Цепочка сертификата SSLContext, не заполненная в контексте

Question

Пожалуйста, помогите понять, как обеспечить цепочку сертификатов в контексте SSL.

Введение: Я использую EWSJavaAPI 1.2 для подключения к обмену ms. Он использовал соединение TLS с двухсторонней аутентификацией, основанное на моем собственном сертификате, выпущенном моей компанией, подписанном моим CA, полученным из my-root-cert. Все эти сущности существуют, но я использую только PFX.

Я инициализирую SLLконтекст одним ключом PFX и использую TRUST-ALL для доверенного менеджера.

Мои зависимостями проекта:

<dependencies> 
    <dependency> 
     <groupId>junit</groupId> 
     <artifactId>junit</artifactId> 
     <version>3.8.1</version> 
     <scope>test</scope> 
    </dependency> 
    <dependency> 
     <groupId>commons-httpclient</groupId> 
     <artifactId>commons-httpclient</artifactId> 
     <version>3.1</version> 
    </dependency> 
    <dependency> 
     <groupId>commons-codec</groupId> 
     <artifactId>commons-codec</artifactId> 
     <version>1.7</version> 
    </dependency> 
    <dependency> 
     <groupId>jcifs</groupId> 
     <artifactId>jcifs</artifactId> 
     <version>1.3.17</version> 
    </dependency> 
    <dependency> 
     <groupId>commons-logging</groupId> 
     <artifactId>commons-logging</artifactId> 
     <version>1.1.1</version> 
     <classifier>adapters</classifier> 
    </dependency> 
    <dependency> 
     <groupId>EWSJavaAPI</groupId> 

      <artifactId>EWSJavaAPI</artifactId> 
      <version>1.2</version> 
     </dependency> 
     </dependencies> 

Мой образец для подключения:

package mail.msexchangetest; 

import java.io.FileInputStream; 
import java.io.IOException; 
import java.net.URI; 
import java.net.URISyntaxException; 
import java.security.KeyStore; 
import java.security.SecureRandom; 
import java.security.cert.Certificate; 
import javax.net.ssl.HandshakeCompletedEvent; 
import javax.net.ssl.HandshakeCompletedListener; 
import javax.net.ssl.KeyManagerFactory; 
import javax.net.ssl.SSLContext; 
import javax.net.ssl.SSLSession; 
import javax.net.ssl.SSLSocket; 
import javax.net.ssl.SSLSocketFactory; 
import javax.net.ssl.TrustManager; 
import javax.net.ssl.TrustManagerFactory; 
import javax.net.ssl.X509TrustManager; 
import microsoft.exchange.webservices.data.ClientCertificateCredentials; 
import microsoft.exchange.webservices.data.EmailMessage; 
import microsoft.exchange.webservices.data.ExchangeCredentials; 
import microsoft.exchange.webservices.data.ExchangeService; 
import microsoft.exchange.webservices.data.ExchangeVersion; 
import microsoft.exchange.webservices.data.Folder; 
import microsoft.exchange.webservices.data.FolderId; 
import microsoft.exchange.webservices.data.Mailbox; 
import microsoft.exchange.webservices.data.MessageBody; 
import microsoft.exchange.webservices.data.ServiceLocalException; 
import microsoft.exchange.webservices.data.WebCredentials; 
import microsoft.exchange.webservices.data.WellKnownFolderName; 

\/** 
* 
* 
*\/ 
public class App \{ 


    private static TrustManagerFactory tmf; 
    private static SSLContext ctx ; 

    private static TrustManager[] trustAllCerts = new TrustManager[] { 
     new X509TrustManager(){ 
      public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
        return null; 
      } 

      public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType){ 
      } 

      public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType){ 
      } 
     }}; 
     // The trust all certs. 

     private static void setSSLConfigManual() throws Exception 
     { 

      KeyStore ks=KeyStore.getInstance("pkcs12"); 
      ks.load(new FileInputStream("/home/user/Documents/private/mail-cert/compUser.pfx"),"mypass".toCharArray()); 

      System.out.println("init Stores..."); 

      KeyManagerFactory kmf=KeyManagerFactory.getInstance("SunX509"); 
      kmf.init(ks,"mypass".toCharArray()); 

      ctx= SSLContext.getInstance("TLS"); 

      ctx.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom()); 

