Hi Emmanuel,

thanks for your analysis. The filter that should catch the exception is added as the last part in the chain. Could it be that the chain is not fully iterated somehow? Just guessing, I don't have enough MINA experience to make an educated guess. :)

Cheers
Chris

Jul 13, 2022 06:38:00 Emmanuel Lécharny <[email protected]>:

> Here are some of my current findings.
>
> For the (failing) test shouldFailWhenUsingBadClientCertificate, here are the traces we get:
>
> juil. 13, 2022 6:28:42 AM org.apache.mina.filter.ssl.SSLHandlerG0 execute_task
> GRAVE: SSLHandlerG0@ae273e3[mode=server, connected=false] task() - storing error {}
> javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
>     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>     at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
>     at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
>     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:104)
>     at quickfix.mina.ssl.X509TrustManagerWrapper.checkClientTrusted(X509TrustManagerWrapper.java:60)
>     at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1517)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
>     ... 31 more
> Caused by: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
>     at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
>     at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
>     ... 39 more
> Caused by: java.security.SignatureException: Signature does not match.
>     at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)
>     at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
>     at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>     ... 44 more
>
> juil. 13, 2022 6:28:42 AM quickfix.mina.ssl.SSLCertificateTest$TestConnector$1 exceptionCaught
> INFOS: exceptionCaught
> javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
>     at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
>     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
>     at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)
>     at org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
>     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
>     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
>     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
>     at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
>     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
>     at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
>     at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.base/java.lang.Thread.run(Thread.java:829)
> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
>     at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
>     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
>     at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:104)
>     at quickfix.mina.ssl.X509TrustManagerWrapper.checkClientTrusted(X509TrustManagerWrapper.java:60)
>     at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1517)
>     at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
>     ... 31 more
> Caused by: java.security.cert.CertPathValidatorException: signature check failed
>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
>     at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
>     at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
>     at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
>     ... 39 more
> Caused by: java.security.SignatureException: Signature does not match.
>     at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)
>     at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
>     at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
>     at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>     ... 44 more
>
> As we can see, there is a log:
>
> juil. 13, 2022 6:28:42 AM quickfix.mina.ssl.SSLCertificateTest$TestConnector$1 exceptionCaught
> INFOS: exceptionCaught
> javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
>
> saying that the client has actually received a rooted exception (here, the PKIX path validation failed).
>
> OTOH, it seems that the connector does not properly handle this exception, ie the alert message is not propagated to the exceptionCaught handler on the client side.
>
> That is the part to be investigated, IMO.
