 E7 10 AE 35 9C F3 ...<.K.M.....5..
... no IV for cipher
%% Invalidated: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
Padded plaintext before ENCRYPTION: len = 18
0000: 02 28 6C 89 07 29 9C 46 0A 6F 9B 90 3B 49 07 C5 .(l..).F.o..;I..
0010: 94 E1 ..
main, WRITE: TLSv1 Alert, length = 18
[Raw write]: length = 23
0000: 15 03 01 00 12 DE 1C B8 37 B8 52 F0 79 7F 95 53 ........7.R.y..S
0010: 3D 1A 83 16 11 BA 78 =.....x
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Error
signing certificate verify
main, called close()
main, called closeInternal(true)
Finalizer, called close()
Finalizer, called closeInternal(true)
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Body xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Fault><:faultcode
xmlns=""/><:faultstring xmlns=""/><:detail xmlns=""><ns1:stackTrace
xmlns:ns1="http://xml.apache.org/axis/">javax.net.ssl.SSLHandshakeException:
Error signing certificate verify
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:608)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:235)
at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:583)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:143)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:1870)
at org.apache.axis.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:90)
at si.hermes.security.Collections.TimestampProviderImpl.CreateTimestamp(TimestampProviderImpl.java:232)
at si.hermes.security.Collections.TimestampImpl.CreateTimestamp(TimestampImpl.java:57)
at si.hermes.security.ESignDocTestTimestamp.testTimestampCreatePostarca(ESignDocTestTimestamp.java:286)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at junit.framework.TestCase.runTest(TestCase.java:154)
at junit.framework.TestCase.runBare(TestCase.java:127)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:118)
at junit.framework.TestSuite.runTest(TestSuite.java:208)
at junit.framework.TestSuite.run(TestSuite.java:203)
at junit.textui.TestRunner.doRun(TestRunner.java:116)
at junit.textui.TestRunner.doRun(TestRunner.java:109)
at junit.textui.TestRunner.run(TestRunner.java:72)
at junit.textui.TestRunner.run(TestRunner.java:57)
at si.hermes.security.ESignDocTestTimestamp.main(ESignDocTestTimestamp.java:404)
Caused by: java.security.InvalidKeyException: Invalid key type:
org.mozilla.jss.pkcs11.PK11RSAPrivateKey
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey(JSSCipherSpi.java:123)
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:161)
at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:270)
at javax.crypto.Cipher.init(DashoA12275)
at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1205)
at java.security.Signature$Delegate.init(Signature.java:1079)
at java.security.Signature$Delegate.chooseProvider(Signature.java:1036)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
at java.security.Signature.initSign(Signature.java:503)
at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:108)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1107)
at java.security.Signature.initSign(Signature.java:503)
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1002)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:604)
... 38 more</ns1:stackTrace><ns2:hostname
xmlns:ns2="http://xml.apache.org/axis/">yukon</ns2:hostname></:detail></soapenv:Fault></soapenv:Body>
---------------------------------------
Any idea what might be wrong?
Regards,
Tadej