Here's the server code I use. My keys/certs may be set up a little
differently from yours, but this code supports client cert handshakes
with browser clients and curl clients. In this case, the CAs that sign the
client certs are stored in /etc/pki/ca.jks along with the CA that signed
that ewallet.p12 file. Unfortunately, I don't have any Restlet client code
to send you, but you can try testing by setting up a client cert in Firefox.
import org.restlet.Context

// Configures the HTTPS server connector for client-certificate handshakes.
// The truststore (set JVM-wide via system properties) holds the CAs that sign
// the client certs; the PKCS12 wallet holds this server's own key and cert.
static void setUpSSL(Context workingCtx)
{
    // CA keystore used to validate client certs
    System.setProperty('javax.net.ssl.trustStore', '/etc/pki/ca.jks');
    System.setProperty('javax.net.ssl.trustStorePassword',
        System.getenv('TRUSTSTORE_PASS'));
    // PKIX-aware SSL context factory from the Restlet SSL extension
    workingCtx.getParameters().add("sslContextFactory",
        "org.restlet.ext.ssl.PkixSslContextFactory");
    // Server identity: one PKCS12 wallet per virtual host
    workingCtx.getParameters().add("keystorePath",
        "/etc/pki/wallets/${System.getenv('VIRTUAL_HOST')}/ewallet.p12");
    workingCtx.getParameters().add("keystorePassword",
        System.getenv('KEYSTORE_PASS'));
    workingCtx.getParameters().add("keystoreType", "PKCS12");
    // Password of the private key inside the wallet (may differ from the keystore password)
    workingCtx.getParameters().add("keyPassword",
        System.getenv('KEY_PASS'));
    workingCtx.getParameters().add("certAlgorithm", "SunX509");
}
On Wed, Dec 16, 2009 at 11:06 AM, <[email protected]> wrote:
> Hi,
>
> I'm trying to use the Simple HTTPS library to set up an HTTPS connection
> with mutual PKI authentication, after successful server-only authentication.
>
> For the server-only authentication, I created a JKS keystore and modified
> the client/server samples in
> src\org.restlet.example\org\restlet\example\book\restlet\ch11\{BasicHttpsServer.java,BasicHttpsClient.java}
> to load that store.
> The client GET request returned the 200 OK.
>
> For the mutual authentication, the BasicHttpsServer.java becomes:
>
> System.setProperty("javax.net.ssl.trustStore",
> keystoreFile.getAbsolutePath());
> System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>
> // Component declaring only one HTTPS server connector.
> Component component = new Component();
> Server server = component.getServers().add(Protocol.HTTPS, 8182);
> component.getDefaultHost().attach("/helloWorld", restlet);
>
> // Update server's context with keystore parameters.
> server.getContext().getParameters().add("keystorePath",
> keystoreFile.getAbsolutePath());
> server.getContext().getParameters().add("keystorePassword",
> "changeit");
> server.getContext().getParameters().add("keyPassword", "server");
> server.getContext().getParameters().add("needClientAuthentication",
> "true");
>
>
> and the BasicHttpsClient.java becomes:
>
> System.setProperty("javax.net.ssl.trustStore",
> keystoreFile.getAbsolutePath());
> System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
>
> Component component = new Component();
> Client client = component.getClients().add(Protocol.HTTPS);
> client.getContext().getParameters().add("keystorePath",
> keystoreFile.getAbsolutePath());
> client.getContext().getParameters().add("keystorePassword",
> "changeit");
> client.getContext().getParameters().add("keyPassword", "server");
>
> which is very similar to the server. I used the same jks keystore file for
> both client and server to make sure they have the same CA. However, the
> client GET request returns this error status:
>
> Communication Error (1001) - Software caused connection abort: recv failed
>
> I also tried to load client side keystore with these:
>
> System.setProperty("javax.net.ssl.keyStore",
> keystoreFile.getAbsolutePath());
> System.setProperty("javax.net.ssl.keyStorePassword", "changeit");
>
> But I got an error status:
> Communication Error (1001) - Default SSL context init failed: Cannot
> recover key
>
> I suspect the client would not find the key from the keystore because Java
> does not provide such property "javax.net.ssl.keyPassword".
>
> Does anyone know what is wrong?
>
> For mutual authentication, how do I set up the trustStore on the server
> side, and how do I set up the keystore on the client side?
>
> Thanks a lot.
>
> Li
>
> ------------------------------------------------------
>
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2430830
>
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2430838
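A worked example for the mutual-authentication setup discussed in both messages above. This is an added example, not code from either poster or from the Restlet project; it assumes Restlet 2.x package names, the DefaultSslContextFactory parameter names (keystorePath, keystorePassword, keystoreType, keyPassword, truststorePath, truststorePassword) and the needClientAuthentication connector parameter, and the file paths and environment variable names are placeholders. Two points it is meant to show: first, the JDK's javax.net.ssl.keyStorePassword property is also used as the private-key password, so a key protected with a different password (as with keystorePassword "changeit" and keyPassword "server") cannot be loaded that way and fails with "Cannot recover key"; initialising the KeyManagerFactory yourself, or giving the connector a separate keyPassword, lets the two differ. Second, each side needs both a keystore (its own key and certificate) and a truststore (the CA that issued the peer's certificate), and with needClientAuthentication set the server cuts off any client that presents no certificate during the handshake, which the client sees as a connection abort rather than an HTTP status.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.restlet.Client;
import org.restlet.Component;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.MediaType;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.util.Series;

/**
 * Mutual TLS with Restlet 2.x (added example; paths and env var names are assumptions).
 * Both sides carry a keystore (own key + cert) AND a truststore (the CA that issued
 * the peer's cert); the server additionally demands a client certificate.
 */
public class MutualTlsSetup {

    /**
     * The same SSLContext built with plain JDK APIs, to show where "Cannot recover key"
     * comes from: the javax.net.ssl.keyStorePassword property is handed to the
     * KeyManagerFactory as the private-key password too. Initialising the factory
     * yourself lets the keystore password and the key password differ.
     */
    public static SSLContext buildMutualTlsContext(String keystorePath, String keystoreType,
            char[] keystorePass, char[] keyPass, String truststorePath, char[] truststorePass)
            throws Exception {
        KeyStore keystore = KeyStore.getInstance(keystoreType);
        try (InputStream in = new FileInputStream(keystorePath)) {
            keystore.load(in, keystorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPass); // key password, which may differ from keystorePass

        KeyStore truststore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore); // only the CA certs allowed to issue peer certificates

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** HTTPS server connector: own identity from the wallet, client CAs from the truststore. */
    public static Server configureServer(Component component, int port) {
        Server server = component.getServers().add(Protocol.HTTPS, port);
        Series<Parameter> p = server.getContext().getParameters();
        p.add("keystorePath", "/etc/pki/server/ewallet.p12");          // assumed path
        p.add("keystoreType", "PKCS12");
        p.add("keystorePassword", System.getenv("KEYSTORE_PASS"));
        p.add("keyPassword", System.getenv("KEY_PASS"));                // private-key password
        p.add("truststorePath", "/etc/pki/ca.jks");                     // CA(s) that sign client certs
        p.add("truststorePassword", System.getenv("TRUSTSTORE_PASS"));
        p.add("needClientAuthentication", "true");                      // no client cert, no connection
        return server;
    }

    /** HTTPS client connector: the mirror image, with the client's own cert in its keystore. */
    public static Client configureClient(Component component) {
        Client client = component.getClients().add(Protocol.HTTPS);
        Series<Parameter> p = client.getContext().getParameters();
        p.add("keystorePath", "/etc/pki/client/client.p12");            // assumed path
        p.add("keystoreType", "PKCS12");
        p.add("keystorePassword", System.getenv("CLIENT_KEYSTORE_PASS"));
        p.add("keyPassword", System.getenv("CLIENT_KEY_PASS"));
        p.add("truststorePath", "/etc/pki/ca.jks");                     // CA that signed the server cert
        p.add("truststorePassword", System.getenv("TRUSTSTORE_PASS"));
        return client;
    }

    public static void main(String[] args) throws Exception {
        Component component = new Component();
        configureServer(component, 8182);
        configureClient(component);
        component.getDefaultHost().attach("/helloWorld", new Restlet() {
            @Override
            public void handle(Request request, Response response) {
                response.setEntity("hello, authenticated client", MediaType.TEXT_PLAIN);
            }
        });
        component.start();
    }
}
```

Scoping the truststore to the connector, as above, is preferable to the javax.net.ssl.trustStore system property used in both messages: that property replaces the JVM-wide default truststore, so a store holding only a private CA also breaks every outbound TLS connection the process makes to publicly signed hosts. To test the server from outside the JVM, curl can present a client certificate with `curl --cacert ca.pem --cert client.pem --key client.key https://host:8182/helloWorld`; the same request without `--cert` should be refused during the handshake.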