Проблема с КриптоПро и GOST

Apr 07, 2023 12:34

Из java кода не удается установить рукопожатие (TLS handshake) со страницей. При этом из браузеров Яндекс и Хромиум Гост та же страница открывается без проблем.
Java код и стектрейс под катом

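// JSSE wiring: route the socket factories and the key/trust manager algorithm
// names to the CryptoPro GOST TLS implementation.
Security.setProperty("ssl.SocketFactory.provider", "ru.CryptoPro.ssl.SSLSocketFactoryImpl");
Security.setProperty("ssl.ServerSocketFactory.provider", "ru.CryptoPro.ssl.SSLServerSocketFactoryImpl");
Security.setProperty("ssl.KeyManagerFactory.algorithm", "GostX509");
Security.setProperty("ssl.TrustManagerFactory.algorithm", "GostX509");

// Cipher suites, enabled protocol versions and CRL Distribution Point fetching.
// The original comment called this "disabling certificate chain checking"; it is not:
// none of these properties turn PKIX path validation off, which matches the
// PKIX errors in the stack trace.
// NOTE(review): SSLv3, TLSv1 and TLSv1.1 are obsolete; narrow the list to TLSv1.2
// unless the peer is known to require an older version.
String cipherSuites2 = "TLS_CIPHER_2012,TLS_CIPHER_2001";
System.setProperty("https.cipherSuites", cipherSuites2);
System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2,SSLv3");
System.setProperty("com.sun.security.enableCRLDP", "true");
System.setProperty("com.ibm.security.enableCRLDP", "true");

// NOTE(review): tls_prohibit_disabled_validation is a CryptoPro-specific switch;
// presumably "false" permits running with relaxed validation -- confirm against
// the JCP documentation before relying on it.
System.setProperty("tls_prohibit_disabled_validation", "false");
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

// Client certificate store. The stream is closed via try-with-resources;
// the original never closed it.
KeyStore ks = KeyStore.getInstance("HDImageStore", "JCP");
try (FileInputStream keyStoreIn = new FileInputStream(keyStorePath)) {
    ks.load(keyStoreIn, keyStorePassword.toCharArray());
}

// CA root certificates: the trust anchors the server chain is validated against.
KeyStore kst = KeyStore.getInstance("HDImageStore", "JCP");
try (FileInputStream trustStoreIn = new FileInputStream(trustStorePath)) {
    kst.load(trustStoreIn, trustStorePassword.toCharArray());
}

// Trust manager over the CA store, key manager over the client store.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("GostX509");
tmf.init(kst);

KeyManagerFactory kmf = KeyManagerFactory.getInstance("GostX509");
kmf.init(ks, null);

// SSL context. getSSLContext is defined elsewhere; if it already calls init(),
// the explicit init() below re-initialises the same context -- verify.
SSLContext sc = getSSLContext(kmf, tmf, cipherSuites2.split(","), contextName);
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), SecureRandom.getInstance("CPRandom", "JCP"));

// NOTE(review): NoopHostnameVerifier accepts any server name once the chain
// validates. It is unrelated to the PKIX failures seen here and should be
// replaced by the default verifier once the chain problem is solved.
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);

URL url = new URL(baseUri + uri);
try {
    HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
    con.setRequestMethod("GET");
    con.setConnectTimeout(10000);
    // Process-wide default cookie jar; set before the handshake so Set-Cookie is kept.
    CookieHandler.setDefault(new CookieManager());
    con.connect();
    System.out.println("Connected: " + con);
} catch (Exception ex) {
    // Printed for diagnosis; the cause is also preserved in the rethrown exception.
    ex.printStackTrace();
    throw new Exception("Ошибка соединения", ex);
}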
Вот стектрейс:
Caused by: javax.net.ssl.SSLHandshakeException: ru.CryptoPro.ssl.pc_4.cl_5: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at ru.CryptoPro.ssl.cl_2.a(Unknown Source)
at ru.CryptoPro.ssl.cl_2.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.s(Unknown Source)
at ru.CryptoPro.ssl.cl_59.s(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.n(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.n(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.b(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.b(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)

Сильно смущает тот факт, что из браузера всё открывается. Значит, по идее всех сертификатов хватает?
Upd. Добавил сертификаты, теперь другой эксепшен получаю:

Caused by: javax.net.ssl.SSLHandshakeException: ru.CryptoPro.ssl.pc_4.cl_5: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at ru.CryptoPro.ssl.cl_2.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_16.a(Unknown Source)
at ru.CryptoPro.ssl.cl_59.s(Unknown Source)
at ru.CryptoPro.ssl.cl_59.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.a(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.n(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.b(Unknown Source)
at ru.CryptoPro.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at ru.ets.http.HttpContext.loginCertificate(HttpContext.java:606)
... 18 more
Caused by: ru.CryptoPro.ssl.pc_4.cl_5: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
at ru.CryptoPro.ssl.pc_4.cl_2.a(Unknown Source)
at ru.CryptoPro.ssl.pc_4.cl_2.a(Unknown Source)
at ru.CryptoPro.ssl.pc_4.cl_4.b(Unknown Source)
at ru.CryptoPro.ssl.cl_121.a(Unknown Source)
at ru.CryptoPro.ssl.cl_121.a(Unknown Source)
at ru.CryptoPro.ssl.cl_121.checkServerTrusted(Unknown Source)
... 30 more
Caused by: java.security.cert.CertPathValidatorException: signature check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at ru.CryptoPro.reprov.CPCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
... 36 more
Caused by: java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 42 more