3 Replies   Latest reply: Nov 20, 2008 7:23 PM by 843811

    sunmscapi provider ssl error.

    843811
      Hi:

      My Java program connects to an SSL site, but it fails when run. The server needs client auth. I installed the CA cert in my ROOT certificate store and the client cert in my MY certificate store.

      My program :

      import java.io.BufferedReader;
      import java.io.BufferedWriter;
      import java.io.InputStreamReader;
      import java.io.OutputStreamWriter;
      import java.security.KeyStore;

      import javax.net.ssl.KeyManagerFactory;
      import javax.net.ssl.SSLContext;
      import javax.net.ssl.SSLSocket;
      import javax.net.ssl.SSLSocketFactory;
      import javax.net.ssl.TrustManagerFactory;

      public class TestSSL {

           public static void main(String[] args) {
                try {
                     // Client identity: the Windows "MY" (personal) store, accessed through SunMSCAPI.
                     // The store is backed by CryptoAPI, so load() takes no stream and no password.
                     KeyStore ksKeys = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
                     ksKeys.load(null, null);
                     // Alternative tried earlier: a PKCS12 file through a third-party provider.
                     // KeyStore ksKeys = KeyStore.getInstance("PKCS12", "INFOSEC");
                     // ksKeys.load(new FileInputStream("f:/tmp/rcert/p12_PrintableString_PrintableString.pfx"), "1".toCharArray());

                     KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                     kmf.init(ksKeys, null); // MSCAPI keys have no password

                     // Trust store: the Windows "ROOT" store, where the CA certificate was installed.
                     KeyStore ksTrust = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
                     ksTrust.load(null, null);
                     // Originally asked for KeyManagerFactory.getDefaultAlgorithm() here; that only
                     // works because "SunX509" also exists as a trust manager algorithm in SunJSSE.
                     TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                     tmf.init(ksTrust);

                     SSLContext sslContext = SSLContext.getInstance("TLS");
                     sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
                     System.out.println("tmf=" + tmf);
                     System.out.println("kmf=" + kmf);

                     SSLSocketFactory factory = sslContext.getSocketFactory();
                     SSLSocket s = (SSLSocket) factory.createSocket("192.168.0.101", 4439);
                     s.setUseClientMode(true);

                     // Hand-written HTTP request; the TLS handshake actually runs on the first flush().
                     BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(s.getOutputStream()));
                     writer.write("GET / HTTP/1.1\r\n");
                     writer.write("host: 192.168.0.101:4439\r\n");
                     writer.write("Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n");
                     writer.write("Accept-Language: zh-cn\r\n");
                     writer.write("Accept-Encoding: gzip, deflate\r\n");
                     writer.write("If-Modified-Since: Mon, 28 Jan 2008 22:39:34 GMT\r\n");
                     writer.write("If-None-Match: W/\"8144-1201559974000\"\r\n");
                     writer.write("User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n");
                     writer.write("Connection: Keep-Alive\r\n");
                     writer.write("\r\n"); // blank line terminates the headers
                     writer.flush();

                     // Read until the server closes the connection (with Keep-Alive this can block
                     // until the server's idle timeout expires).
                     BufferedReader bin = new BufferedReader(new InputStreamReader(s.getInputStream()));
                     System.out.println("----------ReadLine Start");
                     int c;
                     StringBuffer sbuf = new StringBuffer();
                     while ((c = bin.read()) != -1) {
                          sbuf.append((char) c);
                     }
                     System.out.println("From Server:" + sbuf.toString());
                } catch (Exception ex) {
                     System.out.println(ex.getMessage());
                     ex.printStackTrace();
                }
           }
      }


      After running this program, it displays:

      tmf=javax.net.ssl.TrustManagerFactory@9fef6f
      kmf=javax.net.ssl.KeyManagerFactory@209f4e
      Received fatal alert: decrypt_error
      javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
           at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
           at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
           at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
           at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:202)
           at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:272)
           at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:276)
           at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:122)
           at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:212)
           at java.io.BufferedWriter.flush(BufferedWriter.java:236)
           at TestSSL.main(TestSSL.java:95)
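      The setup above taken one step further as an added diagnostic (my code, not from the thread or the JDK): decrypt_error is the alert a peer sends when a handshake signature or Finished message fails to verify, and in client auth the client's own contribution is the CertificateVerify signature made with the Windows-MY private key. The class below checks, entry by entry, that the MSCAPI key behind each Windows-MY certificate really signs for it, and that a PKIX trust manager built over Windows-ROOT would accept the chain; the class name and probe bytes are mine.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic (not from the thread): for every private-key entry in Windows-MY, check that
 *  the MSCAPI key signs for the certificate and that a peer trusting Windows-ROOT accepts the chain. */
public class MscapiClientAuthCheck {
    public static void main(String[] args) throws Exception {
        KeyStore my = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        my.load(null, null);
        KeyStore root = KeyStore.getInstance("Windows-ROOT", "SunMSCAPI");
        root.load(null, null);
        // PKIX trust manager over Windows-ROOT: the same validation a JSSE peer would run on our chain.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(root);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        byte[] probe = "constructed probe message".getBytes("UTF-8"); // any bytes will do
        for (Enumeration<String> aliases = my.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!my.isKeyEntry(alias)) continue; // certificate only, no private key: unusable for client auth
            Certificate[] raw = my.getCertificateChain(alias);
            X509Certificate[] chain = Arrays.copyOf(raw, raw.length, X509Certificate[].class);
            System.out.println(alias + ": " + chain[0].getSubjectX500Principal());
            try {
                // MSCAPI private keys are not exportable, so sign through SunMSCAPI itself;
                // the certificate's public key is an ordinary RSA key, so the default provider can verify.
                PrivateKey key = (PrivateKey) my.getKey(alias, null);
                Signature signer = Signature.getInstance("SHA1withRSA", "SunMSCAPI");
                signer.initSign(key);
                signer.update(probe);
                byte[] sig = signer.sign();
                Signature verifier = Signature.getInstance("SHA1withRSA");
                verifier.initVerify(chain[0].getPublicKey());
                verifier.update(probe);
                System.out.println("  private key matches certificate: " + verifier.verify(sig));
                tm.checkClientTrusted(chain, "RSA"); // throws CertificateException if the chain is rejected
                System.out.println("  chain validates against Windows-ROOT");
            } catch (Exception e) {
                System.out.println("  FAILED: " + e);
            }
        }
    }
}
```

A "false" on the first line, or a failure from the signing call, points at the key and certificate pairing in the MY store; a failure from checkClientTrusted points at what was installed in ROOT.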
        • 1. Re: sunmscapi provider ssl error.
          843811
          Hi,
          As per my understanding,
          the server must have the certificate and the trust certificate must be on the client side.

          Only if they match does the handshake happen between the client and server.

          As I see there is no problem with your code; the problem is with your client certificate.
          I implemented the same with the client and server using the SunMSCAPI certificate store.

          And one important thing: for the client side the certificate should be in the "Windows-ROOT" certificate store.
          Just check where you placed the certificate. I surmise you have the certificate in the "Windows-MY" store.

          • 2. Re: sunmscapi provider ssl error.
            EJP
            > Server must have the certificate and the the trust certificate must be on client side.

            No. The server must have a private key and a signed certificate matching it. The client must have the signed certificate or that of one of its signers.

            > if they match then only the handshake happens between the client and server.

            No. The server sends its certificate, which the client checks against its truststore. If the client doesn't trust the server cert, the handshake fails. They don't have to 'match', and this process happens during the handshake, not before it.

            The problem is a decrypt_error. This can happen during the handshake for several reasons, including failure to verify the signature on the incoming certificate. It is sounding as though the server's certificate isn't valid.
            • 3. Re: sunmscapi provider ssl error.
              843811
              Thanks for your replies. My server certificate is configured correctly and my client certificate is installed on my system (PKCS12).

              Can I email you the certificates involved in this problem, including the server certificate, the client certificate and the CA certificate?