Re: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Tuesday, October 20, 2009 13:03
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 
> > -----Original Message-----
> > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > > > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > >
> > > > Ok.
> > > > I made the same thing with IE and in the debug it says "null cert
> > > > chain"
> > > > during the client authentication handshake.
> > > > Now I am confused...
> > > >
> > >
> > > Let's step back and look.
> > >
> > > Can you provide the smart card and server certificate chain (no keys
> > > please)?
> >
> > Hang on a second...
> > The server certificate is a self-signed certificate I made with keytool.
> > The smart card certificate, instead, is a real one, which I use to
> > legally sign electronic documents; the issuer is an Italian CA.
> >
> > Do you expect the issuer of the smart card certificate to be
> > the same as the server one?
> 
> Not always.
> 
> Let's take, for example:
> 
> 
> https://mail.pdinc.us <-PD Inc Public CA<-PD Inc Root CA
> 
>  and
> 
> MySmartCard <- DOD EMAIL CA-15 <- DoD Root CA-2
> 
> The smime cert used on this email
> 
> I can use my smart card to auth against the server. But the server must
> know about DoD Root CA-2.
> 


Ok. In my case:


https://localhost <- self signed certificate
and
Mysmartcard <- my certificate <- infocamere root CA

And in my trusted certificates keystore there is infocamere root CA.

Please find attached a signed text file from which you can read my cert info.

Thanks
Marcello


myfile.txt.p7m
Description: S/MIME encrypted message

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Tuesday, October 20, 2009 12:13
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 
> 
> 
> 
> > -----Original Message-----
> > From: Marcello Marangio [mailto:m.maran...@innova.puglia.it]
> > Sent: Tuesday, October 20, 2009 5:10
> > To: 'Tomcat Users List'
> > Subject: Re: client authentication using a smart card
> >
> >
> >
> > > -----Original Message-----
> > > From: Jason Pyeron [mailto:jpye...@pdinc.us]
> > > Sent: Monday, October 19, 2009 20:21
> > > To: 'Tomcat Users List'
> > > Subject: RE: client authentication using a smart card
> > >
> > 
> > > >
> > > >
> > >
> > > Do you have access to IE on Windows for this? If you do, it will be
> > > much quicker, and easier.
> > >
> > > I am just trying to get a baseline established, so I can plow through
> > > with my ten steps.
> > >
> >
> > Ok.
> > I made the same thing with IE and in the debug it says "null
> > cert chain"
> > during the client authentication handshake.
> > Now I am confused...
> >
> 
> Let's step back and look.
> 
> Can you provide the smart card and server certificate chain (no keys
> please)?

Hang on a second...
The server certificate is a self-signed certificate I made with keytool.
The smart card certificate, instead, is a real one, which I use to legally
sign electronic documents; the issuer is an Italian CA.

Do you expect the issuer of the smart card certificate to be the same as the
server one?

How can I print out the certificate chain?
Thanks again
M




Re: client authentication using a smart card

2009-10-20 Thread Marcello Marangio


> -----Original Message-----
> From: Jason Pyeron [mailto:jpye...@pdinc.us]
> Sent: Monday, October 19, 2009 20:21
> To: 'Tomcat Users List'
> Subject: RE: client authentication using a smart card
> 

> >
> >
> 
> Do you have access to IE on Windows for this? If you do, it will be much
> quicker, and easier.
> 
> I am just trying to get a baseline established, so I can plow through
> with my ten steps.
> 

Ok.
I made the same thing with IE and in the debug it says "null cert chain"
during the client authentication handshake.
Now I am confused...

M





Re: client authentication using a smart card

2009-10-19 Thread Marcello Marangio
Hi Jason, thanks for your answer.

> >
> > Hi all
> >
> > This is my very first message in the list.
> >
> > I am trying to use the ssl and client authentication feature
> > in tomcat 6, using a pkcs11 compliant smart card reader and a
> > real authentication smart card (Italian CNS).
> >
> > In the browser (firefox) I obtain a
> 
> First, make sure your browser knows about the certificate and smart card
> reader.
> We have been having with recent Firefox releases on this. The debugging
> steps I would take are:
> 1) Use Windows / IE; if the server requires or requests a client cert it
> will pop up a selection window even if IE does not know how to fulfil the
> request. This will indicate if Tomcat is or is not requesting client certs.
> 2) Verify IE knows about the smart card cert; use certmgr.msc to see if the
> smart card certificate is installed, as well as the trust chain.
> 3) Verify IE prompts for the smart card cert in the client cert popup
> selection dialog.
> 4) Verify Tomcat <-> IE talk over SSL.
> 
> 
> >

It seems that Firefox behaves: if the smart card is in, Firefox asks for the
PIN of the smart card.
I am pretty sure it can read my smartcard, because I can use mod_ssl with
Apache 2.2 and I can read the certificate's information with a perl routine.

Furthermore, from the debug logs it is clear that there is an ssl
handshaking going on.
Any clue?
Thanks
M


[CUT ]

> >
> > Is Tomcat's behavior correct or is it a bug?
> >
> 
> The above steps will allow a quicker diagnosis.
> 
> >
> >
> > Thanks a million
> >
> > Marcello
> >






client authentication using a smart card

2009-10-19 Thread Marcello Marangio
Hi all

This is my very first message in the list.

I am trying to use the SSL and client authentication feature in Tomcat 6,
using a PKCS#11 compliant smart card reader and a real authentication smart
card (Italian CNS).

In the browser (Firefox) I obtain an ssl_error_certificate_unknown_alert or an
ssl_error_bad_certificate_alert.

SSL without client authentication works perfectly.

This is my server configuration:



tomcat.keystore contains the self-signed X.509 certificate I use to perform
the server SSL handshake.

cacerts contains the root certificate of the signature and non-repudiation
certificate contained in my smart card.

From Tomcat's log, obtained by setting
JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:

1) the root certificate is trusted (imported in cacerts with keytool
-import -trustcacert):

adding as trusted cert:
  Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
  Issuer:  CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
  Algorithm: RSA; Serial number: 0x1
  Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016

2) the client certificate is taken from the smart card and it's given
to the server; furthermore, the issuer is exactly the trusted one:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=Marcello Marangio, DNQ=20071112354269, SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO, O=NON PRESENTE, C=IT
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
  Validity: [From: Wed Nov 21 12:11:08 CET 2007,
               To: Sun Nov 21 01:00:00 CET 2010]
  Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del Sistema Camerale, SERIALNUMBER=02313821007, O=InfoCamere SCpA, C=IT
  SerialNumber: [131b58]

3) the browser (Firefox) picks up the correct non-repudiation
certificate from the smart card and sends it to the server:

[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Non_repudiation
]

The problem seems to be that Tomcat is looking for the digital signature
certificate and not the non_repudiation one.

http-8443-1, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: KeyUsage does not allow digital
signatures

Is Tomcat's behavior correct or is it a bug?

Thanks a million
Marcello
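The "KeyUsage does not allow digital signatures" error in the log above comes from the end-entity check JSSE applies to a TLS client certificate: when the KeyUsage extension is present it must include the digitalSignature bit, so a certificate carrying only nonRepudiation (the bit Go calls KeyUsageContentCommitment) is rejected. The Go program below is an added example, not code from this thread or from Tomcat; it builds two constructed self-signed certificates and applies the same rule to each, so you can see which kind of smart card certificate a TLS server will accept before trying it against a live handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedWithUsage builds a throwaway self-signed certificate (constructed
// test data) whose KeyUsage extension carries exactly the bits in ku.
func selfSignedWithUsage(cn string, ku x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientCertUsableForTLS mirrors the end-entity rule behind the "KeyUsage does
// not allow digital signatures" error: an absent KeyUsage extension permits
// every use, but a present one must include the digitalSignature bit.
func ClientCertUsableForTLS(cert *x509.Certificate) bool {
	if cert.KeyUsage == 0 {
		return true // no extension: nothing restricts the key
	}
	return cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
}

func main() {
	// Go names the nonRepudiation bit KeyUsageContentCommitment.
	sig, _ := selfSignedWithUsage("Signature only", x509.KeyUsageContentCommitment)
	auth, _ := selfSignedWithUsage("Authentication", x509.KeyUsageDigitalSignature)
	fmt.Println("nonRepudiation-only cert accepted for TLS client auth:", ClientCertUsableForTLS(sig))
	fmt.Println("digitalSignature cert accepted for TLS client auth:", ClientCertUsableForTLS(auth))
}
```

The first line prints false and the second true, matching what the Tomcat log shows for a signature-only CNS certificate versus an authentication certificate.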