jsse | 易学教程

java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer

阅读更多关于 java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer

问题 In working on a different problem (related to RMI), I upgraded the system's "security folder" with the "unlimited strength" policy files and now my applicaiton fails in a different way. I get a long stack dump, of which following bits appear pertinent: Exception in thread "main" java.lang.ExceptionInInitializerError [...crop...] Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:86) ... 17 more Caused by:

JSSE wrap creates two tls packets requiring two unwraps. Why?

阅读更多关于 JSSE wrap creates two tls packets requiring two unwraps. Why?

问题 I am inspecting the behavior of our java application with respect to jsse tls encryption and decryption with a connected openssl client. First I observed that when I call unwrap for client data, it always unwraps consuming 37 bytes and producing 0. The next unwrap consumes some bytes and produces some. At first I thought the client would wrap an empty array first. But then I discovered that the jsse code does the same, except it produces 1 byte instead of 0. So every call to a wrap consumes X

Is the cacerts file missing in ubuntu 15.10 and openjdk-8-jdk?

阅读更多关于 Is the cacerts file missing in ubuntu 15.10 and openjdk-8-jdk?

问题 I just installed Ubuntu 15.10 and their openjdk-8-jdk (by apt-get). Now I am missing the cacerts file. There is a link at the usual location: ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts lrwxrwxrwx 1 root root 27 Oct 22 01:47 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> /etc/ssl/certs/java/cacerts but nothing at /etc/ssl/certs/java/cacerts: stat /etc/ssl/certs/java/cacerts stat: cannot stat ‘/etc/ssl/certs/java/cacerts’: No such file or directory 回答1: This

Programmatically Obtain KeyStore from PEM

阅读更多关于 Programmatically Obtain KeyStore from PEM

问题 How can one programmatically obtain a KeyStore from a PEM file containing both a certificate and a private key? I am attempting to provide a client certificate to a server in an HTTPS connection. I have confirmed that the client certificate works if I use openssl and keytool to obtain a jks file, which I load dynamically. I can even get it to work by dynamically reading in a p12 (PKCS12) file. I'm looking into using the PEMReader class from BouncyCastle, but I can't get past some errors. I'm

How to override the cipherlist sent to the server by Android when using HttpsURLConnection?

阅读更多关于 How to override the cipherlist sent to the server by Android when using HttpsURLConnection?

During TLS negotiation, clients send a list of supported ciphers to the server, the server picks one, and encryption starts. I want to change this cipherlist sent to the server by Android, when I'm using HttpsURLConnection for communication. I know that I can use setSSLSocketFactory on the HttpsURLConnection object to set it up to use a SSLSocketFactory . This is useful when I want to change the trustmanager etc used by the SSLSocket returned by the SSLSocketFactory . I know that in general this ciphersuite list can be edited using an SSLParameters object and passing it to SSlsocket or

How to get the java.security.PrivateKey object from RSA Privatekey.pem file?

阅读更多关于 How to get the java.security.PrivateKey object from RSA Privatekey.pem file?

问题 I have a RSA private key file (OCkey.pem). Using java i have to get the private key from this file. this key is generated using the below openssl command. Note : I can't change anything on this openssl command below. openssl> req -newkey rsa:1024 -sha1 -keyout OCkey.pem -out OCreq.pem -subj "/C=country/L=city/O=OC/OU=myLab/CN=OCserverName/" -config req.conf The certificate looks like below. /////////////////////////////////////////////////////////// bash-3.00$ less OCkey.pem -----BEGIN RSA

SSL Handshaking Using Self-Signed Certs and SSLEngine (JSSE)

阅读更多关于 SSL Handshaking Using Self-Signed Certs and SSLEngine (JSSE)

问题 I have been tasked to implement a custom/standalone Java webserver that can process SSL and non-SSL messages on the same port. I have implemented an NIO server and its working quite well for non-SSL requests. I am having a heck of a time with the SSL piece and could really use some guidance. Here's what I have done so far. In order to distinguish between SSL and non-SSL messages, I check the first byte of the inbound request to see if it is a SSL/TLS message. Example: byte a = read(buf); if

java - path to trustStore - set property doesn't work?

阅读更多关于 java - path to trustStore - set property doesn't work?

I've setup a self-signed certificate to test an ssl java connection - however, it is refusing to locate the java trustStore. I've saved copies of it in /Java/jre6/lib/security in addition to the folder where the classes are compiled to (im using netbeans) and also to /java/jre6/bin none of the above appears to work, because when i run the following - trustStore = null. public class ShowTrustStore { public static void main(String[] args) { System.setProperty("javax.net.ssl.keyStore", "keystore.jks"); System.setProperty("javax.net.ssl.trustStrore", "cacerts.jks"); System.setProperty("javax.net

Registering multiple keystores in JVM

阅读更多关于 Registering multiple keystores in JVM

I have two applications running in the same java virtual machine, and both use different keystores and truststores. A viable option would be use a single keystore and import all the other ones into the shared keystore (e.g. keytool -import), but it would really help my requirements if I could use separate keystores for separate applications running in the same jvm. I could set the keystore and truststores to be used as jvm parameters or system properties as follows: java -Djavax.net.ssl.keyStore=serverKeys -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=serverTrust -Djavax

Why does Java's SSLSocket send a version 2 client hello?

阅读更多关于 Why does Java's SSLSocket send a version 2 client hello?

The SSLSocket.getEnabledProtocols() method returns the following: [SSLv2Hello, SSLv3, TLSv1] . And indeed, when I call connect() and I have SSL debugging turned on, I see that a v2 client hello is used: main, WRITE: TLSv1 Handshake, length = 81 main, WRITE: SSLv2 client hello message, length = 110 But I have found two (admittedly old) references that say JSSE does not support SSL version 2: From Fundamental Networking in Java : 'SSLv2Hello' is a pseudo-protocol which allows Java to initiate the handshake with an SSLv2 'hello message'. This does not cause use of the SSLv2 protocol, which is not