      SSLContext.setDefault(ctx); 

     } 



    public static void main(String[] args) throws URISyntaxException, Exception 
    { 

     setSSLConfigManual(); 

     System.out.println("=============BEGIN HANDSHAKE============="); 
     testConnect(); 
     System.out.print(">"); 
     System.in.read(); 
     System.out.println("=============END HANDSHAKE============="); 

     System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 
     System.out.println("=============BEGIN EXCHANGE_2007 MESSAGE SEND============="); 
     try{ 
      send2007Message(); 
     } catch (Exception ex){ 
      System.out.println("=============ERROR EXCHANGE_2007 MESSAGE SEND============="); 
      System.out.print(">"); 
      System.in.read(); 
      ex.printStackTrace(); 
      System.out.print(">"); 
      System.in.read(); 
     } 
     System.out.println("=============END EXCHANGE_2007 MESSAGE SEND============="); 

     System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 
     System.out.println("=============BEGIN EXCHANGE_2010 MESSAGE SEND============="); 
     try{ 
      send2010Message();    
     } catch (Exception ex){ 
      System.out.println("=============ERROR EXCHANGE_2010 MESSAGE SEND=============");   
      System.out.print(">"); 
      System.in.read(); 
      ex.printStackTrace(); 
      System.out.print(">"); 
      System.in.read(); 
     } 
     System.out.println("=============END EXCHANGE_2010 MESSAGE SEND=============");   

    } 

    private static void send2010Message() throws ServiceLocalException, Exception, URISyntaxException { 
     ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2); 


     ExchangeCredentials credentials = new WebCredentials(
               "username", 
               "userpass","DOMAIN"); 
     service.setCredentials(credentials); 

     service.setTraceEnabled(true);   
     service.setUrl(new URI("https://mail.server.country/")); 

     service.setTimeout(100*1000); 


     Folder myFolder = new Folder(service); 
     myFolder.setDisplayName("My EWS Test Folder"); 
     FolderId rootFolderId = new FolderId(WellKnownFolderName.Root, new Mailbox("user@server.country")); 
     myFolder.save(rootFolderId); 

     EmailMessage msg= new EmailMessage(service); 
     msg.setSubject("Test message "+System.currentTimeMillis()); 
     msg.setBody(MessageBody.getMessageBodyFromText("Sent using the EWS Managed API.")); 
     msg.getToRecipients().add("User@gmail.com"); 

     msg.send(); 
    } 

    private static void send2007Message() throws ServiceLocalException, Exception, URISyntaxException { 
     ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2007_SP1); 

     ExchangeCredentials credentials = new WebCredentials(
               "user", 
               "pass","DOMAIN"); 
     service.setCredentials(credentials); 

     service.setTraceEnabled(true);     
     service.setUrl(new URI("https://legacy.server.country")); 
     service.setTimeout(100*1000); 


     EmailMessage msg= new EmailMessage(service); 
     msg.setSubject("Test message "+System.currentTimeMillis()); 
     msg.setBody(MessageBody.getMessageBodyFromText("Sent using the EWS Managed API.")); 
     msg.getToRecipients().add("User@gmail.com"); 

     msg.send(); 
    } 

    private static void testConnect() throws IOException { 
     SSLSocketFactory factory = ctx.getSocketFactory(); 
     SSLSocket sslsocket = (SSLSocket) factory.createSocket( 
       "mail.server.country",443); 
     sslsocket.setUseClientMode(true); 
     sslsocket.setSoTimeout(100000); 
     sslsocket.addHandshakeCompletedListener(new MyHandshakeListener()); 
     sslsocket.startHandshake();   
    } 
    public static class MyHandshakeListener implements HandshakeCompletedListener { 
     public void handshakeCompleted(HandshakeCompletedEvent e) { 
      System.out.println("Handshake succesful!"); 
      System.out.println("Using cipher suite: " + e.getCipherSuite()); 
     } 
    } 

} 

MS Exchange ответ:

403 Forbidden. На странице требуется сертификат клиента как часть процесса аутентификации. Если вы используете смарт-карту, вам нужно будет вставить смарт-карту, чтобы выбрать соответствующий сертификат. В противном случае обратитесь к администратору сервера. (12213)

