Hello Glen,
I tried to look into the source of classes where these exceptions were
thrown.
One interesting thing I observed is, JSSCipherSpi expects Public Key
only in "WRAP_MODE". But JCE_RSACipher is calling it in "ENCRYPT_MODE"
in which JSS expects a secret key. Since the passed key not a secret
key, it is trying to import the secret key out of this key and it says
"invalid key type".
Pre master secret is encrypted using the public key according to the
TLS RFC,
7.4.7.1. RSA encrypted premaster secret message
Meaning of this message:
If RSA is being used for key agreement and authentication, the
client generates a 48-byte premaster secret, encrypts it using
the public key from the server's certificate or the temporary
RSA
key provided in a server key exchange message, and sends the
result in an encrypted premaster secret message. This structure
is a variant of the client key exchange message, not a message
in
itself.
So, is it looks like a problem between JCE_RSACipher and JSSCipherSpi.
Or Am I missing anything here.
Thanks,
Sreedhar
On Apr 2, 5:38 pm, ksreedha...@gmail.com wrote:
> Thanks Glen. Yes it works with the default provider. tstclnt fails
> with the error Issuer certificate is invalid.
>
> When I used with option -o (Override bad server cert), it works fine.
> The certificate wes used is a Self signed certificate. So, probably
> tstclnt didn't like it.
>
> One more thing is, OpenSSL based c client is able to communicate with
> server successfully.
>
> Thanks,
> Sreedhar
>
> On Apr 2, 4:52 pm, Glen Beasley <glen.beas...@sun.com> wrote:
>
>
>
> > hi,
>
> > can you successfully connect to your server using JSSE with it's
> > default provider? meaning
> > not using mozilla-JSS as the provider?
>
> > I know you have used ssltap can you use NSS tool tstclnt?
>
> > tstclnt -h <hostname> -p <port> -d <your nss cert db dir> -v -2 -3 -c v
>
> > If you want full client auth specify your cert nickname with -n <your
> > cert nickname>
>
> > If the JSSE works with the default provider, and tstclnt works then open
> > a bug on JSS with steps to recreate issue.
>
> > -glen
>
> > ksreedha...@gmail.com wrote:
> > > Thanks Nelson for the reply.
>
> > > Jss version is 4.2.5
> > > JRE version is 1.6
> > > NSS vesion is 3.11.4
>
> > > See my comments inline.
> > > On Apr 1, 8:45 pm, Nelson B Bolyard <nel...@bolyard.me> wrote:
>
> > >> ksreedha...@gmail.com wrote, On 2009-04-01 17:54:
>
> > >>> Hello,
>
> > >>> I am [using] Mozilla-JSS as the provider in my Java application which
> > >>> is a SSL client connecting to OpenSSL based SSL Server.
>
> > >> You haven't reported version information, such as:
> > >> - version of JDK/JRE
> > >> - version of JSS
> > >> - version of NSS
> > >> It's possible that you have a version mismatch of some sort.
>
> > >>> I am using the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" and we are
> > >>> using TLSv1.0 as the SSL protocol.
>
> > >>> I get this exception when I try to connect to the server. Server has a
> > >>> self signed RSA based certificate.
>
> > >> I have rearranged the stack below, so that it appears as one continuous
> > >> stack, with the first (or "root cause") exception at the top.
>
> > >>> I thought premaster secret key is generated by the Client and encrypt
> > >>> using the public key of the certificate so that Server will decrypt
> > >>> using
> > >>> its private key.
>
> > >> That's correct for the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA".
>
> > >>> Can some one tell me what I am missing here and what this exception
> > >>> means?
>
> > >> The first exception reported in this stack, namely:
>
> > >>> java.security.InvalidKeyException: Invalid key type:
> > >>> org.mozilla.jss.pkcs11.PK11RSAPublicKey
>
> > >> says that the failure occurred when trying to encrypt the pre-master
> > >> secret
> > >> with the RSA public key. The exception reports that the key it was
> > >> given as
> > >> the pre-master secret, to be encrypted with the server's RSA public key,
> > >> was
> > >> actually not a pre-master secret, but rather was an RSA public key.
>
> > > But the premaster secret key is generated internally right?
>
> > >> The code that threw the first exception may be seen at
>
> > >>>http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/...
> > >>> at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey
> > >>> (JSSCipherSpi.java:123)
> > >>> at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit
> > >>> (JSSCipherSpi.java:161)
> > >>> at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit
> > >>> (JSSCipherSpi.java:270)
> > >>> at javax.crypto.Cipher.init(DashoA13*..)
> > >>> at com.sun.net.ssl.internal.ssl.JCE_RSACipher.encryptInit
> > >>> (RSACipher.java:76)
> > >>> at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init>
> > >>> (PreMasterSecret.java:83)
>
> > >> Consequently, it was unable to create an RSA-encrypted pre-master secret
> > >> (also know as the "RSA pre-master secret"), and this is what the second
> > >> exception is complaining about.
>
> > >>> (which caused) javax.net.ssl.SSLKeyException: RSA premaster secret error
> > >>> at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init>
> > >>> (PreMasterSecret.java:86)
> > >>> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone
> > >>> (ClientHandshaker.java:439)
> > >>> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage
> > >>> (ClientHandshaker.java:132)
> > >>> at com.sun.net.ssl.internal.ssl.Handshaker.process_record
> > >>> (Handshaker.java:334)
> > >>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord
> > >>> (SSLSocketImpl.java:805)
> > >>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake
> > >>> (SSLSocketImpl.java:1046)
> > >>> at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake
> > >>> (SSLSocketImpl.java:1059)
> > >>> at com.fhp.ems.main.TestSecurity_SSL.testSSL
> > >>> (TestSecurity_SSL.java:218)
> > >>> at com.fhp.ems.main.TestSecurity_SSL.main (TestSecurity_SSL.java:69)
>
> > >> Maybe Glen can tell us more about diagnosing this failure.
>
> > smime.p7s
> > 6KViewDownload- Hide quoted text -
>
> > - Show quoted text -- Hide quoted text -
>
> - Show quoted text -
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
