I am trying to connect a Java client to a non-Java server via GRPC-SSL. I am able to connect to the server when not using SSL. When I try to create the ManagedChannel using a SSL context (using the provided pem file), I get the exception below (same pem file works with a NodeJS client).
ManagedChannel channel = NettyChannelBuilder.forAddress("localhost", 10010)
.sslContext(GrpcSslContexts.forClient().trustManager(new File("./test/myprivkey.pem")).build())
.build();
Exception from trustManager call:
Exception in thread "main" java.lang.IllegalArgumentException: File does not contain valid certificates: /Users/continue/IdeaProjects/git/test/build/resources/main/keys/myprivkey.pem
at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:162)
at com.test.io.grpc.test.client.Connection.getSslContext(Connection.java:65)
at com.test.io.grpc.test.client.Connection.getSecure(Connection.java:41)
at com.test.io.grpc.mgcs.client.TestClient.<init>(TestClient.java:36)
at com.test.io.grpc.test.client.TestClient.main(TestClient.java:89)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:147)
Caused by: java.security.cert.CertificateException: found no certificates in input stream
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:98)
at io.netty.handler.ssl.PemReader.readCertificates(PemReader.java:64)
at io.netty.handler.ssl.SslContext.toX509Certificates(SslContext.java:999)
at io.netty.handler.ssl.SslContextBuilder.trustManager(SslContextBuilder.java:160)
build.gradle relevant section
compile 'io.netty:netty-tcnative-boringssl-static:1.1.33.Fork26'
Any ideas what might be causing the issue or how to troubleshoot this further?
I was reading the wrong file as the certificate file for building the SslContext. Replacing the incorrect input with the right certificate file fixed the issue.
If your cert is from DNSSimple I found I needed to do
openssl pkcs8 -topk8 -nocrypt -in original.key -out new_key.key.pcks8
To convert the format of the key. :(
Related
I was trying to deploy Signal Server according to the guidelines here.
Link
Everything was success in the build part. But when i run the service using this command
java -jar service/target/TextSecureServer-3.21.jar server service/config/config.yml
I am getting below errors.
INFO [2020-09-10 04:52:48,319] io.dropwizard.server.DefaultServerFactory: Registering jersey handler with root path prefix: /
INFO [2020-09-10 04:52:48,320] io.dropwizard.server.DefaultServerFactory: Registering admin handler with root path prefix: /
org.bouncycastle.openssl.PEMException: problem parsing cert: java.security.cert.CertificateException: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.openssl.PEMReader$X509CertificateParser.parseObject(Unknown Source)
at org.bouncycastle.openssl.PEMReader.readObject(Unknown Source)
at org.whispersystems.textsecuregcm.push.RetryingApnsClient.initializeCertificate(RetryingApnsClient.java:76)
at org.whispersystems.textsecuregcm.push.RetryingApnsClient.<init>(RetryingApnsClient.java:49)
at org.whispersystems.textsecuregcm.push.APNSender.<init>(APNSender.java:70)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:246)
at org.whispersystems.textsecuregcm.WhisperServerService.run(WhisperServerService.java:151)
at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:44)
at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:87)
at io.dropwizard.cli.Cli.run(Cli.java:78)
at io.dropwizard.Application.run(Application.java:94)
at org.whispersystems.textsecuregcm.WhisperServerService.main(WhisperServerService.java:406)
Caused by: java.security.cert.CertificateException: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.jce.provider.JDKX509CertificateFactory.engineGenerateCertificate(Unknown Source)
at java.base/java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355)
... 12 more
Caused by: java.lang.IllegalArgumentException: unknown object in factory: org.bouncycastle.asn1.DERUnknownTag
at org.bouncycastle.asn1.x509.AlgorithmIdentifier.getInstance(Unknown Source)
at org.bouncycastle.asn1.x509.TBSCertificateStructure.<init>(Unknown Source)
at org.bouncycastle.asn1.x509.TBSCertificateStructure.getInstance(Unknown Source)
at org.bouncycastle.asn1.x509.X509CertificateStructure.<init>(Unknown Source)
at org.bouncycastle.asn1.x509.X509CertificateStructure.getInstance(Unknown Source)
at org.bouncycastle.jce.provider.JDKX509CertificateFactory.readDERCertificate(Unknown Source)
... 14 more
Anyone know the exact issue here ?
Also i didnt change serverSecret & serverPublic under zkConfig. (I dont know how to get these). What it does mean by * # zkgroup config, run using your build jar * as in the documentation ?
Problem solved. This exception came due to improper PEM format of reading cerKey file. Anyhow current crtKey form is PEM only, but it need a extended form of PEM.
i used below command to generate it.
openssl rsa -in cert.key -outform PEM -out cert.key
Then all above errors were disappeared.
