tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Rome <jamesr...@gmail.com>
Subject SSL ErrorOCSP error
Date Mon, 17 Oct 2005 23:31:37 GMT
Alas, No extra debugging information appeared for me with the
-Djavax.net.debug=ssl:handshake. 

I still get
WARN http-8443-Processor25 gov.sensornet.security.X509Realm - Check OCSP Credentials: CertPathValidatorException:
java.security.cert.CertPathValidatorException: javax.net.ssl.SSLException: java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter
must be non-empty

What I am trying to do is to create a custom Realm that checks a user's PKI certificate for
revocation. I have looked at the Tomcat (5.5) source, and so far as I can tell, Tomcat's certificate
realms only check that the certificate was signed by a trusted CA and is valid today.

With some code from Sun, I can properly check OCSP revocation in a servlet filter. But when
I try to move the same code to a custom Realm, I get the above error.

The code is as follows:

	// ---------------------------------------------------------------------
	// METHOD: enableOSCP() -
	/***************************************************************************
	 * Enable OCSP certificate checking. This initializes the appropriate
	 * parameters to enable OCSP.
	 */
	private void enableOCSP() {
		TrustAnchor caAnchor = new TrustAnchor(CACert, null);
		Set<TrustAnchor> trustedCertsSet = new HashSet<TrustAnchor>();
		trustedCertsSet.add(caAnchor);
		// init cert store
		Set<X509Certificate> certSet = new HashSet<X509Certificate>();
		certSet.add(OCSPCert);
		try {
			CertStoreParameters storeParams = new CollectionCertStoreParameters(
					certSet);
			CertStore store = CertStore.getInstance("Collection", storeParams);
			// init PKIX parameters
			params = new PKIXParameters(trustedCertsSet);
			params.addCertStore(store);
			params.setRevocationEnabled(true);
			System.setProperty("javax.net.ssl.trustStoreType", "JKS");
			System.setProperty("javax.net.ssl.trustStore",
					"/usr/share/jboss/Certificates/cacerts");
			System.setProperty("javax.net.ssl.trustStorePassword","mypassword");			
			// enable OCSP
			java.security.Security.setProperty("ocsp.enable", "true");
			java.security.Security.setProperty("ocsp.responderURL", OCSPURL);
			java.security.Security.setProperty("ocsp.responderCertSubjectName",
					OCSPCert.getSubjectX500Principal().getName());
			log.debug("ocsp.responder=" + 
					java.security.Security.getProperty("ocsp.responderCertSubjectName"));
		} catch (Exception ex) {
			log.warn("Error enabling OCSP: " + ex);
		}
	}


Then in X509Realm.authenticate(), I do:

   // --------------------------------------------------------- Public Methods

    /**
     * Return the Principal associated with the specified chain of X509
     * client certificates.  If there is none, return <code>null</code>.
     *
     * @param certs Array of client certificates, with the first one in
     *  the array being the certificate of the client itself.
     */
    public Principal authenticate(X509Certificate certs[]) {
       	System.out.println("In Certificate authenticate");
       log.debug("In authenticate");
        if ((certs == null) || (certs.length < 1))
            return (null);

       // Check the validity of each certificate in the chain
        if (log.isDebugEnabled())
            log.debug("Authenticating client certificate chain");
        if (validate) {
            for (int i = 0; i < certs.length; i++) {
                if (log.isDebugEnabled())
                    log.debug(" Checking validity for '" +
                        certs[i].getSubjectDN().getName() + "'");
                try {
                    certs[i].checkValidity();
                } catch (CertificateExpiredException cee) {
         			log.warn(STATUS_EXPIRED);
        			return (null);
        		} catch (CertificateNotYetValidException cnyve) {
          			log.warn(STATUS_NOT_YET_VALID);
        			return (null);
        		}
            }
    		// Verify that we signed the presented certificate
//            log.debug(CAPubKey.toString());
            log.debug("UserDN=" + certs[0].getSubjectDN());
    		try {
    			certs[0].verify(CAPubKey);
    		} catch (CertificateException ce) {
     			log.warn(STATUS_BAD_ENCODING);
    			return (null);
    		} catch (NoSuchAlgorithmException nsa) {
     			log.warn(STATUS_NSA);
    			return (null);
    		} catch (InvalidKeyException ivk) {
    			log.warn(STATUS_INVALID_KEY);
    			return (null);
    		} catch (NoSuchProviderException nsp) {
    			log.warn(STATUS_NSP);
    			return (null);
    		} catch (SignatureException se) {
     			log.warn(STATUS_BAD_SIGNATURE);
    			return (null);
    		}
    		// Passed verification test.
    		// Now check to see if it was revoked
    		// Check the OCSP server for revocation
   		enableOCSP();
			  log.debug("ocsp.responderURL=" + 
					  Security.getProperty("ocsp.responderURL"));
			  log.debug("ocsp.responderCertSubjectName=" +
					  Security.getProperty("ocsp.responderCertSubjectName"));
    		log.debug("Start params " + this.toString() +"\n" +params.toString());
    		log.debug("End params");
    		try {
    			CertPath cp = null;
    			Vector<X509Certificate> vcerts = new Vector<X509Certificate>();
    			vcerts.add(certs[0]);
    			// init cert path
    			CertificateFactory cf = CertificateFactory.getInstance("X509");
    			cp = (CertPath) cf.generateCertPath(vcerts);
log.debug("CertPath=" + cp.toString());
log.debug(params.getTrustAnchors().toString());
Iterator it = params.getCertStores().iterator();
while(it.hasNext()) {
	log.debug("CertStore=" + it.next().toString());
}
    			CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
    			PKIXCertPathValidatorResult cpv_result 
    			  = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
log.debug("cpv_result=" + cpv_result.toString());    			
    			X509Certificate trustedCert = (X509Certificate) cpv_result
    					.getTrustAnchor().getTrustedCert();

    			if (trustedCert == null) {
    				log.warn("Trusted Cert = NULL");
    			}
    		} catch (CertPathValidatorException e) {
    			CertPath cp = e.getCertPath();
    			int ind = e.getIndex();
    			log.warn("Check OCSP Credentials: CertPathValidatorException: " + e);
    			log.warn("Cert Path=" + cp.toString() + " index=" + ind);
    			return (null);
    		} catch (CertificateException e) {
    			log.warn("CertificateException: " + e);
     			return (null);
    		} catch (NoSuchAlgorithmException e) {
    			log.warn("NoSuchAlgorithmException: " + e);
     			return (null);
    		} catch (InvalidAlgorithmParameterException e) {
    			log.warn("InvalidAlgorithmParameterException: " + e);
    			return (null);
    		}
        }	// End of validate


        // Check the existence of the client Principal in our database
        Principal subject = certs[0].getSubjectDN();
        return (subject);

    }

I print out the PKIX parameters, and my CA certufucate is in there. So what can be different
about running this in a Tomcat Realm vs a Tomcat filter?

Thanks,
Jim

------------------------------
You want to put this in the Java tab under Java Options.

Best regards

Robert.

-----Original Message-----
From: James Rome [mailto:jamesrome@gmail.com]
Sent: 17 October 2005 16:00
To: tomcat-user@jakarta.apache.org
Subject: SSL Error : Please HELP


I tried putting 
start -Djavax.net.debug=ssl:handshake
in the Windows 5.5 GUI startup tab under arguments and Tomcat will not start

How does one get this to work?

Jim


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message