From: "Jason Pyeron"
To: "'Tomcat Users List'"
Subject: RE: client authentication using a smart card
Date: Mon, 19 Oct 2009 08:41:56 -0400
Organization: PD Inc
Message-ID: <0A38EF81B91C4A7AB0EBD793D18127EA@phoenix>
Mailing-List: users@tomcat.apache.org (Tomcat Users List)

> -----Original Message-----
> From: Marcello Marangio [mailto:m.marangio@innova.puglia.it]
> Sent: Monday, October 19, 2009 8:30
> To: users@tomcat.apache.org
> Subject: client authentication using a smart card
>
> Hi all
>
> This is my very first message in the list.
>
> I am trying to use the SSL and client authentication feature in Tomcat 6,
> using a PKCS#11 compliant smart card reader and a real authentication
> smart card (Italian CNS).
>
> In the browser (Firefox) I obtain a

First, make sure your browser knows about the certificate and smart card
reader. We have been having trouble with recent Firefox releases on this.
The debugging steps I would take are:

1) Use Windows / IE. If the server requires or requests a client cert it
   will pop up a selection window even if IE does not know how to fulfil
   the request. This will indicate whether Tomcat is or is not requesting
   client certs.
2) Verify IE knows about the smart card cert: use certmgr.msc to see if the
   smart card certificate is installed, as well as the trust chain.
3) Verify IE prompts for the smart card cert in the client cert popup
   selection dialog.
4) Verify Tomcat <-> IE talk over SSL.

> ssl_error_certificate_unknown_alert or a
> ssl_error_bad_certificate_alert.
>
> SSL without client authentication works perfectly.
>
> This is my server configuration:
>
>   <Connector
>       maxThreads="150" scheme="https" secure="true"
>       clientAuth="true" sslProtocol="TLS"
>       keystoreFile="C:\apache-tomcat-6.0.20\conf\tomcat.keystore"
>       keystorePass="tomcat" keyAlias="tomcat"
>       truststoreFile="C:\apache-tomcat-6.0.20\conf\cacerts"
>       truststorePass="changeit"/>
>
> tomcat.keystore contains the self-signed X.509 certificate I use to
> perform the server SSL handshake.
>
> cacerts contains the root certificate of my signature and non-repudiation
> certificate contained in my smart card.
>
> From Tomcat's log, obtained by setting
> JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:
>
> 1) the root certificate is trusted (imported in cacerts with
>    keytool -import -trustcacerts ...)
>
>   adding as trusted cert:
>     Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato
>       del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
>     Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato
>       del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
>     Algorithm: RSA; Serial number: 0x1
>     Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016
>
> 2) the client certificate is taken from the smart card and given to the
>    server; furthermore, the issuer is exactly the trusted one:
>
>   *** Certificate chain
>   chain [0] = [
>   [
>     Version: V3
>     Subject: CN=Marcello Marangio, DNQ=20071112354269,
>       SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO,
>       O=NON PRESENTE, C=IT
>     Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
>     Validity: [From: Wed Nov 21 12:11:08 CET 2007,
>                To: Sun Nov 21 01:00:00 CET 2010]
>     Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato
>       del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
>     SerialNumber: [    131b58]
>
> 3) the browser (Firefox) picks up the correct non-repudiation certificate
>    from the smart card and sends it to the server:
>
>   [9]: ObjectId: 2.5.29.15 Criticality=true
>   KeyUsage [
>     Non_repudiation
>   ]
>
> The problem seems to be that Tomcat is looking for the digital signature
> certificate and not the non_repudiation one.
>
>   http-8443-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
>   http-8443-1, WRITE: TLSv1 Alert, length = 2
>   http-8443-1, called closeSocket()
>   http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException:
>     sun.security.validator.ValidatorException: KeyUsage does not allow
>     digital signatures
>
> Is Tomcat's behavior correct or is it a bug?

The above steps will allow a quicker diagnosis.

> Thanks a million
>
> Marcello
>

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
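The exception quoted in the log above ("sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures") is raised by the JSSE validator's end-entity check for a TLS client certificate, which requires the digitalSignature bit (bit 0) of the KeyUsage extension (RFC 5280, section 4.2.1.3). A certificate whose KeyUsage carries only nonRepudiation (bit 1), as the poster's handshake dump shows, fails that check regardless of how the issuer is trusted. The following is an added example, not code from this thread, from Tomcat or from the JDK: it decodes a DER KeyUsage BIT STRING by hand and applies that one rule to three constructed sample encodings (the hex values are made up for illustration, not read from the poster's card).

```python
"""
Decode an X.509 KeyUsage extension value (a DER BIT STRING, RFC 5280
section 4.2.1.3) and apply the check behind the log message
"KeyUsage does not allow digital signatures": a TLS client certificate
must carry the digitalSignature bit (bit 0).

Added example; the sample encodings below are constructed by hand.
"""
from __future__ import annotations

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of
# the first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature",  # 0
    "nonRepudiation",    # 1 (also called contentCommitment)
    "keyEncipherment",   # 2
    "dataEncipherment",  # 3
    "keyAgreement",      # 4
    "keyCertSign",       # 5
    "cRLSign",           # 6
    "encipherOnly",      # 7
    "decipherOnly",      # 8
]


def decode_key_usage(der: bytes) -> list[str]:
    """Return the names of the KeyUsage bits set in a DER BIT STRING.

    Layout: 0x03 <length> <unused-bit-count> <bit octets...>
    Only short-form lengths are handled, which covers every real KeyUsage.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    nbits = len(body) * 8 - unused
    names = []
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i])
    return names


def allows_tls_client_auth(der: bytes) -> bool:
    """The JSSE end-entity rule for a client certificate: digitalSignature
    (bit 0) must be present. nonRepudiation alone does not satisfy it."""
    return "digitalSignature" in decode_key_usage(der)


# Constructed sample encodings (hex); not bytes taken from any real card.
SAMPLES = {
    # bit 1 only (nonRepudiation): content octet 0b0100_0000, 6 unused bits
    "signature-only cert": bytes.fromhex("03020640"),
    # bit 0 only (digitalSignature): content octet 0b1000_0000, 7 unused bits
    "authentication cert": bytes.fromhex("03020780"),
    # bits 0,1,2 (digitalSignature, nonRepudiation, keyEncipherment)
    "multi-purpose cert": bytes.fromhex("030205e0"),
}


def report() -> dict[str, tuple[list[str], bool]]:
    """Map each sample to (decoded usages, accepted for TLS client auth)."""
    return {name: (decode_key_usage(d), allows_tls_client_auth(d))
            for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (usages, ok) in report().items():
        verdict = ("accepted" if ok
                   else "rejected: KeyUsage does not allow digital signatures")
        print(f"{name}: {usages} -> {verdict}")
```

Running the block shows that only the encodings with bit 0 set would pass the validator; the first sample reproduces the poster's situation. The same decoding can be applied to the KeyUsage value of any certificate dumped with -Djavax.net.debug=ssl,handshake before trying it against a clientAuth="true" connector.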