I'm trying to get DavMail working on my Mac with my SmartCard. It works great on my Windows PC, and I've verified that the card is functioning properly on my Mac by loading the WebMail version in Chrome (using PKCS11 authentication) and it works fine. However, DavMail keeps dying with "Error signing certificate verify".
Anyone know what's going wrong? I've spent the last 3 hours looking into it with no luck.
Date: Thu Sep 15 21:35:19 CDT 2011 (1316140519206)
Thread: ImapConnection-51643
Message #: 73
Level: WARN
NDC:
Category: davmail.http.DavGatewayHttpClientFacade
Message: Error signing certificate verify
Location: davmail.http.DavGatewayHttpClientFacade.getHttpStatus(DavGatewayHttpClientFacade.java:242)
Thrown:
javax.net.ssl.SSLHandshakeException: Error signing certificate verify
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1649)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:889)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:755)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read(BufferedInputStream.java:237)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at davmail.http.DavGatewayHttpClientFacade.getHttpStatus(DavGatewayHttpClientFacade.java:240)
at davmail.exchange.ExchangeSession.isBasicAuthentication(ExchangeSession.java:294)
at davmail.exchange.ExchangeSession.<init>(ExchangeSession.java:167)
at davmail.exchange.ews.EwsExchangeSession.<init>(EwsExchangeSession.java:137)
at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:137)
at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:94)
at davmail.imap.ImapConnection.run(ImapConnection.java:135)
Caused by: java.security.SignatureException: doFinal() failed
at java.security.Signature$CipherAdapter.engineSign(Signature.java:1229)
at java.security.Signature$Delegate.engineSign(Signature.java:1128)
at java.security.Signature.sign(Signature.java:522)
at com.sun.net.ssl.internal.ssl.RSASignature.engineSign(RSASignature.java:149)
at java.security.Signature$Delegate.engineSign(Signature.java:1128)
at java.security.Signature.sign(Signature.java:522)
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateVerify.<init>(HandshakeMessage.java:1222)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:885)
… 26 more
Caused by: javax.crypto.BadPaddingException: doFinal() failed
at sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:330)
at sun.security.pkcs11.P11RSACipher.engineDoFinal(P11RSACipher.java:355)
at javax.crypto.Cipher.doFinal(DashoA13*..)
at java.security.Signature$CipherAdapter.engineSign(Signature.java:1225)
… 33 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED
at sun.security.pkcs11.wrapper.PKCS11.C_Sign(Native Method)
at sun.security.pkcs11.P11RSACipher.implDoFinal(P11RSACipher.java:314)
… 36 more
Error signing certificate verify
=> That probably means your server CA certificate is not in your local Java truststore.
Well, this is a DoD site, and I've imported all 3 of the root DoD certificates using keytool. Is there something else?
I just went through and imported all 30-ish CERs from the DISA site, so I know they're in there now. I'm using something like:
for s in *.cer; do
  echo "$s"
  sudo keytool -import -trustcacerts \
    -alias "${s%.cer}" \
    -keystore /Library/Java/Home/lib/security/cacerts \
    -storepass changeit \
    -file "$s"
done
This is on a Mac. Is that the right cacerts?
Apparently it is. I just loaded "Lobo", a Java web browser. With that, I can load the page just fine; the SSL certificates verify and everything. (I use OpenDNS; without the necessary routes set it redirects the https request to a Google search, and Lobo picked up the mismatched SSL cert. With the routes in place, it loads perfectly.)
So apparently this is just a SmartCard or DavMail thing. Is there some trick to getting SmartCard PKCS11 with a CAC working on a Mac in Java?
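A stand-alone check that reproduces the exact signing step the handshake dies on, added here as an example; it is not DavMail code and not part of the original thread. The trace above ends in Signature$CipherAdapter -> P11RSACipher -> C_Sign, which is what JSSE does for a TLS 1.0 CertificateVerify when the provider has no NONEwithRSA Signature: it runs Cipher "RSA/ECB/PKCS1Padding" in ENCRYPT_MODE with the card's private key over the 36-byte MD5||SHA-1 handshake hash. The program below loads the card through the same SunPKCS11 provider, performs that raw operation for every key on the card, and does a normal SHA1withRSA signature for comparison, so you can see whether the card can sign at all outside DavMail and which of its keys can. The PKCS#11 module path in the config file, the class name and the 36 constructed test bytes are assumptions; use whatever module Chrome was configured with.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import javax.crypto.Cipher;

/**
 * Does the SunPKCS11 provider produce the raw RSA signature JSSE needs for
 * the TLS 1.0 CertificateVerify message?  (Added diagnostic, not DavMail code.)
 *
 *   javac Pkcs11SignCheck.java
 *   java Pkcs11SignCheck /path/to/pkcs11.cfg
 *
 * pkcs11.cfg is a SunPKCS11 config; the library path below is an assumption:
 *   name = CAC
 *   library = /Library/OpenSC/lib/opensc-pkcs11.so
 *
 * On Java 9 or later replace the constructor with
 *   Security.getProvider("SunPKCS11").configure(args[0]).
 */
public class Pkcs11SignCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): java Pkcs11SignCheck <sunpkcs11-config-file>");
            System.exit(2);
        }
        Provider p = new sun.security.pkcs11.SunPKCS11(args[0]);
        Security.addProvider(p);

        char[] pin = System.console().readPassword("Card PIN: ");
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // C_Login; private keys never leave the card

        // TLS 1.0 CertificateVerify input: MD5(handshake) || SHA-1(handshake), 36 bytes,
        // PKCS#1 v1.5 block type 1 padding, no DigestInfo.  Constructed test bytes.
        byte[] handshakeHashes = new byte[36];
        Arrays.fill(handshakeHashes, (byte) 0x42);

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            System.out.println("== " + alias + " : " + cert.getSubjectX500Principal());
            System.out.println("   keyUsage=" + Arrays.toString(cert.getKeyUsage()));

            // 1. The path from the trace: Cipher ENCRYPT_MODE with a private key, which
            //    SunPKCS11 maps to C_Sign with CKM_RSA_PKCS.
            try {
                Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
                c.init(Cipher.ENCRYPT_MODE, key);
                byte[] sig = c.doFinal(handshakeHashes);
                // Undo the operation with the certificate's public key (SunJCE).
                Cipher v = Cipher.getInstance("RSA/ECB/PKCS1Padding");
                v.init(Cipher.DECRYPT_MODE, cert.getPublicKey());
                boolean ok = Arrays.equals(handshakeHashes, v.doFinal(sig));
                System.out.println("   raw CKM_RSA_PKCS sign: " + (ok ? "OK" : "WRONG RESULT"));
            } catch (Exception ex) {
                System.out.println("   raw CKM_RSA_PKCS sign FAILED: " + rootCause(ex));
            }

            // 2. An ordinary hashed signature through the same provider, for comparison.
            try {
                Signature s = Signature.getInstance("SHA1withRSA", p);
                s.initSign(key);
                s.update(handshakeHashes);
                byte[] sig = s.sign();
                Signature chk = Signature.getInstance("SHA1withRSA");
                chk.initVerify(cert.getPublicKey());
                chk.update(handshakeHashes);
                System.out.println("   SHA1withRSA sign: " + (chk.verify(sig) ? "OK" : "WRONG RESULT"));
            } catch (Exception ex) {
                System.out.println("   SHA1withRSA sign FAILED: " + rootCause(ex));
            }
        }
    }

    /** Innermost cause, e.g. "sun.security.pkcs11.wrapper.PKCS11Exception: CKR_FUNCTION_FAILED". */
    static String rootCause(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t.toString();
    }
}
```

If the raw operation fails with CKR_FUNCTION_FAILED for one key but succeeds for another, or SHA1withRSA succeeds where the raw operation fails, the problem is in the card's PKCS#11 module rather than in DavMail; if everything succeeds here, compare the key JSSE actually picks (the client certificate chain shown in the javax.net.debug output) against the keys this program could sign with.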
OK, the next step is to enable SSL debugging: add
-Djavax.net.debug=all
to VMOptions inside Info.plist and check the debug output.
Another option is to use the platform-independent package to run DavMail on the command line.
OK, did it. LOTS of output there, but the error seemed to be centered around:
%% Invalidated:
ImapConnection-56275, SEND TLSv1 ALERT: fatal, description = handshake_failure
Padded plaintext before ENCRYPTION: len = 32
Does that help at all?
Not much. You can check http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/ReadDebug.html for more details on the debug output.