"Algorithm ECDH not available" 在 JRockit 6 上使用 bcprov 和 bctls



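I am trying to allow an old JBoss 5 running on JRockit 6 to access a CAS server that uses a Let's Encrypt certificate.

The problem is that JDK 6 does not support Let's Encrypt, so I added the root certificate to the cacerts file.

The problem now is that JDK 6 does not understand such a large key (java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)), so I tried to switch to the Bouncy Castle JCE/JCA by adding bcprov-jdk15on-1.61.jar & bctls-jdk15on-1.61.jar to the $JAVA_HOME/jre/lib/ext folder and adding org.bouncycastle.jce.provider.BouncyCastleProvider & org.bouncycastle.jsse.provider.BouncyCastleJsseProvider as the first security providers in the $JAVA_HOME/jre/lib/security/java.security file, as explained in this section.

After getting a java.lang.ArrayIndexOutOfBoundsException: 64, I switched the value of the ssl.KeyManagerFactory.algorithm key in the java.security file from SunX509 to X.509.

Now I have the following error (which I think is the same as this thread on the Oracle forum):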

java.security.NoSuchAlgorithmException: Algorithm ECDH not available
javax.crypto.KeyAgreement.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.calculateKeyAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDomain.calculateECDHAgreement(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JceTlsECDH.calculateSecret(Unknown Source)
org.bouncycastle.tls.TlsECDHEKeyExchange.generatePreMasterSecret(Unknown Source)
org.bouncycastle.tls.TlsProtocol.establishMasterSecret(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

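But looking at the source of org.bouncycastle.jcajce.provider.asymmetric.EC, such a key agreement should be correctly set up by org.bouncycastle.jce.provider.BouncyCastleProvider.

But actually, since it is org.bouncycastle.jsse.provider.BouncyCastleJsseProvider that is used when creating the https client, this provider does not register this algorithm, and I don't know what to do.

Does anyone know how to solve this?

I also tried declaring those jars as dependencies of my war and instantiating them explicitly like this: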

static {
    org.bouncycastle.jce.provider.BouncyCastleProvider bcp = new org.bouncycastle.jce.provider.BouncyCastleProvider();
    java.security.Security.insertProviderAt(bcp, 1);
    org.bouncycastle.jsse.provider.BouncyCastleJsseProvider bcjp = new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(bcp);
    java.security.Security.insertProviderAt(bcjp, 1);
}

However, I get this stack trace, which seems to be related to an issue in JBoss:

java.lang.SecurityException: JCE cannot authenticate the provider BC
javax.crypto.Cipher.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)
Caused by: java.util.jar.JarException: Cannot parse jar:file:/opt/jboss-5.1.0.GA/server/default/deploy/myapp.war/WEB-INF/lib/bcprov-jdk15on-1.61.jar!/
javax.crypto.SunJCE_c.a(DashoA13*..)
javax.crypto.SunJCE_b.b(DashoA13*..)
javax.crypto.SunJCE_b.a(DashoA13*..)
javax.crypto.Cipher.getInstance(DashoA13*..)
org.bouncycastle.jcajce.util.ProviderJcaJceHelper.createCipher(Unknown Source)
org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto.hasEncryptionAlgorithm(Unknown Source)
org.bouncycastle.tls.TlsUtils.isSupportedCipherSuite(Unknown Source)
org.bouncycastle.tls.TlsUtils.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.jsse.provider.ProvTlsClient.getSupportedCipherSuites(Unknown Source)
org.bouncycastle.tls.AbstractTlsClient.init(Unknown Source)
org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:167)
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1031)
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:216)

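Just in case, I have opened issue #514 on the BouncyCastle GitHub.

What you are seeing is consistent with the BouncyCastle JCE provider not being registered. Therefore, the search for the ECDH agreement does not find it in the JCE search path.

To register the providers dynamically, just add the following lines to your code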

Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());

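As per section 6.1 of the BouncyCastle specification and the test sample code, BouncyCastle JSSE test code

I suspect you are not bootstrapping the environment correctly

This issue was resolved by anthony-o in https://github.com/bcgit/bc-java/issues/514, as it was caused by a repackaging problem.

However, that solution did not work for me, because my Bouncy Castle jars were not repackaged into a shaded/fat jar

Here is how I solved the problem: https://stackoverflow.com/a/59845413/497378

(I'm not sure about the etiquette of posting a link to an answer on another Stack Overflow question, so please delete this if it is inappropriate)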

java.lang.SecurityException: JCE cannot authenticate the provider BC

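I get the same error (with the JARs straight from Maven, not repackaged), and I think it is because, starting with BC version 1.61, the JARs are signed with a newer signature algorithm (or root certificate) that Java 6 cannot verify.

By downgrading BC to 1.60, I managed to connect to an SNI-enabled TLS server (normally not reachable from Java 6). I used the following Maven dependency: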

<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bctls-jdk15on</artifactId>
    <version>1.60</version>
</dependency>
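
A diagnostic for the two failure modes discussed in the answers above (provider not registered versus registered but rejected by the JCE), added here as an example and not part of the original thread. The class name EcdhProviderCheck is hypothetical; it lists the registered providers in preference order, where each was loaded from, and whether it can serve KeyAgreement "ECDH":

```java
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.KeyAgreement;

/** Added diagnostic, not from the original thread. Uses Java 6 compatible syntax. */
public class EcdhProviderCheck {

    /** Classifies one provider's ability to serve KeyAgreement "ECDH". */
    static String check(Provider p) {
        // Step 1: is the algorithm present in this provider's service table?
        if (p.getService("KeyAgreement", "ECDH") == null) {
            return "NOT_REGISTERED";
        }
        // Step 2: will the JCE framework hand it out? On JVMs whose JCE
        // authenticates provider JARs (as in the question's second stack
        // trace), an unverifiable JAR fails here with a SecurityException.
        try {
            KeyAgreement.getInstance("ECDH", p);
            return "OK";
        } catch (SecurityException e) {
            return "REGISTERED_BUT_NOT_AUTHENTICATED: " + e.getMessage();
        } catch (NoSuchAlgorithmException e) {
            return "REGISTERED_BUT_UNUSABLE: " + e.getMessage();
        }
    }

    /** Where the provider class was loaded from (lib/ext, WEB-INF/lib, ...). */
    static String origin(Provider p) {
        CodeSource cs = p.getClass().getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "<JDK/bootstrap>";
        }
        return cs.getLocation().toString();
    }

    public static void main(String[] args) {
        Provider[] providers = Security.getProviders(); // preference order
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            // Provider.toString() yields "<name> version <version>"
            System.out.println((i + 1) + ". " + p + " from " + origin(p)
                    + " -> ECDH: " + check(p));
        }
    }
}
```

Run it with the same JVM and classpath as the failing application (for a webapp, call check() from inside the deployed code) so the provider list and JAR locations match what the TLS handshake sees.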
