On 13/07/2022 09:37, Christoph John wrote:
Hi Emmanuel,

thanks for your analysis. The filter that should catch the exception is added 
as last part in the chain. Could it be that the chain is not fully iterated 
somehow? Just guessing, I don't have enough MINA experience to make an educated 
guess. :)

This is what I'm going to check :-)

Stay tuned !

Cheers
Chris

Jul 13, 2022 06:38:00 Emmanuel Lécharny <elecha...@gmail.com>:

Here are some of my current findings.

For the (failing) test shouldFailWhenUsingBadClientCertificate, here are the 
traces we get:

juil. 13, 2022 6:28:42 AM org.apache.mina.filter.ssl.SSLHandlerG0 execute_task
GRAVE: SSLHandlerG0@ae273e3[mode=server, connected=false] task() - storing 
error {}
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException: signature check failed
     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
     at 
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
     at java.base/java.security.AccessController.doPrivileged(Native Method)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
     at 
org.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)
     at 
org.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)
     at org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
     at 
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
     at 
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
     at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
     at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.validator.ValidatorException: PKIX path validation 
failed: java.security.cert.CertPathValidatorException: signature check failed
     at 
java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
     at 
java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:104)
     at 
quickfix.mina.ssl.X509TrustManagerWrapper.checkClientTrusted(X509TrustManagerWrapper.java:60)
     at 
java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1517)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
     ... 31 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
     at 
java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
     at 
java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
     at 
java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
     ... 39 more
Caused by: java.security.SignatureException: Signature does not match.
     at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)
     at 
java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
     at 
java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
     at 
java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
     ... 44 more

juil. 13, 2022 6:28:42 AM quickfix.mina.ssl.SSLCertificateTest$TestConnector$1 
exceptionCaught
INFOS: exceptionCaught
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException: signature check failed
     at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
     at 
java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:700)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375)
     at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
     at 
java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
     at java.base/java.security.AccessController.doPrivileged(Native Method)
     at 
java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
     at 
org.apache.mina.filter.ssl.SSLHandlerG0.execute_task(SSLHandlerG0.java:743)
     at 
org.apache.mina.filter.ssl.SSLHandlerG0.receive_loop(SSLHandlerG0.java:255)
     at org.apache.mina.filter.ssl.SSLHandlerG0.receive(SSLHandlerG0.java:162)
     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:342)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
     at 
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128)
     at 
org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650)
     at 
org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:643)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:539)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor.access$1200(AbstractPollingIoProcessor.java:68)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1224)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.process(AbstractPollingIoProcessor.java:1213)
     at 
org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:683)
     at 
org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
     at 
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
     at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: sun.security.validator.ValidatorException: PKIX path validation 
failed: java.security.cert.CertPathValidatorException: signature check failed
     at 
java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
     at 
java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
     at java.base/sun.security.validator.Validator.validate(Validator.java:264)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:233)
     at 
java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:104)
     at 
quickfix.mina.ssl.X509TrustManagerWrapper.checkClientTrusted(X509TrustManagerWrapper.java:60)
     at 
java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1517)
     at 
java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682)
     ... 31 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
     at 
java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
     at 
java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
     at 
java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
     at 
java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
     ... 39 more
Caused by: java.security.SignatureException: Signature does not match.
     at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:422)
     at 
java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
     at 
java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
     at 
java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
     ... 44 more



As we can see, there is a log:
juil. 13, 2022 6:28:42 AM quickfix.mina.ssl.SSLCertificateTest$TestConnector$1 
exceptionCaught
INFOS: exceptionCaught
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: 
java.security.cert.CertPathValidatorException: signature check failed

saying that the client has actually received a rooted exception (here, the PKIX 
path validation failed).

OTOH, it seems that the connector does not properly handle this exception, i.e. 
the alert message is not propagated to the exceptionCaught handler on the 
client side.


That is the part to be investigated, IMO.

--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
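
An added example, not part of the original thread and not MINA or QuickFIX/J code: a JDK-only helper that an `exceptionCaught` handler or a test assertion could use to tell a certificate rejection like the one traced above from any other failure, by walking the cause chain down to the `CertPathValidatorException`. The class and method names are hypothetical, and the exception chain in `main` is constructed to mirror the trace.

```java
import java.security.SignatureException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLHandshakeException;

public class HandshakeFailureTriage {

    /** Walks the cause chain and returns the first CertPathValidatorException, or null. */
    static CertPathValidatorException findPathFailure(Throwable t) {
        // Bounded walk so a self-referencing cause chain cannot loop forever.
        for (int depth = 0; t != null && depth < 16; t = t.getCause(), depth++) {
            if (t instanceof CertPathValidatorException) {
                return (CertPathValidatorException) t;
            }
        }
        return null;
    }

    /** One-line summary suitable for a handler log line or a test assertion. */
    static String describe(Throwable t) {
        if (!(t instanceof SSLHandshakeException)) {
            return "not a TLS handshake failure: " + t.getClass().getName();
        }
        CertPathValidatorException cpve = findPathFailure(t);
        if (cpve == null) {
            return "handshake failed, no certificate path error in cause chain";
        }
        // getReason() distinguishes INVALID_SIGNATURE from EXPIRED, REVOKED, etc.
        return "peer certificate rejected: reason=" + cpve.getReason()
                + " certIndex=" + cpve.getIndex();
    }

    public static void main(String[] args) {
        // Constructed chain mirroring the trace: SSLHandshakeException ->
        // validator layer -> CertPathValidatorException -> SignatureException.
        Throwable sig = new SignatureException("Signature does not match.");
        Throwable path = new CertPathValidatorException(
                "signature check failed", sig, null, -1, BasicReason.INVALID_SIGNATURE);
        // Stand-in for the JDK-internal sun.security.validator.ValidatorException.
        Throwable validator = new CertificateException("PKIX path validation failed", path);
        SSLHandshakeException handshake = new SSLHandshakeException("PKIX path validation failed");
        handshake.initCause(validator);

        System.out.println(describe(handshake));
        System.out.println(describe(new java.io.IOException("connection reset")));
    }
}
```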
