RE: Client HTTPS Invalid keystore format
Hello Jerome, hello Bruno,

I've regenerated the keystore and the .jks using your advice to set localhost instead of serverX. I also added the org.restlet.ext.net in the path and now it works perfectly!

Thanks a lot Bruno and Jerome!

Kind regards,
Laurent Garrigues

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386743

RE: Client HTTPS Invalid keystore format
Hi Bruno,

I've just checked in some enhancements to the StreamClientHelper class to make it more robust regarding presence of key and trust store. Especially, we don't try anymore to init a key store if we don't have the key password which is mandatory.

I've attached the latest version in SVN trunk and my minimal test client.

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

-----Original Message-----
From: news [mailto:n...@ger.gmane.org] On behalf of Bruno Harbulot
Sent: Friday 21 August 2009 19:26
To: discuss@restlet.tigris.org
Subject: Re: Client HTTPS Invalid keystore format

Hi Laurent,

Laurent Garrigues wrote:
> keytool -genkey -v -alias serverX -dname CN=serverX,OU=IT,O=JPC,C=GB -keypass password -keystore serverX.jks -storepass password -keyalg RSA -sigalg MD5withRSA -keysize 2048 -validity 3650

I'd suggest using SHA1withRSA instead of MD5withRSA, since there have been known exploits against MD5.

Just to clarify for the rest of your experiment, since you're testing using localhost, the DN must be something like CN=localhost,

> keytool -export -v -alias serverX -file serverX.cer -keystore serverX.jks -storepass password
> sudo keytool -delete -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit
> sudo keytool -import -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit
>
> On my server I have this line for configuring the https :
>
> System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts");
> System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

You don't really need these lines above, since they are the default values. In addition, unless you're planning to use client-certificate authentication, you don't really need to configure the trust store on the server side.

> Server server = component.getServers().add(Protocol.HTTPS, 8283);
> Series<Parameter> parameters = server.getContext().getParameters();
> /* Required for HTTPS */
> parameters.add("sslContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");

Unless you're planning to use client-certificate authentication, the DefaultSslContextFactory should be sufficient:

    parameters.add("sslContextFactory", "org.restlet.util.DefaultSslContextFactory");

(or com.noelios.restlet with Restlet 1.x).

> parameters.add("keystorePath", "/home/laurent/Bureau/serverX.jks");
> parameters.add("keystorePassword", "password");
> parameters.add("keyPassword", "password");
> parameters.add("keystoreType", "JKS");

On the client side, I suspect you might have found a bug in org.restlet.engine.http.StreamClientHelper. It seems to be expecting a keystore file in ~/.keystore by default, which you probably don't need anyway (unless using client-cert auth). If you have such a file, I'd try to move it out of the way to see if it makes a difference (although I'd expect that not finding the file would make the StreamClientHelper throw a FileNotFoundException).

Alternatively, I'd use another connector than the StreamClientHelper if you can: do you have either org.restlet.ext.net or org.restlet.ext.httpclient (with their dependencies) on your classpath?

Best wishes,
Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386072

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386469

StreamClientHelper.java
Description: Binary data

HttpsClient.java
Description: Binary data

RE: Re: Client HTTPS Invalid keystore format
Hi Bruno,

First, thanks for your response. I created my files on my Desktop, using the commands given on http://wiki.restlet.org/docs_2.0/13-restlet/27-restlet/46-restlet/213-restlet.html so my commands were (on laur...@laurent-desktop:~/Bureau) :

    keytool -genkey -v -alias serverX -dname CN=serverX,OU=IT,O=JPC,C=GB -keypass password -keystore serverX.jks -storepass password -keyalg RSA -sigalg MD5withRSA -keysize 2048 -validity 3650
    keytool -export -v -alias serverX -file serverX.cer -keystore serverX.jks -storepass password
    sudo keytool -delete -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit
    sudo keytool -import -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit

On my server I have this line for configuring the https :

    System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    Server server = component.getServers().add(Protocol.HTTPS, 8283);
    Series<Parameter> parameters = server.getContext().getParameters();
    /* Required for HTTPS */
    parameters.add("sslContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");
    parameters.add("keystorePath", "/home/laurent/Bureau/serverX.jks");
    parameters.add("keystorePassword", "password");
    parameters.add("keyPassword", "password");
    parameters.add("keystoreType", "JKS");

I have not configured anything more (but I am a beginner in Restlet and in security, such as generating certificates or using the SSL protocol).

Thanks in advance for your help.

Kind regards,
Laurent Garrigues

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386027

Re: Client HTTPS Invalid keystore format
Hi Laurent,

Laurent Garrigues wrote:
> keytool -genkey -v -alias serverX -dname CN=serverX,OU=IT,O=JPC,C=GB -keypass password -keystore serverX.jks -storepass password -keyalg RSA -sigalg MD5withRSA -keysize 2048 -validity 3650

I'd suggest using SHA1withRSA instead of MD5withRSA, since there have been known exploits against MD5.

Just to clarify for the rest of your experiment, since you're testing using localhost, the DN must be something like CN=localhost,

> keytool -export -v -alias serverX -file serverX.cer -keystore serverX.jks -storepass password
> sudo keytool -delete -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit
> sudo keytool -import -alias serverX -file serverX.cer -keystore /usr/lib/jvm/java-6-sun/jre/lib/security/cacerts -storepass changeit
>
> On my server I have this line for configuring the https :
>
> System.setProperty("javax.net.ssl.trustStore", "/usr/lib/jvm/java-6-sun/jre/lib/security/cacerts");
> System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

You don't really need these lines above, since they are the default values. In addition, unless you're planning to use client-certificate authentication, you don't really need to configure the trust store on the server side.

> Server server = component.getServers().add(Protocol.HTTPS, 8283);
> Series<Parameter> parameters = server.getContext().getParameters();
> /* Required for HTTPS */
> parameters.add("sslContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");

Unless you're planning to use client-certificate authentication, the DefaultSslContextFactory should be sufficient:

    parameters.add("sslContextFactory", "org.restlet.util.DefaultSslContextFactory");

(or com.noelios.restlet with Restlet 1.x).

> parameters.add("keystorePath", "/home/laurent/Bureau/serverX.jks");
> parameters.add("keystorePassword", "password");
> parameters.add("keyPassword", "password");
> parameters.add("keystoreType", "JKS");

On the client side, I suspect you might have found a bug in org.restlet.engine.http.StreamClientHelper. It seems to be expecting a keystore file in ~/.keystore by default, which you probably don't need anyway (unless using client-cert auth). If you have such a file, I'd try to move it out of the way to see if it makes a difference (although I'd expect that not finding the file would make the StreamClientHelper throw a FileNotFoundException).

Alternatively, I'd use another connector than the StreamClientHelper if you can: do you have either org.restlet.ext.net or org.restlet.ext.httpclient (with their dependencies) on your classpath?

Best wishes,
Bruno.

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2386072

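The two certificate points raised in the reply above (signature algorithm and CN=localhost) can be checked directly on the generated .jks. This is an added example, not code from the thread or from Restlet; the class name and argument order are hypothetical, and it goes beyond the thread's advice by also flagging SHA-1, which has since been deprecated for certificate signatures.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example; class name and argument order are hypothetical. */
public class ServerCertCheck {

    /** Returns the CN of the subject DN, or null if there is none. */
    static String commonName(X509Certificate cert) throws Exception {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
        }
        return null;
    }

    /** MD2/MD5 are broken for signatures; SHA-1 is deprecated as well. */
    static boolean weakSignature(String sigAlg) {
        String a = sigAlg.toUpperCase(Locale.ROOT);
        return a.startsWith("MD2") || a.startsWith("MD5") || a.startsWith("SHA1");
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ServerCertCheck <keystore.jks> <storepass> <expected host>
        String path = args[0], host = args[2];
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) c;
            String cn = commonName(cert);
            System.out.printf("%s: sigAlg=%s%s, CN=%s%s%n", alias,
                    cert.getSigAlgName(),
                    weakSignature(cert.getSigAlgName()) ? " (WEAK)" : "",
                    cn,
                    host.equalsIgnoreCase(cn) ? "" : " (does not match " + host + ")");
            if (cert.getSubjectAlternativeNames() != null) {
                System.out.println("  has subjectAltName entries; clients match those before CN");
            }
        }
    }
}
```

Run against the serverX.jks from the thread with `localhost` as the expected host, it would report both the MD5withRSA signature and the CN=serverX mismatch.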
Client HTTPS Invalid keystore format
Hello,

I'm using restlet 2.0 and I've issues with the HTTPS for my client application. I'm testing on a localhost, so my client and my server are on the same computer. The aim of my application is to put some information into a database. When I launch my client application I get the following error :

    java.io.IOException: Invalid keystore format
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at org.restlet.engine.http.StreamClientHelper.createSecureSocketFactory(StreamClientHelper.java:187)
        at org.restlet.engine.http.StreamClientHelper.createSocketFactory(StreamClientHelper.java:258)
        at org.restlet.engine.http.StreamClientHelper.create(StreamClientHelper.java:153)
        at org.restlet.engine.http.HttpClientAdapter.toSpecific(HttpClientAdapter.java:522)
        at org.restlet.engine.http.HttpClientHelper.handle(HttpClientHelper.java:106)
        at org.restlet.Client.handle(Client.java:223)
        at org.restlet.resource.ClientResource.handle(ClientResource.java:583)
        at org.restlet.resource.ClientResource.handle(ClientResource.java:558)
        at org.restlet.resource.ClientResource.get(ClientResource.java:392)
        at client.ClientMain.main(ClientMain.java:96)

I've regenerated the jks file but the error is still there. I've tried to use the application in a browser (after implementing a get method) and I didn't get the error, but when I tried the get in the client, the error is back again.

Have I missed something in the https configuration of my client?

Please find below the details of my client application:

    public class ClientMain {
        @SuppressWarnings("unchecked")
        public static void main(String[] args) throws IOException, ResourceException {
            ClientResource itemsResource = new ClientResource("https://localhost:8283/items");
            itemsResource.setChallengeResponse(ChallengeScheme.HTTP_BASIC, "root", "root");

            /* invoice part */
            JSONObject json = new JSONObject();
            json.put("Client_id", 80);
            json.put("Denomination", "rien du tout");

            /* invoice lines part */
            String[][] lignes_factures = new String[1][4];
            lignes_factures[0][0] = "Facture 1";
            lignes_factures[0][1] = "Achat de croquettes";
            lignes_factures[0][2] = "60";
            lignes_factures[0][3] = "600";
            json.put("lignes_associées", lignes_factures);

            /*Representation r = */ itemsResource.post(getRepresentation(json));
        }

        @SuppressWarnings("unchecked")
        public static Representation getRepresentation(JSONObject json) {
            Representation rep = new JsonRepresentation(json);
            return rep;
        }
    }

Thanks in advance for your help.

Kind regards,
Laurent Garrigues

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2385623

Re: Client HTTPS Invalid keystore format
Hi Laurent,

Where do you put this file and/or where do you configure it (are you passing it via system properties)? It might not be using the file you want. I suspect that, if you haven't configured anything more, it would be using the cacerts file provided with your JRE.

Best wishes,
Bruno.

webp...@tigris.org wrote:
> Hello,
>
> I'm using restlet 2.0 and I've issues with the HTTPS for my client application. I'm testing on a localhost, so my client and my server are on the same computer. The aim of my application is to put some information into a database. When I launch my client application I get the following error :
>
> java.io.IOException: Invalid keystore format
>     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
>     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
>     at java.security.KeyStore.load(KeyStore.java:1185)
>     at org.restlet.engine.http.StreamClientHelper.createSecureSocketFactory(StreamClientHelper.java:187)
>     at org.restlet.engine.http.StreamClientHelper.createSocketFactory(StreamClientHelper.java:258)
>     at org.restlet.engine.http.StreamClientHelper.create(StreamClientHelper.java:153)
>     at org.restlet.engine.http.HttpClientAdapter.toSpecific(HttpClientAdapter.java:522)
>     at org.restlet.engine.http.HttpClientHelper.handle(HttpClientHelper.java:106)
>     at org.restlet.Client.handle(Client.java:223)
>     at org.restlet.resource.ClientResource.handle(ClientResource.java:583)
>     at org.restlet.resource.ClientResource.handle(ClientResource.java:558)
>     at org.restlet.resource.ClientResource.get(ClientResource.java:392)
>     at client.ClientMain.main(ClientMain.java:96)
>
> I've regenerated the jks file but the error is still there. I've tried to use the application in a browser (after implementing a get method) and I didn't get the error, but when I tried the get in the client, the error is back again.
>
> Have I missed something in the https configuration of my client?
>
> Please find below the details of my client application:
>
> public class ClientMain {
>     @SuppressWarnings("unchecked")
>     public static void main(String[] args) throws IOException, ResourceException {
>         ClientResource itemsResource = new ClientResource("https://localhost:8283/items");
>         itemsResource.setChallengeResponse(ChallengeScheme.HTTP_BASIC, "root", "root");
>
>         /* invoice part */
>         JSONObject json = new JSONObject();
>         json.put("Client_id", 80);
>         json.put("Denomination", "rien du tout");
>
>         /* invoice lines part */
>         String[][] lignes_factures = new String[1][4];
>         lignes_factures[0][0] = "Facture 1";
>         lignes_factures[0][1] = "Achat de croquettes";
>         lignes_factures[0][2] = "60";
>         lignes_factures[0][3] = "600";
>         json.put("lignes_associées", lignes_factures);
>
>         /*Representation r = */ itemsResource.post(getRepresentation(json));
>     }
>
>     @SuppressWarnings("unchecked")
>     public static Representation getRepresentation(JSONObject json) {
>         Representation rep = new JsonRepresentation(json);
>         return rep;
>     }
> }
>
> Thanks in advance for your help.
>
> Kind regards,
> Laurent Garrigues
>
> --
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2385623

--
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2385709
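To find out which file the client is actually loading and why the JKS loader rejects it, the candidate file's header can be inspected before handing it to KeyStore. This is an added diagnostic example, not code from the thread or from Restlet; the class name and command-line arguments are hypothetical, and it defaults to the ~/.keystore path mentioned elsewhere in this thread.

```java
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

/** Added diagnostic example; the class name and arguments are hypothetical. */
public class KeystoreProbe {

    /** Classifies a key store file by its first four bytes. */
    static String sniff(String path) throws IOException {
        try (DataInputStream in = new DataInputStream(new FileInputStream(path))) {
            int magic = in.readInt(); // big-endian, as in the JKS header
            if (magic == 0xFEEDFEED) return "JKS";
            if (magic == 0xCECECECE) return "JCEKS";
            if ((magic >>> 24) == 0x30) return "DER data (PKCS12 store or bare certificate)";
            if (magic == 0x2D2D2D2D) return "PEM text (starts with ----)";
            return String.format("unrecognised (0x%08X)", magic);
        } catch (EOFException e) {
            return "empty or shorter than 4 bytes";
        }
    }

    public static void main(String[] args) throws Exception {
        // Default to the file the thread suspects the client picks up implicitly.
        String path = args.length > 0 ? args[0]
                : System.getProperty("user.home") + "/.keystore";
        // A null password still parses the file but skips the integrity check.
        char[] pass = args.length > 1 ? args[1].toCharArray() : null;

        System.out.println(path + " looks like: " + sniff(path));

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
            System.out.println("Loaded through the JKS type, entries: " + ks.size());
        } catch (IOException e) {
            // "Invalid keystore format" means the bytes are not JKS; a wrong
            // password is reported as tampering or incorrect password instead.
            System.out.println("JKS load failed: " + e.getMessage());
        }
    }
}
```

Newer JDKs may also accept a PKCS12 file through the JKS type, so the header result is the more reliable indication of what the file really is.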