Рукопожатие журнала:

counrtrycoden: 
init Stores... 
*** 
found key for : inertnal-signed-user-alias-key-bla-bla-bla 
chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=mycompuser, O=MYCOMP 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: BLABLABLA30690710815572912647945BLABLABLALABLA41197645359BLABLABLA883372709604731441625160BLABLABLA76697727043202584363067604BLABLABLA343388760502527327190704030612675772856546529931228983792825447712271 
    public exponent: 65537 
    Validity: [From: Thu Oct 25 09:44:41 MSK 2012, 
       To: Mon Sep 01 15:04:44 MSK 2014] 
    Issuer: CN=mycompany External CA, O=mycompany, C=counrtrycode 
    SerialNumber: [ 13bla267 00bla00 bla] 

Certificate Extensions: 9 
[1]: ObjectId: 1.bla13549.bla15 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 37 30 35 30 0E 06 08 2A 86 48 86 F7 0D 03 02 .7050...*.H..... 
BLABLABLA 


[2]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 28 30 26 30 0C 06 0A 2B 06 01 04 01 82 37 0A .(0&0...+.....7. 
BLABLABLA 

[3]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 31 30BLABLABLA06 01 04 01 82 37 15 08 84 .10/.'+.....7... 
0010: F3 D1 3C 87 F2 87 61 87 BD 9B BLABLABLA01 64 ..5.*...;...>..d 
BLABLABLA 

[4]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://pki.mycompany.counrtrycode/pki/aia/Cert01.glupka-and-tupka.mcmp.counrtrycode_mycompany%20External%20CA.crt 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: ldap:///CN=mycompany%20External%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?cACertificate?base?objectClass=certificationAuthority 
, 
    accessMethod: ocsp 
    accessLocation: URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/Cert01.glupka-and-tupka.mcmp.counrtrycode_mycompany%20External%20CA.crt 
] 
] 

[5]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: DB F3 38 88 08 D3 25 A2 D6 3E 5A C2 28 6D 21 09 ..8...%..>Z.(m!. 
BLABLABLA 
] 
] 

[6]: ObjectId: BLABLABLA.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://pki.mycompany.counrtrycode/pki/cdp/mycompany%20External%20CA.crl, URIName: ldap:///CN=mycompany%20External%20CA,CN=Cert01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/mycompany%20External%20CA.crl] 
]] 

[7]: ObjectId: BLABLABLA Criticality=false 
ExtendedKeyUsages [ 
    1.3.6.1.4.1.311.10.3.4 
    emailProtection 
    clientAuth 
] 

[8]: ObjectId: BLABLABLA Criticality=false 
KeyUsage [ 
    DigitalSignature 
    Key_Encipherment 
    Data_Encipherment 
] 

[9]: ObjectId: BLABLABLA Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: A4 AD 53 4BLABLABLA8 56 FB 4B 52 E3 09 AD 01 .BLABLABLA.KR.... 
BLABLABLA          X... 
] 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 9A C3 A3 3CBLABLABLAB9 80 8D F9 7CBLABLABLA8 11 EC ...<.S......a... 
BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA 
SUPERLONGBLABLABLA 
... 
BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA 
BLA0: DA 8FBLABLABLACC 96 B5 69 B2 BLABLABLADB 56 ...o`...i.V..h.V 

