jjzjj

java - 客户端 ECC SSL 证书包含 "unknown named curve"

coder 2024-03-14 原文

问题前提: 我在一个现有的库中工作,该库在远程服务器上使用 SSL 和 netty 框架。我遇到了 SSL/TLS 握手错误。错误如下:

javax.net.ssl.SSLProtocolException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1345) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767) ~[na:1.7.0_79]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_79]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:982) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:908) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:854) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:130) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at java.lang.Thread.run(Thread.java:745) ~[na:1.7.0_79]
Caused by: javax.net.ssl.SSLProtocolException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:451) ~[na:1.7.0_79]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:222) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:841) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:839) ~[na:1.7.0_79]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273) ~[na:1.7.0_79]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1015) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:927) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    ... 14 common frames omitted
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171) ~[na:1.7.0_79]
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1781) ~[na:1.7.0_79]
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196) ~[na:1.7.0_79]
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:97) ~[na:1.7.0_79]
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[na:1.7.0_79]
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:449) ~[na:1.7.0_79]
    ... 22 common frames omitted
Caused by: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ec.ECParameters.decodeParameters(ECParameters.java:197) ~[na:1.7.0_79]
    at sun.security.ec.ECParameters.engineInit(ECParameters.java:319) ~[na:1.7.0_79]
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:139) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:382) ~[na:1.7.0_79]
    at sun.security.x509.X509Key.parse(X509Key.java:168) ~[na:1.7.0_79]
    at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75) ~[na:1.7.0_79]
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705) ~[na:1.7.0_79]
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[na:1.7.0_79]
    ... 27 common frames omitted

现在,这是我尝试解决手头问题的方法。此远程服务器需要客户端身份验证,并且该证书是使用椭圆曲线的证书(使用具有不同公钥算法和签名算法的客户端证书不会导致错误,这意味着客户端证书在这里有问题)。我跑了

openssl x509 -in <client_cert> -text -noout

The client certificate is as follows:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3585039615565000225 (0x31c09e8937746e21)
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: <ISSUER>
        Validity
            Not Before: Dec  1 23:01:26 2014 GMT
            Not After : Nov 26 23:01:26 2034 GMT
        Subject: 1.3.6.1.4.1.41387.1.1=18B43000004C627B
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                pub:
                    04:dc:ca:07:76:de:28:91:b8:94:16:08:12:01:85:
                    24:a5:a5:5e:48:84:aa:2b:f8:3a:fa:87:f1:30:70:
                    f3:7b:01:68:6a:f6:29:56:c7:17:60:71:fe:b7:c0:
                    d1:d5:1c:ad
                ASN1 OID: prime192v1
                NIST CURVE: P-192
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                <SUBJECT KEY IDENTIFIER>
            X509v3 Authority Key Identifier:
                keyid: <KEY ID>

    Signature Algorithm: ecdsa-with-SHA1
         <SIGNATURE GOES HERE>

这给我的印象是 JDK SSL 库无法识别 NIST P-192 曲线。我运行的JDK版本是1.7.0_79。我不知道如何继续解决这个问题。有什么想法吗?

最佳答案

这可能与加密问题有关,而不是 SSL 问题。您是否尝试过使用 unlimited strength jurisdiction policy files

关于java - 客户端 ECC SSL 证书包含 "unknown named curve",我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30603680/

ampunknownjavasecuritynettysslopenjdkelliptic-curve

有关java - 客户端 ECC SSL 证书包含 "unknown named curve"的更多相关文章

  1. ruby-on-rails - rails : "missing partial" when calling 'render' in RSpec test - 2

    我正在尝试测试是否存在表单。我是Rails新手。我的new.html.erb_spec.rb文件的内容是:require'spec_helper'describe"messages/new.html.erb"doit"shouldrendertheform"dorender'/messages/new.html.erb'reponse.shouldhave_form_putting_to(@message)with_submit_buttonendendView本身,new.html.erb,有代码:当我运行rspec时,它失败了:1)messages/new.html.erbshou

  2. ruby-on-rails - 由于 "wkhtmltopdf",PDFKIT 显然无法正常工作 - 2

    我在从html页面生成PDF时遇到问题。我正在使用PDFkit。在安装它的过程中,我注意到我需要wkhtmltopdf。所以我也安装了它。我做了PDFkit的文档所说的一切......现在我在尝试加载PDF时遇到了这个错误。这里是错误:commandfailed:"/usr/local/bin/wkhtmltopdf""--margin-right""0.75in""--page-size""Letter""--margin-top""0.75in""--margin-bottom""0.75in""--encoding""UTF-8""--margin-left""0.75in""-

