Thanks again for the help. I'll try converting the cert stores as you suggested.

But what keeps bugging me is this - can I still use the Axis SOAP for
SSL server-client communication? All the mentioned examples use jss
SSLSocket (handshake listener,...), but I need XML based communication
because of the signing procedures. All of the API is based on it and I
wouldn't like to rewrite it.

Regards,
   Tadej

On 2/8/06, Sandeep Konchady <[EMAIL PROTECTED]> wrote:
>  Hi Tadej,
>
>      JSS does not support keystores in the way JSSE does.  You will have
> to convert from one format to another to use it. If you already have a
> keystore in JKS format, then you need to write a JSSE program to convert it
> into PKCS#12 format. Now, if you want to import this into the NSS database,
> you will have to use the "certutil" tool. For details on certutil, please
> refer to
> http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html.
> If you have your cert in NSS DB, which is in PKCS#11 format, you will need
> to convert it into PKCS#12 for JSSE to understand. This also can be done
> using certutil tool.
>
>  You may want to also look at the following files:
>
>  [1] GenerateTestCert.java :
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/GenerateTestCert.java
>  [2] JSS_SSLClient.java :
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
>  [3] all.pl :
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/all.pl
>
>  GenerateTestCert.java is used to generate a test certificate in PKCS#11
> format. This is then converted into PKCS#12 format using the command which
> you can find in all.pl :
>  pk12util -o exportfile -n certname [-d certdir] [-P dbprefix]
>  [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>  [-v]
>
>  This converted keystore can be used by JSSE. What you are looking for is
> the reverse of this order.
>  pk12util -i importfile [-d certdir] [-P dbprefix] [-h tokenname]
>          [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]
>          [-v]
>  Once you've imported your keystore to NSS DB, you will be able to access it
> as described in JSS_SSLClient.java.
>
>  Thanks,
>  Sandeep
>
>  Tadej Lasic wrote:
>  Hi,
>
> Thx for the help.
>
> I'm already using the Firefox profile dir to initialize the CryptoManager:
>
> CryptoManager.InitializationValues vals = new
> CryptoManager.InitializationValues( profileDir );
> CryptoManager.initialize(vals);
>
> Cert8.db, key3.db and secmod.db files are already created there. Now,
> how do I set the keystore and truststore to open with jss? The
> JSS_SSLClient example uses java.security.* so I don't know how this is
> any different from setting them via System.setProperty.
>
> Regards,
>  Tadej Lasic
>
> On 2/6/06, Glen Beasley <[EMAIL PROTECTED]> wrote:
>
>  Tadej Lasic wrote:
>
>  Hi,
>
> I'm working on a signing API using JSS (latest v4.2.0.0), NSS v3.11
> and NSPR v4.6.1 on Java v1.5.0_06.
>
> I want to connect to a trusted server via SSL for data signing, but
> the connection always stops just before the CertificateVerify, so
> after the final handshake Server write key.
>
> I have created a truststore with the ROOT CA for the provider and I'm
> reading the pkcs12 keystore with the client CA. This seems to work ok,
> the certificate is recognized and the trusted CA is added correctly
> after reading the truststore.
>
>  System.setProperty("javax.net.ssl.trustStore","c:/truststore");
> System.setProperty("javax.net.ssl.trustStorePassword","123456");
>
>  System.setProperty("javax.net.ssl.keyStore", "c:/P-SP2-passworda.pfx");
>  System.setProperty("javax.net.ssl.keyStorePassword", "a");
>  System.setProperty("javax.net.ssl.keyStoreType", "pkcs12");
>
>  JSS does not make use of javax.net.ssl.trustStore or javax.net.ssl.keyStore.
>
> You need to create the NSS databases and import your certificate into
> the NSS DB.
>
> Since you are using JSS 4.2 take a look at the following examples in the
> test directory.
>
>
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/SetupDBs.java
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSS_SSLServer.java
> http://lxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
>
> for import/export certificates from NSS data bases using pk12util:
>
> http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html
>
>
>  Now, for the data exchange I'm using the Axis APIs (SOAP) and when I
> tested the SSL connection using only Axis, it worked. But as soon as I
> used JSS, things stopped working. Here's the stack trace.
>
> ---------------------------------------
> Server write key:
> 0000: A9 C3 FD 3C 8B 4B 15 4D AE B2 E7 10 AE 35 9C F3 ...<.K.M.....5..
> ... no IV for cipher
> %% Invalidated: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> main, SEND TLSv1 ALERT: fatal, description = handshake_failure
> Padded plaintext before ENCRYPTION: len = 18
> 0000: 02 28 6C 89 07 29 9C 46 0A 6F 9B 90 3B 49 07 C5 .(l..).F.o..;I..
> 0010: 94 E1 ..
> main, WRITE: TLSv1 Alert, length = 18
> [Raw write]: length = 23
> 0000: 15 03 01 00 12 DE 1C B8 37 B8 52 F0 79 7F 95 53 ........7.R.y..S
> 0010: 3D 1A 83 16 11 BA 78 =.....x
> main, called closeSocket()
> main, handling exception:
> javax.net.ssl.SSLHandshakeException: Error signing certificate verify
> main, called close()
> main, called closeInternal(true)
> Finalizer, called close()
> Finalizer, called closeInternal(true)
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Body
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Fault><:faultcode
> xmlns=""/><:faultstring xmlns=""/><:detail xmlns=""><ns1:stackTrace
> xmlns:ns1="http://xml.apache.org/axis/">javax.net.ssl.SSLHandshakeException:
> Error signing certificate verify
>  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
>  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
>  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:608)
>  at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:160)
>  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
>  at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
>  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:677)
>  at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
>  at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
>  at java.io.BufferedInputStream.read(BufferedInputStream.java:235)
>  at org.apache.axis.transport.http.HTTPSender.readHeadersFromSocket(HTTPSender.java:583)
>  at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:143)
>  at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
>  at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
>  at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
>  at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
>  at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
>  at org.apache.axis.client.Call.invoke(Call.java:2767)
>  at org.apache.axis.client.Call.invoke(Call.java:1870)
>  at org.apache.axis.soap.SOAPConnectionImpl.call(SOAPConnectionImpl.java:90)
>  at si.hermes.security.Collections.TimestampProviderImpl.CreateTimestamp(TimestampProviderImpl.java:232)
>  at si.hermes.security.Collections.TimestampImpl.CreateTimestamp(TimestampImpl.java:57)
>  at si.hermes.security.ESignDocTestTimestamp.testTimestampCreatePostarca(ESignDocTestTimestamp.java:286)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:585)
>  at junit.framework.TestCase.runTest(TestCase.java:154)
>  at junit.framework.TestCase.runBare(TestCase.java:127)
>  at junit.framework.TestResult$1.protect(TestResult.java:106)
>  at junit.framework.TestResult.runProtected(TestResult.java:124)
>  at junit.framework.TestResult.run(TestResult.java:109)
>  at junit.framework.TestCase.run(TestCase.java:118)
>  at junit.framework.TestSuite.runTest(TestSuite.java:208)
>  at junit.framework.TestSuite.run(TestSuite.java:203)
>  at junit.textui.TestRunner.doRun(TestRunner.java:116)
>  at junit.textui.TestRunner.doRun(TestRunner.java:109)
>  at junit.textui.TestRunner.run(TestRunner.java:72)
>  at junit.textui.TestRunner.run(TestRunner.java:57)
>  at si.hermes.security.ESignDocTestTimestamp.main(ESignDocTestTimestamp.java:404)
> Caused by: java.security.InvalidKeyException: Invalid key type: org.mozilla.jss.pkcs11.PK11RSAPrivateKey
>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey(JSSCipherSpi.java:123)
>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:161)
>  at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit(JSSCipherSpi.java:270)
>  at javax.crypto.Cipher.init(DashoA12275)
>  at java.security.Signature$CipherAdapter.engineInitSign(Signature.java:1205)
>  at java.security.Signature$Delegate.init(Signature.java:1079)
>  at java.security.Signature$Delegate.chooseProvider(Signature.java:1036)
>  at java.security.Signature$Delegate.engineInitSign(Signature.java:1109)
>  at java.security.Signature.initSign(Signature.java:503)
>  at com.sun.net.ssl.internal.ssl.RSASignature.engineInitSign(RSASignature.java:108)
>  at java.security.Signature$Delegate.engineInitSign(Signature.java:1107)
>  at java.security.Signature.initSign(Signature.java:503)
>  at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1002)
>  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:604)
>  ... 38 more</ns1:stackTrace><ns2:hostname
> xmlns:ns2="http://xml.apache.org/axis/">yukon</ns2:hostname></:detail></soapenv:Fault></soapenv:Body>
> ---------------------------------------
>
> Any idea what might be wrong?
>
> Regards,
>  Tadej
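Sandeep's conversion step ("write a JSSE program to convert it into PKCS#12 format", then pk12util -i) as a worked example. This is added here and is not code from the thread, from JSS or from NSS; it uses only the standard java.security.KeyStore API, which is what is available on the Java 1.5 named in the thread (its keytool has no -importkeystore). File names, passwords and the NSS DB directory are placeholders passed on the command line or written as <...> in the comments.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Copies every private-key entry (key plus certificate chain) of a JKS
 * keystore into a PKCS#12 file, which pk12util can then import into an
 * NSS database (cert8.db/key3.db). Uses only java.security.KeyStore.
 *
 * Added example; not code from the thread, JSS or NSS. All paths and
 * passwords are placeholders supplied on the command line.
 */
public class Jks2Pkcs12 {

    /** Converts jksPath into p12Path and returns the number of key entries copied. */
    public static int convert(String jksPath, char[] jksPassword,
                              String p12Path, char[] p12Password) throws Exception {
        KeyStore jks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(jksPath);
        try {
            jks.load(in, jksPassword);
        } finally {
            in.close();
        }

        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start from an empty PKCS#12 store

        int copied = 0;
        for (Enumeration<String> e = jks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!jks.isKeyEntry(alias)) {
                // Trusted-cert-only entries (e.g. the provider's ROOT CA) are not
                // carried over: import those into the NSS DB with certutil -A.
                continue;
            }
            // Assumption: key entries are protected by the keystore password
            // (keytool's default when -keypass is omitted).
            Key key = jks.getKey(alias, jksPassword);
            Certificate[] chain = jks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new IllegalStateException("alias " + alias + " has no certificate chain");
            }
            // The alias becomes the PKCS#12 friendlyName, which pk12util uses as
            // the NSS nickname (check with certutil -L after importing).
            // Sun's PKCS12 keystore wants the same password for entry and store.
            p12.setKeyEntry(alias, key, p12Password, chain);
            copied++;
        }
        if (copied == 0) {
            throw new IllegalStateException("no private-key entries found in " + jksPath);
        }

        FileOutputStream out = new FileOutputStream(p12Path);
        try {
            p12.store(out, p12Password);
        } finally {
            out.close();
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java Jks2Pkcs12 <in.jks> <jksPassword> <out.p12> <p12Password>");
            System.exit(2);
        }
        int n = convert(args[0], args[1].toCharArray(), args[2], args[3].toCharArray());
        System.out.println("wrote " + n + " key entr" + (n == 1 ? "y" : "ies") + " to " + args[2]);
        // Next, from a shell with the NSS tools on PATH (pk12util syntax as quoted
        // from all.pl above; <nssdb> is the directory holding cert8.db/key3.db):
        //   pk12util -i out.p12 -d <nssdb> -W <p12Password> [-K <slotPassword>]
        //   certutil -L -d <nssdb>            # shows the imported nickname
        // Then delete out.p12: it holds the private key under a password only.
    }
}
```

The nickname that certutil -L prints for the imported entry is the name JSS code later refers to (the JSS_SSLClient example in the thread selects the client cert by nickname). The PKCS#12 file exists only to move the key: remove it once pk12util has imported it, since its protection is a single password rather than the NSS key database.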
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
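On Tadej's last question (keep the Axis SOAP layer, let JSS do the SSL): Axis 1.x obtains its HTTPS sockets from a pluggable secure socket factory, so the TLS handshake can be handed to a JSS SSLSocket while HTTP and SOAP stay untouched. The stack trace above shows why that helps: SunJSSE's ClientHandshaker builds the CertificateVerify by calling java.security.Signature.initSign with an org.mozilla.jss.pkcs11.PK11RSAPrivateKey, which JSSCipherSpi.importKey rejects with "Invalid key type"; with a JSS SSLSocket, NSS signs the CertificateVerify itself using the key in the NSS DB. The class below is an added example, not code from the thread, from Axis or from JSS. It assumes the Axis 1.x org.apache.axis.components.net.SocketFactory/SecureSocketFactory/DefaultSocketFactory classes and the "axis.socketSecureFactory" property that selects the implementation, and the JSS 4.x SSLSocket methods used (SSLSocket(String,int), setUseClientMode, enableSSL2, setClientCertNickname, addHandshakeCompletedListener, forceHandshake). The "jss.clientCertNickname" property name is invented for this example.

```java
import java.net.Socket;
import java.util.Hashtable;

import javax.xml.rpc.holders.BooleanHolder;

import org.apache.axis.components.net.DefaultSocketFactory;
import org.apache.axis.components.net.SecureSocketFactory;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
import org.mozilla.jss.ssl.SSLSocket;

/**
 * Axis 1.x secure socket factory whose sockets are JSS SSLSockets, so the
 * handshake (including the CertificateVerify signature) is done by NSS with
 * the key in the NSS DB, while Axis keeps doing HTTP and SOAP on top of the
 * returned java.net.Socket.
 *
 * Added example; not code from the thread, Axis or JSS. Assumes the Axis 1.x
 * pluggable SocketFactory (org.apache.axis.components.net) selected by the
 * "axis.socketSecureFactory" property and the JSS 4.x SSLSocket API.
 * The "jss.clientCertNickname" property name is made up for this example.
 *
 * Activation, after CryptoManager.initialize(...) has opened the NSS DB and
 * before the first Call.invoke():
 *   AxisProperties.setProperty("axis.socketSecureFactory",
 *                              JssSecureSocketFactory.class.getName());
 * (or -Daxis.socketSecureFactory=JssSecureSocketFactory on the command line)
 */
public class JssSecureSocketFactory extends DefaultSocketFactory implements SecureSocketFactory {

    /** Nickname of the client cert in the NSS DB, as shown by "certutil -L". */
    private static final String CLIENT_CERT_NICKNAME =
            System.getProperty("jss.clientCertNickname");

    /** Axis instantiates the factory reflectively through this constructor. */
    public JssSecureSocketFactory(Hashtable attributes) {
        super(attributes);
    }

    public Socket create(String host, int port, StringBuffer otherHeaders,
                         BooleanHolder useFullURL) throws Exception {
        // Fail early with NotInitializedException if nobody opened the NSS DB;
        // without it there is neither a client key nor a trust anchor.
        CryptoManager.getInstance();

        if (port == -1) {
            port = 443;
        }
        // Direct connection only: unlike DefaultSocketFactory this example does
        // not honour http.proxyHost, so Axis must send a plain request line.
        useFullURL.value = false;

        SSLSocket sock = new SSLSocket(host, port);
        sock.setUseClientMode(true);
        sock.enableSSL2(false); // nothing in the thread needs SSLv2; keep it off
        if (CLIENT_CERT_NICKNAME != null) {
            // Tells NSS which key signs CertificateVerify when the server sends
            // a CertificateRequest; the server's CA list alone does not pick one.
            sock.setClientCertNickname(CLIENT_CERT_NICKNAME);
        }
        sock.addHandshakeCompletedListener(new SSLHandshakeCompletedListener() {
            public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
                try {
                    System.err.println("JSS handshake done with "
                            + event.getSocket().getInetAddress()
                            + ", cipher " + event.getStatus().getCipher());
                } catch (Exception e) {
                    System.err.println("JSS handshake done, status unavailable: " + e);
                }
            }
        });
        // Do the handshake now so a failure surfaces here as an exception
        // rather than as a truncated HTTP response inside HTTPSender.
        sock.forceHandshake();
        return sock;
    }
}
```

The server certificate is checked by NSS against the trust flags in the NSS DB, so the provider's ROOT CA has to be in that DB (certutil -A with SSL CA trust, e.g. -t "CT,,"), not in a javax.net.ssl.trustStore file; the JSS_SSLClient example in the thread shows the same nickname-based client cert selection. What this factory does not do is HTTP proxy handling, which DefaultSocketFactory provides and which would have to be added before use behind a proxy.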
