client certificate - response code: 403
Hi,
I'm hitting into a "Server returned HTTP response code: 403" when trying to access a site requiring a client cert/authentication. The site that I'm trying to access has provided me a client cert (public/private key) to use when accessing the site. The certificate is in .pfx-format. I know the cert works because if I install it in a browser (IE or Mozilla on Solaris) it works perfect to access the site. When I try to use it in my code I hit into a "Server returned HTTP response code: 403". Because the client certificate is in .pfx-format I could not use keytool to import it into a keystore so I used BouncyCastleProvider to access the .pfx file directly. Here's my code:
java.security.Provider provider =
new org.bouncycastle.jce.provider.BouncyCastleProvider();
java.security.Security.addProvider(provider);
System.out.print("creating secure random...");
SecureRandom secureRandom = new SecureRandom();
secureRandom.nextInt();
System.out.println("done!");
System.out.print("getting the server trust/keystore...");
KeyStore serverKeyStore = KeyStore.getInstance("JKS");
System.out.println("done!");
System.out.print("loading the servers public key...");
serverKeyStore.load(new FileInputStream("/usr/java/jre/lib/security/cacerts"),
"changeit".toCharArray() );
System.out.println("done!");
System.out.print("loading my private key...");
KeyStore clientKeyStore = KeyStore.getInstance("PKCS12", "BC");
clientKeyStore.load(
new FileInputStream("/home/mabe/clientcert.pfx" ),
"SV".toCharArray() );
System.out.println("done!");
System.out.print("initializing truststore...");
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
tmf.init( serverKeyStore );
System.out.println("done!");
System.out.print("initializing keystore...");
KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
kmf.init( clientKeyStore, "".toCharArray() );
System.out.println("done!");
//print out the aliases from the client keystore, to see that we really got the cert
System.out.println("aliases in keystore:");
Enumeration e = clientKeyStore.aliases();
while(e.hasMoreElements())
System.out.println(e.nextElement());
System.out.print("getting the sslcontext...");
SSLContext sslContext = SSLContext.getInstance( "TLS" );
sslContext.init( kmf.getKeyManagers(),
tmf.getTrustManagers(),
secureRandom );
System.out.println("done!");
URL myUrl =
new java.net.URL("https://bla.bla.bla");
HttpsURLConnection conn =
(javax.net.ssl.HttpsURLConnection) myUrl.openConnection();
conn.setSSLSocketFactory(sslContext.getSocketFactory());
InputStream in = conn.getInputStream();
BufferedReader reader =
new BufferedReader(new InputStreamReader(in));
String tmp = "";
while ((tmp = reader.readLine()) != null)
{
System.out.println(tmp);
}
And here is the output:
creating secure random...done!
getting the keystore...done!
loading the servers public key...done!
loading my private key...done!
initializing truststore...done!
initializing keystore...done!
aliases in keystore:
57e720cd2a8b9abea9ac42c6a13aed40_67817e58-6eef-418c-93e8-bcd1b4604bb0
getting the sslcontext...done!
Boom!
java.io.IOException: Server returned HTTP response code: 403 for URL: https://bla.bla.bla.
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:791)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
at Client.<init>(Client.java:81)
at Client.main(Client.java:11)
So it seems to me that I never send the client cert to the server... or am I missing something important? The strange alias you see in the output I think is a Microsoft thing (the cert was created, I think, in a Microsoft environment). If I use KeyStore explorer (http://www.lazgosoftware.com/kse/) I can load the .pfx-file into a keystore and view it, then I se another alias.
Is there any way to find out that the client cert is being sent? I tried to understand the output from javax.net.debug=ssl, but it was to much, If you are interested I will gladly post it.
So, do you guys have any clue why this aint working? Any help would be great!
regards
Mange
