java.security.SignatureException: Signature does not match

java security tomcat7 keytool

Solution 1:

I finally found the problem: The SignatureException does not indicate that the issuer is unknown to the client. In that case a CertPathBuilderException would be thrown.

The SignatureException was actually caused by not having the self-signed certificate imported as trusted certificate which must be done by the additional parameter -trustcacerts.

To answer the question why someone should want to trust a self signed certificate: The server is used for test purposes for automated client tests connecting to the server over HTTPS.

Solution 2:

The Signature does not match error is the symptom that the server identity is unknown to the client, ie the client truststore does not have the server certificate.

Create the server certificate and add it to a keystore:

keytool -genkey -noprompt -alias "$alias" -dname "CN=$dname_cn, OU=$dname_ou, O=$dname_o, L=$dname_l, S=$dname_s, C=$dname_c" -keystore "$keystore" -storepass "$storepass" -keypass "$keypass"

and export it for the client into a truststore:

keytool -export -alias "$alias" -storepass "$storepass" -file "$alias".cer -keystore "$keystore"

If you want 2-way SSL then you have to repeat this twice, inverting, they both must know each other.

Now the tricky part is to build an SSLContext correctly and configure your client and server with it.

In Grizzly I do:

SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator();

// set up security context
sslContextConfigurator.setKeyStoreFile(configuration.getKeystore()); // contains the server keypair
sslContextConfigurator.setKeyStorePass(configuration.getKeystorePassword());
sslContextConfigurator.setKeyStoreType(configuration.getKeystoreType());
sslContextConfigurator.setKeyPass(configuration.getKeystoreKeypass());
sslContextConfigurator.setTrustStoreFile(configuration.getTruststore()); // contains the list of trusted certificates
sslContextConfigurator.setTrustStorePass(configuration.getTruststorePassword());
sslContextConfigurator.setTrustStoreType(configuration.getTruststoreType());
if (!sslContextConfigurator.validateConfiguration(true))
    throw new Exception("Invalid SSL configuration");

For advanced debugging do not forget System.setProperty("javax.net.debug", "all");

Solution 3:

-keypass password

Get rid of this parameter. The mechanism that supports javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword doesn't support key passwords, only keystore passwords.

Related

asyncio.sleep required after cancelling tasks?
No instance(s) of type variable(s) U exist so that void conforms to U
How to parse Google Ads batch stream into pandas dataframe?
How to use a custom loss function with neural compressor for distillation
Node - Merge dynamic amount of arrays together - alternate the items in the result array
What is the difference between doing a regression with a dataframe and ndarray?
PHP with openSSL - supplied key param cannot be coerced into a private key
The calculation of new variable using the equation and parameters provided in separate columns in R
Need to find Max Value in Liferay table using Service Builder
npm - EPERM mkdir: operation not permitted on Windows
Open API code generator Maven plugin uses old Swagger 2 annotations instead of Swagger 3 annotations
Event for highlighting the hovered element?