
List:       bouncycastle-crypto-dev
Subject:    Re: [dev-crypto] TLS with Netty is not working
From:       Rogan Dawes <rogan () dawes ! za ! net>
Date:       2017-10-24 5:41:00
Message-ID: CAOYdKdjEsEx6vFcakLuL5MCYbJ2oA4TcSRjn_-B7L-i1bZDCFA () mail ! gmail ! com

My apologies, re-reading your email, there was a workaround, by creating
the KeyManagerFactory myself.

Sorry for the noise.

I'm still curious as to how you got my example code to work, though, in the
absence of the SecureRandom instance passed to SSLContext.init()?

    SSLContext ctx = sslContextProvider == null
        ? SSLContext.getInstance(PROTOCOL)
        : SSLContext.getInstance(PROTOCOL, sslContextProvider);

    ctx.init(keyManagerFactory.getKeyManagers(),
             trustManagerFactory == null ? null : trustManagerFactory.getTrustManagers(),
             null);


Thanks!

Rogan



On Tue, Oct 24, 2017 at 7:26 AM Rogan Dawes <rogan@dawes.za.net> wrote:

> Hi Peter,
>
> It seems like your response to me was routed to /dev/null somehow.
>
> Can you explain what it is about the standard KeyManagerFactory that
> BCJSSE doesn't like?
>
> The Netty API has a limited interface for their SslContextBuilder, when it
> comes to providing key material:
>
> forServer(File keyCertChainFile, File keyFile)
> forServer(File keyCertChainFile, File keyFile, String keyPassword)
> forServer(InputStream keyCertChainInputStream, InputStream keyInputStream)
> forServer(InputStream keyCertChainInputStream, InputStream keyInputStream,
> String keyPassword)
> forServer(KeyManagerFactory keyManagerFactory)
> forServer(PrivateKey key, String keyPassword, X509Certificate...
> keyCertChain)
> forServer(PrivateKey key, X509Certificate... keyCertChain)
>
> For my purposes, I want to use a very specific keypair from a JKS
> keystore, so I initialise the SslContextBuilder with that PrivateKey and
> X509Certificate[] directly. Is there a workaround that doesn't require
> modifying the global Security property?
>
> Also, I realised that my attempts to provide an SSCCE failed, because I
> had modified/replaced some of the Netty classes in my own project, because
> they were initialising the SslContext with a null SecureRandom, which
> results in a NoSuchAlgorithmException being thrown ("unable to create
> TlsCrypto: DEFAULT SecureRandom not available"). So I'm really curious as
> to how you managed to get my example working without that modification?
>
> Regards,
>
> Rogan
>
>
> On Sun, Oct 22, 2017 at 12:56:29PM +0700, Peter Dettman wrote:
> > Hi Mashar,
> >
> > Please refer to my reply from last week:
> >     http://bouncycastle.org/devmailarchive/msg15444.html
> >
> > In short, BCJSSE server currently works only with BCJSSE "PKIX"
> > KeyManagerFactory, so you probably just need to specify the provider
> > explicitly here:
> >
> >     KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
> >
> > The original code may work if you modify your java.security configuration:
> >
> >     ssl.KeyManagerFactory.algorithm=PKIX
> >
> > Regards,
> > Pete Dettman
> >
> > Please refer to my reply to
> > On 19/10/17 8:19 pm, Mashar Yazici wrote:
> > > Can anybody help me on the problem?
> > >
> > > I am trying to provide a TLS service with Netty 4.1.16 using the Bouncy
> > > Castle FIPS providers, which are bc-fips-1.0.0 and bctls-fips-1.0.0.
> > > Actually, it is working on a Windows environment,
> > > but I have not been able to run it on Red Hat Linux with the following
> > > properties
> > >
> > > OS configuration:
> > > OS runs fips enabled mode
> > > Red Hat Enterprise Linux Server release 6.7 (Santiago)
> > > Linux  2.6.32-696.6.3.el6.x86_64 #1 SMP Fri Jun 30 13:24:18 EDT 2017
> > > x86_64 x86_64 x86_64 GNU/Linux
> > >
> > > I observed on Linux that while the JVM is starting up, the sslContext takes
> > > time to load.
> > > The problem is that the client, which is Chrome, sends a client hello but
> > > the server does not get back
> > >
> > >
> > > Here is the related part of my code:
> > >
> > > KeyStore ks = KeyStore.getInstance("PKCS12", "BCFIPS");
> > > FileInputStream fin = new FileInputStream(keyStoreFilePath);
> > > ks.load(fin, keyStoreFilePassword.toCharArray());
> > > KeyManagerFactory kmf =
> > > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> > > kmf.init(ks, keyStoreFilePassword.toCharArray());
> > >
> > > sslContext = SslContextBuilder.forServer(kmf)
> > >     .sslContextProvider(Security.getProvider("BCJSSE"))
> > >     .build();
> > > I add sslContext into netty with following line
> > >
> > > ch.pipeline().addLast( sslContext.newHandler(ch.alloc()));
> > >
> > >
> > >
> > >
> > >
> > > java.security
> > >
> > > security.provider.1=sun.security.provider.Sun
> > > security.provider.2=sun.security.rsa.SunRsaSign
> > > security.provider.3=sun.security.ec.SunEC
> > > security.provider.4=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
> > > security.provider.5=com.sun.net.ssl.internal.ssl.Provider
> > > security.provider.6=com.sun.crypto.provider.SunJCE
> > > security.provider.7=sun.security.jgss.SunProvider
> > > security.provider.8=com.sun.security.sasl.Provider
> > > security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
> > > security.provider.10=sun.security.smartcardio.SunPCSC
> > > security.provider.11=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> > >
> >
> >
>
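Putting Peter's fix (a BCJSSE "PKIX" KeyManagerFactory named explicitly) and Rogan's point about the null SecureRandom together, as an added example that is not code from this thread, from Netty or from Bouncy Castle. The helper class is hypothetical; it assumes Netty 4.1's JdkSslContext(SSLContext, boolean, ClientAuth) constructor and that BCFIPS registers its DRBG under the name "DEFAULT" (the name that appears in the error message quoted above).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.JdkSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

/** Added example: two ways to get a BCJSSE-backed Netty server context (hypothetical helper class). */
public final class BcjsseNettyServerContext {
    /** Loads the server keystore through the FIPS provider, as in Mashar's snippet. */
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12", "BCFIPS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** BCJSSE's server side only accepts its own PKIX KeyManagerFactory, so name both the
     *  algorithm and the provider instead of relying on KeyManagerFactory.getDefaultAlgorithm(). */
    static KeyManagerFactory bcjsseKeyManagerFactory(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX", "BCJSSE");
        kmf.init(ks, password);
        return kmf;
    }

    /** Option A: Peter's fix with the unchanged Netty builder (Netty still calls init(..., null)). */
    public static SslContext viaNettyBuilder(String path, char[] password) throws Exception {
        KeyManagerFactory kmf = bcjsseKeyManagerFactory(loadKeyStore(path, password), password);
        return SslContextBuilder.forServer(kmf)
                .sslContextProvider(Security.getProvider("BCJSSE"))
                .build();
    }

    /** Option B: build the SSLContext yourself with an explicit SecureRandom, so BCJSSE never
     *  has to look up "DEFAULT" on its own, then wrap it for Netty without patching Netty. */
    public static SslContext viaExplicitContext(String path, char[] password) throws Exception {
        KeyManagerFactory kmf = bcjsseKeyManagerFactory(loadKeyStore(path, password), password);
        SecureRandom random = SecureRandom.getInstance("DEFAULT", "BCFIPS"); // assumption: BCFIPS DRBG name
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(kmf.getKeyManagers(), null, random); // null trust managers: no client auth here
        return new JdkSslContext(ctx, false, ClientAuth.NONE); // assumption: Netty 4.1 constructor
    }
}
```

Option A stays within the public Netty API; option B is the route to take when the TlsCrypto "DEFAULT SecureRandom not available" failure appears, because the random is supplied by you rather than resolved by BCJSSE.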



