
I'm trying to create an SSL connection with certificates loaded from two files (.p12 and .p7b).
I have tried the following code to load the .p12 file:

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    char[] passwKey = "1234567".toCharArray();
    KeyStore ks = KeyStore.getInstance("PKCS12");            // the .p12 holds the client key + certificate
    ks.load(new FileInputStream("/home/user/Desktop/file.p12"), passwKey);
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passwKey);
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), null, null);       // null trust managers: the JDK's default cacerts are used
    SSLSocketFactory factory = sslContext.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(factory);
    SSLSocket socket = (SSLSocket) factory.createSocket("www.host.com", 8883); // client socket (not a ServerSocket)
    String[] suites = socket.getSupportedCipherSuites();
    socket.setEnabledCipherSuites(suites);                   // enables every supported suite, weak ones included
    socket.startHandshake();

but I receive this exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I believe that I must create a .jks file from the .p12 and .p7b files (which contain the whole CA chain), but I'm a noob at this and I have no idea how to do that. The examples I found were based on a single file/certificate.

UPDATE:

I used the certificate files to create a single keystore (I believe I only needed the .p12 file), but with no luck. So I accessed the site directly, exported the certificate as .pem and added it to a keystore. In my debug information I now receive "ServerHello", but at the end I still get

handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I tried several solutions, for example "Java client certificates over HTTPS/SSL" or "Getting javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Error", with the certificate from the .p12 file I received and with the one exported from the browser, but none of them work...

UPDATE 2:

I tried this: https://stackoverflow.com/a/11908693/1215791 and managed to get to ServerHelloDone (and "Found Trusted Certificate ...").

But what I'm trying to do now is log in with a SOAP request, and I get this:

com.sun.xml.internal.messaging.saaj.soap.MessageImpl identifyContentType
SEVERE: SAAJ0537: Invalid Content-Type. Could be an error message instead of a SOAP message
Exception in thread "main" com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Invalid Content-Type:text/html. Is this an error message instead of a SOAP response?
    at com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnection.call(HttpSOAPConnection.java:148)
    at SoapT.login(SoapT.java:241)
    at SoapT.main(SoapT.java:75)

I believe that this is not a problem with the attached certificates, but an error when creating the SOAP request, or an error (HTML) from the server.

Andrei F
  • I use this site as a reference for keytool commands for managing keystores: https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html. You need to import the whole cert chain and the client certificate into a brand new keystore. – BigMike Apr 09 '13 at 08:54
  • You can edit and convert key stores easily using the Java GUI program Portecle: http://portecle.sourceforge.net/ – Robert Apr 09 '13 at 09:48
  • Yes, I tried that, but I get an error: Could not open ....p12 as a keystore (and the password is correct). So I converted the files into .cer files (the .p7b contained 3 certificate entries) and I created a new keystore file. I imported all 4 files into the keystore (with custom aliases) and saved it as mykeystore.jks. I haven't tried it yet. I'm searching for a Java solution to use .jks, but honestly... "I have no idea what I'm doing..." :) – Andrei F Apr 09 '13 at 10:47

1 Answer

Try not-yet-commons-ssl.

A very easy-to-use SSL library. Create an SSLClient and add trust material.

Example from the webpage:

Client Example:

    import javax.net.ssl.SSLSocket;
    import org.apache.commons.ssl.KeyMaterial;
    import org.apache.commons.ssl.SSLClient;
    import org.apache.commons.ssl.TrustMaterial;

    SSLClient client = new SSLClient();

    // Let's trust usual "cacerts" that come with Java.  Plus, let's also trust a self-signed cert
    // we know of.  We have some additional certs to trust inside a java keystore file.
    client.addTrustMaterial( TrustMaterial.DEFAULT );
    client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
    client.addTrustMaterial( new KeyMaterial( "/path/to/keystore.jks", "changeit".toCharArray() ) );

    // To be different, let's allow for expired certificates (not recommended).
    client.setCheckHostname( true );  // default setting is "true" for SSLClient
    client.setCheckExpiry( false );   // default setting is "true" for SSLClient
    client.setCheckCRL( true );       // default setting is "true" for SSLClient

    // Let's load a client certificate (max: 1 per SSLClient instance).
    client.setKeyMaterial( new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() ) );
    SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );
MaPePeR
  • I noticed the .pem, .jks and .pfx files in your example. My problem is that I cannot manage to get there, i.e. creating those files from my .p12 and .p7b files (I opened the latter in Windows and it contains 3 certificate entries). So how do I get to the format that I need? – Andrei F Apr 09 '13 at 09:18
  • It **should** just work with these file types: .p12 for sure, not so sure about .p7b, give it a try. Also, you can convert a .p7b to a .cer with `openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer`, which will then work with not-yet-commons-ssl. [How to convert Certificates](http://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/) – MaPePeR Apr 09 '13 at 09:28
  • I tried that command and I got an error message (unable to load PKCS7 object). So I used Windows to open that file and I exported those 3 entries to part1.cer, part2.cer, part3.cer. I also read that I need the whole CA chain, so probably I need to use the .p12 file (which I also converted to .cer) and those 3 part .cer files. I have no idea how to use them to obtain a .jks file... – Andrei F Apr 09 '13 at 10:33
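The question's code and the comment thread above both come down to the same missing piece: the SSLContext gets key managers from the .p12 but no trust managers, so the JDK falls back to its default cacerts and cannot build a path to the server's certificate. The following client is added here as an example; it is not code from the question, from the answer, or from not-yet-commons-ssl. It uses the plain JDK API: the .p12 is loaded as the client identity, and the certificates inside the .p7b are read with CertificateFactory, which parses PKCS#7 bundles directly, so the openssl/keytool conversion discussed in the comments is not needed. The .p7b file name (chain.p7b), the alias names and the empty in-memory trust store are assumptions; the .p12 path, password, host and port are the placeholders from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Mutual-TLS client built from the two files in the question (example code, not from the page):
 * the .p12 (client key + certificate) is the key store, the .p7b (CA chain) is the trust store.
 */
public class MutualTlsClient {

    /** Client identity sent in response to the server's CertificateRequest. */
    static KeyManagerFactory keyManagers(String p12Path, char[] password) throws Exception {
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            identity.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password); // PKCS#12 normally uses one password for store and key
        return kmf;
    }

    /** Trust anchors used to validate the server's chain, read straight from a PKCS#7 bundle. */
    static TrustManagerFactory trustManagers(String p7bPath) throws Exception {
        // CertificateFactory accepts a certs-only PKCS#7 SignedData bundle (DER or PEM) and
        // returns every certificate in it, so no conversion to .cer files is needed.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an EMPTY store: only this chain is trusted, not cacerts
        try (InputStream in = new FileInputStream(p7bPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                // Alias scheme "ca-N" is an assumption; intermediates go in as well, which also
                // covers a server that forgets to send them.
                trust.setCertificateEntry("ca-" + i++, c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf;
    }

    static SSLContext context(String p12Path, char[] password, String p7bPath) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // The question's code passes null as the second argument, which is why PKIX path
        // building fails: the JDK then uses its default cacerts, which do not contain this CA.
        ctx.init(keyManagers(p12Path, password).getKeyManagers(),
                 trustManagers(p7bPath).getTrustManagers(),
                 null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "1234567".toCharArray(); // placeholder password from the question
        SSLContext ctx = context("/home/user/Desktop/file.p12", password,
                                 "/home/user/Desktop/chain.p7b"); // .p7b file name is assumed
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket("www.host.com", 8883)) {
            // A raw SSLSocket does not check the host name against the certificate by default.
            SSLParameters params = s.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(params);
            // Keep the JDK's default enabled cipher suites: enabling every *supported* suite,
            // as the question's code does, also switches on NULL and export-grade suites.
            s.startHandshake();
            System.out.println("Negotiated " + s.getSession().getProtocol() + " / "
                    + s.getSession().getCipherSuite() + " with " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run it with `-Djavax.net.debug=ssl,handshake` to see the same ServerHello/ServerHelloDone trace the question quotes. If the server still answers `handshake_failure` after its CertificateRequest, look at the client's Certificate message in that trace: an empty one means the key manager found no private-key entry whose chain matches the issuer names the server asked for, and `keytool -list -v -storetype PKCS12 -keystore file.p12` should show a PrivateKeyEntry with the full chain rather than only the leaf certificate.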