] 
*** 
trigger seeding of SecureRandom 
done seeding SecureRandom 
=============BEGIN HANDSHAKE============= 
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Allow unsafe renegotiation: false 
Allow legacy hello messages: tcounrtrycodee 
Is initial handshake: tcounrtrycodee 
Is secure renegotiation: false 
Allow unsafe renegotiation: false 
Allow legacy hello messages: tcounrtrycodee 
Is initial handshake: tcounrtrycodee 
Is secure renegotiation: false 
main, setSoTimeout(100000) called 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie: GMT: 1362721181 bytes = { 236, 175, 168, 239, 233, 179, 57, 191, 201, 185, 133, 27, 224, 105, 83, 227, 128, 210, 87, 189, 75, 234, 192, 181, 96, 94, 243, 25 } 
Session ID: {} 
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 
Compression Methods: { 0 } 
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension server_name, server_name: [host_name: services.mycompany.counrtrycode] 
*** 
main, WRITE: TLSv1 Handshake, length = 174 
main, READ: TLSv1 Handshake, length = 5660 
*** ServerHello, TLSv1 
RandomCookie: GMT: 1362721181 bytes = { 237, 63, 191, 247, 95, 109, 54, 253, 237, 198, 229, 127, 137, 49, 141, 141, 138, 20, 157, 117, 43, 124, 8, 94, 102, 171, 72, 136 } 
Session ID: {8, 30, 0, 0, 253, 200, 140, 197, 123, 73, 65, 166, 251, 106, 43, 119, 244, 46, 193, 144, 144, 57, 178, 24, 197, 204, 154, 63, 191, 102, 249, 105} 
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA 
Compression Method: 0 
Extension renegotiation_info, renegotiated_connection: <empty> 
*** 
%% Initialized: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA] 
** TLS_RSA_WITH_AES_128_CBC_SHA 
*** Certificate chain 
chain [0] = [ 
[ 
    Version: V3 
    Subject: CN=ol.mycompany.counrtrycode, OU=IT, O=mycompany, L=supercity, ST=counrtrycode, C=counrtrycode 
    Signature Algorithm: SHA1withRSA, OID = BLA.2.BLABLA.BLA.49.1.1.5 

    Key: Sun RSA public key, 2048 bits 
    modulus: BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA890852115164310867BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA2675606906943672823219951400362124850736118214751967190281153250333278526809862357346858437645387972960703158481657469928478498122472555889883930655301090187944200780810614568244173675337773013453127652176661961716518027910113380649734092379900012537169502795030097799607532413142973889150997564045268730052023211864684133008169849100098476577268849374370540710200206831212156277099733103668127156062641899305BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA 
    public exponent: 65537 
    Validity: [From: Thu Nov 15 08:56:19 MSK 2012, 
       To: Mon Sep 01 15:04:44 MSK 2014] 
    Issuer: CN=mycompany External CA, O=mycompany, C=counrtrycode 
    SerialNumber: [ 221f33ee 00000000 8011] 

Certificate Extensions: 9 
[1]: ObjectId: 1.3.BLABLA311.21.10 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04 0BLA06 08 2B BLA05 BLA3 01 ..BLA...+BLA.... 


[2]: ObjectId: BLABLA.1.311.21.7 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: BLA30 2F 06 27 2B 06 01 04 01 82BLA 08 84 .10/.'+.....7... 
BLABLA          ... 


[3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: ocsp 
    accessLocation: URIName: http://pki.mycompany.counrtrycode/pki/aia/Cert01.glupka-and-tupka.mcmp.counrtrycode_mycompany%20External%20CA.crt 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: ldap:///CN=mycompany%20External%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?cACertificate?base?objectClass=certificationAuthority 
, 
    accessMethod: ocsp 
    accessLocation: URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/Cert01.glupka-and-tupka.mcmp.counrtrycode_mycompany%20External%20CA.crt 
] 
] 

[4]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: DB F3 38 88 08 D3 25 A2 D6 3E 5A C2 28 6D 21 09 ..8...%..>Z.(m!. 
BLABLA          .... 
] 
] 

[5]: ObjectId: 2.5.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://pki.mycompany.counrtrycode/pki/cdp/mycompany%20External%20CA.crl, URIName: ldap:///CN=mycompany%20External%20CA,CN=Cert01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/mycompany%20External%20CA.crl] 
]] 

[6]: ObjectId: 2.5.29.37 Criticality=false 
ExtendedKeyUsages [ 
    serverAuth 
] 

[7]: ObjectId: 2.5.29.15 Criticality=false 
KeyUsage [ 
    DigitalSignature 
    Key_Encipherment 
] 

[8]: ObjectId: 2.5.29.17 Criticality=false 
SubjectAlternativeName [ 
    DNSName: services.mycompany.counrtrycode 
    DNSName: autodiscover.mycompany.counrtrycode 
    DNSName: post.mycompany.counrtrycode 
] 

