hello, I created https://bugzilla.mozilla.org/show_bug.cgi?id=487325
for an immediate work around you can choose to use JSS's own SSL classes, instead
of the JSSE. -glen ksreedha...@gmail.com wrote:
Hello Glen, I tried to look into the source of classes where these exceptions were thrown. One interesting thing I observed is, JSSCipherSpi expects Public Key only in "WRAP_MODE". But JCE_RSACipher is calling it in "ENCRYPT_MODE" in which JSS expects a secret key. Since the passed key not a secret key, it is trying to import the secret key out of this key and it says "invalid key type". Pre master secret is encrypted using the public key according to the TLS RFC, 7.4.7.1. RSA encrypted premaster secret message Meaning of this message: If RSA is being used for key agreement and authentication, the client generates a 48-byte premaster secret, encrypts it using the public key from the server's certificate or the temporary RSA key provided in a server key exchange message, and sends the result in an encrypted premaster secret message. This structure is a variant of the client key exchange message, not a message in itself. So, is it looks like a problem between JCE_RSACipher and JSSCipherSpi. Or Am I missing anything here. Thanks, Sreedhar On Apr 2, 5:38 pm, ksreedha...@gmail.com wrote:Thanks Glen. Yes it works with the default provider. tstclnt fails with the error Issuer certificate is invalid. When I used with option -o (Override bad server cert), it works fine. The certificate wes used is a Self signed certificate. So, probably tstclnt didn't like it. One more thing is, OpenSSL based c client is able to communicate with server successfully. Thanks, Sreedhar On Apr 2, 4:52 pm, Glen Beasley <glen.beas...@sun.com> wrote:hi,can you successfully connect to your server using JSSE with it'sdefault provider? meaning not using mozilla-JSS as the provider?I know you have used ssltap can you use NSS tool tstclnt? tstclnt -h <hostname> -p <port> -d <your nss cert db dir> -v -2 -3 -c v If you want full client auth specify your cert nickname with -n <yourcert nickname>If the JSSE works with the default provider, and tstclnt works then opena bug on JSS with steps to recreate issue.-glen ksreedha...@gmail.com wrote:Thanks Nelson for the reply.Jss version is 4.2.5JRE version is 1.6 NSS vesion is 3.11.4See my comments inline.On Apr 1, 8:45 pm, Nelson B Bolyard <nel...@bolyard.me> wrote:ksreedha...@gmail.com wrote, On 2009-04-01 17:54:Hello,I am [using] Mozilla-JSS as the provider in my Java application whichis a SSL client connecting to OpenSSL based SSL Server.You haven't reported version information, such as: - version of JDK/JRE - version of JSS - version of NSS It's possible that you have a version mismatch of some sort.I am using the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA" and we are using TLSv1.0 as the SSL protocol.I get this exception when I try to connect to the server. Server has aself signed RSA based certificate.I have rearranged the stack below, so that it appears as one continuous stack, with the first (or "root cause") exception at the top.I thought premaster secret key is generated by the Client and encrypt using the public key of the certificate so that Server will decrypt using its private key.That's correct for the cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA".Can some one tell me what I am missing here and what this exception means?The first exception reported in this stack, namely:java.security.InvalidKeyException: Invalid key type: org.mozilla.jss.pkcs11.PK11RSAPublicKeysays that the failure occurred when trying to encrypt the pre-master secret with the RSA public key. The exception reports that the key it was given as the pre-master secret, to be encrypted with the server's RSA public key, was actually not a pre-master secret, but rather was an RSA public key.But the premaster secret key is generated internally right?The code that threw the first exception may be seen athttp://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/... at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.importKey (JSSCipherSpi.java:123) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit (JSSCipherSpi.java:161) at org.mozilla.jss.provider.javax.crypto.JSSCipherSpi.engineInit (JSSCipherSpi.java:270) at javax.crypto.Cipher.init(DashoA13*..) at com.sun.net.ssl.internal.ssl.JCE_RSACipher.encryptInit (RSACipher.java:76) at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init> (PreMasterSecret.java:83)Consequently, it was unable to create an RSA-encrypted pre-master secret (also know as the "RSA pre-master secret"), and this is what the second exception is complaining about.(which caused) javax.net.ssl.SSLKeyException: RSA premaster secret error at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init> (PreMasterSecret.java:86) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone (ClientHandshaker.java:439) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage (ClientHandshaker.java:132) at com.sun.net.ssl.internal.ssl.Handshaker.process_record (Handshaker.java:334) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord (SSLSocketImpl.java:805) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake (SSLSocketImpl.java:1046) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:1059) at com.fhp.ems.main.TestSecurity_SSL.testSSL (TestSecurity_SSL.java:218) at com.fhp.ems.main.TestSecurity_SSL.main (TestSecurity_SSL.java:69)Maybe Glen can tell us more about diagnosing this failure.smime.p7s 6KViewDownload- Hide quoted text -- Show quoted text -- Hide quoted text -- Show quoted text -
smime.p7s
Description: S/MIME Cryptographic Signature
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
