JDK11 TLS v1.2 negotiation failure when using NSS-Fips with SunPKCS11: java.security.InvalidKeyException: No installed provider supports this key - PullRequest
1 vote
/ April 16, 2019

When upgrading from Java 8 to Java 11, the SSL TLSv1.2 handshake fails with the following error when using SunPKCS11 and NSS with FIPS enabled. SSL negotiation works when using TLSv1.1 or when using Java 8.

javax.net.ssl|ERROR|41|https-jsse-nio-xxxx.xxx-8443-exec-10|2019-04-16 10:08:23.496 EDT|TransportContext.java:312|Fatal (INTERNAL_ERROR): Unsupported signature algorithm: rsa_pss_rsae_sha256 ("throwable" : { java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey

Attached is the output using -Djavax.net.debug=ssl:handshake

javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.468 EDT|ClientHello.java:809|Consuming ClientHello handshake message (
        "ClientHello": {
          "client version"      : "TLSv1.2",
          "random"              : "AF 54 0F C4 94 E5 62 8D B4 A9 8D 2E 84 21 2D D0 B0 17 5A BB BB AD 9C B4 3C 66 0B 5A 4F 90 06 64",
          "session id"          : "",
          "cipher suites"       : "[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C)]",
          "compression methods" : "00",
          "extensions"          : [
            "server_name (0)": {
              type=host_name (0), value=autotestsw.initia.com
            },
            "renegotiation_info (65,281)": {
              "renegotiated connection": [<no renegotiated connection>]
            },
            "supported_groups (10)": {
              "versions": [x25519, secp256r1, secp384r1, secp521r1]
            },
            "ec_point_formats (11)": {
              "formats": [uncompressed]
            },
            "signature_algorithms (13)": {
              "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ecdsa_sha1, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, rsa_pkcs1_sha1, dsa_sha256, dsa_sha384, dsa_sha512, dsa_sha1]
            }
          ]
        }
        )

javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.468 EDT|SSLExtensions.java:170|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.469 EDT|ClientHello.java:839|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.469 EDT|ServerNameExtension.java:327|no server name matchers, ignore server name indication
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.469 EDT|SSLExtensions.java:189|Consumed extension: server_name
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.470 EDT|SSLExtensions.java:170|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.470 EDT|SSLExtensions.java:170|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.470 EDT|SSLExtensions.java:189|Consumed extension: supported_groups
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.470 EDT|SSLExtensions.java:189|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.471 EDT|SSLExtensions.java:189|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.471 EDT|SSLExtensions.java:170|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.472 EDT|SSLExtensions.java:170|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.472 EDT|SSLExtensions.java:170|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.473 EDT|SSLExtensions.java:189|Consumed extension: renegotiation_info
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.474 EDT|SSLExtensions.java:212|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.474 EDT|SSLExtensions.java:204|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.474 EDT|SSLExtensions.java:204|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.475 EDT|SSLExtensions.java:212|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.475 EDT|SSLExtensions.java:212|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.476 EDT|SignatureScheme.java:379|Unsupported signature scheme: dsa_sha384
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.476 EDT|SignatureScheme.java:379|Unsupported signature scheme: dsa_sha512
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.476 EDT|SSLExtensions.java:221|Populated with extension: signature_algorithms
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.477 EDT|SSLExtensions.java:204|Ignore unavailable extension: signature_algorithms_cert
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.477 EDT|SSLExtensions.java:204|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.477 EDT|SSLExtensions.java:204|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.477 EDT|SSLExtensions.java:204|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.478 EDT|SSLExtensions.java:204|Ignore unavailable extension: supported_versions
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.478 EDT|SSLExtensions.java:212|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.488 EDT|ServerHello.java:439|use cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.489 EDT|StatusResponseManager.java:763|Staping disabled or is a resumed session
javax.net.ssl|ALL|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.489 EDT|ServerNameExtension.java:450|No expected server name indication response
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.490 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: server_name
javax.net.ssl|ALL|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.490 EDT|MaxFragExtension.java:296|Ignore unavailable max_fragment_length extension
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.490 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.490 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: status_request
javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.491 EDT|SSLExtensions.java:243|Ignore, no extension producer defined: ec_point_formats
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.491 EDT|AlpnExtension.java:365|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.491 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.492 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: status_request_v2
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.492 EDT|SSLExtensions.java:257|Ignore, context unavailable extension: extended_master_secret


    javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.492 EDT|ServerHello.java:364|Produced ServerHello handshake message (
        "ServerHello": {
          "server version"      : "TLSv1.2",
          "random"      : "A1 25 47 B4 A9 F7 DB 96 3B 59 84 EB 36 32 76 51 B5 49 11 B5 DC 41 46 25 68 AC 59 95 65 C3 B8 DA",
          "session id"  : "E9 3F 42 FB C9 84 A2 55 FA DD 15 7E AD E7 08 86 BC 80 EC C1 F4 2C 64 69 E2 55 DA 0D 60 CA F5 13",
          "cipher suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
          "compression methods" : "00",
          "extensions"          : [
            "renegotiation_info (65,281)": {
              "renegotiated connection": [<no renegotiated connection>]
            }
          ]
        }
        )

    javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.495 EDT|CertificateMessage.java:262|Produced server Certificate handshake message (
    "Certificates": [
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "10 02",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN= i2git Intermediate CA, OU= Certificate Authority, O=initia, ST=Virginia, C=US",
        "not before"         : "2019-04-12 15:34:43.000 EDT",
        "not  after"         : "2024-04-10 15:34:43.000 EDT",
        "subject"            : "CN=autotestsw1.initia.com",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.16.840.1.113730.1.13 Criticality=false
          },
          {
            ObjectId: 2.5.29.35 Criticality=false
            AuthorityKeyIdentifier [
            KeyIdentifier [
            0000: 88 A9 E4 46 43 35 8B 10   D7 AF B5 D1 11 EA 06 5A  ...FC5.........Z
            0010: F9 C5 E9 27                                        ...'
            ]
            [CN= i2git Root CA, OU= Certificate Authority, O=initia, ST=Virginia, C=US]
            SerialNumber: [    1000]
            ]
          },
          {
            ObjectId: 2.5.29.19 Criticality=false
            BasicConstraints:[
              CA:false
              PathLen: undefined
            ]
          },
          {
            ObjectId: 2.5.29.37 Criticality=false
            ExtendedKeyUsages [
              serverAuth
            ]
          },
          {
            ObjectId: 2.5.29.15 Criticality=true
            KeyUsage [
              DigitalSignature
              Key_Encipherment
            ]
          },
          {
            ObjectId: 2.16.840.1.113730.1.1 Criticality=false
            NetscapeCertType [
               SSL server
            ]
          },
          {
            ObjectId: 2.5.29.17 Criticality=false
            SubjectAlternativeName [
              DNSName: autotestsw1-rel.initia.com
            ]
          },
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: FF D4 21 56 12 F3 F4 DF   DD A0 B4 FF D5 8C 46 A2  ..!V..........F.
            0010: 2D 04 E7 96                                        -...
            ]
            ]
          }
        ]},
      "certificate" : {
        "version"            : "v3",
        "serial number"      : "10 00",
        "signature algorithm": "SHA256withRSA",
        "issuer"             : "CN= i2git Root CA, OU= Certificate Authority, O=initia, ST=Virginia, C=US",
        "not before"         : "2019-04-12 11:55:21.000 EDT",
        "not  after"         : "2029-04-09 11:55:21.000 EDT",
        "subject"            : "CN= i2git Intermediate CA, OU= Certificate Authority, O=initia, ST=Virginia, C=US",
        "subject public key" : "RSA",
        "extensions"         : [
          {
            ObjectId: 2.5.29.35 Criticality=false
            AuthorityKeyIdentifier [
            KeyIdentifier [
            0000: C5 A6 7D 48 E4 2E 7D E1   8D 28 E6 F9 28 BC 00 01  ...H.....(..(...
            0010: 10 7E E6 62                                        ...b
            ]
            ]
          },
          {
            ObjectId: 2.5.29.19 Criticality=true
            BasicConstraints:[
              CA:true
              PathLen:0
            ]
          },
          {
            ObjectId: 2.5.29.15 Criticality=true
            KeyUsage [
              DigitalSignature
              Key_CertSign
              Crl_Sign
            ]
          },
          {
            ObjectId: 2.5.29.14 Criticality=false
            SubjectKeyIdentifier [
            KeyIdentifier [
            0000: 88 A9 E4 46 43 35 8B 10   D7 AF B5 D1 11 EA 06 5A  ...FC5.........Z
            0010: F9 C5 E9 27                                        ...'
            ]
            ]
          }
        ]}
    ]
    )

javax.net.ssl|ERROR|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.496 EDT|TransportContext.java:312|Fatal (INTERNAL_ERROR): Unsupported signature algorithm: rsa_pss_rsae_sha256 (
        "throwable" : {
          java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
                at java.base/java.security.Signature$Delegate.chooseProvider(Signature.java:1163)
                at java.base/java.security.Signature$Delegate.engineInitSign(Signature.java:1204)
                at java.base/java.security.Signature.initSign(Signature.java:546)
                at java.base/sun.security.ssl.SignatureScheme.getSignature(SignatureScheme.java:473)
                at java.base/sun.security.ssl.ECDHServerKeyExchange$ECDHServerKeyExchangeMessage.<init>(ECDHServerKeyExchange.java:155)
                at java.base/sun.security.ssl.ECDHServerKeyExchange$ECDHServerKeyExchangeProducer.produce(ECDHServerKeyExchange.java:499)
                at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1102)
                at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:854)
                at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
                at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
                at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:441)
                at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074)
                at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
                at java.base/java.security.AccessController.doPrivileged(AccessController.java:688)
                at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008)
                at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:423)
                at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
                at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1392)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
                at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.base/java.lang.Thread.run(Thread.java:835)}

)

javax.net.ssl|WARNING|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.497 EDT|SSLEngineOutputRecord.java:168|outbound has closed, ignore outbound application data
javax.net.ssl|WARNING|40|https-jsse-nio-x.x.xx.xxx-8443-exec-9|2019-04-16 10:08:23.501 EDT|SSLEngineOutputRecord.java:168|outbound has closed, ignore outbound application data
...
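
An added example, not part of the original post: a small triage script for `javax.net.debug` output in the pipe-delimited format shown above. It reports the negotiated version, the cipher suite, the signature schemes the client offered and the scheme on which the server raised its fatal alert. The embedded sample is constructed by abridging the log above, and the names `split_records` and `triage` are hypothetical.

```python
import re

# Constructed sample: records abridged from the debug output above.
SAMPLE = '''javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.468 EDT|ClientHello.java:809|Consuming ClientHello handshake message (
              "signature schemes": [ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, rsa_pkcs1_sha256, rsa_pkcs1_sha1]
        )
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.469 EDT|ClientHello.java:839|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.488 EDT|ServerHello.java:439|use cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
javax.net.ssl|ERROR|41|https-jsse-nio-x.x.xx.xxx-8443-exec-10|2019-04-16 10:08:23.496 EDT|TransportContext.java:312|Fatal (INTERNAL_ERROR): Unsupported signature algorithm: rsa_pss_rsae_sha256 (
        "throwable" : {
          java.security.InvalidKeyException: No installed provider supports this key: sun.security.pkcs11.P11Key$P11PrivateKey
'''

HEADER = re.compile(r"^javax\.net\.ssl\|(\w+)\|(\d+)\|[^|]*\|[^|]*\|([^|]+)\|(.*)$")
PATTERNS = {
    "version": r"Negotiated protocol version: (\S+)",
    "cipher_suite": r"use cipher suite (\S+)",
    "failed_scheme": r"Fatal \(\w+\): Unsupported signature algorithm: (\w+)",
    "exception": r"(java\.[\w.]+Exception: [^\n]+)",
}

def split_records(text):
    """Attach continuation lines to the pipe-delimited header line before them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"level": m[1], "thread": m[2], "source": m[3], "body": m[4]})
        elif records:
            records[-1]["body"] += "\n" + line.strip()
    return records

def triage(text):
    """Summarise one handshake: what the client offered and where the server failed."""
    summary = {"offered_schemes": []}
    for rec in split_records(text):
        offered = re.search(r'"signature schemes": \[([^\]]*)\]', rec["body"])
        if offered and "ClientHello" in rec["body"]:
            summary["offered_schemes"] = [s.strip() for s in offered[1].split(",")]
        for key, pattern in PATTERNS.items():
            hit = re.search(pattern, rec["body"])
            if hit and key not in summary:
                summary[key] = hit[1]
    failed = summary.get("failed_scheme")
    summary["client_offered_failed_scheme"] = failed in summary["offered_schemes"]
    summary["other_rsa_schemes"] = [s for s in summary["offered_schemes"]
                                    if s.startswith("rsa_") and s != failed]
    return summary

if __name__ == "__main__": print(triage(SAMPLE))
```

`other_rsa_schemes` only lists what the client advertised; whether the server's providers can sign with any of them for a PKCS#11-held key is not visible in the log.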