[9]: ObjectId: 2.5.29.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: 22 4D BLABLA 68 FB FA 94 BLABLAEE 12 "M.L.h...9Y..... 
BLABLA 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 1C B5 34 B8 79 83 40 8F 65 0F 22 63 46 EC F5 C4 ..4.y.@.e."cF... 
0010: 71 01 19 B1 2D 08 D5 0A 0E 5C 01 C4 68 A8 E9 7D q...-....\..h... 
0020: EC 29 65 F5 DD 7C C5 75 4F 51 D2 07 3D 14 44 E5 .)e....uOQ..=.D. 
0030: E5 4E 7C 39 F3 50 CA 69 FF 44 3E 01 0F A7 BF BF .N.9.P.i.D>..... 
BLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLABLA 
... 
BLABLABLABLABLABLABLABLA 
01F0: CB EF A7 1C 85 77 91 AF AF 5C C3 E9 40 20 24 6E .....w...\..@ $n 

] 
chain [1] = [ 
[ 
    Version: V3 
    Subject: CN=mycompany External CA, O=mycompany, C=counrtrycode 
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 

    Key: Sun RSA public key, 4096 bits 
    modulus: BLABLABLABLABLABLABLABLABLABLABLABLA98237839144558867BLABLA952659709867024101076930335BLABLA3611BLABLA3074298630BLABLA 
    Validity: [From: Wed Sep 01 14:54:44 MSD 2010, 
       To: Mon Sep 01 15:04:44 MSK 2014] 
    Issuer: CN=mycompany Root CA, O=mycompany, C=counrtrycode 
    SerialNumber: [ 6BLABLAe5f 00000000 000a] 

Certificate Extensions: 8 
[1]: ObjectId: BLABLA.311.20.2 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 0BLABLAA 00 53 00 75 00 62 BLABLA3 00 41  .....S.u.b.C.A 


[2]: ObjectId: BLABLA1.311.21.1 Criticality=false 
Extension unknown: DER encoded OCTET string = 
0000: 04BLABLA1 00          ..... 


[3]: ObjectId: BLABLA7.1.1 Criticality=false 
AuthorityInfoAccess [ 
    [ 
    accessMethod: caIssuers 
    accessLocation: URIName: http://pki.mycompany.counrtrycode/pki/aia/mycompany%20Root%20CA.crt 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: ldap:///CN=mycompany%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?cACertificate?base?objectClass=certificationAuthority 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: ldap:///CN=mycompany%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ca,DC=mcmp,DC=counrtrycode?cACertificate?base?objectClass=certificationAuthority 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/rootca_mycompany%20Root%20CA.crt 
, 
    accessMethod: caIssuers 
    accessLocation: URIName: http://intpki.ca.mcmp.counrtrycode/CertEnroll/rootca_mycompany%20Root%20CA.crt 
] 
] 

[4]: ObjectId: 2.5.29.35 Criticality=false 
AuthorityKeyIdentifier [ 
KeyIdentifier [ 
0000: 4BLABLAF2 BB 22 B0 DB 4E ACBLABLA85 20 A..@<.."..N.... 
0010: BLABLA 02          .*.. 
] 
] 

[5]: ObjectId: BLABLA.19 Criticality=tcounrtrycodee 
BasicConstraints:[ 
    CA:tcounrtrycodee 
    PathLen:0 
] 

[6]: ObjectId: BLABLA.29.31 Criticality=false 
CRLDistributionPoints [ 
    [DistributionPoint: 
    [URIName: http://pki.mycompany.counrtrycode/pki/cdp/mycompany%20Root%20CA.crl, URIName: ldap:///CN=mycompany%20Root%20CA,CN=rootca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=glupka-and-tupka,DC=mcmp,DC=counrtrycode?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: ldap:///CN=mycompany%20Root%20CA,CN=rootca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ca,DC=mcmp,DC=counrtrycode?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://extpki.glupka-and-tupka.mcmp.counrtrycode/CertEnroll/mycompany%20Root%20CA.crl, URIName: http://intpki.ca.mcmp.counrtrycode/CertEnroll/mycompany%20Root%20CA.crl] 
]] 

[7]: ObjectId: BLABLA29.15 Criticality=false 
KeyUsage [ 
    DigitalSignature 
    Key_CertSign 
    Crl_Sign 
] 

[8]: ObjectId: BLABLA.14 Criticality=false 
SubjectKeyIdentifier [ 
KeyIdentifier [ 
0000: DB F3 38 88 08 D3 25 A2 D6 3E BLABLAD 21 09 ..8...%..>Z.(m!. 
BLABLA          .... 
] 
] 

