
Re: [iaik-ssl]cu|| PKCS12 client certificate



Hello,

It looks as if the key used for signing the CertificateVerify message
does not correspond to the public key contained in the certificate.
If you have exported the PKCS#12 file from MSIE or Netscape and
if it contains more than one certificate, you may try to "reorder"
the cert chain before accessing the client cert at index 0.
(PKCS#12 files exported from MSIE or Netscape usually contain
the end user cert at index n-1).

Regards,
Dieter Bratko
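The check Dieter describes can be made explicit in code: pick the certificate whose public key actually belongs to the private key from the key bag, then put it at index 0 with its issuers behind it, instead of trusting the bag order. The following is an added example, not code from this thread or from the IAIK library itself. It reuses only the IAIK calls that appear in the original post (PKCS12, decrypt, getKeyBag().getPrivateKey(), CertificateBag.getCertificates) and assumes the certificate class is iaik.x509.X509Certificate (which extends java.security.cert.X509Certificate); the file name client.p12, the password and the class name are placeholders, and the key match is only implemented for RSA, which is what the server log's cipher suite (SSL_RSA_WITH_3DES_EDE_CBC_SHA) uses.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.List;

import iaik.pkcs.pkcs12.CertificateBag;
import iaik.pkcs.pkcs12.PKCS12;
import iaik.x509.X509Certificate;   // assumed: the X509Certificate type used in the post

public class ClientChainOrder {

    /** True if the RSA private key and the certificate's public key share a modulus. */
    static boolean keyMatches(PrivateKey priv, X509Certificate cert) {
        PublicKey pub = cert.getPublicKey();
        if (priv instanceof RSAPrivateKey && pub instanceof RSAPublicKey) {
            BigInteger n1 = ((RSAPrivateKey) priv).getModulus();
            BigInteger n2 = ((RSAPublicKey) pub).getModulus();
            return n1.equals(n2);
        }
        return false; // only RSA is handled in this example
    }

    /**
     * Returns the certificates reordered so that the end-entity certificate
     * (the one matching priv) is at index 0, followed by its issuer chain.
     * Throws if no certificate in the file belongs to the private key, which is
     * exactly the condition that makes the server reject CertificateVerify.
     */
    static X509Certificate[] orderChain(X509Certificate[] certs, PrivateKey priv) {
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            if (keyMatches(priv, c)) { leaf = c; break; }
        }
        if (leaf == null) {
            throw new IllegalArgumentException(
                "no certificate in the PKCS#12 file matches the private key");
        }
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(leaf);
        X509Certificate current = leaf;
        // Follow issuer links until a self-signed cert or a missing issuer.
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate c : certs) {
                if (c != current
                        && c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    issuer = c;
                    break;
                }
            }
            if (issuer == null || chain.contains(issuer)) break;
            chain.add(issuer);
            current = issuer;
        }
        return chain.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file name and password; replace with your own.
        PKCS12 pk = new PKCS12(new FileInputStream("client.p12"));
        pk.decrypt("changeit".toCharArray());
        PrivateKey privateKey = pk.getKeyBag().getPrivateKey();
        X509Certificate[] certs = CertificateBag.getCertificates(pk.getCertificateBags());

        X509Certificate[] chain = orderChain(certs, privateKey);
        System.out.println("end-entity certificate: " + chain[0].getSubjectX500Principal());
        System.out.println("chain length: " + chain.length);
        // The ordered chain is what belongs in
        // contxt.addClientCredentials(chain, privateKey) in the original post.
    }
}
```

If orderChain throws, the PKCS#12 file does not contain a certificate for the key at all, and reordering will not help; if it succeeds but chain[0] is not the certificate at bag index 0, the original post's bg[0] / cert[0] usage was presenting an issuer certificate as the client certificate, which is consistent with the "512 bit RSA certificate" and "signature error" lines in the server log.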

-----Original Message-----
From: iaik-ssl-owner@iaik.at [mailto:iaik-ssl-owner@iaik.at] On Behalf Of
Ranadhir Nag
Sent: Friday, 12 April 2002 09:16
To: iaik-ssl@iaik.at
Subject: [iaik-ssl]cu|| PKCS12 client certificate


I am facing a vexing problem in presenting a PKCS12 certificate
(exported through the Netscape browser) to the SSLServer sample through a
Java client application. Though the request is successful when the
certificate is presented from a browser, the server throws a 'bad
certificate' error when the certificate is presented through the client
application, and the handshake fails. I also noticed that the bit-size
of the certificate when presented through the two media (browser and
client application) is different. The code sample is:

    // fis, password, cv, con and httpMethod are set up elsewhere in the poster's code
    PKCS12 pk = new PKCS12(fis);
    pk.decrypt(password);
    System.out.println(pk.getKeyBag().getPrivateKey());
    PrivateKey private_key = pk.getKeyBag().getPrivateKey();
    System.out.println(pk);

    iaik.pkcs.pkcs12.CertificateBag[] bg = pk.getCertificateBags();
    System.out.println("------------");
    System.out.println(bg[0]);
    System.out.println("---------------" + bg.length);
    System.out.println(bg[0].getCertificate());

    // ctf is built but not used further below
    X509Certificate[] ctf = new X509Certificate[1];
    ctf[0] = (X509Certificate) bg[0].getCertificate();

    CertificateBag[] cb = pk.getCertificateBags();
    X509Certificate[] cert = CertificateBag.getCertificates(cb);

    // certificates are passed in bag order, with cert[0] taken as the client cert
    SSLClientContext contxt = new SSLClientContext();
    contxt.setChainVerifier(cv);
    contxt.addClientCredentials(cert, private_key);

    ((HttpsURLConnection) con).setSSLContext(contxt);
    con.setRequestMethod(httpMethod);
    con.setDoOutput(true);
    con.setDoInput(true);
The error footprint on the server is:
ssl_debug(1): Sending server_hello handshake message.
ssl_debug(1): Selecting CipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
ssl_debug(1): Selecting CompressionMethod: NULL
ssl_debug(1): Sending certificate handshake message with server certificate...
ssl_debug(1): Sending certificate_request handshake message...
ssl_debug(1): Sending server_hello_done handshake message...
ssl_debug(1): Received certificate handshake message with client certificate.
ssl_debug(1): Client sent a 512 bit RSA certificate, chain has 2 elements.
ssl_debug(1): Received client_key_exchange handshake message.
ssl_debug(1): Received certificate_verify handshake message.
ssl_debug(1): Sending alert: Alert Fatal: bad certificate
ssl_debug(1): Shutting down SSL layer...
ssl_debug(1): SSLException while handshaking: Certificate verify message signature error!
An exception occured:
iaik.security.ssl.SSLException: Certificate verify message signature error!
        at iaik.security.ssl.f.c(Unknown Source)
        at iaik.security.ssl.f.a(Unknown Source)
        at iaik.security.ssl.r.d(Unknown Source)
        at iaik.security.ssl.SSLTransport.startHandshake(Unknown Source)
        at iaik.security.ssl.SSLTransport.getOutputStream(Unknown Source)
        at iaik.security.ssl.SSLSocket.getOutputStream(Unknown Source)
        at demo.basic.SSLServer.main0(SSLServer.java:99)
        at demo.basic.SSLServer.main(SSLServer.java:149)

 
Can anyone suggest a solution? Thanks a lot in advance.

Ranadhir Nag
Wipro Technologies,
Electronic City,Bangalore
# 8520408 -5366



--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl