Hi all,
This is my very first message on the list.
I am trying to use the SSL and client authentication feature in Tomcat 6,
using a PKCS#11 compliant smart card reader and a real authentication smart
card (Italian CNS).
In the browser (Firefox) I obtain an ssl_error_certificate_unknown_alert or an
ssl_error_bad_certificate_alert.
SSL without client authentication works perfectly.
This is my server configuration:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="C:\apache-tomcat-6.0.20\conf\tomcat.keystore"
           keystorePass="tomcat" keyAlias="tomcat"
           truststoreFile="C:\apache-tomcat-6.0.20\conf\cacerts"
           truststorePass="changeit"/>
tomcat.keystore contains the self-signed X.509 certificate I use to perform
the server SSL handshake.
cacerts contains the root certificate of the signature and non-repudiation
certificate contained in my smart card.
From Tomcat's log, obtained by setting
JAVA_OPTS=-Djavax.net.debug=ssl,handshake, I am sure that:
1) the root certificate is trusted (imported in cacerts with keytool
-import -trustcacerts):
adding as trusted cert:
Subject: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,
O=InfoCamere SCpA, C=IT
Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,
O=InfoCamere SCpA, C=IT
Algorithm: RSA; Serial number: 0x1
Valid from Wed Mar 24 16:48:50 CET 2004 until Thu Mar 24 16:47:52 CET 2016
2) the client certificate is taken from the smart card and it's given
to the server; furthermore, the issuer is exactly the trusted one:
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=Marcello Marangio, DNQ=20071112354269,
SERIALNUMBER=IT:MRNMCL70C21A662D, GIVENNAME=MARCELLO, SURNAME=MARANGIO,
O=NON PRESENTE, C=IT
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Validity: [From: Wed Nov 21 12:11:08 CET 2007,
To: Sun Nov 21 01:00:00 CET 2010]
Issuer: CN=InfoCamere Firma Qualificata, OU=Certificatore Accreditato del
Sistema Camerale, SERIALNUMBER=02313821007,
O=InfoCamere SCpA, C=IT
SerialNumber: [ 131b58]
3) the browser (Firefox) picks up the correct non-repudiation
certificate from the smart card and sends it to the server:
[9]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Non_repudiation
]
The problem seems to be that Tomcat is looking for the digital signature
certificate and not the non_repudiation one:
http-8443-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-8443-1, WRITE: TLSv1 Alert, length = 2
http-8443-1, called closeSocket()
http-8443-1, handling exception: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: KeyUsage does not allow digital
signatures
Is Tomcat's behaviour correct or is it a bug?
Thanks a million,
Marcello
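The alert in the log comes from the JSSE end-entity checker, which, for a TLS client certificate, requires the digitalSignature bit (bit 0) of the KeyUsage extension to be set; a certificate that asserts only nonRepudiation (bit 1), as the CNS signature certificate above does, fails that check. The following is an added, self-contained example (not code from the post, Tomcat, or the JDK) that decodes a DER-encoded KeyUsage BIT STRING and applies that same rule, so a defender can see why the log says "KeyUsage does not allow digital signatures". The sample extension values are constructed for the example, not taken from the poster's certificate; the function names are the example's own.

```python
from __future__ import annotations

# Added example (not from the original post): decode an X.509 KeyUsage
# extension value (DER BIT STRING, RFC 5280 section 4.2.1.3) and apply the
# rule the JSSE end-entity checker applies to a TLS client certificate:
# the digitalSignature bit (bit 0) must be asserted. nonRepudiation (bit 1)
# alone is not accepted, which is what the certificate_unknown alert reflects.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set[str]:
    """Parse a DER-encoded KeyUsage BIT STRING into the set of named bits.

    Layout: tag 0x03, short-form length, one 'unused bits' octet, then the
    bit string itself; bit 0 is the most significant bit of the first byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported (long-form) length encoding")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names: set[str] = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def tls_client_key_usage_ok(der: bytes) -> bool:
    """Mirror of the JSSE client-auth rule: digitalSignature must be set.

    A certificate without any KeyUsage extension is not restricted by this
    rule; callers that see no extension simply do not invoke this check.
    """
    return "digitalSignature" in decode_key_usage(der)


# Constructed sample extension values (hypothetical, not from a real card):
NON_REPUDIATION_ONLY = bytes.fromhex("03020640")    # bit 1 only, 6 unused bits
DIGITAL_SIGNATURE_ONLY = bytes.fromhex("03020780")  # bit 0 only, 7 unused bits
SIGNATURE_AND_NON_REPUDIATION = bytes.fromhex("030206c0")  # bits 0 and 1


if __name__ == "__main__":
    samples = [
        ("nonRepudiation only (CNS signature cert)", NON_REPUDIATION_ONLY),
        ("digitalSignature only", DIGITAL_SIGNATURE_ONLY),
        ("digitalSignature + nonRepudiation", SIGNATURE_AND_NON_REPUDIATION),
    ]
    for label, value in samples:
        print(f"{label}: {sorted(decode_key_usage(value))} "
              f"-> accepted for TLS client auth: {tls_client_key_usage_ok(value)}")
```

Running it shows the first sample decoding to just nonRepudiation and being rejected, while the other two are accepted; the practical consequence for the setup above is that a certificate intended for TLS client authentication needs digitalSignature in its KeyUsage, independent of whether the issuer is trusted.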