I did enter the above command but i got this error
Can't open cert.key for reading, No such file or directory
140021811573184:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('cert.key','r')
140021811573184:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load Private Key
and I did everything I could I generated all kind of certificate I could find on Internet but no change in result. could you please tell me what to do it's so important to me. thanks alot
On Jmeter, I'm trying to hit an API with https protocol, and encountering the infamous SSLHandshakeException.
Response code:Non HTTP response code: javax.net.ssl.SSLHandshakeException
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: RSASSA-PSS
Using Java (32 bit) jre 1.8, Jmeter 5.3 on Win7 Enterprise edition.
Server Certificate details:
Version: V3
Signature Algorithm: RSASSA-PSS
From other questions on Stackoverflow, tried these but didn't help:
Commented out jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms in java.security file.
Have imported the certificate from the server to Java keystore.
I am writing a program for work and I have been stumped on this issue for almost a week now. The program keeps throwing the same exception no matter what I do.
I have looked up every known resource and every question related to this problem and every attempt and suggestion has failed. According to 90% of posts I've come across, it says that I should use keytool to add the certificate to my keystore. This is what I have attempted:
keytool -import -alias abc -file ~/Downloads/\*.gcsip.nl #=> gcsip.nl is the certificate I downloaded from the browser.
It asked me for a password, I added it, and my app still doesn't work when I run it. I looked into "How to import certificates into Eclipse project" and they recommended that I do the same command. I have never dealt with Java certificates before, but it's been a true absolute nightmare.
The weird part was that the app was working perfectly fine one day, and when I came into work, this exception started happening. I literally changed nothing.
I've also looked into the other Caused by: exceptions including Invalid keystore format and have had no luck solving that either. Honestly, even after reading the Oracle docs throughly, I still have no idea what a keystore is, does, and is supposed to look like.
I am just looking for someone who's had experience with this issue who can elaborate (like I'm 5) on how keystore works and how I can fix it. Any help is extremely appreciated.
I should note that I am not very Java savvy.
Here's my StackTrace:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:255)
at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:409)
at sun.net.NetworkClient.doConnect(NetworkClient.java:162)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1104)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:998)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at GCollect.authorize(GCollect.java:102)
at TestCase.main(TestCase.java:20)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332)
at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:85)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:57)
at java.net.URL.openConnection(URL.java:972)
at GCollect.authorize(GCollect.java:100)
... 1 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:226)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager(SSLContextImpl.java:767)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:733)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 13 more
I am getting below excpetion in jdk1.6.But same it's working JDK1.7 version onwards.
So is this problem with JDK1.6 version?
java.security.cert.CertPathValidatorException: java.io.IOException: Bad encoding in X509 Certificate
at sun.security.provider.certpath.OCSP.check(OCSP.java:219)
at sun.security.provider.certpath.OCSP.check(OCSP.java:85)
at com.strutsrecipes.antbuild.business.PIOCSPValidation.generateCertificatePath(PIOCSPValidation.java:67)
at com.strutsrecipes.antbuild.actions.LoginSearchAction.execute(LoginSearchAction.java:21)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:480)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
I'm executing the W3C CSS validator jar from the command line, built from the latest-available source. Exceptions are raised when the jar requests some HTTPS urls.
Some HTTPS urls are fine, others are not. Of those that cause exceptions to be raised of which I am aware (just one), the SSL cert appears to be fine when requesting the relevant URL in Chrome.
I call the CSS validator as follows:
java -jar css-validator.jar "https://example.com/"
And get the following error output:
javax.net.ssl.SSLException: Server key
at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1274)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at org.w3c.css.util.HTTPURL.getConnection(HTTPURL.java:257)
at org.w3c.css.util.HTTPURL.getConnection(HTTPURL.java:312)
at org.w3c.css.css.DocumentParser.<init>(DocumentParser.java:124)
at org.w3c.css.css.CssValidator.main(CssValidator.java:154)
Caused by: java.security.spec.InvalidKeySpecException: Could not create EC public key
at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:169)
at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1057)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:218)
... 13 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11ECKeyFactory.generatePublic(P11ECKeyFactory.java:233)
at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:164)
... 16 more
I'd ideally like to ignore absolutely all such SSL errors that could be raised when executing this jar from the command line using something along the lines of:
java -ignore-all-of-these-ssl-errors-please -jar css-validator.jar "https://example.com/"
Clearly ignore-all-of-these-ssl-errors-please is not a valid command line flag.
Is there a flag that will do this?
Not possible. It's that way for a reason, and that reason is to prevent you from writing code that someone else implicitly trusts to ensure that the SSL session is secure and genuine. The reason it works in Chrome and not from Java is that Java comes with a very sparse set of root CAs.
The only way around this if you don't control the code is to add the necessary CA certificates to the local keystore. I believe you can export Chrome's CAs in a form you can import into the keystore.