Client ECC SSL Certificate contains "unknown named curve"


Problem description


Question precontext: I am working in an existing library that uses SSL with the netty framework on a remote server. I am running into an SSL/TLS handshake error. The error is as follows:

javax.net.ssl.SSLProtocolException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1345) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799) ~[na:1.7.0_79]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767) ~[na:1.7.0_79]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_79]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:982) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:908) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:854) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:130) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at java.lang.Thread.run(Thread.java:745) ~[na:1.7.0_79]
Caused by: javax.net.ssl.SSLProtocolException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:451) ~[na:1.7.0_79]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:222) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:841) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:839) ~[na:1.7.0_79]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_79]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273) ~[na:1.7.0_79]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1015) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:927) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
    ... 14 common frames omitted
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:171) ~[na:1.7.0_79]
    at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1781) ~[na:1.7.0_79]
    at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:196) ~[na:1.7.0_79]
    at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:97) ~[na:1.7.0_79]
    at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:339) ~[na:1.7.0_79]
    at sun.security.ssl.HandshakeMessage$CertificateMsg.<init>(HandshakeMessage.java:449) ~[na:1.7.0_79]
    ... 22 common frames omitted
Caused by: java.io.IOException: Unknown named curve: 1.2.840.10045.3.1.1
    at sun.security.ec.ECParameters.decodeParameters(ECParameters.java:197) ~[na:1.7.0_79]
    at sun.security.ec.ECParameters.engineInit(ECParameters.java:319) ~[na:1.7.0_79]
    at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:139) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[na:1.7.0_79]
    at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:382) ~[na:1.7.0_79]
    at sun.security.x509.X509Key.parse(X509Key.java:168) ~[na:1.7.0_79]
    at sun.security.x509.CertificateX509Key.<init>(CertificateX509Key.java:75) ~[na:1.7.0_79]
    at sun.security.x509.X509CertInfo.parse(X509CertInfo.java:705) ~[na:1.7.0_79]
    at sun.security.x509.X509CertInfo.<init>(X509CertInfo.java:169) ~[na:1.7.0_79]
    ... 27 common frames omitted


Now, here was my approach to solving the issue at hand. This remote server requires client authentication, and that certificate is the one that uses elliptic curves (using a client certificate with different public key and signature algorithms does not cause the error, meaning that the client certificate is at fault here). I ran

openssl x509 -in <client_cert> -text -noout

The client certificate is as follows:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3585039615565000225 (0x31c09e8937746e21)
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: <ISSUER>
        Validity
            Not Before: Dec  1 23:01:26 2014 GMT
            Not After : Nov 26 23:01:26 2034 GMT
        Subject: 1.3.6.1.4.1.41387.1.1=18B43000004C627B
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (192 bit)
                pub:
                    04:dc:ca:07:76:de:28:91:b8:94:16:08:12:01:85:
                    24:a5:a5:5e:48:84:aa:2b:f8:3a:fa:87:f1:30:70:
                    f3:7b:01:68:6a:f6:29:56:c7:17:60:71:fe:b7:c0:
                    d1:d5:1c:ad
                ASN1 OID: prime192v1
                NIST CURVE: P-192
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                <SUBJECT KEY IDENTIFIER>
            X509v3 Authority Key Identifier:
                keyid: <KEY ID>

    Signature Algorithm: ecdsa-with-SHA1
         <SIGNATURE GOES HERE>


This leaves me under the impression that the NIST P-192 curve is not being recognized by the JDK SSL library. The JDK version I am running is 1.7.0_79. I don't know how to proceed with fixing this. Any ideas?
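The innermost frames of the trace (X509Key.parse, AlgorithmId.decodeParams, ECParameters.decodeParameters) are decoding the AlgorithmIdentifier inside the certificate's SubjectPublicKeyInfo, where the OID 1.2.840.10045.3.1.1 (prime192v1, NIST P-192) sits as the namedCurve parameter. The following is an added example, not code from the question, the answer, netty or the JDK: a dependency-free DER walker that extracts that curve OID so a client certificate's key can be checked before it is handed to a TLS stack. The sample SubjectPublicKeyInfo is constructed here from the values shown in the question's `openssl x509 -text` output (id-ecPublicKey, prime192v1 and the 49-byte uncompressed point); it is not the original certificate, which the question redacts. The OID name table and the set of acceptable curves (P-256, P-384, P-521, the curves TLS 1.3 implementations commonly support) are this example's own policy choices; P-192 offers roughly 96-bit security, below the 112-bit floor NIST SP 800-131A requires, which is why the policy rejects it.

```python
"""Check the named curve of an EC SubjectPublicKeyInfo before TLS sees it.

Added example. The SPKI below is constructed from values printed in the
question; the policy tables are assumptions made for this example.
"""
import binascii

# Dotted OIDs this example knows how to name (assumed table, not exhaustive).
OID_NAMES = {
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.1": "prime192v1 (NIST P-192)",
    "1.3.132.0.33": "secp224r1 (NIST P-224)",
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
}
# Example policy: only curves with >= 128-bit security are accepted.
ACCEPTABLE_CURVES = {"1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"}

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _der(tag, content):
    """Minimal DER TLV encoder; short-form lengths only (< 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def decode_oid(raw):
    """Dotted string from OID content bytes (base-128 arcs, first byte = 40*a+b)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: arc complete
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_oid(dotted):
    """OID content bytes from a dotted string (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]               # last byte has high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def spki_curve(spki_der):
    """Return (key_algorithm_oid, curve_oid_or_None) from a DER SubjectPublicKeyInfo.

    namedCurve form is SEQUENCE { SEQUENCE { OID alg, OID curve }, BIT STRING key }.
    """
    tag, body, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("algorithm must be an OID")
    curve = None
    if pos < len(alg_id):
        tag, params, _ = _read_tlv(alg_id, pos)
        if tag == 0x06:                    # namedCurve; explicit params would be a SEQUENCE
            curve = decode_oid(params)
    return decode_oid(alg_oid), curve


def check_client_key(spki_der):
    """Classify the key as 'ok', 'weak-curve', 'explicit-params' or 'not-ec'."""
    algorithm, curve = spki_curve(spki_der)
    if algorithm != ID_EC_PUBLIC_KEY:
        return "not-ec", algorithm
    if curve is None:
        return "explicit-params", None
    if curve in ACCEPTABLE_CURVES:
        return "ok", curve
    return "weak-curve", curve


def build_ec_spki(curve_oid, point):
    """Encode a SubjectPublicKeyInfo for an EC key in namedCurve form."""
    alg_id = _der(0x30, _der(0x06, encode_oid(ID_EC_PUBLIC_KEY))
                  + _der(0x06, encode_oid(curve_oid)))
    bit_string = _der(0x03, b"\x00" + point)   # leading 0x00 = no unused bits
    return _der(0x30, alg_id + bit_string)


# Constructed from the 49-byte point in the question's openssl output.
P192_POINT = binascii.unhexlify(
    "04dcca0776de2891b8941608120185"
    "24a5a55e4884aa2bf83afa87f13070"
    "f37b01686af62956c7176071feb7c0"
    "d1d51cad"
)
SAMPLE_SPKI = build_ec_spki("1.2.840.10045.3.1.1", P192_POINT)

if __name__ == "__main__":
    verdict, oid = check_client_key(SAMPLE_SPKI)
    print(verdict, oid, OID_NAMES.get(oid, "unknown OID"))
```

Run against the constructed P-192 key the checker reports `weak-curve 1.2.840.10045.3.1.1 prime192v1 (NIST P-192)`; the same walk over a real certificate would start from the TBSCertificate and descend to its subjectPublicKeyInfo element, and a key with explicit (non-named) curve parameters is flagged separately because most TLS stacks refuse those outright.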

Recommended answer


This might be related to an encryption issue, rather than an SSL issue. Have you tried using the unlimited strength jurisdiction policy files?
