javax.net.ssl.SSLHandshakeException: Error signing certificate verify

JDK Bug System | Webbug Group | 2 years ago
  1. 0

    FULL PRODUCT VERSION :
    java version "1.8.0_31"
    Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

    ADDITIONAL OS VERSION INFORMATION :
    Linux sentinel-dev-25 2.6.32.12-0.7-default #1 SMP 2010-05-20 11:14:20 +0200 x86_64 x86_64 x86_64 GNU/Linux

    A DESCRIPTION OF THE PROBLEM :
    Cannot load cacerts in java8 when FIPS is enabled. I was able to load the same in jre7u72 builds. It shouldn't be a cacerts issue since I copied the java7 cacerts to java8 and the problem still remains. Suspecting the changes to sunpkcs11 in java8 to cause this.

    Following exception is seen while loading cacerts using a test tool. The same works fine in

    Exception in thread "main" java.lang.RuntimeException: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:96)
        at sun.security.util.ECUtil.decodeX509ECPublicKey(ECUtil.java:102)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:170)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:99)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:747)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1433)
        at TestKeyStoreFIPS.main(TestKeyStoreFIPS.java:46)
    Caused by: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.jca.GetInstance.getService(GetInstance.java:83)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.KeyFactory.getInstance(KeyFactory.java:211)
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:94)

    REGRESSION. Last worked in version 7u76

    STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
    Set up an NSS DB:
    1. export LD_LIBRARY_PATH=/usr/lib64
    2. mkdir /tmp/fips/nssdb
    3. modutil -create -dbdir nssdb/
    4. modutil -fips true -dbdir nssdb
    5. modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir nssdb (provide a complex password like password1!)

    Run the testcase provided to load cacerts. First run it using java7 and then run with java8

    /tmp/java7/bin/java -Dnss.lib=/usr/lib64 -Dnss.db=/tmp/fips/nssdb -Djavax.net.ssl.keyStorePassword=password1! TestKeyStoreFIPS /tmp/jre8/lib/security/cacerts changeit
    /tmp/java8/bin/java -Dnss.lib=/usr/lib64 -Dnss.db=/tmp/fips/nssdb -Djavax.net.ssl.keyStorePassword=password1! TestKeyStoreFIPS /tmp/jre8/lib/security/cacerts changeit

    EXPECTED VERSUS ACTUAL BEHAVIOR :
    EXPECTED -
    The list of all certificates in ca certs. While running the tool, output should be following.

    FIPS test success
    digicertassuredidrootca : X.509
    trustcenterclass2caii : X.509
    thawtepremiumserverca : X.509
    swisssignplatinumg2ca : X.509
    swisssignsilverg2ca : X.509
    thawteserverca : X.509
    equifaxsecureebusinessca1 : X.509
    ....

    ACTUAL -
    FIPS test success
    Exception in thread "main" java.lang.RuntimeException: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:96)
        at sun.security.util.ECUtil.decodeX509ECPublicKey(ECUtil.java:102)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:170)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:99)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:747)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1433)
        at TestKeyStoreFIPS.main(TestKeyStoreFIPS.java:46)
    Caused by: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.jca.GetInstance.getService(GetInstance.java:83)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.KeyFactory.getInstance(KeyFactory.java:211)
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:94)
        ... 16 more

    ERROR MESSAGES/STACK TRACES THAT OCCUR :
    FIPS test success
    Exception in thread "main" java.lang.RuntimeException: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:96)
        at sun.security.util.ECUtil.decodeX509ECPublicKey(ECUtil.java:102)
        at sun.security.pkcs11.P11ECKeyFactory.engineGeneratePublic(P11ECKeyFactory.java:170)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at sun.security.x509.X509Key.buildX509Key(X509Key.java:223)
        at sun.security.x509.X509Key.parse(X509Key.java:170)
        at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75)
        at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:667)
        at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:167)
        at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806)
        at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:195)
        at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:99)
        at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339)
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:747)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
        at java.security.KeyStore.load(KeyStore.java:1433)
        at TestKeyStoreFIPS.main(TestKeyStoreFIPS.java:46)
    Caused by: java.security.NoSuchProviderException: no such provider: SunEC
        at sun.security.jca.GetInstance.getService(GetInstance.java:83)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:206)
        at java.security.KeyFactory.getInstance(KeyFactory.java:211)
        at sun.security.util.ECUtil.getKeyFactory(ECUtil.java:94)
        ... 16 more

    REPRODUCIBILITY :
    This bug can be reproduced always.

    ---------- BEGIN SOURCE ----------
    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.security.KeyStore;
    import java.security.Provider;
    import java.security.Security;
    import java.util.ArrayList;
    import java.util.Enumeration;
    import java.util.List;
    import java.util.Map;
    import java.util.Properties;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    import sun.security.provider.Sun;
    import sun.security.rsa.SunRsaSign;

    public class TestKeyStoreFIPS {

        public static final String NSS_LIB_DIR_PROP = "nss.lib";
        public static final String NSS_DB_DIR_PROP = "nss.db";
        public static final String SUN_JSSE = "SunJSSE";
        public static List<String> disabledAlgs = new ArrayList<String>();
        public static final String CONFIG = "config/configuration.properties";
        private static final Logger logger = Logger.getLogger(TestKeyStoreFIPS.class.getName());

        /**
         * @param args keystore file and keystore password
         */
        public static void main(String[] args) throws Exception {
            if (args.length != 2) {
                System.out.println("Usage eg: java -Dnss.lib=/usr/lib64 -Dnss.db=/tmp/fips/nssdb "
                        + "-Djavax.net.ssl.keyStorePassword=password1! "
                        + "TestKeyStoreFIPS /tmp/jre8/lib/security/cacerts changeit");
                System.exit(1);
            }
            enablePkcs11Jsse(System.getProperty(NSS_LIB_DIR_PROP), System.getProperty(NSS_DB_DIR_PROP));
            testFips();

            String file = args[0];
            char[] keystorePassword = args[1].toCharArray();
            FileInputStream keystoreStream = new FileInputStream(file);
            KeyStore keyStore = KeyStore.getInstance("JKS");
            // The reported exception is thrown from this call (see the stack trace).
            keyStore.load(keystoreStream, keystorePassword);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                System.out.println(alias + " : " + keyStore.getCertificate(alias).getType());
            }
        }

        /** Opens the PKCS11 keystore to confirm that the NSS FIPS token is usable. */
        private static void testFips() {
            String keyPass = System.getProperty("javax.net.ssl.keyStorePassword");
            KeyStore store;
            try {
                store = KeyStore.getInstance("PKCS11");
                if (keyPass != null) {
                    store.load(null, keyPass.toCharArray());
                } else {
                    store.load(null, null);
                }
                System.out.println("FIPS test success");
            } catch (Throwable e) {
                e.printStackTrace();
                store = null;
                System.out.println("FIPS test failed");
            }
        }

        /**
         * Configures a PKCS11 based provider and replace the existing JSSE provider
         * with one configured against the newly added PKCS11 based provider.
         */
        public static void enablePkcs11Jsse(String libDir, String dbDir) throws Exception {
            removeAllProviders();
            // Providers installed from here on, in order: NSSfips, SunJSSE (bound to NSS),
            // Sun, SunRsaSign. No other provider (for example SunEC) is reinstalled.
            Provider nss = getNSSFIPSProvider(libDir, dbDir);
            removeDisabledAlgos(nss);
            Security.insertProviderAt(nss, 1);

            Provider sunJsse = new com.sun.net.ssl.internal.ssl.Provider(nss);
            removeDisabledAlgos(sunJsse);
            Security.insertProviderAt(sunJsse, 2);

            Sun sun = new Sun();
            removeDisabledAlgos(sun);
            Security.insertProviderAt(sun, 3);

            SunRsaSign sunrsa = new SunRsaSign();
            removeDisabledAlgos(sunrsa);
            Security.insertProviderAt(sunrsa, 4);
        }

        /**
         * Loads and returns an instance of the NSS provider in FIPS mode
         *
         * @return the configured SunPKCS11 provider
         * @throws Exception if nss.lib or nss.db is not set
         */
        private static Provider getNSSFIPSProvider(String libDir, String dbDir) throws Exception {
            if (libDir == null || dbDir == null) {
                throw new Exception(NSS_LIB_DIR_PROP + " or " + NSS_DB_DIR_PROP + " not set.");
            }
            Properties props = new Properties();
            props.put("name", "NSSfips");
            props.put("nssLibraryDirectory", libDir);
            props.put("nssSecmodDirectory", dbDir);
            props.put("nssModule", "fips");
            props.put("nssDbMode", "readWrite");
            return createProvider(props);
        }

        private static Provider createProvider(Properties props) throws IOException {
            // SunPKCS11 reads its configuration from a stream, so serialize the properties first.
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            props.store(out, null);
            ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());
            Provider ret = new sun.security.pkcs11.SunPKCS11(in);
            if (logger.isLoggable(Level.FINE)) {
                // Log all of the registered services
                for (Map.Entry<Object, Object> entry : ret.entrySet()) {
                    logger.log(Level.FINE, "{0} = {1}", new Object[]{entry.getKey(), entry.getValue()});
                }
            }
            return ret;
        }

        /**
         * Remove all default providers (enablePkcs11Jsse re-adds Sun and SunRsaSign afterwards)
         */
        private static void removeAllProviders() {
            Provider[] providers = Security.getProviders();
            for (Provider prov : providers) {
                Security.removeProvider(prov.getName());
            }
        }

        /**
         * Remove invalid algorithms
         * @param provider
         */
        private static void removeDisabledAlgos(Provider provider) {
            for (String alg : disabledAlgs) {
                if (provider.getProperty(alg) != null) {
                    logger.info("Removing algorithm " + alg + " from provider " + provider);
                    provider.remove(alg);
                }
            }
        }
    }
    ---------- END SOURCE ----------

    CUSTOMER SUBMITTED WORKAROUND :
    Replace cacerts with a dummy keystore.

    JDK Bug System | 2 years ago | Webbug Group
    javax.net.ssl.SSLHandshakeException: Error signing certificate verify
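
An added diagnostic, not part of the bug report or of the JDK: it lists the installed JCA providers and repeats the provider-pinned `KeyFactory` lookup at the bottom of the trace above, first with the default provider set and then with SunEC removed, which is the state the test case's `removeAllProviders()` leaves it in. The class name `ProviderPreflight` and its method names are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic; the class and method names are hypothetical.
public class ProviderPreflight {

    /** Names of the installed JCA providers, in preference order. */
    static List<String> installedProviders() {
        List<String> names = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** Providers that register a given service, e.g. ("KeyFactory", "EC"). */
    static List<String> providersFor(String type, String algorithm) {
        List<String> names = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    /** Repeats the failing call from the trace: a KeyFactory lookup pinned to a provider name. */
    static String pinnedKeyFactory(String algorithm, String providerName) {
        try {
            KeyFactory.getInstance(algorithm, providerName);
            return "available";
        } catch (GeneralSecurityException e) {
            // NoSuchProviderException or NoSuchAlgorithmException
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    /** Prints the provider state that decides whether EC certificates can be parsed. */
    static void report(String label) {
        System.out.println("== " + label + " ==");
        System.out.println("installed providers : " + installedProviders());
        System.out.println("KeyFactory.EC from  : " + providersFor("KeyFactory", "EC"));
        System.out.println("SHA256withECDSA from: " + providersFor("Signature", "SHA256withECDSA"));
        System.out.println("EC pinned to SunEC  : " + pinnedKeyFactory("EC", "SunEC"));
    }

    public static void main(String[] args) {
        report("default provider set");
        // Mimic the relevant part of the test case: SunEC is no longer installed.
        Security.removeProvider("SunEC");
        report("after removing SunEC");
    }
}
```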
  3. 0

    jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java test fails with following errors:

    ** Failed TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 in TLSv1.2 mode with ECDSA client authentication**
    ** Failed TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 in TLSv1.2 mode**
    ** Failed TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 in TLSv1.2 mode with DSA client authentication**
    ** Failed TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 in TLSv1.2 mode with RSA client authentication**

    STDERR:
    javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at java.io.OutputStream.write(OutputStream.java:75)
        at CipherTest$Client.sendRequest(CipherTest.java:378)
        at JSSEClient.runTest(JSSEClient.java:57)
        at CipherTest$Client.run(CipherTest.java:365)
        at java.lang.Thread.run(Thread.java:745)
    javax.net.ssl.SSLException: Error generating ECDH server key exchange
        at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1344)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:902)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
        at CipherTest$Server.handleRequest(CipherTest.java:77)
        at JSSEServer$1.run(JSSEServer.java:64)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs.PKCS8Key
        at java.security.Signature$Delegate.chooseProvider(Signature.java:1135)
        at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
        at java.security.Signature.initSign(Signature.java:527)
        at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1032)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:898)

    The failure was observed on linux_2.6, but it may be irrelevant due to the random nature of the failure. Full jtr log is attached.

    JDK Bug System | 8 months ago | Aleksej Efimov
    javax.net.ssl.SSLException: Error generating ECDH server key exchange
  5. 0

    0005544: Use "EC" not "ECDSA" - MantisBT

    freenetproject.org | 9 months ago
    java.security.InvalidKeyException: can't recognise key type in ECDSA based signer at org.bouncycastle.jcajce.provider.asymmetric.ec.SignatureSpi.engineInitSign(Unknown Source)
  6. 0

    iText - SunPKC11 Exception when signing PDF

    nabble.com | 6 months ago
    java.security.InvalidKeyException: Private keys must be instance of RSAPrivate(Crt)Key or have PKCS#8 encoding


    Root Cause Analysis

    1. java.security.InvalidKeyException

      No installed provider supports this key: sun.security.pkcs.PKCS8Key

      at java.security.Signature$Delegate.chooseProvider()
    2. Java RT
      Signature.initSign
      1. java.security.Signature$Delegate.chooseProvider(Signature.java:1143)
      2. java.security.Signature$Delegate.engineInitSign(Signature.java:1193)
      3. java.security.Signature.initSign(Signature.java:550)
      3 frames
    3. Java JSSE
      ClientHandshaker.serverHelloDone
      1. sun.security.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1966)
      2. sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1188)
      2 frames