{"id":6207,"date":"2014-04-13T22:40:33","date_gmt":"2014-04-13T22:40:33","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/13\/java-https-with-client-verification-using-windows-keystore-collection-of-common-programming-errors\/"},"modified":"2014-04-13T22:40:33","modified_gmt":"2014-04-13T22:40:33","slug":"java-https-with-client-verification-using-windows-keystore-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/13\/java-https-with-client-verification-using-windows-keystore-collection-of-common-programming-errors\/","title":{"rendered":"Java HTTPS with client verification using windows keystore-Collection of common programming errors"},"content":{"rendered":"<ul>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/5576e1b8564a77f052b004e46acbe19a?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nKen Allen<\/p>\n<p>I&#8217;m trying to do some json\/https rpc in Java with client certificate authentication. I&#8217;m trying to use the windows keystore for the client cert and it&#8217;s not working &#8211; the server returns a decrypt_error ssl alert. I can hit the same server with the same client cert in IE so I know it&#8217;s not a problem with the cert itself. I can also do it from java if I pull the key from a different source. The server is running Apache 2.2.8 with openssl 0.9.8g. I tried different ciphers in the mod_ssl config but it failed the same with all of them. The protocol always negotiates to TLSv1. I tried several JRE 1.6 versions and they all have this problem. 
I&#8217;ve seen mention of this error on the internet in a few places, but no solutions.<\/p>\n<p>In particular I saw these:<\/p>\n<p>http:\/\/forums.oracle.com\/forums\/thread.jspa?threadID=1531706<\/p>\n<p>http:\/\/www.java-forums.org\/java-applets\/24508-how-use-windows-keystore-establise-ssl-connection.html<\/p>\n<p>I tried running with javax.net.debug=all but I actually get a different error when I do &#8211; which seems odd. Attached is a minimal test case, and the end of the javax.net.debug=ssl and javax.net.debug=all output with stacktraces. I can probably post the full logs if someone wants to see them.<\/p>\n<p>This is really important to my current project so ANY help would be appreciated.<\/p>\n<p>Here&#8217;s a minimal test case:<\/p>\n<pre><code>import java.io.BufferedInputStream;\nimport java.io.InputStream;\nimport java.io.InputStreamReader;\nimport java.io.Reader;\nimport java.net.URL;\nimport java.security.KeyStore;\nimport java.util.Arrays;\nimport javax.net.ssl.HttpsURLConnection;\nimport javax.net.ssl.KeyManagerFactory;\nimport javax.net.ssl.SSLContext;\nimport javax.net.ssl.TrustManagerFactory;\n\npublic class Minimal {\n    public static void main(String[] args) throws Exception {\n        SSLContext context = SSLContext.getInstance(\"SSL\");\n        KeyManagerFactory keyFac = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());\n        KeyStore keyStore = KeyStore.getInstance(\"WINDOWS-MY\");\n        keyStore.load(null, null);\n        keyFac.init(keyStore, null);\n        TrustManagerFactory trustFac = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());\n        KeyStore trustStore = KeyStore.getInstance(\"WINDOWS-ROOT\");\n        trustStore.load(null, null);\n        trustFac.init(trustStore);\n        context.init(keyFac.getKeyManagers(), trustFac.getTrustManagers(), null);\n\n        HttpsURLConnection conn = (HttpsURLConnection)new URL(\"https:\/\/\").openConnection();\n        
conn.setRequestMethod(\"GET\");\n        conn.setDoInput(true);\n        conn.setSSLSocketFactory(context.getSocketFactory());\n\n        int responseCode = conn.getResponseCode();\n        System.out.println(\"RESPONSE: \" + responseCode);\n        InputStream response = null;\n        if(responseCode != 200) {\n            response = conn.getErrorStream();\n        } else {\n            response = conn.getInputStream();\n        }\n        Reader r = new InputStreamReader(new BufferedInputStream(response));\n        char[] buffer = new char[1024];\n        int read = 0;\n        while((read = r.read(buffer)) != -1) {\n            System.out.print(Arrays.copyOf(buffer, read));\n        }\n        System.out.println(\"DONE\");\n    }\n}\n<\/code><\/pre>\n<p>And the debug=ssl output with the Oracle 1.6u26 32bit JRE on Windows XP SP3:<\/p>\n<pre><code>***\n*** ClientKeyExchange, RSA PreMasterSecret, TLSv1\nmain, WRITE: TLSv1 Handshake, length = 4640\nSESSION KEYGEN:\nPreMaster Secret:\n0000: 03 01 1F B7 3D E7 72 6D   23 39 7C B0 0F F0 26 8F  ....=.rm#9....&amp;.\n0010: D6 24 FA D2 1C DE 43 94   4C 9C AA EA F1 4A 69 F1  .$....C.L....Ji.\n0020: 62 20 5B CA 94 B8 CC 84   13 D5 1B 04 E5 51 A8 B7  b [..........Q..\nCONNECTION KEYGEN:\nClient Nonce:\n0000: 4E 40 59 44 1A 4E 92 52   C3 BB 26 1F 08 A3 14 3F  N@YD.N.R..&amp;....?\n0010: EB B9 CA 17 A1 DD B8 1D   89 C3 43 A8 E2 C6 D1 D0  ..........C.....\nServer Nonce:\n0000: 4E 40 59 44 9C D0 05 53   96 C1 50 3E 24 AA 38 DB  N@YD...S..P&gt;$.8.\n0010: AE E7 55 F0 40 14 A4 85   4B BE 46 A5 7C 08 CB 2F  ..U.@...K.F....\/\nMaster Secret:\n0000: 7F 32 A2 C4 35 8D CA C0   F7 05 B5 0B B0 38 F8 C6  .2..5........8..\n0010: 0C DC 7E C1 79 FD 97 08   0A D7 B1 40 6E 73 CB 28  ....y......@ns.(\n0020: 84 78 D2 87 A8 88 C8 C7   A0 8C A3 AB 29 6B 6D FC  .x..........)km.\nClient MAC write Secret:\n0000: 96 90 FF F8 86 E0 AC E6   89 00 57 5A C6 23 94 EE  ..........WZ.#..\n0010: AD 20 AB 5A                                        . 
.Z\nServer MAC write Secret:\n0000: AD C0 78 DC C8 96 BD E4   27 AD 7C 6D C8 AA C4 96  ..x.....'..m....\n0010: E3 03 46 25                                        ..F%\nClient write key:\n0000: 40 25 7F BD 82 B7 85 6F   74 B2 A4 D1 16 4A FB 9F  @%.....ot....J..\nServer write key:\n0000: 9F E5 5D 45 73 66 E0 11   9B 14 25 F5 80 A9 EB 2D  ..]Esf....%....-\nClient write IV:\n0000: 77 1E BE 62 7A EB 56 D9   C4 62 D9 B5 2D 1E 22 97  w..bz.V..b..-.\".\nServer write IV:\n0000: 7B 9F 0B AE 2E DF AF 7B   15 09 08 8C DE 13 0F 82  ................\n*** CertificateVerify\nmain, WRITE: TLSv1 Handshake, length = 288\nmain, WRITE: TLSv1 Change Cipher Spec, length = 32\n*** Finished\nverify_data:  { 12, 12, 219, 182, 15, 237, 101, 233, 209, 171, 52, 158 }\n***\nmain, WRITE: TLSv1 Handshake, length = 48\nmain, READ: TLSv1 Alert, length = 32\nmain, RECV TLSv1 ALERT:  fatal, decrypt_error\n%% Invalidated:  [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]\nmain, called closeSocket()\nmain, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error\nmain, called close()\nmain, called closeInternal(true)\nException in thread \"main\" javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error\n        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)\n        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)\n        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1720)\n        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)\n        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:755)\n        at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)\n        at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)\n        at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)\n        at java.io.BufferedInputStream.read(BufferedInputStream.java:317)\n        at 
sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)\n        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)\n        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)\n        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)\n        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)\n        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)\n        at Minimal.main(Minimal.java:33)\n<\/code><\/pre>\n<p>And the debug=all output with the Oracle 1.6u26 32bit JRE on Windows XP SP3:<\/p>\n<pre><code>*** CertificateVerify\n[write] MD5 and SHA1 hashes:  len = 262\n0000: 0F 00 01 02 01 00 54 BD   E6 C5 44 96 71 2B EF FC  ......T...D.q+..\n0010: 6E 0B D6 26 79 32 F1 23   AC 35 9C CE FD C6 A5 44  n..&amp;y2.#.5.....D\n0020: F7 F1 C9 4C 48 0F AA EC   26 62 8F F8 50 3B FE 55  ...LH...&amp;b..P;.U\n0030: 99 07 6D EC F9 42 60 B8   DF 8C 54 94 F6 2C B7 A8  ..m..B`...T..,..\n0040: 16 C5 75 18 99 7E 3D 89   29 A2 46 5C 3E 49 33 F5  ..u...=.).F\\&gt;I3.\n0050: C6 B0 82 B1 1D 74 42 2A   D5 8F E7 6C 13 75 F9 93  .....tB*...l.u..\n0060: CD 21 10 D1 52 39 DD 00   95 C5 28 E6 84 66 75 DB  .!..R9....(..fu.\n0070: D3 53 A1 F6 CF D1 0B EC   6C 2E F2 32 FB 2E 87 49  .S......l..2...I\n0080: 8A 11 E0 EA 2F E4 A3 AF   49 09 86 0B DF 6D 8A BB  ....\/...I....m..\n0090: 0C 51 1B 9A 16 6D DA EF   F5 C0 25 09 4F 17 35 84  .Q...m....%.O.5.\n00A0: DC 15 FE 2A 17 F0 AD 9F   F5 4C 26 AA DE 54 97 97  ...*.....L&amp;..T..\n00B0: EB 6F 07 ED 86 0A 62 B2   33 ED 2E DB 98 C0 A9 D3  .o....b.3.......\n00C0: 6A B2 1D EE E8 D4 F9 73   F1 EE 76 0D 2E 2A F0 D0  j......s..v..*..\n00D0: 32 35 4A F8 4F E6 E3 C5   D3 29 3F AF 27 5E 3E 09  25J.O....)?.'^&gt;.\n00E0: 1C 4A E5 4B 0C E2 92 77   91 F1 31 73 18 10 0F 8A  .J.K...w..1s....\n00F0: 53 87 54 73 A0 64 92 4E   21 40 25 9E EB D7 9C 68  S.Ts.d.N!@%....h\n0100: 75 59 3C 12 A6 AE                                  
uY&lt;...\n0050: C6 B0 82 B1 1D 74 42 2A   D5 8F E7 6C 13 75 F9 93  .....tB*...l.u..\n0060: CD 21 10 D1 52 39 DD 00   95 C5 28 E6 84 66 75 DB  .!..R9....(..fu.\n0070: D3 53 A1 F6 CF D1 0B EC   6C 2E F2 32 FB 2E 87 49  .S......l..2...I\n0080: 8A 11 E0 EA 2F E4 A3 AF   49 09 86 0B DF 6D 8A BB  ....\/...I....m..\n0090: 0C 51 1B 9A 16 6D DA EF   F5 C0 25 09 4F 17 35 84  .Q...m....%.O.5.\n00A0: DC 15 FE 2A 17 F0 AD 9F   F5 4C 26 AA DE 54 97 97  ...*.....L&amp;..T..\n00B0: EB 6F 07 ED 86 0A 62 B2   33 ED 2E DB 98 C0 A9 D3  .o....b.3.......\n00C0: 6A B2 1D EE E8 D4 F9 73   F1 EE 76 0D 2E 2A F0 D0  j......s..v..*..\n00D0: 32 35 4A F8 4F E6 E3 C5   D3 29 3F AF 27 5E 3E 09  25J.O....)?.'^&gt;.\n00E0: 1C 4A E5 4B 0C E2 92 77   91 F1 31 73 18 10 0F 8A  .J.K...w..1s....\n00F0: 53 87 54 73 A0 64 92 4E   21 40 25 9E EB D7 9C 68  S.Ts.d.N!@%....h\n0100: 75 59 3C 12 A6 AE 04 99   63 17 2C 0F 57 FC DD 48  uY&lt;.....c.,.W..H\n0050: 8F D0 BF 3D 11 58 CE 17   6A 80 6F F8 A8 0C 17 0D  ...=.X..j.o.....\n0060: 6C 41 02 AB 96 03 91 60   C9 54 76 44 E2 17 A1 D5  lA.....`.TvD....\n0070: 07 7A 26 16 3E 94 88 0C   BC E9 BE E9 91 A7 60 DC  .z&amp;.&gt;.........`.\n0080: D5 1C DD 85 DB F8 7A 52   5E 09 F2 38 B9 29 7D 08  ......zR^..8.)..\n0090: 14 00 C0 D2 5E 72 4F 85   5A C0 E0 C1 33 58 C0 CD  ....^rO.Z...3X..\n00A0: 13 B6 1A AC 9B 86 2A 00   81 55 94 0B 19 81 89 45  ......*..U.....E\n00B0: 42 A0 12 E9 4E 15 2C E7   92 A5 6F D5 F7 31 74 42  B...N.,...o..1tB\n00C0: 8E 2B 50 2F 46 A6 46 DF   E4 F4 F1 32 FD 40 0D C9  .+P\/F.F....2.@..\n00D0: 3A 0B 26 F0 2B 0A 58 FD   A3 DC E7 30 3A 98 EB A8  :.&amp;.+.X....0:...\n00E0: BB 7C A2 FA DF 7E 9C 61   96 6F F9 A7 02 19 43 91  .......a.o....C.\n00F0: 0B 1C C4 4E 73 8F A5 CA   C5 CF D3 71 86 26 A1 EE  ...Ns......q.&amp;..\n0100: 2A B1 DE 1B BE 7A E8 1B   04 91 62 DD 9A C9 F2 72  *....z....b....r\n0110: D6 A4 AC 13 83 CE 60 28   E7 D4 97 54 1E 31 E2 E3  ......`(...T.1..\n0120: 75 3B 5E 57 81                                     u;^W.\nPadded plaintext before 
ENCRYPTION:  len = 32\n0000: 01 20 0B 27 DC 48 23 03   1A D7 9A F6 2A BB 8F B8  . .'.H#.....*...\n0010: 4D 6E 8A F0 ED 0A 0A 0A   0A 0A 0A 0A 0A 0A 0A 0A  Mn..............\nmain, WRITE: TLSv1 Change Cipher Spec, length = 32\n[Raw write]: length = 37\n0000: 14 03 01 00 20 6C 2C F0   99 F6 91 70 68 9B 4C 51  .... l,....ph.LQ\n0010: CC 9E 82 87 22 7C 84 FB   FB A6 7F 12 F7 E1 3C 19  ....\".........<\/code><\/pre>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Ken Allen I&#8217;m trying to do some json\/https rpc in Java with client certificate authentication. I&#8217;m trying to use the windows keystore for the client cert and it&#8217;s not working &#8211; the server returns a decrypt_error ssl alert. I can hit the same server with the same client cert in IE so I know it&#8217;s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6207","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6207"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6207\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/
v2\/categories?post=6207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
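The post above shows the standard JSSE recipe for TLS client authentication out of the Windows certificate store (a `WINDOWS-MY` KeyStore from the SunMSCAPI provider fed to a `KeyManagerFactory`, `WINDOWS-ROOT` fed to a `TrustManagerFactory`). What that recipe hides is which entry the default key manager actually picks and whether that entry's private key can sign a `CertificateVerify` at all. The diagnostic harness below is an added example written for this page; it is not the poster's code and it does not claim to resolve the `decrypt_error` alert. It enumerates every `WINDOWS-MY` entry, reports whether the certificate carries digitalSignature key usage and the id-kp-clientAuth extended key usage (OID 1.3.6.1.5.5.7.3.2, the standard value) and whether the private key is an in-CSP handle, then builds an `SSLContext` whose key manager is pinned to one chosen alias so JSSE cannot silently select a different certificate than the one IE is known to use. The class and method names (`McapiClientAuthCheck`, `usableClientAliases`, `pinnedKeyManager`, `buildContext`) and the command-line arguments are the editor's own; the code assumes a Windows JRE that ships the SunMSCAPI provider.

```java
import java.net.Socket;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

/** Added example (editor's code, not the original poster's): inspect WINDOWS-MY and pin one alias for client auth. */
public class McapiClientAuthCheck {
    // id-kp-clientAuth; a certificate without it is a poor candidate for TLS client authentication
    static final String OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Lists the WINDOWS-MY entries that have a private key, may sign, and are marked for client auth. */
    static List<String> usableClientAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> usable = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue;                                        // certificate only, nothing to sign CertificateVerify with
            }
            PrivateKey key = (PrivateKey) ks.getKey(alias, null); // SunMSCAPI requires a null password
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean[] ku = cert.getKeyUsage();
            boolean canSign = ku == null || ku[0];               // digitalSignature; no KU extension means unrestricted
            List<String> eku = cert.getExtendedKeyUsage();
            boolean clientAuth = eku == null || eku.contains(OID_CLIENT_AUTH);
            // A null encoding means the key never leaves the Windows CSP; the signature is computed inside CAPI.
            String where = key.getEncoded() == null ? "CSP handle" : "exportable";
            System.out.printf("%-24s subject=%s%n    key=%s via %s (%s) digitalSignature=%b clientAuth=%b%n",
                    alias, cert.getSubjectX500Principal(), key.getAlgorithm(), key.getClass().getName(),
                    where, canSign, clientAuth);
            if (canSign && clientAuth) {
                usable.add(alias);
            }
        }
        return usable;
    }

    /** Key manager fixed to one alias. It deliberately ignores the server's CertificateRequest CA list. */
    static X509ExtendedKeyManager pinnedKeyManager(KeyStore ks, final String alias) throws GeneralSecurityException {
        final PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        Certificate[] chain = ks.getCertificateChain(alias);
        if (key == null || chain == null || chain.length == 0) {
            throw new GeneralSecurityException("no private key entry for alias " + alias);
        }
        final X509Certificate[] x509Chain = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        return new X509ExtendedKeyManager() {
            public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return alias; }
            public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return alias; }
            public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
            public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? x509Chain : null; }
            public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }
            // This process is only ever a TLS client, so server-side selection is disabled.
            public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
            public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return null; }
            public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
        };
    }

    /** Trust the Windows root store, authenticate with exactly one WINDOWS-MY entry. */
    static SSLContext buildContext(KeyStore my, String alias) throws Exception {
        KeyStore root = KeyStore.getInstance("WINDOWS-ROOT");
        root.load(null, null);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(root);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { pinnedKeyManager(my, alias) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java McapiClientAuthCheck [https-url [alias]]; with no arguments it only lists the store. */
    public static void main(String[] args) throws Exception {
        if (Security.getProvider("SunMSCAPI") == null) {
            System.err.println("SunMSCAPI provider not present; WINDOWS-MY is unavailable in this JRE");
            return;
        }
        KeyStore my = KeyStore.getInstance("WINDOWS-MY");
        my.load(null, null);
        List<String> usable = usableClientAliases(my);
        System.out.println("usable client-auth aliases: " + usable);
        if (args.length == 0 || (args.length == 1 && usable.isEmpty())) {
            return;
        }
        String alias = args.length > 1 ? args[1] : usable.get(0);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(buildContext(my, alias).getSocketFactory());
        int code = conn.getResponseCode();   // the handshake runs here; a fatal alert surfaces as SSLHandshakeException
        System.out.println("HTTP " + code + " with " + conn.getCipherSuite() + " using alias " + alias);
    }
}
```

Run it once with no arguments to see what the store really contains, then with the URL and the alias IE uses; running the second form under `-Djavax.net.debug=ssl,handshake` shows the pinned certificate in the client `Certificate` message, which removes "wrong entry selected" from the list of suspects before looking at the `CertificateVerify` signature itself.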