All,

On 10/22/2009 5:26 PM, Christopher Schultz wrote:
> ...did the trick. I now see an ASCII-formatted certificate dumped into
> my wtf.log file (yay!) and I get a ClassCastException in my JSP, which
> means that the request attribute is definitely not null!

Okay, I'm getting the client certificate okay in my code, now. I'd like
to validate that client cert against one I explicitly load off the disk
(so that, for instance, I'm not accepting client certs signed by
well-known CAs but that aren't appropriate for my purposes).

I can't, for the life of me, figure out how to load the CA certificate
off the disk!

I have two files:
  ca.crt     (PEM-format, used for Apache httpd configuration)
  ca.crt.p12 (PKCS12 format, no/blank password)

I've tried:

  Certificate caCert =
      CertificateFactory.getInstance("X.509")
          .generateCertificate(new FileInputStream("/path/to/ca.crt.p12"));

...which throws:

java.security.cert.CertificateParsingException: signed fields invalid
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1695)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:271)

I'm unclear as to whether this indicates that I have a badly-formatted
file, or that I'm not correctly passing in a password to load this file.

I have also tried:

  KeyStore keystore = KeyStore.getInstance("PKCS12");
  keystore.load(new FileInputStream("/path/to/ca.crt.p12"), (char[])null);

This appears to load the KeyStore, but the "alias" for the certificate
(as reported by KeyStore.aliases()) keeps changing, and is just a number
(like "5" or whatever). No matter what I do with the KeyStore, I always
end up with a null CA certificate, and therefore calling
clientCert.verify(caCert.getPublicKey()) always fails. :(

I feel like a complete idiot, here. Can someone help me load a
certificate (or even a public key) from a file?

Thanks,
-chris
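Added example (not Chris's code, and not from the thread) showing the two loaders and the issuer check the post is after: CertificateFactory parses the PEM ca.crt directly, while the .p12 is a container that has to go through KeyStore, and the alias inside it is whatever the packaging tool picked, so iterate rather than guess. Assumptions: file paths are passed in by the caller, and the blank-password PKCS12 opens with an empty char[] (passing null is the fallback to try).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class CaCertLoader {
    /** Loads the first X.509 certificate from a PEM or DER file such as ca.crt. */
    public static X509Certificate loadPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Loads the first certificate in a PKCS12 file; getCertificate() also covers key entries. */
    public static X509Certificate loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // assumption: new char[0] for a blank-password file
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                return (X509Certificate) c;
            }
        }
        throw new IllegalStateException("no certificate entry in " + path);
    }

    /** True only if clientCert is currently valid and was signed by caCert's key. */
    public static boolean isIssuedBy(X509Certificate clientCert, X509Certificate caCert) {
        try {
            caCert.checkValidity();
            clientCert.checkValidity();
            // Issuer name must match the CA subject; the signature check below is authoritative.
            if (!clientCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
                return false;
            }
            clientCert.verify(caCert.getPublicKey()); // throws if not signed by this CA
            return true;
        } catch (Exception e) {
            return false; // expired, wrong issuer, or bad signature
        }
    }
}
```

Feed isIssuedBy() the X509Certificate pulled from the javax.servlet.request.X509Certificate attribute and the CA loaded by either method; a cert signed by a well-known public CA will fail the issuer-name check before the signature check even runs.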