  3. ruby - 检查 "command"的输出应该包含 NilClass 的意外崩溃 - 2

    为了将Cucumber用于命令行脚本,我按照提供的说明安装了arubagem。它在我的Gemfile中,我可以验证是否安装了正确的版本并且我已经包含了require'aruba/cucumber'在'features/env.rb'中为了确保它能正常工作,我写了以下场景:@announceScenario:Testingcucumber/arubaGivenablankslateThentheoutputfrom"ls-la"shouldcontain"drw"假设事情应该失败。它确实失败了,但失败的原因是错误的:@announceScenario:Testingcucumber/ar

  4. java - 等价于 Java 中的 Ruby Hash - 2

    我真的很习惯使用Ruby编写以下代码:my_hash={}my_hash['test']=1Java中对应的数据结构是什么? 最佳答案 HashMapmap=newHashMap();map.put("test",1);我假设? 关于java-等价于Java中的RubyHash,我们在StackOverflow上找到一个类似的问题: https://stackoverflow.com/questions/22737685/

  5. ruby-on-rails - 迷你测试错误 : "NameError: uninitialized constant" - 2

    我遵循MichaelHartl的“RubyonRails教程:学习Web开发”,并创建了检查用户名和电子邮件长度有效性的测试(名称最多50个字符,电子邮件最多255个字符)。test/helpers/application_helper_test.rb的内容是:require'test_helper'classApplicationHelperTest在运行bundleexecraketest时,所有测试都通过了,但我看到以下消息在最后被标记为错误:ERROR["test_full_title_helper",ApplicationHelperTest,1.820016791]test

  6. ruby - 检查字符串是否包含散列中的任何键并返回它包含的键的值 - 2

    我有一个包含多个键的散列和一个字符串,该字符串不包含散列中的任何键或包含一个键。h={"k1"=>"v1","k2"=>"v2","k3"=>"v3"}s="thisisanexamplestringthatmightoccurwithakeysomewhereinthestringk1(withspecialcharacterslike(^&*$#@!^&&*))"检查s是否包含h中的任何键的最佳方法是什么,如果包含,则返回它包含的键的值?例如,对于上面的h和s的例子,输出应该是v1。编辑:只有字符串是用户定义的。哈希将始终相同。 最佳答案

  7. ruby-on-rails - 相关表上的范围为 "WHERE ... LIKE" - 2

    我正在尝试从Postgresql表(table1)中获取数据,该表由另一个相关表(property)的字段(table2)过滤。在纯SQL中,我会这样编写查询:SELECT*FROMtable1JOINtable2USING(table2_id)WHEREtable2.propertyLIKE'query%'这工作正常:scope:my_scope,->(query){includes(:table2).where("table2.property":query)}但我真正需要的是使用LIKE运算符进行过滤,而不是严格相等。然而,这是行不通的:scope:my_scope,->(que

  8. 使用 ACL 调用 upload_file 时出现 Ruby S3 "Access Denied"错误 - 2

    我正在尝试编写一个将文件上传到AWS并公开该文件的Ruby脚本。我做了以下事情:s3=Aws::S3::Resource.new(credentials:Aws::Credentials.new(KEY,SECRET),region:'us-west-2')obj=s3.bucket('stg-db').object('key')obj.upload_file(filename)这似乎工作正常,除了该文件不是公开可用的,而且我无法获得它的公共(public)URL。但是当我登录到S3时,我可以正常查看我的文件。为了使其公开可用,我将最后一行更改为obj.upload_file(file

  9. ruby - 安装 Ruby 时遇到问题(无法下载资源 "readline--patch") - 2

    当我尝试安装Ruby时遇到此错误。我试过查看this和this但无济于事➜~brewinstallrubyWarning:YouareusingOSX10.12.Wedonotprovidesupportforthispre-releaseversion.Youmayencounterbuildfailuresorotherbreakages.Pleasecreatepull-requestsinsteadoffilingissues.==>Installingdependenciesforruby:readline,libyaml,makedepend==>Installingrub

  10. java - 从 JRuby 调用 Java 类的问题 - 2

    我正在尝试使用boilerpipe来自JRuby。我看过guide从JRuby调用Java,并成功地将它与另一个Java包一起使用,但无法弄清楚为什么同样的东西不能用于boilerpipe。我正在尝试基本上从JRuby中执行与此Java等效的操作:URLurl=newURL("http://www.example.com/some-location/index.html");Stringtext=ArticleExtractor.INSTANCE.getText(url);在JRuby中试过这个:require'java'url=java.net.URL.new("http://www

随机推荐