"Failed set trust point in ssl context" when using SSL communication

emukang

Hello,

I am now developing a client and server system which needs SSL support.
As this system is developed with Microsoft J++, I can only use an SSL
package which supports JDK 1.1.

Now I have only found that Oracle has a solution for SSL which supports
JDK 1.1 (Sun's JSSE package only supports JDK 1.2 onwards). It describes the
method and sample code in Oracle Advanced Security Administrator's
Guide Release 2 (9.2)
(http://web.urz.uni-heidelberg.de/Un...racle.doc.816/network.816/a76932/appf_ora.htm)

I tried it, but met "Failed set trust point in ssl context" when using
SSL communication.

I think the problem is in initCredential() on the server side. I used
keytool to generate a self-signed certificate, and used addTrustedCert()
to add the certificate. But it always reports an error.

There is also another method named setWallet to import a wallet
file generated by Oracle Wallet Manager. I also tried this, but when I
tried to use Oracle Wallet Manager to export the wallet, it always reports
"wallet must have at least one certificate to export".

So would you please help me solve this problem? Thank you very much.

Below is the source code. To compile and run it, you need
javax-ssl-1_1.jar and jssl-1_1.jar in your classpath, and njssl9.dll in
your PATH environment variable. If you have installed Oracle on your machine,
these 3 files can be obtained from \\oracle\ora92\bin and \\oracle\ora92\jlib.

---------------------------------------------------------------------------------------------------------------------
Server compile running command
---------------------------------------------------------------------------------------------------------------------
D:\project\test>javac -classpath "C:\javax-ssl-1_1.jar;C:jssl-1_1.jar;." SecureHelloServer.java

D:\project\test>java -classpath "C:\javax-ssl-1_1.jar;C:jssl-1_1.jar;." SecureHelloServer
Wating for client...
IO exception caught:
java.io.IOException: javax.net.ssl.SSLException: Failed set trust point in ssl context
        at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(OracleSSLSocketImpl.java)
        at oracle.security.ssl.OracleSSLServerSocketImpl.accept(OracleSSLServerSocketImpl.java)
        at SecureHelloServer.main(SecureHelloServer.java:109)

---------------------------------------------------------------------------------------------------------------------
Client compile & running command
---------------------------------------------------------------------------------------------------------------------
D:\project\test>javac -classpath "C:\javax-ssl-1_1.jar;C:jssl-1_1.jar;." SecureHelloClient.java
D:\project\test>java -classpath "C:\javax-ssl-1_1.jar;C:jssl-1_1.jar;." SecureHelloClient
Connection aborted by peer: socket write error
IO exception caught:
java.io.IOException: javax.net.ssl.SSLException: SSL handshake failed: SSLConnectionClosedGraceful
        at oracle.security.ssl.OracleSSLSocketImpl.startHandshake(OracleSSLSocketImpl.java)
        at SecureHelloClient.main(SecureHelloClient.java:62)

---------------------------------------------------------------------------------------------------------------------
Server source code
---------------------------------------------------------------------------------------------------------------------
// SecureHelloServer.java

import java.net.*;
import java.io.*;
import java.util.*;

import javax.net.*;
import javax.net.ssl.*;

import javax.security.cert.X509Certificate;
import oracle.security.ssl.OracleSSLServerSocketFactoryImpl;
import oracle.security.ssl.OracleSSLServerSocketFactory;
import oracle.security.ssl.OracleSSLProtocolVersion;
import oracle.security.ssl.OracleSSLCredential;


public class SecureHelloServer
{

    // Reads the whole file into a byte array (the trusted certificate is
    // passed to the Oracle credential object as raw bytes).
    private static byte[] getBytesFromFile(File file) throws IOException {
        InputStream is = new FileInputStream(file);

        // Get the size of the file
        long length = file.length();

        // You cannot create an array using a long type.
        // It needs to be an int type.
        // Before converting to an int type, check
        // to ensure that file is not larger than Integer.MAX_VALUE.
        if (length > Integer.MAX_VALUE) {
            is.close();
            throw new IOException("File is too large: " + file.getName());
        }

        // Create the byte array to hold the data
        byte[] bytes = new byte[(int)length];

        // Read in the bytes
        int offset = 0;
        int numRead = 0;
        while (offset < bytes.length
               && (numRead = is.read(bytes, offset, bytes.length - offset)) >= 0) {
            offset += numRead;
        }

        // Ensure all the bytes have been read in
        if (offset < bytes.length) {
            is.close();
            throw new IOException("Could not completely read file " + file.getName());
        }

        // Close the input stream and return bytes
        is.close();
        return bytes;
    }

    public static void main(String[] args)
    {
        // We will use Oracle implementation here
        java.util.Properties prop = System.getProperties();
        prop.put("SSLServerSocketFactoryImplClass",
                 "oracle.security.ssl.OracleSSLServerSocketFactoryImpl");
        try
        {
            // Get the default socket factory
            OracleSSLServerSocketFactory sslSrvSocketFactory =
                (OracleSSLServerSocketFactory)SSLServerSocketFactory.getDefault();

            // Set the SSL protocol version
            sslSrvSocketFactory.setSSLProtocolVersion(OracleSSLProtocolVersion.SSL_Version_3_0);

            // Create the ssl credential object
            OracleSSLCredential sslCredObj = new OracleSSLCredential();

            // Add the self-signed certificate generated with keytool as a trust point
            sslCredObj.addTrustedCert(getBytesFromFile(new File("C:\\certificate\\serverTrust")));

            // If you are using Oracle's wallet, certdb.txt, you can use setWallet as follows:
            //sslCredObj.setWallet("C:\\certificate\\certdb.txt", "servicedesk123");

            // If you are not using Oracle Wallet Manager, see the SecureHelloClient
            // program example.

            // Add ssl credential to the ssl context
            sslSrvSocketFactory.setSSLCredentials(sslCredObj);

            // Create the server socket
            SSLServerSocket sslSrvSocket =
                (SSLServerSocket)sslSrvSocketFactory.createServerSocket(8443);

            // Get the available ciphers
            String[] ciphers = sslSrvSocket.getSupportedCipherSuites();

            // Select the ciphers you want and put them.
            // Here we will put all available ciphers.
            // You can also set a particular cipher suite:
            // construct a cipher list in a string array and
            // pass it to setEnabledCipherSuites.
            sslSrvSocket.setEnabledCipherSuites(ciphers);

            // We are creating an ssl server socket, so set the mode to false.
            sslSrvSocket.setUseClientMode(false);

            // If you want to do client side authentication then set it to true.
            // We won't do client side authentication here.
            sslSrvSocket.setNeedClientAuth(false);


            System.out.println("Wating for client...");
            // Now accept a client connection
            Socket pSocket = sslSrvSocket.accept();

            if (sslSrvSocket.getNeedClientAuth() == true)
            {
                System.out.println("Printing client information:");
                X509Certificate[] peerCerts =
                    ((javax.net.ssl.SSLSocket)pSocket).getSession().getPeerCertificateChain();

                if (peerCerts != null)
                {
                    for (int i = 0; i < peerCerts.length; i++)
                    {
                        System.out.println("Peer Certificate [" + i + "] Information:");
                        System.out.println("- Subject: " + peerCerts[i].getSubjectDN().getName());
                        System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
                        System.out.println("- Version: " + peerCerts[i].getVersion());
                        System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
                        System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
                        System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
                        System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
                    }
                }
                else
                    System.out.println("Failed to get peer certificates");
            }

            // Now do data exchange with client
            OutputStream out = pSocket.getOutputStream();
            InputStream in = pSocket.getInputStream();

            String inputLine, outputLine;
            byte[] msg = new byte[1024];

            int readLen = in.read(msg, 0, msg.length);
            if (readLen > 0)
            {
                inputLine = new String(msg, 0, readLen);
                if (inputLine.startsWith("HELLO"))
                {
                    outputLine = "Hello !! Current Server Time: " + new Date().toString();
                    out.write(outputLine.getBytes());
                }
                System.out.println("Client Message: " + inputLine);
            }
            else
                System.out.println("Can't read data from client");

            // Close all sockets and streams
            out.close();
            in.close();
            pSocket.close();
            sslSrvSocket.close();
        }
        catch (SSLException e)
        {
            System.out.println("SSL exception caught:");
            e.printStackTrace();
        }
        catch (IOException e)
        {
            System.out.println("IO exception caught:");
            e.printStackTrace();
        }
        catch (Exception e)
        {
            System.out.println("Exception caught:");
            e.printStackTrace();
        }
    }
}

---------------------------------------------------------------------------------------------------------------------
Client source code
---------------------------------------------------------------------------------------------------------------------
// SecureHelloClient.java
import java.net.*;
import java.io.*;
import java.util.*;

import javax.net.ssl.*;

import javax.security.cert.X509Certificate;
import oracle.security.ssl.OracleSSLCredential;
import oracle.security.ssl.OracleSSLSocketFactory;
import oracle.security.ssl.OracleSSLProtocolVersion;
import oracle.security.ssl.OracleSSLSession;

public class SecureHelloClient
{
    public static void main(String argv[])
    {
        String hostName = "localhost";

        // if (argv.length != 0)
        //     hostName = argv[0];

        // Set the SSLSocketFactoryImpl class as follows:
        java.util.Properties prop = System.getProperties();
        prop.put("SSLSocketFactoryImplClass",
                 "oracle.security.ssl.OracleSSLSocketFactoryImpl");

        try
        {
            // Get the default socket factory
            OracleSSLSocketFactory sSocFactory =
                (OracleSSLSocketFactory)SSLSocketFactory.getDefault();

            // Set the SSL protocol version
            sSocFactory.setSSLProtocolVersion(OracleSSLProtocolVersion.SSL_Version_3_0);

            OracleSSLCredential sslCredObj = new OracleSSLCredential();

            // Set the certificate chain and private key if the
            // server requires client authentication
            //sslCredObj.addCertChain(caCert);
            //sslCredObj.addCertChain(userCert);
            //sslCredObj.setPrivateKey(userPvtKey, userPassword);

            // Populate credential object
            //sslCredObj.addTrustedCert(trustedCert);
            sSocFactory.setSSLCredentials(sslCredObj);

            // Create the socket using factory
            SSLSocket jsslSoc =
                (SSLSocket)sSocFactory.createSocket(hostName, 8443);

            String[] ciphers = jsslSoc.getSupportedCipherSuites();

            // Select the ciphers you want and put them.
            // Here we will put all available ciphers
            jsslSoc.setEnabledCipherSuites(ciphers);

            // We are creating socket in client mode
            jsslSoc.setUseClientMode(true);

            // Do SSL handshake
            jsslSoc.startHandshake();

            // Print negotiated cipher
            System.out.println("Negotiated Cipher Suite: "
                               + jsslSoc.getSession().getCipherSuite());

            System.out.println("");
            X509Certificate[] peerCerts =
                ((javax.net.ssl.SSLSocket)jsslSoc).getSession().getPeerCertificateChain();

            if (peerCerts != null)
            {
                System.out.println("Printing server information:");
                for (int i = 0; i < peerCerts.length; i++)
                {
                    System.out.println("Peer Certificate [" + i + "] Information:");
                    System.out.println("- Subject: " + peerCerts[i].getSubjectDN().getName());
                    System.out.println("- Issuer: " + peerCerts[i].getIssuerDN().getName());
                    System.out.println("- Version: " + peerCerts[i].getVersion());
                    System.out.println("- Start Time: " + peerCerts[i].getNotBefore().toString());
                    System.out.println("- End Time: " + peerCerts[i].getNotAfter().toString());
                    System.out.println("- Signature Algorithm: " + peerCerts[i].getSigAlgName());
                    System.out.println("- Serial Number: " + peerCerts[i].getSerialNumber());
                }
            }
            else
                System.out.println("Failed to get peer certificates");

            // Now do data exchange with server
            OutputStream out = jsslSoc.getOutputStream();
            InputStream in = jsslSoc.getInputStream();

            String inputLine, outputLine;
            byte[] msg = new byte[1024];

            outputLine = "HELLO";
            out.write(outputLine.getBytes());
            int readLen = in.read(msg, 0, msg.length);
            if (readLen > 0)
            {
                inputLine = new String(msg, 0, readLen);
                System.out.println("");
                System.out.println("Server Message:");
                System.out.println(inputLine);
            }
            else
                System.out.println("Can't read data from server");

            // Close all sockets and streams
            out.close();
            in.close();
            jsslSoc.close();
        }
        catch (SSLException e)
        {
            System.out.println("SSL exception caught:");
            e.printStackTrace();
        }
        catch (IOException e)
        {
            System.out.println("IO exception caught:");
            e.printStackTrace();
        }
        catch (Exception e)
        {
            System.out.println("Exception caught:");
            e.printStackTrace();
        }
    }
}
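A small diagnostic, added here as an example and not part of the original post or of Oracle's samples, that inspects the file the server hands to addTrustedCert() before the SSL context ever sees it: whether it is PEM or DER encoded, whether it parses as an X.509 certificate, whether it is self-signed (signature verifies with its own public key) and whether it is currently within its validity period. It assumes a JDK 7 or later is available for running the check (java.security.cert and java.nio.file are not part of JDK 1.1) and defaults to the path C:\certificate\serverTrust used in the post.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

// Inspects the trust-point file passed to OracleSSLCredential.addTrustedCert().
// Assumed default path taken from the post: C:\certificate\serverTrust
public class TrustFileCheck {

    // Classifies the file by its first bytes: "PEM", "DER" or "UNKNOWN".
    static String encodingOf(byte[] raw) {
        String head = new String(raw, 0, Math.min(raw.length, 10), StandardCharsets.ISO_8859_1);
        if (head.startsWith("-----BEGIN")) return "PEM";    // Base64 text between markers
        if (raw.length > 1 && raw[0] == 0x30) return "DER";  // ASN.1 SEQUENCE tag
        return "UNKNOWN";
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "C:\\certificate\\serverTrust";
        byte[] raw = Files.readAllBytes(new File(path).toPath());
        System.out.println(path + ": " + raw.length + " bytes, encoding " + encodingOf(raw));

        // CertificateFactory accepts both DER and PEM; a parse failure here means the
        // file is not an X.509 certificate at all (for example a keystore or a CSR).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs = cf.generateCertificates(new ByteArrayInputStream(raw));
        System.out.println("Certificates found: " + certs.size());
        for (Certificate cert : certs) {
            X509Certificate c = (X509Certificate) cert;
            System.out.println("- Subject: " + c.getSubjectDN().getName());
            System.out.println("- Issuer:  " + c.getIssuerDN().getName());
            System.out.println("- Valid:   " + c.getNotBefore() + " to " + c.getNotAfter());
            // A self-signed trust point must verify with its own public key.
            try {
                c.verify(c.getPublicKey());
                System.out.println("- Self-signed: yes (signature verifies with own key)");
            } catch (Exception e) {
                System.out.println("- Self-signed: no (" + e.getMessage() + ")");
            }
            try {
                c.checkValidity();
                System.out.println("- Currently valid: yes");
            } catch (Exception e) {
                System.out.println("- Currently valid: no (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with the same file the server reads; if it reports UNKNOWN or fails to parse, the file is not a certificate in a form an SSL library can accept, and if it reports more than one certificate the file is a chain rather than a single trust point.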