
I have a Java application that receives proxy settings.

  1. I exported der certificate from Burp Suite

  2. Imported this certificate to the java keystore with keytool:

    keytool -import -trustcacerts -file ~/cacert_7.der -alias BURPSUITE -keystore /home/dmitriy/Test/java/lib/security/cacerts -storepass
    
  3. Then checked that it was added:

    keytool -keystore /home/dmitriy/Test/java/lib/security/cacerts -list -storepass 
    
    burp, 03.05.2018, trustedCertEntry, 
    Certificate fingerprint (SHA1): 0A:3E:E0:C0:73:E6:0E:D9:5C:8F:0A:CC:31:E1:33:37:55:2A:85:BF
    
  4. Run my application

    java -jar Chameleon.jar -Djavax.net.ssl.trustStore=/home/dmitriy/Test/java/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=***
    

But I still receive an error:

sun.security.validator.ValidatorException: No trusted certificate found

I imported this certificate into the browser and it works fine, but I have a problem with the Java file.

java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

Trying with Fiddler, I receive the following error:

The server (host.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.

0 - PartialChain

ISSUER: CN=RapidSSL SHA256 CA, O=GeoTrust Inc., C=US

Update:

When run with the parameter -Djavax.net.debug=all:

adding as trusted cert:
  Subject: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Issuer:  OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
  Algorithm: RSA; Serial number: 0x1be715
  Valid from Wed Jan 01 09:00:00 EET 2014 until Fri May 30 10:00:00 EEST 2031

adding as trusted cert:
  Subject: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
  Issuer:  CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Algorithm: RSA; Serial number: 0x236d1
  Valid from Sat Feb 20 00:45:05 EET 2010 until Wed Feb 19 00:45:05 EET 2020

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

I tried regenerating the certificate with the option “Use custom protocols and ciphers”, but the certificate is still not trusted:

Owner: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
Issuer: CN=PortSwigger CA, OU=PortSwigger CA, O=PortSwigger, L=PortSwigger, ST=PortSwigger, C=PortSwigger
Serial number: 536e02a9
Valid from: Sat May 10 13:42:49 EEST 2014 until: Mon May 10 13:42:49 EEST 2038
Certificate fingerprints:
     MD5:  FC:8B:C8:A1:9E:92:08:33:F2:0B:34:F1:48:85:D0:BB
     SHA1: 21:C3:01:1C:9E:7C:06:92:2E:A9:B7:38:12:3B:3D:8E:FA:39:72:17
     SHA256: 36:EE:79:A9:7A:5E:4E:E5:4C:8B:5E:AD:6B:9C:2F:A8:EA:63:A6:65:44:9E:4B:20:5E:DE:EA:37:32:FB:C5:96
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D1 92 05 BB 78 6B 76 71   64 92 E2 F9 9A C8 81 CA  ....xkvqd.......
0010: E1 71 BF 81                                        .q..
]
]

Update 2:

The problem was with trustcacerts: this file was inside the jar archive. So I got this file from the jar, imported my cert, then moved it back, and the application started.

user2264941
  • Do you have more than one certificate in that store? I remember that I once had problems with the order while doing an Apache configuration. That "No trusted certificate" implies that it has a problem identifying it inside the truststore. Maybe really check whether you made a mistake in the path or access to the store; you may not get an exception, but the store in the code would be null, so it cannot find the Burp cert in there. – Marco May 03 '18 at 14:49
  • I recreated this keystore, adding only one certificate; the result is the same. – user2264941 May 03 '18 at 15:04
  • Mh, then the problem is maybe in the jar itself. Give it a try in debug mode to see if the store really is != null and if your cert is actually used in your SSL connection. If the Burp certificate is correct you can test by installing it in a browser, but I suppose this should work. Can you post a sample of how the store is used inside the jar? – Marco May 03 '18 at 15:13
  • Unfortunately I don't know. In Burp Suite I got the message "The client failed to negotiate an SSL connection to test.dot.com:443: Received fatal alert: certificate_unknown", so Burp really receives the request. – user2264941 May 03 '18 at 15:22
  • In the browser all works fine with this certificate. – user2264941 May 03 '18 at 15:22
  • OK, then it's a problem with the jar. I gave some sample code in the answer; maybe you can see what is missing. This sample works for sure, I had something running like this. – Marco May 03 '18 at 15:25
  • What problem can it be with the jar file? The certificate is a Java part, not the jar file. – user2264941 May 05 '18 at 08:35

2 Answers


Here is some example code I can give you for how I used it a while ago. This is actually a more complex case because we used conduit to have two trust/key stores at the same time.

// Imports for the snippet: Apache CXF client API plus JSSE. StringUtils is
// assumed to be commons-lang3. The fields clientConfiguration, port,
// KEYSTORE_PASSWORD and the ClientException type belong to the surrounding
// WsClient class in the answerer's project and are not shown here.
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

private void initializeTransportSecurity() throws ClientException {
    // Only wire up TLS on the conduit when a client keystore is configured.
    if (StringUtils.isNotEmpty(clientConfiguration.getTransportCertKeystore())) {
        final Client client = ClientProxy.getClient(this.port);
        final HTTPConduit httpConduit = (HTTPConduit) client.getConduit();
        TLSClientParameters parameters = new TLSClientParameters();
        parameters.setSSLSocketFactory(createSSLContext().getSocketFactory());
        httpConduit.setTlsClientParameters(parameters);
        HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
        httpConduit.setClient(httpClientPolicy);
    }
}

private SSLContext createSSLContext() throws ClientException {
    // Both stores are read from the classpath (i.e. from inside the jar),
    // not from the JVM's default cacerts file.
    try (InputStream trustIn = WsClient.class.getClassLoader().getResourceAsStream("certs/webserver.jks");
         InputStream keyIn = WsClient.class.getClassLoader()
                 .getResourceAsStream(clientConfiguration.getTransportCertKeystore())) {
        // Server side: truststore with the certificates we accept from the peer
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(trustIn, KEYSTORE_PASSWORD.toCharArray());

        // Client side: keystore with our own certificate and private key
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(keyIn, clientConfiguration.getTransportKeyStorePassword().toCharArray());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, clientConfiguration.getTransportKeyStorePassword().toCharArray());

        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return sslContext;
    } catch (final KeyStoreException | NoSuchAlgorithmException | IOException | CertificateException
             | UnrecoverableKeyException | KeyManagementException e) {
        throw new ClientException(e.getMessage(), e);
    }
}
Marco

It looks like you've followed the correct procedure, as detailed in this post:

However, your java arguments are in the wrong order. Your command to run the application should look something like:

java -Djavax.net.ssl.trustStore=/home/dmitriy/Test/java/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=* -jar Chameleon.jar

PortSwigger
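Two of the checks raised in this thread (does the -D truststore property actually reach the JVM, and does the store the JVM ends up using contain the Burp CA) can be made directly from Java. The following diagnostic is an added example, not code from the question or from either answer. It assumes a truststore password of changeit when none is supplied, and it looks for the SHA-1 fingerprint that the question's keytool -list output shows; both are assumptions about the reader's setup, not facts from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Truststore diagnostic (added example, not from the question or answers).
 * Run it with the same JVM options as the real application to see which
 * store the JVM resolves and whether the expected CA is inside it.
 */
public class TrustStoreCheck {

    // SHA-1 fingerprint printed by keytool -list in the question (assumed to be the Burp CA).
    static final String EXPECTED_SHA1 =
        "0A:3E:E0:C0:73:E6:0E:D9:5C:8F:0A:CC:31:E1:33:37:55:2A:85:BF";

    /** The file the JVM will use: the -D property if set, otherwise JAVA_HOME/lib/security/cacerts. */
    static Path effectiveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        // If -Djavax.net.ssl.trustStore was written after -jar, it was handed to
        // main(String[]) as a program argument and this property is null.
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Colon-separated upper-case SHA-1 fingerprint, in keytool's format. */
    static String sha1Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    /** Returns the alias whose certificate has the expected fingerprint, or null if absent. */
    static String findByFingerprint(KeyStore ks, String expected) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c != null && sha1Fingerprint(c).equalsIgnoreCase(expected)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        Path store = effectiveTrustStore();
        // "changeit" is the stock cacerts password; assumed default for this check.
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("effective truststore     = " + store
            + (Files.exists(store) ? "" : "  (DOES NOT EXIST)"));
        if (args.length > 0) {
            // Anything listed here was never seen by the JVM as an option.
            System.out.println("program arguments: " + String.join(" ", args));
        }

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password.toCharArray());
        }
        System.out.println("entries in store: " + ks.size());

        String alias = findByFingerprint(ks, EXPECTED_SHA1);
        System.out.println(alias == null
            ? "expected CA NOT present in this store"
            : "expected CA present under alias '" + alias + "'");

        // Build a TrustManager from exactly this store and report how many anchors it accepts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        System.out.println("accepted issuers in TrustManager: " + tm.getAcceptedIssuers().length);

        // Installing this context makes HttpsURLConnection use this store explicitly,
        // independent of where the -D options ended up.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(ctx);
    }
}
```

Launch it the same way the application is launched, e.g. `java -Djavax.net.ssl.trustStore=/path/to/cacerts -Djavax.net.ssl.trustStorePassword=... TrustStoreCheck`. If the first line prints `null` and the `-D` options show up under "program arguments", they were placed after `-jar` and never reached the JVM, which is the ordering point made in the second answer. If the effective store resolves to a file under `java.home` rather than the one you imported into, the application is validating against a store you did not edit, which is the situation described in Update 2.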