] 
    Algorithm: [SHA1withRSA] 
    Signature: 
0000: 62 85 DBLABLAA0 A9 74 3ABLABLA 78 3BLABLA 3A 93 b...h0..t:.x6Q:. 
BLABLABLABLABLABLA 
01F0: 06 D8 BLABLA 34 28 32 01 6A 4BLABLA E7 EC ......r4BLABLA 

] 
*** 
*** CertificateRequest 
Cert Types: RSA, DSS, ECDSA 
Cert Authorities: 
<CN=CERTBServer, DC=glupka-and-tupka, DC=mcmp, DC=counrtrycode> 
<CN=mycompany Root CA, O=mycompany, C=counrtrycode> 
<OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US> 
<CN=GTE CyberTcounrtrycodest Global Root, OU="GTE CyberTcounrtrycodest Solutions, Inc.", O=GTE Corporation, C=US> 
<CN=Symantec Root CA, O=Symantec Corporation> 
<CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.> 
<CN=Symantec Root 2005 CA, O=Symantec Corporation, C=US> 
<CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com> 
<CN=NT AUTHORITY> 
*** ServerHelloDone 
*** Certificate chain 
*** 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
main, WRITE: TLSv1 Handshake, length = 269 
SESSION KEYGEN: 
PreMaster Secret: 
0000: 03 BLABLA 57 E5 32 68 13 0F BLABLAD C1 1B ...BLABLA.... 
0010: 01 DE 2F FD C6 89 8B DF 24 55BLABLA8 DB 8A 2F ../...BLABLA.(../ 
0020: A1 0BLABLA59 7A 5B 34 2BLABLA6 93 67 1D 43 .....BLABLA.g.C 
CONNECTION KEYGEN: 
Client Nonce: 
0000: 51 39BLABLAA8 EF E9 B3 39 BF BLABLA 85 1B BLABLA9..... 
0010: E0 69 53 BLABLA2 57 BD 4B EA C0 B5 60 5E F3 19 .iS.BLABLA..`^.. 
Server Nonce: 
0000: 51 39 BLABLA ED 3F BF F7 5F 6DBLABLA C6 E5 7F Q9z..BLABLA6..... 
0010: 89 31 8D 8D 8A 14 9D 75 2B 7C 08 5E 66 AB 48 88 .1....BLABLA.H. 
Master Secret: 
0000: B5 3BLABLA02 45 BLABLA2A 21 49 B4 .8.BLABLA!I. 
0010: DC E7BLABLA36 7E 4E 22 79 60 BLABLA75 CD 26 ....6.BLABLAu.& 
0020: 2D 6BLABLAD2 1E 29 7EBLABLA7D 63 9E -h..BLABLA...c. 
Client MAC write Secret: 
0000: 38 BLABLAB 0D 91 8D 67 8BLABLA40 81 8.BLABLA..b@. 
0010: 0D C5 4D D6          ..M. 
Server MAC write Secret: 
0000: 42BLABLA 79 98 BD 57 50BLABLA D2 25 36 B..BLABLAPm..%6 
0010: D4 8F E9 06          .... 
Client write key: 
0000: CBLABLAF 76 82 31 06 3FBLABLA41 6D ....BLABLA..Am 
Server write key: 
0000: 1BLABLABLABLA F3 A1 3BLABLABLABLA 24 .BLABLA...<.BLABLA.$ 
Client write IV: 
0000: BLABLA3 28 09 AD 68 AD 1BLABLA7 76 86 .(.BLABLA.h..ugv. 
Server write IV: 
0000: BLABLAC 8F E2 CC EA 5A BLABLA1 BC BD BC BLABLA..... 
main, WRITE: TLSv1 Change Cipher Spec, length = 1 
*** Finished 
verify_data: { BLA, 165, 142, 254, 222, BLA, 58, 72, BLA, 131, 19, 122 } 
*** 
main, WRITE: TLSv1 Handshake, length = 48 
main, READ: TLSv1 Change Cipher Spec, length = 1 
main, READ: TLSv1 Handshake, length = 48 
*** Finished 
verify_data: { 73, BLA, 110, BLA, 55, 62, BLA, 155, 179, BLA, 90, 19 } 
*** 
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA] 
>Handshake succesful! 
Using cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA 

Answer 1

Вопрос был в связи с реализацией EWSJavaAPI и моей собственной необходимости ВЗ использования клиент-сертификат на двухстороннюю-AUTH появились вместе.

