如何解决JAVA SSL无效的证书验证签名
我正在使用:
- openJDK 15
- 带有嵌入式underwow的springboot 2.3.4
我不认为该问题与springboot有关,但与我的一些错误有关。更确切地说,我正在使用此openJDK版本:
openjdk version "15" 2020-09-15
OpenJDK Runtime Environment (build 15+36-1562)
OpenJDK 64-Bit Server VM (build 15+36-1562,mixed mode,sharing)
这是我需要的:我需要具有弹簧安全性的x.509。为了建立良好的信任库,我编写了一个代码,可以连接[here] [1]解析XML并创建信任库文件
然后我以这种方式配置了我的弹簧靴:
server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,INCLUDE_ANY_OTHER_Ones_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2,TLSv1.3
在我看来,信任库已正确加载(如果我使用了错误的名称,则应用程序将无法启动)。
现在,我有一个x509客户端证书和一个通过USB连接到笔记本电脑的设备。客户证书由Actalis提供,有效期至2021年。
当我尝试连接到我的spring boot应用程序时,它也要求我提供证书。我将其发送到APP,但是openJDK并抱怨有关证书签名的验证。通过使用-Djavax.net.debug=all启动应用程序,我出现此错误:
javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.147 CEST|CertificateMessage.java:1161|Consuming client Certificate handshake message (
"Certificate": {
"certificate_request_context": "","certificate_list": [
{
.............................
}
]
)
javax.net.ssl|DEBUG|2C|XNIO-1 task-1|2020-10-22 17:38:05.163 CEST|x509trustmanagerImpl.java:301|Found trusted certificate (
"certificate" : {
[
.......
]}
)
javax.net.ssl|ERROR|2C|XNIO-1 task-1|2020-10-22 17:38:05.165 CEST|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Invalid CertificateVerify signature (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Invalid CertificateVerify signature
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyMessage.<init>(CertificateVerify.java:1009)
at java.base/sun.security.ssl.CertificateVerify$T13CertificateVerifyConsumer.consume(CertificateVerify.java:1160)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1107)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
at java.base/java.lang.Thread.run(Thread.java:832)}
)
javax.net.ssl|ALL|2C|XNIO-1 task-1|2020-10-22 17:38:05.166 CEST|SSLSessionImpl.java:1224|Invalidated session: Session(1603381082397|TLS_AES_256_GCM_SHA384)
javax.net.ssl|WARNING|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:173|outbound has closed,ignore outbound application data
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.166 CEST|SSLEngineOutputRecord.java:510|WRITE: TLS13 alert,length = 2
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLCipher.java:2063|Plaintext before ENCRYPTION (
0000: 02 28 15 00 00 00 00 00 00 00 00 00 00 00 00 00 .(..............
0010: 00 00 00 ...
)
javax.net.ssl|DEBUG|24|XNIO-1 I/O-5|2020-10-22 17:38:05.167 CEST|SSLEngineOutputRecord.java:528|Raw write (
0000: 17 03 03 00 23 C4 F6 89 E4 E1 58 81 C6 99 7D AE ....#.....X.....
0010: 8B 65 BA 49 1F 6F 57 28 73 F1 08 47 21 80 33 0F .e.I.oW(s..G!.3.
0020: CF FF 65 2A 2D 16 93 99 ..e*-...
)
我不明白为什么在服务器端我无法验证证书签名。
有人可以给我小费吗?
谢谢
安吉洛 [1]:https://eidas.agid.gov.it/TL/TSL-IT.xml
更新
我通过删除TLSv1.3解决了该问题;所以现在我的春季启动配置文件是:
server.ssl.trust-store=myTrustLocation/myTrustJks.jks
server.ssl.trust-store-password=myTrustPwd
server.ssl.trust-store-type=PKCS12
server.ssl.client-auth=need
server.ssl.enabled=true
#ssl ciphers
#server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256,INCLUDE_ANY_OTHER_Ones_YOU_NEED_TO_SUPPORT
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2
请求现在到达Spring Security org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter,但未找到名称为javax.servlet.request.X509Certificate的请求参数。
这些都是我在请求中找到的所有请求参数和标头:
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.web.context.request.async.WebAsyncManager.WEB_ASYNC_MANAGER VALUE org.springframework.web.context.request.async.WebAsyncManager@5d2019a3
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.header.HeaderWriterFilter@40d63d7e.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY __spring_security_scpf_applied VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.key_size VALUE 256
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.http.HttpServletResponse VALUE org.springframework.security.web.header.HeaderWriterFilter$HeaderWriterResponse@479cfa9
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY characterEncodingFilter.FILTERED VALUE true
2020-10-22 19:35:59,723 24750 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY webMvcmetricsFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.FilterChainProxy.APPLIED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY _csrf VALUE SaveOnAccessCsrftoken [delegate=org.springframework.security.web.csrf.DefaultCsrftoken@7be2014]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.cipher_suite VALUE TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.boot.actuate.metrics.web.servlet.WebMvcmetricsFilter$TimingContext VALUE org.springframework.boot.actuate.metrics.web.servlet.WebMvcmetricsFilter$TimingContext@10e6a38
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY javax.servlet.request.ssl_session_id VALUE [45,69,-121,-113,43,-28,65,-68,113,77,78,5,-13,-54,110,-77,-14,-70,-2,107,112,46,93,-31,-101,-97,-103,121,34,71,86,-13]
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.CsrfFilter@3cabd235.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY formContentFilter.FILTERED VALUE true
2020-10-22 19:35:59,724 24751 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY requestContextFilter.FILTERED VALUE true
2020-10-22 19:35:59,725 24752 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - ATTR KEY org.springframework.security.web.csrf.Csrftoken VALUE SaveOnAccessCsrftoken [delegate=org.springframework.security.web.csrf.DefaultCsrftoken@7be2014]
2020-10-22 19:35:59,736 24763 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cookie HEAD VALUE JSESSIONID=9bxOO7wIleO0zohbZ3V5X-WX5ydAJHtsP74LicCx
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept HEAD VALUE text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Cache-Control HEAD VALUE max-age=0
2020-10-22 19:35:59,737 24764 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Upgrade-Insecure-Requests HEAD VALUE 1
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME User-Agent HEAD VALUE Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Connection HEAD VALUE keep-alive
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Host HEAD VALUE eid-tls-svil.regione.puglia.it:8443
2020-10-22 19:35:59,738 24765 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Language HEAD VALUE en-US,en;q=0.5
2020-10-22 19:35:59,739 24766 [XNIO-1 task-1] TRACE i.e.t.e.e.x.f.EidX509AuthenticationFilter - HEAD NAME Accept-Encoding HEAD VALUE gzip,deflate,br
有人可以建议我为什么吗?
谢谢
天使
第二次更新
我试图将嵌入式服务器从underwow更改为tomcat,现在它可以正常工作,而不会在spring配置中影响其他任何东西。 因此,基本上,在我看来,客户端证书没有发送到Spring Security。
我想念什么吗?
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。