Сначала мы должны правильно инициализировать контекст. EWSJavaAPI использует apache commons HttpClient 3.1, который больше не поддерживается, перемещается в другой пакет httpcomponents. Но мы используем наследие, и оно похоже на работу. Мы запускаем SSlContext, затем создаем фабрику SSL и регистрируем протокол с этой фабрикой.

KeyStore ks = KeyStore.getInstance("PKCS12");    
ks.load(new FileInputStream("cert.pfx"),"pass".toCharArray()); 

System.out.println("init Stores..."); 

ctx = SSLContext.getInstance("TLS"); 
ctx.init(new KeyManager[] { new MyKeyManager(ks, "pass") }, trustAllCerts, new SecureRandom());      
SSLContext.setDefault(ctx); 

ProtocolSocketFactory psf = new SSLProtocolSocketFactory(); 
Protocol https = new Protocol("https", psf, 443); 
Protocol.registerProtocol("https", https); 

где MyKeyManager выглядит следующим образом:

public class MyKeyManager extends X509ExtendedKeyManager { 

    KeyStore keystore = null; 
    String password = null; 
    public MyKeyManager(KeyStore keystore, String password) { 
     this.keystore = keystore; 
     this.password = password; 
    } 

    @Override 
    public String chooseClientAlias(String[] arg0, Principal[] arg1, Socket arg2) { 
     return ""; // can't be null 
    } 

    @Override 
    public String chooseServerAlias(String arg0, Principal[] arg1, Socket arg2) { 
     return null; 
    } 

    @Override 
    public X509Certificate[] getCertificateChain(String arg0) { 
     try { 
      X509Certificate[] result = new X509Certificate[keystore.getCertificateChain(keystore.aliases().nextElement()).length]; 
      for (int i = 0; i < result.length; i++){ 
       result[i] = (X509Certificate) keystore.getCertificateChain(keystore.aliases().nextElement())[i]; 
      } 
      return result; 
     } catch (Exception e) { 
     } 
     return null; 
    } 

    @Override 
    public String[] getClientAliases(String arg0, Principal[] arg1) { 
     try { 
      return new String[] { keystore.aliases().nextElement() }; 
     } catch (Exception e) { 
      return null; 
     } 
    } 

    @Override 
    public PrivateKey getPrivateKey(String arg0) { 
     try { 
      return ((KeyStore.PrivateKeyEntry) keystore.getEntry(keystore.aliases().nextElement(), 
       new KeyStore.PasswordProtection(password.toCharArray()))).getPrivateKey(); 
     } catch (Exception e) { 
     } 
     return null; 
    } 

    @Override 
    public String[] getServerAliases(String arg0, Principal[] arg1) { 
     return null; 
    } 
} 

Во время EmailMessage.send() мы будем microsoft.exchange.webservices.data.HttpClientWebRequest. И ... сюрприз:

@Override 
public void prepareConnection() throws EWSHttpException { 
    // ... 
    Protocol.registerProtocol("https", 
      new Protocol("https", new EwsSSLProtocolSocketFactory(), 443)); 
    // ... 
} 

Мы перерегистрировать гнездо завод, и наши сертификаты никогда не будут заполнены. Посмотрим, что EwsSSLProtocolSocketFactory: будет использоваться

public EwsSSLProtocolSocketFactory() { 
    super(); 
} 

private static SSLContext createEasySSLContext() { 
    try { 
     SSLContext context = SSLContext.getInstance("SSL"); 
     context.init(
      null, 
      new TrustManager[] {new EwsX509TrustManager(null, trustManager)}, 
      null); 
     return context; 
    } catch (Exception e) { 
     System.out.println(e.getMessage()+e); 
     throw new HttpClientError(e.toString()); 
    } 
} 

private SSLContext getSSLContext() { 
    if (this.sslcontext == null) { 
     this.sslcontext = createEasySSLContext(); 
    } 
    return this.sslcontext; 
} 

Супер легко создать SSLContext. Он не позволяет использовать собственные ключи, проверяя только проверенные сертификаты и только по умолчанию /usr/local/java/1.7.X/../cacerts.

К счастью, источники предоставляются, и мы впервые можем прокомментировать «Protocol.registerProtocol», и это решает проблему.